Linux Firewall Cheat Sheet

Common Linux firewall command cheat sheet, including iptables, firewalld, ufw, etc.

iptables Basics
iptables -L -n -v

List all rules (verbose mode)

iptables -L -n --line-numbers

List rules and display line numbers

iptables -t nat -L -n -v

List NAT table rules

iptables-save > /etc/iptables.rules

Save current rules to file

iptables-restore < /etc/iptables.rules

Restore rules from file

iptables -F

Flush all rules in the filter table (the default table); chain policies are left unchanged

iptables -t nat -F

Clear NAT table rules

iptables -X

Delete all user-defined chains (only empty chains can be deleted, so flush first)

iptables -Z

Clear all counters

iptables -P INPUT DROP

Set default policy of INPUT chain to DROP

iptables -P INPUT ACCEPT

Set default policy of INPUT chain to ACCEPT

iptables Whitelist
iptables -A INPUT -s 192.168.1.100 -j ACCEPT

Allow access from specified IP

iptables -A INPUT -s 192.168.1.0/24 -j ACCEPT

Allow access from specified subnet

iptables -A INPUT -s 192.168.1.100 -p tcp --dport 22 -j ACCEPT

Allow specified IP to access specified port

iptables -A INPUT -s 10.0.0.100 -j DROP

Deny specified IP access

iptables -A INPUT -s 10.0.0.0/8 -j DROP

Deny access from specified subnet

iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

Allow established connections

iptables -A INPUT -i lo -j ACCEPT

Allow loopback interface

iptables -P INPUT DROP
iptables -A INPUT -s 192.168.1.0/24 -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

Allow only whitelisted IPs (full configuration)
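The whitelist configuration above and the iptables-save/iptables-restore commands in the Basics section fit together: the following added example (not part of the cheat sheet) emits the whitelist as an iptables-restore file so that the DROP policy and the ACCEPT rules are loaded atomically in one step, and it validates each whitelist entry first, because one malformed line makes iptables-restore reject the whole file. It assumes POSIX sh and IPv4 addresses; the subnet and host in the usage line are constructed values.

```shell
#!/bin/sh
# Added example (not from the cheat sheet): emit the "allow only whitelisted
# IPs" configuration as an iptables-restore file. Loading it with
# "iptables-restore < file" applies every line atomically, so the DROP policy
# and the ACCEPT rules take effect together. Assumes POSIX sh and IPv4 only.

# is_ipv4_cidr ADDR[/PREFIX]: 0 if the argument is a syntactically valid IPv4
# address or CIDR block, 1 otherwise. One bad entry makes iptables-restore
# reject the whole file, so inputs are checked before anything is printed.
is_ipv4_cidr() {
    addr=${1%/*}
    prefix=${1#*/}
    [ "$prefix" = "$1" ] && prefix=32              # no "/": single host
    case "$prefix" in ''|*[!0-9]*) return 1 ;; esac
    [ "$prefix" -le 32 ] || return 1
    oldifs=$IFS
    IFS=.
    set -- $addr                                   # split into octets
    IFS=$oldifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        case "$octet" in ''|*[!0-9]*) return 1 ;; esac
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# whitelist_ruleset SOURCE...: print the ruleset on stdout. Loopback and
# established traffic are accepted first, then the whitelist; anything else
# is logged (rate-limited, same prefix as the cheat sheet) and dropped by the
# INPUT policy.
whitelist_ruleset() {
    for src in "$@"; do
        is_ipv4_cidr "$src" || { echo "invalid whitelist entry: $src" >&2; return 1; }
    done
    printf '%s\n' '*filter'
    printf '%s\n' ':INPUT DROP [0:0]' ':FORWARD DROP [0:0]' ':OUTPUT ACCEPT [0:0]'
    printf '%s\n' '-A INPUT -i lo -j ACCEPT'
    printf '%s\n' '-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT'
    for src in "$@"; do
        printf '%s\n' "-A INPUT -s $src -j ACCEPT"
    done
    printf '%s\n' '-A INPUT -m limit --limit 5/min -j LOG --log-prefix "IPTables-Dropped: "'
    printf '%s\n' 'COMMIT'
}

# Example: whitelist_ruleset 192.168.1.0/24 10.0.0.5 > /etc/iptables.rules
```

Review the generated file with `iptables-restore --test < /etc/iptables.rules` before loading it, and apply it from a console or from a whitelisted address, since every other source is dropped once it is active.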

iptables Rules
iptables -A INPUT -p tcp --dport 22 -j ACCEPT

Allow SSH connection (port 22)

iptables -A INPUT -p tcp --dport 80 -j ACCEPT

Allow HTTP connection (port 80)

iptables -A INPUT -p tcp --dport 443 -j ACCEPT

Allow HTTPS connection (port 443)

iptables -A INPUT -p tcp --dport 3306 -j ACCEPT

Allow MySQL connection (port 3306)

iptables -A INPUT -p tcp --dport 6379 -j ACCEPT

Allow Redis connection (port 6379)

iptables -A INPUT -p tcp --dport 8000:9000 -j ACCEPT

Allow port range 8000-9000

iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT

Allow Ping requests

iptables -A INPUT -p icmp --icmp-type echo-request -j DROP

Block Ping requests

iptables -D INPUT 3

Delete the 3rd rule in INPUT chain

iptables -I INPUT 1 -s 192.168.1.100 -j ACCEPT

Insert rule at the 1st line

iptables -A INPUT -j LOG --log-prefix "IPTables-Dropped: "

Log packets that reach this rule (append it last, so only traffic that no earlier rule accepted and that the DROP policy will discard is logged)

iptables -A INPUT -p tcp --dport 22 -m limit --limit 3/min --limit-burst 3 -j ACCEPT

Rate-limit SSH to 3 packets per minute with a burst of 3 (keep the ESTABLISHED,RELATED rule above it so existing sessions are not throttled)

iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-port 8080

Redirect incoming port 80 to local port 8080

iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

Enable NAT masquerading (shared internet access)

firewalld Basics
firewall-cmd --state

Check firewall status

systemctl start firewalld

Start firewall

systemctl stop firewalld

Stop firewall

systemctl enable firewalld

Set to start on boot

systemctl disable firewalld

Disable start on boot

firewall-cmd --reload

Reload configuration

firewall-cmd --list-all

List all configurations in the current zone

firewall-cmd --get-zones

List all available zones

firewall-cmd --get-default-zone

Get the default zone

firewall-cmd --set-default-zone=public

Set the default zone

firewall-cmd --get-services

List all available services

firewalld Rules
firewall-cmd --permanent --add-service=http

Permanently add the HTTP service (--permanent changes take effect after firewall-cmd --reload)

firewall-cmd --permanent --remove-service=http

Permanently remove HTTP service

firewall-cmd --permanent --add-port=8080/tcp

Permanently open port 8080

firewall-cmd --permanent --remove-port=8080/tcp

Permanently close port 8080

firewall-cmd --permanent --add-port=8000-9000/tcp

Permanently open port range

firewall-cmd --permanent --add-source=192.168.1.0/24

Bind the source subnet to the default zone so that zone's rules apply to it

firewall-cmd --permanent --remove-source=192.168.1.0/24

Remove trusted source IP subnet

firewall-cmd --permanent --add-rich-rule='rule family=ipv4 source address=192.168.1.100 accept'

Rich rule: Allow specified IP

firewall-cmd --permanent --add-rich-rule='rule family=ipv4 source address=10.0.0.100 drop'

Rich rule: Deny specified IP

firewall-cmd --permanent --add-rich-rule='rule family=ipv4 source address=192.168.1.0/24 port port=22 protocol=tcp accept'

Rich rule: Allow subnet to access specified port

firewall-cmd --permanent --add-forward-port=port=80:proto=tcp:toport=8080

Port forwarding 80 to 8080

firewall-cmd --permanent --add-masquerade

Enable NAT masquerading

UFW Basics
ufw status verbose

View firewall status (verbose)

ufw enable

Enable firewall

ufw disable

Disable firewall

ufw reset

Disable ufw and reset all rules to the installation defaults

ufw default deny incoming

Default deny all incoming

ufw default allow outgoing

Default allow all outgoing

ufw reload

Reload rules

ufw status numbered

Display the list of rules with numbers

UFW Rules
ufw allow ssh

Allow SSH service

ufw allow http

Allow HTTP service

ufw allow https

Allow HTTPS service

ufw allow 8080/tcp

Allow TCP port 8080

ufw allow 8000:9000/tcp

Allow port range 8000-9000

ufw allow from 192.168.1.100

Allow all access from specified IP

ufw allow from 192.168.1.0/24

Allow all access from specified subnet

ufw allow from 192.168.1.100 to any port 22

Allow specified IP to access port 22

ufw deny from 10.0.0.100

Deny all access from specified IP

ufw deny 3306/tcp

Deny TCP port 3306

ufw delete allow 8080/tcp

Delete rule allowing 8080

ufw delete 3

Delete rule number 3

ufw insert 1 allow from 192.168.1.100

Insert rule at line 1

ufw limit ssh

Limit SSH connection rate (prevent brute force attacks)

nftables
nft list ruleset

List all rules

nft flush ruleset

Clear all rules

nft add table inet filter

Add table

nft add chain inet filter input { type filter hook input priority 0 \; }

Add chain

nft add rule inet filter input tcp dport 22 accept

Allow port 22

nft add rule inet filter input ip saddr 192.168.1.100 accept

Allow specified IP

nft add rule inet filter input ip saddr 10.0.0.100 drop

Deny specified IP

nft list ruleset > /etc/nftables.conf

Save rules to file

nft -f /etc/nftables.conf

Load rules from file (put `flush ruleset` at the top of the file so loading replaces the current rules instead of duplicating them)

Tool Introduction

Linux Firewall Quick Reference is a quick reference tool for system administrators and operations personnel, covering common commands for mainstream firewall tools such as iptables, firewalld, ufw, and nftables, with special emphasis on practical configurations including IP whitelists, port openings, and access control. It supports fast search and one-click copy, helping you efficiently manage server security.

Key Features

1. 8 major categories covering mainstream Linux firewall tools
2. 80+ common commands, comprehensively covering basic to advanced usage
3. IP whitelist configuration to quickly implement access control
4. Supports iptables, firewalld, ufw, nftables
5. One-click command copy to improve operational efficiency
6. Clear Chinese instructions, easy to understand and learn
7. Categorized browsing and filtering to quickly find relevant commands
8. Runs locally, usable without an internet connection
