iptables / nftables Cheatsheet
Quick reference for iptables and nftables commands covering basic rules, chains, NAT, filtering, mangle, save/restore, and nftables migration
58 commands
| Command | Description | Example |
| --- | --- | --- |
| `iptables -L` | List all rules | `sudo iptables -L` |
| `iptables -L -n` | List rules with numeric output | `sudo iptables -L -n` |
| `iptables -L -v` | List rules with verbose output (the example also prints line numbers, which `-D`/`-I`/`-R` can reference) | `sudo iptables -L -v --line-numbers` |
| `iptables -L -t nat` | List rules in NAT table | `sudo iptables -L -t nat` |
| `iptables -L -t mangle` | List rules in mangle table | `sudo iptables -L -t mangle` |
| `iptables -S` | List rules in iptables-save format | `sudo iptables -S` |
| `iptables -F` | Flush all rules (chain policies are kept, so with a DROP policy this blocks all traffic) | `sudo iptables -F` |
| `iptables -X` | Delete all user-defined chains | `sudo iptables -X` |
| `iptables -Z` | Zero all packet counters | `sudo iptables -Z` |
| `iptables -P` | Set default chain policy (apply only after the rules allowing `lo`, ESTABLISHED traffic and your management port are in place, or a remote session is cut off) | `sudo iptables -P INPUT DROP` |
| `iptables -A INPUT` | Append rule to INPUT chain | `sudo iptables -A INPUT -p tcp --dport 80 -j ACCEPT` |
| `iptables -A OUTPUT` | Append rule to OUTPUT chain | `sudo iptables -A OUTPUT -p tcp --dport 443 -j ACCEPT` |
| `iptables -A FORWARD` | Append rule to FORWARD chain | `sudo iptables -A FORWARD -i eth0 -o eth1 -j ACCEPT` |
| `iptables -I` | Insert rule at top of chain | `sudo iptables -I INPUT 1 -p tcp --dport 22 -j ACCEPT` |
| `iptables -D` | Delete rule from chain | `sudo iptables -D INPUT -p tcp --dport 80 -j ACCEPT` |
| `iptables -D (line)` | Delete rule by line number | `sudo iptables -D INPUT 3` |
| `iptables -R` | Replace rule in chain | `sudo iptables -R INPUT 1 -p tcp --dport 8080 -j ACCEPT` |
| `iptables -N` | Create user-defined chain | `sudo iptables -N MYCHAIN` |
| `iptables -t nat -A POSTROUTING MASQUERADE` | Set up IP masquerade (SNAT) | `sudo iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE` |
| `iptables -t nat -A PREROUTING DNAT` | Set up destination NAT (port forward) | `sudo iptables -t nat -A PREROUTING -p tcp --dport 80 -j DNAT --to-destination 192.168.1.10:8080` |
| `iptables -t nat -A POSTROUTING SNAT` | Set up source NAT | `sudo iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to-source 203.0.113.1` |
| `iptables -t nat -A OUTPUT REDIRECT` | Set up local port redirect | `sudo iptables -t nat -A OUTPUT -p tcp --dport 80 -j REDIRECT --to-port 8080` |
| `iptables -t nat -A PREROUTING REDIRECT` | Redirect incoming traffic port | `sudo iptables -t nat -A PREROUTING -p tcp --dport 443 -j REDIRECT --to-port 8443` |
| `iptables -t nat -F` | Flush NAT table rules | `sudo iptables -t nat -F` |
| `iptables -t nat -L PREROUTING` | List PREROUTING NAT rules | `sudo iptables -t nat -L PREROUTING -n` |
| `iptables -A INPUT -s (allow IP)` | Allow connection from specific IP | `sudo iptables -A INPUT -s 192.168.1.0/24 -j ACCEPT` |
| `iptables -A INPUT -s (deny IP)` | Deny connection from specific IP | `sudo iptables -A INPUT -s 10.0.0.5 -j DROP` |
| `iptables -A INPUT --dport (allow port)` | Allow connection to specific port | `sudo iptables -A INPUT -p tcp --dport 443 -j ACCEPT` |
| `iptables -A INPUT -m multiport` | Allow multiple ports at once | `sudo iptables -A INPUT -p tcp -m multiport --dports 80,443,8080 -j ACCEPT` |
| `iptables -A INPUT -m state ESTABLISHED` | Allow established connections (`-m state` is the legacy form of `-m conntrack`) | `sudo iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT` |
| `iptables -A INPUT -i lo` | Allow loopback interface | `sudo iptables -A INPUT -i lo -j ACCEPT` |
| `iptables -A INPUT -p icmp` | Allow/deny ICMP (ping) | `sudo iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT` |
| `iptables -A INPUT -m conntrack` | Filter with connection tracking | `sudo iptables -A INPUT -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT` |
| `iptables -A INPUT -m limit` | Set rate limiting | `sudo iptables -A INPUT -p tcp --dport 22 -m limit --limit 3/min -j ACCEPT` |
| `iptables -A INPUT -j LOG` | Log packets (with no selectors this logs every packet; place it directly before the DROP rule it describes and combine with `-m limit` to avoid flooding the log) | `sudo iptables -A INPUT -j LOG --log-prefix 'DROPPED: '` |
| `iptables -t mangle -A PREROUTING TOS` | Modify TOS field | `sudo iptables -t mangle -A PREROUTING -p tcp --dport 22 -j TOS --set-tos Minimize-Delay` |
| `iptables -t mangle -A PREROUTING TTL` | Set TTL value | `sudo iptables -t mangle -A PREROUTING -j TTL --ttl-set 64` |
| `iptables -t mangle -A PREROUTING MARK` | Mark packets | `sudo iptables -t mangle -A PREROUTING -p tcp --dport 80 -j MARK --set-mark 1` |
| `iptables -t mangle -A POSTROUTING MSS` | Adjust TCP MSS | `sudo iptables -t mangle -A POSTROUTING -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu` |
| `iptables -t mangle -A OUTPUT DSCP` | Set DSCP field | `sudo iptables -t mangle -A OUTPUT -p tcp --dport 5060 -j DSCP --set-dscp-class EF` |
| `iptables -t mangle -F` | Flush mangle table rules | `sudo iptables -t mangle -F` |
| `iptables-save` | Save current rules to stdout (the `>` redirection is performed by the invoking shell, not by `sudo`, so that shell needs write access to the target file) | `sudo iptables-save > /etc/iptables/rules.v4` |
| `iptables-restore` | Restore rules from file | `sudo iptables-restore < /etc/iptables/rules.v4` |
| `ip6tables-save` | Save IPv6 rules | `sudo ip6tables-save > /etc/iptables/rules.v6` |
| `ip6tables-restore` | Restore IPv6 rules | `sudo ip6tables-restore < /etc/iptables/rules.v6` |
| `netfilter-persistent save` | Save with netfilter-persistent | `sudo netfilter-persistent save` |
| `netfilter-persistent reload` | Reload saved rules | `sudo netfilter-persistent reload` |
| `iptables-save -c` | Save rules with counters | `sudo iptables-save -c > /tmp/rules-with-counters` |
| `nft list ruleset` | List entire ruleset | `sudo nft list ruleset` |
| `nft list tables` | List all tables | `sudo nft list tables` |
| `nft list table` | List rules in specific table | `sudo nft list table inet filter` |
| `nft add table` | Add a table | `sudo nft add table inet myfilter` |
| `nft add chain` | Add a chain | `sudo nft add chain inet myfilter input '{ type filter hook input priority 0; policy accept; }'` |
| `nft add rule` | Add a rule | `sudo nft add rule inet myfilter input tcp dport 22 accept` |
| `nft delete rule` | Delete a rule | `sudo nft delete rule inet myfilter input handle 4` |
| `nft flush ruleset` | Flush entire ruleset | `sudo nft flush ruleset` |
| `nft -f` | Load ruleset from file | `sudo nft -f /etc/nftables.conf` |
| `iptables-translate` | Translate iptables rule to nftables (only prints the equivalent `nft` command; it changes no rules, so no `sudo` is needed) | `iptables-translate -A INPUT -p tcp --dport 22 -j ACCEPT` |