Listing iptables rules

When monitoring traffic, tcpdump is quite useful as it shows the traffic entering or leaving a server interface. However, that is no guarantee that the traffic actually reaches the application.

After the network stack receives a packet it is passed to iptables, which then permits or denies the traffic based on its rule base. There are a few tables to look at:

filter: (think ACLs)
It contains the built-in chains:
INPUT (for packets from the network destined to local sockets/applications)
FORWARD (for packets being routed through the box)
OUTPUT (for locally-generated packets being sent out)

nat:
This table is consulted when a packet that creates a new connection is encountered. It consists of three built-ins:
PREROUTING (for altering packets as soon as they come in)
OUTPUT (for altering locally-generated packets before routing)
POSTROUTING (for altering packets as they are about to go out)

mangle:
This table is used for specialized packet alteration. Until Linux kernel 2.4.17 it had two built-in chains:
PREROUTING (for altering incoming packets before routing)
OUTPUT (for altering locally-generated packets before routing)

Since kernel 2.4.18, three other built-in chains are also supported:
INPUT (for packets coming into the box itself)
FORWARD (for altering packets being routed through the box)
POSTROUTING (for altering packets as they are about to go out).

raw:
This table is used mainly for configuring exemptions from connection tracking in combination with the NOTRACK target. It registers the netfilter hooks with higher priority and is thus called before ip_conntrack, or any other IP tables. It provides the following built-in chains:
PREROUTING (for packets arriving via any network interface)
OUTPUT (for packets generated by local processes)

You can easily look at the contents of a table using the command "iptables -t xxx -L -n -v" (-v adds the per-rule packet and byte counters, which tell you whether a rule has ever matched). For example:

root@hostname:~ # iptables -t filter -L -v -n
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
  643 53797 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:22
 162K   56M ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
   82  5009 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           PKTTYPE = broadcast
   20   640 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           PKTTYPE = multicast
   10   520 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:8080
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp dpt:123
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:22
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:25
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp dpt:161
   13  1790 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp dpt:162
    0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0           LOG flags 0 level 4 prefix `INPUT DROP: '
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0           LOG flags 0 level 4 prefix `FORWARD DROP: '
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0
Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
 165K   56M ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0           LOG flags 0 level 4 prefix `OUTPUT DROP: '
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0

root@hostname:~ # iptables -t nat -L -v -n
Chain PREROUTING (policy ACCEPT 354 packets, 23490 bytes)
 pkts bytes target     prot opt in     out     source               destination
Chain POSTROUTING (policy ACCEPT 17376 packets, 1361K bytes)
 pkts bytes target     prot opt in     out     source               destination
Chain OUTPUT (policy ACCEPT 17376 packets, 1361K bytes)
 pkts bytes target     prot opt in     out     source               destination
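The listing above answers the question "does the traffic reach the application?" only if you walk the chain by hand, rule by rule, in order. The script below is an added example (not part of the original post) that does that walk over the same kind of output: it parses "iptables -t filter -L -v -n", reports the first terminating target a packet would hit in a chain (LOG is non-terminating, so the LOG prefix is reported alongside the final verdict), and flags rules that can never match because an identical earlier rule already terminates, which is why the second "tcp dpt:22" rule in the listing sits at 0 packets / 0 bytes. The sample text is a constructed, trimmed copy of the INPUT and FORWARD chains shown above; the interface name "eth0", the unicast-only modelling of PKTTYPE rules, and the decision not to follow jumps into user-defined chains are assumptions of this example.

```python
"""Walk a chain from `iptables -t filter -L -v -n` output and say what
happens to a given packet. Added example, not code from the original post."""
import re
import subprocess
from dataclasses import dataclass, field

# Constructed sample: trimmed copy of the INPUT/FORWARD chains in the post.
SAMPLE = """\
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
  643 53797 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:22
 162K   56M ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
   82  5009 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
   10   520 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:8080
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:22
    0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0           LOG flags 0 level 4 prefix `INPUT DROP: '
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0
"""

TERMINAL = {"ACCEPT", "DROP", "REJECT"}  # targets that end the walk

@dataclass
class Rule:
    pkts: str
    target: str
    prot: str
    in_if: str
    match: str  # trailing match text, e.g. "tcp dpt:22" or "state RELATED,ESTABLISHED"

@dataclass
class Chain:
    name: str
    policy: str
    rules: list = field(default_factory=list)

CHAIN_RE = re.compile(r"^Chain (\S+) \(policy (\S+)")
# pkts bytes target prot opt in out source destination [match...]
# Assumption: every rule has a target column (true for the listing above).
RULE_RE = re.compile(r"^\s*" + r"(\S+)\s+" * 8 + r"(\S+)\s*(.*)$")

def parse(text):
    """Return {chain name: Chain} from `iptables -L -v -n` text."""
    chains, cur = {}, None
    for line in text.splitlines():
        m = CHAIN_RE.match(line)
        if m:
            cur = Chain(m.group(1), m.group(2))
            chains[cur.name] = cur
            continue
        if not line.strip() or line.lstrip().startswith("pkts") or cur is None:
            continue  # blank line or column header
        m = RULE_RE.match(line)
        if m:
            cur.rules.append(Rule(m.group(1), m.group(3), m.group(4),
                                  m.group(6), m.group(10).strip()))
    return chains

def load_live(table="filter"):
    """Parse the running rule set (needs root); not used by the sample run."""
    out = subprocess.run(["iptables", "-t", table, "-L", "-v", "-n"],
                         capture_output=True, text=True, check=True).stdout
    return parse(out)

def rule_matches(rule, proto, dport, iface, state):
    """Does this rule's protocol / in-interface / match text apply to the packet?"""
    if rule.prot not in ("all", proto) or rule.in_if not in ("*", iface):
        return False
    m = re.search(r"dpt:(\d+)", rule.match)
    if m and int(m.group(1)) != dport:
        return False
    m = re.search(r"state (\S+)", rule.match)
    if m and state not in m.group(1).split(","):
        return False
    if "PKTTYPE" in rule.match:  # broadcast/multicast-only rules; we model unicast
        return False
    return True

def verdict(chains, chain_name, proto, dport, iface="eth0", state="NEW"):
    """Return (target, rule index or None for the policy, LOG prefixes fired)."""
    chain, logged = chains[chain_name], []
    for i, r in enumerate(chain.rules):
        if not rule_matches(r, proto, dport, iface, state):
            continue
        if r.target == "LOG":  # LOG records and falls through to the next rule
            m = re.search(r"prefix `([^']*)'", r.match)
            logged.append(m.group(1) if m else "")
            continue
        if r.target in TERMINAL:
            return r.target, i, logged
    return chain.policy, None, logged  # fell off the end: chain policy applies

def shadowed_rules(chain):
    """Indices of terminating rules identical to an earlier terminating rule."""
    seen, out = set(), []
    for i, r in enumerate(chain.rules):
        key = (r.prot, r.in_if, r.match)
        if r.target in TERMINAL:
            if key in seen:
                out.append(i)
            seen.add(key)
    return out

if __name__ == "__main__":
    chains = parse(SAMPLE)
    for port in (22, 443):
        print("tcp/%d ->" % port, verdict(chains, "INPUT", "tcp", port))
    print("shadowed INPUT rules:", shadowed_rules(chains["INPUT"]))
```

On a live host, replace parse(SAMPLE) with load_live() and run as root. A verdict of DROP together with a logged "INPUT DROP: " prefix tells you to look in the kernel log for the dropped packet; a shadowed rule is usually a leftover from an earlier change and is worth deleting so the counters on the live rule stay meaningful.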
