How to list and delete Iptables firewall rules


Introduction

Iptables is a firewall that plays a fundamental role in network security for most Linux systems. While many iptables tutorials teach you how to create firewall rules to secure your server, this one focuses on a different aspect of firewall management: listing and deleting rules.

In this tutorial, we will cover how to perform the following iptables tasks:

  • List the rules
  • Clear packet and byte counters
  • Delete rules
  • Flushing a chain (deleting all rules in a chain)
  • Clear all chains and tables, remove all chains, and accept all traffic
Prerequisites

This tutorial assumes that you are using a Linux server with the iptables command installed and that your user has sudo privileges. If you need help with this initial setup, please refer to the guide to initial server setup with Ubuntu 20.04.

Listing rules by specification

Let's first look at how to list rules. There are two different ways to view active iptables rules: in a table or as a list of rule specifications. Both methods provide roughly the same information in different formats.

To list all active iptables rules by specification, run the iptables command with the -S option:

sudo iptables -S
Output
-P INPUT DROP
-P FORWARD DROP
-P OUTPUT ACCEPT
-N ICMP
-N TCP
-N UDP
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -p udp -m conntrack --ctstate NEW -j UDP
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m conntrack --ctstate NEW -j TCP
-A INPUT -p icmp -m conntrack --ctstate NEW -j ICMP
-A INPUT -p udp -j REJECT --reject-with icmp-port-unreachable
-A INPUT -p tcp -j REJECT --reject-with tcp-reset
-A INPUT -j REJECT --reject-with icmp-proto-unreachable
-A TCP -p tcp -m tcp --dport 22 -j ACCEPT
...

As you can see, the output looks exactly like the commands used to create the rules, minus the leading iptables. The -P lines are the policies of the built-in chains and the -N lines declare user-defined chains; only the -A lines are rules. If you have ever used iptables-persistent or iptables-save, this output will also look familiar, because the -A lines are written in the same format those tools use in their rules files.

Listing a specific chain

If you want to limit the output to a specific chain (INPUT, OUTPUT, TCP, etc.), specify the chain name directly after the -S option. For example, to show all the rules in the TCP chain, run this command:

sudo iptables -S TCP
Output
-N TCP
-A TCP -p tcp -m tcp --dport 22 -j ACCEPT

Now let's take a look at an alternative way to view active iptables rules, as a rules table.

List rules in tables

Listing iptables rules in a table view can be useful for comparing different rules with each other. To output all active iptables rules in a table, run the iptables command with the -L option:

sudo iptables -L

This lists all current rules, grouped by chain. Adding -n prints addresses and ports as numbers instead of resolving them to names, which avoids slow DNS lookups (it is also why the listings below show anywhere and ssh rather than 0.0.0.0/0 and 22).

If you want to limit the output to a specific chain (INPUT, OUTPUT, TCP, etc.), you can specify the chain name directly after the -L option.

Let's look at an input chain example:

sudo iptables -L INPUT
Output
Chain INPUT (policy DROP)
target prot opt source destination
ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED
ACCEPT all -- anywhere anywhere
DROP all -- anywhere anywhere ctstate INVALID
UDP udp -- anywhere anywhere ctstate NEW
TCP tcp -- anywhere anywhere tcp flags:FIN,SYN,RST,ACK/SYN ctstate NEW
ICMP icmp -- anywhere anywhere ctstate NEW
REJECT udp -- anywhere anywhere reject-with icmp-port-unreachable
REJECT tcp -- anywhere anywhere reject-with tcp-reset
REJECT all -- anywhere anywhere reject-with icmp-proto-unreachable

The first line of output shows the name of the chain (INPUT in this case) followed by its default policy (DROP). The next line contains the headers for each column in the table, followed by the chain rules. Let's review what each header represents:

  • target: If a packet matches a rule, the target specifies what to do with it. For example, a packet can be accepted, dropped, logged, or sent to another chain to be compared against more rules.
  • prot: protocol, such as tcp, udp, icmp, or all
  • opt: Rarely used, this column shows IP options
  • source: The source IP address or subnet of the traffic or anywhere
  • destination: The destination IP address or subnet of the traffic or anywhere

The last column, which is not labeled, shows the options for a rule. This is any part of the rule that is not shown in the previous columns. This can be anything from the source and destination ports to the state of the packet connection.

Display packet and byte counts

When listing iptables rules, it is possible to show the number of packets and the total size of the packets in bytes that match each particular rule. This is often useful when trying to get a general idea of which rules match which packets. To do this, use the -L and -v options together.

For example, let's look again at the INPUT chain with the -v option:

sudo iptables -L INPUT -v
Output
Chain INPUT (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
284K 42M ACCEPT all -- any any anywhere anywhere ctstate RELATED,ESTABLISHED
0 0 ACCEPT all -- lo any anywhere anywhere
0 0 DROP all -- any any anywhere anywhere ctstate INVALID
396 63275 UDP udp -- any any anywhere anywhere ctstate NEW
17067 1005K TCP tcp -- any any anywhere anywhere tcp flags:FIN,SYN,RST,ACK/SYN ctstate NEW
2410 154K ICMP icmp -- any any anywhere anywhere ctstate NEW
396 63275 REJECT udp -- any any anywhere anywhere reject-with icmp-port-unreachable
2916 179K REJECT all -- any any anywhere anywhere reject-with icmp-proto-unreachable
0 0 ACCEPT tcp -- any any anywhere anywhere tcp dpt:ssh ctstate NEW,ESTABLISHED

Notice that the list now has additional columns: pkts and bytes hold the counters, and in and out show the interfaces a rule is restricted to (any when it is not).
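One practical use of these counters is finding rules that never match, which are often dead or shadowed by an earlier rule. The script below is an added example, not from the original tutorial: it reads iptables -L -v output (the tutorial's listing above, embedded as a constructed sample so it runs without root), tracks the rule position within each chain, and reports every rule whose packet counter is zero, using the same per-chain numbering that iptables -D CHAIN N expects. The function name unused_rules and the sample variable are my own. In live use add -n to skip DNS lookups and -x for exact counts instead of the rounded 42M and 1005K forms.

```shell
#!/bin/sh
# Added example, not from the original tutorial: report rules whose packet
# counter is zero, from `iptables -L -v` output.
#
# SAMPLE_VERBOSE is the tutorial's own `iptables -L INPUT -v` listing,
# embedded as a constructed sample so the script runs offline.
SAMPLE_VERBOSE='Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
  284K   42M ACCEPT     all  --  any    any     anywhere             anywhere             ctstate RELATED,ESTABLISHED
    0     0 ACCEPT     all  --  lo     any     anywhere             anywhere
    0     0 DROP       all  --  any    any     anywhere             anywhere             ctstate INVALID
  396 63275 UDP        udp  --  any    any     anywhere             anywhere             ctstate NEW
17067 1005K TCP        tcp  --  any    any     anywhere             anywhere             tcp flags:FIN,SYN,RST,ACK/SYN ctstate NEW
 2410  154K ICMP       icmp --  any    any     anywhere             anywhere             ctstate NEW
  396 63275 REJECT     udp  --  any    any     anywhere             anywhere             reject-with icmp-port-unreachable
 2916  179K REJECT     all  --  any    any     anywhere             anywhere             reject-with icmp-proto-unreachable
    0     0 ACCEPT     tcp  --  any    any     anywhere             anywhere             tcp dpt:ssh ctstate NEW,ESTABLISHED'

# unused_rules
#   Reads `iptables -L -v` output (one or more chains) on stdin and prints
#   "CHAIN RULENUM TARGET <match options>" for every rule with 0 packets.
#   RULENUM restarts at 1 for each chain, so it is the number you would
#   pass to `iptables -D CHAIN N` or see under `--line-numbers`.
#   Column layout of -v output: pkts bytes target prot opt in out source
#   destination, followed by the free-form match options (field 10 onward).
unused_rules() {
    awk '
        /^Chain /    { chain = $2; n = 0; next }   # "Chain INPUT (policy ...)"
        $1 == "pkts" { next }                      # column header
        NF == 0      { next }                      # blank line between chains
        {
            n++
            if ($1 == "0") {
                line = chain " " n " " $3
                for (i = 10; i <= NF; i++) line = line " " $i
                print line
            }
        }'
}

# Offline demonstration against the embedded sample:
printf '%s\n' "$SAMPLE_VERBOSE" | unused_rules
# Live use:  sudo iptables -L -v -n -x | unused_rules
```

Zero hits right after a -Z or a reboot mean nothing; the check is meaningful only once the counters have accumulated over a period that covers the traffic the rule is supposed to see.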

Now that you know how to list active firewall rules in different ways, let's see how you can reset the packet and byte counters.

Reset the number of packets and total size

If you want to clear or zero the packet and byte counters for your rules, use the -Z option. The counters also reset on reboot. Zeroing them is useful if you want to see whether your server is receiving new traffic that matches your existing rules.

To clear the counters for all chains and rules, use the -Z option alone:

sudo iptables -Z

To clear the counters for all rules in a specific chain, use the -Z option and specify the chain. For example, to clear the counters for the INPUT chain, run this command:

sudo iptables -Z INPUT

If you want to clear the counters for a specific rule, specify the chain name and rule number. For example, to clear the counters for the first rule in the chain, INPUT, run this:

sudo iptables -Z INPUT 1

Now that you know how to reset iptables packet and byte counters, let's look at two methods you can use to delete rules.

Delete rules based on specifications

One way to delete iptables rules is by rule specification. To do this, run the iptables command with the -D option followed by the rule specification. The output of iptables -S is the easiest place to get the exact specification, because -D only deletes a rule whose matches and target are identical to the rule loaded in the kernel.

For example, to delete the rule that drops invalid input packets (-A INPUT -m conntrack --ctstate INVALID -j DROP), run this command:

sudo iptables -D INPUT -m conntrack --ctstate INVALID -j DROP

Note that the -A option, which appends the rule to the chain when it is created, is replaced by -D here; the rest of the line is copied unchanged. If several identical rules exist, -D removes only the first one it finds.
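Because the -S output is exactly what -D expects, the translation from the "Listing rules by specification" section to this one can be scripted. The following shell script is an added example, not part of the original tutorial: it takes iptables -S output (the tutorial's own listing, embedded as a constructed sample so it runs without root) and turns the -A lines matching a pattern into ready-to-run iptables -D commands, skipping the -P and -N lines, which are not rules and cannot be deleted this way. The function name delete_cmds and the sample variable are my own.

```shell
#!/bin/sh
# Added example, not from the original tutorial: generate `iptables -D`
# commands from `iptables -S` output.
#
# SAMPLE_SPEC is the tutorial's own `iptables -S` listing, embedded as a
# constructed sample so the script runs without root or a live firewall.
SAMPLE_SPEC='-P INPUT DROP
-P FORWARD DROP
-P OUTPUT ACCEPT
-N ICMP
-N TCP
-N UDP
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -p udp -m conntrack --ctstate NEW -j UDP
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m conntrack --ctstate NEW -j TCP
-A INPUT -p icmp -m conntrack --ctstate NEW -j ICMP
-A INPUT -p udp -j REJECT --reject-with icmp-port-unreachable
-A INPUT -p tcp -j REJECT --reject-with tcp-reset
-A INPUT -j REJECT --reject-with icmp-proto-unreachable
-A TCP -p tcp -m tcp --dport 22 -j ACCEPT'

# delete_cmds PATTERN [CHAIN]
#   Reads `iptables -S` output on stdin and prints one `iptables -D ...`
#   command per rule whose text matches the extended regex PATTERN,
#   optionally limited to CHAIN. Only -A lines are considered: -P (policy)
#   and -N (chain definition) lines are not rules and cannot be passed to -D.
#   Everything after "-A CHAIN" is copied verbatim, because -D only deletes
#   a rule whose matches and target are identical to what was loaded.
delete_cmds() {
    pattern=$1
    chain=${2:-}
    grep -E "^-A ${chain:-[A-Za-z0-9_-]+} " \
        | grep -E -- "$pattern" \
        | sed 's/^-A /iptables -D /'
}

# Offline demonstration against the embedded sample: the three REJECT rules.
printf '%s\n' "$SAMPLE_SPEC" | delete_cmds 'REJECT' INPUT
# Live use (read the generated commands before feeding them to a shell):
#   sudo iptables -S INPUT | delete_cmds 'ctstate INVALID' INPUT | sudo sh
```

Always review the generated list before executing it: a loose pattern such as ACCEPT matches more than you intend, and the deletions are applied immediately without confirmation.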

Delete rules based on chain and number

Another way to delete iptables rules is by chain and rule number. To find a rule's number, list the rules in table format with the --line-numbers option:

sudo iptables -L --line-numbers
Output
Chain INPUT (policy DROP)
num target prot opt source destination
1 ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED
2 ACCEPT all -- anywhere anywhere
3 DROP all -- anywhere anywhere ctstate INVALID
4 UDP udp -- anywhere anywhere ctstate NEW
5 TCP tcp -- anywhere anywhere tcp flags:FIN,SYN,RST,ACK/SYN ctstate NEW
6 ICMP icmp -- anywhere anywhere ctstate NEW
7 REJECT udp -- anywhere anywhere reject-with icmp-port-unreachable
8 REJECT tcp -- anywhere anywhere reject-with tcp-reset
9 REJECT all -- anywhere anywhere reject-with icmp-proto-unreachable
10 ACCEPT tcp -- anywhere anywhere tcp dpt:ssh ctstate NEW,ESTABLISHED

This adds a num column showing the line number of each rule within its chain.

Once you know which rule you want to delete, note the chain name and the rule number. Then run iptables -D followed by the chain name and the rule number.

For example, to delete the INPUT rule that drops invalid packets, which the listing shows as rule 3, run this command:

sudo iptables -D INPUT 3
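Deleting by number is easy to script too, but the numbers shift as soon as one rule is gone. The script below is an added example, not from the original tutorial: it parses iptables -L --line-numbers output (a constructed sample built from the listing above, with the TCP chain added to show that numbering restarts in each chain), selects the rules in one chain that match a pattern, and emits the iptables -D CHAIN N commands highest number first, so each deletion leaves the remaining numbers valid. The function name delete_by_number and the sample variable are my own.

```shell
#!/bin/sh
# Added example, not from the original tutorial: turn `iptables -L
# --line-numbers` output into `iptables -D CHAIN N` commands, ordered so
# that executing them top to bottom does not invalidate later numbers.
#
# SAMPLE_NUMBERED is constructed from the tutorial's listing; the TCP chain
# is added to show that each chain has its own numbering.
SAMPLE_NUMBERED='Chain INPUT (policy DROP)
num  target     prot opt source               destination
1    ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
2    ACCEPT     all  --  anywhere             anywhere
3    DROP       all  --  anywhere             anywhere             ctstate INVALID
4    UDP        udp  --  anywhere             anywhere             ctstate NEW
5    TCP        tcp  --  anywhere             anywhere             tcp flags:FIN,SYN,RST,ACK/SYN ctstate NEW
6    ICMP       icmp --  anywhere             anywhere             ctstate NEW
7    REJECT     udp  --  anywhere             anywhere             reject-with icmp-port-unreachable
8    REJECT     tcp  --  anywhere             anywhere             reject-with tcp-reset
9    REJECT     all  --  anywhere             anywhere             reject-with icmp-proto-unreachable
10   ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:ssh ctstate NEW,ESTABLISHED

Chain TCP (1 references)
num  target     prot opt source               destination
1    ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:ssh'

# delete_by_number CHAIN PATTERN
#   Reads `iptables -L --line-numbers` output on stdin, remembers which
#   chain each numbered line belongs to, selects the rules in CHAIN whose
#   text matches the extended regex PATTERN, and prints one
#   `iptables -D CHAIN N` per rule with the highest N first. Deleting the
#   lowest number first would shift every rule below it up by one and make
#   the remaining numbers stale; descending order avoids that.
delete_by_number() {
    awk -v chain="$1" -v pat="$2" '
        /^Chain / { cur = $2; next }                 # "Chain INPUT (policy DROP)"
        cur == chain && $1 ~ /^[0-9]+$/ && $0 ~ pat { nums[$1] = 1 }
        END {
            n = 0
            for (k in nums) keys[++n] = k + 0
            # insertion sort, descending (plain POSIX awk has no asort)
            for (i = 2; i <= n; i++) {
                v = keys[i]; j = i - 1
                while (j > 0 && keys[j] < v) { keys[j + 1] = keys[j]; j-- }
                keys[j + 1] = v
            }
            for (i = 1; i <= n; i++) printf "iptables -D %s %d\n", chain, keys[i]
        }'
}

# Offline demonstration against the embedded sample: the INPUT REJECT rules.
printf '%s\n' "$SAMPLE_NUMBERED" | delete_by_number INPUT REJECT
# Live use:  sudo iptables -L --line-numbers | delete_by_number INPUT REJECT | sudo sh
```

Even with descending order, the numbers are only valid for the listing they were taken from; if anything else modifies the chain between listing and deleting, list again.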

Rule numbers are positions, not stable identifiers: as soon as a rule is deleted, every rule after it in the chain moves up by one. If you delete several rules by number, either list the chain again after each deletion or delete from the highest number to the lowest.

Now that you know how to delete individual firewall rules, let's look at how to clear whole chains.

Flushing chains

Iptables provides a way to remove all rules in a chain, or flush a chain. In this section we will cover a variety of ways to do this.

Flushing a chain

To flush a specific chain, which removes all rules in the chain, use the -F option (or its long form, --flush) followed by the chain name.

For example, to delete all rules in the chain INPUT, run this command:

sudo iptables -F INPUT

Flushing all chains

To flush all chains in a table, which removes all of its firewall rules, use the -F option (or --flush) alone. Without -t this acts on the filter table. Note that flushing does not change chain policies: if the INPUT policy is DROP, flushing INPUT drops all incoming traffic, including your SSH session, so set the policy to ACCEPT first if you are working remotely.

sudo iptables -F

Flush all rules, remove all chains, and accept all

This section shows you how to clear all your firewall rules, tables, and chains and allow all network traffic.

First, set the default policies for each of the internal chains to ACCEPT. The main reason for doing this is to ensure that you don't get locked out of your server via SSH:

sudo iptables -P INPUT ACCEPT
sudo iptables -P FORWARD ACCEPT
sudo iptables -P OUTPUT ACCEPT

Then flush the nat and mangle tables, flush all chains in the filter table (-F), and delete all non-default chains (-X). Both -F and -X act on the filter table unless -t names another table, so if you created your own chains in nat or mangle, run -X with -t for those tables too:

sudo iptables -t nat -F
sudo iptables -t mangle -F
sudo iptables -F
sudo iptables -X

Your firewall will now allow all IPv4 traffic. If you list your rules, you will see that there are none, leaving only the three default chains (INPUT, FORWARD, and OUTPUT). IPv6 has a separate rule set managed by ip6tables, which these commands do not touch; repeat them with ip6tables if you also have IPv6 rules.
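The reset sequence as one script, as an added example that is not part of the original tutorial. It extends the commands above in three ways: it also flushes the raw table, runs -X in every table, and repeats everything with ip6tables, which keeps a separate rule set that the iptables commands do not touch. The ordering is the point: policies go to ACCEPT before any flush so an SSH session survives, and -X runs after -F because a chain cannot be deleted while a rule still references it. With DRY_RUN=1 the commands are printed instead of executed. The helper names run, reset_family and reset_firewall are my own.

```shell
#!/bin/sh
# Added example, not from the original tutorial: reset iptables and
# ip6tables to "accept everything, no rules, no user-defined chains",
# in an order that does not lock out a remote session.
#
# Usage:  sudo sh reset.sh --apply        (really do it)
#         sh reset.sh --dry-run           (print the commands only)

# run CMD ARGS...: execute, or with DRY_RUN=1 just print the command line.
run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# reset_family TOOL: TOOL is iptables (IPv4) or ip6tables (IPv6).
reset_family() {
    tool=$1
    # 1. Accept everything in the built-in filter chains BEFORE touching the
    #    rules; with policy DROP, the flush below would cut off SSH.
    for chain in INPUT FORWARD OUTPUT; do
        run "$tool" -P "$chain" ACCEPT
    done
    # 2. Flush every table, then delete its user-defined chains. -F and -X
    #    default to the filter table, so each table is named with -t.
    #    -X must come after -F: a chain still referenced by a rule cannot
    #    be deleted.
    for table in filter nat mangle raw; do
        run "$tool" -t "$table" -F
        run "$tool" -t "$table" -X
    done
}

# reset_firewall: both address families, IPv4 first.
reset_firewall() {
    reset_family iptables
    reset_family ip6tables
}

case "${1:-}" in
    --apply)   reset_firewall ;;
    --dry-run) DRY_RUN=1; reset_firewall ;;
esac
```

The dry run is worth doing once on a new host: it shows 22 commands (3 policies plus 4 tables times 2 per family) and confirms the policy lines come first. Remember that, like every other change in this tutorial, the result is not persistent across reboots unless you save it.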

Conclusion

After going through this tutorial, you have seen how to list and delete your iptables firewall rules. Remember that any iptables changes made via the iptables command are transient and must be saved to persist across server reboots. This is covered in the Saving Rules section of the Common Firewall Rules and Commands tutorial.
