sudo(8) iptables(8) -t nat -L PREROUTING -n %7C tr -s %27 %27 %7C cut -d %27 %27 -f7-
execute a command as another user
administration tool for IPv4 packet filtering and NAT
-t, --table table
       This option specifies the packet matching table which the  command  should  operate  on.   If  the
       kernel  is  configured  with  automatic  module  loading,  an  attempt  will  be  made to load the
       appropriate module for that table if it is not already there.

              The tables are as follows:

              filter:
                  This is the default table (if no -t option is passed). It contains the built-in  chains  INPUT
                  (for  packets  destined to local sockets), FORWARD (for packets being routed through the box),
                  and OUTPUT (for locally-generated packets).

              nat:
                  This table is consulted when a packet that  creates  a  new  connection  is  encountered.   It
                  consists of three built-ins: PREROUTING (for altering packets as soon as they come in), OUTPUT
                  (for altering locally-generated packets before routing), and POSTROUTING (for altering packets
                  as they are about to go out).

              mangle:
                  This table is used for specialized packet alteration.  Until kernel 2.4.17 it had two built-in
                  chains: PREROUTING (for altering incoming packets before routing)  and  OUTPUT  (for  altering
                  locally-generated  packets  before routing).  Since kernel 2.4.18, three other built-in chains
                  are also supported: INPUT (for packets coming into the  box  itself),  FORWARD  (for  altering
                  packets being routed through the box), and POSTROUTING (for altering packets as they are about
                  to go out).

              raw:
                  This table is used mainly for configuring exemptions from connection tracking  in  combination
                  with the NOTRACK target.  It registers at the netfilter hooks with higher priority and is thus
                  called before ip_conntrack, or any other  IP  tables.   It  provides  the  following  built-in
                  chains:  PREROUTING  (for  packets  arriving  via  any  network interface) OUTPUT (for packets
                  generated by local processes)

              security:
                  This table is used for Mandatory Access Control (MAC) networking rules, such as those  enabled
                  by  the  SECMARK  and  CONNSECMARK  targets.  Mandatory Access Control is implemented by Linux
                  Security Modules such as SELinux.  The security  table  is  called  after  the  filter  table,
                  allowing  any  Discretionary  Access  Control  (DAC)  rules in the filter table to take effect
                  before MAC rules.  This table provides the  following  built-in  chains:  INPUT  (for  packets
                  coming  into  the box itself), OUTPUT (for altering locally-generated packets before routing),
                  and FORWARD (for altering packets being routed through the box).
-L, --list [chain]
       List  all rules in the selected chain.  If no chain is selected, all chains are listed. Like every
       other iptables command, it applies to the specified table (filter is the default),  so  NAT  rules
       get listed by
        iptables -t nat -n -L
       Please  note that it is often used with the -n option, in order to avoid long reverse DNS lookups.
       It is legal to specify the -Z (zero) option as well, in which case the chain(s) will be atomically
       listed and zeroed.  The exact output is affected by the other arguments given. The exact rules are
       suppressed until you use
        iptables -L -v
-n, --numeric
       Numeric output.  IP addresses and port numbers will be printed in numeric format.  By default, the
       program will try to display them as host names, network names, or services (whenever applicable).
[!] -s, --source address[/mask][,...]
       Source specification. Address can be either a network name, a hostname, a network IP address (with
       /mask),  or a plain IP address. Hostnames will be resolved once only, before the rule is submitted
       to the kernel.  Please note that specifying any name to be resolved with a remote  query  such  as
       DNS is a really bad idea.  The mask can be either a network mask or a plain number, specifying the
       number of 1's at the left side of the  network  mask.   Thus,  a  mask  of  24  is  equivalent  to
       255.255.255.0.   A "!" argument before the address specification inverts the sense of the address.
       The flag --src is an alias for this option.  Multiple addresses can be specified,  but  this  will
       expand  to  multiple rules (when adding with -A), or will cause multiple rules to be deleted (with
       -D).
[!] -d, --destination address[/mask][,...]
       Destination specification.  See the description of the -s (source) flag for a detailed description
       of the syntax.  The flag --dst is an alias for this option.
[!] -f, --fragment
       This means that the rule only refers to second and further fragments of fragmented packets.  Since
       there is no way to tell the source or destination ports of such a packet (or ICMP  type),  such  a
       packet will not match any rules which specify them.  When the "!" argument precedes the "-f" flag,
       the rule will only match head fragments, or unfragmented packets.
source manpages: sudoiptables