Viewing all iptables rules

Question

Is there a way to view iptables rules in a bit more detail?

I recently added masquerade to a range of IPs:

iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
service iptables save
service iptables restart

Which has done what I want it to, but when I use:

iptables -L

I get the same output as I normally get:

Chain INPUT (policy ACCEPT)
target    prot opt source        destination

Chain FORWARD (policy ACCEPT)
target    prot opt source        destination

Chain OUTPUT (policy ACCEPT)
target    prot opt source        destination

How can I see the rules including the ones I add? (system is CentOS 6)

Anthony Geoghegan · Accepted Answer · 2018-06-17T19:45:31.303

When using the -L, --list option to list the current firewall rules, you also need to specify the appropriate Netfilter table (one of filter, nat, mangle, raw or security). So, if you’ve added a rule for the nat table, you should explicitly specify this table using the -t, --table option:

iptables --table nat --list

Or using the options short form:

iptables -t nat -L

If you don’t specify a specific table, the filter table is used as the default.

For faster results, it can be useful to also include the -n, --numeric option to print numeric IP addresses instead of hostnames, thus avoiding the need to wait for reverse DNS lookups.

You can get even more information by including the -v, --verbose option.

Gilles 'SO- stop being evil' · Answer 2 · 2015-11-14T16:46:16.733

iptables controls five different tables: filter, nat, mangle, raw and security. On a given call, iptables only displays or modifies one of these tables, specified by the argument to the option -t (defaulting to filter). To see the complete state of the firewall, you need to call iptables on each of the tables successively.

Additionally, to get an accurate representation of the rules, you need to pass the option -v. Otherwise some important criteria are omitted in the output, such as the interface in filter rules (e.g. a rule that says “accept everything” and a rule that says “accept everything on the loopback interface” can only be distinguished with -v).

Thus, to get a complete presentation of the netfilter rules, you need

iptables -vL -t filter
iptables -vL -t nat
iptables -vL -t mangle
iptables -vL -t raw
iptables -vL -t security

Alternatively, you can call the iptables-save program, which displays all the rules in all tables in a format that can be parsed by iptables-restore. This format is also reasonably readable by humans (it's pretty much like a series of calls to the iptables command to build the table).

filter, nat, mangle, raw, security... and mark looks like another one. Having a hard time finding a way to list all the tables, especially if some are system dependent. Someone asked the same thing a while ago with no real answer: https://comp.os.linux.networking.narkive.com/fDfacHDC/iptables-how-to-list-tables — tarabyte, Apr 22 '22 at 21:23

Cameron · Answer 3 · 2017-06-22T19:56:27.313

65

iptables -S does the trick for me. It seems to list all the active rules, even when the service is off.

From the man page:

-S, --list-rules [chain] Print all rules in the selected chain. If no chain is selected, all chains are printed like iptables-save. Like every other iptables command, it applies to the specified table (filter is the default).

edited Jun 22 '17 at 19:56

answered Apr 01 '16 at 03:32

Cameron

775

This is a really kwl answer, I've also noticed that /sbin/service iptables status gives a similar output – TheLovelySausage Apr 01 '16 at 10:08
6

+1. No 'seems' about it- from the man page: "-S, Print all rules in the selected chain. If no chain is selected, all chains are printed like iptables-save". This is the one I usually need. – Mike S May 11 '16 at 21:27
12

i did not find this to be the case. iptables -S does not show all my nat rules, which i can see when i run iptables -L -t nat – mulllhausen Apr 08 '17 at 01:34
2

@MikeS From the man page, BOTH commands operate only on the specified table, filter by default. "Like every other iptables command, it applies to the specified table (filter is the default)." The wording in the documentation is copied almost identically for -S and -L, they only differ in formatting of the output, not the rules printed. This is true at least on Ubuntu 16.04 which on my system is iptables v1.6.0. – Scott Jun 18 '17 at 03:15
3

Agree with @mulllhausen here. I needed "sudo iptables --table nat --list" to show my nat table rules. the "-S" flag by itself did not show them. – Robert Oschler Aug 18 '17 at 19:54

score 24 · Answer 4 · answered May 27 '15 at 13:35

24

What I do is to execute iptables-save > iptables_bckp, this would backup all the layers, then edit the file and restore the iptables iptables-restore < iptables_bckp

# iptables-save > iptables_bckp
# vim iptables_bckp
# iptables-restore < iptables_bckp

You can make a double backup so you modify one of them without losing your past iptables.

This is a personal practice, I'm not saying this is the best way but for me works great.

Give a try

answered May 27 '15 at 13:35

tachomi

7,592

1

This is the only realistic answer I have found so far that actually dumps all of the tables too. – Chris Harrington May 28 '17 at 00:50

score 5 · Answer 5 · answered Dec 14 '17 at 08:12

5

You can use:

# lsmod | grep ip_tables
ip_tables              13193  4 iptable_raw,iptable_mangle,iptable_nat,iptable_filter

To find all tables and show specific rule in table.

answered Dec 14 '17 at 08:12

Tur Le

81

2

A better way to find the table names is cat /proc/net/ip_tables_names and cat /proc/net/ip6_tables_names – Paul Tobias Feb 05 '20 at 10:43

score 4 · Answer 6 · edited Oct 11 '16 at 15:10

4

The iptables command also requires you to specify the table otherwise it defaults to filter table. So try:

iptables -t nat -L

edited Oct 11 '16 at 15:10

czerasz

197

answered May 27 '15 at 13:22

user425

49

score 2 · Answer 7 · edited Feb 05 '18 at 08:11

If it will really help you could write a bash script and put it in a folder that is reference by your path or reference it via an alias in the ~/.bashrc file.

AllRules.sh

#!/bin/bash

 echo "Filter table:"
 iptables -t filter -vL

 echo "Nat table:"
 iptables -t nat -vL

 echo "Mangle table:"
 iptables -t mangle -vL

 echo "Raw table:"
 iptables -t raw -vL

 echo "Security table:"
 iptables -t security -vL

 echo 
 echo "All rules in all tables printed"

Remember to give your new bash script execute permissions with chmod

If permission is an issue you may have to add sudo in front of all the iptables commands.

score 2 · Answer 8 · answered Dec 17 '18 at 13:33

2

iptables -vnxL
iptables -vnxL -tnat

possibly additionally, though these are very very rarely used:

iptables -vnxL -traw
iptables -vnxL -tmangle
iptables -vnxL -tsecuriy

answered Dec 17 '18 at 13:33

sjas

565

Viewing all iptables rules

8 Answers8

Linked