iptables [-t table] command [match] [target/jump]
-t table: the filter table is the default; to work on any other table you must give it with the -t flag;
command must come first, or right after the table specification; it is what inserts, appends or deletes a rule;
iptables -m tos -h
This lists the TOS match types.
iptables command list
-A, --append appends the rule to the end of a chain
iptables -A chain rule_to_append
-D, --delete (deletes a rule, given either as the exact rule or as its number in the chain)
iptables -D chain exact_rule_to_delete
iptables -D chain number
-R, --replace (replaces the rule at the given position in the chain)
-I, --insert (inserts a new rule at the specified position in the chain)
iptables -I INPUT 1 -p tcp --dport 80 -j ACCEPT
The above inserts the rule at the first position of the INPUT chain. Note that --dport only works after a protocol has been selected with -p (tcp or udp here).
-L (lists the rules in a chain)
iptables -L [chain]
If you specify no chain, the rules of all chains in the table are listed.
iptables -F [chain]
This deletes all rules (from the specified chain if you give one, otherwise from every chain in the table).
iptables -Z [chain]
This resets the packet and byte counters of the specified chain (or of all chains if none is given).
iptables -N custom_chain
This creates a new (custom) chain.
iptables -X custom_chain
This deletes a custom chain. The chain to be deleted must be empty and must not be referenced by any rule.
iptables -P chain target
This sets the default policy of a built-in chain; target can be DROP or ACCEPT.
iptables -E old_chain new_name
This renames a custom chain.
iptables options
-v, --verbose: can be used with list, insert, append, delete and replace. Used with list, it shows the interface, address, TOS and mask columns. Used together with the -x option it also lists the exact packet and byte counters. Used with insert, append, delete or replace it prints detailed information on how the rule was interpreted and whether it was accepted.
-x, --exact: see above. Only relevant to list. Shows counters as exact numbers instead of rounded K/M/G values.
-n, --numeric: outputs numeric values. Only relevant to list. IPs and port numbers are listed instead of the host, network or service names (which is the default).
--line-numbers: only relevant to list. Displays the rule number in front of each rule.
-c, --set-counters: relevant to insert, append and replace. Initialises the counters for a rule.
--set-counters 20 4000
This sets the rule's counters to 20 packets and 4000 bytes.
-M, --modprobe: relevant to all commands; it tells iptables which modprobe command to use when probing for kernel modules or adding them to the kernel.
iptables-save -c [-t table] > file
The -c flag writes the packet and byte counters into the dump instead of leaving them out
-t table saves only the specified table (all tables are dumped by default)
iptables-restore -c -n < file
The -c flag loads the packet and byte counters from the file
-n (--noflush) does not overwrite the current rules (the default is to flush all existing rules before importing)
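As an added example (not from the original page), the script below builds a small stateful filter ruleset in the iptables-save format described above, so it can be loaded atomically with iptables-restore -c rather than one iptables call at a time, and reads an iptables-save -c dump back to show which rules have matched packets. The chain name SERVICES, the source network and the sample dump are constructed values.

```shell
#!/bin/sh
# Added example, not from the original page. gen_ruleset prints an
# iptables-restore file; rule_hits reads an `iptables-save -c` dump and
# reports the rules whose packet counter is non-zero. SERVICES and the
# addresses are placeholders/constructed values.

# gen_ruleset [SSH_SOURCE]: print an iptables-restore file on stdout.
# Policies and rules carry [packets:bytes] counters; a fresh set starts at [0:0].
gen_ruleset() {
    ssh_src="${1:-192.0.2.0/24}"   # constructed admin network (RFC 5737 range)
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:SERVICES - [0:0]
[0:0] -A INPUT -i lo -j ACCEPT
[0:0] -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
[0:0] -A INPUT -m conntrack --ctstate INVALID -j DROP
[0:0] -A INPUT -p tcp -m conntrack --ctstate NEW -j SERVICES
[0:0] -A SERVICES -p tcp --dport 80 -j ACCEPT
[0:0] -A SERVICES -p tcp --dport 22 -s ${ssh_src} -j ACCEPT
COMMIT
EOF
}

# rule_hits: read an `iptables-save -c` dump on stdin and print
# "chain packets bytes" for every -A rule whose packet counter is non-zero.
# Rules that stay at [0:0] for a long time are candidates for review.
rule_hits() {
    awk '$1 ~ /^\[[0-9]+:[0-9]+\]$/ && $2 == "-A" {
        split(substr($1, 2, length($1) - 2), c, ":")
        if (c[1] + 0 > 0) printf "%s %s %s\n", $3, c[1], c[2]
    }'
}

# Constructed sample of `iptables-save -c` output (not captured from a real host).
SAMPLE_DUMP='*filter
:INPUT DROP [5:300]
[12:960] -A INPUT -i lo -j ACCEPT
[0:0] -A INPUT -p tcp --dport 80 -j ACCEPT
COMMIT'

# To load the ruleset for real (as root): gen_ruleset 203.0.113.0/24 | iptables-restore -c
gen_ruleset >/dev/null
printf '%s\n' "$SAMPLE_DUMP" | rule_hits    # prints: INPUT 12 960
```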