31

I want to know how I can find out which rule was accessed and how many times, from the access list I have created using iptables.

My firewall has over 1000 input and output rules in iptables; I want to find out how many times each of them was accessed.

For example, suppose I have the following rules:

iptables -A INPUT -i eth0 -p tcp --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT

iptables -A OUTPUT -o eth0 -p tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT

iptables -A INPUT -i eth0 -p tcp --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT

iptables -A OUTPUT -o eth0 -p tcp --sport 80 -m state --state ESTABLISHED -j ACCEPT

iptables -A INPUT -i eth0 -p tcp --dport 443 -m state --state NEW,ESTABLISHED -j ACCEPT

iptables -A OUTPUT -o eth0 -p tcp --sport 443 -m state --state ESTABLISHED -j ACCEPT

I want to find out how many times each of the rules 1, 2, 3, 4, 5 and 6 were hit.

Denis Rasulev
apps

3 Answers

46

iptables will list packet and byte counters if you specify option -v for verbose, e.g. iptables -vL. Likewise iptables-save will list all entries including the mentioned counters for each chain, but not for each table entry (on some systems iptables-save requires option -c to include counters).

scai
  • I also noticed that option and executed it and thought it's wrong as it's not showing anything except rules.. strange thing is that it's showing 0 packets and 0 bytes on all the rules. This server is used as a Linux firewall and there are almost 20 servers behind it and everything is working fine, but there is no packet or byte corresponding to any INPUT or OUTPUT chain? Am I doing something wrong? – apps Jul 10 '13 at 20:05
  • 1
    Ohh, something is there now, when I looked with my eyes open: `:INPUT DROP [0:0] :FORWARD ACCEPT [74684295:91842276117] :OUTPUT DROP [0:0] :LOGGING - [0:0]` – apps Jul 10 '13 at 20:16
  • So your forward chain has a total of 74684295 packets and a total of 91842276117 bytes. – scai Jul 10 '13 at 20:35
  • Does this mean all the rules which I have written on the firewall (in iptables) with INPUT and OUTPUT are useless? Do I have to write all these rules again for FORWARD because it's working as gateway/firewall for a network? – apps Jul 10 '13 at 20:49
  • The manpage of `iptables` explains (for the `filter` table): `INPUT` (for packets destined to local sockets), `FORWARD` (for packets being routed through the box), and `OUTPUT` (for locally-generated packets). So yes, you want these rules for the FORWARD table if this box only does forwarding and nothing else. And be aware that `iptables-save` only lists counters for chains, not for each individual table entry. – scai Jul 11 '13 at 06:50
  • 5
    To view hits live, `watch` can highlight them in a nice way: `sudo watch -d iptables -v -L` (the `-d` makes it show the difference). – Luc May 29 '19 at 15:34
9

I use the following to check on my iptables rules:

iptables -nvL [INPUT|FORWARD|OUTPUT|myCHAINNAME] --line-numbers | less

The -n speeds up the process by not doing hostname lookups.

The line numbers help with deleting rules:

iptables -D [INPUT|FORWARD|OUTPUT|myCHAINNAME] [Rule#]
Robert
Bob Holden
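Added example, not part of either answer above: a shell function that parses the output of `iptables -nvxL --line-numbers` (the `-x` flag prints exact counters instead of rounded `K`/`M` values) and reports the packet and byte counters per rule, plus how many rules have never matched. The sample output it runs on is constructed, not a real capture.

```shell
# Added example (not from the original answers): summarise per-rule hit
# counters from `iptables -nvxL --line-numbers` output read on stdin.
# Prints one line per rule: CHAIN RULE# PKTS BYTES TARGET, then a summary.
# Rules whose packet counter is still zero are the first candidates for
# review in a large ruleset: they are unused, shadowed by an earlier rule,
# or sitting in the wrong chain (e.g. INPUT on a box that only forwards).

rule_hits() {
    awk '
        /^Chain /   { chain = $2; next }   # "Chain INPUT (policy DROP ...)"
        $1 == "num" { next }               # column header line
        NF == 0     { next }               # blank line between chains
        {
            # columns: num pkts bytes target prot opt in out source destination ...
            printf "%s %s %s %s %s\n", chain, $1, $2, $3, $4
            if ($2 == 0) zero++
            total++
        }
        END { printf "rules=%d never_hit=%d\n", total, zero }
    '
}

# Constructed sample of `iptables -nvxL --line-numbers` output (not a real capture).
SAMPLE='Chain INPUT (policy DROP 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1      120  7200 ACCEPT     tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0            tcp dpt:22 state NEW,ESTABLISHED
2        0     0 ACCEPT     tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80 state NEW,ESTABLISHED

Chain FORWARD (policy ACCEPT 74684295 packets, 91842276117 bytes)
num   pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy DROP 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1       95 12000 ACCEPT     tcp  --  *      eth0    0.0.0.0/0            0.0.0.0/0            tcp spt:22 state ESTABLISHED
'

# On a live system: sudo iptables -nvxL --line-numbers | rule_hits
printf '%s' "$SAMPLE" | rule_hits
```

Counters reset on reboot or on `iptables -Z`, so compare two runs some time apart (or use `watch -d` as suggested in the comments) rather than trusting a single snapshot.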
2

You can also use collectd's iptables module to aggregate the counters:

https://collectd.org/wiki/index.php/Iptables

dothebart