
The iptables command with the -L or --list option can be used to display the rules. The output is grouped by chain:
- INPUT = Packets addressed to the host
- OUTPUT = Packets created by the host
- FORWARD = Packets neither addressed to the host nor created by the host. The FORWARD chain is used to forward (route) a packet to its destination
In this example, there are no rules.
iptables -L
. . .
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
In this example, there is one rule. The -v (verbose) option adds the in and out interface columns, which show that this rule applies to the lo (loopback) interface.
iptables -L -v
. . .
Chain INPUT (policy ACCEPT)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- lo any anywhere anywhere
Chain FORWARD (policy ACCEPT)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT)
pkts bytes target prot opt in out source destination
Sometimes the output of -S or --list-rules is preferred, because it prints each rule and chain policy as the iptables options that define it.
~]$ iptables --list-rules
-A INPUT -d 172.17.0.2/32 ! -i eth0 -p tcp -m tcp --dport 80 -j ACCEPT
-P FORWARD DROP
-P OUTPUT ACCEPT
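Because the --list-rules format is one rule or policy per line, it is easy to audit with a script. The following is an added example, not part of the original article: it reads `iptables -S` output on stdin, reports each chain's default policy and rule count, and lists the chains whose policy is ACCEPT. The function names and the sample rule set are constructed for illustration.

```shell
#!/bin/sh
# Added example: summarise `iptables -S` (--list-rules) output read from stdin.

# One line per chain: "<chain> policy=<policy> rules=<count>".
# User-defined chains (-N) have no policy and are shown with "-".
summarize_rules() {
    awk '
        $1 == "-P" { policy[$2] = $3 }
        $1 == "-N" { if (!($2 in policy)) policy[$2] = "-" }
        $1 == "-A" { count[$2]++; if (!($2 in policy)) policy[$2] = "-" }
        END {
            for (c in policy)
                printf "%s policy=%s rules=%d\n", c, policy[c], count[c]
        }
    ' | sort
}

# Space-separated list of chains whose default policy is ACCEPT, i.e. chains
# where a packet that matches no rule is still allowed through.
accept_policy_chains() {
    awk '$1 == "-P" && $3 == "ACCEPT" { print $2 }' | sort | paste -sd ' ' -
}

# Constructed sample in `iptables -S` format (not captured from a real host).
SAMPLE_RULES='-P INPUT ACCEPT
-P FORWARD DROP
-P OUTPUT ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -d 172.17.0.2/32 ! -i eth0 -p tcp -m tcp --dport 80 -j ACCEPT'

# On a live host, run as root:  iptables -S | summarize_rules
printf '%s\n' "$SAMPLE_RULES" | summarize_rules
printf 'Chains with default ACCEPT: %s\n' \
    "$(printf '%s\n' "$SAMPLE_RULES" | accept_policy_chains)"
```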
You can limit the listing to a single chain. In this example, only the rules in the INPUT chain will be displayed.
~]# iptables -L INPUT -v
Chain INPUT (policy ACCEPT 110 packets, 9880 bytes)
pkts bytes target prot opt in out source destination
40 2292 ACCEPT all -- lo any anywhere anywhere
By default, iptables will display service names, not port numbers. For example, let's say a rule has been added to allow connections on HTTP port 80. iptables will list http, not port 80.
~]# iptables --list
Chain INPUT (policy ACCEPT 110 packets, 9880 bytes)
target prot opt source destination
ACCEPT all -- anywhere 172.17.0.3 tcp dpt:http
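The -n or --numeric option can be used to disable name resolution (DNS lookups and service names), so that port numbers and IP addresses are listed instead of names. Notice that the destination port is now shown as 80 rather than http, and that the source now lists 0.0.0.0/0 instead of "anywhere".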
~]# iptables --list --numeric
Chain INPUT (policy ACCEPT 110 packets, 9880 bytes)
target prot opt source destination
ACCEPT all -- 0.0.0.0/0 172.17.0.3 tcp dpt:80