Viewing all iptables rules

Is there a way to view iptables rules in a bit more detail?

I recently added masquerade to a range of IPs:

iptables -t nat -A POSTROUTING -s -o eth0 -j MASQUERADE
service iptables save
service iptables restart

Which has done what I want it to, but when I use:

iptables -L

I get the same output as I normally get:

Chain INPUT (policy ACCEPT)
target    prot opt source        destination

Chain FORWARD (policy ACCEPT)
target    prot opt source        destination

Chain OUTPUT (policy ACCEPT)
target    prot opt source        destination

How can I see the rules including the ones I add? (system is CentOS 6)

Asked By: TheLovelySausage


When using the -L, --list option to list the current firewall rules, you also need to specify the appropriate Netfilter table (one of filter, nat, mangle, raw or security). So, if you’ve added a rule for the nat table, you should explicitly specify this table using the -t, --table option:

iptables --table nat --list

Or using the options short form:

iptables -t nat -L

If you don’t specify a specific table, the filter table is used as the default.

For faster results, it can be useful to also include the -n, --numeric option to print numeric IP addresses instead of hostnames, thus avoiding the need to wait for reverse DNS lookups.

You can get even more information by including the -v, --verbose option.

Answered By: Anthony Geoghegan

The iptables command also requires you to specify the table otherwise it defaults to filter table. So try:

iptables -t nat -L
Answered By: user425

What I do is to execute iptables-save > iptables_bckp, this would backup all the layers, then edit the file and restore the iptables iptables-restore < iptables_bckp

# iptables-save > iptables_bckp
# vim iptables_bckp
# iptables-restore < iptables_bckp

You can make a double backup so you modify one of them without losing your past iptables.

This is a personal practice, I’m not saying this is the best way but for me works great.

Give a try

Answered By: tachomi

iptables controls five different tables: filter, nat, mangle, raw and security. On a given call, iptables only displays or modifies one of these tables, specified by the argument to the option -t (defaulting to filter). To see the complete state of the firewall, you need to call iptables on each of the tables successively.

Additionally, to get an accurate representation of the rules, you need to pass the option -v. Otherwise some important criteria are omitted in the output, such as the interface in filter rules (e.g. a rule that says “accept everything” and a rule that says “accept everything on the loopback interface” can only be distinguished with -v).

Thus, to get a complete presentation of the netfilter rules, you need

iptables -vL -t filter
iptables -vL -t nat
iptables -vL -t mangle
iptables -vL -t raw
iptables -vL -t security

Alternatively, you can call the iptables-save program, which displays all the rules in all tables in a format that can be parsed by iptables-restore. This format is also reasonably readable by humans (it’s pretty much like a series of calls to the iptables command to build the table).

iptables -S does the trick for me. It seems to list all the active rules, even when the service is off.

From the man page:

-S, –list-rules [chain]
Print all rules in the selected chain. If no chain is selected, all chains are printed like iptables-save. Like every other iptables command, it applies to the specified table (filter is the default).

Answered By: Cameron

If it will really help you could write a bash script and put it in a folder that is reference by your path or reference it via an alias in the ~/.bashrc file.


 echo "Filter table:"
 iptables -t filter -vL

 echo "Nat table:"
 iptables -t nat -vL

 echo "Mangle table:"
 iptables -t mangle -vL

 echo "Raw table:"
 iptables -t raw -vL

 echo "Security table:"
 iptables -t security -vL

 echo "All rules in all tables printed"

Remember to give your new bash script execute permissions with chmod

If permission is an issue you may have to add sudo in front of all the iptables commands.

Answered By: ob1

You can use:

# lsmod | grep ip_tables
ip_tables              13193  4 iptable_raw,iptable_mangle,iptable_nat,iptable_filter

To find all tables and show specific rule in table.

Answered By: Tur Le
iptables -vnxL
iptables -vnxL -tnat

possibly additionally, though these are very very rarely used:

iptables -vnxL -traw
iptables -vnxL -tmangle
iptables -vnxL -tsecuriy
Answered By: sjas
Categories: Answers Tags:
Answers are sorted by their score. The answer accepted by the question owner as the best is marked with
at the top-right corner.