Introduction
Before we start talking about how to list and delete iptables firewall rules, let's briefly understand-What is IPTables ?
Iptables is a powerful firewall utility available in many Linux distributions that allow you to manage network traffic by configuring rules for incoming and outgoing connections.
In this tutorial, you will list and delete iptables firewall rules. We will also address a few FAQs on how to list and delete iptables firewall rules.
:22
by default), which could prevent you from accessing your own server. If your firewall settings cause you to lose access, you might need to connect to it via an out-of-band console in order to restore it.Prerequisites
The iptables
command must be installed on your Linux server for this tutorial to work, and your user must have sudo
privileges.
Listing Rules by Specification
Let's start by looking at how to list rules. Your active iptables rules can be viewed as a table or as a list of rule specifications in one of two distinct ways. Both approaches deliver essentially the same data in various formats.
Run the iptables
command with the -S
option to list all the active iptables rules by specification:
sudo iptables -S
-P INPUT DROP
-P FORWARD DROP
-P OUTPUT ACCEPT
-N ICMP
-N TCP
-N UDP
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -p udp -m conntrack --ctstate NEW -j UDP
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m conntrack --ctstate NEW -j TCP
-A INPUT -p icmp -m conntrack --ctstate NEW -j ICMP
-A INPUT -p udp -j REJECT --reject-with icmp-port-unreachable
-A INPUT -p tcp -j REJECT --reject-with tcp-reset
-A INPUT -j REJECT --reject-with icmp-proto-unreachable
-A TCP -p tcp -m tcp --dport 22 -j ACCEPT
...
As you can see, the output, without the iptables
command that preceded it, appears exactly like the commands that were used to create it. If you've ever used iptables-persistent
or iptables save
, these configuration files will also resemble those of iptables.
Listing a Specific Chain
You can enter the chain name immediately following the -S option if you want to restrict the output to a certain chain (INPUT
, OUTPUT
, TCP
, etc.). For instance, you would issue the following command to display every rule specification in the TCP
chain:
sudo iptables -S TCP
Output
-N TCP
-A TCP -p tcp -m tcp --dport 22 -j ACCEPT
Let's now examine another perspective for the current iptables rules: as a table of rules.
Listing Rules as Tables
Comparing various rules against one another can be done by listing the iptables rules in the table view. Run the iptables
command with the -L
parameter to display a table containing all other active iptables rules:
sudo iptables -L
All the current rules will be produced, sorted by chain.
You can specify the chain name directly after the -L
option if you need to restrict the output to a certain chain (INPUT
, OUTPUT
, TCP
, etc.)
Let us take a look at an INPUT
chain example:
sudo iptables -L INPUT
Chain INPUT (policy DROP)
target prot opt source destination
ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED
ACCEPT all -- anywhere anywhere
DROP all -- anywhere anywhere ctstate INVALID
UDP udp -- anywhere anywhere ctstate NEW
TCP tcp -- anywhere anywhere tcp flags:FIN,SYN,RST,ACK/SYN ctstate NEW
ICMP icmp -- anywhere anywhere ctstate NEW
REJECT udp -- anywhere anywhere reject-with icmp-port-unreachable
REJECT tcp -- anywhere anywhere reject-with tcp-reset
REJECT all -- anywhere anywhere reject-with icmp-proto-unreachable
The chain name (in this case, INPUT
) and default policy (DROP
) are both listed on the first line of output. The headers for each table column are listed on the following line, which is then followed by the chain's rules. Let's review what each header means:
target
: The target identifies what should be done with a packet if it matches the rule. A packet might be accepted, dropped, logged, or transferred to another chain to be evaluated in light of additional rules.prot
: The protocol, includingtcp
,udp
,icmp
, orall
.opt
: This column lists the IP options, however it is rarely utilized.source
: The traffic's source IP address or subnet, oranywhere
.destination
: The traffic's IP address, subnet, oranywhere
.
The final column, which is unlabeled, lists a rule's possible outcomes. Any portion of the regulation not covered by the previous columns is included in here. This could be anything from the packet's connection state to the source and destination ports.
Showing Packet Counts and Aggregate Size
It is also possible to display the quantity of packets and the total number of bytes in the packets that matched each individual rule when listing iptables rules. When trying to acquire a general overview of which rules are matching against packets, this is frequently helpful. Use the -L
and -v
options in combination to do this.
Let's return to the INPUT
chain as an illustration and use the -v
option:
sudo iptables -L INPUT -v
Chain INPUT (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
284K 42M ACCEPT all -- any any anywhere anywhere ctstate RELATED,ESTABLISHED
0 0 ACCEPT all -- lo any anywhere anywhere
0 0 DROP all -- any any anywhere anywhere ctstate INVALID
396 63275 UDP udp -- any any anywhere anywhere ctstate NEW
17067 1005K TCP tcp -- any any anywhere anywhere tcp flags:FIN,SYN,RST,ACK/SYN ctstate NEW
2410 154K ICMP icmp -- any any anywhere anywhere ctstate NEW
396 63275 REJECT udp -- any any anywhere anywhere reject-with icmp-port-unreachable
2916 179K REJECT all -- any any anywhere anywhere reject-with icmp-proto-unreachable
0 0 ACCEPT tcp -- any any anywhere anywhere tcp dpt:ssh ctstate NEW,ESTABLISHED
The pkts
and bytes
columns have been added, as can be seen in the listing.
Let's look at how to reset the packet and byte counts now that you are aware of the various ways to list the active firewall rules.
Resetting Packet Counts and Aggregate Size
Use the -Z
option to clear, or zero, the packet and byte counters for your rules. In the event of a reboot, they also reset. This is helpful if you want to check whether new traffic coming to your server matches the rules you currently have in place.
Use the -Z
option by itself to remove all chains' and rules' counters:
sudo iptables -Z
Use the -Z
option and the chain you want to clear the counts for every rule in that chain. For instance, execute the following command to clear the INPUT
chain counters:
sudo iptables -Z INPUT
Indicate the chain name and the rule number to clear the counters for a given rule. Run the following, for instance, to zero the counters for the INPUT
chain's first rule:
sudo iptables -Z INPUT 1
Let's look at the two approaches that may be used to delete the iptables packet and byte counters now that you know how to reset them.
A method of deleting iptables
rules is through rule specification. You can do this by executing the iptables command with the -D
option and the rule definition after it. iptables -S
's output of the rules list can be used as guidance if you want to delete rules using this method.
For instance, you may issue the following command to remove the rule that drops inbound invalid packets (-A INPUT -m conntrack --ctstate INVALID -j DROP
):
sudo iptables -D INPUT -m conntrack --ctstate INVALID -j DROP
Keep in mind that you should not use the -A
option here, which is used to specify the rule position at creation time.
Deleting Rules by Chain and Number
Iptables rules can also be deleted by chain and line number. List the rules in table format and provide the --line-numbers
option to find a rule's line number:
sudo iptables -L --line-numbers
Output
Chain INPUT (policy DROP)
num target prot opt source destination
1 ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED
2 ACCEPT all -- anywhere anywhere
3 DROP all -- anywhere anywhere ctstate INVALID
4 UDP udp -- anywhere anywhere ctstate NEW
5 TCP tcp -- anywhere anywhere tcp flags:FIN,SYN,RST,ACK/SYN ctstate NEW
6 ICMP icmp -- anywhere anywhere ctstate NEW
7 REJECT udp -- anywhere anywhere reject-with icmp-port-unreachable
8 REJECT tcp -- anywhere anywhere reject-with tcp-reset
9 REJECT all -- anywhere anywhere reject-with icmp-proto-unreachable
10 ACCEPT tcp -- anywhere anywhere tcp dpt:ssh ctstate NEW,ESTABLISHED
...
Each rule row will now have the line number, as given by the num
header, added to it.
Once you've decided which rule to remove, make a note of the chain and line number. Run the iptables -D
command after entering the rule number and chain.
For instance, we can observe that rule 3
of the INPUT
chain is the input rule that drops erroneous packets and should be removed. So, let's execute the following command:
sudo iptables -D INPUT 3
Having learned how to remove certain firewall rules, let's discuss how you can flush chains of rules.
Flushing Chains
Iptables provides the option to flush a chain or delete every rule in it. The many methods for doing this will be covered in this section.
drop
or deny
should never be flushed in order to avoid locking yourself out of your server through SSH. If so, to fix your access, you might need to connect to it via the console.Flushing a Single Chain
You can use the -F
option, or its equivalent --flush
option, along with the name of the chain you want to flush, to erase all the rules in that chain.
Run this command, for instance, to eliminate every rule in the INPUT
chain:
sudo iptables -F INPUT
Flushing All Chains
You can use the -F
, or the equivalent --flush
, option by itself to flush all chains, which will remove any firewall rules:
sudo iptables -F
Flushing All Rules, Deleting All Chains, and Accepting All
You will learn how to flush all of your firewall rules, tables, and chains in this section, as well as how to permit all network traffic.
First, change each built-in chain's default policy to ACCEPT
. The main goal of doing this is to prevent SSH lockouts from happening to you:
sudo iptables -P INPUT ACCEPT
sudo iptables -P FORWARD ACCEPT
sudo iptables -P OUTPUT ACCEPT
Next, flush all chains (-F
), delete all non-default chains (-X
), and flush the nat
and mangle
tables:
sudo iptables -t nat -F
sudo iptables -t mangle -F
sudo iptables -F
sudo iptables -X
All network traffic will now be permitted by your firewall. The three default chains (INPUT
, FORWARD
, and OUTPUT
) are the only ones left if you describe your rules now.
FAQs to List and Delete Iptables Firewall Rules
How can I check if iptables is installed on my system?
Open a terminal and run the command iptables --version
. If iptables is installed, it will display the version information.
What are the different tables in iptables?
Iptables uses different tables to categorize rules based on the types of network packets they handle. The main tables are filter (default), nat, and mangle.
What are the default policies for the filter table?
The default policies determine the actions taken when a packet doesn't match any existing rules within a chain. The default policies for the filter table are usually set to ACCEPT or DROP.
How can I delete a specific rule in iptables?
To delete a specific rule, you need to identify its line number or write a matching rule to find and delete it. Use the command iptables -D <chain-name> <rule-number>
or iptables -D <chain-name> -s <source-ip> -j <target>
.
What happens if all rules are deleted from a chain?
If all rules are deleted from a chain and the default policy is set to DROP, all traffic for that chain will be dropped.
Can I reset iptables to its default rules?
Yes, you can reset iptables to its default rules by flushing all existing rules using the command iptables -F
and setting the default policies to ACCEPT.
Can I disable or turn off iptables completely?
Yes, iptables can be disabled or turned off by setting the default policies to ACCEPT for all chains in all tables using the command iptables -P <chain-name> ACCEPT
and iptables -t <table-name> -P <chain-name> ACCEPT
.
Conclusion
You now know how to list and delete your iptables firewall rules after reading this tutorial.
Keep in mind that any iptables changes made with the iptables
command are temporary and must be stored in order to persist through server restarts.
If you have any queries, please leave a comment below, and we’ll be happy to respond to them for sure.