How to list iptables rules

The iptables command-line utility lets users configure and inspect the Linux firewall. One of its key functions is listing the rules that have already been created and are active. In this quick guide, we show you several ways to do just that.

Listing all iptables rules

Listing all iptables rules is quite simple. Just run:

iptables --list

This will output a simple table such as:

Chain ufw-skip-to-policy-forward (0 references)
target     prot opt source               destination
DROP       all  --  anywhere             anywhere

Chain ufw-skip-to-policy-input (7 references)
target     prot opt source               destination
DROP       all  --  anywhere             anywhere

Chain ufw-skip-to-policy-output (0 references)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere

Listing iptables rules by specification

More useful perhaps is listing the rules by their function or specification. For this, you can use the -S flag:

iptables -S

Your list will be presented in this format instead:

-N ufw-skip-to-policy-forward
-N ufw-skip-to-policy-input
-N ufw-skip-to-policy-output

You can limit the output to a single chain by writing the chain name after the -S flag. For example:

iptables -S INPUT

Now you'll see only your input rules:

-P INPUT DROP
-A INPUT -p tcp -m multiport --dports 22 -j f2b-sshd
-A INPUT -j ufw-before-logging-input
-A INPUT -j ufw-before-input
-A INPUT -j ufw-after-input
-A INPUT -j ufw-after-logging-input
-A INPUT -j ufw-reject-input
-A INPUT -j ufw-track-input

Listing chains as tables

If you'd prefer to see a single chain in the tabular format, you can do so using the -L option (the short form of --list used above) followed by the chain name. For example, iptables -L OUTPUT might return the following:

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
ufw-before-logging-output  all  --  anywhere             anywhere
ufw-before-output  all  --  anywhere             anywhere
ufw-after-output  all  --  anywhere             anywhere
ufw-after-logging-output  all  --  anywhere             anywhere
ufw-reject-output  all  --  anywhere             anywhere
ufw-track-output  all  --  anywhere             anywhere

Showing packet counts in iptables

That about covers the basics of viewing iptables rules. One more option worth knowing: adding -v to the command shows the number of packets, and their total size in bytes, matched by each rule. This is very handy when you're trying to work out whether your rules are working as intended. Here's another example:

iptables -L INPUT -v
Chain INPUT (policy DROP 36 packets, 1847 bytes)
 pkts bytes target     prot opt in     out     source               destination
  259 20898 f2b-sshd   tcp  --  any    any     anywhere             anywhere             multiport dports ssh
10639  178M ufw-before-logging-input  all  --  any    any     anywhere             anywhere
10639  178M ufw-before-input  all  --  any    any     anywhere             anywhere
  162  7774 ufw-after-input  all  --  any    any     anywhere             anywhere
  148  7086 ufw-after-logging-input  all  --  any    any     anywhere             anywhere
  148  7086 ufw-reject-input  all  --  any    any     anywhere             anywhere
  148  7086 ufw-track-input  all  --  any    any     anywhere             anywhere
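As an added example (not part of the original article), a few POSIX shell/awk helpers that audit the two listing formats shown above: the -S form is parsed to flag built-in chains with an ACCEPT default policy, count rules per chain and find INPUT rules that accept a port from any source, and the -v counter form is parsed to find rules that have never matched. The helper names are hypothetical and both inputs are constructed samples.

```shell
#!/bin/sh
# Hypothetical audit helpers over the two listing formats; inputs below are
# constructed samples, not captured from a real host.

# Constructed `iptables -S` output
SAMPLE_RULES='-P INPUT DROP
-P FORWARD DROP
-P OUTPUT ACCEPT
-N f2b-sshd
-A INPUT -p tcp -m multiport --dports 22 -j f2b-sshd
-A INPUT -j ufw-before-input
-A INPUT -j ufw-track-input
-A INPUT -p tcp --dport 3306 -j ACCEPT
-A OUTPUT -j ufw-before-output'

# Constructed `iptables -L INPUT -v -n -x` output (-n: no DNS lookups,
# -x: exact byte counts instead of the 178M-style suffixes shown above)
SAMPLE_COUNTS='Chain INPUT (policy DROP 36 packets, 1847 bytes)
    pkts      bytes target     prot opt in     out     source               destination
     259      20898 f2b-sshd   tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            multiport dports 22
       0          0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:8080
   10639  186646528 ufw-before-input  all  --  *      *       0.0.0.0/0            0.0.0.0/0'

# Built-in chains whose default policy is ACCEPT: traffic not explicitly
# dropped by a rule gets through. Prints one chain name per line.
accept_policies() {
    printf '%s\n' "$1" | awk '$1 == "-P" && $3 == "ACCEPT" { print $2 }'
}

# Number of -A rules per chain, as "CHAIN count" sorted by chain name
rules_per_chain() {
    printf '%s\n' "$1" | awk '$1 == "-A" { n[$2]++ } END { for (c in n) print c, n[c] }' | sort
}

# INPUT rules that ACCEPT a single port (--dport) with no -s source restriction
open_ports_from_anywhere() {
    printf '%s\n' "$1" | awk '$1 == "-A" && $2 == "INPUT" && / -j ACCEPT$/ && !/ -s / {
        for (i = 1; i <= NF; i++) if ($i == "--dport") print $(i + 1) }'
}

# Rules in a -v listing whose packet counter is still zero: candidates for
# rules that never match, or are shadowed by an earlier rule. Prints the rule
# position (what -L --line-numbers would show) and the target.
unmatched_rules() {
    printf '%s\n' "$1" | awk 'NR > 2 && $1 == 0 { print NR - 2, $3 }'
}
```

On a live host, pass the real listing instead of the samples, for example accept_policies "$(iptables -S)" or unmatched_rules "$(iptables -L INPUT -v -n -x)", run as root.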