26.3.2.2 Listing Firewall Rules

Use the iptables -L command to list firewall rules for the chains of the filter table. Without the -t option, only the filter table is shown; use -t nat or -t mangle to list the other tables. Add -n to display addresses and ports numerically instead of resolving them (faster, and it avoids DNS lookups from a firewall host), and -v to display packet and byte counters together with the input and output interfaces that each rule matches, which -L alone omits. The following example shows the default rules for a newly installed system:

# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source       destination         
ACCEPT     all  --  anywhere     anywhere        state RELATED,ESTABLISHED 
ACCEPT     icmp --  anywhere     anywhere            
ACCEPT     all  --  anywhere     anywhere            
ACCEPT     tcp  --  anywhere     anywhere        state NEW tcp dpt:ssh 
ACCEPT     udp  --  anywhere     anywhere        state NEW udp dpt:ipp 
ACCEPT     udp  --  anywhere     224.0.0.251     state NEW udp dpt:mdns 
ACCEPT     tcp  --  anywhere     anywhere        state NEW tcp dpt:ipp 
ACCEPT     udp  --  anywhere     anywhere        state NEW udp dpt:ipp 
REJECT     all  --  anywhere     anywhere        reject-with icmp-host-prohibited 

Chain FORWARD (policy ACCEPT)
target     prot opt source       destination         
REJECT     all  --  anywhere     anywhere        reject-with icmp-host-prohibited 

Chain OUTPUT (policy ACCEPT)
target     prot opt source       destination

In this example, the default policy for each chain is ACCEPT. The policy is only consulted for a packet that matches none of the rules, and the INPUT and FORWARD chains end with a REJECT rule that matches everything, so those two chains are effectively deny-by-default despite the ACCEPT policy: a packet that is not accepted by an earlier rule is refused with an ICMP host-prohibited message. The OUTPUT chain has no rules, so all outbound traffic is permitted. A more secure system could have a default policy of DROP, and the additional rules would only allow specific packets on a case-by-case basis. Note also that rule 3 appears to accept all traffic from anywhere to anywhere. Because -L does not display interface matches, run iptables -L -v (or iptables -S, which prints the rules as the options used to create them) to confirm that a rule like this is restricted to an interface before relying on it.

If you want to insert (-I), replace (-R), or delete (-D) a rule by position, specify the --line-numbers option to see how the rules in each chain are numbered. Numbering starts at 1 within each chain and shifts whenever a rule is inserted or deleted, so list the chain again after each change before using a rule number.

# iptables -L --line-numbers
Chain INPUT (policy ACCEPT)
num  target     prot opt source           destination         
1    ACCEPT     all  --  anywhere         anywhere        state RELATED,ESTABLISHED 
2    ACCEPT     icmp --  anywhere         anywhere            
3    ACCEPT     all  --  anywhere         anywhere            
4    ACCEPT     tcp  --  anywhere         anywhere        state NEW tcp dpt:ssh 
5    ACCEPT     udp  --  anywhere         anywhere        state NEW udp dpt:ipp 
6    ACCEPT     udp  --  anywhere         224.0.0.251     state NEW udp dpt:mdns 
7    ACCEPT     tcp  --  anywhere         anywhere        state NEW tcp dpt:ipp 
8    ACCEPT     udp  --  anywhere         anywhere        state NEW udp dpt:ipp 
9    REJECT     all  --  anywhere         anywhere        reject-with icmp-host-prohibited 

Chain FORWARD (policy ACCEPT)
num  target     prot opt source           destination         
1    REJECT     all  --  anywhere         anywhere        reject-with icmp-host-prohibited 

Chain OUTPUT (policy ACCEPT)
num  target     prot opt source           destination
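The following script is an added example and is not part of the original page or of the iptables distribution. It parses listing output in the format shown above to audit which chains are effectively allow-by-default, and to look up rule numbers by a pattern before deleting rules by position. The listing is embedded as a constructed copy of the output above so that the script runs offline and without root; on a real host it would be replaced by the output of iptables -L --line-numbers -n. The function names open_chains, rule_numbers and delete_commands are this example's own.

```shell
#!/bin/sh
# Added example (not from the original page): parse `iptables -L --line-numbers`
# output to audit chain policies and to find rule numbers before deleting by
# position. LISTING is a constructed copy of the listing shown above; on a
# real host use:  LISTING=$(iptables -L --line-numbers -n)
# (-n prints 0.0.0.0/0 instead of "anywhere"; both forms are handled below).

LISTING='Chain INPUT (policy ACCEPT)
num  target     prot opt source           destination
1    ACCEPT     all  --  anywhere         anywhere        state RELATED,ESTABLISHED
2    ACCEPT     icmp --  anywhere         anywhere
3    ACCEPT     all  --  anywhere         anywhere
4    ACCEPT     tcp  --  anywhere         anywhere        state NEW tcp dpt:ssh
5    ACCEPT     udp  --  anywhere         anywhere        state NEW udp dpt:ipp
6    ACCEPT     udp  --  anywhere         224.0.0.251     state NEW udp dpt:mdns
7    ACCEPT     tcp  --  anywhere         anywhere        state NEW tcp dpt:ipp
8    ACCEPT     udp  --  anywhere         anywhere        state NEW udp dpt:ipp
9    REJECT     all  --  anywhere         anywhere        reject-with icmp-host-prohibited

Chain FORWARD (policy ACCEPT)
num  target     prot opt source           destination
1    REJECT     all  --  anywhere         anywhere        reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT)
num  target     prot opt source           destination'

# open_chains LISTING
# Prints the chains that are effectively allow-by-default: policy ACCEPT and
# no final rule that REJECTs or DROPs all protocols from anywhere to anywhere.
open_chains() {
    printf '%s\n' "$1" | awk '
        function is_any(a) { return a == "anywhere" || a == "0.0.0.0/0" }
        function flush() { if (chain != "" && policy == "ACCEPT" && !closed) print chain }
        /^Chain / {
            flush()
            chain = $2; policy = substr($4, 1, length($4) - 1); closed = 0
            next
        }
        /^[0-9]+ / {
            # Only the last rule of the chain matters, so re-evaluate on every rule line.
            closed = (($2 == "REJECT" || $2 == "DROP") && $3 == "all" && is_any($5) && is_any($6))
        }
        END { flush() }'
}

# rule_numbers LISTING CHAIN REGEX
# Prints the position of every rule in CHAIN whose listing line matches REGEX.
rule_numbers() {
    printf '%s\n' "$1" | awk -v chain="$2" -v pat="$3" '
        /^Chain / { cur = $2; next }
        cur == chain && /^[0-9]+ / && $0 ~ pat { print $1 }'
}

# delete_commands LISTING CHAIN REGEX
# Prints the iptables -D commands that would remove the matching rules.
# Positions are emitted highest first: deleting rule 5 renumbers rules 7 and 8,
# so deleting in ascending order would remove the wrong rules.
delete_commands() {
    rule_numbers "$1" "$2" "$3" | sort -rn | while IFS= read -r n; do
        printf 'iptables -D %s %s\n' "$2" "$n"
    done
}

# Stand-alone usage: audit the embedded listing, then show how the three
# ipp (printing) rules would be removed. Nothing here touches the live firewall.
echo "Chains open by default: $(open_chains "$LISTING" | tr '\n' ' ')"
echo "Commands to remove the ipp rules from INPUT, highest position first:"
delete_commands "$LISTING" INPUT 'dpt:ipp'
```

Run against the embedded listing, open_chains reports only OUTPUT, matching the analysis above, and delete_commands emits the deletions for rules 8, 7 and 5 in that order. To act on the output rather than print it, pipe delete_commands into sh as root, after re-listing the chain so the numbers are current.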