Cybersecurity Triage

Read-only

Show the nftables Input Chain

You need to inspect the nftables input chain policy and the key accept or drop rules.

Command

nft list ruleset | sed -n '/chain input/,/}/p'

Before you run this

System impact: Read-only. Low when scoped to the shown target.

When not to use it: Do not treat a simplified chain excerpt as a complete network policy audit on hosts with multiple tables or namespaces.

Expected output

The nftables input chain with policy and selected TCP port rules.

System impact

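Read-only. Nothing changes. nft prints the ruleset and sed prints from the chain input line through the first following line that contains a closing brace. A rule that itself contains a closing brace, such as tcp dport { 80, 443 } accept, therefore ends the excerpt before the chain's own closing brace.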

Recovery / rollback: no state is changed.

When to use it

Use when UFW output is not enough or you need to verify the lower-level packet filter shape.

Command transcript

This sanitized transcript shows the commands and output shape without exposing host details.

demo@lab:~$

$ nft list ruleset

table inet filter {
  chain input {
    type filter hook input priority 0; policy drop;
    ct state established,related accept
    iif "lo" accept
    tcp dport 22 ip saddr 203.0.113.0/24 accept
    tcp dport { 80, 443 } accept
    tcp dport 25 accept
    tcp dport 5432 drop
  }
}

$ nft list ruleset | sed -n '/chain input/,/}/p'

  chain input {
    type filter hook input priority 0; policy drop;
    ct state established,related accept
    iif "lo" accept
    tcp dport 22 ip saddr 203.0.113.0/24 accept
    tcp dport { 80, 443 } accept

These are the commands shown in the sanitized transcript.

Commands shown

  1. nft list ruleset
  2. nft list ruleset | sed -n '/chain input/,/}/p'
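
The filtered output in the transcript stops at the tcp dport { 80, 443 } accept rule because the sed range ends at the first line containing a closing brace, so the port 25 and port 5432 rules are never shown. The following is an added example, not part of the original page: it prints each chain named input up to its matching brace and labels it with its table. The function names, the sample data, and the second table (ip6 legacy) are constructed for illustration.

```sh
#!/bin/sh
# Added example, not from the original page.
# Constructed sample: the transcript's ruleset plus a second, made-up
# table to show the multi-table case.
sample_ruleset() {
  cat <<'EOF'
table inet filter {
  chain input {
    type filter hook input priority 0; policy drop;
    ct state established,related accept
    iif "lo" accept
    tcp dport 22 ip saddr 203.0.113.0/24 accept
    tcp dport { 80, 443 } accept
    tcp dport 25 accept
    tcp dport 5432 drop
  }
}
table ip6 legacy {
  chain input {
    type filter hook input priority 0; policy accept;
  }
}
EOF
}

# Print every chain named "input" from `nft list ruleset` text on stdin,
# ending each chain at its matching brace, not at the first "}" seen.
input_chains() {
  awk '
    # Net brace change for one line, ignoring braces inside quoted strings.
    function delta(s,   o, c) {
      gsub(/"[^"]*"/, "", s)
      o = gsub(/[{]/, "", s); c = gsub(/[}]/, "", s)
      return o - c
    }
    !inchain && $1 == "table" { table = $2 " " $3 }
    !inchain && $1 == "chain" && $2 == "input" {
      inchain = 1; depth = 0
      print "# table " table
    }
    inchain {
      print
      depth += delta($0)
      if (depth == 0) inchain = 0
    }
  '
}

# Run against the sample; on a live host: nft list ruleset | input_chains
sample_ruleset | input_chains
```
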

Next steps

Related commands

Cybersecurity Triage Sensitive output

Count Failed SSH Login IPs

The loudest SSH source is usually visible with one count.

sed -n 's/.*Failed password .* from \([0-9.]*\) port.*/\1/p' logs/auth.log | sort | uniq -c | sort -nr

Cybersecurity Triage Sensitive output

Summarize sudo Commands by User

Privilege history is easier to review when users and commands are separated.

sed -n 's/.*sudo: *\([^: ]*\).*COMMAND=\(.*\)$/\1 -> \2/p' fixtures/user-access-audit/logs/auth.log | sort

Cybersecurity Triage Read-only

Prove a Package Candidate Is From Security

The package name is not enough; the candidate repository tells the patch story.

apt-cache policy openssl | sed -n '/Installed:/p;/Candidate:/p;/security/p'

Cybersecurity Triage State change

Inspect Container Environment Names

Check what environment variables exist without printing their secret values.

docker inspect --format '{{range .Config.Env}}{{println .}}{{end}}' api | sed 's/=.*$/=<redacted>/'

Study mapping

Use this as independent command practice: read the notes, predict the output, then compare it with the example before using a real shell.

  • lpic1:103-gnu-unix-commands
  • lpic1:110-security
  • lfcs:essential-commands
  • lfcs:security-hygiene
  • linuxplus:automation-scripting
  • linuxplus:provisional
  • risk:read-only

Useful for

  • LPIC-1 style command-line practice
  • LFCS style performance tasks
  • Linux+ style troubleshooting review

Independent study support only. No affiliation, endorsement, exam dumps, or real exam questions.