How To List and Delete Iptables Firewall Rules

Darshita Daga -

Introduction

Before we start talking about how to list and delete iptables firewall rules, let's briefly understand-What is IPTables ?

Iptables is a powerful firewall utility available in many Linux distributions that allow you to manage network traffic by configuring rules for incoming and outgoing connections.

In this tutorial, you will list and delete iptables firewall rules. We will also address a few FAQs on how to list and delete iptables firewall rules.

💡
Note: Be careful when working with firewalls to avoid blocking SSH traffic (port :22 by default), which could prevent you from accessing your own server. If your firewall settings cause you to lose access, you might need to connect to it via an out-of-band console in order to restore it.

Prerequisites

The iptables command must be installed on your Linux server for this tutorial to work, and your user must have sudo privileges.

Listing Rules by Specification

Let's start by looking at how to list rules. Your active iptables rules can be viewed as a table or as a list of rule specifications in one of two distinct ways. Both approaches deliver essentially the same data in various formats.

Run the iptables command with the -S option to list all the active iptables rules by specification:

sudo iptables -S

-P INPUT DROP
-P FORWARD DROP
-P OUTPUT ACCEPT
-N ICMP
-N TCP
-N UDP
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -p udp -m conntrack --ctstate NEW -j UDP
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m conntrack --ctstate NEW -j TCP
-A INPUT -p icmp -m conntrack --ctstate NEW -j ICMP
-A INPUT -p udp -j REJECT --reject-with icmp-port-unreachable
-A INPUT -p tcp -j REJECT --reject-with tcp-reset
-A INPUT -j REJECT --reject-with icmp-proto-unreachable
-A TCP -p tcp -m tcp --dport 22 -j ACCEPT
...

As you can see, the output, without the iptables command that preceded it, appears exactly like the commands that were used to create it. If you've ever used iptables-persistent or iptables save, these configuration files will also resemble those of iptables.

Listing a Specific Chain

You can enter the chain name immediately following the -S option if you want to restrict the output to a certain chain (INPUT, OUTPUT, TCP, etc.). For instance, you would issue the following command to display every rule specification in the TCP chain:

sudo iptables -S TCP

Output
-N TCP
-A TCP -p tcp -m tcp --dport 22 -j ACCEPT

Let's now examine another perspective for the current iptables rules: as a table of rules.

Listing Rules as Tables

Comparing various rules against one another can be done by listing the iptables rules in the table view. Run the iptables command with the -L parameter to display a table containing all other active iptables rules:

sudo iptables -L

All the current rules will be produced, sorted by chain.

You can specify the chain name directly after the -L option if you need to restrict the output to a certain chain (INPUT, OUTPUT, TCP, etc.)

Let us take a look at an INPUT chain example:

sudo iptables -L INPUT

Chain INPUT (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
ACCEPT     all  --  anywhere             anywhere
DROP       all  --  anywhere             anywhere             ctstate INVALID
UDP        udp  --  anywhere             anywhere             ctstate NEW
TCP        tcp  --  anywhere             anywhere             tcp flags:FIN,SYN,RST,ACK/SYN ctstate NEW
ICMP       icmp --  anywhere             anywhere             ctstate NEW
REJECT     udp  --  anywhere             anywhere             reject-with icmp-port-unreachable
REJECT     tcp  --  anywhere             anywhere             reject-with tcp-reset
REJECT     all  --  anywhere             anywhere             reject-with icmp-proto-unreachable

The chain name (in this case, INPUT) and default policy (DROP) are both listed on the first line of output. The headers for each table column are listed on the following line, which is then followed by the chain's rules. Let's review what each header means:

  • target: The target identifies what should be done with a packet if it matches the rule. A packet might be accepted, dropped, logged, or transferred to another chain to be evaluated in light of additional rules.
  • prot: The protocol, includingtcp, udp, icmp, or all.
  • opt: This column lists the IP options, however it is rarely utilized.
  • source: The traffic's source IP address or subnet, or anywhere.
  • destination: The traffic's IP address, subnet, or anywhere.

The final column, which is unlabeled, lists a rule's possible outcomes. Any portion of the regulation not covered by the previous columns is included in here. This could be anything from the packet's connection state to the source and destination ports.

Showing Packet Counts and Aggregate Size

It is also possible to display the quantity of packets and the total number of bytes in the packets that matched each individual rule when listing iptables rules. When trying to acquire a general overview of which rules are matching against packets, this is frequently helpful. Use the -L and -v options in combination to do this.

Let's return to the INPUT chain as an illustration and use the -v option:

sudo iptables -L INPUT -v

Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
 284K   42M ACCEPT     all  --  any    any     anywhere             anywhere             ctstate RELATED,ESTABLISHED
    0     0 ACCEPT     all  --  lo     any     anywhere             anywhere
    0     0 DROP       all  --  any    any     anywhere             anywhere             ctstate INVALID
  396 63275 UDP        udp  --  any    any     anywhere             anywhere             ctstate NEW
17067 1005K TCP        tcp  --  any    any     anywhere             anywhere             tcp flags:FIN,SYN,RST,ACK/SYN ctstate NEW
 2410  154K ICMP       icmp --  any    any     anywhere             anywhere             ctstate NEW
  396 63275 REJECT     udp  --  any    any     anywhere             anywhere             reject-with icmp-port-unreachable
 2916  179K REJECT     all  --  any    any     anywhere             anywhere             reject-with icmp-proto-unreachable
    0     0 ACCEPT     tcp  --  any    any     anywhere             anywhere             tcp dpt:ssh ctstate NEW,ESTABLISHED

The pkts and bytes columns have been added, as can be seen in the listing.

Let's look at how to reset the packet and byte counts now that you are aware of the various ways to list the active firewall rules.

Resetting Packet Counts and Aggregate Size

Use the -Z option to clear, or zero, the packet and byte counters for your rules. In the event of a reboot, they also reset. This is helpful if you want to check whether new traffic coming to your server matches the rules you currently have in place.

Use the -Z option by itself to remove all chains' and rules' counters:

sudo iptables -Z

Use the -Z option and the chain you want to clear the counts for every rule in that chain. For instance, execute the following command to clear the INPUT chain counters:

sudo iptables -Z INPUT

Indicate the chain name and the rule number to clear the counters for a given rule. Run the following, for instance, to zero the counters for the INPUT chain's first rule:

sudo iptables -Z INPUT 1

Let's look at the two approaches that may be used to delete the iptables packet and byte counters now that you know how to reset them.

A method of deleting iptables rules is through rule specification. You can do this by executing the iptables command with the -D option and the rule definition after it. iptables -S's output of the rules list can be used as guidance if you want to delete rules using this method.

For instance, you may issue the following command to remove the rule that drops inbound invalid packets (-A INPUT -m conntrack --ctstate INVALID -j DROP):

sudo iptables -D INPUT -m conntrack --ctstate INVALID -j DROP

Keep in mind that you should not use the -A option here, which is used to specify the rule position at creation time.

Deleting Rules by Chain and Number

Iptables rules can also be deleted by chain and line number. List the rules in table format and provide the --line-numbers option to find a rule's line number:

sudo iptables -L --line-numbers

Output
Chain INPUT (policy DROP)
num  target     prot opt source               destination
1    ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
2    ACCEPT     all  --  anywhere             anywhere
3    DROP       all  --  anywhere             anywhere             ctstate INVALID
4    UDP        udp  --  anywhere             anywhere             ctstate NEW
5    TCP        tcp  --  anywhere             anywhere             tcp flags:FIN,SYN,RST,ACK/SYN ctstate NEW
6    ICMP       icmp --  anywhere             anywhere             ctstate NEW
7    REJECT     udp  --  anywhere             anywhere             reject-with icmp-port-unreachable
8    REJECT     tcp  --  anywhere             anywhere             reject-with tcp-reset
9    REJECT     all  --  anywhere             anywhere             reject-with icmp-proto-unreachable
10   ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:ssh ctstate NEW,ESTABLISHED
...

Each rule row will now have the line number, as given by the num header, added to it.

Once you've decided which rule to remove, make a note of the chain and line number. Run the iptables -D command after entering the rule number and chain.

For instance, we can observe that rule 3 of the INPUT chain is the input rule that drops erroneous packets and should be removed. So, let's execute the following command:

sudo iptables -D INPUT 3

Having learned how to remove certain firewall rules, let's discuss how you can flush chains of rules.

Flushing Chains

Iptables provides the option to flush a chain or delete every rule in it. The many methods for doing this will be covered in this section.

Warning: A chain with a default policy of drop or deny should never be flushed in order to avoid locking yourself out of your server through SSH. If so, to fix your access, you might need to connect to it via the console.

Flushing a Single Chain

You can use the -F option, or its equivalent --flush option, along with the name of the chain you want to flush, to erase all the rules in that chain.

Run this command, for instance, to eliminate every rule in the INPUT chain:

sudo iptables -F INPUT

Flushing All Chains

You can use the -F, or the equivalent --flush, option by itself to flush all chains, which will remove any firewall rules:

sudo iptables -F

Flushing All Rules, Deleting All Chains, and Accepting All

You will learn how to flush all of your firewall rules, tables, and chains in this section, as well as how to permit all network traffic.

Warning: Your firewall will be effectively disabled by this. This section should only be used if you want to reset your firewall's setup.

First, change each built-in chain's default policy to ACCEPT. The main goal of doing this is to prevent SSH lockouts from happening to you:

sudo iptables -P INPUT ACCEPT
sudo iptables -P FORWARD ACCEPT
sudo iptables -P OUTPUT ACCEPT

Next, flush all chains (-F), delete all non-default chains (-X), and flush the nat and mangle tables:

sudo iptables -t nat -F
sudo iptables -t mangle -F
sudo iptables -F
sudo iptables -X

All network traffic will now be permitted by your firewall. The three default chains (INPUT, FORWARD, and OUTPUT) are the only ones left if you describe your rules now.

FAQs to List and Delete Iptables Firewall Rules

How can I check if iptables is installed on my system? 

Open a terminal and run the command iptables --version. If iptables is installed, it will display the version information.

What are the different tables in iptables? 

Iptables uses different tables to categorize rules based on the types of network packets they handle. The main tables are filter (default), nat, and mangle.

What are the default policies for the filter table? 

The default policies determine the actions taken when a packet doesn't match any existing rules within a chain. The default policies for the filter table are usually set to ACCEPT or DROP.

How can I delete a specific rule in iptables? 

To delete a specific rule, you need to identify its line number or write a matching rule to find and delete it. Use the command iptables -D <chain-name> <rule-number> or iptables -D <chain-name> -s <source-ip> -j <target>.

What happens if all rules are deleted from a chain? 

If all rules are deleted from a chain and the default policy is set to DROP, all traffic for that chain will be dropped.

Can I reset iptables to its default rules? 

Yes, you can reset iptables to its default rules by flushing all existing rules using the command iptables -F and setting the default policies to ACCEPT.

Can I disable or turn off iptables completely? 

Yes, iptables can be disabled or turned off by setting the default policies to ACCEPT for all chains in all tables using the command iptables -P <chain-name> ACCEPT and iptables -t <table-name> -P <chain-name> ACCEPT.

Conclusion

You now know how to list and delete your iptables firewall rules after reading this tutorial.

Keep in mind that any iptables changes made with the iptables command are temporary and must be stored in order to persist through server restarts.

If you have any queries, please leave a comment below, and we’ll be happy to respond to them for sure.