I'm gonna go over some commonly used rule specification options. For a full list, see the iptables man page. If you want to match a packet by source, use -s followed by the source, this will either be an IP address, a network specification, or a host name. If you're using a host name, it's very important to be aware that the host name is resolved once when the rule is added and the IP address of that host name is used. It's best to use an IP address or a network specification. You can use classless inter-domain routing notation, which is sometimes referred to a slash notation or CIDR. You can also specify the network address and a sub-net mask if you wish. to specify a destination, use the -d option. Again, here you specify an IP, a network, or a name. If you want to match a packet by protocol, use the -p option followed by the network protocol to match. For example, totally matched TCP packets use -p tcp. The -m option is used to enable extended packet matching modules. You follow the -m with the name of the extended module which enables additional command line options provided by that module. From there, you can use those additional options on the command line. You can use multiple extended match modules in a rule if you want or need to. For a list of these modules and their options, view the iptables-extensions man page. If you want to specify a destination port, first specify the protocol with -p, then enable the extended module by using -m followed by the protocol. Now you can use the --dport option followed by the port. For example, if you wanted to match all TCP packets that are destined to port 80, you would use -p tcp -m tcp --dport 80. There's a built-in shortcut for this however, when you use the -p tcp option, all the options for the TCP module become available so you don't have to explicitly use -m tcp. The shorthand version of the previous example would be -p tcp --dport 80. The same concept holds true for UDP. When you use UDP as the protocol, the UDP module options become available to you by default. You can also do the same thing for source ports, in this case use the --sport option followed by the port. If you want to match based on the ICMP protocol use -p icmp. Just like TCP and UDP, When you specify the ICMP protocol, it enables the ICMP module and additional options become available to you. You can specify the ICMP type by using --imcp-type followed by the name or number of the type. to get a full list of types, run iptables -p icmp -h. To match pings, use echo-request and to match pongs, use echo-reply. The limit module can be used to match packets based on rate. For example, you could match all packets that do not exceed a given rate. You can use this module to control how often logs are written or to limit the effects of a denial of service attack. The --limit option is used to set an average rate and the --limit-burst option is used to set an initial burst rate. With --limit five /m --limit dash-burst 10, the first 10 consecutive packets will be matched, and then from then on, only five packets per minute will be matched. The limit-burst count is reset, every time the limit rate is not broken. If you don't specify a limit, it defaults to three per hour, if you don't specify a limit burst, it defaults to five. You can also use the exclamation mark to invert the match. For ! --limit five /s, this means a match will occur after the limit of five packets per second is broken. So that takes care of the matching section of a rule. The other section, the target section is really pretty simple. You specify the target with -j followed by the target name. This could be a built-in target, like ACCEPT or DROP, or it could be the name of a custom chain that you created. You can think of these targets as jumps, when -j is encountered, the matching packet will jump to the specified target.