@aw-junaid
Created January 30, 2026 17:46
iptables / ip6tables Commands Cheat Sheet (Rules, Policies, Logging, Forwarding)

Practical iptables basics: save/restore rules, list/flush, set default policies, allow established connections, remove rules by line, raw table viewing, restrict inbound to specific subnets/ports with logging, and NAT port-forward examples. Includes IPv6 equivalents (ip6tables).


Use iptables for IPv6

  • IPv6 firewall uses ip6tables (legacy)

    ip6tables -L -v --line-numbers

    Same concepts as iptables, but applies to IPv6 traffic.

  • Modern alternative (often preferred): nftables. Many distros now use nftables; the iptables commands may be compatibility wrappers.


Save / restore rules

  • iptables-save -c > file

    Exports current IPv4 rules to file including packet/byte counters (-c).
    (Your iptables-save -c file corrected: output is written to stdout, so redirect it.)

  • iptables-restore < file

    Restores rules from file.
    (Your iptables-restore file corrected: it reads from stdin.)

IPv6 equivalents

ip6tables-save -c > file.v6
ip6tables-restore < file.v6

Listing rules (with line numbers)

  • iptables -L -v --line-numbers
    Lists all rules in the filter table with verbose counters and line numbers.

Useful add-on:

iptables -S

Shows rules in a format closer to what you typed.


Flush rules

  • iptables -F
    Flushes (deletes) all rules in every chain of the selected table (filter by default); chain policies are left unchanged.

To flush NAT too:

iptables -t nat -F

Default policy (what happens if no rule matches)

  • iptables -P INPUT ACCEPT
    iptables -P FORWARD ACCEPT
    iptables -P OUTPUT ACCEPT
    Sets chain default policy to ACCEPT/REJECT/DROP.

To set a default drop stance:

iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP

Allow established/related inbound traffic

  • iptables -A INPUT -i interface -m state --state RELATED,ESTABLISHED -j ACCEPT
    Allows return traffic for connections you already permitted.
    (Spelling corrected: ESTABLISHED.)

Modern match module (preferred):

iptables -A INPUT -i interface -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT

Delete a rule by line number

  • iptables -D INPUT 7
    Deletes rule number 7 in the INPUT chain.

Raw table listing (state/conntrack-related visibility)

  • iptables -t raw -L -n
    Lists rules in the raw table (often used for NOTRACK / conntrack tuning).
    Note: “disabling statefulness” is done by adding NOTRACK rules in the raw table, not just by listing it.

“Delete all packets” / drop inbound by policy

  • iptables -P INPUT DROP
    Sets default inbound policy to DROP (blocks anything not explicitly allowed).

Allow SSH (TCP/22) outbound and related inbound

  • iptables -A OUTPUT -o iface -p tcp --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT

    Allows new and established outbound SSH connections.

  • iptables -A INPUT -i iface -p tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT

    Allows inbound packets that belong to established SSH connections (server replies).

(Conntrack form)

iptables -A OUTPUT -o iface -p tcp --dport 22 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT  -i iface -p tcp --sport 22 -m conntrack --ctstate ESTABLISHED -j ACCEPT

Allow ICMP (ping) outbound/inbound

  • iptables -A OUTPUT -o iface -p icmp --icmp-type echo-request -j ACCEPT

    Allows outbound ping requests.

  • iptables -A INPUT -i iface -p icmp --icmp-type echo-reply -j ACCEPT

    Allows inbound ping replies.

(Your original had -i/-o swapped; corrected.)


Create port forward (DNAT + SNAT/MASQUERADE + forwarding)

Enable IPv4 forwarding

  • echo 1 | sudo tee /proc/sys/net/ipv4/ip_forward

    Enables routing between interfaces (not persistent; resets at reboot).

  • sudo sysctl -w net.ipv4.ip_forward=1

    Same setting via sysctl.

DNAT (PREROUTING) example

  • iptables -t nat -A PREROUTING -i eth0 -p tcp -d pivotip --dport 443 -j DNAT --to-destination attkip:443
    Traffic hitting pivotip:443 on eth0 is forwarded to attkip:443.

SNAT (POSTROUTING) example

  • iptables -t nat -A POSTROUTING -o eth0 -p tcp -s targetsubnet/cidr -d attkip --dport 443 -j SNAT --to-source pivotip
    Rewrites source address so replies route back through the pivot.

Common alternative when the pivot has a dynamic IP:

iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

Allow forwarding in filter table

  • iptables -t filter -I FORWARD 1 -j ACCEPT
    Inserts an allow rule at the top of the FORWARD chain.

Allow 1.1.1.0/24 to ports 80 and 443 + logging

  • iptables -A INPUT -s 1.1.1.0/24 -p tcp -m multiport --dports 80,443 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT

    Allows HTTP/HTTPS from that subnet (new and established traffic).
    (Your chain name typo corrected: INPUT; and multipart corrected to multiport.)

  • iptables -A INPUT -i eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT

    Allows return traffic for anything already permitted.

  • iptables -P INPUT DROP

    Drops everything not explicitly allowed.

  • iptables -A OUTPUT -o eth0 -j ACCEPT

    Allows outbound traffic on eth0.

  • iptables -A INPUT -i lo -j ACCEPT
    iptables -A OUTPUT -o lo -j ACCEPT

    Allows loopback traffic.

Create a logging chain and log drops

  • iptables -N LOGGING

    Creates a custom chain named LOGGING.

  • iptables -A INPUT -j LOGGING

    Sends INPUT traffic (that reaches this rule) into the LOGGING chain.

  • iptables -A LOGGING -m limit --limit 4/min -j LOG --log-prefix "DROPPED "

    Logs at most 4 messages per minute with prefix “DROPPED ” (prevents log flooding).

  • iptables -A LOGGING -j DROP

    Drops packets after logging.
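
The "allow 1.1.1.0/24 to 80/443" rules and the LOGGING chain above, rendered as one iptables-restore file (an added example, not part of the original gist). Applying the set atomically avoids the lock-out you get when `-P INPUT DROP` lands before the ESTABLISHED rule exists; IFACE and SUBNET are placeholders to adjust for your host.

```shell
#!/bin/sh
# Added example (not from the original gist): the cheat sheet's default-drop
# INPUT policy plus rate-limited logging, emitted in iptables-save format so
# iptables-restore can commit the whole table in one step.
# IFACE and SUBNET are assumed placeholders; change them for your host.
IFACE="${IFACE:-eth0}"
SUBNET="${SUBNET:-1.1.1.0/24}"

# Emit the filter table. Order matters: loopback and return traffic first,
# explicit allows next, and the jump to LOGGING as the last INPUT rule, so
# only packets nothing accepted get logged and dropped. The RELATED,ESTABLISHED
# rule is not bound to an interface, so the 80/443 rule only needs NEW.
build_ruleset() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
:LOGGING - [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -s $SUBNET -p tcp -m multiport --dports 80,443 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -j LOGGING
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -o $IFACE -j ACCEPT
-A LOGGING -m limit --limit 4/min -j LOG --log-prefix "DROPPED "
-A LOGGING -j DROP
COMMIT
EOF
}

# Sanity check before applying: number of INPUT rules that accept traffic.
count_input_accepts() {
    build_ruleset | grep -c '^-A INPUT .* -j ACCEPT$'
}

# Parse-only check first (iptables-restore --test builds the ruleset without
# committing it), then apply. Both need root; the generator above does not.
apply_ruleset() {
    build_ruleset | iptables-restore --test && build_ruleset | iptables-restore
}
```

Save the generated text with `build_ruleset > /etc/iptables/rules.v4` if you use iptables-persistent, so the same file is what comes back at boot.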

Where logs go: typically kernel log (/var/log/kern.log, /var/log/messages, or journald). Exact location depends on rsyslog/systemd config.
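
To make the kernel-log lines produced by the LOG target useful, here is an added triage helper (not from the original gist) that pulls SRC and DPT out of "DROPPED " lines and flags sources hitting several ports. The log lines are constructed samples in the LOG target's key=value shape, not captured from a real host.

```shell
#!/bin/sh
# Added example (not part of the original gist): summarise what the LOGGING
# chain writes. The LOG target emits key=value fields (IN=, SRC=, DST=, PROTO=,
# DPT=); the lines below are constructed samples in that shape. Because the
# chain rate-limits to 4/min, every count here is a lower bound.
SAMPLE_LOG='Jan 30 17:46:01 host kernel: DROPPED IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.2 LEN=60 TTL=52 PROTO=TCP SPT=51000 DPT=22 SYN
Jan 30 17:46:02 host kernel: DROPPED IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.2 LEN=60 TTL=52 PROTO=TCP SPT=51001 DPT=23 SYN
Jan 30 17:46:03 host kernel: DROPPED IN=eth0 OUT= SRC=192.0.2.9 DST=198.51.100.2 LEN=40 TTL=60 PROTO=UDP SPT=40000 DPT=161
Jan 30 17:46:04 host kernel: eth0: link becomes ready'

# Print one "SRC DPT" pair per DROPPED line; unrelated kernel lines are skipped.
drop_pairs() {
    printf '%s\n' "$SAMPLE_LOG" | awk '
        /DROPPED / {
            src = ""; dpt = ""
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^SRC=/) src = substr($i, 5)
                if ($i ~ /^DPT=/) dpt = substr($i, 5)
            }
            if (src != "") print src, dpt
        }'
}

# Dropped packets per source address, busiest first: "count src".
drops_per_source() {
    drop_pairs | awk '{print $1}' | sort | uniq -c | sort -rn | awk '{print $1, $2}'
}

# Sources that hit more than one distinct destination port. Against a
# default-drop host that pattern is usually a port sweep worth a closer look;
# the threshold of 1 is this example's choice, not a standard.
multi_port_sources() {
    drop_pairs | sort -u | awk '{n[$1]++} END {for (s in n) if (n[s] > 1) print s}'
}
```

On a live host replace the `printf` with `journalctl -k` or `cat /var/log/kern.log`, whichever your logging stack uses.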


Important additions (high value)

Show rules with table selection

iptables -t nat -L -v --line-numbers
iptables -t mangle -L -v --line-numbers

Save rules persistently (Debian/Ubuntu common)

sudo apt install iptables-persistent
sudo netfilter-persistent save

IPv6 equivalents (same patterns)

  • List:
    ip6tables -L -v --line-numbers
  • Default drop inbound:
    ip6tables -P INPUT DROP
  • Allow established:
    ip6tables -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT