iptables - listing rules (-L --list --list-rules)

The iptables command with the -L or --list option can be used to display the rules. In this example, there are no rules.

  • INPUT = Packets addressed to the host
  • OUTPUT = Packets created by the host
  • FORWARD = Packets neither addressed to the host nor created by the host. FORWARD is used to forward or route a packet to its destination
iptables -L
. . .
Chain INPUT (policy ACCEPT)
target  prot  opt  source  destination

Chain FORWARD (policy ACCEPT)
target  prot  opt  source  destination

Chain OUTPUT (policy ACCEPT)
target  prot  opt  source  destination

 

In this example, there is one rule. The -v (verbose) option is used to identify that this rule is for the lo (loopback) interface.

iptables -L -v
. . .
Chain INPUT (policy ACCEPT)
pkts bytes target  prot  opt  in out source   destination
0    0     ACCEPT  all   --   lo any anywhere anywhere

Chain FORWARD (policy ACCEPT)
pkts bytes target  prot  opt  in out source   destination

Chain OUTPUT (policy ACCEPT)
pkts bytes target  prot  opt  in out source   destination

 

Sometimes the output of -S or --list-rules is preferred, since it prints each chain policy and rule in the same syntax that would be used to create it.

~]$ iptables --list-rules
-A INPUT -d 172.17.0.2/32 ! -i eth0 -p tcp -m tcp --dport 80 -j ACCEPT
-P FORWARD DROP
-P OUTPUT ACCEPT
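Because --list-rules output is one rule per line in command syntax, it is easy to audit with standard tools. The following added example (not from the original article) parses a constructed sample of that output to report each built-in chain's default policy and rule count, and to flag chains still left at the permissive ACCEPT policy; on a live host you would pipe the real `iptables -S` output into the same functions.

```shell
#!/bin/sh
# Added example, not part of the original article.
# SAMPLE_RULES is constructed to mirror the article's --list-rules output.
SAMPLE_RULES='-P INPUT ACCEPT
-P FORWARD DROP
-P OUTPUT ACCEPT
-A INPUT -d 172.17.0.2/32 ! -i eth0 -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -i lo -j ACCEPT'

# chain_policy CHAIN : reads -S output on stdin, prints the -P policy of CHAIN
chain_policy() {
    awk -v chain="$1" '$1 == "-P" && $2 == chain { print $3 }'
}

# rule_count CHAIN : reads -S output on stdin, prints the number of -A rules in CHAIN
rule_count() {
    awk -v chain="$1" 'BEGIN { n = 0 } $1 == "-A" && $2 == chain { n++ } END { print n }'
}

# permissive_chains : reads -S output on stdin, prints chains whose policy is ACCEPT
# (the default policy, as in the article's first example where all chains are ACCEPT)
permissive_chains() {
    awk '$1 == "-P" && $3 == "ACCEPT" { print $2 }'
}

# summarize RULES : one line per built-in chain with its policy and rule count
summarize() {
    rules="$1"
    for chain in INPUT FORWARD OUTPUT; do
        pol=$(printf '%s\n' "$rules" | chain_policy "$chain")
        cnt=$(printf '%s\n' "$rules" | rule_count "$chain")
        printf '%-8s policy=%-6s rules=%s\n' "$chain" "$pol" "$cnt"
    done
}

summarize "$SAMPLE_RULES"
printf 'Chains with ACCEPT policy: %s\n' "$(printf '%s\n' "$SAMPLE_RULES" | permissive_chains | tr '\n' ' ')"
```

Replace `"$SAMPLE_RULES"` with `"$(iptables -S)"` (as root) to audit the running ruleset.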

 

You can specify a specific chain. In this example, only the rules in the INPUT chain will be displayed.

~]# iptables -L INPUT -v
Chain INPUT (policy ACCEPT 110 packets, 9880 bytes)
 pkts bytes target     prot opt in     out     source               destination
   40  2292 ACCEPT     all  --  lo     any     anywhere             anywhere

 

By default, iptables resolves port numbers to the service names listed in /etc/services. For example, if a rule has been added to allow connections on HTTP port 80, iptables lists dpt:http, not dpt:80.

~]# iptables --list
Chain INPUT (policy ACCEPT 110 packets, 9880 bytes)
 target     prot opt     source              destination
ACCEPT     tcp  --      anywhere             172.17.0.3  tcp dpt:http

 

The -n or --numeric option disables name lookups for both addresses and ports, so the port number is listed instead of the service name. Likewise, notice the source now lists 0.0.0.0/0 instead of "anywhere".

~]# iptables --list --numeric
Chain INPUT (policy ACCEPT 110 packets, 9880 bytes)
 target     prot opt     source              destination
ACCEPT     tcp  --       0.0.0.0/0           172.17.0.3  tcp dpt:80

 




Web design by yours truly - me, myself, and I   |   jeremy.canfield@freekb.net   |