Thursday, December 2, 2021

Linux Iptables List and Show All NAT IPTables Rules Command


I am using /sbin/iptables -L -v -n | more command. However, I am unable to list NAT rules. How do I use the iptables command to view or list NAT rules stored in NAT tables? How do I see all the rules in NAT tables under CentOS / RHEL / Debian / Ubuntu Linux based server?

The /sbin/iptables command is the administration tool for IPv4 packet filtering and NAT. Network address translation (NAT) modifies the IP address information in IP packet headers while they are in transit across a routing device.

Tutorial details
Difficulty level: Easy
Root privileges: Yes
Requirements: Linux iptables
Est. reading time: 4 minutes

Show/Display Iptables NAT rules
To see the NAT rules, type any one of the following commands.

Syntax

Run as root, the syntax for displaying IPv4 NAT rules with the iptables command is:
iptables -t nat -L
iptables -t nat -L -n -v | grep 'something'
iptables -t nat -L -n -v

Sample outputs:

Chain PREROUTING (policy ACCEPT 867 packets, 146K bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 DROP       all  --  vlan2  *       0.0.0.0/0            192.168.1.0/24      
 
Chain POSTROUTING (policy ACCEPT 99 packets, 6875 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 MASQUERADE  all  --  *      vlan2   0.0.0.0/0            0.0.0.0/0           
 
Chain OUTPUT (policy ACCEPT 99 packets, 6875 bytes)
 pkts bytes target     prot opt in     out     source               destination         
 
Chain WANPREROUTING (0 references)
 pkts bytes target     prot opt in     out     source               destination         

Understanding iptables nat rules listing options

  1. -t nat : This option specifies the packet matching table which the command should operate on. In this example, I am working on the nat table. It is consulted when a packet that creates a new connection is encountered. It consists of four built-in chains:
    • PREROUTING for altering packets as soon as they come in
    • INPUT for altering packets destined for local sockets
    • OUTPUT for altering locally-generated packets before routing
    • POSTROUTING for altering packets as they are about to go out
  2. -L : List all rules in the selected chain.
  3. -n : Numeric output. IP addresses and port numbers will be printed in numeric format. By default, the program will try to display them as host names, network names, or services (whenever applicable).
  4. -v : Verbose output. This option makes the list command show the interface name, the rule options (if any), and the TOS masks. The packet and byte counters are also listed, with the suffix ‘K’, ‘M’ or ‘G’ for 1000, 1,000,000 and 1,000,000,000 multipliers respectively.

Linux Iptables List and Show All NAT IPTables IPv6 Rules Command

IPv6 NAT support has been available since Linux kernel version 3.7. To list all IPv6 NAT rules, run any one of the following:
ip6tables -t nat -L
ip6tables -t nat -L -n -v | grep 'something'
ip6tables -t nat -L -n -v

Outputs:

Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination         

Chain INPUT (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination         
MASQUERADE  all      fd9d:bc11:xxx::/48  anywhere             policy match dir out pol none

Here is another command:
$ sudo iptables -t nat -L -n -v
Sample outputs:

Chain PREROUTING (policy ACCEPT 294K packets, 17M bytes)
 pkts bytes target     prot opt in     out     source               destination         
 165K 9879K DNAT       tcp  --  *      *       0.0.0.0/0            192.168.203.146      tcp dpt:443 to:10.105.28.42:443
 166K 9982K DNAT       tcp  --  *      *       0.0.0.0/0            192.168.203.146      tcp dpt:80 to:10.105.28.42:80
    0     0 DNAT       tcp  --  *      *       0.0.0.0/0            192.168.203.146      tcp dpt:443 to:10.105.28.42:443
    0     0 DNAT       tcp  --  *      *       0.0.0.0/0            192.168.203.146      tcp dpt:80 to:10.105.28.42:80
22034 1322K DNAT       tcp  --  *      *       0.0.0.0/0            192.168.203.146      tcp dpt:444 to:10.105.28.45:444
22073 1324K DNAT       tcp  --  *      *       0.0.0.0/0            192.168.203.146      tcp dpt:81 to:10.105.28.45:81
31328 1880K DNAT       tcp  --  *      *       0.0.0.0/0            192.168.203.146      tcp dpt:445 to:10.105.28.44:445
19424 1165K DNAT       tcp  --  *      *       0.0.0.0/0            192.168.203.146      tcp dpt:82 to:10.105.28.44:82
 
Chain INPUT (policy ACCEPT 199K packets, 12M bytes)
 pkts bytes target     prot opt in     out     source               destination         
 
Chain OUTPUT (policy ACCEPT 387 packets, 24906 bytes)
 pkts bytes target     prot opt in     out     source               destination         
 
Chain POSTROUTING (policy ACCEPT 252K packets, 15M bytes)
 pkts bytes target     prot opt in     out     source               destination         
93223 5593K MASQUERADE  all  --  *      *       10.105.28.0/24      !10.105.28.0/24       /* generated for LXD network lxdbr0 */
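The listing above is also the input a defender audits: every DNAT rule in PREROUTING is an externally reachable service, and the two rules with 0 packets are exact copies of the rules before them, so they can never match. The following shell function is an added example, not code from the original article; it parses the `-n -v` column layout explained earlier (pkts, bytes, target, prot, opt, in, out, source, destination, then the match text) with awk, prints each port forward, and flags shadowed duplicates. The function name dnat_summary and the embedded sample listing (copied from the output above) are mine.

```shell
#!/bin/sh
# Added example (not from the original article): audit the DNAT port forwards
# in an "iptables -t nat -L -n -v" listing. Each PREROUTING DNAT rule is an
# externally reachable service, so this is the list to review. Exact duplicate
# rules are flagged: iptables uses the first matching rule, so the later copy
# never fires (its pkts counter stays 0) and only hides real changes.
#
# Reads the listing from stdin, so it works on the live table:
#   sudo iptables -t nat -L -n -v | dnat_summary
dnat_summary() {
    awk '
        # Remember which chain we are in from the "Chain NAME (...)" header lines
        /^Chain / { chain = $2; next }
        # Skip column headers and blank separator lines
        /^ *pkts +bytes/ || NF == 0 { next }
        # Field layout with -n -v: pkts bytes target prot opt in out source destination [match ...]
        $3 == "DNAT" && chain == "PREROUTING" {
            dpt = "?"; to = "?"
            for (i = 10; i <= NF; i++) {
                if ($i ~ /^dpt:/) dpt = substr($i, 5)   # matched destination port
                if ($i ~ /^to:/)  to  = substr($i, 4)   # translated IP:port
            }
            key = $9 ":" dpt " -> " to
            if (seen[key]++) {
                printf "DUPLICATE %s (pkts=%s, shadowed by an earlier rule)\n", key, $1
            } else {
                printf "%s (pkts=%s)\n", key, $1
            }
        }
    '
}

# Sample listing copied from the article (a constructed stand-in for live output).
SAMPLE_NAT_LISTING=$(cat <<'EOF'
Chain PREROUTING (policy ACCEPT 294K packets, 17M bytes)
 pkts bytes target     prot opt in     out     source               destination
 165K 9879K DNAT       tcp  --  *      *       0.0.0.0/0            192.168.203.146      tcp dpt:443 to:10.105.28.42:443
 166K 9982K DNAT       tcp  --  *      *       0.0.0.0/0            192.168.203.146      tcp dpt:80 to:10.105.28.42:80
    0     0 DNAT       tcp  --  *      *       0.0.0.0/0            192.168.203.146      tcp dpt:443 to:10.105.28.42:443
    0     0 DNAT       tcp  --  *      *       0.0.0.0/0            192.168.203.146      tcp dpt:80 to:10.105.28.42:80
22034 1322K DNAT       tcp  --  *      *       0.0.0.0/0            192.168.203.146      tcp dpt:444 to:10.105.28.45:444
22073 1324K DNAT       tcp  --  *      *       0.0.0.0/0            192.168.203.146      tcp dpt:81 to:10.105.28.45:81
31328 1880K DNAT       tcp  --  *      *       0.0.0.0/0            192.168.203.146      tcp dpt:445 to:10.105.28.44:445
19424 1165K DNAT       tcp  --  *      *       0.0.0.0/0            192.168.203.146      tcp dpt:82 to:10.105.28.44:82

Chain POSTROUTING (policy ACCEPT 252K packets, 15M bytes)
 pkts bytes target     prot opt in     out     source               destination
93223 5593K MASQUERADE  all  --  *      *       10.105.28.0/24      !10.105.28.0/24       /* generated for LXD network lxdbr0 */
EOF
)

# Demo on the sample; in practice pipe the live listing into dnat_summary instead.
printf '%s\n' "$SAMPLE_NAT_LISTING" | dnat_summary
```

Because the listing is read from stdin, the same function runs against a listing saved from another host. The `-n` flag matters here: without it iptables tries to resolve names, and the awk field positions assume plain addresses.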

Say hello to netstat-nat

The netstat-nat command displays the NATed connections on a Linux iptables firewall:
# netstat-nat -n
To display SNAT connections, run:
# netstat-nat -S
To display DNAT connections, type:
# netstat-nat -D
Please note that you may get the following message on the latest version of Linux:

Could not read info about connections from the kernel, make sure netfilter is enabled in kernel or by modules.


Then use the conntrack command:
sudo conntrack -L # List/dump
sudo conntrack -L -n # Filter source NAT connections
sudo conntrack -L -g # Filter destination NAT connections
sudo conntrack -L -j # Filter any NAT connection
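The -n, -g and -j filters all come down to one comparison: each conntrack entry records the original-direction tuple and the reply-direction tuple, and NAT shows up as a mismatch between them (the reply is addressed to a different host than the original source for source NAT, or comes from a different host than the original destination for destination NAT). The shell functions below are an added example, not part of the article or of conntrack-tools: they apply that test to a saved "conntrack -L" listing, which is handy on a host where conntrack is not installed or where the netfilter message above appears. The entry layout is the one conntrack-tools prints (protocol, number, timeout, optional state, then src=/dst=/sport=/dport= for both directions); the function names classify_nat and filter_nat and the three sample entries are mine, built from documentation-range addresses.

```shell
#!/bin/sh
# Added example (not from the original article): classify "conntrack -L" entries
# as SNAT, DNAT, SNAT+DNAT or none by comparing the original-direction tuple
# with the reply-direction tuple. This is the same test behind the conntrack
# -n / -g / -j filters, applied to a listing on stdin.
#
# Assumed entry layout (as printed by conntrack-tools):
#   proto num timeout [state] src= dst= sport= dport= src= dst= sport= dport= [flags] ...
# The first src=/dst= pair is the original direction, the second is the reply.
classify_nat() {
    awk '
        {
            n_src = 0; n_dst = 0
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^src=/) src[++n_src] = substr($i, 5)
                if ($i ~ /^dst=/) dst[++n_dst] = substr($i, 5)
            }
            if (n_src < 2 || n_dst < 2) next        # not a complete entry
            kind = ""
            # Reply is addressed to someone other than the original source: source was rewritten
            if (dst[2] != src[1]) kind = "SNAT"
            # Reply comes from someone other than the original destination: destination was rewritten
            if (src[2] != dst[1]) { if (kind != "") kind = kind "+"; kind = kind "DNAT" }
            if (kind == "") kind = "none"
            printf "%s %s %s->%s\n", kind, $1, src[1], dst[1]
        }
    '
}

# Same selection as the conntrack flags, applied to a listing on stdin:
#   -n source NAT only, -g destination NAT only, -j any NAT, anything else: all entries
filter_nat() {
    case "$1" in
        -n) classify_nat | grep '^SNAT' ;;
        -g) classify_nat | grep 'DNAT' ;;
        -j) classify_nat | grep -v '^none ' ;;
        *)  classify_nat ;;
    esac
}

# Constructed sample entries (documentation-range addresses, not captured from a real host):
# 1. LAN host masqueraded behind 192.168.203.146 (source NAT)
# 2. Inbound port forward to 10.105.28.42 (destination NAT)
# 3. The firewall's own DNS query, no translation
SAMPLE_CONNTRACK=$(cat <<'EOF'
tcp      6 431999 ESTABLISHED src=10.105.28.5 dst=198.51.100.10 sport=51234 dport=443 src=198.51.100.10 dst=192.168.203.146 sport=443 dport=51234 [ASSURED] mark=0 use=1
tcp      6 431999 ESTABLISHED src=203.0.113.7 dst=192.168.203.146 sport=40001 dport=443 src=10.105.28.42 dst=203.0.113.7 sport=443 dport=40001 [ASSURED] mark=0 use=1
udp      17 29 src=192.168.203.146 dst=192.0.2.53 sport=53124 dport=53 src=192.0.2.53 dst=192.168.203.146 sport=53 dport=53124 mark=0 use=1
EOF
)

# Demo on the sample; on a live system use: sudo conntrack -L 2>/dev/null | filter_nat -j
printf '%s\n' "$SAMPLE_CONNTRACK" | filter_nat -j
```

On the sample this prints the masqueraded connection as SNAT and the port-forwarded one as DNAT, and drops the firewall's own DNS query. Reviewing the DNAT lines against the PREROUTING rules from the earlier section is a quick way to confirm that only the intended forwards are carrying traffic.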

Summing up

Use either the iptables or the ip6tables command as follows:
sudo iptables -t nat -L # IPv4 rules
sudo ip6tables -t nat -L # IPv6 rules
sudo conntrack -L -j

For more information, see the following man pages:
man iptables #IPv4
man ip6tables #IPv6
