Recipe 2.16 Listing Your Firewall Rules
2.16.1 Problem
You want to see your firewall rules.
2.16.2 Solution
For iptables:
# iptables -L [chain]
For ipchains:
# ipchains -L [chain]
For more detailed output, append the -v option. If iptables takes a long time to print the rule list, try appending the -n option to disable reverse DNS lookups. Such lookups of local addresses, such as 192.168.0.2, may cause delays due to timeouts.
2.16.3 Discussion
An iptables rule like:
# iptables -A mychain -p tcp -s 1.2.3.4 -d 5.6.7.8 --dport smtp -j chain2
has a listing like:
Chain mychain (3 references)
target     prot opt source               destination
chain2     tcp  --  1.2.3.4              5.6.7.8              tcp dpt:smtp
which is basically a repeat of what you specified: any SMTP packets from IP address 1.2.3.4 to 5.6.7.8 should be forwarded to target chain2. Here's a similar ipchains rule that adds logging:
# ipchains -A mychain -p tcp -s 1.2.3.4 -d 5.6.7.8 --dport smtp -l -j chain2
Its listing looks like:
Chain mychain (3 references):
target     prot opt     source                destination           ports
chain2     tcp  ----l-  1.2.3.4               5.6.7.8               any ->   smtp
A detailed listing (-L -v) adds packet and byte counts and more:
Chain mychain (3 references):
 pkts bytes target     prot opt     tosa tosx  ifname  source                destination           ports
   15  2640 chain2     tcp  ----l-  0xFF 0x00  any     1.2.3.4               5.6.7.8               any ->   smtp
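The -L -v listing is meant for humans, but when auditing a large rule set it helps to turn it into structured records. The parser below is an added example, not part of the recipe: it reads the output of iptables -L -n -v (the -n form the Solution recommends, so ports appear as numbers such as 25 rather than smtp), expands abbreviated counters, and flags rules whose packet counter is still zero. The listing it parses is a constructed sample, not captured from a real host.

```python
import re
from typing import Dict, List

# Constructed sample of `iptables -L -n -v` output (not from a real host).
SAMPLE_LISTING = """\
Chain INPUT (policy DROP 12 packets, 720 bytes)
 pkts bytes target     prot opt in     out     source               destination
  150  9000 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
   42  2520 mychain    tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:25

Chain mychain (1 references)
 pkts bytes target     prot opt in     out     source               destination
   15  2640 chain2     tcp  --  *      *       1.2.3.4              5.6.7.8              tcp dpt:25
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0
"""

CHAIN_RE = re.compile(r"^Chain (\S+) \((.*)\)$")
# The -v listing columns, in order; anything after "destination" is match text.
COLUMNS = ("pkts", "bytes", "target", "prot", "opt", "in", "out", "source", "destination")
SUFFIX = {"K": 1_000, "M": 1_000_000, "G": 1_000_000_000}


def parse_count(text: str) -> int:
    """Counters printed without -x are abbreviated (e.g. '12K'); expand them."""
    if text[-1] in SUFFIX:
        return int(text[:-1]) * SUFFIX[text[-1]]
    return int(text)


def parse_listing(listing: str) -> Dict[str, dict]:
    """Turn `iptables -L -n -v` output into {chain: {"info": ..., "rules": [...]}}.
    Assumes every rule has a target: a rule added without -j prints a blank
    target column, which whitespace splitting would misalign."""
    chains: Dict[str, dict] = {}
    current = None
    for line in listing.splitlines():
        line = line.strip()
        if not line or line.startswith("pkts "):
            continue  # blank separator between chains, or the column header
        m = CHAIN_RE.match(line)
        if m:  # "(N references)" for user chains, "(policy ...)" for built-ins
            current = {"info": m.group(2), "rules": []}
            chains[m.group(1)] = current
            continue
        fields = line.split()
        rule = dict(zip(COLUMNS, fields[:9]))
        rule["pkts"] = parse_count(rule["pkts"])
        rule["bytes"] = parse_count(rule["bytes"])
        rule["match"] = " ".join(fields[9:])  # e.g. "tcp dpt:25"
        current["rules"].append(rule)
    return chains


def unused_rules(chains: Dict[str, dict]) -> List[str]:
    """Rules whose packet counter is zero: dead rules, or rules shadowed by an
    earlier match. Either way they deserve a look during a review."""
    return [f"{name}: {r['target']} {r['prot']} {r['source']} -> {r['destination']} {r['match']}".rstrip()
            for name, c in chains.items() for r in c["rules"] if r["pkts"] == 0]
```

Run it on real output with `iptables -L -n -v -x` piped in; -x prints exact counters, so parse_count then sees plain integers.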
Another way to view your rules is in the output of iptables-save or ipchains-save [Recipe 2.19], but this more concise format is not as readable. It's meant only to be processed by iptables-restore or ipchains-restore, respectively:
# ipchains-save
... Saving 'mychain'.
-A foo -s 1.2.3.4/255.255.255.255 -d 5.6.7.8/255.255.255.255 25:25 -p 6 -j chain2 -l
2.16.4 See Also
iptables(8), ipchains(8).