iptables

Updated: September 28, 2024

Administration tool for packet filtering and NAT.


Table of Contents

tldr

# inspect the current ruleset of every chain, verbose (shows packet/byte counters)
iptables -L -v

# list NAT rules
iptables -t nat -n -L

TARGETS

ACCEPT      # let the packet proceed on its way
DROP        # discard the packet silently (sender gets no feedback)
REJECT      # discard the packet and send an ICMP error message back to the sender
LOG         # log matching packets to the kernel log (non-terminating: rule traversal continues)
ULOG        # userspace logging via netlink (legacy; superseded by NFLOG)
REDIRECT    # redirect packets to a local port (e.g. a transparent proxy) instead of letting them proceed
RETURN      # stop traversing this chain and resume in the calling chain
MIRROR      # swap the IP source and destination addresses (obsolete; not present in current kernels)
QUEUE       # hand packets to a local userspace program through a kernel queue module (see also NFQUEUE)
NOTRACK     # exempt matching packets from connection tracking (raw table only)
SECMARK     # set a security mark (e.g. SELinux context) on the packet (security table)
CONNSECMARK # copy the security mark between the packet and its connection (security table)

TABLES

# built-in chains (non-user-defined); each table holds a subset of these, see below
INPUT       # packets destined for local sockets
OUTPUT      # locally generated packets
FORWARD     # packets being routed through the box
PREROUTING  # alter packets as soon as they come in, before routing
POSTROUTING # alter packets as they are about to go out, after routing

iptables
    -t, --table

filter:     (default) INPUT OUTPUT FORWARD
nat:        (consulted only for the first packet of a new connection) INPUT OUTPUT PREROUTING POSTROUTING
mangle:     (used for specialized packet alteration) INPUT OUTPUT PREROUTING POSTROUTING FORWARD
raw:        (configures exemptions from connection tracking, in combination with NOTRACK) OUTPUT PREROUTING
security:   (used for Mandatory Access Control network rules using SECMARK and CONNSECMARK) INPUT OUTPUT FORWARD

ARGUMENTS

iptables
    -A, --append <chain> <rule>         # append one or more rules to the end of the selected chain
    -C, --check <chain> <rule>          # check whether the rule exists in the chain; does not alter config
    -D, --delete <chain> <rule>         # delete a rule from the selected chain (by rule spec or rule number)
    -I, --insert <chain> <num> <rule>   # insert rules into the selected chain at position <num> (default 1 = top)
    -R, --replace <chain> <num> <rule>  # replace the rule at position <num> in the selected chain
    -L, --list <chain>                  # list all rules in the selected chain (all chains if none given)
    -S, --list-rules <chain>            # print all rules in the selected chain as iptables commands
    -F, --flush <chain>                 # delete all rules in the selected chain (all chains if none given)
    -Z, --zero <chain> <num>            # zero the packet and byte counters of all chains, one chain, or one rule
    -N, --new-chain <chain>             # create a new user-defined chain
    -X, --delete-chain <chain>          # delete a user-defined chain; it must be empty and unreferenced
    -P, --policy <chain> <target>       # set the default policy of a built-in chain (ACCEPT or DROP)
    -E, --rename-chain <old> <new>      # rename a user-defined chain (cosmetic)

PARAMETERS

-4, --ipv4                              # specify IPv4
-6, --ipv6                              # specify IPv6
-p, --protocol <protocol>               # protocol to check for [tcp udp icmp sctp all]; a leading ! inverts the test
-s, --source <CIDR>                     # source address or network
-d, --destination <CIDR>                # destination address or network
-m, --match <match>                     # load a match extension to test a specific property
-g, --goto <chain>                      # continue processing in the given user-defined chain without returning (unlike -j)
-i, --in-interface <name>               # interface the packet was received on (INPUT, FORWARD, PREROUTING chains only)
-o, --out-interface <name>              # interface the packet will be sent out of (OUTPUT, FORWARD, POSTROUTING chains only)
-f, --fragment                          # match the second and further fragments of fragmented IPv4 packets
-c, --set-counters <packets> <bytes>    # initialize the packet and byte counters of a rule
-n, --numeric                           # numeric output: print IP addresses and port numbers instead of hostnames, network names and service names
--line-numbers                          # show rule numbers when listing (useful with -I, -D, -R)