<meta charset="UTF-8">
<meta name="robots" content="noindex,nofollow" />
<link rel="shortcut icon" type="image/x-icon" href="/JSPWiki/images/favicon.ico" />
<link rel="icon" type="image/x-icon" href="/JSPWiki/images/favicon.ico" />

<pre>
[{ALLOW view All}]
[{ALLOW edit Markus}]

! Commands

{{{
&gt; ls -la /usr/sbin/ip*  # list all commands, there are many
&gt; iptables*             # for ipv4 (in debian busters = nft)
&gt; ip6tables*            # for ipv6 (in debian busters = nft)
&gt; iptables-legacy       # former ones, not nft
&gt; iptables-nft          # directly use nft
}}}
Notes:
* all iptables commands (for ipv4) have an ip__6__tabbles* equivalent (for ipv6)
* see [info|https://developers.redhat.com/blog/2020/08/18/iptables-the-two-variants-and-their-relationship-with-nftables#using_iptables_nft] on nft

! Syntax
see [docu|https://docs.redhat.com/en/documentation/red_hat_enterprise_linux/4/html/reference_guide/s1-iptables-options#s2-iptables-options-structure]
{{{
&gt; sudo iptables -L -v 
&gt; sudo iptables -n -v --line-numbers -L 
&gt; sudo service iptables start		# activate firewalling
&gt; sudo service ip6tables start
&gt; sudo chkconfig iptables on		# enable after reboot
&gt; sudo chkconfig ip6tables on
}}}

{{{
iptables [-t &lt;table-name&gt;] &lt;command&gt; &lt;chain-name&gt; &lt;parameter-1&gt;  &lt;option-1&gt; &lt;parameter-n&gt; &lt;option-n&gt;
}}}
* table-name 
** like ~[filter, nat, mangle, raw, security~], if omitted we use &quot;filter&quot;
* comamnd
** -F : flush current chain or all if omitted
** -X : deletes a user-specified chain or all if omitted
** -Z : zeros the byte and packet counters in all chains
** -A : apppend a rule at the end
** -I : inserts at a specified position (similar to replace -R), wihtout position at the top
** -P : a policy is a fall back and is used after all rules have passede** you can enable certain special addresses earlier 
** -L : list all rules
* chain-name
** INPUT, FORWARD, OUTPUT (as listed with &gt; iptables -L)
** you may invent new chain names, but this seems not to be common (command -N)
* parameter-1 (filter)
** -s : source filter (address~[/mask~]~[...~])
** -d : destination filter
** -p : protocoll filter like ~[icmp, tcp, udp, all~] or those in /etc/protocols, if omitted ALL protocols are considered
*** with -p tcp you can use --dport for destination port filter, any number
*** with -p udp you can use --dport for destination port and --sport as source port filter
*** ports can be also a range like 3000:3200 (all from 3000 to 3200)
*** with -p icmp you can use --icmp-type
** -i : interface like ~[eth0, lo, ppp0~], without name ALL interfaces are used
** -j : jump to ~[ACCEPT, DROP, QUEUE, RETURN~] (or others added with modules)
** -m : adds a comment when listing the rules, syntax &gt;-m comment --comment &quot;My comments here&quot;&lt;
* option-1 (target)
** ~[ACCEPT, DROP, QUEUE, RETURN~] (or others added with modules)
* option-n (listing options)
** -v : verbose output
** -n : displays IP addresses and port numbers in numeric format instead of hostname/network service
* notes
** the first three commands are usually used to create a fresh ruleset in a script
** in the chain list and then drop all other later

! Python
* package python3-iptables manages legacy ones only
* package &quot;python3-nftables&quot; manages nft tables
* alternatively you can use subprocess.run to call the original system commands

import nftables
</pre>