Linux: Iptables List and Show All NAT IPTables Rules Command

Last updated August 17, 2017

I am using the /sbin/iptables -L -v -n | more command. However, I am unable to list NAT rules. How do I use the iptables command to view or list NAT rules stored in NAT tables? How do I see all the rules in NAT tables on CentOS / RHEL / Debian / Ubuntu Linux based servers?

The /sbin/iptables command is used for IPv4 packet filtering and NAT. Network address translation (NAT) modifies IP address information in IP packet headers while in transit across a routing device. To see NAT rules, type any one of the following commands.

Show/Display Iptables NAT rules

Syntax

The syntax of the iptables command is as follows:

iptables -t nat -L
iptables -t nat -L -n -v | grep 'something'
iptables -t nat -L -n -v

Sample outputs:

Chain PREROUTING (policy ACCEPT 867 packets, 146K bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 DROP       all  --  vlan2  *       0.0.0.0/0            192.168.1.0/24      
 
Chain POSTROUTING (policy ACCEPT 99 packets, 6875 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 MASQUERADE  all  --  *      vlan2   0.0.0.0/0            0.0.0.0/0           
 
Chain OUTPUT (policy ACCEPT 99 packets, 6875 bytes)
 pkts bytes target     prot opt in     out     source               destination         
 
Chain WANPREROUTING (0 references)
 pkts bytes target     prot opt in     out     source               destination         

Here is another command:
$ sudo iptables -t nat -L -n -v
Sample outputs:

Chain PREROUTING (policy ACCEPT 294K packets, 17M bytes)
 pkts bytes target     prot opt in     out     source               destination         
 165K 9879K DNAT       tcp  --  *      *       0.0.0.0/0            192.168.203.146      tcp dpt:443 to:10.105.28.42:443
 166K 9982K DNAT       tcp  --  *      *       0.0.0.0/0            192.168.203.146      tcp dpt:80 to:10.105.28.42:80
    0     0 DNAT       tcp  --  *      *       0.0.0.0/0            192.168.203.146      tcp dpt:443 to:10.105.28.42:443
    0     0 DNAT       tcp  --  *      *       0.0.0.0/0            192.168.203.146      tcp dpt:80 to:10.105.28.42:80
22034 1322K DNAT       tcp  --  *      *       0.0.0.0/0            192.168.203.146      tcp dpt:444 to:10.105.28.45:444
22073 1324K DNAT       tcp  --  *      *       0.0.0.0/0            192.168.203.146      tcp dpt:81 to:10.105.28.45:81
31328 1880K DNAT       tcp  --  *      *       0.0.0.0/0            192.168.203.146      tcp dpt:445 to:10.105.28.44:445
19424 1165K DNAT       tcp  --  *      *       0.0.0.0/0            192.168.203.146      tcp dpt:82 to:10.105.28.44:82
 
Chain INPUT (policy ACCEPT 199K packets, 12M bytes)
 pkts bytes target     prot opt in     out     source               destination         
 
Chain OUTPUT (policy ACCEPT 387 packets, 24906 bytes)
 pkts bytes target     prot opt in     out     source               destination         
 
Chain POSTROUTING (policy ACCEPT 252K packets, 15M bytes)
 pkts bytes target     prot opt in     out     source               destination         
93223 5593K MASQUERADE  all  --  *      *       10.105.28.0/24      !10.105.28.0/24       /* generated for LXD network lxdbr0 */

Say hello netstat-nat

The netstat-nat command displays the NATed connections on a Linux iptables firewall:
# netstat-nat -n
To display SNAT connections, run:
# netstat-nat -S
To display DNAT connections, type:
# netstat-nat -D

Posted by: Vivek Gite


2 comments

  1. Anon is wrong. netstat-nat is a standalone package entirely different than the netstat command.

    On CentOS/RHEL
    # yum install netstat-nat

    On Debian/*buntu
    # nobody actually runs Debian/*buntu so who cares?
