iptables Command
Configure Linux kernel packet filtering firewall rules
📅 Updated: Mar 15, 2026
SYNTAX
iptables [OPTION]... [CHAIN] [RULE]
What Does iptables Do?
iptables is the traditional Linux firewall tool that manages packet filtering rules in the kernel. It controls incoming, outgoing, and forwarded network traffic using chains (INPUT, OUTPUT, FORWARD) and tables (filter, nat, mangle).
iptables is powerful but complex — each rule must be specified precisely. Modern distributions often provide friendlier frontends like ufw (Ubuntu) or firewall-cmd (RHEL), but understanding iptables is essential for advanced networking.
iptables rules are not persistent by default — they are lost on reboot unless saved with iptables-save and restored with iptables-restore.
Options & Flags
| Option | Description | Example |
|---|---|---|
| -A | Append rule to chain | iptables -A INPUT -p tcp --dport 80 -j ACCEPT |
| -I | Insert rule at position | iptables -I INPUT 1 -p tcp --dport 22 -j ACCEPT |
| -D | Delete rule | iptables -D INPUT -p tcp --dport 8080 -j ACCEPT |
| -L | List rules | iptables -L -v -n |
| -F | Flush (delete all rules) | iptables -F |
| -P | Set default policy | iptables -P INPUT DROP |
| -j | Jump target (ACCEPT, DROP, REJECT) | iptables -A INPUT -j DROP |
| -s/-d | Source/destination IP | iptables -A INPUT -s 10.0.0.0/8 -j ACCEPT |
Practical Examples
#1 List all rules
Shows all firewall rules with line numbers, verbose, and numeric output.
$ sudo iptables -L -v -n --line-numbers
#2 Allow SSH
Allows incoming SSH connections.
$ sudo iptables -A INPUT -p tcp --dport 22 -j ACCEPT
#3 Allow web traffic
Allows HTTP and HTTPS traffic.
$ sudo iptables -A INPUT -p tcp --dport 80 -j ACCEPT && sudo iptables -A INPUT -p tcp --dport 443 -j ACCEPT
#4 Drop all other incoming
Sets default policy to drop all incoming traffic not matching a rule. On a remote server, add the rules that allow your own session (SSH, established connections) before changing the policy.
$ sudo iptables -P INPUT DROP
#5 Allow established connections
Allows return traffic for connections you initiated.
$ sudo iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
#6 Block IP address
Blocks all traffic from a specific IP address.
$ sudo iptables -I INPUT -s 192.168.1.100 -j DROP
#7 Save rules
Saves current rules for persistence across reboots. The redirection runs inside a root shell because a plain "sudo iptables-save > file" opens the file as the unprivileged user and fails.
$ sudo sh -c 'iptables-save > /etc/iptables/rules.v4'
Tips & Best Practices
Rules are not persistent: iptables rules are lost on reboot. Save with iptables-save and restore with iptables-restore. Install iptables-persistent on Debian/Ubuntu.
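Order matters: Rules are evaluated top-down and the first matching rule decides the packet's fate. Place specific rules before general ones. A DROP that matches everything blocks the traffic that rules below it were meant to allow, because those rules are never reached.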
Use ufw or firewall-cmd instead: For simple firewall needs, ufw (Ubuntu) or firewall-cmd (RHEL) are much easier. Learn iptables for advanced scenarios.
Frequently Asked Questions
How do I block an IP address?
sudo iptables -I INPUT -s IP_ADDRESS -j DROP. Use -I to insert at the top of the chain, so the rule takes effect immediately and is evaluated before any existing ACCEPT rule.
How do I save iptables rules permanently?
sudo sh -c 'iptables-save > /etc/iptables/rules.v4'. The redirection has to run as root, which is why the command is wrapped in sh -c. Install the iptables-persistent package for automatic restore on boot.
How do I reset all firewall rules?
sudo iptables -F clears all rules in the filter table (the default table) but leaves the default policies unchanged. Then set default policies: sudo iptables -P INPUT ACCEPT (be careful on remote servers).