Do you use iptables and want to check the loaded rules? This post starts with some background, including how to make sure you aren't using a firewall front end, and then covers several ways of checking iptables rules, from listing everything to looking at specific chains and tables.
What Is Iptables?
The iptables command is a utility that lets system administrators configure the Linux kernel's packet-filtering rules. Put simply, it acts as a firewall.
What Are Firewall Chains?
Chains are a list of rules that specify how packets are handled.
What Are Iptables Tables?
In iptables, chains and tables are different concepts: tables are categories that group related chains together for a specific purpose (think filtering or NAT).
Checking For Firewall Frontends
Before getting started, be aware that you should only interact directly with iptables if you aren't using a firewall front end and aren't using nftables, the replacement for iptables.
You can use the snippet below to check whether one of the more common firewall front ends is installed.
# Wrapped in a function so that a failed check returns instead of exiting (an exit 1 inside a
# plain { } group would close the interactive shell it is pasted into).
check_firewall_frontends() {
  local front_end_found=0 cmd
  local WARN="\e[31;1m" RESET="\e[0m"
  # Check if iptables is installed
  if ! command -v iptables >/dev/null; then
    echo -e "\n${WARN}=== WARNING ===${RESET}\nIptables is not installed. Please install it before proceeding.\n${WARN}================${RESET}\n"
    return 1
  fi
  # Check for installed front ends. command -v only proves the binary is present, not that its
  # service is running. The iptables-persistent package installs the netfilter-persistent command.
  for cmd in ufw csf firewalld iptables-persistent netfilter-persistent shorewall apf fail2ban-client; do
    command -v "$cmd" >/dev/null && { echo -e "\n${WARN}=== WARNING ===${RESET}\n$cmd is installed. Avoid direct modifications to iptables rules.\n${WARN}================${RESET}"; front_end_found=1; }
  done
  # Check for nftables if no front end was found
  [ "$front_end_found" -eq 0 ] && command -v nft >/dev/null && echo -e "\n${WARN}=== WARNING ===${RESET}\nNftables is installed and is a replacement for iptables. If you encounter issues using iptables please consider using nftables directly.\n${WARN}================${RESET}\n"
  return 0
}
check_firewall_frontends
Note: this only looks for specific firewall front ends. Keep this in mind if the one you use isn't in the list above.
Checking Active Iptables Rules
Here are some different examples of listing iptables rules.
Listing All Firewall Rules
Below are two different ways to list iptables firewall rules:
iptables --list
iptables -L
Both do the same thing; -L is just the short form of --list. Either way, only the default filter table is shown unless you pass -t (covered below), and adding -n skips reverse DNS lookups so the listing appears faster.
Listing A Specific Chain
If you would like to list a specific chain, you can append the chain name to the command like this:
sudo iptables -L [chain_here]
This is really helpful when working with systems that have large rule sets.
Saving Rules
To list all rules in a form that can be reloaded elsewhere, use iptables-save, which prints every table in the format iptables-restore reads.
iptables-save
Decoding Rules
Need some help understanding the output? Here are some of the more common things you will see:
- Chain Name : Indicates the name of the chain (e.g., INPUT, OUTPUT, FORWARD) for which the rules are listed.
- Default Policy : Shows the default action taken when packets do not match any rules in this chain (e.g., ACCEPT, DROP). It also includes the number of packets and bytes counted by this default policy.
- Rule Columns : When options like -v (verbose) and --line-numbers are used, various columns will be present:
  - num : Number of the rule in the chain. This is particularly useful for identifying rules for editing or deletion.
  - pkts : The total number of packets that have matched this rule since it was added.
  - bytes : The total amount of data (in bytes) that has matched this rule since it was added.
  - target : The action taken on a packet that matches this rule (e.g., ACCEPT, DROP, REJECT).
  - prot : The protocol the rule applies to (e.g., TCP, UDP, ICMP). This signifies what kind of traffic the rule is monitoring or filtering.
  - opt : Options related to the protocol being filtered, usually displaying --, indicating that there are no specific options applied in this rule.
  - in : The network interface this rule applies to for incoming packets, where * means all interfaces.
  - out : The network interface this rule applies to for outgoing packets, with * indicating all interfaces.
  - source : The source IP address for packets to which this rule applies. Can be a specific IP address, subnet, or range.
  - destination : The destination IP address or network for packets matching this rule. 0.0.0.0/0 refers to any destination address.
If a column you see isn't listed above, check the iptables documentation (man iptables).
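To put the column descriptions above to work, here is an added example (not code from the original post) that parses the output of sudo iptables -nvL --line-numbers into chains and rules, expands the K/M/G counter suffixes iptables prints without -x, and flags rules whose packet counter is still zero, which is a quick way to spot rules that may never fire. The sample output is constructed, not captured from a real host.

```python
import re
from typing import Dict, List

# Constructed sample of `sudo iptables -nvL --line-numbers` output (not from a real host).
SAMPLE = """\
Chain INPUT (policy DROP 12 packets, 720 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1     1532   98K ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
2      420 31200 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:22
3        0     0 ACCEPT     tcp  --  *      *       10.0.0.0/8           0.0.0.0/0            tcp dpt:80

Chain FORWARD (policy DROP 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 2048 packets, 150K bytes)
num   pkts bytes target     prot opt in     out     source               destination
"""

# Built-in chains show a policy; user-defined chains show "(N references)" instead.
CHAIN_RE = re.compile(r"^Chain (\S+) \((?:policy (\S+) (\d+) packets, (\S+) bytes|(\d+) references)\)")
SUFFIX = {"K": 1000, "M": 1000_000, "G": 1000_000_000}
COLUMNS = ["num", "pkts", "bytes", "target", "prot", "opt", "in", "out", "source", "destination"]

def to_int(count: str) -> int:
    """Expand the K/M/G suffix that -v uses for large counters (use -x to get exact values)."""
    if count[-1] in SUFFIX:
        return int(count[:-1]) * SUFFIX[count[-1]]
    return int(count)

def parse_list_output(text: str) -> Dict[str, dict]:
    """Parse -nvL --line-numbers output into {chain: {"policy": ..., "rules": [...]}}."""
    chains: Dict[str, dict] = {}
    current = None
    for line in text.splitlines():
        m = CHAIN_RE.match(line)
        if m:
            current = chains.setdefault(m.group(1), {"policy": m.group(2), "rules": []})
            continue
        if not line.strip() or line.startswith("num") or current is None:
            continue  # blank separator, column header, or text before the first chain
        fields = line.split(None, len(COLUMNS))  # keep match options such as "tcp dpt:22" whole
        rule = dict(zip(COLUMNS, fields))
        rule["extra"] = fields[len(COLUMNS)] if len(fields) > len(COLUMNS) else ""
        rule["num"], rule["pkts"], rule["bytes"] = int(rule["num"]), to_int(rule["pkts"]), to_int(rule["bytes"])
        current["rules"].append(rule)
    return chains

def unused_rules(chains: Dict[str, dict]) -> List[str]:
    """Rules that have never matched a packet: candidates to review, tighten or remove."""
    return [f"{name}:{r['num']}" for name, c in chains.items() for r in c["rules"] if r["pkts"] == 0]
```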
Checking Iptables Tables
To view a different table, use the -t flag followed by the table name.
The different tables are listed below:
- filter – General packet filtering.
- nat – Network Address Translation.
- mangle – Packet alteration, marking, and QoS.
- raw – Bypasses connection tracking.
- security – Implements MAC rules.
For example, to list the rules in the nat table:
sudo iptables -t nat -L
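Because iptables-save dumps every table at once, it is a convenient input for a per-table review. The following is an added example (not code from the original post) that splits iptables-save output into tables, records each chain's default policy, and reports which built-in filter chains accept by default. The sample dump is constructed, not captured from a real host.

```python
from typing import Dict, List

# Constructed `iptables-save` output (not from a real host). Each table starts with *name,
# chains appear as ":CHAIN POLICY [pkts:bytes]" ("-" means a user-defined chain with no
# policy), rules are -A lines, and COMMIT closes the table.
SAMPLE_SAVE = """\
# Generated by iptables-save (constructed sample)
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 10.0.0.0/8 -o eth0 -j MASQUERADE
COMMIT
*filter
:INPUT DROP [12:720]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [2048:150000]
:WEB - [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j WEB
-A WEB -s 10.0.0.0/8 -j ACCEPT
COMMIT
# Completed (constructed sample)
"""

def parse_save_output(text: str) -> Dict[str, dict]:
    """Group iptables-save output by table: {table: {"policy": {chain: policy}, "rules": [...]}}."""
    tables: Dict[str, dict] = {}
    table = None
    for line in text.splitlines():
        if line.startswith("#") or not line.strip():
            continue  # comments and blank lines carry no rules
        if line.startswith("*"):
            table = tables.setdefault(line[1:], {"policy": {}, "rules": []})
        elif line == "COMMIT":
            table = None
        elif table is None:
            raise ValueError(f"line outside a table block: {line!r}")
        elif line.startswith(":"):
            chain, policy, _counters = line[1:].split()
            table["policy"][chain] = policy
        else:
            table["rules"].append(line)
    return tables

def accept_by_default(tables: Dict[str, dict]) -> List[str]:
    """Filter-table chains whose default policy is ACCEPT; worth a second look on a host."""
    policies = tables.get("filter", {"policy": {}})["policy"]
    return sorted(chain for chain, policy in policies.items() if policy == "ACCEPT")

def rules_in_table(tables: Dict[str, dict], name: str) -> List[str]:
    """Rules of one table, or an empty list if the table was not present in the dump."""
    return tables.get(name, {"rules": []})["rules"]
```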
Conclusion
Iptables can often seem more complex than other firewall solutions. This complexity has led to the development of various front-end interfaces designed to simplify the management of firewall rules. In this post, rather than focusing on those front-end alternatives, we covered the necessary background, checking for common iptables front ends, how to list active rules, how to read them, and finally tables, in case you're looking for things that aren't in the default filter table.
Looking For More
Done and looking for more content? Why not check out these other firewall-related posts?
Embracing a lifelong passion for technology since childhood, CJ delved into the intricate workings of systems, captivated by the desire to understand the unknown. This innate curiosity led to his discovery of Linux, a revelation that resonated deeply. With more than 7 years of on the job experience, he’s honed his technical skills as a Geek and Senior Linux Systems Administrator.