Linux Networking: Firewalls, NAT, and Netfilter

nftables, iptables, ufw, firewalld, conntrack, and packet flow debugging commands.


Firewalling with nftables and iptables

Inspect and manage packet filtering and NAT.

Show nftables rules

Display the active nftables ruleset.

sudo nft list ruleset

Notes

Lists every table, chain and rule across all address families. On distributions where iptables is the iptables-nft front end, rules added with iptables appear here too, in their own tables.

Create nftables table

Create an inet filter table.

sudo nft add table inet filter

Create nftables chain

Create an input chain with a default policy.

sudo nft 'add chain inet filter input { type filter hook input priority 0; policy drop; }'

Notes

The drop policy takes effect the moment the chain exists, including for loopback and already established sessions. On a remote host, add the accept rules (loopback, established connections, SSH) in the same transaction, for example by loading a ruleset file with nft -f, rather than one command at a time.

Allow SSH with nftables

Permit inbound SSH traffic.

sudo nft add rule inet filter input tcp dport 22 ct state new,established accept

List iptables rules

Show IPv4 filter rules with counters.

sudo iptables -L -n -v

Notes

-n prints addresses and ports numerically instead of resolving them; -v adds per-rule packet and byte counters. Only the filter table is shown unless -t is given.

Export iptables rules

Dump current iptables rules in restore format.

sudo iptables-save

Notes

The output covers all tables and can be loaded back with iptables-restore. It is IPv4 only; use ip6tables-save for the IPv6 ruleset.

Allow SSH with iptables

Insert a rule allowing inbound SSH.

sudo iptables -I INPUT -p tcp --dport 22 -j ACCEPT

Notes

-I inserts at the top of INPUT so the rule is evaluated before any existing DROP rules; -A would append it to the end.

Drop traffic from IP

Block all inbound traffic from a source IP.

sudo iptables -A INPUT -s 203.0.113.25 -j DROP

Notes

INPUT only covers traffic addressed to this host; packets the host routes for others pass through FORWARD instead.

Enable masquerading

Apply source NAT for outbound traffic.

sudo iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

Notes

Only useful together with net.ipv4.ip_forward=1 and an ACCEPT path in the FORWARD chain. MASQUERADE reads the address of eth0 at packet time, which suits dynamic addresses; with a fixed address, SNAT --to-source is cheaper.

Show UFW status

Inspect uncomplicated firewall status and rules.

sudo ufw status verbose

Allow a port with UFW

Allow inbound TCP on a specific port.

sudo ufw allow 443/tcp

List firewalld settings

Show the default zone's settings, including its allowed services and ports.

sudo firewall-cmd --list-all

Notes

Without --zone the default zone is shown. Use --get-active-zones to list the zones that currently have interfaces or sources bound to them.

Allow service with firewalld

Permanently allow the HTTPS service.

sudo firewall-cmd --permanent --add-service=https && sudo firewall-cmd --reload

Notes

--permanent only changes the saved configuration; the --reload applies it to the running firewall. Without --zone the service is added to the default zone.

Netfilter and Policy Debugging

Inspect conntrack, counters, and common packet flow issues.

Show tracked connections

Inspect conntrack table entries.

sudo conntrack -L

Notes

Each entry shows the flow's state (for example ESTABLISHED or TIME_WAIT) and its original and reply tuples. Narrow the listing with filters such as -p tcp or -s <address>.

Delete a tracked flow

Remove conntrack state for a given flow.

sudo conntrack -D -p tcp --orig-src 10.0.0.10 --orig-dst 10.0.0.20

Notes

Once the entry is gone, the flow's next packet is evaluated as a NEW connection; a stateful ruleset that only accepts established traffic will then drop it, so expect the session to break.

Reset iptables counters

Zero rule counters before testing packet paths.

sudo iptables -Z

Notes

Zeros the counters of the filter table only; add -t nat to reset NAT counters as well. Read the counters back with iptables -L -n -v.

Trace nftables packet path

Monitor nftables trace events for debugging.

sudo nft monitor trace

Notes

Trace events are only generated for packets that match a rule setting meta nftrace set 1, so add such a rule to the chain under test first; the output then shows every chain and rule the packet traverses and the final verdict.

Check IP forwarding

Inspect whether packet forwarding is enabled.

sysctl net.ipv4.ip_forward

Notes

A value of 0 means forwarding is disabled. The IPv6 counterpart is net.ipv6.conf.all.forwarding.

Enable IP forwarding

Turn on IPv4 forwarding immediately.

sudo sysctl -w net.ipv4.ip_forward=1

Notes

The setting is lost at reboot. To persist it, put net.ipv4.ip_forward = 1 in a file under /etc/sysctl.d/ and apply with sysctl --system.
