iptables Cheatsheet

Firewall rules.

Overview

iptables is the Linux packet-filtering tool that backs most host-level firewalls. Five primitive surfaces cover almost every operational use: tables and chains for placement, match conditions for selection, targets for action, connection tracking for stateful rules, and iptables-save for persistence across reboots.

• Tables and chains. filter, nat, mangle tables; INPUT, OUTPUT, FORWARD chains. Right rule in the right place.
• Match conditions. -p tcp, -s 10.0.0.0/8, --dport 443. Precise rules from precise selectors.
• Targets. ACCEPT, DROP, REJECT, LOG, MASQUERADE. Action matched to intent.
• Connection tracking plus persistence. -m state --state ESTABLISHED,RELATED for stateful rules; iptables-save and iptables-restore survive reboots.

The approach

Five idioms carry most of the operational weight. Memorising them moves the team from cargo-culting rules to writing host firewalls that hold up under audit.

• iptables -L -n -v. List rules with hit counts. Misfiring rules surface immediately.
• iptables -A INPUT -p tcp --dport 22 -j ACCEPT. Allow SSH. The standard pattern for opening one port.
• iptables -P INPUT DROP. Default-deny policy. The starting point for any production host.
• Stateful rule plus persistence. -m state --state ESTABLISHED,RELATED -j ACCEPT for return traffic; iptables-save to persist across reboots.

Why this compounds

Each rule captures policy in a reviewable artefact. The team’s network-security fluency deepens; standard rule sets become reusable templates; new hosts inherit the conventions instead of recreating them.

• Security improves. Default-deny with explicit allows reduces attack surface. Audit findings drop.
• Faster debugging. Hit counts and LOG targets produce visibility into what is actually happening.
• Reusable rule sets. Standard templates capture baseline rules across hosts.
• Year-one investment, year-two habit. First year builds fluency. By year two, iptables is muscle memory.