Quick take: The iptables command configures the Linux kernel firewall through rules in chains (INPUT, OUTPUT, FORWARD). List rules with iptables -L -n -v and add them with -A. For everyday use on Ubuntu, the simpler ufw sits on top of iptables.

Introduction

The iptables command is the traditional, powerful interface to the Linux kernel's netfilter firewall. It organises rules into chains — INPUT for incoming traffic, OUTPUT for outgoing, and FORWARD for routed traffic — and processes packets against them in order. It is more complex than ufw but offers complete control.

This guide covers the structure of chains and rules, allowing and blocking traffic, listing and deleting rules, and making them persist across reboots.

Syntax

The basic syntax of the iptables command is:

iptables [-t TABLE] COMMAND CHAIN RULE

Common Options and Parameters

The most useful options and parameters for the iptables command:

Option                    Description
-L -n -v                  List rules (numeric, verbose).
-A CHAIN                  Append a rule to a chain.
-I CHAIN N                Insert a rule at position N.
-D CHAIN N                Delete rule number N from a chain.
-p tcp --dport N          Match a TCP destination port.
-s IP / -d IP             Match a source / destination address.
-j ACCEPT|DROP|REJECT     Action to take when a rule matches.
-P CHAIN POLICY           Set the default policy for a chain.
--line-numbers            Show rule numbers when listing.

Practical Examples

Real iptables commands you can run today:

# List all rules with packet counts
sudo iptables -L -n -v
# Allow incoming SSH
sudo iptables -A INPUT -p tcp --dport 22 -j ACCEPT
# Allow HTTP and HTTPS
sudo iptables -A INPUT -p tcp -m multiport --dports 80,443 -j ACCEPT
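# Block a specific IP (-A appends, so ACCEPT rules above it still match first; use -I INPUT 1 to put the DROP at the top)
sudo iptables -A INPUT -s 203.0.113.5 -j DROP
# Delete a rule by number (check the numbers first with: sudo iptables -L INPUT -n --line-numbers)
sudo iptables -D INPUT 3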
# Save rules (Debian/Ubuntu)
sudo iptables-save | sudo tee /etc/iptables/rules.v4

Tips and Best Practices

  • Allow SSH before setting a restrictive default policy on a remote server, or you will lock yourself out.
  • iptables rules are not persistent by default — save them with iptables-save and restore with iptables-restore, or use the iptables-persistent package.
  • For most host firewalling, ufw is far simpler and sits on top of iptables; reach for raw iptables when you need fine control or NAT.
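
Two mistakes follow from top-to-bottom evaluation and the lock-out tip above: a source-based DROP placed after an open ACCEPT, and a DROP default policy with no rule accepting SSH. The script below is an added example, not part of the original guide; the function names sample_rules and lint_input_chain and the sample ruleset are constructed for illustration, and it inspects only the INPUT chain of a filter-table dump in iptables-save format.

```shell
#!/bin/sh
# Added example: lint an iptables-save dump for INPUT-chain ordering mistakes.
# On a live host: sudo iptables-save -t filter | lint_input_chain

# Constructed sample in iptables-save format (filter table only).
sample_rules() {
cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m multiport --dports 80,443 -j ACCEPT
-A INPUT -s 203.0.113.5/32 -j DROP
COMMIT
EOF
}

# Reads iptables-save output on stdin and prints one finding per line.
lint_input_chain() {
awk '
  /^:INPUT / { policy = $2 }            # default policy of the INPUT chain
  /^-A INPUT / {
    n++                                 # rule number, as --line-numbers shows it
    is_accept = ($0 ~ /-j ACCEPT$/)
    has_src   = ($0 ~ / -s /)
    # "Open" rule: ACCEPT on a port match with no source restriction.
    if (is_accept && !has_src && $0 ~ /--dports? /) {
      open_rule = n; open_text = $0
    }
    # tcp/22 accepted via --dport 22 or inside a multiport list.
    if (is_accept && $0 ~ /--dports? ([0-9:]+,)*22[,: ]/) { ssh_ok = 1 }
    # A source-based DROP after an open ACCEPT never sees traffic to those ports.
    if ($0 ~ /-j DROP$/ && has_src && open_rule) {
      printf "SHADOWED rule %d (%s) follows rule %d (%s)\n", n, $0, open_rule, open_text
    }
  }
  END {
    if (policy == "DROP" && !ssh_ok) {
      print "LOCKOUT INPUT policy is DROP and no rule accepts tcp/22"
    }
  }'
}
```

Run against the constructed sample, it reports rule 3 as shadowed by rule 2 and flags the missing SSH rule; an empty result means neither pattern was found, not that the ruleset is otherwise sound.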

Final Thoughts

iptables gives complete control over the Linux firewall through ordered rules in chains, at the cost of complexity. Learn to list with -L -n -v, append with -A, and the ACCEPT/DROP actions, and always allow SSH before tightening defaults. Save rules so they survive reboots — and remember ufw handles the common cases with far less effort.

FAQ: iptables Command in Linux

How do I list iptables rules?

Use sudo iptables -L -n -v for a numeric, verbose listing with packet counts. Add --line-numbers to see rule numbers for editing or deletion.

How do I allow a port with iptables?

Append an ACCEPT rule, for example sudo iptables -A INPUT -p tcp --dport 443 -j ACCEPT to allow HTTPS. Rules are evaluated top to bottom, so order matters.

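How do I block an IP address?

Add a DROP rule: sudo iptables -A INPUT -s 203.0.113.5 -j DROP silently discards traffic from that address. Because rules are evaluated in order, the DROP must sit above any ACCEPT rule that would otherwise match the same packets first; insert it at the top with -I INPUT 1 if such rules already exist. Use REJECT instead of DROP to send a rejection back.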

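How do I make iptables rules persistent?

Rules reset on reboot by default. Save them with sudo iptables-save | sudo tee /etc/iptables/rules.v4 (a plain > redirect is opened by your unprivileged shell, not by sudo, and fails on a root-owned path) and restore at boot, or install the iptables-persistent package to automate it.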

Should I use iptables or ufw?

ufw is a simple front end to iptables and is best for everyday host firewalling on Ubuntu. Use raw iptables when you need advanced rules, NAT, or fine-grained control that ufw does not expose.
