iptables related commands


iptables [-t table] command [match] [target/jump]

-t table: the default is the filter table; for any other table you must use the -t flag;

command must come first or right after the table specification; it is used to insert, add or delete a rule;

iptables -m tos -h

This lists the TOS match types.

iptables commands list

-A, --append (appends the rule to the end of a chain)

iptables -A chain rule_to_append

-D, --delete (deletes a rule)

iptables -D chain exact_rule_to_delete

iptables -D chain number

-R, --replace (replaces a rule)

-I, --insert (inserts a new rule at the specified position in the chain)

iptables -I INPUT 1 -p tcp --dport 80 -j ACCEPT

The above will insert the rule in the INPUT chain at the first position (--dport is only valid together with a protocol such as -p tcp).

-L (lists the rules in a chain)

iptables -L [chain]

If you specify no chain, the rules of all chains will be listed.

-F, --flush

iptables -F [chain]

This deletes all rules (from the specified chain if you specify one).

-Z, --zero

iptables -Z [chain]

This will reset all counters for the specified chain.

-N, --new-chain

iptables -N custom_chain

This will create a new (custom) chain.

-X, --delete-chain

The chain to be deleted must be empty.

-P, --policy

iptables -P chain target

target can be DROP or ACCEPT.

-E, --rename-chain

iptables -E old_chain new_name

iptables options

-v, --verbose

This can be used with list, insert, append, delete and replace. Used with list, it shows the interface names, TOS value and masks. Used together with the -x option it also lists the exact packet and byte counters. Used with insert, append, delete or replace it outputs detailed information on how the rule was interpreted and whether it was accepted.

-x, --exact

See above. Only relevant to list.

-n, --numeric

This will output numeric values. Only relevant to list. IPs and port numbers will be listed instead of the host, network or application names (which is the default).

--line-numbers

This is only relevant to list. It displays the rule number in front of each rule.
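The -v, -x, -n and --line-numbers options together give an exact, machine-readable listing, which is what a rule audit wants. Below is an added example (not part of the original notes) that parses such a listing and reports rules whose packet counter is still zero, i.e. rules that never matched since the last -Z and deserve a review; the listing embedded in the script is constructed sample data, not output from a real host.

```shell
#!/bin/sh
# Added example: find rules whose packet counter is zero in the output of
#   iptables -L -v -n -x --line-numbers
# A zero-hit rule is either dead, mis-written (wrong port/protocol), or
# protects a service nobody reached; all three are worth a look.
# SAMPLE_LISTING is constructed sample data in the exact column layout that
# -L -v -n -x --line-numbers produces; it does not come from a live system.

SAMPLE_LISTING='Chain INPUT (policy DROP 12 packets, 720 bytes)
num      pkts      bytes target     prot opt in     out     source               destination
1      483920  61029384 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
2           0         0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:8080
3       12044    904212 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:22

Chain FORWARD (policy DROP 0 packets, 0 bytes)
num      pkts      bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
num      pkts      bytes target     prot opt in     out     source               destination
1           0         0 DROP       udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:53'

# zero_hit_rules: read a listing on stdin and print one line per zero-hit rule:
#   CHAIN rule_number target match_details
# Column positions assume --line-numbers (num is $1, pkts is $2) and -x
# (exact counters, so "0" really means zero, not a rounded "0K").
zero_hit_rules() {
    awk '
        /^Chain / { chain = $2; next }          # remember the chain we are in
        /^num / || NF == 0 { next }             # skip header and blank lines
        $2 == 0 {                               # pkts column is zero
            extra = ""
            for (i = 11; i <= NF; i++)          # match details start at column 11
                extra = extra (i > 11 ? " " : "") $i
            printf "%s %s %s %s\n", chain, $1, $4, extra
        }
    '
}

# On a live host you would run:  iptables -L -v -n -x --line-numbers | zero_hit_rules
printf '%s\n' "$SAMPLE_LISTING" | zero_hit_rules
```

Reset the counters with iptables -Z before a measurement window so that the report reflects current traffic rather than counts accumulated since boot.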

-c, --set-counters

This is relevant to insert, append and replace. It initialises the packet and byte counters of the rule.

--set-counters 20 4000

This would set the counters to 20 packets and 4000 bytes.

-M, --modprobe

This is relevant to all commands and it is used to tell iptables which command to use when probing for modules or adding them to the kernel.

iptables-save

iptables-save -c -t table > file

-c saves the current packet and byte counters together with the rules (they are not reset)

-t table restricts the dump to the given table (the default is to save all tables)

iptables-restore

iptables-restore -c -n < text_file

-c restores the packet and byte counters stored in the file
-n does not flush the current rules before loading the file (the default is to flush all rules prior to import)

Audit tools

– nmap

– nessus