Recipe 2.16 Listing Your Firewall Rules

2.16.1 Problem

You want to see your firewall rules.

2.16.2 Solution

    # iptables -L [chain]

    # ipchains -L [chain]

For more detailed output, append the -v option.

If iptables takes a long time to print the rule list, try appending the -n option to disable reverse DNS lookups. Such lookups of local addresses, such as 192.168.0.2, may cause delays due to timeouts.

2.16.3 Discussion

An iptables rule like:

    # iptables -A mychain -p tcp -s 1.2.3.4 -d 5.6.7.8 --dport smtp -j chain2

has a listing like:

    Chain mychain (3 references)
    target     prot opt source               destination
    chain2     tcp  --  1.2.3.4              5.6.7.8              tcp dpt:smtp

which is basically a repeat of what you specified: any SMTP packets from IP address 1.2.3.4 to 5.6.7.8 should be forwarded to target chain2.

Here's a similar ipchains rule that adds logging:

    # ipchains -A mychain -p tcp -s 1.2.3.4 -d 5.6.7.8 --dport smtp -l -j chain2

Its listing looks like:

    Chain mychain (3 references):
    target     prot opt     source                destination           ports
    chain2     tcp  ----l-  1.2.3.4               5.6.7.8               any ->   smtp

A detailed listing (-L -v) adds packet and byte counts and more:

    Chain mychain (3 references):
     pkts bytes target     prot opt     tosa tosx  ifname     source                destination           ports
       15  2640 chain2     tcp  ----l-  0xFF 0x00  any        1.2.3.4               5.6.7.8               any ->   smtp

Another way to view your rules is in the output of iptables-save or ipchains-save [Recipe 2.19], but this more concise format is not as readable. It's meant only to be processed by iptables-restore or ipchains-restore, respectively:

    # ipchains-save
    ...
    Saving 'mychain'.
    -A foo -s 1.2.3.4/255.255.255.255 -d 5.6.7.8/255.255.255.255 25:25 -p 6 -j chain2 -l

2.16.4 See Also

iptables(8), ipchains(8).
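The listings above are meant to be read by eye, but the same -L -v -n output is regular enough to script against, which is useful when auditing a ruleset for rules that never match. The following shell script is an added example, not part of the recipe and not from the iptables project: it embeds a constructed iptables -L -v -n listing (reusing the recipe's mychain, chain2 and 1.2.3.4 -> 5.6.7.8 rule, plus invented INPUT rules) and parses it with awk to report zero-hit rules and a per-chain summary. The function names sample_listing, zero_hit_rules and chain_summary are this example's own.

```shell
#!/bin/sh
# Parse "iptables -L -v -n" output (the detailed, no-DNS listing from the recipe).
# Column layout of a -v -n rule line:
#   pkts bytes target prot opt in out source destination [match details]

# Constructed sample listing; the mychain/chain2 rule mirrors the recipe's example.
sample_listing() {
    cat <<'EOF'
Chain INPUT (policy DROP 12 packets, 720 bytes)
 pkts bytes target     prot opt in     out     source               destination
  340 27200 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
 1500 98000 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:22
   15  2640 mychain    tcp  --  *      *       1.2.3.4              5.6.7.8              tcp dpt:25

Chain mychain (3 references)
 pkts bytes target     prot opt in     out     source               destination
   15  2640 chain2     tcp  --  *      *       1.2.3.4              5.6.7.8              tcp dpt:25
    0     0 DROP       tcp  --  *      *       192.168.0.2          0.0.0.0/0            tcp dpt:25

Chain chain2 (1 references)
 pkts bytes target     prot opt in     out     source               destination
   15  2640 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0
EOF
}

# Print "chain target proto source destination" for every rule whose packet
# counter is zero, i.e. rules that have matched nothing since counters were reset.
# Reads a -L -v -n listing on stdin.
zero_hit_rules() {
    awk '
        /^Chain /            { chain = $2; next }   # remember which chain we are in
        /^ *pkts +bytes/     { next }               # skip the column header
        NF == 0              { next }               # skip blank separators
        $1 ~ /^[0-9]+$/ && $1 == 0 {
            printf "%s %s %s %s %s\n", chain, $3, $4, $8, $9
        }
    '
}

# Print "chain rule_count total_pkts" for each chain, in listing order.
chain_summary() {
    awk '
        /^Chain / {
            chain = $2; order[++n] = chain
            rules[chain] = 0; pkts[chain] = 0
            next
        }
        /^ *pkts +bytes/ || NF == 0 { next }
        $1 ~ /^[0-9]+$/ { rules[chain]++; pkts[chain] += $1 }
        END {
            for (i = 1; i <= n; i++)
                printf "%s %d %d\n", order[i], rules[order[i]], pkts[order[i]]
        }
    '
}

# Stand-alone demonstration on the constructed listing.
echo "Rules with zero packet hits:"
sample_listing | zero_hit_rules
echo
echo "Per-chain summary (chain rules packets):"
sample_listing | chain_summary
```

On a live system, feed the functions with `iptables -L -v -n -x | zero_hit_rules`; the -x (--exact) flag prints full counters instead of abbreviated ones such as 12K, which the numeric test in the awk filter would otherwise skip. A zero-hit rule is not necessarily wrong (it may be a rarely triggered deny), but it is the first thing to question when a ruleset has grown over time.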