List all rules
sudo iptables -L -v
List rules with line numbers
sudo iptables -L --line-numbers
Allow incoming SSH
sudo iptables -A INPUT -p tcp --dport 22 -j ACCEPT
Allow incoming HTTP
sudo iptables -A INPUT -p tcp --dport 80 -j ACCEPT
Allow incoming HTTPS
sudo iptables -A INPUT -p tcp --dport 443 -j ACCEPT
Allow from specific IP
sudo iptables -A INPUT -s 192.168.1.100 -j ACCEPT
Block specific IP
sudo iptables -A INPUT -s 192.168.1.100 -j DROP
Block specific port
sudo iptables -A INPUT -p tcp --dport 23 -j DROP
Allow loopback
sudo iptables -A INPUT -i lo -j ACCEPT
Allow established connections
sudo iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
Drop all other input
sudo iptables -P INPUT DROP
Default policies
sudo iptables -P INPUT DROP
sudo iptables -P FORWARD DROP
sudo iptables -P OUTPUT ACCEPT
Delete rule by number
sudo iptables -D INPUT 3
Delete specific rule
sudo iptables -D INPUT -p tcp --dport 80 -j ACCEPT
Flush all rules
sudo iptables -F
Flush specific chain
sudo iptables -F INPUT
Save rules (Ubuntu/Debian)
sudo iptables-save > /etc/iptables/rules.v4
Restore rules
sudo iptables-restore < /etc/iptables/rules.v4
NAT port forwarding
sudo iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-port 8080
Masquerade (NAT)
sudo iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
Limit connection rate
sudo iptables -A INPUT -p tcp --dport 22 -m limit --limit 3/min -j ACCEPT
Block ping
sudo iptables -A INPUT -p icmp --icmp-type echo-request -j DROP
Log dropped packets
sudo iptables -A INPUT -j LOG --log-prefix "IPTables-Dropped: "
Allow specific subnet
sudo iptables -A INPUT -s 192.168.1.0/24 -j ACCEPT
Port range
sudo iptables -A INPUT -p tcp --dport 6000:6100 -j ACCEPT