iptables and nftables commands reference
Complete reference for iptables and nftables commands, chain targets, match extensions, and rule syntax.
iptables Command Flags
| Flag | Description | Example |
|---|---|---|
| -A CHAIN | Append a rule to the end of a chain. | iptables -A INPUT -p tcp --dport 22 -j ACCEPT |
| -I CHAIN [N] | Insert a rule at position N (default: 1, the top of the chain). | iptables -I INPUT 1 -p tcp --dport 80 -j ACCEPT |
| -D CHAIN RULE | Delete a specific rule from a chain (by matching rule or by number). | iptables -D INPUT -p tcp --dport 8080 -j ACCEPT |
| -L [CHAIN] | List rules in a chain (or all chains); -n skips DNS lookups, -v adds counters and interfaces. | iptables -L INPUT -n -v |
| -F [CHAIN] | Flush (delete) all rules in a chain; the chain's policy is left unchanged. | iptables -F INPUT |
| -P CHAIN TARGET | Set the default policy for a built-in chain (ACCEPT or DROP). | iptables -P INPUT DROP |
| -t TABLE | Specify the table (filter, nat, mangle, raw); filter is the default. | iptables -t nat -L |
| -p PROTOCOL | Match protocol (tcp, udp, icmp). | -p tcp |
| --dport PORT | Match destination port (requires -p tcp or -p udp). | --dport 443 |
| --sport PORT | Match source port or port range. | --sport 1024:65535 |
| -s IP | Match source IP address or CIDR. | -s 203.0.113.0/24 |
| -d IP | Match destination IP address or CIDR. | -d 10.0.0.1 |
| -i IFACE | Match input interface. | -i eth0 |
| -o IFACE | Match output interface. | -o wg0 |
| -m state --state | Match connection state (NEW, ESTABLISHED, RELATED, INVALID). The state match is a legacy alias for -m conntrack --ctstate, which takes the same values. | -m state --state ESTABLISHED,RELATED |
| -j TARGET | Jump to target (ACCEPT, DROP, REJECT, DNAT, SNAT, MASQUERADE, LOG). DNAT, SNAT and MASQUERADE are only valid in the nat table. | -j DROP |
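Putting the flags above together, the following script is an added example written for this page (it is not taken from the page or from the iptables project). It generates a default-deny, stateful IPv4 host firewall in iptables-restore format so the text can be reviewed before anything is loaded. The management subnet 203.0.113.0/24 and the interface name eth0 are assumed placeholders, and the rules use -m conntrack --ctstate, the current match that -m state --state aliases to. Only apply_iptables_ruleset touches the kernel, and only as root.

```shell
#!/bin/sh
# Added example: build a default-deny stateful IPv4 ruleset for the filter
# table in iptables-restore format. ADMIN_NET and WAN_IF are assumed
# placeholder values; override them in the environment.
ADMIN_NET="${ADMIN_NET:-203.0.113.0/24}"   # assumed management subnet
WAN_IF="${WAN_IF:-eth0}"                   # assumed external interface

gen_iptables_ruleset() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# loopback first: local services bind to 127.0.0.1
-A INPUT -i lo -j ACCEPT
# packets conntrack cannot classify (bad TCP flags, stray ACKs) are dropped early
-A INPUT -m conntrack --ctstate INVALID -j DROP
# replies to connections this host opened (stateful inspection)
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# SSH only from the management subnet, with a per-minute cap on new connections
-A INPUT -i ${WAN_IF} -p tcp --dport 22 -s ${ADMIN_NET} -m conntrack --ctstate NEW -m limit --limit 5/min --limit-burst 10 -j ACCEPT
# public web services
-A INPUT -i ${WAN_IF} -p tcp -m multiport --dports 80,443 -m conntrack --ctstate NEW -j ACCEPT
# keep the host pingable, but rate-limited
-A INPUT -p icmp --icmp-type echo-request -m limit --limit 10/s -j ACCEPT
# log a trickle of what the DROP policy is about to discard
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "IPT-DROP: " --log-level 4
COMMIT
EOF
}

# Number of rules (not policies) in the generated text; handy for sanity checks.
count_iptables_rules() {
    gen_iptables_ruleset | grep -c '^-A '
}

# Parse-only check with iptables-restore --test; skipped if the tool is absent.
check_iptables_ruleset() {
    if command -v iptables-restore >/dev/null 2>&1; then
        gen_iptables_ruleset | iptables-restore --test
    else
        echo "iptables-restore not found; skipping syntax check" >&2
    fi
}

# Load the whole ruleset in one transaction (root only). Conntrack entries
# survive the reload, so an already-open admin SSH session stays ESTABLISHED.
apply_iptables_ruleset() {
    if [ "$(id -u)" -ne 0 ]; then
        echo "apply_iptables_ruleset: must run as root" >&2
        return 1
    fi
    gen_iptables_ruleset | iptables-restore
}

case "${1:-show}" in
    show)  gen_iptables_ruleset ;;
    check) check_iptables_ruleset ;;
    apply) apply_iptables_ruleset ;;
    *)     echo "usage: $0 [show|check|apply]" >&2 ;;
esac
```

Loading through iptables-restore rather than a sequence of -A calls matters: the rules take effect together, so there is no window in which the DROP policy is set but the ESTABLISHED rule is not yet present. The LOG rule sits last and is rate-limited because an unthrottled LOG on a default-deny chain lets a port scan fill the kernel log.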
nftables Common Commands
| Command | Description | Example |
|---|---|---|
| nft list ruleset | Display all tables, chains, and rules. | sudo nft list ruleset |
| nft add table | Create a new table (family ip, ip6, inet, arp, bridge or netdev). | nft add table ip filter |
| nft add chain | Create a base chain with a hook and priority; quote the braces and semicolon so the shell does not interpret them. | nft add chain ip filter input '{ type filter hook input priority 0; }' |
| nft add rule | Add a rule to a chain. | nft add rule ip filter input tcp dport 22 accept |
| nft delete rule | Delete a specific rule by handle. | nft delete rule ip filter input handle 5 |
| nft flush ruleset | Remove all rules, chains, and tables; run from the shell this leaves the host unfiltered until new rules are loaded. | nft flush ruleset |
| nft -a list ruleset | Show rules with handle numbers for deletion (-a is a global option and goes before the command). | sudo nft -a list ruleset |
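The same default-deny host policy expressed as one nftables ruleset file, as an added example that is not part of the original page or of the nftables project. It uses the inet family (one table covering IPv4 and IPv6), a named set for the management networks, ct state matching and rate limits; ADMIN_NET and WAN_IF are assumed placeholders. The flush ruleset line at the top of the file is the point to notice: typed alone at the shell, nft flush ruleset leaves the host with no filtering until new rules arrive, whereas inside a file loaded with nft -f it is committed in the same transaction as the rules that replace it.

```shell
#!/bin/sh
# Added example: emit an nftables ruleset for a default-deny stateful host
# firewall, syntax-check it, and apply it atomically. ADMIN_NET and WAN_IF
# are assumed placeholder values; override them in the environment.
ADMIN_NET="${ADMIN_NET:-203.0.113.0/24}"   # assumed management subnet
WAN_IF="${WAN_IF:-eth0}"                   # assumed external interface

gen_nft_ruleset() {
    cat <<EOF
#!/usr/sbin/nft -f
# 'flush ruleset' here is part of the same transaction as the rules below,
# so the old ruleset is replaced atomically and the host is never unfiltered.
flush ruleset

table inet filter {
    # named set: members can be added or removed at runtime without editing rules
    set admin_nets {
        type ipv4_addr
        flags interval
        elements = { ${ADMIN_NET} }
    }

    chain input {
        type filter hook input priority filter; policy drop;

        iif "lo" accept
        ct state invalid drop
        ct state established,related accept

        # SSH from the management set only, with a cap on new connections
        iifname "${WAN_IF}" ip saddr @admin_nets tcp dport 22 ct state new limit rate 5/minute burst 10 packets accept

        # public web services
        iifname "${WAN_IF}" tcp dport { 80, 443 } ct state new accept

        # keep the host pingable and IPv6 neighbour discovery working
        icmp type echo-request limit rate 10/second accept
        icmpv6 type { echo-request, nd-neighbor-solicit, nd-neighbor-advert, nd-router-advert } accept

        # log a trickle of what the drop policy discards, and count the rest
        limit rate 5/minute log prefix "NFT-DROP: " counter
    }

    chain forward {
        type filter hook forward priority filter; policy drop;
    }

    chain output {
        type filter hook output priority filter; policy accept;
    }
}
EOF
}

# Number of chains in the generated file; a cheap sanity check.
count_nft_chains() {
    gen_nft_ruleset | grep -c '^[[:space:]]*chain '
}

# First non-comment, non-blank statement in the file (should be the flush).
first_nft_statement() {
    gen_nft_ruleset | grep -v '^[[:space:]]*#' | grep -v '^[[:space:]]*$' | head -n 1
}

# Parse-only check (nft -c); skipped if nft is absent. Some nft versions
# still need CAP_NET_ADMIN for -c because they read the live ruleset first.
check_nft_ruleset() {
    if command -v nft >/dev/null 2>&1; then
        gen_nft_ruleset | nft -c -f -
    else
        echo "nft not found; skipping syntax check" >&2
    fi
}

# Replace the live ruleset in one transaction (root only).
apply_nft_ruleset() {
    if [ "$(id -u)" -ne 0 ]; then
        echo "apply_nft_ruleset: must run as root" >&2
        return 1
    fi
    gen_nft_ruleset | nft -f -
}

# Runtime inspection and surgical removal, as in the table above:
# list handles, then delete one rule by its handle number.
show_nft_handles() { nft -a list chain inet filter input; }
delete_nft_rule()  { nft delete rule inet filter input handle "$1"; }

case "${1:-show}" in
    show)  gen_nft_ruleset ;;
    check) check_nft_ruleset ;;
    apply) apply_nft_ruleset ;;
    *)     echo "usage: $0 [show|check|apply]" >&2 ;;
esac
```

Using inet rather than ip means the IPv6 side gets the same drop policy instead of being forgotten, which is a common gap when a host is firewalled with iptables alone. Because the admin networks live in a set, an address can be added with nft add element inet filter admin_nets '{ 198.51.100.7 }' without touching or renumbering the rules.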