How to print iptable firewall rules?

1

How does one print or dump the firewall rules being used by iptables in an effort to troubleshoot connection problems?

I'm fairly certain it's going to include -L or --list, but I'm not sure of other options that will be helpful in troubleshooting a connection problem because I rarely use iptables directly from the command line.

jww

Posted 2014-12-26T00:17:54.367

Reputation: 1

Answers

1

Are you talking about exporting them to a txt file?

If so, that would be iptables --list > /path/to/txt/file_name.txt

xR34P3Rx

Posted 2014-12-26T00:17:54.367

Reputation: 350

Will the command list most (all?) the information necessary to diagnose a typical connection problem? (Is 'typical' a bad word here?) For example, do I need another switch in addition to --list to list other useful information? Will it keep extra noise to a minimum, or do I need another switch to remove extraneous information that pollutes output and confuses interpretation for someone not familiar with the output? – jww – 2014-12-26T00:47:54.480

Well, typical is a bit vague, which should be avoided here. Be specific. But yes, I understand what you mean by typical. Unless you are doing more in-depth firewall rules like NATting, --list should be fine. But you can specify which chain you want to display. – xR34P3Rx – 2014-12-26T01:08:11.123

iptables -L INPUT specifies a chain to show. This one shows the INPUT chain. – xR34P3Rx – 2014-12-26T01:09:20.873

0

There are different ways of printing out an iptables rule set. You're right to include -L, but for troubleshooting this is not always sufficient. To have a full listing, use the -n and -v options with the -L:

iptables -n -v -L
iptables -t yourtablename -n -v -L

that you can send to a txt file.

The -v (verbose) option may be very useful in troubleshooting, as it shows the packet/byte counters for each rule. With it, one can often find a rule which doesn't catch anything. The -v option also shows the interfaces (in and out), which are not shown with a simple -L.

The -n option makes it faster, as it will not try to resolve IPs to hostnames. If no -t is given, the filter table is the default.

There is also the command iptables-save -c, which shows the rules the same way as they are entered on the command line (this is the format used for saving a rule set, which iptables-restore can read to reload it).

Zimmi

Posted 2014-12-26T00:17:54.367

Reputation: 341
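Both answers above end at "dump the listing to a file"; the next step in troubleshooting is reading the counters that -v exposes. The following is an added example, not code from either answer: a small POSIX shell script that post-processes saved `iptables -n -v -x -L` dumps (the -x/--exact flag prints full counters instead of 98K/1M, which matters when you subtract them). The two dumps embedded in it are constructed, not captured from a real host; they model a failed connection to port 443 where the dpt:443 rule never fires and the packets fall through to the INPUT chain's DROP policy instead. Everything runs on text, so no root is needed; on a live box you would capture the two files around the failing connection attempt.

```sh
#!/bin/sh
# Added example (not from the original thread): read the counters in an
# `iptables -n -v -x -L` dump. On a live host capture with
#   iptables -n -v -x -L > before.txt ; <retry the connection> ; iptables -n -v -x -L > after.txt

# Constructed sample dumps (not from a real host): BEFORE and AFTER a client
# tried three times to reach port 443. Note the dpt:443 rule stays at 0 while
# the INPUT policy DROP counter grows from 12 to 15.
SAMPLE_BEFORE='Chain INPUT (policy DROP 12 packets, 720 bytes)
    pkts      bytes target     prot opt in     out     source               destination
    1532      98344 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
     842      61208 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
       0          0 ACCEPT     tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0            tcp dpt:22
       0          0 ACCEPT     tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0            tcp dpt:443

Chain FORWARD (policy DROP 0 packets, 0 bytes)
    pkts      bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 2310 packets, 151200 bytes)
    pkts      bytes target     prot opt in     out     source               destination
'
SAMPLE_AFTER='Chain INPUT (policy DROP 15 packets, 900 bytes)
    pkts      bytes target     prot opt in     out     source               destination
    1532      98344 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
     850      61680 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
       0          0 ACCEPT     tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0            tcp dpt:22
       0          0 ACCEPT     tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0            tcp dpt:443

Chain FORWARD (policy DROP 0 packets, 0 bytes)
    pkts      bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 2310 packets, 151200 bytes)
    pkts      bytes target     prot opt in     out     source               destination
'

# Print every rule whose packet counter is still zero, prefixed by its chain.
# A rule that should have caught the traffic but stays at 0 is the usual
# culprit (wrong interface, wrong protocol, or an earlier rule ate the packet).
zero_hit_rules() {
    awk '
        /^Chain / { chain = $2; next }        # "Chain INPUT (policy DROP ...)"
        /^ *pkts +bytes/ || NF == 0 { next }  # column header / blank separator
        $1 == "0" {
            rule = $3                         # target, then the remaining columns
            for (i = 4; i <= NF; i++) rule = rule " " $i
            printf "%s: %s\n", chain, rule
        }
    '
}

# Print built-in chains whose non-ACCEPT policy has swallowed packets.
# Traffic that matched no rule ends up here, so a growing number means the
# intended ACCEPT rule never fired.
policy_drops() {
    awk '
        /^Chain / {
            gsub(/[()]/, "")                  # -> Chain INPUT policy DROP 12 packets, ...
            if ($3 == "policy" && $4 != "ACCEPT" && $5 != "0") print $2, $4, $5
        }
    '
}

# Diff two dumps and print only the counters that moved, policies included.
# Usage: counter_delta before.txt after.txt
counter_delta() {
    awk '
        /^Chain / {
            chain = $2
            gsub(/[()]/, "")
            if ($3 != "policy") next          # user-defined chains have no policy counter
            pkts = $5; key = chain ": policy " $4
        }
        /^ *pkts +bytes/ || NF == 0 { next }
        !/^Chain / {
            pkts = $1; key = $3
            for (i = 4; i <= NF; i++) key = key " " $i
            key = chain ": " key
        }
        {
            if (NR == FNR) before[key] = pkts # first file: remember counters
            else if (pkts - before[key] > 0) printf "+%d %s\n", pkts - before[key], key
        }
    ' "$1" "$2"
}

# Stand-alone demo on the constructed dumps.
before=$(mktemp) && after=$(mktemp)
printf '%s' "$SAMPLE_BEFORE" > "$before"
printf '%s' "$SAMPLE_AFTER"  > "$after"
echo "== rules that never matched (after) =="; zero_hit_rules < "$after"
echo "== policies dropping traffic (after) =="; policy_drops < "$after"
echo "== counters that moved between the dumps =="; counter_delta "$before" "$after"
rm -f "$before" "$after"
```

On the sample, the delta shows only the INPUT policy DROP (+3) and the ESTABLISHED rule (+8, unrelated background traffic), while the dpt:443 ACCEPT rule is reported as never matched: the three SYNs did not satisfy that rule's match (here the `-i eth0` restriction is the thing to check) and fell through to the chain policy. If taking two snapshots is awkward, `iptables -Z` zeroes all counters so a single dump after the retry tells the same story, and `--line-numbers` added to the listing gives you the rule index to pass to `iptables -D` or `-I` once you have found the offending rule.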