@AlexAtkinson
Last active February 27, 2026 20:02
Guide: iptables

iptables

NOTICE: iptables is being deprecated. See nftables.

Architecture

Understanding the netfilter architecture is helpful, but not necessary to make use of the information here.

Diagram

(Image: Netfilter Diagram)

SHOW ALL

Some iptables commands, such as iptables -S, display only the 'filter' table unless another table is selected with -t. The following methods let you view all of the tables at once, or one table at a time.

Save Output

iptables-save
ip6tables-save

Table Specific

sudo iptables -L -v -n -t filter          # Filters INPUT/OUTPUT/FORWARD traffic (ACCEPT/DROP/REJECT)
sudo iptables -L -v -n -t nat             # Network address translation (SNAT/DNAT/MASQUERADE/REDIRECT)
sudo iptables -L -v -n -t mangle          # Alters packet headers and marks (TTL, TOS, MARK)
sudo iptables -L -v -n -t raw             # Connection-tracking exemptions (NOTRACK); consulted before conntrack
sudo iptables -L -v -n -t security        # Mandatory access control labels (SECMARK/CONNSECMARK)
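As an added example that is not part of the gist, the following reads the text that iptables-save (or ip6tables-save) prints and summarises every table in one pass, which is the practical way to review all five tables rather than one -t listing at a time. The function names (summarize_iptables_save, unfiltered_chains, demo_summary, demo_unfiltered), the --demo switch and the sample dump are my own assumptions; the sample is constructed, not captured from a real host.

```shell
#!/bin/sh
# Added example (not code from the gist): summarise an iptables-save dump
# per table so every table can be reviewed at once.  The functions read the
# text that `iptables-save` (or `ip6tables-save`) prints, from a file
# argument or from stdin.
#
# The four line kinds of the save format that matter here:
#   *filter                   start of a table
#   :INPUT ACCEPT [12:3456]   chain definition: name, default policy, counters
#   -A INPUT ...              one rule, appended to the chain named after -A
#   COMMIT                    end of the table

# summarize_iptables_save [file]
#   Prints one line per chain: "<table> <chain> policy=<P> rules=<N>".
summarize_iptables_save() {
    awk '
        /^\*/     { table = substr($1, 2); next }
        /^:/      { key = table ":" substr($1, 2); policy[key] = $2; rules[key] += 0; next }
        /^-A /    { rules[table ":" $2] += 1; next }
        /^COMMIT/ {
            for (key in policy) {
                if (index(key, table ":") == 1) {
                    split(key, part, ":")
                    printf "%s %s policy=%s rules=%d\n", part[1], part[2], policy[key], rules[key]
                }
            }
            next
        }
    ' "$@" | LC_ALL=C sort
}

# unfiltered_chains [file]
#   Lists filter-table chains whose default policy is ACCEPT and that hold
#   no rules at all: traffic through them is not inspected.  ACCEPT on
#   OUTPUT is common; ACCEPT with no rules on INPUT or FORWARD is the
#   finding to look at.
unfiltered_chains() {
    summarize_iptables_save "$@" |
        awk '$1 == "filter" && $3 == "policy=ACCEPT" && $4 == "rules=0" { print $1, $2 }'
}

# Constructed sample dump (not captured from a real host) for a
# self-contained run.
SAMPLE_SAVE='# Generated by iptables-save (constructed sample)
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-port-unreachable
COMMIT'

# Summary and findings for the constructed sample.
demo_summary()    { printf '%s\n' "$SAMPLE_SAVE" | summarize_iptables_save; }
demo_unfiltered() { printf '%s\n' "$SAMPLE_SAVE" | unfiltered_chains; }

if [ "${1:-}" = "--demo" ]; then
    demo_summary
    echo "--- unfiltered chains (filter table, ACCEPT policy, no rules) ---"
    demo_unfiltered
fi
```

Run it with --demo to see the constructed sample summarised, or source the file (assumed name audit.sh) and call summarize_iptables_save on a saved dump: sudo iptables-save > dump.txt; . ./audit.sh; unfiltered_chains dump.txt. In the sample, INPUT ends in a REJECT so its ACCEPT policy is never reached, but FORWARD has an ACCEPT policy and no rules, which is exactly the kind of gap the listing makes visible.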

Scripting

Rule Helper

The following checks whether a rule already exists and appends it only if it does not, so the helper can be re-run without creating duplicate rules.

🗒️ -C takes the same <chain> <rule-spec> arguments as -D (and -A), which is why the same arguments are passed to both.

function _ensure_iptables_rule() {
    # Usage: _ensure_iptables_rule <chain> <rule-spec...>
    # A table other than filter can be selected with -t anywhere after the chain.
    # -C exits 0 when an identical rule is present; its stderr is silenced
    # because a missing rule is the expected case, not an error.
    if ! sudo iptables -C "$@" 2>/dev/null; then
        sudo iptables -A "$@"
    fi
}

Rules

Some common rules.

DROP Private CIDRs

iptables -A OUTPUT -d 10.0.0.0/8 -j DROP
iptables -A OUTPUT -d 172.16.0.0/12 -j DROP
iptables -A OUTPUT -d 192.168.0.0/16 -j DROP

Practical Demo

From my StackExchange Answer

Accept All

iptables -I INPUT -j ACCEPT

Flush/Reset

iptables -F
iptables -X
iptables -t nat -F
iptables -t nat -X
iptables -t mangle -F
iptables -t mangle -X
iptables -t raw -F
iptables -t raw -X
iptables -t security -F
iptables -t security -X
iptables -P INPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -P OUTPUT ACCEPT

Allow Traffic

iptables -A INPUT -i lo -j ACCEPT -m comment --comment "Allow all loopback traffic"
iptables -A INPUT ! -i lo -d 127.0.0.0/8 -j REJECT -m comment --comment "Drop all traffic to 127 that doesn't use lo"
iptables -A OUTPUT -j ACCEPT -m comment --comment "Accept all outgoing"
iptables -A INPUT -j ACCEPT -m comment --comment "Accept all incoming"
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT -m comment --comment "Allow all incoming on established connections"
iptables -A INPUT -j REJECT -m comment --comment "Reject all incoming"
iptables -A FORWARD -j REJECT -m comment --comment "Reject all forwarded"

Hardened Rules

iptables -I INPUT -p tcp --dport 80 -j ACCEPT -m comment --comment "Allow HTTP"
iptables -I INPUT -p tcp --dport 443 -j ACCEPT -m comment --comment "Allow HTTPS"
iptables -I INPUT -p tcp -m state --state NEW --dport 22 -j ACCEPT -m comment --comment "Allow SSH"
iptables -I INPUT -p tcp --dport 8071:8079 -j ACCEPT -m comment --comment "Allow torrents"
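As an added example that is not part of the gist, the script below ties the Rule Helper and Hardened Rules sections together: the check-then-append helper is used to build the allow rules in an order that never shadows a later reject and never locks out the SSH session, and only then are the default policies tightened. The IPT variable, the function names (rule_exists, ensure_rule, apply_hardened_rules), the --apply switch, the DROP policies and the use of the conntrack match (the current name of the "state" match the gist uses) are my own choices, not the gist's.

```shell
#!/bin/sh
# Added example (not code from the gist): the gist's rule helper made
# idempotent, then used to build the "Hardened Rules" set in a safe order.
# IPT is the command used for every call; it defaults to "sudo iptables"
# and may be pointed at a wrapper or, for a dry run, at a shell function
# that records rules instead of applying them.
IPT="${IPT:-sudo iptables}"

# rule_exists <chain> <rule-spec...>
#   -C takes the same <chain> <rule-spec> arguments as -A and -D and exits
#   0 when an identical rule is already in the chain.
rule_exists() {
    $IPT -C "$@" 2>/dev/null
}

# ensure_rule <chain> <rule-spec...>
#   Appends the rule only when it is missing, so running it twice leaves
#   exactly one copy (plain -A would add a duplicate on every run).
ensure_rule() {
    if ! rule_exists "$@"; then
        $IPT -A "$@"
    fi
}

# apply_hardened_rules
#   A chain is evaluated top to bottom and stops at the first match, so an
#   early accept-everything rule would shadow every reject placed after it.
#   Loopback and conntrack rules go first, the per-service allows next, and
#   the DROP policy is set last, after the SSH allow is already in place.
apply_hardened_rules() {
    ensure_rule INPUT -i lo -j ACCEPT -m comment --comment "Allow all loopback traffic"
    ensure_rule INPUT ! -i lo -d 127.0.0.0/8 -j REJECT -m comment --comment "Reject traffic to 127/8 that does not use lo"
    # conntrack is the current name of the "state" match used in the gist.
    ensure_rule INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT -m comment --comment "Allow replies on established connections"
    ensure_rule INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT -m comment --comment "Allow SSH"
    ensure_rule INPUT -p tcp --dport 80 -j ACCEPT -m comment --comment "Allow HTTP"
    ensure_rule INPUT -p tcp --dport 443 -j ACCEPT -m comment --comment "Allow HTTPS"
    # Default policies last: everything not matched above is now dropped.
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT ACCEPT
}

# Apply for real only when explicitly asked:  sudo sh hardened.sh --apply
if [ "${1:-}" = "--apply" ]; then
    apply_hardened_rules
fi
```

Because every rule goes through ensure_rule, the script can be run repeatedly (from a provisioning tool, a cron job, or by hand) and the chain ends up with one copy of each rule; setting IPT to a recording function gives a dry run that shows exactly which rules would be added without touching the kernel.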



Copyright © 2025 Alex Atkinson. All Rights Reserved.
