
How to list all iptables rules with line numbers on Linux

I recently added NAT rules on my RHEL 6.x system. How do I see the rules including line numbers that I just added in Linux?

Yes, you can easily view your rules using the following commands on Linux:

  1. iptables command – IPv4 netfilter admin tool.
  2. ip6tables command – IPv6 netfilter admin tool.

Viewing all iptables rules in Linux

The syntax is:

iptables --list
iptables -L
iptables --table NameHere --list
iptables -t NameHere -L -n -v --line-numbers

Examples

Type the following command as root user:
# iptables -L
Sample outputs:

target     prot opt source               destination
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:domain
ACCEPT     udp  --  anywhere             anywhere             udp dpt:domain
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:bootps
ACCEPT     udp  --  anywhere             anywhere             udp dpt:bootps
ufw-before-logging-input  all  --  anywhere             anywhere
ufw-before-input  all  --  anywhere             anywhere
ufw-after-input  all  --  anywhere             anywhere
ufw-after-logging-input  all  --  anywhere             anywhere
ufw-reject-input  all  --  anywhere             anywhere
ufw-track-input  all  --  anywhere             anywhere
 
Chain FORWARD (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
ufw-before-logging-forward  all  --  anywhere             anywhere
ufw-before-forward  all  --  anywhere             anywhere
ufw-after-forward  all  --  anywhere             anywhere
ufw-after-logging-forward  all  --  anywhere             anywhere
ufw-reject-forward  all  --  anywhere             anywhere
ufw-track-forward  all  --  anywhere             anywhere
 
Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
ufw-before-logging-output  all  --  anywhere             anywhere
ufw-before-output  all  --  anywhere             anywhere
ufw-after-output  all  --  anywhere             anywhere
ufw-after-logging-output  all  --  anywhere             anywhere
ufw-reject-output  all  --  anywhere             anywhere
ufw-track-output  all  --  anywhere             anywhere
.....
..
..
Chain ufw-user-limit (0 references)
target     prot opt source               destination
LOG        all  --  anywhere             anywhere             limit: avg 3/min burst 5 LOG level warning prefix "[UFW LIMIT BLOCK] "
REJECT     all  --  anywhere             anywhere             reject-with icmp-port-unreachable
 
Chain ufw-user-limit-accept (0 references)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere
 
Chain ufw-user-logging-forward (0 references)
target     prot opt source               destination
 
Chain ufw-user-logging-input (0 references)
target     prot opt source               destination
 
Chain ufw-user-logging-output (0 references)
target     prot opt source               destination
 
Chain ufw-user-output (1 references)
target     prot opt source               destination

How to see NAT rules:

By default iptables operates on the filter table. To see the NAT table instead, enter:
# iptables -t nat -L
Other table options:
# iptables -t filter -L
# iptables -t raw -L
# iptables -t security -L
# iptables -t mangle -L
# iptables -t nat -L

How to see NAT rules with line numbers:

Pass the --line-numbers option:
# iptables -t nat -L --line-numbers -n
Sample outputs:

Chain PREROUTING (policy ACCEPT 28M packets, 1661M bytes)
num   pkts bytes target     prot opt in     out     source               destination
1        0     0 DNAT       tcp  --  eth0   *       10.10.29.68          0.0.0.0/0            tcp dpt:3306 to:10.0.3.19:3306
2        0     0 DNAT       tcp  --  eth0   *       10.10.29.68          0.0.0.0/0            tcp dpt:11211 to:10.0.3.20:11211
3        0     0 DNAT       udp  --  eth0   *       10.10.29.68          0.0.0.0/0            udp dpt:11211 to:10.0.3.20:11211
 
Chain INPUT (policy ACCEPT 18M packets, 1030M bytes)
num   pkts bytes target     prot opt in     out     source               destination
 
Chain OUTPUT (policy ACCEPT 23M packets, 1408M bytes)
num   pkts bytes target     prot opt in     out     source               destination
 
Chain POSTROUTING (policy ACCEPT 33M packets, 1979M bytes)
num   pkts bytes target     prot opt in     out     source               destination
1    38927 2336K MASQUERADE  all  --  *      *       10.0.3.0/24         !10.0.3.0/24
2        0     0 MASQUERADE  all  --  *      *       10.0.3.0/24         !10.0.3.0/24

How to see NAT rules with counters (bytes and packets)

Pass the -v option to the iptables command:
# iptables -t nat -L -n -v
Sample outputs:

Fig.01: Linux viewing all iptables NAT, DNAT, MASQUERADE rules
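Added example (not part of the original tutorial): a POSIX shell script that parses the counted, line-numbered NAT listing produced by `iptables -t nat -L -n -v --line-numbers`, prints each rule as chain:number so it can be referred to precisely, and flags rules whose packet counter is still zero (worth reviewing before accepting them as intended policy). The embedded sample is constructed from the output shown above so the script runs without root or iptables.

```shell
#!/bin/sh
# Constructed sample: the "iptables -t nat -L -n -v --line-numbers" output
# from this page, embedded so the parser can be exercised offline.
SAMPLE='Chain PREROUTING (policy ACCEPT 28M packets, 1661M bytes)
num   pkts bytes target     prot opt in     out     source               destination
1        0     0 DNAT       tcp  --  eth0   *       10.10.29.68          0.0.0.0/0            tcp dpt:3306 to:10.0.3.19:3306
2        0     0 DNAT       tcp  --  eth0   *       10.10.29.68          0.0.0.0/0            tcp dpt:11211 to:10.0.3.20:11211

Chain POSTROUTING (policy ACCEPT 33M packets, 1979M bytes)
num   pkts bytes target     prot opt in     out     source               destination
1    38927 2336K MASQUERADE  all  --  *      *       10.0.3.0/24         !10.0.3.0/24
2        0     0 MASQUERADE  all  --  *      *       10.0.3.0/24         !10.0.3.0/24'

# Summarise every numbered rule read on stdin as
# "CHAIN:num target proto in=iface source -> destination [match/target options]".
# Chain headers start with "Chain", the column header with "num", rules with a number.
summarize_nat() {
    awk '
        /^Chain / { chain = $2; next }
        /^num /   { next }
        /^[0-9]+ / {
            extra = ""
            for (i = 11; i <= NF; i++) extra = extra " " $i
            printf "%s:%s %s %s in=%s %s -> %s%s\n", chain, $1, $4, $5, $7, $9, $10, extra
        }'
}

# Print "CHAIN:num" for every rule whose packet counter (column 2) is zero.
unused_rules() {
    awk '/^Chain / { chain = $2 } /^[0-9]+ / && $2 == 0 { print chain ":" $1 }'
}

# On a live system the same functions would be fed by:
#   iptables -t nat -L -n -v --line-numbers | summarize_nat
printf '%s\n' "$SAMPLE" | summarize_nat
echo "--- rules with zero packet hits ---"
printf '%s\n' "$SAMPLE" | unused_rules
```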

Say hello to ip6tables

ip6tables is the administration tool for IPv6 packet filtering and NAT. To see the IPv6 tables, enter:
# ip6tables -L -n -v

Chain INPUT (policy DROP 239 packets, 16202 bytes)
 pkts bytes target     prot opt in     out     source               destination
 136K   30M ufw6-before-logging-input  all      *      *       ::/0                 ::/0
 136K   30M ufw6-before-input  all      *      *       ::/0                 ::/0
  241 16360 ufw6-after-input  all      *      *       ::/0                 ::/0
  239 16202 ufw6-after-logging-input  all      *      *       ::/0                 ::/0
  239 16202 ufw6-reject-input  all      *      *       ::/0                 ::/0
  239 16202 ufw6-track-input  all      *      *       ::/0                 ::/0
Chain FORWARD (policy DROP 483 packets, 32628 bytes)
 pkts bytes target     prot opt in     out     source               destination
  483 32628 ufw6-before-logging-forward  all      *      *       ::/0                 ::/0
  483 32628 ufw6-before-forward  all      *      *       ::/0                 ::/0
  483 32628 ufw6-after-forward  all      *      *       ::/0                 ::/0
  483 32628 ufw6-after-logging-forward  all      *      *       ::/0                 ::/0
  483 32628 ufw6-reject-forward  all      *      *       ::/0                 ::/0
  483 32628 ufw6-track-forward  all      *      *       ::/0                 ::/0
Chain OUTPUT (policy ACCEPT 122 packets, 8555 bytes)
 pkts bytes target     prot opt in     out     source               destination
 136K   30M ufw6-before-logging-output  all      *      *       ::/0                 ::/0
 136K   30M ufw6-before-output  all      *      *       ::/0                 ::/0
  183 14107 ufw6-after-output  all      *      *       ::/0                 ::/0
  183 14107 ufw6-after-logging-output  all      *      *       ::/0                 ::/0
  183 14107 ufw6-reject-output  all      *      *       ::/0                 ::/0
  183 14107 ufw6-track-output  all      *      *       ::/0                 ::/0
Chain ufw6-after-forward (1 references)
 pkts bytes target     prot opt in     out     source               destination
...
....
..
 pkts bytes target     prot opt in     out     source               destination
   19  1520 ACCEPT     tcp      *      *       ::/0                 ::/0                 ctstate NEW
   42  4032 ACCEPT     udp      *      *       ::/0                 ::/0                 ctstate NEW
Chain ufw6-user-forward (1 references)
 pkts bytes target     prot opt in     out     source               destination
Chain ufw6-user-input (1 references)
 pkts bytes target     prot opt in     out     source               destination
Chain ufw6-user-limit (0 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 LOG        all      *      *       ::/0                 ::/0                 limit: avg 3/min burst 5 LOG flags 0 level 4 prefix "[UFW LIMIT BLOCK] "
    0     0 REJECT     all      *      *       ::/0                 ::/0                 reject-with icmp6-port-unreachable
Chain ufw6-user-limit-accept (0 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all      *      *       ::/0                 ::/0
Chain ufw6-user-logging-forward (0 references)
 pkts bytes target     prot opt in     out     source               destination
Chain ufw6-user-logging-input (0 references)
 pkts bytes target     prot opt in     out     source               destination
Chain ufw6-user-logging-output (0 references)
 pkts bytes target     prot opt in     out     source               destination
Chain ufw6-user-output (1 references)
 pkts bytes target     prot opt in     out     source               destination         


To see IPv6 NAT rules with line numbers, enter:
# ip6tables -L -n -v -t nat --line-numbers
