iptables and iprules

Chart: iptables Command Matrix

Chart of the most commonly used iptables rule syntax, showing the command syntax for each match and target along with the tables and chains in which it may be used.

Common iptables Commands
Commands Chains Tables
Function Module Match Tgt Conn Pckt Parameter Extension Option Argument PRE IN OUT POS FWD CST raw man nat fil sec
(Chain abbreviations: PRE = PREROUTING, IN = INPUT, OUT = OUTPUT, POS = POSTROUTING, FWD = FORWARD, CST = custom chain. Table abbreviations: raw, man = mangle, nat, fil = filter, sec = security. An X marks where the command applies.)
Match by protocol w/opt destination ports X X X -p tcp|-p udp|-p icmp --destination-port|--dport [!] port|port:port X X X X X X
Match by protocol w/opt source ports X X X -p tcp|-p udp|-p icmp --source-port|--sport [!] port|port:port X X X X X X
Destination IP Range iprange X X -m | --match -m iprange --dst-range [!] from{-to} X X X X X X
Source IP Range iprange X X -m | --match -m iprange --src-range [!] from{-to} X X X X X X
Match based on MAC ID mac X X -m | --match -m mac --mac-source [!] XX:XX:XX:XX:XX:XX X X X X
Match on existing Packet Mark mark X X -m | --match -m mark --mark [!] {integer} X X X X X X X X
Multi-port destination match (max 15) multiport X X -p {tcp | udp} -m multiport --destination-ports|--dports [!] port{,port}{,port:port} X X X X X X X
Multi-port source match (max 15) multiport X X -p {tcp | udp} -m multiport --source-ports|--sports [!] port{,port}{,port:port} X X X X X X X
Match packet owner by Group ID or Name owner X X -m | --match -m owner --gid-owner [!] groupid{:groupid}|groupname X X X
Match packet owner by User ID or Name owner X X -m | --match -m owner --uid-owner [!] userid{:userid}|username X X X
Destination IP address of Host or Network X X -d|--destination|--dst [!] ipaddr | ipaddr/CIDR X X X X X X X
Source IP address of Host or Network X X -s|--source|--src [!] ipaddr | ipaddr/CIDR X X X X X X X
Match on existing Connection Mark connmark X X -m | --match -m connmark --mark [!] {integer} | {hexadecimal} X X X X X X X X
Check current state of connection conntrack X X -m | --match -m conntrack --ctstate [!] state{,state} X X X X X X X
Copy Connection Mark to Packet CONNMARK X X -j | --jump -j CONNMARK --restore-mark X X X X X X
Assign security mark to a connection CONNSECMARK X X -j | --jump -j CONNSECMARK --restore|--save X X X X X X
Alter Destination IP address, ports DNAT X X -p tcp | udp --to-destination ipaddr{-ipaddr}{:port{-port}} X X X X
Alter Source IP address, ports SNAT X X -p tcp | udp --to-source ipaddr{-ipaddr}{:port{-port}} X X
Mark a Packet MARK X X -j | --jump -j MARK --set-mark {32-bit integer} X X X X
Assign security mark to a packet SECMARK X X -j | --jump -j SECMARK X X X X X X
Mark a Connection CONNMARK X X -j | --jump -j CONNMARK --set-mark {integer}|{hexadecimal} X X X X X X X
Copy Mark from Packet to Connection CONNMARK X X -j | --jump -j CONNMARK --save-mark X X X X X X X
Disable connection tracking CT X X -j | --jump -j NOTRACK X X X
Conceal outgoing conn true IP addr MASQUERADE X X -j | --jump -j MASQUERADE X X
End chain and permit packet to continue [1] ACCEPT X X -j | --jump X X X X X X X X X X X
Stop processing and disallow connection [2] DROP X X -j | --jump X X X X X X X X X X X
Drop packet and return error [3] REJECT X X -j | --jump -j REJECT X X X X X X X X X X X
Stop and return to previous chain [4] RETURN X X -j RETURN X X X X X X X X X X X
Redirect certain ports to localhost [5] REDIRECT X X -p tcp | udp -j REDIRECT --to-ports port{-port} X X X X

[1] End the current chain and allow the packet to proceed (it may still traverse other chains).

[2] Disallow the connection silently (no error message is returned to the source host).

[3] Send an error message back to the source host (default = ICMP destination-unreachable).

[4] If no parent chain exists to return to, the chain's default policy is applied (normally DROP or ACCEPT).

[5] The protocol must be specified. Custom chains must be called via the PREROUTING or OUTPUT chains.
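The following script is an added example, not part of the chart or of iptables itself. It strings the chart's syntax together into a small stateful host firewall: a custom chain entered from INPUT (footnote 5), conntrack state matching, multiport, iprange, CONNMARK/connmark, RETURN falling back to the parent chain (footnote 4), REJECT versus DROP (footnotes 2 and 3), and a REDIRECT in the nat table. The address range and port numbers are constructed for illustration. By default the script only prints the commands (a dry run); setting IPT=iptables and running it as root applies them.

```shell
#!/bin/sh
# Added example: a small stateful host firewall using the chart's rule syntax.
# Dry run by default (prints each command); set IPT=iptables as root to apply.
IPT="${IPT:-echo iptables}"

# Constructed example values (assumptions, not from the chart).
ADMIN_RANGE="192.0.2.10-192.0.2.20"   # hosts allowed to reach SSH
WEB_PORTS="80,443"                    # services open to everyone

emit_rules() {
    # Custom chain in the filter table; it is only reachable from the
    # built-in INPUT chain below (footnote 5).
    $IPT -t filter -N SERVICES

    # Stateful baseline: accept packets of flows conntrack already knows,
    # drop packets it classifies as INVALID, and trust loopback.
    $IPT -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    $IPT -A INPUT -m conntrack --ctstate INVALID -j DROP
    $IPT -A INPUT -i lo -j ACCEPT

    # Hand every new TCP connection to SERVICES; a RETURN there resumes
    # processing in INPUT at the rule after this one (footnote 4).
    $IPT -A INPUT -p tcp -m conntrack --ctstate NEW -j SERVICES

    # multiport: both web ports in one rule (at most 15 ports per rule).
    $IPT -A SERVICES -p tcp -m multiport --dports "$WEB_PORTS" -j ACCEPT

    # iprange + --dport: SSH only from the admin range. CONNMARK is a
    # non-terminating target, so the packet continues to the next rule,
    # where the connmark match accepts it.
    $IPT -A SERVICES -p tcp --dport 22 -m iprange --src-range "$ADMIN_RANGE" \
        -j CONNMARK --set-mark 0x1
    $IPT -A SERVICES -m connmark --mark 0x1 -j ACCEPT

    # Everything else goes back to INPUT.
    $IPT -A SERVICES -j RETURN

    # Final answer for unmatched new traffic: REJECT tells the sender
    # (TCP reset, or the default ICMP error) instead of silently dropping.
    $IPT -A INPUT -p tcp -j REJECT --reject-with tcp-reset
    $IPT -A INPUT -j REJECT

    # nat table: redirect port 8080 to the local web service. REDIRECT
    # requires -p (footnote 5).
    $IPT -t nat -A PREROUTING -p tcp --dport 8080 -j REDIRECT --to-ports 80
}

# Number of rules a dry run emits; a cheap sanity check before applying.
rule_count() {
    ( IPT="echo iptables"; emit_rules ) | wc -l | tr -d ' '
}

emit_rules
```

Run it once as is to review the generated commands, then with `IPT=iptables` to apply them; `rule_count` is there so a wrapper can check that the expected number of rules was produced before touching the live ruleset.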