iptables Rule Generator

Rule preset:

Start from a narrow allow or deny pattern, then adjust the exact match below.

Chain:

Use INPUT for traffic to this host, OUTPUT for traffic from this host, and FORWARD for routed traffic.

Target action:

ACCEPT and DROP are terminal decisions; LOG records a match and then evaluation continues.

Protocol:

Choose TCP or UDP for service ports, ICMP for ping-style rules, or All for address/interface rules.

Port match:

Use values like 22, 80,443, or 8000-8080; leave blank only when the rule must match every port.

ICMP type:

Echo-request is the usual inbound ping match; Any leaves ICMP type unrestricted.

Source CIDR or IP:

Use the narrowest source you can, for example 203.0.113.0/24 or 198.51.100.10/32.

Destination CIDR or IP:

Destination is usually any for INPUT rules and a host or subnet for OUTPUT/FORWARD rules.

Fix before applying

{{ error }}

Command family:

The address family must match the source and destination fields.

Rule operation:

Append is safest for review; Insert changes order-sensitive behavior.

Insert position:

Use 1 only when the rule must outrank the current chain entries.

position

Port direction:

Destination is the normal service-port match for inbound or outbound allows.

Conntrack state:

NEW,ESTABLISHED is common for a service allow; Any omits conntrack matching.

Input interface:

Optional; examples include eth0, ens3, wg0, or br-lan.

Output interface:

Optional; useful on OUTPUT, FORWARD, gateway, and VPN rules.

Reject response:

tcp-reset is only valid with TCP; ICMP reject types fit non-TCP IPv4 rules.

Prefix sudo:

Turn off when pasting into a root shell or automation that already runs as root.

Rule comment:

Keep it short and specific; long comments may not fit older iptables comment limits.

{{ result.commandText }}

Field	Generated value	Review note	Copy
{{ row.field }}	{{ row.value }}	{{ row.note }}

Check	Status	Action	Reason	Copy
{{ row.check }}	{{ row.status }}	{{ row.action }}	{{ row.reason }}

Export to PDF Fullscreen

Embed:

Customize

Include current inputs

Size

Advanced

Width

Height

Aspect ratio

Max height

Collapsible embed

Allow fullscreen

Referrer policy

Sandbox tokens

iptables rules describe how a Linux host should handle packets that match a set of conditions. A rule can narrow traffic by chain, protocol, port, source, destination, interface, connection state, and target action, so a small change can decide whether a service becomes reachable, blocked, logged, or left for later rules.

The filter table is the usual place for host firewall decisions. INPUT covers packets addressed to the local host, OUTPUT covers packets created by the host, and FORWARD covers routed packets that pass through it. Choosing the wrong chain can produce a command that is syntactically valid but operationally useless.

Packet match flow showing selectors, a filter chain, and a final iptables target decision.

Rule order matters because iptables checks a chain in sequence. An appended allow rule may never be reached if an earlier drop rule already matches the same packet. An inserted rule can solve that ordering problem, but it can also outrank protections that were intentionally placed first.

Generated firewall commands are planning aids, not proof that a host is protected. A good rule still needs a maintenance window, a duplicate check, a rollback path, and a persistence method that fits the distribution.

Technical Details:

iptables and ip6tables are user-space commands for maintaining IPv4 and IPv6 packet-filter rule tables in the Linux kernel. A rule specification combines zero or more match conditions with a target. When a packet does not match a rule, evaluation continues to the next rule in the same chain. When a packet matches, the target decides the next action.

The default filter table contains the built-in INPUT, OUTPUT, and FORWARD chains. These chains are enough for many simple allow, deny, log, and return cases, but they are still order-sensitive. The selected command operation changes where the rule is checked: -A appends, -I inserts at a rule number, -C checks for an existing match, and -D deletes a matching rule.

Rule Core:

The generated command follows a fixed packet-filter shape. Optional match clauses are emitted only when the selected value narrows the rule.

iptables rule construction map
Command part	Generated when	Meaning
`iptables` or `ip6tables`	Always present.	Chooses IPv4 or IPv6 rule syntax and validates source and destination addresses against that family.
`-A`, `-I`, `-C`, or `-D`	Selected by `Rule operation`.	Appends, inserts, checks, or deletes a rule specification in the chosen chain.
`-p tcp`, `-p udp`, `-p icmp`, or `-p ipv6-icmp`	Any protocol except `All protocols`.	Limits the rule to the selected protocol. IPv6 ICMP uses the `ipv6-icmp` protocol name.
`-s` and `-d`	Source or destination is not `any`.	Constrains the match to a host or CIDR block.
`--dport`, `--sport`, `--dports`, or `--sports`	TCP or UDP has a port value.	Matches one service port, one inclusive range, or a comma-separated multiport set.
`-m conntrack --ctstate`	Conntrack state is not `Any state`.	Matches packets by connection state such as `NEW`, `ESTABLISHED`, `RELATED`, or `INVALID`.
`-m comment --comment`	A rule comment is present.	Adds a short audit note to the stored rule.
`-j ACCEPT`, `DROP`, `REJECT`, `LOG`, or `RETURN`	Always present when validation passes.	Chooses the target applied to matching packets.

Validation Boundaries:

Several limits are checked before command text is treated as ready. These checks reduce obvious syntax mistakes, but they do not know the current host policy, installed modules, or distribution persistence setup.

Validation rules used by the iptables rule generator
Field	Accepted shape	Blocked or warned case
`Port match`	Numeric ports `1` to `65535`, comma-separated values, or one inclusive range such as `8000-8080`.	Service names are not emitted. More than 15 multiport entries are blocked.
`Source CIDR or IP` and `Destination CIDR or IP`	`any`, an IPv4 address or CIDR for `iptables`, or an IPv6 address or CIDR for `ip6tables`.	An address family mismatch blocks command generation.
`Input interface` and `Output interface`	Up to 32 characters using letters, numbers, underscore, dot, colon, plus, and hyphen.	Characters outside that Linux interface-name pattern are blocked.
`Reject response`	Default response, selected ICMP reject types, or `tcp-reset`.	`tcp-reset` is blocked unless protocol is TCP.
`Rule comment`	Up to 256 characters, shell-quoted when needed.	Longer comments are blocked before command generation.
`Target action`	`ACCEPT`, `DROP`, `REJECT`, `LOG`, or `RETURN`.	`LOG` receives a warning because packet evaluation continues after logging.

The safety review also flags broad matches. Accepting SSH from any source, dropping all protocols from any source to any destination, omitting ports for TCP or UDP, and leaving conntrack unrestricted all deserve extra review before use on a remote or shared host.

Modern Linux distributions may run iptables syntax through an nftables compatibility backend. The generated syntax still targets iptables and ip6tables commands, so full ruleset design, atomic restore files, and migration to native nftables remain separate administration choices.

Everyday Use & Decision Guide:

Start from the preset closest to the change you intend to make, then narrow the match before copying the command. Allow HTTPS from office CIDR is a good model for a service allow, Allow SSH from one admin IP keeps remote access scoped to one address, and Drop one noisy source shows a host-specific deny rule without a port matcher.

Use INPUT for traffic reaching the current host, OUTPUT for traffic leaving it, and FORWARD for routed traffic through a gateway. If the host is a server, most service allows belong in INPUT. If the host is a router, a service path between two networks usually belongs in FORWARD.

Choose iptables for IPv4 addresses and ip6tables for IPv6 addresses. The source and destination fields must match that choice.
Use Destination port for ordinary service rules such as 22, 53, or 443. Use Source port only when the service really appears on the packet's source side.
Leave Conntrack state on NEW,ESTABLISHED for a first service allow, then adjust only when the traffic direction or policy needs a different state set.
Keep Append (-A) while reviewing. Switch to Insert (-I) only when the rule must run before existing entries, and check the insert position carefully.
Add a short Rule comment so later iptables -S output explains why the rule exists.

The first stop-and-verify cue is the summary. iptables command ready means the fields produced a command, while iptables rule needs review means validation blocked it. Read the Safety Review table even when the command is valid, because warnings can point to risky scope rather than syntax errors.

A generated command does not guarantee that the rule is in the right place. Use the duplicate check command and the list command in the output snapshot, then confirm the chain order on the host before running a change that could affect remote access.

Step-by-Step Guide:

Build one rule at a time and verify the generated text before applying it on a Linux host.

Choose Rule preset. Confirm the summary updates to the intended action and chain, such as ACCEPT INPUT for an inbound allow.
Set Chain, Target action, and Protocol. If you choose TCP or UDP, enter a numeric Port match; if you choose ICMP, choose an ICMP type or leave it unrestricted.
Enter Source CIDR or IP and Destination CIDR or IP. Use any only when the rule truly should omit -s or -d.
Open Advanced for Command family, Rule operation, Conntrack state, interfaces, reject response, sudo prefix, and rule comment.
Read the warning panel if it appears. Fix invalid ports, address-family mismatches, unsafe interface names, overlong comments, or invalid tcp-reset selections before continuing.
Open iptables Command and inspect the final command text. Then open Rule Ledger to confirm each emitted flag has the expected value.
Open Safety Review. Resolve broad source scope, missing service scope, unrestricted conntrack, persistence, and audit-comment warnings as needed.
Copy or download the command only after the command text, ledger rows, and safety review all describe the same intended firewall change.

If validation fails, the command area intentionally shows a fix-first message instead of a runnable firewall command.

Interpreting Results:

The command text is the part that would be pasted into a shell, but the surrounding outputs explain whether it deserves trust. The Rule Ledger is best for checking exact flags. The Safety Review is best for spotting policy mistakes that still produce valid syntax.

How to interpret iptables rule generator outputs
Output cue	Meaning	Practical check
`review clean`	No generator warning is active.	Still check existing chain order and persistence on the host.
`warnings` badge	Syntax may be valid, but scope or operation deserves attention.	Open `Safety Review` before copying.
`Syntax gate`	Shows whether validation blocked command generation.	Fix every blocked field before using the command.
`Source scope`	Warns when an allow rule is open to `any` source.	Prefer a host address or CIDR for administration services.
`Persistence`	Reminds that runtime iptables commands are not automatically saved across reboot.	Use the distribution-approved save or restore process after testing.

Do not read a valid command as a safe change. Safety depends on the current ruleset, default policies, module support, active connections, and the route path that packets actually take.

Worked Examples:

Inbound HTTPS from an office range

The default service-allow path uses INPUT, TCP, destination port 443, source 203.0.113.0/24, destination any, conntrack NEW,ESTABLISHED, and target ACCEPT. The result is an append command with --dport 443, -s 203.0.113.0/24, a conntrack matcher, and a comment. Rule Ledger should show Port match as destination 443 and Source as the office CIDR.

Multiple UDP service ports

For outbound resolver access, choose OUTPUT, UDP, destination 1.1.1.1/32, and port 53. If you change the port field to 53,853, the command switches to -m multiport --dports 53,853. If the list grows beyond the multiport limit, validation blocks the command instead of emitting a line that iptables would reject.

IPv6 ICMP monitoring

Choose ip6tables, INPUT, ICMP, echo-request, and an IPv6 source such as 2001:db8:100::/48. The command uses -p ipv6-icmp and --icmpv6-type echo-request. If an IPv4 source remains in the field after switching command family, the syntax gate blocks the result until the address is changed or reset to any.

Risky remote SSH allow

An INPUT TCP rule for destination port 22 with source any can generate valid syntax, but the safety review warns that SSH is accepted from every source. The better correction is to enter one admin host such as 198.51.100.10/32, rerun the review, and confirm the source row before copying the command.

FAQ:

Does the generated command change my firewall?

No. The page generates command text, review rows, and exportable snapshots. A firewall change happens only when you run the copied command on a host with the required privileges.

Why did the command disappear after I entered a port?

The port field accepts numbers from 1 to 65535, comma-separated numbers, or one range. Service names, reversed ranges, out-of-range values, and too many multiport entries block command generation.

Should I append or insert a rule?

Use Append (-A) for initial review because it places the rule at the end of the chain. Use Insert (-I) only when the rule must appear before existing rules, then verify the insert position with the host's chain listing.

Why does LOG get a warning?

LOG records a match but does not make a final allow or deny decision. Add a later ACCEPT, DROP, REJECT, or RETURN rule if packet handling must stop after logging.

Does the rule data get sent to a firewall host?

No firewall host is contacted by the generator. The rule fields are turned into text in the page, and applying, testing, saving, or rolling back the rule remains a separate shell task.

Glossary:

Chain: An ordered list of rules checked at a specific packet path, such as INPUT, OUTPUT, or FORWARD.
Target: The action used when a packet matches a rule, such as ACCEPT, DROP, REJECT, LOG, or RETURN.
CIDR: A compact IP address and prefix format, such as 203.0.113.0/24, used to match a network range.
Conntrack: Connection tracking metadata that lets a rule match packet state, including NEW, ESTABLISHED, RELATED, and INVALID.
Multiport: An iptables extension for matching several TCP or UDP ports in one rule.
Rule persistence: The distribution-specific process that saves runtime firewall rules so they survive reboot.

References:

iptables(8) Linux manual page, man7.org.
iptables-extensions manual page, Netfilter and ipset project.
nftables project overview, netfilter.org.