iptables Rule Explainer

Paste an iptables rule — or a whole ruleset, one per line — and get it back in plain English, flag by flag. Well-known ports are named for you (22 → SSH, 443 → HTTPS). Nothing leaves your browser. There's a cheatsheet at the bottom for when you just need a reminder.

Cheatsheet

Commands

-A
Append a rule to the end of a chain
-I
Insert a rule (default: at the top)
-D
Delete a matching rule
-R
Replace a rule by number
-P
Set a built-in chain's default policy (ACCEPT or DROP), applied when no rule matches
-N
Create a new user-defined chain
-F
Flush (delete all rules in) a chain, or every chain in the table if none is named
-L
List rules (-n skips DNS lookups, -v adds counters, --line-numbers shows the positions -I/-R/-D use)

Built-in Chains

INPUT
Traffic destined for this machine
OUTPUT
Traffic this machine sends out
FORWARD
Traffic routed through (not for it)
PREROUTING
As packets arrive, before routing (nat/mangle/raw)
POSTROUTING
As packets leave, after routing (nat/mangle)

Match Options

-p
Protocol: tcp, udp, icmp, all
-s / -d
Source / destination IP or CIDR
--sport / --dport
Source / destination port
-i / -o
Incoming / outgoing interface
-m state
--state NEW,ESTABLISHED,RELATED,INVALID (the current equivalent is -m conntrack --ctstate)
-m multiport
--dports 80,443: several ports at once (needs -p tcp or -p udp; up to 15 ports)
!
Invert the next match (NOT), written before the flag: ! -s 10.0.0.0/8

Targets (-j)

ACCEPT
Let the packet through
DROP
Discard silently, no reply
REJECT
Discard and send an error back (ICMP port-unreachable by default; --reject-with tcp-reset for TCP)
LOG
Log to the kernel log, then keep checking rules (non-terminating; pair it with a DROP below it)
DNAT
Rewrite destination (port forwarding); nat table, PREROUTING or OUTPUT
SNAT
Rewrite source to a fixed public IP; nat table, POSTROUTING
MASQUERADE
Rewrite source to the outgoing interface's IP (dynamic IP); nat table, POSTROUTING
RETURN
Leave this chain, resume the caller (in a built-in chain, the policy applies)

Tables (-t)

filter
Default — allow/deny decisions
nat
Address/port rewriting (DNAT/SNAT)
mangle
Alter packet headers (TTL, TOS) and set marks
raw
Connection-tracking exemptions (NOTRACK), evaluated before conntrack sees the packet

Rule of Thumb

Order
Rules are checked top-to-bottom; the first match with a terminating target (ACCEPT, DROP, REJECT) wins, LOG does not stop the walk
Policy
Set -P … DROP, then explicitly ACCEPT what you need; add the ACCEPTs (loopback, your SSH) before switching the policy
State
Allow ESTABLISHED,RELATED early so replies get back in; drop INVALID right after
Persist
Rules are in-memory; save with iptables-save > file (reload with iptables-restore) or netfilter-persistent save
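
As an added example (not this page's tool or its code), here is a small Python explainer that does what the intro describes, one rule per line with well-known ports named, and then checks a ruleset against the rules of thumb above: DROP policy on INPUT, and ESTABLISHED,RELATED accepted before any port-based ACCEPT. SAMPLE is a constructed ruleset for illustration; the checks are heuristics that assume filter-table rules appended with -A in the order listed (and -t, when used, given first), and they are not a validator.

```python
"""Explain iptables rules flag by flag, then run rule-of-thumb checks on a ruleset.
Added example, not the page's own tool; SAMPLE is a constructed ruleset and the checks
are heuristics (filter table, rules appended with -A in the order listed)."""
import shlex

PORTS = {22: "SSH", 25: "SMTP", 53: "DNS", 80: "HTTP", 443: "HTTPS"}
COMMANDS = {"-A": "Append to", "-I": "Insert into", "-D": "Delete from", "-R": "Replace in"}
TARGETS = {"ACCEPT": "let the packet through", "DROP": "drop it silently",
           "REJECT": "drop it and send an error back", "LOG": "log it, then keep checking rules",
           "DNAT": "rewrite the destination", "SNAT": "rewrite the source", "RETURN": "resume the caller",
           "MASQUERADE": "rewrite the source to the interface address"}
MATCHES = {"-p": "protocol {v}", "-s": "from {v}", "-d": "to {v}", "-i": "arriving on {v}",   # {v}: argument
           "-o": "leaving via {v}", "--sport": "source port {v}", "--dport": "destination port {v}",
           "--sports": "source ports {v}", "--dports": "destination ports {v}",
           "--state": "connection state {v}", "--ctstate": "connection state {v}",
           "--to-destination": "to {v}", "--to-source": "to {v}", "--log-prefix": "log prefix {v}"}


def name_ports(spec):
    """'80,443' -> '80 (HTTP),443 (HTTPS)'; ranges such as 1024:65535 pass through."""
    return ",".join(f"{p} ({PORTS[int(p)]})" if p.isdigit() and int(p) in PORTS else p
                    for p in spec.split(","))


def explain(rule):
    """Return one iptables rule as a plain-English sentence (assumes -t, if used, comes first)."""
    toks = shlex.split(rule)
    head, table, parts, negate, i = "", "", [], False, 0
    while i < len(toks):
        t = toks[i]
        nxt = toks[i + 1] if i + 1 < len(toks) else ""
        if t == "!":
            negate = True                                  # applies to the match that follows
        elif t == "-t":
            table = f" ({nxt} table)"
            i += 1
        elif t == "-P":
            head = f"Set default policy of {nxt} to {toks[i + 2] if i + 2 < len(toks) else '?'}"
            i += 2
        elif t in COMMANDS:
            head = f"{COMMANDS[t]} {nxt}{table}"
            i += 1
            if i + 1 < len(toks) and toks[i + 1].isdigit():   # optional rule number (-I/-R/-D)
                head += f" at rule {toks[i + 1]}"
                i += 1
        elif t == "-m":
            i += 1                                         # module name; its options follow
        elif t == "-j":
            parts.append(TARGETS.get(nxt, f"jump to user-defined chain {nxt}"))
            i += 1
        elif t in MATCHES:
            v = name_ports(nxt) if t.endswith(("port", "ports")) else nxt
            parts.append(("NOT " if negate else "") + MATCHES[t].format(v=v))
            negate = False
            i += 1
        else:
            parts.append(f"unrecognised flag {t}")         # it explains, it does not validate
        i += 1
    return "; ".join(p for p in [head] + parts if p)


def fields(toks):
    """Flag -> argument; first occurrence wins and negated matches are ignored."""
    pairs = [(toks[i], toks[i + 1]) for i in range(len(toks) - 1) if toks[i].startswith("-")
             and not toks[i + 1].startswith("-") and (i == 0 or toks[i - 1] != "!")]
    return dict(reversed(pairs))


def check_ruleset(rules):
    """Rule-of-thumb findings for INPUT: DROP policy, and ESTABLISHED,RELATED accepted first."""
    findings, policy, est_seen = [], {}, False
    for n, rule in enumerate(rules, 1):
        toks = shlex.split(rule)
        if toks[:1] == ["-P"] and len(toks) >= 3:
            policy[toks[1]] = toks[2]
            continue
        f = fields(toks)
        if f.get("-A") != "INPUT" or f.get("-t", "filter") != "filter" or f.get("-j") != "ACCEPT":
            continue
        if "ESTABLISHED" in f.get("--ctstate", f.get("--state", "")):
            est_seen = True
        elif not est_seen and ("--dport" in f or "--dports" in f):
            findings.append(f"line {n}: accepts traffic by port before ESTABLISHED,RELATED is allowed")
    if policy.get("INPUT") != "DROP":
        findings.append(f"INPUT policy is {policy.get('INPUT', 'unset (ACCEPT)')}; set it to DROP")
    return findings


SAMPLE = [  # constructed ruleset, laid out the way the rule of thumb suggests
    "-P INPUT DROP",
    "-A INPUT -i lo -j ACCEPT",
    "-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT",
    "-A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT",
    "-A INPUT -p tcp -m multiport --dports 80,443 -j ACCEPT",
    "-A INPUT ! -s 10.0.0.0/8 -p udp --dport 53 -j DROP",
    "-A INPUT -j LOG --log-prefix 'IN-DROP: '",
    "-t nat -A PREROUTING -p tcp --dport 8080 -j DNAT --to-destination 10.0.0.5:80",
]
WRONG_ORDER = ["-P INPUT ACCEPT", SAMPLE[3], SAMPLE[2]]   # ACCEPT policy, SSH rule above the state rule
if __name__ == "__main__":
    for r in SAMPLE:
        print(f"{r}\n    -> {explain(r)}")
    print("findings:", check_ruleset(SAMPLE), check_ruleset(WRONG_ORDER))
```

Running it prints each SAMPLE rule with its explanation and an empty findings list for SAMPLE; check_ruleset(WRONG_ORDER) returns two findings, one for the SSH rule sitting above the state rule and one for the ACCEPT policy. Unknown flags are reported as unrecognised rather than guessed at, matching the caveat at the bottom of the page.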

An explainer, not a validator: it describes what each flag means but won't catch every typo or exotic module. Always test firewall changes on a machine you can still reach if you lock yourself out (console access, or a timed rollback that flushes the rules).