How to list all iptables rules with line numbers on Linux

Author: Last updated: October 5, 2020 3 comments
I recently added NAT rules on my RHEL 6.x system. How do I see the rules including line numbers that I just added in Linux?

Yes, you can easily list all iptables rules using the following commands on Linux:
1) iptables command – IPv4 netfilter admin tool to display iptables firewall rules.
2) ip6tables command – IPv6 netfilter admin tool to show rules.

ADVERTISEMENTS

How to list all iptables rules on Linux

The procedure to list all rules on Linux is as follows:

  1. Open the terminal app or login using ssh:
    ssh user@server-name
  2. To list all IPv4 rules :
    sudo iptables -S
  3. To list all IPv6 rules :
    sudo ip6tables -S
  4. To list all tables rules :
    sudo iptables -L -v -n | more
  5. To list all rules for INPUT tables :
    sudo iptables -L INPUT -v -n
    sudo iptables -S INPUT

Let us see all syntax and usage in details to show and list all iptables rules on Linux operating systems.

Viewing all iptables rules in Linux

The syntax is:

iptables -S
iptables --list
iptables -L
iptables -S TABLE_NAME
iptables --table NameHere --list
iptables -t NameHere -L -n -v --line-numbers

Print all rules in the selected chain

sudo iptables -S
sudo iptables -S INPUT
iptables -S OUTPUT
How to list all iptables rules in Linux

How to list rules for given tables

Type the following command as root user:
# iptables -L INPUT
# iptables -L FORWARD
# iptables -L OUTPUT
# iptables -L
Sample outputs:

target     prot opt source               destination         
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:domain
ACCEPT     udp  --  anywhere             anywhere             udp dpt:domain
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:bootps
ACCEPT     udp  --  anywhere             anywhere             udp dpt:bootps
ufw-before-logging-input  all  --  anywhere             anywhere            
ufw-before-input  all  --  anywhere             anywhere            
ufw-after-input  all  --  anywhere             anywhere            
ufw-after-logging-input  all  --  anywhere             anywhere            
ufw-reject-input  all  --  anywhere             anywhere            
ufw-track-input  all  --  anywhere             anywhere            
 
Chain FORWARD (policy DROP)
target     prot opt source               destination         
ACCEPT     all  --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere            
ufw-before-logging-forward  all  --  anywhere             anywhere            
ufw-before-forward  all  --  anywhere             anywhere            
ufw-after-forward  all  --  anywhere             anywhere            
ufw-after-logging-forward  all  --  anywhere             anywhere            
ufw-reject-forward  all  --  anywhere             anywhere            
ufw-track-forward  all  --  anywhere             anywhere            
 
Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         
ufw-before-logging-output  all  --  anywhere             anywhere            
ufw-before-output  all  --  anywhere             anywhere            
ufw-after-output  all  --  anywhere             anywhere            
ufw-after-logging-output  all  --  anywhere             anywhere            
ufw-reject-output  all  --  anywhere             anywhere            
ufw-track-output  all  --  anywhere             anywhere            
.....
..
..
Chain ufw-user-limit (0 references)
target     prot opt source               destination         
LOG        all  --  anywhere             anywhere             limit: avg 3/min burst 5 LOG level warning prefix "[UFW LIMIT BLOCK] "
REJECT     all  --  anywhere             anywhere             reject-with icmp-port-unreachable
 
Chain ufw-user-limit-accept (0 references)
target     prot opt source               destination         
ACCEPT     all  --  anywhere             anywhere            
 
Chain ufw-user-logging-forward (0 references)
target     prot opt source               destination         
 
Chain ufw-user-logging-input (0 references)
target     prot opt source               destination         
 
Chain ufw-user-logging-output (0 references)
target     prot opt source               destination         
 
Chain ufw-user-output (1 references)
target     prot opt source               destination


Let us try to understand rules:

  • target – Tell what to down when a packet matches the rule.
  • prot – The protocol for rule.
  • opt – Additional options for rule.
  • source – The source IP address/subnet/domain name.
  • destination – The destination IP address/subnet/domain name.

How to see nat rules:

By default the filter table is used. To see NAT rules, enter:
# iptables -t nat -L
Other table options:
# iptables -t filter -L
# iptables -t raw -L
# iptables -t security -L
# iptables -t mangle -L
# iptables -t nat -L

How to see nat rules with line numbers:

Pass the --line-numbers option:
# iptables -t nat -L --line-numbers -n
Sample outputs:

Chain PREROUTING (policy ACCEPT 28M packets, 1661M bytes)
num   pkts bytes target     prot opt in     out     source               destination         
1        0     0 DNAT       tcp  --  eth0   *       10.10.29.68          0.0.0.0/0            tcp dpt:3306 to:10.0.3.19:3306
2        0     0 DNAT       tcp  --  eth0   *       10.10.29.68          0.0.0.0/0            tcp dpt:11211 to:10.0.3.20:11211
3        0     0 DNAT       udp  --  eth0   *       10.10.29.68          0.0.0.0/0            udp dpt:11211 to:10.0.3.20:11211
 
Chain INPUT (policy ACCEPT 18M packets, 1030M bytes)
num   pkts bytes target     prot opt in     out     source               destination         
 
Chain OUTPUT (policy ACCEPT 23M packets, 1408M bytes)
num   pkts bytes target     prot opt in     out     source               destination         
 
Chain POSTROUTING (policy ACCEPT 33M packets, 1979M bytes)
num   pkts bytes target     prot opt in     out     source               destination         
1    38927 2336K MASQUERADE  all  --  *      *       10.0.3.0/24         !10.0.3.0/24         
2        0     0 MASQUERADE  all  --  *      *       10.0.3.0/24         !10.0.3.0/24

How to see nat rules with counters (bytes and packets)

Pass the -v option to iptables command to view all iptables rules on Linux:
# iptables -t nat -L -n -v
Sample outputs:

Fig.01: Linux viewing all iptables NAT, DNAT, MASQUERADE rules

Fig.01: Linux viewing all iptables NAT, DNAT, MASQUERADE rules

Say hello to ip6tables

ip6tables is administration tool for IPv6 packet filtering and NAT. To see IPv6 tables, enter:
# ip6tables -L -n -v

Chain INPUT (policy DROP 239 packets, 16202 bytes)
 pkts bytes target     prot opt in     out     source               destination         
 136K   30M ufw6-before-logging-input  all      *      *       ::/0                 ::/0                
 136K   30M ufw6-before-input  all      *      *       ::/0                 ::/0                
  241 16360 ufw6-after-input  all      *      *       ::/0                 ::/0                
  239 16202 ufw6-after-logging-input  all      *      *       ::/0                 ::/0                
  239 16202 ufw6-reject-input  all      *      *       ::/0                 ::/0                
  239 16202 ufw6-track-input  all      *      *       ::/0                 ::/0                

Chain FORWARD (policy DROP 483 packets, 32628 bytes)
 pkts bytes target     prot opt in     out     source               destination         
  483 32628 ufw6-before-logging-forward  all      *      *       ::/0                 ::/0                
  483 32628 ufw6-before-forward  all      *      *       ::/0                 ::/0                
  483 32628 ufw6-after-forward  all      *      *       ::/0                 ::/0                
  483 32628 ufw6-after-logging-forward  all      *      *       ::/0                 ::/0                
  483 32628 ufw6-reject-forward  all      *      *       ::/0                 ::/0                
  483 32628 ufw6-track-forward  all      *      *       ::/0                 ::/0                

Chain OUTPUT (policy ACCEPT 122 packets, 8555 bytes)
 pkts bytes target     prot opt in     out     source               destination         
 136K   30M ufw6-before-logging-output  all      *      *       ::/0                 ::/0                
 136K   30M ufw6-before-output  all      *      *       ::/0                 ::/0                
  183 14107 ufw6-after-output  all      *      *       ::/0                 ::/0                
  183 14107 ufw6-after-logging-output  all      *      *       ::/0                 ::/0                
  183 14107 ufw6-reject-output  all      *      *       ::/0                 ::/0                
  183 14107 ufw6-track-output  all      *      *       ::/0                 ::/0                

Chain ufw6-after-forward (1 references)
 pkts bytes target     prot opt in     out     source               destination         

...
....
..
 pkts bytes target     prot opt in     out     source               destination         
   19  1520 ACCEPT     tcp      *      *       ::/0                 ::/0                 ctstate NEW
   42  4032 ACCEPT     udp      *      *       ::/0                 ::/0                 ctstate NEW

Chain ufw6-user-forward (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain ufw6-user-input (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain ufw6-user-limit (0 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 LOG        all      *      *       ::/0                 ::/0                 limit: avg 3/min burst 5 LOG flags 0 
level 4 prefix "[UFW LIMIT BLOCK] "
    0     0 REJECT     all      *      *       ::/0                 ::/0                 reject-with icmp6-port-unreachable

Chain ufw6-user-limit-accept (0 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 ACCEPT     all      *      *       ::/0                 ::/0                

Chain ufw6-user-logging-forward (0 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain ufw6-user-logging-input (0 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain ufw6-user-logging-output (0 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain ufw6-user-output (1 references)
 pkts bytes target     prot opt in     out     source               destination


To see nat rules and line-numbers, enter:
# ip6tables -L -n -v -t nat --line-numbers

Conclusion

You learned how to display, filter and list all iptables rules on Linux system using the CLI. See iptables man pages by typing the following man command:
$ man iptables
$ man ip6tables

🐧 Get the latest tutorials on SysAdmin, Linux/Unix, Open Source/DevOps topics:
UP NEXT
CategoryList of Unix and Linux commands
File Managementcat
FirewallAlpine Awall CentOS 8 OpenSUSE RHEL 8 Ubuntu 16.04 Ubuntu 18.04 Ubuntu 20.04
Network Utilitiesdig host ip nmap
OpenVPNCentOS 7 CentOS 8 Debian 10 Debian 8/9 Ubuntu 18.04 Ubuntu 20.04
Package Managerapk apt
Processes Managementbg chroot cron disown fg jobs killall kill pidof pstree pwdx time
Searchinggrep whereis which
User Informationgroups id lastcomm last lid/libuser-lid logname members users whoami who w
WireGuard VPNAlpine CentOS 8 Debian 10 Firewall Ubuntu 20.04

ADVERTISEMENTS
3 comments… add one
  • TJ Jan 22, 2018 @ 17:03

    Thanks you it saved me tons of time.

    Reply Link
  • Carlos Oct 5, 2020 @ 10:12

    I was looking to display the iptables rules in the table view as I needed to compare different rules against each other. It solved my problem
    iptables -L

    Gracias

    Reply Link
  • tedmar Oct 5, 2020 @ 22:08

    Yehh, thank you

    Reply Link

Leave a Reply

Your email address will not be published.

Use HTML <pre>...</pre>, <code>...</code> and <kbd>...</kbd> for code samples.

Next FAQ:

Previous FAQ: