Linux Security Cookbook

2.16.1 Problem

You want to see your firewall rules.

2.16.2 Solution

For iptables:

# iptables -L [chain]

For ipchains:

# ipchains -L [chain]

For more detailed output, append the -v option.

If iptables takes a long time to print the rule list, try appending the -n option to disable reverse DNS lookups. Such lookups of local addresses, such as 192.168.0.2, may cause delays due to timeouts.

2.16.3 Discussion

An iptables rule like:

# iptables -A mychain -p tcp -s 1.2.3.4 -d 5.6.7.8 --dport smtp -j chain2

has a listing like:

Chain mychain (3 references)
target     prot opt source               destination
chain2     tcp  --  1.2.3.4              5.6.7.8              tcp dpt:smtp

which is basically a repeat of what you specified: any SMTP packets from IP address 1.2.3.4 to 5.6.7.8 should be forwarded to target chain2. Here's a similar ipchains rule that adds logging:

# ipchains -A mychain -p tcp -s 1.2.3.4 -d 5.6.7.8 --dport smtp -l -j chain2

Its listing looks like:

Chain mychain (3 references):
target     prot opt     source                destination           ports
chain2     tcp  ----l-  1.2.3.4               5.6.7.8               any ->   smtp

A detailed listing (-L -v) adds packet and byte counts and more:

Chain mychain (3 references):
 pkts bytes target     prot opt     tosa tosx  ifname     source                destination           ports
   15  2640 chain2     tcp  ----l-  0xFF 0x00  any        1.2.3.4               5.6.7.8               any ->   smtp
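The listings above are meant for eyes, but they can also be checked by a script. The following is an added example, not from the book: it parses `iptables -L -v -n` output into one record per rule by reading the header row that follows each "Chain" line, then runs two audit checks over the result (ACCEPT rules open to any source, and rules whose packet counter is still zero). The sample listing is constructed, and the column handling assumes the header rows iptables prints (target prot opt source destination, with pkts/bytes/in/out prepended under -v).

```python
import re

# Constructed sample of `iptables -L -v -n` output (not captured from a real host).
# With -n, interfaces print as '*' and ports as numbers (dpt:25, not dpt:smtp).
SAMPLE = """\
Chain INPUT (policy DROP 12 packets, 960 bytes)
 pkts bytes target     prot opt in     out     source               destination
 1032 88192 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:22
   15  2640 mychain    tcp  --  *      *       1.2.3.4              5.6.7.8              tcp dpt:25

Chain mychain (1 references)
 pkts bytes target     prot opt in     out     source               destination
   15  2640 LOG        tcp  --  *      *       1.2.3.4              5.6.7.8              tcp dpt:25 LOG flags 0 level 4
   15  2640 chain2     tcp  --  *      *       1.2.3.4              5.6.7.8              tcp dpt:25
"""

CHAIN_RE = re.compile(r"^Chain (\S+) \((.*)\)\s*$")

def parse_listing(text):
    """Parse `iptables -L [-v] [-n]` output into one dict per rule.
    The header row after each 'Chain' line names the fixed columns; each rule
    dict maps those names to values and adds 'chain' and 'extra' (the match
    options past the fixed columns, e.g. 'tcp dpt:22')."""
    rules, chain, columns = [], None, []
    for line in text.splitlines():
        if not line.strip():
            continue
        m = CHAIN_RE.match(line)
        if m:                      # new chain: the next non-blank line is its header
            chain, columns = m.group(1), []
            continue
        if not columns:
            columns = line.split()
            continue
        parts = line.split(None, len(columns))   # at most len(columns)+1 pieces
        rule = dict(zip(columns, parts))
        rule["chain"] = chain
        rule["extra"] = parts[len(columns)] if len(parts) > len(columns) else ""
        rules.append(rule)
    return rules

def open_to_world(rules):
    """ACCEPT rules that match any source on a non-loopback input interface."""
    return [r for r in rules if r["target"] == "ACCEPT"
            and r["source"] == "0.0.0.0/0" and r.get("in", "*") != "lo"]

def never_matched(rules):
    """Rules whose packet counter is still zero (needs the -v listing)."""
    return [r for r in rules if r.get("pkts") == "0"]
```

Feed it real output with `parse_listing(subprocess.check_output(["iptables", "-L", "-v", "-n"], text=True))`; a rule flagged by `never_matched` over a long uptime is a candidate for review, and anything from `open_to_world` deserves a second look.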

Another way to view your rules is in the output of iptables-save or ipchains-save [Recipe 2.19], but this more concise format is not as readable. It's meant only to be processed by iptables-restore or ipchains-restore, respectively:

# ipchains-save
...
Saving 'mychain'.
-A foo -s 1.2.3.4/255.255.255.255 -d 5.6.7.8/255.255.255.255 25:25 -p 6 -j chain2 -l

2.16.4 See Also

iptables(8), ipchains(8).
