How to PREPEND rules rather than APPEND using iptables?

Question

Pretty basic question: how to PREPEND rules on IPTABLES rather than to APPEND?

I have DROP statements at the bottom of my rules. I have a software to add new rules but adding rules after DROP statements isn't good. Every time I want to add a new rule, I have to flush the table (which is inefficient).

Is there a way to prepend a rule i.e., add a rule to the top of the table rather than the bottom?

Many thanks.

score 90 · Accepted Answer · edited Oct 28 '15 at 19:29

90

Use the -I switch:

sudo iptables -I INPUT 1 -i lo -j ACCEPT

This would insert a rule at position #1 in the INPUT chain.

edited Oct 28 '15 at 19:29

Giacomo1968

3,522
25
38

answered Mar 29 '12 at 19:27

Yanick Girouard

2,295
1
17
18

2

Dang! You beat me by 18 seconds... I wasn't quick enough :( – Yanick Girouard Mar 29 '12 at 19:28
1

Hehehehehehehe :) – cjc Mar 29 '12 at 19:30
2

@YanickGirourad, hah, you got the checkmark! – cjc Mar 29 '12 at 21:56
6

Also to note, when using -I INPUT 1, no rule gets overwritten. Instead all rules will be shifted by one position up. – Abdull Jan 12 '14 at 22:25
1

Important note from Abdull. – Halsafar Feb 04 '16 at 22:19
The `1` isn't even required, per the man page: _If the rule number is 1, the rule or rules are inserted at the head of the chain. This is also the default if no rule number is specified._ – Bert Dec 06 '18 at 19:09

score 20 · Answer 2 · answered Mar 29 '12 at 19:26

20

-I will insert. You're probably using -A to append.

You can also do iptables -I chain rulenum to insert a rule as number "rulenum" in chain "chain". -R chain rulenum can be used to replace a specific rule at number "rulenum" in chain "chain". iptables -L -n --line-numbers will show the rule numbers in the left-most column.

answered Mar 29 '12 at 19:26

cjc

24,533
2
49
69

I'm in a rush at the moment or I'd look it up but it would be nice to see an example of how the "chain" works here, or a link. – PJ Brunet Jul 03 '13 at 23:21
// , Refer to https://fedoraproject.org/wiki/How_to_edit_iptables_rules#Inserting_Rules for more information about how to correctly insert an IPTables rule. – Nathan Basanese Jun 14 '16 at 23:26

score 2 · Answer 3 · edited Aug 14 '13 at 02:13

2

To help with determining what line number to add the new rule, I use iptables-save to output the existing rules to the console.

For beginners I can also suggest a cheat card by using webmin administer your rules. It's very friendly and you can easily manually re-order rules in the list. It will also handle the 'slight' variations in redhat vs debian based implementations of iptables.

edited Aug 14 '13 at 02:13

Falcon Momot

24,975
13
61
92

answered Aug 14 '13 at 01:23

AngryWombat

499
3
6

2

`iptables -L --line-numbers` is a little more platform independant – Sirex Aug 14 '13 at 01:32
1

I'm not sure exactly why one should use webmin for that (or anything). It's far better to learn the command-line way than to use a crutch. – Falcon Momot Aug 14 '13 at 02:14

score 2 · Answer 4 · answered Aug 22 '15 at 04:24

There is a program named iptables-persistent which make iptable's rules persistent as a OS service. this service include a configuration file as the iptables-save export.

So you can reorder the lines in the configuration file and restart the service.

sudo service iptables-persistent restart

So easy!!!!!

How to PREPEND rules rather than APPEND using iptables?

4 Answers4