Iptables is a command and not a kernel module. The actual firewall in the kernel is called netfilter and is built in without a module of its own. However, there may be netfilter kernel modules that are loaded. For example, try "lsmod | grep conntrack".
The prefix that the module uses depends on your kernel version. On my kernel they start with "nf".
I find it convenient to look at an individual iptables chain instead of an entire listing. For example:
sudo /usr/sbin/iptables -L INPUT
With only 6 to 10 entries it is easy to count where you want a rule inserted in that table. Sometimes a rule doesn't work because a previous rule has already handled the situation.
You can insert a new rule at a certain place in the chain.
Code:
-I, --insert chain [rulenum] rule-specification
Insert one or more rules in the selected chain as the given rule number. So, if the rule number is 1, the rule or rules
are inserted at the head of the chain. This is also the default if no rule number is specified.
-R, --replace chain rulenum rule-specification
Replace a rule in the selected chain. If the source and/or destination names resolve to multiple addresses, the command
will fail. Rules are numbered starting at 1.
-L, --list [chain]
List all rules in the selected chain. If no chain is selected, all chains are listed. As every other iptables command,
it applies to the specified table (filter is the default), so NAT rules get listed by
iptables -t nat -n -L
Please note that it is often used with the -n option, in order to avoid long reverse DNS lookups. It is legal to specify
the -Z (zero) option as well, in which case the chain(s) will be atomically listed and zeroed. The exact output is
affected by the other arguments given. The exact rules are suppressed until you use
iptables -L -v
Note the rulenum argument. This will help you add or change rules in a particular chain and try them out before committing the changes.
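As an added example (not part of the original post), the script below works out where a new rule has to go so that an earlier catch-all rule does not handle the traffic first. The listing is constructed sample output, and the function names first_catch_all and placement_command are hypothetical helpers; the script only prints the iptables command and does not run it.

```shell
#!/bin/sh
# Added example. The listing is constructed sample output of
#   iptables -L INPUT -n --line-numbers
# and was not taken from a real host.
sample_listing() {
cat <<'EOF'
Chain INPUT (policy ACCEPT)
num  target     prot opt source               destination
1    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
2    ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0
3    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:22
4    REJECT     all  --  0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited
EOF
}

# Print the number of the first rule that drops or rejects every protocol from
# any source to any destination; rules after it never see traffic.
# Prints nothing if the listing (read from stdin) has no such rule.
# Without -v the interface columns are hidden, so confirm the hit with
# "iptables -L CHAIN -n -v --line-numbers" before relying on it.
first_catch_all() {
    awk '$1 ~ /^[0-9]+$/ && ($2 == "DROP" || $2 == "REJECT") &&
         $3 == "all" && $5 == "0.0.0.0/0" && $6 == "0.0.0.0/0" { print $1; exit }'
}

# Build (but do not run) the command that places a rule where it takes effect:
# inserted at the catch-all's number, or appended when there is no catch-all.
# Usage: placement_command CHAIN rule-specification... < listing
placement_command() {
    chain=$1; shift
    pos=$(first_catch_all)
    if [ -n "$pos" ]; then
        echo "iptables -I $chain $pos $*"
    else
        echo "iptables -A $chain $*"
    fi
}

# Demo on the constructed listing: the new rule must become rule 4.
sample_listing | placement_command INPUT -p tcp --dport 443 -j ACCEPT
```

On a live system, feed it the real listing instead, for example: sudo iptables -L INPUT -n --line-numbers | placement_command INPUT -p tcp --dport 443 -j ACCEPT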