Chart of the most commonly used iptables rule syntax: for each match or target, the module it comes from, whether it tests a single packet or the tracked connection, the command syntax, and the built-in chains and tables in which it may be used. A user-defined chain may use a match or target only if the built-in chain that calls it may. `[!]` marks an argument that can be negated; current iptables expects the `!` before the option (`! --dport 22`, `! -s 10.0.0.0/8`), and the older `--dport ! 22` form is deprecated.

Common iptables Commands

| Function | Module | Kind | Scope | Syntax | Argument | Chains | Tables |
|---|---|---|---|---|---|---|---|
| Match by protocol, optional destination port | (built-in) | match | packet | `-p tcp` or `-p udp`, then `--destination-port` or `--dport` | `[!] port[:port]` | all | all |
| Match by protocol, optional source port | (built-in) | match | packet | `-p tcp` or `-p udp`, then `--source-port` or `--sport` | `[!] port[:port]` | all | all |
| Match ICMP by type (ICMP has no ports) | icmp | match | packet | `-p icmp --icmp-type` | `[!] typename` or `type[/code]` | all | all |
| Destination IP range | iprange | match | packet | `-m iprange --dst-range` | `[!] from[-to]` | all | all |
| Source IP range | iprange | match | packet | `-m iprange --src-range` | `[!] from[-to]` | all | all |
| Match by source MAC address | mac | match | packet | `-m mac --mac-source` | `[!] XX:XX:XX:XX:XX:XX` | PREROUTING, INPUT, FORWARD | all |
| Match on existing packet mark | mark | match | packet | `-m mark --mark` | `[!] value[/mask]` | all | all |
| Multi-port destination match (max 15 ports; a range counts as two) | multiport | match | packet | `-p tcp` or `-p udp`, then `-m multiport --destination-ports` or `--dports` | `[!] port[,port][,port:port]...` | all | all |
| Multi-port source match (max 15 ports; a range counts as two) | multiport | match | packet | `-p tcp` or `-p udp`, then `-m multiport --source-ports` or `--sports` | `[!] port[,port][,port:port]...` | all | all |
| Match packet owner by group ID or name | owner | match | packet | `-m owner --gid-owner` | `[!] groupid[-groupid]` or `groupname` | OUTPUT, POSTROUTING | all |
| Match packet owner by user ID or name | owner | match | packet | `-m owner --uid-owner` | `[!] userid[-userid]` or `username` | OUTPUT, POSTROUTING | all |
| Destination IP address of host or network | (built-in) | match | packet | `-d`, `--destination` or `--dst` | `[!] ipaddr[/CIDR]` | all | all |
| Source IP address of host or network | (built-in) | match | packet | `-s`, `--source` or `--src` | `[!] ipaddr[/CIDR]` | all | all |
| Match on existing connection mark | connmark | match | connection | `-m connmark --mark` | `[!] value[/mask]` | all | all |
| Check current state of connection | conntrack | match | connection | `-m conntrack --ctstate` | `[!] state[,state]` (INVALID, NEW, ESTABLISHED, RELATED, UNTRACKED, SNAT, DNAT) | all | mangle, nat, filter, security (tracking has not yet run in raw) |
| Copy connection mark to packet | CONNMARK | target | connection to packet | `-j CONNMARK --restore-mark` | `[--nfmask mask] [--ctmask mask]` | all | mangle by convention (any on current kernels) |
| Copy security mark between packet and connection | CONNSECMARK | target | connection | `-j CONNSECMARK` | `--save` or `--restore` | all | mangle |
| Alter destination IP address and ports [5] | DNAT | target | connection | `-p tcp` or `-p udp` (when a port is given), `-j DNAT --to-destination` | `[ipaddr[-ipaddr]][:port[-port]]` | PREROUTING, OUTPUT | nat |
| Alter source IP address and ports | SNAT | target | connection | `-p tcp` or `-p udp` (when a port is given), `-j SNAT --to-source` | `[ipaddr[-ipaddr]][:port[-port]]` | POSTROUTING, INPUT | nat |
| Mark a packet | MARK | target | packet | `-j MARK --set-mark` (also `--set-xmark`, `--and-mark`, `--or-mark`, `--xor-mark`) | `value[/mask]` (32-bit) | all | any; set in mangle PREROUTING or OUTPUT if the mark should affect routing |
| Assign security mark to a packet | SECMARK | target | packet | `-j SECMARK --selctx` | `security_context` | all | mangle |
| Mark a connection | CONNMARK | target | connection | `-j CONNMARK --set-mark` | `value[/mask]` | all | mangle by convention (any on current kernels) |
| Copy mark from packet to connection | CONNMARK | target | packet to connection | `-j CONNMARK --save-mark` | `[--nfmask mask] [--ctmask mask]` | all | mangle by convention (any on current kernels) |
| Disable connection tracking [5] | CT | target | connection | `-j CT --notrack` (`-j NOTRACK` is the deprecated alias) | | PREROUTING, OUTPUT | raw |
| Conceal outgoing connection's true IP address | MASQUERADE | target | connection | `-j MASQUERADE` | `[--to-ports port[-port]]` | POSTROUTING | nat |
| End chain and permit packet to continue [1] | ACCEPT | target | packet | `-j ACCEPT` | | all | all |
| Stop processing and silently discard packet [2] | DROP | target | packet | `-j DROP` | | all | all |
| Discard packet and return error [3] | REJECT | target | packet | `-j REJECT` | `[--reject-with type]` | INPUT, FORWARD, OUTPUT | filter |
| Stop and return to calling chain [4] | RETURN | target | packet | `-j RETURN` | | all | all |
| Redirect certain ports to the local host [5] | REDIRECT | target | connection | `-p tcp` or `-p udp`, `-j REDIRECT --to-ports` | `port[-port]` | PREROUTING, OUTPUT | nat |

[1] End the current chain and allow the packet to proceed (it may still traverse chains in later tables).
[2] Discard the packet silently; no error message is returned to the source host.
[3] Send an error message back to the source host (default: ICMP port-unreachable, a destination-unreachable message; `--reject-with tcp-reset` sends a TCP RST instead).
[4] In a user-defined chain, resume in the calling chain after the rule that jumped; in a built-in chain, apply the chain's default policy (normally DROP or ACCEPT).
[5] A protocol (`-p tcp` or `-p udp`) must be specified when ports are given. Custom chains may use these targets only when called from the PREROUTING or OUTPUT chain.
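The following script is an added example, not part of the original chart: it generates a complete iptables-restore ruleset that uses most of the matches and targets above in the tables and chains where they are valid (conntrack states, multiport, iprange, owner, MARK/CONNMARK save and restore, CT --notrack, DNAT, MASQUERADE, REJECT), then lints the ruleset against the chart's table/chain constraints before anything is loaded into the kernel. The interface and address values (WAN_IF, LAN_NET, WEB_SERVER, the admin address range) are assumed placeholders, and `gen_rules` and `lint_rules` are names chosen for this example.

```shell
#!/bin/sh
# Added example: emit an iptables-restore ruleset exercising the chart's matches
# and targets, then lint it against the chart's table/chain rules before loading.
# WAN_IF, LAN_NET, WEB_SERVER and the admin range are assumed placeholder values.
set -eu

WAN_IF=${WAN_IF:-eth0}
LAN_NET=${LAN_NET:-192.168.1.0/24}
WEB_SERVER=${WEB_SERVER:-192.168.1.10}

# Emit the ruleset in iptables-restore format: one "*table ... COMMIT" block per table.
gen_rules() {
cat <<EOF
*raw
:PREROUTING ACCEPT [0:0]
# CT --notrack is only valid in raw PREROUTING/OUTPUT: skip tracking for LAN NTP
-A PREROUTING -s $LAN_NET -p udp --dport 123 -j CT --notrack
COMMIT
*mangle
:PREROUTING ACCEPT [0:0]
# Mark each new SSH connection once, then copy the saved mark onto its later packets
-A PREROUTING -j CONNMARK --restore-mark
-A PREROUTING -m mark ! --mark 0 -j ACCEPT
-A PREROUTING -p tcp --dport 22 -m conntrack --ctstate NEW -j MARK --set-mark 0x1
-A PREROUTING -j CONNMARK --save-mark
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
# DNAT (nat PREROUTING): forward inbound HTTP/HTTPS on the WAN side to the web server
-A PREROUTING -i $WAN_IF -p tcp -m multiport --dports 80,443 -j DNAT --to-destination $WEB_SERVER
# MASQUERADE (nat POSTROUTING): hide LAN source addresses behind the WAN address
-A POSTROUTING -s $LAN_NET -o $WAN_IF -j MASQUERADE
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
# Untracked NTP never becomes ESTABLISHED, so it needs an explicit accept
-A INPUT -s $LAN_NET -p udp --dport 123 -m conntrack --ctstate UNTRACKED -j ACCEPT
-A INPUT -p tcp --dport 22 -m iprange --src-range 192.168.1.100-192.168.1.199 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -p icmp --icmp-type echo-request -j ACCEPT
# REJECT (filter INPUT/FORWARD/OUTPUT only): RST for TCP, port-unreachable for the rest
-A INPUT -p tcp -j REJECT --reject-with tcp-reset
-A INPUT -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# FORWARD sees the post-DNAT destination, so match the internal address here
-A FORWARD -i $WAN_IF -d $WEB_SERVER -p tcp -m multiport --dports 80,443 -m conntrack --ctstate NEW -j ACCEPT
-A FORWARD -s $LAN_NET -o $WAN_IF -m conntrack --ctstate NEW -j ACCEPT
# owner (OUTPUT/POSTROUTING only): only uid 0 may originate outbound SMTP
-A OUTPUT -o $WAN_IF -p tcp --dport 25 -m owner ! --uid-owner 0 -j REJECT --reject-with tcp-reset
COMMIT
EOF
}

# Lint a ruleset on stdin against the chart: print each violation, return 1 if any.
# User-defined chains are only checked for table placement, since the built-in
# chain that calls them is not known statically.
lint_rules() {
awk '
BEGIN {
  builtin["PREROUTING"] = builtin["INPUT"] = builtin["FORWARD"] = 1
  builtin["OUTPUT"] = builtin["POSTROUTING"] = 1
  ttab["DNAT"] = ttab["SNAT"] = ttab["MASQUERADE"] = ttab["REDIRECT"] = "nat"
  ttab["REJECT"] = "filter"; ttab["CT"] = ttab["NOTRACK"] = "raw"
  ttab["SECMARK"] = ttab["CONNSECMARK"] = "mangle"
  tch["DNAT"] = tch["REDIRECT"] = tch["CT"] = tch["NOTRACK"] = "PREROUTING OUTPUT"
  tch["SNAT"] = "POSTROUTING INPUT"; tch["MASQUERADE"] = "POSTROUTING"
  tch["REJECT"] = "INPUT FORWARD OUTPUT"
  mch["owner"] = "OUTPUT POSTROUTING"; mch["mac"] = "PREROUTING FORWARD INPUT"
  bad = 0
}
function allowed(list, c) { return index(" " list " ", " " c " ") > 0 }
/^\*/     { table = substr($0, 2); next }
/^COMMIT/ { table = ""; next }
/^-A / {
  chain = $2; target = ""
  for (i = 3; i <= NF; i++) {
    if ($i == "-j") target = $(i + 1)
    if ($i == "-m" && ($(i + 1) in mch) && (chain in builtin) && !allowed(mch[$(i + 1)], chain)) {
      printf "line %d: match %s is not valid in chain %s\n", NR, $(i + 1), chain; bad = 1
    }
  }
  if ((target in ttab) && ttab[target] != table) {
    printf "line %d: target %s is only valid in the %s table (found in %s)\n", NR, target, ttab[target], table; bad = 1
  }
  if ((target in tch) && (chain in builtin) && !allowed(tch[target], chain)) {
    printf "line %d: target %s is not valid in chain %s\n", NR, target, chain; bad = 1
  }
}
END { exit bad }
'
}

# Lint first; then dry-run and load as root:
#   gen_rules > rules.v4 && iptables-restore --test < rules.v4 && iptables-restore < rules.v4
gen_rules | lint_rules && echo "ruleset passes the chart's table/chain lint"
```

The linter only encodes the hard restrictions from the chart (targets tied to one table, targets and matches tied to particular chains); everything else is left to `iptables-restore --test`, which validates the syntax against the running kernel without installing the rules.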