Iptables is a critical part of network security for many Linux systems. While most iptables tutorials show how to write firewall rules to lock down your Linux box, this article will focus on a different aspect of firewall administration: listing iptables rules. Say you just set up some NAT settings on your Linux server running Ubuntu. How do you view the rules you just wrote, complete with line numbers? This article assumes you are working with a Linux system with iptables capability loaded and that your user account has root access. So let‘s log into your Ubuntu 20.04 system today as we will be running all commands on its shell. To open the Linux terminal, you need to try out the Ctrl+Alt+T shortcut right after the successful login.
An Overview of Listing Iptables Rules
Before doing anything else, make sure your system is up to date and upgraded. If not, run the apt update
and apt upgrade
commands on the shell. First, let‘s look at how to generate a rules list. The active iptables rules can be viewed in two main ways: in a tabular form or as a list of rule specifications. Both methods provide the same content in slightly different formats.
So if you want to list down all the currently enabled iptables rules along with their functionality or specification, you can do so by running a simple iptables
command followed by the -S
flag. Be sure to use the sudo
keyword here. It will prompt you for your sudo password when run. Enter your password, hit enter, and get the list of iptables rules and their specifications as shown in the image below:
$ sudo iptables -S
You can use any of the commands listed in the image above as needed. The iptables output above shows many iptables rules for IPv4 to handle various things. You can also list rules for IPv6 using the ip6tables
command:
$ sudo ip6tables -S
The commands so far were about listing all rules in the system for IPv4 and IPv6. If you want to avoid that and only display some specific rules by name, you can do that too. You just have to specify the chain name after the -S
flag in the iptables command:
$ sudo ip6tables –S INPUT
There‘s a chance a specific chain has no rules defined on your system. When we tried to check for rules on the TCP chain, we found that iptables has no TCP chain at all:
$ sudo ip6tables –S TCP
If you want to display iptables rules for some chain in a tabular format, use the -L
flag in the iptables command. So we‘ll take an example to show all iptables rules for the FORWARD chain on the shell using the -L
option:
$ sudo ip6tables –L FORWARD
The iptables command also allows you to show the total number of packets matched to rules for a chain and their size in bytes. Use the -v
flag for this. If you want tabular output, try the -t
flag too.
We‘ll use the --line-numbers
option here to list line numbers and NAT rules. You‘ll see the output is more organized. Here‘s the command for the nat table:
$ sudo iptables –L –n –v –t nat --line-numbers
And that‘s the basics of listing iptables rules in Ubuntu 20.04 using the shell. We learned the simple iptables command to show rules as lists and tables. We looked at various options like -S, -L, -n, -v, -t for specific purposes. We also used --line-numbers
to display line numbers for the rules.
Listing Rules for Specific Chains
Now let‘s go a bit deeper into viewing iptables rules. As we saw earlier, you can view all rules or only those belonging to a particular chain. Specifying a chain is useful when dealing with a firewall with complex rulesets spanning various chains and tables.
To list all rules in the nat table‘s POSTROUTING chain:
$ sudo iptables -t nat -S POSTROUTING
You can also combine -S and -L for getting rule specs in table layout.
$ sudo iptables -t nat -L -S POSTROUTING
We can even view rules per chain for all tables like so:
$ for table in $(iptables -t -S | cut -d" " -f2 | sort -u); do echo; echo "*** Table $table"; iptables -t $table -nvL; done
This loops through tables, prints table names and shows all chains‘ rules in detailed verbose listing format.
Counting Rules
When you have many iptables rules, counting them quickly helps determine the ruleset size. Rather than viewing the full list, get a numerical count with:
$ sudo iptables -L | wc -l
The wc utility prints newline counts, great for totals. This gives a total across chains. For counts per chain:
$ for chain in $(iptables -S | cut -d‘ ‘ -f2 | sort -u); do echo -ne "$chain\t"; iptables -S $chain | wc -l; done
You can also combine variables for getting table-wide rule counts:
$ for table in $(iptables -t -S | cut -d" " -f2 | sort -u ); do echo -ne "$table\t"; iptables -t $table -S | wc -l; done
Saving Iptables Rules
Iptables rules are held in memory and lost after a reboot unless saved. To persist rules, save them to a file.
CentOS/RHEL/Fedora systems use /etc/sysconfig/iptables. Debian-based distros utilize /etc/iptables/rules.v4 for IPv4 and /etc/iptables/rules.v6 for IPv6 configs.
Dump active rules to the applicable file:
$ sudo sh -c "iptables-save > /etc/iptables/rules.v4" # for IPv4
$ sudo sh -c "ip6tables-save > /etc/iptables/rules.v6" # for IPv6
On restart, rules will reload from these files. You can also load rules manually from files without rebooting:
$ sudo iptables-restore < /etc/iptables/rules.v4
Additional Rule Listing Options
Beyond the common listing flags we covered already, iptables supports further options that provide extra details:
- -x: Expand numbers into network ranges rather than host counts
- -v: Verbose output, display rule descriptions
- –line-numbers: Show line numbers for each rule
- -c: Show byte and packet counters per rule
- -n: Show IP addresses and ports instead of hostnames
Using verbose listing with line numbers is helpful for locating specific rules from a system log or error:
$ sudo iptables -nvL --line-numbers
For showing memory usage by your ruleset:
$ sudo iptables -L -v --size
Get output in JSON format with:
$ sudo iptables -L -v --json
Temporary View Filtering
Rather than show all rules in a chain or table, you can filter iptables output to narrow your view. Assume only wanting to view rules dealing with a particular subnet, port or protocol for example.
First, list rules normally with an additional grep
filter:
$ sudo iptables -S | grep "192.168"
$ sudo iptables -S | grep "22"
$ sudo iptables -S | grep "tcp"
This filters for ip addresses, port 22 or TCP only. While useful for analyzing, such filtering is temporary. The live rules remain unchanged.
To truly isolate matching rules, use the -C
flag. This checks if a rule exists, only showing matched lines:
$ sudo iptables -C INPUT -s 192.168.5.0/24 -j ACCEPT
$ sudo iptables -C OUTPUT -p tcp --dport 22 -j ACCEPT
$ sudo iptables -C FORWARD -p tcp -j DROP
The main advantage over grep is that -C
verifies an actual rule. Grep only checks if a text string exists which might not represent a real rule component.
Inserting Rule Comments
When listing complex rulesets, comments help identify meaning and organize sections. Rather than deciphering intricate rules line by line, comments let you grasp sections easier.
To comment in iptables, use:
$ iptables -I INPUT 5 -s 192.168.0.0/24 -j ACCEPT -m comment --comment "Allow Local Subnet"
Inserted at line 5, this ACCEPT rule permits traffic from 192.168.0.0/24 with an explanatory comment.
View comments when listing rules:
$ iptables -L INPUT --line-numbers
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
num pkts bytes target prot opt in out source destination
1 0 0 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0 /* Allow local loopback */
2 0 0 DROP all -- * * 0.0.0.0/0 127.0.0.1 /* Anti spoofing protection */
3 0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED /* Allow established connections */
4 0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0
5 0 0 ACCEPT all -- * * 192.168.0.0/24 0.0.0.0/0 /* Allow Local Subnet */
Comments are visible at the end of matching rules. This self-documents your firewall rules right in the overview.
Viewing Iptables Logs
Beyond listing live rules, you can also report on firewall activity from logs. Logs record when rules match and action taken.
CentOS 7/8 systems log iptables messages via firewalld to /var/log/messages:
$ sudo grep firewall /var/log/messages
For Ubuntu/Debian check /var/log/syslog or ufw.log:
$ sudo grep iptables /var/log/syslog
$ sudo cat /var/log/ufw.log
When investigating connection issues or traffic blocked, the logs point to matching rules. Use them in conjunction with rule listings to identify and resolve problems.
Conclusion
Now you have a comprehensive overview of listing, analyzing and interpreting iptables firewall rules in Linux. We covered the core iptables command with various helpful options like -S, -L and -C for detailed visibility. You learned how to view specific chains, count rules globally or per table, add comments and check logs.
Whether you manage a Linux system with a simple or complex iptables ruleset, being able to properly list and understand the active configuration is critical. Use the filtering and formatting techniques covered here to tune your network security groups and troubleshoot issues caused by your firewall. Mastering iptables introspection helps tame Linux firewall administration.