How to check if a network packet filter is active in Linux

Introduction

In this lab, you will learn how to check if a network packet filter is active in Linux. You will explore traditional methods using iptables to list firewall rules and examine the newer nftables framework by listing its ruleset. Finally, you will verify filter settings by inspecting relevant files within the /proc/sys/net directory, gaining a comprehensive understanding of how to determine the status of network packet filtering on a Linux system.

Skills Graph

%%%%{init: {'theme':'neutral'}}%%%% flowchart RL linux(("Linux")) -.-> linux/BasicFileOperationsGroup(["Basic File Operations"]) linux(("Linux")) -.-> linux/FileandDirectoryManagementGroup(["File and Directory Management"]) linux(("Linux")) -.-> linux/UserandGroupManagementGroup(["User and Group Management"]) linux(("Linux")) -.-> linux/RemoteAccessandNetworkingGroup(["Remote Access and Networking"]) linux/BasicFileOperationsGroup -.-> linux/cat("File Concatenating") linux/FileandDirectoryManagementGroup -.-> linux/cd("Directory Changing") linux/UserandGroupManagementGroup -.-> linux/sudo("Privilege Granting") linux/RemoteAccessandNetworkingGroup -.-> linux/ifconfig("Network Configuring") linux/RemoteAccessandNetworkingGroup -.-> linux/netstat("Network Monitoring") linux/RemoteAccessandNetworkingGroup -.-> linux/ip("IP Managing") subgraph Lab Skills linux/cat -.-> lab-558739{{"How to check if a network packet filter is active in Linux"}} linux/cd -.-> lab-558739{{"How to check if a network packet filter is active in Linux"}} linux/sudo -.-> lab-558739{{"How to check if a network packet filter is active in Linux"}} linux/ifconfig -.-> lab-558739{{"How to check if a network packet filter is active in Linux"}} linux/netstat -.-> lab-558739{{"How to check if a network packet filter is active in Linux"}} linux/ip -.-> lab-558739{{"How to check if a network packet filter is active in Linux"}} end

List iptables rules with iptables -L

In this step, you will learn how to view the current firewall rules using the iptables command. iptables is a traditional command-line utility used to configure the Linux kernel firewall.

Firewalls are essential for network security. They control incoming and outgoing network traffic based on a set of rules. These rules determine whether to allow or block specific connections.

To list the current iptables rules, you will use the -L option. This option tells iptables to list the rules in the specified chains.

Open the terminal if you haven't already. Type the following command and press Enter:

sudo iptables -L

You need to use sudo because viewing firewall rules requires administrative privileges.

You will see output similar to this:

Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

This output shows the rules for the three default chains: INPUT, FORWARD, and OUTPUT.

INPUT: Controls traffic destined for the local machine.
FORWARD: Controls traffic passing through the machine (used for routing).
OUTPUT: Controls traffic originating from the local machine.

The policy ACCEPT means that by default, traffic is allowed in these chains if no specific rule matches it.

If there were specific rules configured, they would be listed under each chain, showing details like the target (e.g., ACCEPT, DROP), protocol (e.g., tcp, udp), source and destination IP addresses, and ports.

For now, the default configuration is simple, but you've successfully used iptables to view the current rules.

Click Continue to proceed to the next step.

Check nftables with nft list ruleset

In this step, you will explore nftables, the successor to iptables. While iptables is still widely used, nftables offers a more flexible and efficient framework for packet filtering and network address translation (NAT).

nftables uses the nft command-line utility to manage rulesets. A ruleset is a collection of tables, chains, and rules that define how network traffic is handled.

To view the current nftables ruleset, you will use the list ruleset command.

Type the following command in your terminal and press Enter:

sudo nft list ruleset

Again, sudo is required because viewing firewall rules requires administrative privileges.

You might see output similar to this, or it might be empty if no nftables rules are configured:

table ip filter {
	chain INPUT {
		type filter hook input priority 0; policy accept;
	}

	chain FORWARD {
		type filter hook forward priority 0; policy accept;
	}

	chain OUTPUT {
		type filter hook output priority 0; policy accept;
	}
}

This output shows a basic nftables ruleset with a table named filter for the ip address family. Within this table, there are three chains: INPUT, FORWARD, and OUTPUT, similar to iptables.

table ip filter: Defines a table named filter for IPv4 traffic.
chain INPUT { ... }: Defines the input chain.
type filter hook input priority 0;: Specifies that this is a filter chain hooked into the input network path with a priority of 0.
policy accept;: Sets the default policy for this chain to accept traffic.

If there were specific rules defined, they would be listed within the chain blocks.

Comparing the output of iptables -L and nft list ruleset can give you an idea of which firewall system is actively managing rules on the system, or if both are present. On modern systems, nftables is becoming the default.

You have now successfully used nft to view the current nftables ruleset.

Click Continue to move on.

Verify filter settings in /proc/sys/net

In this step, you will explore some kernel-level network filtering settings by examining files in the /proc/sys/net directory. The /proc filesystem is a virtual filesystem that provides information about processes and other system information. The /proc/sys directory contains files that allow you to view and modify kernel parameters at runtime.

Specifically, we will look at settings related to network filtering and forwarding.

Navigate to the relevant directory using the cd command:

cd /proc/sys/net/ipv4/conf/all/

The /proc/sys/net/ipv4/conf/all/ directory contains configuration files that apply to all network interfaces.

Now, let's view the content of a file related to forwarding. Use the cat command to display the content of the forwarding file:

cat forwarding

The output will likely be either 0 or 1:

0: Indicates that IP forwarding is disabled. This means the system will not forward packets between different network interfaces.
1: Indicates that IP forwarding is enabled. This is necessary for routers or systems acting as gateways.

Next, let's look at a setting related to filtering incoming packets with a source route option. This option can sometimes be used in malicious ways. View the content of the accept_source_route file:

cat accept_source_route

The output will likely be 0:

0: Indicates that the system will ignore packets with the source route option. This is a common security measure.
1: Indicates that the system will accept packets with the source route option.

These files in /proc/sys/net provide a low-level view of how the kernel is configured to handle network traffic. While iptables and nftables manage the rules for filtering, these kernel parameters control fundamental network behavior like forwarding and how certain packet options are treated.

You have now successfully examined kernel network filtering settings using the /proc filesystem.

Click Continue to complete the lab.

Summary

In this lab, you learned how to check if a network packet filter is active in Linux by examining the configuration of common firewall tools. You started by using the iptables -L command to list the current rules configured with the traditional iptables utility, understanding the default chains (INPUT, FORWARD, OUTPUT) and their policies.

Next, you explored nftables, the modern replacement for iptables, by using the nft list ruleset command to view its configuration. Finally, you learned how to verify filter settings at a lower level by checking relevant parameters within the /proc/sys/net directory, which exposes kernel network configuration.