Yes, you can easily list all iptables rules using the following commands on Linux:
1) iptables command – IPv4 netfilter admin tool.
2) ip6tables command – IPv6 netfilter admin tool.
How to list all iptables rules on Linux
The procedure to list all rules on Linux is as follows:
- Open the terminal app or login using ssh:
ssh user@server-name - To list all IPv4 rules :
sudo iptables -S - To list all IPv6 rules :
sudo ip6tables -S - To list all tables rules :
sudo iptables -L -v -n | more - To list all rules for INPUT tables :
sudo iptables -L INPUT -v -n
sudo iptables -S INPUT
Let us see all syntax and usage in details to list all iptables rules on Linux operating systems.
Viewing all iptables rules in Linux
The syntax is:
iptables -S iptables --list iptables -L iptables -S TABLE_NAME iptables --table NameHere --list iptables -t NameHere -L -n -v --line-numbers |
Print all rules in the selected chain
sudo iptables -S
sudo iptables -S INPUT
iptables -S OUTPUT
How to list rules for given tables
Type the following command as root user:
# iptables -L INPUT
# iptables -L FORWARD
# iptables -L OUTPUT
# iptables -L
Sample outputs:
target prot opt source destination ACCEPT tcp -- anywhere anywhere tcp dpt:domain ACCEPT udp -- anywhere anywhere udp dpt:domain ACCEPT tcp -- anywhere anywhere tcp dpt:bootps ACCEPT udp -- anywhere anywhere udp dpt:bootps ufw-before-logging-input all -- anywhere anywhere ufw-before-input all -- anywhere anywhere ufw-after-input all -- anywhere anywhere ufw-after-logging-input all -- anywhere anywhere ufw-reject-input all -- anywhere anywhere ufw-track-input all -- anywhere anywhere Chain FORWARD (policy DROP) target prot opt source destination ACCEPT all -- anywhere anywhere ACCEPT all -- anywhere anywhere ufw-before-logging-forward all -- anywhere anywhere ufw-before-forward all -- anywhere anywhere ufw-after-forward all -- anywhere anywhere ufw-after-logging-forward all -- anywhere anywhere ufw-reject-forward all -- anywhere anywhere ufw-track-forward all -- anywhere anywhere Chain OUTPUT (policy ACCEPT) target prot opt source destination ufw-before-logging-output all -- anywhere anywhere ufw-before-output all -- anywhere anywhere ufw-after-output all -- anywhere anywhere ufw-after-logging-output all -- anywhere anywhere ufw-reject-output all -- anywhere anywhere ufw-track-output all -- anywhere anywhere ..... .. .. Chain ufw-user-limit (0 references) target prot opt source destination LOG all -- anywhere anywhere limit: avg 3/min burst 5 LOG level warning prefix "[UFW LIMIT BLOCK] " REJECT all -- anywhere anywhere reject-with icmp-port-unreachable Chain ufw-user-limit-accept (0 references) target prot opt source destination ACCEPT all -- anywhere anywhere Chain ufw-user-logging-forward (0 references) target prot opt source destination Chain ufw-user-logging-input (0 references) target prot opt source destination Chain ufw-user-logging-output (0 references) target prot opt source destination Chain ufw-user-output (1 references) target prot opt source destination |
Let us try to understand rules:
- target – Tell what to down when a packet matches the rule.
- prot – The protocol for rule.
- opt – Additional options for rule.
- source – The source IP address/subnet/domain name.
- destination – The destination IP address/subnet/domain name.
How to see nat rules:
By default the filter table is used. To see NAT rules, enter:
# iptables -t nat -L
Other table options:
# iptables -t filter -L
# iptables -t raw -L
# iptables -t security -L
# iptables -t mangle -L
# iptables -t nat -L
How to see nat rules with line numbers:
Pass the --line-numbers option:
# iptables -t nat -L --line-numbers -n
Sample outputs:
Chain PREROUTING (policy ACCEPT 28M packets, 1661M bytes) num pkts bytes target prot opt in out source destination 1 0 0 DNAT tcp -- eth0 * 10.10.29.68 0.0.0.0/0 tcp dpt:3306 to:10.0.3.19:3306 2 0 0 DNAT tcp -- eth0 * 10.10.29.68 0.0.0.0/0 tcp dpt:11211 to:10.0.3.20:11211 3 0 0 DNAT udp -- eth0 * 10.10.29.68 0.0.0.0/0 udp dpt:11211 to:10.0.3.20:11211 Chain INPUT (policy ACCEPT 18M packets, 1030M bytes) num pkts bytes target prot opt in out source destination Chain OUTPUT (policy ACCEPT 23M packets, 1408M bytes) num pkts bytes target prot opt in out source destination Chain POSTROUTING (policy ACCEPT 33M packets, 1979M bytes) num pkts bytes target prot opt in out source destination 1 38927 2336K MASQUERADE all -- * * 10.0.3.0/24 !10.0.3.0/24 2 0 0 MASQUERADE all -- * * 10.0.3.0/24 !10.0.3.0/24 |
How to see nat rules with counters (bytes and packets)
Pass the -v option to iptables command to view all iptables rules on Linux:
# iptables -t nat -L -n -v
Sample outputs:
Say hello to ip6tables
ip6tables is administration tool for IPv6 packet filtering and NAT. To see IPv6 tables, enter:
# ip6tables -L -n -v
Chain INPUT (policy DROP 239 packets, 16202 bytes)
pkts bytes target prot opt in out source destination
136K 30M ufw6-before-logging-input all * * ::/0 ::/0
136K 30M ufw6-before-input all * * ::/0 ::/0
241 16360 ufw6-after-input all * * ::/0 ::/0
239 16202 ufw6-after-logging-input all * * ::/0 ::/0
239 16202 ufw6-reject-input all * * ::/0 ::/0
239 16202 ufw6-track-input all * * ::/0 ::/0
Chain FORWARD (policy DROP 483 packets, 32628 bytes)
pkts bytes target prot opt in out source destination
483 32628 ufw6-before-logging-forward all * * ::/0 ::/0
483 32628 ufw6-before-forward all * * ::/0 ::/0
483 32628 ufw6-after-forward all * * ::/0 ::/0
483 32628 ufw6-after-logging-forward all * * ::/0 ::/0
483 32628 ufw6-reject-forward all * * ::/0 ::/0
483 32628 ufw6-track-forward all * * ::/0 ::/0
Chain OUTPUT (policy ACCEPT 122 packets, 8555 bytes)
pkts bytes target prot opt in out source destination
136K 30M ufw6-before-logging-output all * * ::/0 ::/0
136K 30M ufw6-before-output all * * ::/0 ::/0
183 14107 ufw6-after-output all * * ::/0 ::/0
183 14107 ufw6-after-logging-output all * * ::/0 ::/0
183 14107 ufw6-reject-output all * * ::/0 ::/0
183 14107 ufw6-track-output all * * ::/0 ::/0
Chain ufw6-after-forward (1 references)
pkts bytes target prot opt in out source destination
...
....
..
pkts bytes target prot opt in out source destination
19 1520 ACCEPT tcp * * ::/0 ::/0 ctstate NEW
42 4032 ACCEPT udp * * ::/0 ::/0 ctstate NEW
Chain ufw6-user-forward (1 references)
pkts bytes target prot opt in out source destination
Chain ufw6-user-input (1 references)
pkts bytes target prot opt in out source destination
Chain ufw6-user-limit (0 references)
pkts bytes target prot opt in out source destination
0 0 LOG all * * ::/0 ::/0 limit: avg 3/min burst 5 LOG flags 0
level 4 prefix "[UFW LIMIT BLOCK] "
0 0 REJECT all * * ::/0 ::/0 reject-with icmp6-port-unreachable
Chain ufw6-user-limit-accept (0 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all * * ::/0 ::/0
Chain ufw6-user-logging-forward (0 references)
pkts bytes target prot opt in out source destination
Chain ufw6-user-logging-input (0 references)
pkts bytes target prot opt in out source destination
Chain ufw6-user-logging-output (0 references)
pkts bytes target prot opt in out source destination
Chain ufw6-user-output (1 references)
pkts bytes target prot opt in out source destination
To see nat rules and line-numbers, enter:
# ip6tables -L -n -v -t nat --line-numbers
1 comment
Thanks you it saved me tons of time.