# How to check if iptables works?

## askar

Hello!

I have just installed iptables and typed the following on the command line, as shown in the handbook:

```bash
# flush existing rules in the filter, nat and mangle tables
iptables -F; iptables -t nat -F; iptables -t mangle -F

# NAT outgoing traffic on the external interface
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

# enable IPv4 forwarding between interfaces
echo 1 > /proc/sys/net/ipv4/conf/all/forwarding

# accept replies to connections we initiated
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# accept new connections only from interfaces other than eth0
# (newer iptables versions expect the negation before the option: ! -i eth0)
iptables -A INPUT -m state --state NEW -i ! eth0 -j ACCEPT

# accept ICMP (ping) from anywhere
iptables -A INPUT -p icmp -j ACCEPT

# drop everything else arriving on INPUT
iptables -P INPUT DROP
```

Do I need to place these rules in some file, and where is this file?

Is there a way to check if my firewall works?

thanks,

askar

----------

## bunder

*askar wrote:*

> Is there a way to check if my firewall works?
>
> thanks,
>
> askar

iptables -L should dump the entire rule list... other than that, the only way is to test it.

cheers

----------

## depontius

Note that "iptables -L" will not only list your rules, but list how many packets have traversed each rule.

You should have some sort of idea where your traffic will be going, which rule counts should be big, which ones small, and which ones zero.

There is also "-Z", which will zero all counts after listing, and "-n" which lists things by IP instead of name, and may be faster because it doesn't do reverse DNS lookups.

So in general, "iptables -nZL" first gives you a list and zeros out.  Then run your tests, then run the command again, to see the results of your tests.

----------

## Hu

*askar wrote:*

> Do I need to place these rules in some file, and where is this file?

Run /etc/init.d/iptables save to persist your rules.  Run rc-update add iptables default to automatically load the rules on startup.  Rules can be automatically persisted at shutdown, which is useful if you frequently make minor tweaks and do not wish to explicitly save the rules every time.  See /etc/conf.d/iptables for ways to configure the behavior of the init script.

*bunder wrote:*

> iptables -L should dump the entire rule list... other than that, the only way is to test it.

That only dumps the rules of the requested table, which is filter if not specified.  Use iptables-save to see the entire rule list.  Include -c to see counters for every rule.
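The counter-based check depontius and Hu describe (snapshot the counters, generate the traffic you expect each rule to match, snapshot again, compare) as an added example; this is not code from any poster. It parses `iptables-save -c` output, and the two snapshots below are constructed sample dumps for askar's rule set, not captured from a real box.

```python
"""Diff per-rule packet counters between two `iptables-save -c` snapshots."""
import re
import subprocess

# "[pkts:bytes] -A CHAIN rule..." for rules, ":CHAIN POLICY [pkts:bytes]" for chain policies
RULE_RE = re.compile(r"^\[(\d+):(\d+)\] -A (\S+) (.*)$")
POLICY_RE = re.compile(r"^:(\S+) (\S+) \[(\d+):(\d+)\]$")


def parse_counters(dump):
    """Map (table, chain, rule text or 'POLICY <target>') -> (packets, bytes)."""
    counters, table = {}, None
    for line in dump.splitlines():
        if line.startswith("*"):                      # "*filter", "*nat", ...
            table = line[1:].strip()
        elif m := POLICY_RE.match(line):              # packets that fell through to the policy
            counters[(table, m.group(1), "POLICY " + m.group(2))] = (int(m.group(3)), int(m.group(4)))
        elif m := RULE_RE.match(line):                # packets matched by this rule
            counters[(table, m.group(3), m.group(4))] = (int(m.group(1)), int(m.group(2)))
    return counters


def diff_counters(before, after):
    """Return {key: packet delta} for every rule or policy whose packet count moved."""
    return {k: after[k][0] - before[k][0]
            for k in after if k in before and after[k][0] != before[k][0]}


def snapshot():
    """Live snapshot: needs root and iptables (not used by the offline demo below)."""
    return subprocess.run(["iptables-save", "-c"], check=True,
                          capture_output=True, text=True).stdout


# Constructed sample dumps: BEFORE, then AFTER pinging the box from the eth0 side,
# trying one new TCP connection on eth0 (should hit the DROP policy) and browsing from the LAN.
BEFORE = """*filter
:INPUT DROP [12:840]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [100:8000]
[250:20000] -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
[3:180] -A INPUT ! -i eth0 -m state --state NEW -j ACCEPT
[5:420] -A INPUT -p icmp -j ACCEPT
COMMIT
*nat
:POSTROUTING ACCEPT [0:0]
[7:500] -A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
"""
AFTER = BEFORE.replace("[12:840]", "[14:960]").replace("[5:420]", "[9:756]").replace("[7:500]", "[10:740]")

if __name__ == "__main__":
    for key, delta in diff_counters(parse_counters(BEFORE), parse_counters(AFTER)).items():
        print(f"{key[0]}/{key[1]}: {key[2]!r} +{delta} packets")
```

On a live system, replace the constructed dumps with two calls to snapshot() around your test traffic; a rule whose counter stays at zero while you send traffic it should match is the one to look at.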

----------

