Five chains (chains):<\/p>\n
- \n
- - PREROUTING: Processing of packets whose destination address is local;<\/li>\n
- - INPUT: Processing of packets that enter the machine and are routed locally;<\/li>\n
- - FORWARD: For all forwarded packets;<\/li>\n
- - OUTPUT: Processing of locally generated outgoing packets;<\/li>\n
- - POSTROUTING: Handling of packets leaving the machine.<\/li>\n<\/ul>\n
The default order of the four tables is: raw -> mangle -> nat -> filter
\nAbbreviation: rmnf->guidance (five-stroke code)<\/p>\n![\"\"](\"https:\/\/www.08host.com\/wp-content\/uploads\/2025\/06\/40e9add5bbc0fd84d35af7a8421ff24c.png\")
![\"\"](\"https:\/\/www.08host.com\/wp-content\/uploads\/2025\/06\/5debdac631187b8a43fa50dcdfa7f002.png\")
<\/p>\n\u258cPre-Routing Phase of Inbound Routing (PREROUTING)<\/h4>\n
External traffic coming in \u2192 \u251c\u2500 raw table (priority 1): handle connection tracking exceptions \u251c\u2500 mangle table (priority 2): modify packet headers for TOS\/TTL, etc. \u2514\u2500 nat table (priority 3): perform DNAT destination address translation Sequence: 123<\/pre>\n
\u258cRouting Decision Phase<\/h4>\n
mangle table (priority 2): supports complex packet modification \u2514\u2500 filter table (priority 4): defines forwarding policy (default deny) \u2502 \u2514\u2500 filter table (priority 4): defines forwarding policy (default deny) \u2502 \u2514\u2500 order: 24<\/pre>\n
\u258cLocal Outgoing Phase (OUTPUT)<\/h4>\n
Local processes generate traffic \u2192 \u251c\u2500 raw table (priority 1): outbound connection tracking exceptions \u251c\u2500 mangle table (priority 2): modify outbound packet headers \u251c\u2500 nat table (priority 3): perform SNAT source address translation \u2514\u2500 filter table (priority 4): final outbound filtering Sequence 1234<\/pre>\n
\u258cPost Outbound Routing Phase (POSTROUTING)<\/h4>\n
Prepare to leave the machine \u2192 \u251c\u2500 mangle table (priority 2): last chance to modify (e.g., TTL) \u2514\u2500 nat table (priority 3): complete SNAT\/MASQUERADE Order 23<\/pre>\n
iptables command format<\/h3>\n
iptables -t table-name [-A|-D|-F|-L|-Z|-N|-X|-P|-E|-I] chain-name [match-criteria] [-j process-action]<\/pre>\n
- \n
- - table name\n
- \n
- -t: -table, specifies the table to be manipulated. If not added, it defaults to the filter table.<\/li>\n<\/ul>\n<\/li>\n
- - commands\n
- \n
- -A: -append, appends a rule to the specified chain.<\/li>\n
- -D: -delete, removes a rule from the specified chain.<\/li>\n
- -F: -flush, clear all rules in the specified chain.<\/li>\n
- -L: -list, list all rules in the specified chain.<\/li>\n
- -Z: -zero, clear the counter of the specified chain.<\/li>\n
- -N: -new-chain, create a new chain.<\/li>\n
- -X: -delete-chain, deletes a customized chain.<\/li>\n
- -P: -policy, sets the default policy for the chain.<\/li>\n
- -E: -rename-chain, rename a chain.<\/li>\n
- -I: -insert, inserts a rule in the specified chain.<\/li>\n<\/ul>\n<\/li>\n
- - match condition\n
- \n
- -p: -protocol, specifies the protocol type. For example, -p tcp indicates that only packets of the TCP protocol are matched.<\/li>\n
- -s: -source, specifies the source IP address. For example, -s 192.168.1.100 means that only packets from that IP are matched.<\/li>\n
- -d: -destination, specifies the destination IP address. For example, -d 192.168.1.100 means that only packets to that IP are matched.<\/li>\n
- -i: -in-interface, specifies the network interface into the machine. For example, -i eth0 means that only packets passing through that interface are matched.<\/li>\n
- -o: -out-interface, specifies the network interface leaving the machine. For example, -o eth0 indicates that only packets passing through that interface are matched.<\/li>\n
- -sport, -sport: Specifies the source port. For example, -sport 80 means that only TCP packets from that port are matched.<\/li>\n
- -dport, -dport: Specifies the destination port. For example, -dport 80 means that only TCP packets to that port are matched.<\/li>\n<\/ul>\n<\/li>\n
- - Processing actions\n
- \n
- -j: -jump, specifies the processing action. For example, -j ACCEPT means to accept packets, -j DROP means to drop packets. -j LOG means logging. -j RETURN means return without continuing to match subsequent rules.<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n
iptables common commands<\/h3>\n
- \n
- - Viewing iptables rules\n
- \n
- - View rules for all chains (-L without chain is rules for all chains, without -t is default filter table)\n
iptables -L<\/pre>\n<\/li>\n
- - View rules for a specified table\n
iptables -t nat -L<\/pre>\n<\/li>\n
- - View the rules for a given chain\n
iptables -L INPUT<\/pre>\n<\/li>\n
- - View the rule number of the specified chain\n
iptables -L INPUT --line-numbers<\/pre>\n<\/li>\n
- - View rule numbers and counters for a given chain\n
iptables -L INPUT --line-numbers --verbose<\/pre>\n<\/li>\n
- - View the rule numbers and counters for the specified chain, displayed in a tree\n
iptables -L INPUT --line-numbers --verbose --list<\/pre>\n<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n
scripts<\/h2>\n
In the face of the troubleshooting dilemma brought about by massive iptables rules, traditional command-line tools expose three core flaws:<\/p>\n
- \n
- - Information overload problem: thousands of rules are presented in linear text and the logic of jumping between chains is difficult to trace<\/li>\n
- - Semantic breaks: -j Lack of contextual interpretation of target chains such as KUBE-SERVICES<\/li>\n
- - Risk of change: direct editing of production rules can lead to service disruptions<\/li>\n
- To address the above issues, write the following script, the script through the tree visualization and color marking, intelligent detection of circular references, support for interactive selection, compatible with multiple environments, automatic cleanup of temporary files, significantly improve the efficiency of iptables rule scheduling.
\nThe following script only passed experimentally on centos 7.6 (3.10.0-957.el7.x86_64).<\/li>\n<\/ul>\nScript content<\/h3>\n
vim show_iptables.sh #<\/span>! \/bin\/bash #<\/span>Script to dynamically analyze the chaining of a specified iptables table and display it in a tree structure #<\/span>set<\/span>-x #<\/span>Define color (compatible with more terminals) RED=$'\\033[31m' GREEN=$'\\033[32m' YELLOW=$'\\033[33m' BLUE=$'\\033[34m' PURPLE=$'\\033[35m' CYAN=$'\\ 033[36m' GRAY=$'\\033[90m' NC=$'\\033[0m' #<\/span>Temporary file TEMP_FILE=\"\/tmp\/iptables_rules.txt\" #<\/span>Global associative array (explicitly declared) declare -A VISITED_CHAINS #<\/span>Get all available tables get_tables() { if [[ -f \/proc\/net\/ip_tables_names ]]; then cat \/proc\/net\/ip_tables_names 2>\/dev\/null else # Compatible with older systems iptables -L -n 2>\/dev\/ null | grep -Po 'Table: \\K\\w+' | sort -u fi } #<\/span>Extract chain names (add filter) extract_chains() { grep -E \"^:[A-Za-z0-9_-]+ \" \"$TEMP_FILE\" | cut -d ' ' -f 1 | tr -d ':' | grep -v '^$' } #<\/span>Get rules for chain (enhanced filtering) find_rules_for_chain() { local chain=$1 [[ -z \"$chain\" ] ] && return grep -E \"^-A $chain \" \"$TEMP_FILE\" | sed '\/^#\/d' } #<\/span>Extract target chain (strict checksum) extract_targets() { local rule=$1 echo \"$rule\" | grep -oP '\\s-(j|g)\\s+\\K[^\\s]+' | grep -E '^[A-Za-z0-9_-]+$' } #<\/span>Rule formatting (defensive processing) format_rule() { local rule=$1 # Remove chain declarations and comments rule=$(echo \"$rule\" | sed -E 's\/^-A [^ ]* \/\/; s\/(--comment \"[^\"]*\")\/\/g') # Highlight key elements echo \"$rule\" | sed -E \\ -e \"s\/(-j |-g )([^ ]+)\/${RED}\\1${YELLOW}\\2${NC}\/g\" \\ -e \"s\/(-[pm] |--(src|dport|sport|destination| match))\/${CYAN}\\1${NC}\/g\" } #<\/span>Tree printing (critical fix) print_tree() { local chain=$1 local prefix=$2 local visited=$3 local depth=$4 # Null chain name defense if [[ -z \"$chain\" ]]; then echo -e \"${prefix}${RED} Invalid null link name ${NC}\" return fi # Loop detection if [[ \"$visited\" == *\"|$chain|\"* ]]; then echo -e \"${prefix}$ {RED}\u2514\u2500\u2500 Circular reference: $chain${NC}\" return fi # Depth limit if (( depth > 15 )); then echo -e \"${prefix}${YELLOW}\u2514\u2500\u2500 Maximum depth reached ${NC}\" return fi # Record access chain (secure write) if [[ -n \"$chain\" ]]; then VISITED_CHAINS[\"$chain\"]=1 fi # Get rules local rules=() while IFS= read -r rule; do rules+=(\" $rule\") done <<< "$(find_rules_for_chain "$chain")" # Extract subchain local targets=() for rule in "${rules[@]}"; do while IFS= read -r target; do if [[ -n "$target" && ! " ${targets[*]} " =~ " $target " ]]; then targets+=("$target") fi done <<< "$(extract_targets "$rule")" done # print current chain local color case $((depth % 6)) in 0) color=$BLUE;; 1) color=$GREEN;; 2) color=$PURPLE;; 3) color=$CYAN;; 4) color=$YELLOW. ; *) color=$RED;; esac echo -e "${prefix}${color}\u251c\u2500\u2500 ${chain}${NC}" # Print rules local rule_prefix="\u2502 " for rule in "${rules [@]}"; do echo -e "${prefix}${rule_prefix}${GRAY}\u251c\u2500\u2500 \u25aa ${NC}$(format_rule "$rule")" done # prints the subchain local total=${ #targets[@]} for i in "${!targets[@]}"; do local target=${targets[$i]} if (( i == total - 1 )); then print_tree "$target" "${ prefix} \u2514\u2500\u2500 " "${visited}|$chain|" $((depth + 1)) else print_tree "$target" "${prefix} \u251c\u2500\u2500 " "${visited}|$chain|" $((depth + 1)) fi done } #<\/span>Main Program main() { echo -e \"${GREEN} \u25aa iptables chain relationship topology (rule inline display) \u25aa ${NC}\" echo -e \"${YELLOW} description:\" echo -e \" ${GRAY} \u25aa Gray entry for rule ${NC}\" echo -e \" ${RED} red entry for rule ${NC} indicates jump target\" echo -e \" ${CYAN} cyan entry for rule ${NC} indicates match condition \\n\" echo -e \"${BLUE} \u258f chain [${selected_chain}] topology: ${NC}\" print_ tree \"$selected_chain\" \"\" \"\" 0 echo \"\" } #<\/span>Implementation process #<\/span>1. select_table tables=($(get_tables)) if [[ ${#tables[@]} -eq 0 ]]; then echo -e \"${RED} error: no iptables table ${NC} found\" exit 1 fi echo \"Available iptables table:\" select selected_table in \"${tables[@]}\"; do if [[ -n \"$selected_table\" ]]; then break else echo -e \"${RED} Invalid selection, please retype ${ NC}\" fi done #<\/span>2. select_chains iptables-save -t \"$selected_table\" > \"$TEMP_FILE\" chains=($(extract_chains)) if [[ ${#chains[@]} -eq 0 ]]; then echo -e \"${RED} error: no chain ${NC} found in table ${selected_table}\" rm -f \"$TEMP_FILE\" exit 1 fi echo \"Chains available in table ${selected_table}:\" selected_chain in \"${#{#chains[@]} -eq 0 ]; then echo -e chain in \"${chains[@]}\"; do if [[ -n \"$selected_chain\" ]]; then break else echo -e \"${RED} is not validly selected, please re-enter ${NC}\" fi done #<\/span>3. Execution analysis main rm -f \"$TEMP_FILE\"<\/pre>\ntest (machinery etc)<\/h3>\n
- \n
- - Generate two rules to view the output<\/li>\n<\/ul>\n
#<\/span>Create a test rule in the INPUT chain of the filter table sudo iptables -t filter -A INPUT -p tcp --sport 12345 -j LOG --log-prefix \"FILTER_TEST \" #<\/span>Create test rule (logs but never matches actual traffic) sudo iptables -t filter -A cali-INPUT -p tcp --sport 65535 -j LOG --log-prefix \"CALI_TEST_RULE \"<\/pre>\n- \n
- - Execution Script<\/li>\n<\/ul>\n
. \/show_iptables.sh Available iptables tables: 1) raw 2) mangle 3) filter 4) nat #<\/span>? 3 Available chains for table filter: 1) INPUT 19) cali-from-hep-forward 2) FORWARD 20) cali-from-host-endpoint 3) OUTPUT 21) cali-from-wl-dispatch 4) DOCKER 22) cali-fw- cali163c2dd037c 5) DOCKER-ISOLATION-STAGE-1 23) cali-fw-caliceb7f36db92 6) DOCKER-ISOLATION-STAGE-2 24) cali-pri-_56duOTW9GxmBnwvgZx 7) DOCKER-USER 25) cali-pri-_RRPF6JYgiXDfvzOhm- 8) KUBE-EXTERNAL-SERVICES 26) cali-pri-_pJvVwNmnIJS_Hgp2My 9) KUBE-FIREWALL 27) cali-pro-_ 56duOTW9GxmBnwvgZx 10) KUBE-FORWARD 28) cali-pro-_RRPF6JYgiXDfvzOhm- 11) KUBE-KUBELET-CANARY 29) cali-pro-_pJvVwNmnIJS_Hgp2My 12) KUBE- NODEPORTS 30) cali-to-hep-forward 13) KUBE-PROXY-CANARY 31) cali-to-host-endpoint 14) KUBE-SERVICES 32) cali-to-wl-dispatch 15) cali-FORWARD 33 ) cali-tw-cali163c2dd037c 16) cali-INPUT 34) cali-tw-caliceb7f36db92 17) cali-OUTPUT 35) cali-wl-to-host 18) cali-cidr-block #<\/span>\u258fChain [INPUT] topology: \u25aa Gray entries are rules. m conntrack --ctstate NEW -m comment -j KUBE-EXTERNAL-SERVICES \u2502 \u251c\u2500 \u25aa -j KUBE-FIREWALL \u2502 \u251c\u2500 \u25aa -p tcp -m tcp --sport 12345 -j LOG --log-prefix \"FILTER_TEST \" \u251c\u2500\u2500 \u251c\u2500\u2500 cali-INPUT \u251c\u2500\u2500 \u2502 \u251c\u2500\u2500 \u25aa -p ipv4 -m comment -m comment -m set --match-set cali40all-hosts-net src -m addrtype --dst-type LOCAL -j ACCEPT \u251c\u2500\u2500 \u2502 \u251c\u2500\u2500 \u25aa -p ipv4 -m comment -m comment -j DROP \u251c\u2500\u2500 \u2502 \u251c\u2500\u2500 \u25aa -i cali+ -m comment -g cali-wl-to-host \u251c\u2500\u2500 \u2502 \u251c\u2500\u2500 \u25aa -m comment -m mark --mark 0x10000\/0x10000 -j ACCEPT \u251c\u2500\u2500 \u2502 \u251c\u2500\u2500 \u25aa -m comment -j mark --set-xmark 0x0\/0xf0000 \u251c\u2500\u2500 \u2502 \u251c\u2500\u2500 \u25aa -m comment -j cali-from-host-endpoint \u251c\u2500\u2500 \u2502 \u251c\u2500\u2500 \u25aa -m comment -m comment -m mark --mark 0x10000\/0x10000 -j ACCEPT \u251c\u2500\u2500 \u2502 \u251c\u2500\u2500 \u25aa -p tcp -m tcp --sport 65535 -j LOG --log-prefix \"CALI_TEST_RULE \"<\/pre>\n- \n
- - Clearance test rules<\/li>\n<\/ul>\n
sudo iptables -t filter -D INPUT -p tcp --sport 12345 -j LOG --log-prefix \"FILTER_TEST \" sudo iptables -t filter -D cali-INPUT -p tcp --sport 65535 -j LOG -- log-prefix \"CALI_TEST_RULE \"<\/pre>\n
The above script enables you to quickly view the topological relationships of iptables rules for easy understanding and debugging.<\/p>","protected":false},"excerpt":{"rendered":"
From K8s Troubleshooting to iptables In-Depth Analysis: Hands-On Linux Firewall Rules Background After dealing with a Kuber [...] yesterday.<\/p>","protected":false},"author":1,"featured_media":11014,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"om_disable_all_campaigns":false,"_monsterinsights_skip_tracking":false,"_monsterinsights_sitenote_active":false,"_monsterinsights_sitenote_note":"","_monsterinsights_sitenote_category":0,"footnotes":""},"categories":[3],"tags":[],"class_list":["post-11013","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-blog"],"aioseo_notices":[],"_links":{"self":[{"href":"https:\/\/www.08host.com\/en\/wp-json\/wp\/v2\/posts\/11013","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.08host.com\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.08host.com\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.08host.com\/en\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.08host.com\/en\/wp-json\/wp\/v2\/comments?post=11013"}],"version-history":[{"count":2,"href":"https:\/\/www.08host.com\/en\/wp-json\/wp\/v2\/posts\/11013\/revisions"}],"predecessor-version":[{"id":11017,"href":"https:\/\/www.08host.com\/en\/wp-json\/wp\/v2\/posts\/11013\/revisions\/11017"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.08host.com\/en\/wp-json\/wp\/v2\/media\/11014"}],"wp:attachment":[{"href":"https:\/\/www.08host.com\/en\/wp-json\/wp\/v2\/media?parent=11013"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.08host.com\/en\/wp-json\/wp\/v2\/categories?post=11013"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.08host.com\/en\/wp-json\/wp\/v2\/tags?post=11013"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
- - Clearance test rules<\/li>\n<\/ul>\n
- - Execution Script<\/li>\n<\/ul>\n
- - Generate two rules to view the output<\/li>\n<\/ul>\n
- - View rules for all chains (-L without chain is rules for all chains, without -t is default filter table)\n
- - Viewing iptables rules\n
- -j: -jump, specifies the processing action. For example, -j ACCEPT means to accept packets, -j DROP means to drop packets. -j LOG means logging. -j RETURN means return without continuing to match subsequent rules.<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n
- - table name\n