Iptables Syntax Summary

You can use this brief summary to help you write correct iptables rules. It is only meant to help you get the SYNTAX right. To use the rules correctly you must also understand the underlying concepts.

iptables -A INPUT/FORWARD/OUTPUT ... -j ACCEPT/DROP/REJECT/LOG/user-chain
iptables -t nat -A PREROUTING/POSTROUTING -j SNAT/DNAT --to 10.1.0.6:80
iptables -N NewChain -- creates a new user chain
iptables -I INPUT 1 -- inserts a rule at the given position
iptables -D INPUT 2 -- deletes rule number 2
iptables -P FORWARD DROP -- sets the policy for the entire chain
iptables -A FORWARD -p tcp/udp/icmp/#number -- specify protocol by common name or by number, e.g. 47 is for GRE tunnels
iptables -A FORWARD -s 10.1.0.0/16 -d 10.2.0.0/16 -- source and destination
iptables -A FORWARD -i eth0 -- input interface
-o eth1 -- output interface
--dport -- destination port - only with -p tcp/udp
--sport -- source port - only with -p tcp/udp
--icmp-type echo-request/echo-reply -- only with -p icmp
! -- can be placed in front of any spec for negation
-j LOG --log-prefix "message" -- specifies the log message (hint: the LOG target doesn't exit chains - the rules after it will still be consulted)

Special Modules:
-m state --state NEW/ESTABLISHED/RELATED/INVALID
-m limit --limit 20/m -- 20 per minute limit
--limit-burst 5 -- specifies the limit burst
-p tcp --tcp-flags SYN,ACK,RST ACK,RST -- specifies first which flags to examine (SYN, ACK, RST), then which of them must be set (ACK and RST)
-m length --length 128: -- matches packets longer than 128 bytes
-m owner --pid-owner pid -- OUTPUT packet generated by process pid -- used in combination with grep/scripts
-m mac --mac-source aa:bb:cc:dd:ee:ff -- matches the MAC source address
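As an added worked example (not part of the original summary), the script below puts most of the syntax above together into a small stateful firewall for a two-interface gateway. The interface names (eth0 WAN, eth1 LAN), the 10.1.0.0/16 LAN, the 10.1.0.6 web server and the 203.0.113.10 public address are assumed values. The function prints the iptables commands instead of executing them, so the ruleset can be reviewed before it is applied as root.

```shell
#!/bin/sh
# Added example, not from the original summary. Assumed topology (constructed):
#   eth0 = WAN interface with public address 203.0.113.10
#   eth1 = LAN interface, LAN = 10.1.0.0/16, internal web server = 10.1.0.6
# build_rules prints the commands rather than running them; to apply:
#   build_rules | sudo sh

build_rules() {
    wan_if="eth0"
    lan_if="eth1"
    lan="10.1.0.0/16"
    web="10.1.0.6"
    pub="203.0.113.10"

    # Default policies: deny unless explicitly allowed; local processes may send.
    echo "iptables -P INPUT DROP"
    echo "iptables -P FORWARD DROP"
    echo "iptables -P OUTPUT ACCEPT"

    # User chain that logs (rate limited) and then drops. LOG does not
    # exit the chain, so the DROP rule after it is still consulted.
    echo "iptables -N LOGDROP"
    echo "iptables -A LOGDROP -m limit --limit 20/m --limit-burst 5 -j LOG --log-prefix \"fw-drop: \""
    echo "iptables -A LOGDROP -j DROP"

    # Stateful core: accept replies to existing flows, drop what conntrack cannot classify.
    echo "iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT"
    echo "iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT"
    echo "iptables -A INPUT -m state --state INVALID -j LOGDROP"

    # A NEW TCP connection must start with SYN only: examine SYN,ACK,FIN,RST and
    # require exactly SYN to be set; the leading ! negates the match.
    echo "iptables -A INPUT -p tcp ! --tcp-flags SYN,ACK,FIN,RST SYN -m state --state NEW -j LOGDROP"

    # Loopback, LAN-side SSH to the firewall itself, and rate-limited ping.
    echo "iptables -A INPUT -i lo -j ACCEPT"
    echo "iptables -A INPUT -i $lan_if -s $lan -p tcp --dport 22 -m state --state NEW -j ACCEPT"
    echo "iptables -A INPUT -p icmp --icmp-type echo-request -m limit --limit 20/m -j ACCEPT"

    # Publish the internal web server: DNAT in PREROUTING, then allow the forwarded flow.
    echo "iptables -t nat -A PREROUTING -i $wan_if -p tcp --dport 80 -j DNAT --to $web:80"
    echo "iptables -A FORWARD -i $wan_if -o $lan_if -d $web -p tcp --dport 80 -m state --state NEW -j ACCEPT"

    # Outbound LAN traffic: allow the forward and rewrite the source in POSTROUTING.
    echo "iptables -A FORWARD -i $lan_if -o $wan_if -s $lan -j ACCEPT"
    echo "iptables -t nat -A POSTROUTING -o $wan_if -s $lan -j SNAT --to $pub"

    # Everything else is logged and dropped.
    echo "iptables -A INPUT -j LOGDROP"
    echo "iptables -A FORWARD -j LOGDROP"
}

# Number of commands the ruleset generates; a quick sanity check before applying.
rule_count() {
    build_rules | wc -l | tr -d ' '
}

build_rules
```

Rule order matters: the ESTABLISHED,RELATED rules sit near the top so return traffic is accepted cheaply, the DNAT rule only rewrites the destination, so a matching FORWARD rule for the rewritten address is still required, and the catch-all LOGDROP rules come last because iptables evaluates a chain top to bottom and stops at the first terminating target.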