@AlexAtkinson
Last active January 10, 2026 20:31
Guide: iptables

iptables

NOTICE: iptables is deprecated in favour of nftables. On current distributions the iptables command is usually the iptables-nft compatibility front end over the nftables kernel API; iptables -V reports which one is in use, "(nf_tables)" or "(legacy)". Everything below still works through that front end, but new rulesets should be written for nftables.

Architecture

Understanding the netfilter architecture (the order in which the raw, mangle, nat, filter and security tables see a packet) is helpful, but not necessary to make use of the information here.

Diagram

Netfilter Diagram

SHOW ALL

Some iptables commands, such as iptables -S and iptables -L, display only the 'filter' table unless -t is given. The following methods show all or some of the tables. In the listings below, -v adds packet/byte counters and interface names and -n skips DNS and service-name lookups, which would otherwise slow the listing down and can hang it if DNS is unreachable.

Save Output

iptables-save             # Every table, in the format iptables-restore reads (-c includes counters)
ip6tables-save            # The same for IPv6; iptables rules never apply to IPv6 traffic

Table Specific

sudo iptables -L -v -n -t filter          # Accepts/rejects packets in INPUT/OUTPUT/FORWARD; the default table
sudo iptables -L -v -n -t nat             # Address translation (SNAT/DNAT/MASQUERADE/REDIRECT); consulted only for the first packet of a connection
sudo iptables -L -v -n -t mangle          # Packet header changes and marks (TTL, TOS, MARK)
sudo iptables -L -v -n -t raw             # Evaluated before connection tracking; used to exempt flows from conntrack (NOTRACK)
sudo iptables -L -v -n -t security        # Mandatory Access Control labels (SELinux SECMARK/CONNSECMARK); evaluated after filter

Scripting

Rule Helper

The following checks whether a rule already exists and appends it only if it does not, so the helper can be run repeatedly (from a provisioning script, for example) without accumulating duplicate rules.

🗒️ -C takes the same chain and rule specification as -D: it exits 0 when an identical rule exists and non-zero when it does not, and it changes nothing.

# Usage: _ensure_iptables_rule CHAIN RULE-SPEC...
# e.g.   _ensure_iptables_rule INPUT -p tcp --dport 22 -j ACCEPT
function _ensure_iptables_rule() {
    local chain="$1"; shift
    # -C exits non-zero when no identical rule exists; its stderr is silenced because
    # that is the expected case. A typo in RULE-SPEC also fails -C, and the -A then
    # reports the real error.
    if ! sudo iptables -C "$chain" "$@" 2>/dev/null; then
        sudo iptables -A "$chain" "$@"
    fi
}
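A table-aware version of the same pattern, added here as an example (it is not code from the gist): it keeps the -C-then-add logic but also accepts an optional -t TABLE, lets the caller choose -A or -I, and reads the binary from an IPTABLES variable (an assumed hook for this example, not an iptables feature) so one function drives ip6tables as well. It is POSIX sh, so it runs under dash as well as bash, and it prints "added" or "present" so a caller can tell what happened.

```sh
#!/bin/sh
# Added example, not from the gist: table-aware idempotent rule helper.
# IPTABLES is an assumed hook: set it to "ip6tables" for IPv6, or to a stub for testing.
: "${IPTABLES:=iptables}"

# _ipt ARGS... : run $IPTABLES, prefixing "-t $table" when a table is set.
_ipt() {
    if [ -n "$table" ]; then
        "$IPTABLES" -t "$table" "$@"
    else
        "$IPTABLES" "$@"
    fi
}

# ensure_rule [-t TABLE] (-A|-I) CHAIN RULE-SPEC...
# Prints "present" if an identical rule already exists, "added" after creating it.
# -C takes exactly the CHAIN RULE-SPEC that -A/-I/-D take, so the check and the add
# use the same argument list. A typo in RULE-SPEC makes -C fail (silently) and the
# following -A/-I then fails loudly with the real error, so nothing is masked.
ensure_rule() {
    table=""
    if [ "$1" = "-t" ]; then
        table="$2"
        shift 2
    fi
    action="$1"
    chain="$2"
    shift 2
    case "$action" in
        -A|-I) ;;
        *) echo "ensure_rule: action must be -A or -I, got '$action'" >&2; return 2 ;;
    esac
    if _ipt -C "$chain" "$@" 2>/dev/null; then
        echo present
    else
        _ipt "$action" "$chain" "$@" || return 1
        echo added
    fi
}

# Usage (needs root; left commented so sourcing this file only defines functions):
# ensure_rule -I INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
# ensure_rule -t nat -A POSTROUTING -o eth0 -j MASQUERADE
# IPTABLES=ip6tables ensure_rule -A INPUT -i lo -j ACCEPT
```

Because -I is only used when the rule is absent, re-running a script that inserts at the top of a chain does not keep pushing duplicates above the existing rules, which is the usual failure of naive "iptables -I" provisioning.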

Rules

Some common rules.

DROP Private CIDRs

iptables -A OUTPUT -d 10.0.0.0/8 -j DROP        # RFC 1918; egress filtering so a compromised host cannot reach internal ranges
iptables -A OUTPUT -d 172.16.0.0/12 -j DROP     # RFC 1918; note this also blocks the host's own LAN if it lives in one of these ranges
iptables -A OUTPUT -d 192.168.0.0/16 -j DROP    # RFC 1918

Practical Demo

From my StackExchange Answer

Accept All

iptables -I INPUT -j ACCEPT    # Inserted at position 1, so it matches every packet before any other INPUT rule; a recovery step, not a ruleset

Flush/Reset

# Set the built-in policies to ACCEPT before flushing. Flushing first would leave a
# DROP policy in force with no ACCEPT rules, which cuts off a remote session.
iptables -P INPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -P OUTPUT ACCEPT
# -F removes every rule in the table, -X deletes the (now empty) user-defined chains.
iptables -F
iptables -X
iptables -t nat -F
iptables -t nat -X
iptables -t mangle -F
iptables -t mangle -X
iptables -t raw -F
iptables -t raw -X
iptables -t security -F
iptables -t security -X

Allow Traffic

These use -A, so they are evaluated in the order they are run and the first match wins. Anything appended after a rule that matches every packet is dead.

iptables -A INPUT -i lo -j ACCEPT -m comment --comment "Allow all loopback traffic"
iptables -A INPUT ! -i lo -d 127.0.0.0/8 -j REJECT -m comment --comment "Reject traffic to 127/8 that does not arrive on lo"
iptables -A OUTPUT -j ACCEPT -m comment --comment "Accept all outgoing"
# iptables -A INPUT -j ACCEPT -m comment --comment "Accept all incoming"   # Only while testing: it matches everything, so the rules below it are never reached
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT -m comment --comment "Allow replies on established connections"   # -m state --state is a deprecated alias of conntrack
iptables -A INPUT -j REJECT -m comment --comment "Reject all other incoming"
iptables -A FORWARD -j REJECT -m comment --comment "Reject all forwarded"

Hardened Rules

# -I inserts at position 1 of INPUT, so each rule lands ahead of everything appended in
# "Allow Traffic", including the final REJECT. Each -I goes to the top, so the last one
# run is evaluated first; order among these does not matter because they cannot overlap.
iptables -I INPUT -p tcp --dport 80 -j ACCEPT -m comment --comment "Allow HTTP"
iptables -I INPUT -p tcp --dport 443 -j ACCEPT -m comment --comment "Allow HTTPS"
iptables -I INPUT -p tcp -m conntrack --ctstate NEW --dport 22 -j ACCEPT -m comment --comment "Allow SSH"
iptables -I INPUT -p tcp --dport 8071:8079 -j ACCEPT -m comment --comment "Allow torrents"
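The demo above builds the ruleset one command at a time, which leaves the host half-filtered between commands and makes the final order depend on which lines used -A and which used -I. The following is an added example, not part of the gist or of the StackExchange answer it cites: a shell function that emits the same baseline as a single iptables-restore document (default-drop policies, loopback, conntrack, rate-limited ping, SSH from a chosen source network, and a list of TCP ports), plus a wrapper that validates the document with iptables-restore --test before loading it in one atomic commit. The SSH source network and the port list are positional parameters chosen for this example; 203.0.113.0/24 in the usage line is a documentation address block used only as a placeholder.

```sh
#!/bin/sh
# Added example, not from the gist: emit a complete host firewall in
# iptables-restore format so it is loaded atomically rather than rule by rule.

# baseline_ruleset SSH_SOURCE [TCP_PORT...]
# SSH_SOURCE is the network allowed to open SSH (0.0.0.0/0 for anywhere);
# each TCP_PORT gets an accept rule for new connections.
baseline_ruleset() {
    ssh_src="${1:-0.0.0.0/0}"
    [ $# -gt 0 ] && shift
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# Order matters: loopback and conntrack first, so replies to this host's own
# connections never have to pass the per-port rules. Lines starting with '#'
# are ignored by iptables-restore.
-A INPUT -i lo -j ACCEPT -m comment --comment "Allow all loopback traffic"
-A INPUT ! -i lo -d 127.0.0.0/8 -j DROP -m comment --comment "Drop 127/8 arriving on a non-loopback interface (no reply to a spoofed source)"
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT -m comment --comment "Replies on established connections"
-A INPUT -m conntrack --ctstate INVALID -j DROP -m comment --comment "Drop packets conntrack cannot classify"
-A INPUT -p icmp --icmp-type echo-request -m limit --limit 5/second -j ACCEPT -m comment --comment "Rate-limited ping"
-A INPUT -p tcp --dport 22 -s $ssh_src -m conntrack --ctstate NEW -j ACCEPT -m comment --comment "Allow SSH from the management network"
EOF
    for p in "$@"; do
        printf '%s\n' "-A INPUT -p tcp --dport $p -m conntrack --ctstate NEW -j ACCEPT -m comment --comment \"Allow TCP $p\""
    done
    cat <<EOF
-A INPUT -j REJECT -m comment --comment "Reject everything else"
-A FORWARD -j REJECT -m comment --comment "Reject all forwarded"
COMMIT
EOF
}

# apply_ruleset SSH_SOURCE [TCP_PORT...]
# Parse-check the document first; only a document that passes is committed, and
# iptables-restore replaces the whole filter table in one step.
apply_ruleset() {
    tmp=$(mktemp)
    baseline_ruleset "$@" > "$tmp"
    if iptables-restore --test < "$tmp"; then
        iptables-restore < "$tmp"
    fi
    rm -f "$tmp"
}

# Usage (needs root; left commented so sourcing this file only defines functions):
# baseline_ruleset 203.0.113.0/24 80 443          # print the document for review
# apply_ruleset 203.0.113.0/24 80 443             # validate, then load atomically
```

The built-in policies are DROP rather than the ACCEPT used in the demo, so a later iptables -F fails closed instead of open; that is exactly why the Flush/Reset section must set the policies back to ACCEPT before flushing when you want a clean slate.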