List Rules by Specification
To list out all of the active iptables rules by specification, run the¬†iptables¬†command with the¬†-S¬†option:
Example: Rule Specification Listing
-P INPUT DROP -P FORWARD DROP -P OUTPUT ACCEPT -N ICMP -N TCP -N UDP -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT -A INPUT -i lo -j ACCEPT -A INPUT -m conntrack --ctstate INVALID -j DROP -A INPUT -p udp -m conntrack --ctstate NEW -j UDP -A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m conntrack --ctstate NEW -j TCP -A INPUT -p icmp -m conntrack --ctstate NEW -j ICMP -A INPUT -p udp -j REJECT --reject-with icmp-port-unreachable -A INPUT -p tcp -j REJECT --reject-with tcp-reset -A INPUT -j REJECT --reject-with icmp-proto-unreachable -A TCP -p tcp -m tcp --dport 22 -j ACCEPT
As you can see, the output looks just like the commands that were used to create them, without the preceding¬†iptables¬†command. This will also look similar to the iptables rules configuration files, if you've ever used¬†iptables-persistent¬†or¬†iptables save.
List Specific Chain
If you want to limit the output to a specific chain (INPUT,¬†OUTPUT,¬†TCP, etc.), you can specify the chain name directly after the¬†-S¬†option. For example, to show all of the rule specifications in the¬†TCP¬†chain, you would run this command:
Example: TCP Chain Rule Specification Listing
-N TCP -A TCP -p tcp -m tcp --dport 22 -j ACCEPT
Let's take a look at the alternative way to view the active iptables rules, as a table of rules.
List Rules as Tables
Listing the iptables rules in the table view can be useful for comparing different rules against each other,
To output all of the active iptables rules in a table, run the¬†iptables¬†command with the¬†-L¬†option:
This will output all of current rules sorted by chain.
If you want to limit the output to a specific chain (INPUT,¬†OUTPUT,¬†TCP, etc.), you can specify the chain name directly after the¬†-L¬†option.
Let's take a look at an example INPUT chain:
Example: Input Chain Rule Table Listing
Chain INPUT (policy DROP) target prot opt source destination ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED ACCEPT all -- anywhere anywhere DROP all -- anywhere anywhere ctstate INVALID UDP udp -- anywhere anywhere ctstate NEW TCP tcp -- anywhere anywhere tcp flags:FIN,SYN,RST,ACK/SYN ctstate NEW ICMP icmp -- anywhere anywhere ctstate NEW REJECT udp -- anywhere anywhere reject-with icmp-port-unreachable REJECT tcp -- anywhere anywhere reject-with tcp-reset REJECT all -- anywhere anywhere reject-with icmp-proto-unreachable
The first line of output indicates the chain name (INPUT, in this case), followed by its default policy (DROP). The next line consists of the headers of each column in the table, and is followed by the chain's rules. Let's go over what each header indicates:
- target: If a packet matches the rule, the target specifies what should be done with it. For example, a packet can be accepted, dropped, logged, or sent to another chain to be compared against more rules
- prot: The protocol, such as¬†tcp,¬†udp,¬†icmp, or¬†all
- opt: Rarely used, this column indicates IP options
- source: The source IP address or subnet of the traffic, or¬†anywhere
- destination: The destination IP address or subnet of the traffic, or¬†anywhere
The last column, which is not labeled, indicates the¬†options¬†of a rule. That is, any part of the rule that isn't indicated by the previous columns. This could be anything from source and destination ports, to the connection state of the packet.
Show Packet Counts and Aggregate Size
When listing iptables rules, it is also possible to show the number of packets, and the aggregate size of the packets in bytes, that matched each particular rule. This is often useful when trying to get a rough idea of which rules are matching against packets. To do so, simply use the¬†-L¬†and¬†-v¬†option together.
For example, let's look at the INPUT chain again, with the¬†-v¬†option:
- sudo iptables -L INPUT -v
Example: Verbose Listing
Chain INPUT (policy DROP 0 packets, 0 bytes) pkts bytes target prot opt in out source destination 284K 42M ACCEPT all -- any any anywhere anywhere ctstate RELATED,ESTABLISHED 0 0 ACCEPT all -- lo any anywhere anywhere 0 0 DROP all -- any any anywhere anywhere ctstate INVALID 396 63275 UDP udp -- any any anywhere anywhere ctstate NEW 17067 1005K TCP tcp -- any any anywhere anywhere tcp flags:FIN,SYN,RST,ACK/SYN ctstate NEW 2410 154K ICMP icmp -- any any anywhere anywhere ctstate NEW 396 63275 REJECT udp -- any any anywhere anywhere reject-with icmp-port-unreachable 2916 179K REJECT all -- any any anywhere anywhere reject-with icmp-proto-unreachable 0 0 ACCEPT tcp -- any any anywhere anywhere tcp dpt:ssh ctstate NEW,ESTABLISHED
Note that the listing now has two additional columns,¬†pkts¬†and¬†bytes.
Now that you know how to list the active firewall rules in a variety of ways, let's look at how you can reset the packet and byte counters.
Reset Packet Counts and Aggregate Size
If you want to clear, or zero, the packet and byte counters for your rules, use the¬†-Z¬†option. They also reset if a reboot occurs. This is useful if you want to see if your server is receiving new traffic that matches your existing rules.
To clear the counters for all chains and rules, use the¬†-Z¬†option by itself:
To clear the counters for all rules in a specific chain, use the¬†-Z¬†option and specify the chain. For example, to clear the INPUT chain counters run this command:
If you want to clear the counters for a specific rule, specify the chain name and the rule number. For example, to zero the counters for the 1st rule in the INPUT chain, run this:
Now that you know how to reset the iptables packet and byte counters, let's look at the two methods that can be used to¬†