How to list iptables rules
Command-line utility iptables allows users to configure and view information about their Linux firewall. One of its key functions, however, is its ability to list the rules that have already been created and are active. In this quick guide, we're going to show you several ways to do just that.
Listing all iptables rules
Listing all iptables rules is quite simple. Just run:
iptables --list
This will output a simple table such as:
Chain ufw-skip-to-policy-forward (0 references)
target prot opt source destination
DROP all -- anywhere anywhere
Chain ufw-skip-to-policy-input (7 references)
target prot opt source destination
DROP all -- anywhere anywhere
Chain ufw-skip-to-policy-output (0 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere
Listing iptables rules by specification
More useful perhaps is listing the rules by their function or specification. For this, you can use the -S
flag:
iptables -S
Your list will be presented in this format instead:
-N ufw-skip-to-policy-forward
-N ufw-skip-to-policy-input
-N ufw-skip-to-policy-output
You can filter to only the types of rule you want to display by writing the chain name after your -S
flag. For example:
iptables -S INPUT
Now you'll see only your input rules:
-P INPUT DROP
-A INPUT -p tcp -m multiport --dports 22 -j f2b-sshd
-A INPUT -j ufw-before-logging-input
-A INPUT -j ufw-before-input
-A INPUT -j ufw-after-input
-A INPUT -j ufw-after-logging-input
-A INPUT -j ufw-reject-input
-A INPUT -j ufw-track-input
Listing chains as tables
If you'd prefer to see your chains in the tabular format, you can do so using the -L
option. For example, iptables -L OUTPUT
might return the following:
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
ufw-before-logging-output all -- anywhere anywhere
ufw-before-output all -- anywhere anywhere
ufw-after-output all -- anywhere anywhere
ufw-after-logging-output all -- anywhere anywhere
ufw-reject-output all -- anywhere anywhere
ufw-track-output all -- anywhere anywhere
Showing packet counts in iptables
That about covers the basics of viewing iptables. The only thing we'd like to add is that adding -v
to your command will allow you to see the number of packets and aggregate size of packets that are matched to each rule. This can be very handy indeed if you're trying to work out which rules are working as intended. Here's another example:
iptables -L INPUT -v
Chain INPUT (policy DROP 36 packets, 1847 bytes)
pkts bytes target prot opt in out source destination
259 20898 f2b-sshd tcp -- any any anywhere anywhere multiport dports ssh
10639 178M ufw-before-logging-input all -- any any anywhere anywhere
10639 178M ufw-before-input all -- any any anywhere anywhere
162 7774 ufw-after-input all -- any any anywhere anywhere
148 7086 ufw-after-logging-input all -- any any anywhere anywhere
148 7086 ufw-reject-input all -- any any anywhere anywhere
148 7086 ufw-track-input all -- any any anywhere anywhere
root@digitalocean-wordpress-lon1-s-1vcpu-1gb:~#