To list your currently active rule-set you run a special option to the
iptables command, which we discussed briefly in the How a rule is built
chapter. This would look like the following:
iptables -L
This command should list your currently active rule-set, and translate
everything possible to a more readable form. For example, it will
translate all the different ports according to the
/etc/services file and try to resolve
all the IP addresses to DNS names instead. The
latter can be a bit of a problem though. For example, it will try to resolve
LAN IP addresses, i.e.
192.168.1.1, to something useful.
192.168.0.0/16 is a private range though and
should not resolve to anything, so the command will seem to hang while resolving
the IP. To get around this problem we would do something like the following:
iptables -L -n
Another thing that might be interesting is to see a few statistics about
each policy, rule and chain. We could get this by adding the verbose
flag. It would then look something like this:
iptables -L -n -v
Don't forget that it is also possible to list the nat and mangle tables. This
is done with the -t switch, like this:
iptables -L -t nat
There are also a few files that might be interesting to look at in the
/proc file system. For example, it might be interesting
to know what connections are currently in the conntrack table. This table
contains all the different connections currently tracked and serves as a basic
table so we always know what state a connection currently is in. This table
can't be edited, and even if it were possible, it would be a bad idea. To
see the table you can run the following command:
cat /proc/net/ip_conntrack | less
The above command will show all currently tracked connections even though
it might be a bit hard to understand everything.
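Since the raw conntrack output is hard to read, here is an added shell example (not part of the original tutorial) that summarizes it: it counts tracked entries per protocol and TCP state, and counts entries still marked [UNREPLIED], i.e. connections where the firewall has only seen packets in one direction. The sample lines are constructed in the old /proc/net/ip_conntrack layout shown above; on kernels that expose /proc/net/nf_conntrack instead, each line carries an extra "ipv4 2" or "ipv6 10" prefix, which the awk script skips. The function names are this example's own.

```shell
#!/bin/sh
# Constructed sample in /proc/net/ip_conntrack layout (not a real capture).
# Fields: proto protonum timeout [tcp_state] original-tuple [UNREPLIED] reply-tuple ...
SAMPLE_CONNTRACK='tcp      6 431999 ESTABLISHED src=192.168.1.6 dst=192.168.1.9 sport=32775 dport=22 src=192.168.1.9 dst=192.168.1.6 sport=22 dport=32775 [ASSURED] use=1
tcp      6 117 SYN_SENT src=192.168.1.6 dst=10.0.0.5 sport=40000 dport=80 [UNREPLIED] src=10.0.0.5 dst=192.168.1.6 sport=80 dport=40000 use=1
tcp      6 118 SYN_SENT src=192.168.1.6 dst=10.0.0.6 sport=40001 dport=80 [UNREPLIED] src=10.0.0.6 dst=192.168.1.6 sport=80 dport=40001 use=1
udp      17 29 src=192.168.1.6 dst=192.168.1.1 sport=34567 dport=53 src=192.168.1.1 dst=192.168.1.6 sport=53 dport=34567 use=1
icmp     1 29 src=192.168.1.6 dst=192.168.1.1 type=8 code=0 id=1234 src=192.168.1.1 dst=192.168.1.6 type=0 code=0 id=1234 use=1'

# summarize_conntrack: read conntrack lines on stdin and print
# "proto state count" per combination, sorted. Only TCP entries carry a
# state word (field 4); udp and icmp entries are reported with state "-".
summarize_conntrack() {
    awk '{
        # /proc/net/nf_conntrack prefixes each line with "ipv4 2" or "ipv6 10";
        # shift the field offset so both layouts parse the same way.
        o = ($1 == "ipv4" || $1 == "ipv6") ? 2 : 0
        proto = $(1 + o)
        state = (proto == "tcp") ? $(4 + o) : "-"
        count[proto " " state]++
    }
    END { for (k in count) print k, count[k] }' | sort
}

# count_unreplied: number of entries the firewall has seen in one direction
# only. A large number of these (e.g. many SYN_SENT entries to different
# hosts) is worth a closer look when reviewing the table.
count_unreplied() {
    grep -c '\[UNREPLIED\]'
}

# Run against the constructed sample; replace the printf with
#   cat /proc/net/ip_conntrack   (or /proc/net/nf_conntrack)
# on a real system.
printf '%s\n' "$SAMPLE_CONNTRACK" | summarize_conntrack
printf 'unreplied: %s\n' "$(printf '%s\n' "$SAMPLE_CONNTRACK" | count_unreplied)"
```

Reading the table directly needs root, so the usual pattern is to pipe `cat /proc/net/ip_conntrack` (or `/proc/net/nf_conntrack`) through these functions instead of the constructed sample.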