
iptables options: (Linux kernel 2.4/2.6 firewall)

  • Thursday, April 8, 2010
  • zana991

    General /sbin/iptables format to add rules:
    iptables [-t|--table table] -command [chain] [-i interface] [-p protocol] [-s address [port[:port]]] [-d address [port[:port]]] -j policy

    Six pre-defined "chain" rules are available:

    * INPUT
    * OUTPUT
    * FORWARD
    * PREROUTING
    * POSTROUTING
    * User defined chains (just give it a new name instead of one of the pre-defined names)

    iptables options:

    Table (-t, --table)   Description
    filter                Default table. This is used if no table is specified.
    nat                   Network address translation
    mangle                Used for Quality of Service (QoS) and preferential treatment
    raw                   Enables optimization, i.e. ignore firewall state matching for port 80 for enhanced speed due to less processing. Requires kernel patch.

    Command (use one)    Description
    -A, --append         Append rule to chain
    -D, --delete         Delete rule from chain
    -I, --insert         Insert rule at beginning or at specified sequence number in chain
    -R, --replace        Replace rule
    -F, --flush          Flush all rules
    -Z, --zero           Zero byte counters in all chains
    -L, --list           List all rules. Add option --line-numbers to show the rule numbers.
    -N, --new-chain      Create new chain
    -X, --delete-chain   Delete user-defined chain
    -P, --policy         Set default policy for a chain
    -E, --rename-chain   Rename a chain

    Command option         Description
    -s, --source           Source address of packet
    -d, --destination      Destination address of packet
    -i, --in-interface     Interface packet is arriving from
    -o, --out-interface    Interface packet is going to
    -p, --protocol         Protocol:
                           ° tcp
                               --sport port[:port]
                               --dport port[:port]
                               --syn
                           ° udp
                           ° icmp
                           ° mac
                           ...
    -j, --jump             Target to send packet to
    -f, --fragment         Fragment matching
    -c, --set-counters     Set packet/byte counter
    -m tcp, --match tcp    ° --source-port port[:port] (port # or range #:#)
                           ° --destination-port port[:port]
                           ° --tcp-flags
    -m state, --match state --state
                           ° ESTABLISHED
                           ° RELATED
                           ° NEW
                           ° INVALID (push content, not expected to receive this packet)

    Defined policies   Description
    ACCEPT             Let packet through
    DROP               Deny packet with no reply
    REJECT             Deny packet and notify sender
    RETURN             Handled by default targets
    MARK               Used for error response. Use with option --reject-with type
    MASQUERADE         Used with nat table and DHCP.
    LOG                Log to file and specify message:
                       ° --log-level #
                       ° --log-prefix "prefix"
                       ° --log-tcp-sequence
                       ° --log-tcp-options
                       ° --log-ip-options
    ULOG               Log to file and specify userspace logging messages
    SNAT               Valid in PREROUTING chain. Used by nat.
    REDIRECT           Used with nat table. Output.
    DNAT               Valid in POSTROUTING chain. Output.
    QUEUE              Pass packet to userspace.

    For the full info see the man page for iptables.
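    As an added example (not code from the original page), the POSIX shell script below assembles a small default-deny INPUT ruleset from the command, match and target options listed above: flush, default policies, a user-defined chain that logs and then drops, and rules that admit only loopback, ESTABLISHED/RELATED traffic and new SSH connections. The ipt wrapper, the IPT and DRY_RUN variables and the LOGDROP chain name are assumptions made for this example. With DRY_RUN=1 (the default) each iptables command is printed instead of executed, so the generated ruleset can be reviewed on any machine; applying it requires root and DRY_RUN=0.

```shell
#!/bin/sh
# Added example, not from the original page. Builds a default-deny
# ruleset using the iptables syntax documented above.
# IPT and DRY_RUN are assumed names chosen for this example.
IPT="${IPT:-/sbin/iptables}"   # path from the page's general format line
DRY_RUN="${DRY_RUN:-1}"        # 1 = print commands, 0 = execute them

# ipt: run (or, in dry-run mode, print) one command of the form
#   iptables [-t table] -command [chain] [match options] -j target
ipt() {
    if [ "$DRY_RUN" = "1" ]; then
        printf '%s %s\n' "$IPT" "$*"
    else
        "$IPT" "$@"
    fi
}

# apply_ruleset: rules are evaluated top to bottom and the first match
# wins, so allow rules precede the final catch-all log-and-drop rule.
apply_ruleset() {
    ipt -t filter -F              # -F: flush all rules in the filter table
    ipt -t filter -X              # -X: delete user-defined chains
    ipt -P INPUT DROP             # -P: default policy, deny what no rule accepts
    ipt -P FORWARD DROP
    ipt -P OUTPUT ACCEPT

    ipt -N LOGDROP                # -N: user-defined chain (assumed name)
    # -m limit caps log volume so a flood cannot fill the log; LOG then DROP
    ipt -A LOGDROP -m limit --limit 5/min -j LOG --log-prefix IPT_DROP: --log-level 4
    ipt -A LOGDROP -j DROP

    ipt -A INPUT -i lo -j ACCEPT  # -i: packets arriving on the loopback interface
    ipt -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    ipt -A INPUT -m state --state INVALID -j LOGDROP
    # new SSH connections only: TCP SYN to port 22 in state NEW
    ipt -A INPUT -p tcp --dport 22 --syn -m state --state NEW -j ACCEPT
    ipt -A INPUT -j LOGDROP       # everything else: log, then drop
}

# count_rules: number of iptables commands the ruleset emits in dry-run mode
count_rules() {
    apply_ruleset | wc -l | tr -d ' '
}

# list_rules: verify the result with -L and the page's --line-numbers option
list_rules() {
    ipt -L INPUT -n -v --line-numbers
}

apply_ruleset
```

    Review the printed commands first; when they look right, rerun with DRY_RUN=0 as root and confirm the chain with list_rules. The flush at the top makes the script safe to rerun, and the LOGDROP chain gives a single place to adjust logging without touching the accept rules.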
