The iptables command structure looks something like this:
iptables [-t table] -[AD] chain rule-specification [options]
It looks a bit confusing at first. Let's take a look at a full-blown command to make it easier to discern.
iptables -A INPUT -p tcp -j DROP
What the above iptables command does is this:
- The -A indicates this is a new chain and that the chain is called INPUT.
- The -p indicates what follows is the protocol (tcp or udp) this chain will watch for.
- The -j means if anything has matched so far, to take the action that follows. The DROP means the packet is to be dropped and will not make it to its destination.
The above is a bit of an over-simplification, but it makes iptables easier to understand. Let's explain it all a bit further.
The iptables system works like this:
The administrator creates chains which form a table.
Each chain is defined as either an INPUT or OUTPUT chain. This means it either watches traffic going IN or OUT of the system. The administrator defines what protocol the chain is to watch for, and/or any of the following:
- The interface.
- The source address (where the network packet originated from).
- The source port.
- What to do with the matching packet.
The iptables tool can be used in various ways. The simplest (but least efficient) way is to run (as root) individual iptables commands to add chains to a table. A more efficient way is to write all of your chains into a script so that all the chains are issued with a single command.
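As an added example (not code from the original text), here is a script of the kind the last paragraph describes: it issues a whole set of INPUT rules with one command, using the -A, -p, -j, interface and source-address options covered above. The helper names and the management network 192.0.2.0/24 are assumptions; by default it only prints the commands, and it executes them only when run as root with APPLY=1.

```shell
#!/bin/sh
# Firewall script: installs all INPUT chain rules in one go.
# Dry-run by default (prints each iptables command); APPLY=1 runs them.
IPT=${IPT:-iptables}
APPLY=${APPLY:-0}

# Wrapper: either execute the iptables command or just echo it.
ipt() {
    if [ "$APPLY" = "1" ]; then
        "$IPT" "$@"
    else
        echo "$IPT $*"
    fi
}

build_input_rules() {
    # Start from a clean INPUT chain in the default (filter) table.
    ipt -F INPUT
    # Interface match (-i): always allow loopback traffic.
    ipt -A INPUT -i lo -j ACCEPT
    # Allow replies to connections this host itself initiated.
    ipt -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # Protocol (-p), port and source address (-s) match: SSH only from
    # the management network (192.0.2.0/24 is an assumed placeholder).
    ipt -A INPUT -p tcp --dport 22 -s 192.0.2.0/24 -j ACCEPT
    # Log, then drop, anything that matched none of the rules above.
    ipt -A INPUT -j LOG --log-prefix "IPT-DROP: "
    ipt -A INPUT -j DROP
    # Set the chain's default policy last, so the ACCEPT rules are already
    # in place when it takes effect (avoids locking yourself out).
    ipt -P INPUT DROP
}

build_input_rules
```

Run it from a console rather than over SSH the first time, since flushing the chain momentarily removes the rules that allow your own session.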