iptables Rule Explainer
Paste an iptables rule — or a whole ruleset, one per line — and get it back in plain English, flag by flag. Well-known ports are named for you (22 → SSH, 443 → HTTPS). Nothing leaves your browser. There's a cheatsheet at the bottom for when you just need a reminder.
Cheatsheet
Commands
- -A: Append a rule to the end of a chain
- -I: Insert a rule (default: at the top)
- -D: Delete a matching rule
- -R: Replace a rule by number
- -P: Set a chain's default policy
- -N: Create a new user-defined chain
- -F: Flush (delete all rules in) a chain
- -L: List rules (add -n to skip DNS lookups)
Built-in Chains
- INPUT: Traffic destined for this machine
- OUTPUT: Traffic this machine sends out
- FORWARD: Traffic routed through this machine (not addressed to it)
- PREROUTING: As packets arrive, before routing (nat/mangle)
- POSTROUTING: As packets leave, after routing (nat/mangle)
Match Options
- -p: Protocol: tcp, udp, icmp, all
- -s / -d: Source / destination IP or CIDR
- --sport / --dport: Source / destination port
- -i / -o: Incoming / outgoing interface
- -m state: Match connection-tracking state with --state NEW,ESTABLISHED,RELATED,INVALID
- -m multiport: --dports 80,443 — several ports in one rule
- !: Invert the next match (NOT)
Targets (-j)
- ACCEPT: Let the packet through
- DROP: Discard silently, no reply
- REJECT: Discard and send an error back
- LOG: Log the packet, then continue with the next rule (non-terminating)
- DNAT: Rewrite the destination address/port (port forwarding)
- SNAT: Rewrite the source address (fixed public IP)
- MASQUERADE: Rewrite the source to the outgoing interface's IP (dynamic IP)
- RETURN: Leave this chain and resume in the calling chain
Tables (-t)
- filter: Default — allow/deny decisions
- nat: Address/port rewriting (DNAT/SNAT)
- mangle: Alter headers (TTL, TOS, marks)
- raw: Connection-tracking exemptions
Rule of Thumb
- Order: Rules are checked top-to-bottom; the first match wins
- Policy: Set -P … DROP, then explicitly ACCEPT what you need
- State: Allow ESTABLISHED,RELATED early so replies get back in
- Persist: Rules are in-memory; save with iptables-save / netfilter-persistent
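As an added example (not the page's own code), a minimal Python version of the explainer this page describes: it walks one rule flag by flag using the cheatsheet's vocabulary and names well-known ports. Only the flags listed above are covered; anything else is reported as unrecognised rather than guessed, which is the "explainer, not validator" behaviour.

```python
import shlex

# Vocabulary mirrors the cheatsheet; extend these dicts to cover more flags/targets.
PORT_NAMES = {22: "SSH", 25: "SMTP", 53: "DNS", 80: "HTTP", 443: "HTTPS"}
COMMANDS = {"-A": "Append to", "-I": "Insert at the top of", "-D": "Delete from"}
TARGETS = {"ACCEPT": "let the packet through", "DROP": "discard silently, no reply",
           "REJECT": "discard and send an error back", "LOG": "log, then keep checking rules",
           "MASQUERADE": "rewrite source to the outgoing interface's IP", "RETURN": "leave this chain"}
MATCHES = {"-p": "protocol {}", "-s": "from {}", "-d": "to {}", "-i": "arriving on {}",
           "-o": "leaving via {}", "--sport": "source port {}", "--dport": "destination port {}",
           "--sports": "source ports {}", "--dports": "destination ports {}",
           "--state": "connection state {}"}

def name_ports(value):
    """Label well-known ports: '22' -> '22 (SSH)', '80,443' -> '80 (HTTP),443 (HTTPS)'."""
    return ",".join(f"{p} ({PORT_NAMES[int(p)]})" if p.isdigit() and int(p) in PORT_NAMES else p
                    for p in value.split(","))

def explain(rule):
    """Translate one iptables rule (without the leading 'iptables') into plain English."""
    toks, i = shlex.split(rule), 0
    table, chain, cmd, policy, target, conds, negate = "filter", None, None, None, None, [], False
    while i < len(toks):
        t = toks[i]
        if t == "!":                       # negation applies to the very next match
            negate, i = True, i + 1
        elif t == "-t":
            table, i = toks[i + 1], i + 2
        elif t == "-P":                    # chain policy: "-P INPUT DROP"
            chain, policy, i = toks[i + 1], toks[i + 2], i + 3
        elif t in COMMANDS:
            cmd, chain, i = t, toks[i + 1], i + 2
            if i < len(toks) and toks[i].isdigit():  # optional rule number for -I / -D
                i += 1
        elif t == "-m":                    # module name; its own options (--state, --dports) follow
            i += 2
        elif t == "-j":
            tgt = toks[i + 1]
            target = f"{tgt} ({TARGETS.get(tgt, 'jump to user-defined chain ' + tgt)})"
            i += 2
        elif t in MATCHES:
            val = name_ports(toks[i + 1]) if "port" in t else toks[i + 1]
            conds.append(("NOT " if negate else "") + MATCHES[t].format(val))
            negate, i = False, i + 2
        else:                              # unknown flag: report it instead of guessing
            val = toks[i + 1] if i + 1 < len(toks) and not toks[i + 1].startswith("-") else ""
            conds.append(f"unrecognised option {t} {val}".strip())
            i += 2 if val else 1
    where = f"the {chain} chain of the {table} table"
    if policy:
        return f"Set the default policy of {where} to {policy} ({TARGETS.get(policy, policy)})."
    head = f"{COMMANDS[cmd]} {where}" if cmd else "Rule"
    body = ", ".join(conds) if conds else "any packet"
    return f"{head}: match {body}; then {target}." if target else f"{head}: match {body}."
```

Feed it one rule per line to explain a whole ruleset; the older `-s ! addr` negation form is not handled, only the leading `!` shown in the cheatsheet.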
An explainer, not a validator — it describes what each flag means but won't catch every typo or exotic module. Always review firewall changes on a machine you can still reach if you lock yourself out.