Red Hat LINUX 7.2 Reference Manual page 300

iptables [-t <table-name>] <command> <chain-name>
<parameter-1> <option-1>
<parameter-n> <option-n>
In this example, the <table-name> option allows the user to select a table other than the default filter table to use with the command. The <command> option is the center of the command, dictating a specific action to perform, such as appending or deleting a rule from a particular chain, which is specified by the <chain-name> option. Following the <chain-name> are pairs of parameters and options that actually define the way the rule will work and what will happen when a packet matches the rule.
When looking at the structure of an iptables command, it is important to remember that, unlike most other commands, the length and complexity of an iptables command can change based on its purpose. A simple command to remove a rule from a chain can be very short, while a command designed to filter packets from a particular subnet using a variety of specific parameters and options can be rather lengthy. One way to think about iptables commands is to recognize that some parameters and options used may create the need to use other parameters and options to further specify the previous option's request. In order to construct a valid rule, this must continue until every parameter and option that requires another set of options is satisfied.
Type iptables -h to see a comprehensive list of iptables command structures.
18.3.3 Commands
Commands tell iptables to perform a specific action, and only one command is allowed per iptables command string. Except for the help command, all commands are written in upper-case characters.
The iptables commands are:
-A — Appends the iptables rule to the end of the specified chain. This is the command used
to simply add a rule when rule order in the chain does not matter.
-C — Checks a particular rule before adding it to the user-specified chain. This command can
help you construct complicated iptables rules by prompting you for additional parameters and
options.
-D — Deletes a rule in a particular chain by number (such as 5 for the fifth rule in a chain). You
can also type the entire rule, and iptables will delete the rule in the chain that matches it.
-E — Renames a user-defined chain. This does not affect the structure of the table at all. Rather, it
just saves you the trouble of deleting the chain, creating it under the new name, and reconfiguring
all of your rules for that chain.
-F — Flushes the selected chain, which effectively deletes every rule in the chain. If no chain
is specified, this command flushes every rule from every chain.
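The command structure described in this section and the one-command-per-string rule above can be checked before a rule is ever applied, for instance when reviewing a firewall script. The following parser is an added example, not code from the manual: it splits an iptables command string into table, command, chain name(s), rule number and parameter/option pairs, and rejects strings with a lower-case or duplicated command. The COMMANDS table only lists the commands covered on this page, and the rule that a parameter is any token beginning with "-" is an assumption made for the example.

```python
import shlex

# Commands described in this section, mapped to the number of chain-name
# arguments each one takes (-E takes the old and the new name).
COMMANDS = {"-A": 1, "-C": 1, "-D": 1, "-E": 2, "-F": 1}

def parse_iptables(cmdline):
    """Break an iptables command string into its parts: table, command,
    chain name(s), optional rule number and a list of (parameter, option)
    pairs.  A parameter that takes no option is paired with None."""
    argv = shlex.split(cmdline)
    if not argv or argv[0] != "iptables":
        raise ValueError("not an iptables command string")
    pos, table = 1, "filter"  # the filter table is used when -t is absent
    if pos < len(argv) and argv[pos] == "-t":
        if pos + 1 >= len(argv):
            raise ValueError("-t needs a table name")
        table, pos = argv[pos + 1], pos + 2
    if pos >= len(argv) or argv[pos] == "-h":  # help is the only lower-case command
        return {"table": table, "command": "-h", "chains": [], "rule": None, "params": []}
    command = argv[pos]
    if command not in COMMANDS:
        raise ValueError(f"unknown command {command!r} (commands are upper-case, e.g. -A)")
    rest = argv[pos + 1:]
    if any(tok in COMMANDS for tok in rest):
        raise ValueError("only one command is allowed per iptables command string")
    # Chain name(s) follow the command; -F may omit the chain to flush every chain.
    chains = []
    while rest and len(chains) < COMMANDS[command] and not rest[0].startswith("-"):
        chains.append(rest.pop(0))
    if command != "-F" and len(chains) != COMMANDS[command]:
        raise ValueError(f"{command} needs {COMMANDS[command]} chain name(s)")
    rule = None
    if command == "-D" and rest and rest[0].isdigit():  # -D by rule number
        rule = int(rest.pop(0))
    # Remaining tokens are parameter/option pairs (assumption: parameters start with "-").
    params = []
    while rest:
        param = rest.pop(0)
        if param == "!" and rest:  # "! -s 10.0.0.0/8" negates the next parameter
            param = "! " + rest.pop(0)
        if not param.lstrip("! ").startswith("-"):
            raise ValueError(f"expected a parameter, found {param!r}")
        option = rest.pop(0) if rest and not rest[0].startswith("-") else None
        params.append((param, option))
    return {"table": table, "command": command, "chains": chains, "rule": rule, "params": params}
```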
Chapter 18: Firewalling with iptables