Linux Networking: Firewalls, NAT, and Netfilter

Linux Networking•Permalink

nftables, iptables, ufw, firewalld, conntrack, and packet flow debugging commands.

View

Standard Detailed Compact

Export

Copy the compact sheet, download it, or print it.

Download

`D` dense toggle · `C` copy all

## Firewalling with nftables and iptables

Show nftables rules

↗#

sudo nft list ruleset

# Display the active nftables ruleset.

Create nftables table

↗#

sudo nft add table inet filter

# Create an inet filter table.

Create nftables chain

↗#

sudo nft 'add chain inet filter input { type filter hook input priority 0; policy drop; }'

# Create an input chain with a default policy.

Allow SSH with nftables

↗#

sudo nft add rule inet filter input tcp dport 22 ct state new,established accept

# Permit inbound SSH traffic.

List iptables rules

↗#

sudo iptables -L -n -v

# Show IPv4 filter rules with counters.

Export iptables rules

↗#

sudo iptables-save

# Dump current iptables rules in restore format.

Allow SSH with iptables

↗#

sudo iptables -I INPUT -p tcp --dport 22 -j ACCEPT

# Insert a rule allowing inbound SSH.

Drop traffic from IP

↗#

sudo iptables -A INPUT -s 203.0.113.25 -j DROP

# Block all inbound traffic from a source IP.

Enable masquerading

↗#

sudo iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

# Apply source NAT for outbound traffic.

Show UFW status

↗#

sudo ufw status verbose

# Inspect uncomplicated firewall status and rules.

Allow a port with UFW

↗#

sudo ufw allow 443/tcp

# Allow inbound TCP on a specific port.

List firewalld settings

↗#

sudo firewall-cmd --list-all

# Show active firewalld zones and services.

Allow service with firewalld

↗#

sudo firewall-cmd --permanent --add-service=https && sudo firewall-cmd --reload

# Permanently allow the HTTPS service.

## Netfilter and Policy Debugging

Show tracked connections

↗#

sudo conntrack -L

# Inspect conntrack table entries.

Delete a tracked flow

↗#

sudo conntrack -D -p tcp --orig-src 10.0.0.10 --orig-dst 10.0.0.20

# Remove conntrack state for a given flow.

Reset iptables counters

↗#

sudo iptables -Z

# Zero rule counters before testing packet paths.

Trace nftables packet path

↗#

sudo nft monitor trace

# Monitor nftables trace events for debugging.

Check IP forwarding

↗#

sysctl net.ipv4.ip_forward

# Inspect whether packet forwarding is enabled.

Enable IP forwarding

↗#

sudo sysctl -w net.ipv4.ip_forward=1

# Turn on IPv4 forwarding immediately.

More in Linux Networking

Linux Networking: Troubleshooting and Diagnostics

Reachability, latency, DNS, proxy, logs, and real-time diagnostics for Linux network incidents.

Linux Networking: DNS, HTTP, and TLS Testing

DNS troubleshooting, resolver inspection, HTTP probing, and TLS certificate testing from Linux.

Linux Networking: Routing, VLANs, Bridges, and Tunnels

Linux routing tables, policy routing, bridges, VLANs, bonds, and tunnel configuration commands.

Linux Networking Cheat Sheet

Comprehensive Linux networking commands for interfaces, sockets, packet capture, and throughput testing.

Recommended next

No recommendations yet.

Browse all sheets →