It's a good idea to list the rules you've defined, to double-check that they are installed and are in the order you expect. The -L command lists the actual rules for a given chain as they exist in the internal kernel table. Rules are listed in the order in which they are matched against a packet. The basic format of the iptables list command is as follows: iptables [-v -n] -L [chain] or iptables [-t <table>] [-v -n] -L [chain] The first format refers to the default filter table. If a specific chain isn't specified, the command lists all rules on the three built-in filter table chains, plus any user-defined chains. The second format is needed to list the rules on the nat or mangle tables. Adding the -v option is useful to see the interface to which the rule applies. Adding the -n option is useful if the firewall rules refer to remote or illegal addresses, to avoid the lengthy name-resolution time for those addresses. Remember that if a chain is specified, it must follow the -L command. Also note that -L is a command and -v and -n are options. They cannot be combined as in -Lvn. Unlike using iptables to define actual rules, using iptables to list existing rules can be done from the command line. The output goes to your terminal or can be redirected into a file. filter Table Listing FormatsThe basic format of the filter table list command to list all rules on all filter table chains is this: iptables -vn -L INPUT iptables -vn -L OUTPUT iptables -vn -L FORWARD or iptables -vn -L Notice that the preceding list commands show only the rules in the filter table chains. The next three sections use seven sample rules on the INPUT chain to illustrate the differences among the various listing format options available to you with the filter table and to explain what the output fields mean. Using the different listing format options, the same seven sample rules are listed with varying degrees of detail and readability. The listing format options and fields are the same for the INPUT, OUTPUT, and FORWARD chains. iptables -L INPUTHere is an abbreviated list of seven rules from an INPUT chain using the default listing options: > iptables -L INPUT 1 INPUT (policy DROP) 2 target prot opt source destination 3 ACCEPT all -- anywhere anywhere 4 LOG icmp -f anywhere anywhere \ LOG level warning prefix `Fragmented ICMP: ' 5 DROP tcp -- anywhere anywhere \ tcp flags:FIN,SYN,RST,PSH,ACK,URG/NONE 6 ACCEPT all -- anywhere anywhere \ state RELATED,ESTABLISHED 7 ACCEPT udp -- 192.168.1.0/25 my.host.domain \ udp spts:1024:65535 dpt:domain state NEW 8 REJECT tcp -- anywhere my.host.domain2 \ tcp dpt:auth reject-with icmp-port-unreachable 9 ACCEPT tcp -- 192.168.1.0/25 my.host.domain \ multiport dports http,https tcp spts:1024:65535 \ flags:SYN,RST,ACK/SYN state NEW
Line 1 identifies the listing as being for the INPUT chain. The INPUT chain's default policy is DROP. Line 2 contains these column headings:
Line 3 illustrates how the simple -L list command, without qualifying arguments, lacks some important detail. The rule appears to accept all incoming packetstcp, udp, and icmpfrom anywhere. The missing detail, in this case, is the interface, lo. This is the rule accepting all input on the loopback interface. Line 4 is a rule to log any (second and subsequent) fragmented ICMP packets. The default logging level for syslog is warn. The LOG rule has an associated --log-prefix string defined for it. Line 5 is a rule that drops TCP packets without any state flags set. Line 6 is a rule that accepts any incoming packet that is part of an ESTABLISHED connection, or a packet RELATED to such a connection (that is, an associated ICMP error or FTP data connection). Line 7 is a rule that accepts incoming UDP DNS requests from hosts in the local network, 192.168.1.0/25. Notice that the network is divided into two subnets, so the hosts could range from 192.168.1.1 to 192.168.1.126. Line 8 is a rule that rejects incoming TCP auth requests or queries to the local identd server. The ICMP Type 3 error message returned contains the default port-unreachable code. It isn't evident in the listing that the machine has two network interfaces. Requests are rejected from the "external" network, domain2. Line 9 accepts incoming TCP connection requests from the local LAN for standard HTTP web connections and HTTPS web connections. A destination port list was defined with the multiport match option. iptables -n -L INPUTThe -n option reports all fields as numeric values rather than symbolic names. This option can save time if your rules use a lot of specific IP addresses that otherwise would require DNS lookups before being listed. Additionally, a port range is more informative if it is listed as 23:79 rather than as telnet:finger. Using the same seven sample rules from the INPUT chain, the following shows what the listing output looks like using the -n numeric option: > iptables -n -L INPUT 1 INPUT (policy DROP) 2 target prot opt source destination 3 ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 4 LOG icmp -f 0.0.0.0/0 0.0.0.0/0 \ LOG flags 0 level 4 prefix `Fragmented ICMP: ' 5 DROP tcp -- 0.0.0.0/0 0.0.0.0/0 \ tcp flags:0x023F/0x020 6 ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 \ state RELATED,ESTABLISHED 7 ACCEPT udp -- 192.168.1.0/25 192.168.1.2 \ udp spts:1024:65535 dpt:53 state NEW 8 REJECT tcp -- 0.0.0.0/0 192.168.1.254 \ tcp dpt:113 reject-with icmp-port-unreachable 9 ACCEPT tcp -- 192.168.1.0/25 192.168.1.2 \ multiport dports 80,443 tcp spts:1024:65535 flags:0x0216/0x022 state NEW Line 1 identifies the listing as being for the INPUT chain. The INPUT chain's default policy is DROP. Line 2 contains these column headings:
Line 3 illustrates how the simple -L list command, without qualifying arguments, lacks some important detail. The rule appears to accept all incoming packetstcp, udp, and icmpfrom anywhere. The missing detail, in this case, is the interface, lo. This is the rule accepting all input on the loopback interface. Line 4 is a rule to log any (second and subsequent) fragmented ICMP packets. The default logging level for syslog is warn. The LOG rule has an associated --log-prefix string defined for it. The flags value0, in this caseis an internal value representing which of the logging options was specified, --log-ip-options, --log-tcp-options, or --log-tcp-sequence. Line 5 is a rule that drops TCP packets without any state flags set. The leading 2 in the mask and comparison fields appears to be a bug in the printing code. It appears that the intent was to define the field as two hexadecimal digits long, with a leading 0, but the length indication (2) was misplaced. So the actual mask value is 0x03F, and the actual comparison value is 0x000. Line 6 is a rule that accepts any incoming packet that is part of an ESTABLISHED connection, or a packet RELATED to such a connection (that is, an associated ICMP error or FTP data connection). Line 7 is a rule that accepts incoming UDP DNS requests from hosts in the local network, 192.168.1.0/25. Notice that the network is divided into two subnets, so the hosts could range from 192.168.1.1 to 192.168.1.126. Line 8 is a rule that rejects incoming TCP auth requests or queries to the local identd server. The ICMP Type 3 error message returned contains the default port-unreachable code. It isn't evident in the listing that the machine has two network interfaces. Requests are rejected from the "external" subnet. Those hosts' IP addresses can range from 129 to 254. Line 9 accepts incoming TCP connection requests from the local LAN for standard HTTP web connections and HTTPS web connections. A destination port list was defined with the multiport match option. SYN's bit value in the state field is 0x02. (Remember that the leading 2 in both flag fields is a typo in the code.) The 0x016 represents the FIN, SYN, RST, and ACK fields that are being inspected; out of these, only the SYN flag must be set. iptables -v -L INPUTThe -v option produces more verbose output, including the interface name. Reporting the interface name is especially helpful when the machine has more than one network interface. Using the same seven sample rules from the INPUT chain, the following shows what the listing output looks like using the -v verbose option: > iptables -v -L INPUT 1 INPUT (policy DROP 0 packets, 0 bytes) 2 pkts bytes target prot opt in out source \ destination 3 32 3416 ACCEPT all -- lo any anywhere \ anywhere 4 0 0 LOG icmp -f any any anywhere \ anywhere LOG level warning prefix `Fragmented ICMP: ' 5 0 0 DROP tcp -- any any anywhere \ anywhere tcp flags:FIN,SYN,RST,PSH,ACK,URG/NONE 6 94 6586 ACCEPT all -- any any anywhere \ anywhere state RELATED,ESTABLISHED 7 1 65 ACCEPT udp -- eth0 any 192.168.1.0/25 \ my.host.domain udp spts:1024:65535 dpt:domain state NEW 8 0 0 REJECT tcp -- eth1 any anywhere \ my.host.domain2 tcp dpt:auth reject-with icmp-port-unreachable 9 1 48 ACCEPT tcp -- eth0 any 192.168.1.0/25 \ my.host.domain multiport dports http,https tcp spts:1024:65535\ flags:SYN,RST,ACK/SYN state NEW Line 1 identifies the listing as being for the INPUT chain. The INPUT chain's default policy is DROP. 0 packets have been dropped by the default policy, accounting for 0 bytes of network traffic. Line 2 contains the following column headings:
Line 3 is more useful with the -v list option. The loopback interface is clearly being referred to. This is the rule accepting all input on the loopback interface. Line 4 is a rule to log any (second and subsequent) fragmented ICMP packets arriving on any network interface. The default logging level for syslog is warning. The LOG rule has an associated --log-prefix string defined for it. Line 5 is a rule that drops TCP packets arriving on any network interface that doesn't have any state flags set. Line 6 is a rule that accepts any incoming packet arriving on any network interface that is part of an ESTABLISHED connection or a packet RELATED to such a connection (such as an associated ICMP error or FTP data connection). Line 7 is a rule that accepts incoming UDP DNS requests from hosts in the local network, 192.168.1.0/25. Notice that the network is divided into two subnets, so the hosts could range from 192.168.1.1 to 192.168.1.126. Line 8 is a rule that rejects incoming TCP auth requests, or queries to the local identd server. The ICMP Type 3 error message returned contains the default port-unreachable code. It isn't evident in the listing that the machine has two network interfaces. Requests are rejected from the "external" network, domain2. Line 9 accepts incoming TCP connection requests from the local LAN for standard HTTP web connections and HTTPS web connections. A destination port list was defined with the multiport match option. nat Table Listing FormatsThe basic format of the nat table list command to list all rules on all nat table chains is shown here: iptables -t nat -vn -L PREROUTING iptables -t nat -vn -L POSTROUTING iptables -t nat -vn -L OUTPUT or iptables -t nat -vn -L Notice that the preceding list commands show only the rules in the nat table chains. What follows are four sample NAT rules, two on the PREROUTING chain and two on the POSTROUTING chain. In the interest of brevity, only the -v output is presented: > iptables -t nat -v -L 1 PREROUTING (policy DROP 0 packets, 0 bytes) 2 pkts bytes target prot opt in out source \ destination 3 0 0 DNAT tcp -- eth1 any 192.168.1.129 \ this.host tcp spts:1020:65535 dpt:ssh to:hostA.lan 4 0 0 REDIRECT tcp -- eth0 any anywhere \ anywhere tcp spts:1024:65535 dpt:http 5 POSTROUTING (policy DROP 0 packets, 0 bytes) 6 pkts bytes target prot opt in out source \ destination 7 0 0 SNAT tcp -- any eth1 hostA.lan \ 192.168.1.129 tcp spts:1024:65535 dpt:21 to:this.host 8 0 0 MASQUERADE all -- any ppp0 lan_network \ anywhere Line 1 identifies the listing as being for the PREROUTING chain, the point where destination NAT is applied. The PREROUTING chain's default policy is DROP. Line 2 contains these column headings:
Line 3 is a DNAT rule to alter the destination address in incoming SSH packets. SSH client connections from external host 192.168.1.129 addressed to the local host are redirected to host A on the LAN. Line 4 is an example of the specialized form of DNAT, REDIRECT, which redirects packets to the local host. In this case, any HTTP packets arriving on the eth0 interface, presumably to be forwarded to a remote web server, are redirected to a local proxy server listening on this host's TCP port 80. Line 5 identifies the next listing as being for the POSTROUTING chain, the point where source NAT is applied. The POSTROUTING chain's default policy is DROP. Line 6 contains the column headings and is identical to Line 2. Line 7 is an SNAT rule to alter the source address in outgoing FTP client packets. FTP client connections from Host A on the LAN addressed to host 192.168.1.129 on the external LAN are modified to appear to be originating from this host. Line 8 is an example of the specialized form of SNAT, MASQUERADE, which is intended for temporary connections with changeable IP addresses. In this case, all outgoing packets on the ppp0 interface are masqueraded as coming from this host. Remember that forward rules are also necessary in these cases. mangle Table Listing FormatsThe basic format of the mangle table list command to list all rules on the mangle table chains is as follows: iptables -t mangle -vn -L PREROUTING iptables -t mangle -vn -L OUTPUT or iptables -t mangle -vn -L Notice that the preceding list commands show only the rules in the mangle table chains. What follows are two sample mangle table rules, a MARK rule on the PREROUTING chain and a TOS rule on the OUTPUT chain. In the interest of brevity, only the -v output is presented: > iptables -t mangle -v L 1 PREROUTING (policy DROP 0 packets, 0 bytes) 2 pkts bytes target prot opt in out source \ destination 3 0 0 MARK tcp -- eth0 any laptop.private.lan \ anywhere tcp spts:1024:65535 dpt:ssh MARK set 0x10070 4 OUTPUT (policy DROP 0 packets, 0 bytes) 5 pkts bytes target prot opt in out source \ destination 6 0 0 TOS tcp -- any eth1 bastion.firewall.lan \ anywhere tcp spts:1024:65535 dpt:ssh TOS set Minimize-Delay Line 1 identifies the listing as being for the PREROUTING chain, the point where MANGLE is applied. The PREROUTING chain's default policy is DROP. Line 2 contains these column headings:
Line 3 is a MARK rule to alter the mark value that iptables associates with SSH packets arriving on the incoming interface. SSH client connections from the local laptop addressed to anywhere are assigned the mark value 0x10070. Line 4 identifies the listing as being for the OUTPUT chain, the chain where mangle table operations are applied to locally generated packets. The OUTPUT chain's default policy is DROP. Line 5 contains the same column headings as Line 2. Line 6 is a TOS rule to alter the tos value in the IP packet header of outgoing SSH client packets. SSH client connections from the local host addressed to the local bastion firewall are assigned the tos value minimize-delay. |