Iptables insert rule at top of tables ( PREPEND rule on Linux )


I want to insert the iptables rule at the top of given tables such as filter table INPUT chain. How do I prepend iptables rules at the top of a filter table on Linux operating system?

iptables is the Linux administration tool for IPv4 packet filtering and NAT; ip6tables is its IPv6 counterpart. You use iptables/ip6tables to set up, manage, and examine the tables of IPv4 and IPv6 packet filter rules in the Linux kernel. This page shows how to use iptables to insert a rule at the top of a chain, and why the position of a rule matters.

How to list iptables rules with line numbers

Just use the following syntax:
sudo iptables -t filter -L INPUT --line-numbers -n
sudo iptables -t filter -L OUTPUT --line-numbers -n
sudo iptables -t filter -L FORWARD --line-numbers -n
sudo iptables -t nat -L --line-numbers -n

(Screenshot: iptables list rules with line numbers)

Iptables insert rule at top of tables Linux syntax

iptables lets you APPEND (-A), INSERT (-I) or REPLACE (-R) firewall rules in a chain as follows.

Iptables append firewall rules to the end of the selected chain

The syntax is:
iptables -A chain firewall-rule
When you use the -A or --append switch, the rule is added to the end of the chain, such as INPUT, FORWARD and so on:

## append rule to INPUT chain ##
sudo iptables -A INPUT -i eth0 -j ACCEPT
sudo iptables -A INPUT -i eth0 -d 192.168.1.254 -j ACCEPT

## append rule to FORWARD chain ##
sudo iptables -A FORWARD -o virbr0 -d 192.168.122.42 -j ACCEPT
## "-m state" must appear before "--state"; on current kernels "-m conntrack --ctstate" is the preferred equivalent ##
sudo iptables -A FORWARD -m state -s 192.168.2.0/24 -d 192.168.122.0/24 --state NEW,RELATED,ESTABLISHED -j ACCEPT

Verify it with the following:
sudo iptables -t filter -L INPUT --line-numbers -n -v
sudo iptables -t filter -L FORWARD --line-numbers -n -v

Sample outputs:

Chain INPUT (policy ACCEPT 6 packets, 518 bytes)
num   pkts bytes target     prot opt in     out     source               destination         
1        0     0 ACCEPT     tcp  --  lxdbr0 *       0.0.0.0/0            0.0.0.0/0            tcp dpt:53 /* generated for LXD network lxdbr0 */
2      259 16615 ACCEPT     udp  --  lxdbr0 *       0.0.0.0/0            0.0.0.0/0            udp dpt:53 /* generated for LXD network lxdbr0 */
3     1517  498K ACCEPT     udp  --  lxdbr0 *       0.0.0.0/0            0.0.0.0/0            udp dpt:67 /* generated for LXD network lxdbr0 */
4       36  2674 ACCEPT     udp  --  virbr0 *       0.0.0.0/0            0.0.0.0/0            udp dpt:53
5        0     0 ACCEPT     tcp  --  virbr0 *       0.0.0.0/0            0.0.0.0/0            tcp dpt:53
6        4  1312 ACCEPT     udp  --  virbr0 *       0.0.0.0/0            0.0.0.0/0            udp dpt:67
7        0     0 ACCEPT     tcp  --  virbr0 *       0.0.0.0/0            0.0.0.0/0            tcp dpt:67
8        0     0 ACCEPT     all  --  eth0   *       0.0.0.0/0            0.0.0.0/0

Iptables insert (prepend) firewall rules at the top of the selected chain

You need to use the following syntax:
iptables -I chain [rule-number] firewall-rule
For example:
sudo iptables -I INPUT 1 -i eth0 -j ACCEPT
The above command inserts the rule into the INPUT chain at the given rule number, pushing the rules at that position and below down by one. If the rule number is 1, the rule is placed at the head of the chain; this is also the default if no rule number is specified. The number must be between 1 and the current rule count plus one, otherwise iptables refuses with "Index of insertion too big".

Position matters because a chain is evaluated top to bottom and the first matching rule with a terminating target (ACCEPT, DROP, REJECT) decides the packet's fate. An ACCEPT inserted at position 1 bypasses every DROP or REJECT below it, and a DROP appended after a broad ACCEPT never fires. So a block on an attacker's address belongs at the top of the chain (-I INPUT 1 -s address -j DROP), not at the end. Note also that -I is a runtime change only; dump the ruleset with iptables-save, or use your distribution's persistence mechanism, if it must survive a reboot.

Example: Iptables insert rule at top of tables

I am going to INSERT the following rule at the top of the filter table's FORWARD chain (the same rule that was appended above, now at position 1):
sudo iptables -I FORWARD 1 -m state -s 192.168.2.0/24 -d 192.168.122.0/24 --state NEW,RELATED,ESTABLISHED -j ACCEPT
Verify it:
sudo iptables -t filter -L FORWARD --line-numbers -n -v

(Screenshot: Linux iptables insert rule at top of tables command)
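Both the append section and the insert section above end with the same step: list the chain with --line-numbers to confirm where the rule landed. The helpers below are an added example written for this page, not code from the article or from the iptables project. They assume an IPTABLES variable (so the same code drives ip6tables), the helper names prepend_rule and rule_at, and an exit-code convention of 0 for inserted and 2 for already present. prepend_rule makes the prepend idempotent by checking with -C first, because re-running "iptables -I INPUT 1 ..." from a provisioning script stacks an identical copy on every run; rule_at parses the --line-numbers listing and prints the rule at a given position, using the article's own INPUT listing as constructed sample input.

```shell
#!/bin/sh
# Added example; this is not code from the original article.
# Two small helpers around the "-I chain 1" and "-L chain --line-numbers"
# workflow shown above. Assumed (not from the page): the IPTABLES variable,
# the helper names, and the exit-code convention 0=inserted, 2=already present.

IPTABLES="${IPTABLES:-iptables}"   # set IPTABLES=ip6tables for the v6 tables

# prepend_rule TABLE CHAIN RULE-SPEC...
# Re-running `iptables -I INPUT 1 ...` stacks a new identical copy on every
# run, so check with -C first and only then insert at position 1, the head
# of the chain (first match wins, so this rule is evaluated before all others).
prepend_rule() {
    table=$1
    chain=$2
    shift 2
    if "$IPTABLES" -t "$table" -C "$chain" "$@" 2>/dev/null; then
        printf 'already present in %s/%s, not inserting: %s\n' "$table" "$chain" "$*" >&2
        return 2
    fi
    "$IPTABLES" -t "$table" -I "$chain" 1 "$@"
}

# rule_at N   (reads `iptables -t T -L CHAIN --line-numbers -n -v` on stdin)
# Prints rule number N with the num/pkts/bytes columns stripped, so you can
# confirm that what you inserted really sits where you expected it.
rule_at() {
    awk -v n="$1" '$1 == n { $1 = ""; $2 = ""; $3 = ""; sub(/^ +/, ""); print }'
}

# Constructed sample: the INPUT listing from the article, trimmed to two rows.
SAMPLE_LISTING='Chain INPUT (policy ACCEPT 6 packets, 518 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1        0     0 ACCEPT     tcp  --  lxdbr0 *       0.0.0.0/0            0.0.0.0/0            tcp dpt:53 /* generated for LXD network lxdbr0 */
8        0     0 ACCEPT     all  --  eth0   *       0.0.0.0/0            0.0.0.0/0'

# Stand-alone demo of the parser (needs no root):
printf '%s\n' "$SAMPLE_LISTING" | rule_at 1

# Typical use on a live box (root required), mirroring the article:
#   prepend_rule filter INPUT -i eth0 -j ACCEPT
#   iptables -t filter -L INPUT --line-numbers -n -v | rule_at 1
```

Running prepend_rule twice with the same spec inserts once and reports "already present" the second time; pipe the live listing into rule_at 1 afterwards and the output should equal the spec you inserted, minus the counters.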

Linux Iptables insert/prepend rule at top of tables command summary

You need to use the following syntax:
sudo iptables -I chain [rule-number] firewall-rule
To view rules:
sudo iptables -t filter -L chain --line-numbers -n -v
Where,

  1. -I : Insert the rule at the given rule number (default 1, the head of the chain)
  2. -t : Specifies the packet matching table such as nat, filter, security, mangle, and raw (default filter)
  3. -L : List the rules of a specific chain (such as INPUT/FORWARD/OUTPUT) of the given packet matching table
  4. --line-numbers : Show firewall rules with their position numbers
  5. -n : Do not resolve names using DNS, i.e. show only numeric output for IP addresses and port numbers
  6. -v : Verbose output. This option makes the list command show the interface names, the rule options (if any), the TOS masks, and the packet and byte counters

For more info, read the iptables man pages on your system by typing the following man commands:
man iptables
man ip6tables

Posted by: Vivek Gite

The author is the creator of nixCraft and a seasoned sysadmin, DevOps engineer, and a trainer for the Linux operating system/Unix shell scripting.