
How to list iptables rules with line numbers on Linux

I recently added NAT rules on my RHEL 6.x system. How do I view the rule I just added, including its line number?

You can easily view your rules with the following commands on Linux:

iptables command - IPv4 netfilter admin tool.
ip6tables command - IPv6 netfilter admin tool.

Viewing all iptables rules on Linux

The syntax is as follows:

iptables --list
iptables -L
iptables --table NameHere --list
iptables -t NameHere -L -n -v --line-numbers

For example, run the following command as the root user:

# iptables -L

Output:

Chain INPUT (policy DROP)
target     prot opt source               destination
ACCEPT     tcp  --  google-public-dns-a.google.com  anywhere            tcp dpt:domain
ACCEPT     udp  --  google-public-dns-a.google.com  anywhere            udp dpt:domain
ACCEPT     tcp  --  google-public-dns-a.google.com  anywhere            tcp spt:domain
ACCEPT     udp  --  google-public-dns-a.google.com  anywhere            udp spt:domain
LOCALINPUT  all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
INVALID    tcp  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:ftp-data
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:ftp
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:ssh
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:smtp
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:domain
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:http
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:pop3
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:imap
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:https
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:urd
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:submission
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:imaps
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:pop3s
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:cdc
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:atmtcp
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:mysql
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:5666
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpts:50000:51000
ACCEPT     udp  --  anywhere             anywhere            state NEW udp dpt:ftp-data
ACCEPT     udp  --  anywhere             anywhere            state NEW udp dpt:ftp
ACCEPT     udp  --  anywhere             anywhere            state NEW udp dpt:domain
ACCEPT     icmp --  anywhere             anywhere            icmp echo-request limit: avg 1/sec burst 5
ACCEPT     icmp --  anywhere             anywhere            icmp echo-reply limit: avg 1/sec burst 5
ACCEPT     icmp --  anywhere             anywhere            icmp time-exceeded
ACCEPT     icmp --  anywhere             anywhere            icmp destination-unreachable
LOGDROPIN  all  --  anywhere             anywhere

Chain FORWARD (policy DROP)
target     prot opt source               destination

Chain OUTPUT (policy DROP)
target     prot opt source               destination
ACCEPT     tcp  --  anywhere             google-public-dns-a.google.com tcp dpt:domain
ACCEPT     udp  --  anywhere             google-public-dns-a.google.com udp dpt:domain
ACCEPT     tcp  --  anywhere             google-public-dns-a.google.com tcp spt:domain
ACCEPT     udp  --  anywhere             google-public-dns-a.google.com udp spt:domain
LOCALOUTPUT  all  --  anywhere             anywhere
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:domain
ACCEPT     udp  --  anywhere             anywhere            udp dpt:domain
ACCEPT     tcp  --  anywhere             anywhere            tcp spt:domain
ACCEPT     udp  --  anywhere             anywhere            udp spt:domain
ACCEPT     all  --  anywhere             anywhere
INVALID    tcp  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:ftp-data
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:ftp
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:ssh
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:smtp
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:domain
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:http
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:pop3
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:auth
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:https
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:submission
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:imaps
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:pop3s
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:atmtcp
ACCEPT     udp  --  anywhere             anywhere            state NEW udp dpt:ftp-data
ACCEPT     udp  --  anywhere             anywhere            state NEW udp dpt:ftp
ACCEPT     udp  --  anywhere             anywhere            state NEW udp dpt:domain
ACCEPT     udp  --  anywhere             anywhere            state NEW udp dpt:auth
ACCEPT     udp  --  anywhere             anywhere            state NEW udp dpt:ntp
ACCEPT     icmp --  anywhere             anywhere            icmp echo-reply
ACCEPT     icmp --  anywhere             anywhere            icmp echo-request
ACCEPT     icmp --  anywhere             anywhere            icmp time-exceeded
ACCEPT     icmp --  anywhere             anywhere            icmp destination-unreachable
LOGDROPOUT  all  --  anywhere             anywhere

Chain ALLOWIN (1 references)
target     prot opt source               destination
ACCEPT     all  --  static.88-198-34-170.clients.your-server.de  anywhere
ACCEPT     all  --  193.42.148.113       anywhere

How to view NAT rules:

By default the filter table is shown. To see the NAT rules, type:

# iptables -t nat -L

Other options

# iptables -t filter -L 
# iptables -t raw -L 
# iptables -t security -L 
# iptables -t mangle -L 
# iptables -t nat -L

How to view NAT rules with line numbers:

Use the --line-numbers option:

# iptables -t nat -L --line-numbers -n

Output:

Chain PREROUTING (policy ACCEPT 28M packets, 1661M bytes)
num   pkts bytes target     prot opt in     out     source               destination
1        0     0 DNAT       tcp  --  eth0   *       10.10.29.68          0.0.0.0/0            tcp dpt:3306 to:10.0.3.19:3306
2        0     0 DNAT       tcp  --  eth0   *       10.10.29.68          0.0.0.0/0            tcp dpt:11211 to:10.0.3.20:11211
3        0     0 DNAT       udp  --  eth0   *       10.10.29.68          0.0.0.0/0            udp dpt:11211 to:10.0.3.20:11211

Chain INPUT (policy ACCEPT 18M packets, 1030M bytes)
num   pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 23M packets, 1408M bytes)
num   pkts bytes target     prot opt in     out     source               destination

Chain POSTROUTING (policy ACCEPT 33M packets, 1979M bytes)
num   pkts bytes target     prot opt in     out     source               destination
1    38927 2336K MASQUERADE  all  --  *      *       10.0.3.0/24         !10.0.3.0/24
2        0     0 MASQUERADE  all  --  *      *       10.0.3.0/24         !10.0.3.0/24
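The rule numbers printed by --line-numbers are what `iptables -D CHAIN NUM` and `iptables -I CHAIN NUM` expect, so it is useful to extract them by pattern. The following POSIX shell functions are an added example, not part of the original post: they parse a listing in the format shown above (a constructed sample modelled on it, including the duplicated MASQUERADE rule in POSTROUTING) and print matching rule numbers; in real use you would pipe the live `iptables -t nat -L -n -v --line-numbers` output into them instead.

```shell
#!/bin/sh
# Constructed sample of `iptables -t nat -L -n -v --line-numbers` output
# (-n keeps addresses numeric, so patterns match reliably).
SAMPLE_LISTING='Chain PREROUTING (policy ACCEPT 28M packets, 1661M bytes)
num   pkts bytes target     prot opt in     out     source               destination
1        0     0 DNAT       tcp  --  eth0   *       10.10.29.68          0.0.0.0/0            tcp dpt:3306 to:10.0.3.19:3306
2        0     0 DNAT       tcp  --  eth0   *       10.10.29.68          0.0.0.0/0            tcp dpt:11211 to:10.0.3.20:11211
3        0     0 DNAT       udp  --  eth0   *       10.10.29.68          0.0.0.0/0            udp dpt:11211 to:10.0.3.20:11211

Chain POSTROUTING (policy ACCEPT 33M packets, 1979M bytes)
num   pkts bytes target     prot opt in     out     source               destination
1    38927 2336K MASQUERADE  all  --  *      *       10.0.3.0/24         !10.0.3.0/24
2        0     0 MASQUERADE  all  --  *      *       10.0.3.0/24         !10.0.3.0/24'

# rule_numbers CHAIN PATTERN: read a listing on stdin and print the rule
# numbers (the "num" column) of rules in CHAIN whose line matches the awk regex PATTERN.
rule_numbers() {
    awk -v chain="$1" -v pat="$2" '
        /^Chain / { inchain = ($2 == chain); next }
        inchain && $1 ~ /^[0-9]+$/ && $0 ~ pat { print $1 }
    '
}

# duplicate_rules CHAIN: print the numbers of rules whose specification
# (everything after the num/pkts/bytes counters) repeats an earlier rule in CHAIN.
# Printed highest number first: deleting a rule renumbers the ones below it, so
# running `iptables -t nat -D CHAIN NUM` in this order keeps the numbers valid.
duplicate_rules() {
    awk -v chain="$1" '
        /^Chain / { inchain = ($2 == chain); next }
        inchain && $1 ~ /^[0-9]+$/ {
            key = ""
            for (i = 4; i <= NF; i++) key = key " " $i
            if (key in seen) print $1; else seen[key] = 1
        }
    ' | sort -rn
}

# Stand-alone demo on the constructed sample:
printf '%s\n' "$SAMPLE_LISTING" | rule_numbers PREROUTING 'dpt:11211'   # 2 and 3
printf '%s\n' "$SAMPLE_LISTING" | duplicate_rules POSTROUTING           # 2
```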

How to view NAT rules with counters (bytes and packets)

Use the -v option of the iptables command:

# iptables -t nat -L -n -v


For ip6tables

ip6tables is the administration tool for IPv6 packet filtering and NAT. To see the IPv6 tables, type:

# ip6tables -L -n -v

Output:

Chain INPUT (policy DROP 239 packets, 16202 bytes)
 pkts bytes target     prot opt in     out     source               destination
 136K   30M ufw6-before-logging-input  all      *      *       ::/0                 ::/0
 136K   30M ufw6-before-input  all      *      *       ::/0                 ::/0
  241 16360 ufw6-after-input  all      *      *       ::/0                 ::/0
  239 16202 ufw6-after-logging-input  all      *      *       ::/0                 ::/0
  239 16202 ufw6-reject-input  all      *      *       ::/0                 ::/0
  239 16202 ufw6-track-input  all      *      *       ::/0                 ::/0
Chain FORWARD (policy DROP 483 packets, 32628 bytes)
 pkts bytes target     prot opt in     out     source               destination
  483 32628 ufw6-before-logging-forward  all      *      *       ::/0                 ::/0
  483 32628 ufw6-before-forward  all      *      *       ::/0                 ::/0
  483 32628 ufw6-after-forward  all      *      *       ::/0                 ::/0
  483 32628 ufw6-after-logging-forward  all      *      *       ::/0                 ::/0
  483 32628 ufw6-reject-forward  all      *      *       ::/0                 ::/0
  483 32628 ufw6-track-forward  all      *      *       ::/0                 ::/0
Chain OUTPUT (policy ACCEPT 122 packets, 8555 bytes)
 pkts bytes target     prot opt in     out     source               destination
 136K   30M ufw6-before-logging-output  all      *      *       ::/0                 ::/0
 136K   30M ufw6-before-output  all      *      *       ::/0                 ::/0
  183 14107 ufw6-after-output  all      *      *       ::/0                 ::/0
  183 14107 ufw6-after-logging-output  all      *      *       ::/0                 ::/0
  183 14107 ufw6-reject-output  all      *      *       ::/0                 ::/0
  183 14107 ufw6-track-output  all      *      *       ::/0                 ::/0
Chain ufw6-after-forward (1 references)
 pkts bytes target     prot opt in     out     source               destination
...
....
..
 pkts bytes target     prot opt in     out     source               destination
   19  1520 ACCEPT     tcp      *      *       ::/0                 ::/0                 ctstate NEW
   42  4032 ACCEPT     udp      *      *       ::/0                 ::/0                 ctstate NEW
Chain ufw6-user-forward (1 references)
 pkts bytes target     prot opt in     out     source               destination
Chain ufw6-user-input (1 references)
 pkts bytes target     prot opt in     out     source               destination
Chain ufw6-user-limit (0 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 LOG        all      *      *       ::/0                 ::/0                 limit: avg 3/min burst 5 LOG flags 0 level 4 prefix "[UFW LIMIT BLOCK] "
    0     0 REJECT     all      *      *       ::/0                 ::/0                 reject-with icmp6-port-unreachable
Chain ufw6-user-limit-accept (0 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all      *      *       ::/0                 ::/0
Chain ufw6-user-logging-forward (0 references)
 pkts bytes target     prot opt in     out     source               destination
Chain ufw6-user-logging-input (0 references)
 pkts bytes target     prot opt in     out     source               destination
Chain ufw6-user-logging-output (0 references)
 pkts bytes target     prot opt in     out     source               destination
Chain ufw6-user-output (1 references)
 pkts bytes target     prot opt in     out     source               destination         

To see the IPv6 NAT rules with line numbers, type:

# ip6tables -L -n -v -t nat --line-numbers
