How To List and Delete Iptables Firewall Rules
By Mitchell Anicas
Last Validated on November 11, 2020. Originally Published on August 14, 2015.
Introduction
Iptables is a firewall that plays an essential role in network security for most Linux systems. While many iptables tutorials will teach you how to create firewall rules to secure your server, this one will focus on a different aspect of firewall management: listing and deleting rules.
In this tutorial, we will cover how to do the following iptables tasks:
• List rules
• Clear Packet and Byte Counters
• Delete rules
• Flush chains (delete all rules in a chain)
• Flush all chains and tables, delete all chains, and accept all traffic
Note:
When working with firewalls, take care not to lock yourself out of your own server by blocking SSH traffic (port 22, by default). If you lose access due to your firewall settings, you may need to connect to it via an out-of-band console to fix your access.
Prerequisites
This tutorial assumes you are using a Linux server with the iptables command installed, and that your user has sudo privileges.
If you need help with this initial setup, please refer to our Initial Server Setup with Ubuntu 20.04 guide. It is also available for Debian and CentOS.
Let’s look at how to list rules first. There are two different ways to view your active iptables rules: in a table or as a list of rule specifications. Both methods provide roughly the same information in different formats.
Listing Rules by Specification
To list out all of the active iptables rules by specification, run the iptables command with the -S option:
• sudo iptables -S
Output
-P INPUT DROP
-P FORWARD DROP
-P OUTPUT ACCEPT
-N ICMP
-N TCP
-N UDP
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -p udp -m conntrack --ctstate NEW -j UDP
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m conntrack --ctstate NEW -j TCP
-A INPUT -p icmp -m conntrack --ctstate NEW -j ICMP
-A INPUT -p udp -j REJECT --reject-with icmp-port-unreachable
-A INPUT -p tcp -j REJECT --reject-with tcp-reset
-A INPUT -j REJECT --reject-with icmp-proto-unreachable
-A TCP -p tcp -m tcp --dport 22 -j ACCEPT
As you can see, the output looks just like the commands that were used to create the rules, without the preceding iptables command. This will also look similar to the iptables rules configuration files, if you’ve ever used iptables-persistent or iptables-save.
Listing a Specific Chain
If you want to limit the output to a specific chain (INPUT, OUTPUT, TCP, etc.), you can specify the chain name directly after the -S option. For example, to show all of the rule specifications in the TCP chain, you would run this command:
• sudo iptables -S TCP
Output
-N TCP
-A TCP -p tcp -m tcp --dport 22 -j ACCEPT
Now let’s take a look at the alternative way to view the active iptables rules, as a table of rules.
Listing Rules as Tables
Listing the iptables rules in the table view can be useful for comparing different rules against each other.
To output all of the active iptables rules in a table, run the iptables command with the -L option:
• sudo iptables -L
This will output all of current rules sorted by chain.
If you want to limit the output to a specific chain (INPUT, OUTPUT, TCP, etc.), you can specify the chain name directly after the -L option. Let’s take a look at an example INPUT chain:
• sudo iptables -L INPUT
Output
Chain INPUT (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
ACCEPT     all  --  anywhere             anywhere
DROP       all  --  anywhere             anywhere             ctstate INVALID
UDP        udp  --  anywhere             anywhere             ctstate NEW
TCP        tcp  --  anywhere             anywhere             tcp flags:FIN,SYN,RST,ACK/SYN ctstate NEW
ICMP       icmp --  anywhere             anywhere             ctstate NEW
REJECT     udp  --  anywhere             anywhere             reject-with icmp-port-unreachable
REJECT     tcp  --  anywhere             anywhere             reject-with tcp-reset
REJECT     all  --  anywhere             anywhere             reject-with icmp-proto-unreachable
The first line of output indicates the chain name (INPUT, in this case), followed by its default policy (DROP). The next line consists of the headers of each column in the table, and is followed by the chain’s rules. Let’s go over what each header indicates:
• target: If a packet matches the rule, the target specifies what should be done with it. For example, a packet can be accepted, dropped, logged, or sent to another chain to be compared against more rules
• prot: The protocol, such as tcp, udp, icmp, or all
• opt: Rarely used, this column indicates IP options
• source: The source IP address or subnet of the traffic, or anywhere
• destination: The destination IP address or subnet of the traffic, or anywhere
The last column, which is not labeled, indicates the options of a rule. That is, any part of the rule that isn’t indicated by the previous columns. This could be anything from source and destination ports, to the connection state of the packet.
Showing Packet Counts and Aggregate Size
When listing iptables rules, it is also possible to show the number of packets, and the aggregate size of the packets in bytes, that matched each particular rule. This is often useful when trying to get a rough idea of which rules are matching against packets. To do so, use the -L and -v options together.
For example, let’s look at the INPUT chain again, with the -v option:
• sudo iptables -L INPUT -v
Output
Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
 284K   42M ACCEPT     all  --  any    any     anywhere             anywhere             ctstate RELATED,ESTABLISHED
    0     0 ACCEPT     all  --  lo     any     anywhere             anywhere
    0     0 DROP       all  --  any    any     anywhere             anywhere             ctstate INVALID
  396 63275 UDP        udp  --  any    any     anywhere             anywhere             ctstate NEW
17067 1005K TCP        tcp  --  any    any     anywhere             anywhere             tcp flags:FIN,SYN,RST,ACK/SYN ctstate NEW
 2410  154K ICMP       icmp --  any    any     anywhere             anywhere             ctstate NEW
  396 63275 REJECT     udp  --  any    any     anywhere             anywhere             reject-with icmp-port-unreachable
 2916  179K REJECT     all  --  any    any     anywhere             anywhere             reject-with icmp-proto-unreachable
    0     0 ACCEPT     tcp  --  any    any     anywhere             anywhere             tcp dpt:ssh ctstate NEW,ESTABLISHED
Note that the listing now has two additional columns, pkts and bytes.
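The pkts column is the quickest way to spot rules that have never fired, which is what you want to know before deleting a rule you suspect is dead. The following POSIX shell script is an added example, not part of the original tutorial: it runs awk over a constructed iptables -L INPUT -v listing (embedded as SAMPLE_VERBOSE_LISTING, in the format shown above) and reports every rule whose packet counter is zero, numbered the way --line-numbers would number them. The function names are my own.

```shell
#!/bin/sh
# Added example, not part of the original tutorial: pick out the rules in an
# "iptables -L <chain> -v" listing whose packet counter is still zero.
# SAMPLE_VERBOSE_LISTING is a constructed sample in the format shown above;
# on a real server you would capture it with: sudo iptables -L INPUT -v -n

SAMPLE_VERBOSE_LISTING='Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
 284K   42M ACCEPT     all  --  any    any     anywhere             anywhere             ctstate RELATED,ESTABLISHED
    0     0 ACCEPT     all  --  lo     any     anywhere             anywhere
    0     0 DROP       all  --  any    any     anywhere             anywhere             ctstate INVALID
  396 63275 UDP        udp  --  any    any     anywhere             anywhere             ctstate NEW
    0     0 ACCEPT     tcp  --  any    any     anywhere             anywhere             tcp dpt:ssh ctstate NEW,ESTABLISHED'

# Print "<num> <target> <prot> <opt> <in> <out> <source> <destination> <options>"
# for every rule whose pkts column is 0. <num> counts rules the way
# "iptables -L --line-numbers" does, so it can be used with "iptables -D <chain> <num>".
unmatched_rules() {
    printf '%s\n' "$1" | awk '
        /^Chain /        { next }   # chain header carrying the policy counters
        $1 == "pkts"     { next }   # column header
        NF == 0          { next }   # blank line
        { n++ }                     # every remaining line is one rule
        $1 == "0" {
            printf "%d %s", n, $3
            for (i = 4; i <= NF; i++) printf " %s", $i
            printf "\n"
        }'
}

# Number of rules in the listing that have matched at least one packet.
matched_rule_count() {
    printf '%s\n' "$1" | awk '
        /^Chain / || $1 == "pkts" || NF == 0 { next }
        $1 != "0" { c++ }
        END { print c + 0 }'
}

# Number of rules in the listing that have never matched a packet.
unmatched_rule_count() {
    unmatched_rules "$1" | awk 'END { print NR }'
}

unmatched_rules "$SAMPLE_VERBOSE_LISTING"
```

A zero counter does not by itself make a rule safe to delete: the lo and ssh rules in the sample have zero hits simply because nothing has used them since the counters were last zeroed (see the next section), so read the counters together with when they were last reset. Passing -n to iptables keeps the listing numeric, which avoids the reverse DNS lookups that otherwise turn addresses into names like "anywhere".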
Now that you know how to list the active firewall rules in a variety of ways, let’s look at
how you can reset the packet and byte counters.
Resetting Packet Counts and Aggregate Size
If you want to clear, or zero, the packet and byte counters for your rules, use the -Z option. They also reset if a reboot occurs. This is useful if you want to see if your server is receiving new traffic that matches your existing rules.
To clear the counters for all chains and rules, use the -Z option by itself:
• sudo iptables -Z
To clear the counters for all rules in a specific chain, use the -Z option and specify the chain. For example, to clear the INPUT chain counters run this command:
• sudo iptables -Z INPUT
If you want to clear the counters for a specific rule, specify the chain name and the rule number. For example, to zero the counters for the 1st rule in the INPUT chain, run this:
• sudo iptables -Z INPUT 1
Now that you know how to reset the iptables packet and byte counters, let’s look at the two methods that can be used to delete rules.
Deleting Rules by Specification
One of the ways to delete iptables rules is by rule specification. To do so, you can run the iptables command with the -D option followed by the rule specification. If you want to delete rules using this method, you can use the output of the rules list, iptables -S, for some help.
For example, if you want to delete the rule that drops invalid incoming packets (-A INPUT -m conntrack --ctstate INVALID -j DROP), you could run this command:
• sudo iptables -D INPUT -m conntrack --ctstate INVALID -j DROP
Note that the -A option, which is used to indicate the rule position at creation time, should be excluded here.
Deleting Rules by Chain and Number
The other way to delete an iptables rule is by its chain and line number. To determine a rule’s line number, list the rules in the table format and add the --line-numbers option:
• sudo iptables -L --line-numbers
Output
Chain INPUT (policy DROP)
num  target     prot opt source               destination
1    ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
2    ACCEPT     all  --  anywhere             anywhere
3    DROP       all  --  anywhere             anywhere             ctstate INVALID
4    UDP        udp  --  anywhere             anywhere             ctstate NEW
5    TCP        tcp  --  anywhere             anywhere             tcp flags:FIN,SYN,RST,ACK/SYN ctstate NEW
6    ICMP       icmp --  anywhere             anywhere             ctstate NEW
7    REJECT     udp  --  anywhere             anywhere             reject-with icmp-port-unreachable
8    REJECT     tcp  --  anywhere             anywhere             reject-with tcp-reset
9    REJECT     all  --  anywhere             anywhere             reject-with icmp-proto-unreachable
10   ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:ssh ctstate NEW,ESTABLISHED
...
This adds the line number to each rule row, indicated by the num header.
Once you know which rule you want to delete, note the chain and line number of the rule. Then run the iptables -D command followed by the chain and rule number.
For example, if we want to delete the input rule that drops invalid packets, we can see that it’s rule 3 of the INPUT chain. So we should run this command:
• sudo iptables -D INPUT 3
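Both deletion methods above start from a listing, and both have a trap: a -D by specification must match the rule text exactly (the page's point about dropping -A), and a -D by number refers to a position that changes as soon as another rule in the same chain is removed. The following POSIX shell functions are an added example, not part of the original tutorial, and work on a constructed iptables -S listing (SAMPLE_RULES) rather than a live firewall: delete_command_for rewrites an -A line into the equivalent -D command, rule_number computes the --line-numbers position of a rule inside its chain and refuses to answer when the rule is not present, and delete_commands_by_number orders several deletions so that the numbers stay valid. The function and variable names are my own.

```shell
#!/bin/sh
# Added example, not part of the original tutorial: helpers that turn an
# "iptables -S" listing into deletion commands, both by specification and
# by chain-and-number. SAMPLE_RULES is a constructed listing in the format
# shown above; on a real server you would capture it with: sudo iptables -S

SAMPLE_RULES='-P INPUT DROP
-P FORWARD DROP
-P OUTPUT ACCEPT
-N TCP
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m conntrack --ctstate NEW -j TCP
-A TCP -p tcp -m tcp --dport 22 -j ACCEPT'

# Delete by specification: an "-A CHAIN spec" line becomes "iptables -D CHAIN spec".
# Policy (-P) and new-chain (-N) lines are not rules and are rejected.
delete_command_for() {
    case "$1" in
        -A\ *) printf 'iptables -D %s\n' "${1#-A }" ;;
        *)     printf 'not an append rule: %s\n' "$1" >&2; return 1 ;;
    esac
}

# Delete by number: the position of a rule inside its chain, counted the way
# "iptables -L --line-numbers" numbers it. Prints nothing and returns 1 when the
# rule is not in the listing, so a caller never deletes a guessed number.
rule_number() {
    listing=$1
    rule=$2
    chain=$(printf '%s\n' "$rule" | awk '{ print $2 }')
    printf '%s\n' "$listing" | awk -v chain="$chain" -v rule="$rule" '
        $1 == "-A" && $2 == chain { n++; if ($0 == rule) { print n; found = 1; exit } }
        END { exit found ? 0 : 1 }'
}

# Deleting several rules by number: each deletion renumbers the rules below it,
# so emit the commands from the highest number to the lowest.
delete_commands_by_number() {
    chain=$1
    shift
    for num in "$@"; do printf '%s\n' "$num"; done | sort -rn |
    while read -r num; do
        printf 'iptables -D %s %s\n' "$chain" "$num"
    done
}

delete_command_for '-A INPUT -m conntrack --ctstate INVALID -j DROP'
rule_number "$SAMPLE_RULES" '-A INPUT -m conntrack --ctstate INVALID -j DROP'
delete_commands_by_number INPUT 2 4 3
```

Run against the sample, the invalid-packet rule is reported as rule 3 of INPUT, matching the tutorial's own sudo iptables -D INPUT 3, and deleting rules 2, 3 and 4 together is emitted as 4, 3, 2. The functions only print commands; review the output and then run it with sudo, which keeps a typo in a rule number from removing the wrong rule.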
Now that you know how to delete individual firewall rules, let’s go over how you can flush chains of rules.
Flushing Chains
Iptables offers a way to delete all rules in a chain, or flush a chain. This section will cover the variety of ways to do this.
Note:
Be careful to not lock yourself out of your server, via SSH, by flushing a chain with a default policy of drop or deny. If you do, you may need to connect to it via the console to fix your access.
Flushing a Single Chain
To flush a specific chain, which will delete all of the rules in the chain, you may use the -F, or the equivalent --flush, option and the name of the chain to flush.
For example, to delete all of the rules in the INPUT chain, run this command:
• sudo iptables -F INPUT
Flushing All Chains
To flush all chains, which will delete all of the firewall rules, you may use the -F, or the equivalent --flush, option by itself:
• sudo iptables -F
Flushing All Rules, Deleting All Chains, and Accepting All
This section will show you how to flush all of your firewall rules, tables, and chains, and allow all network traffic.
Note:
This will effectively disable your firewall. You should only follow this section if you want to start over the configuration of your firewall.
First, set the default policies for each of the built-in chains to ACCEPT. The main reason to do this is to ensure that you won’t be locked out from your server via SSH:
• sudo iptables -P INPUT ACCEPT
• sudo iptables -P FORWARD ACCEPT
• sudo iptables -P OUTPUT ACCEPT
Then flush the nat and mangle tables, flush all chains (-F), and delete all non-default chains (-X):
• sudo iptables -t nat -F
• sudo iptables -t mangle -F
• sudo iptables -F
• sudo iptables -X
Your firewall will now allow all network traffic. If you list your rules now, you will see there are none, and only the three default chains (INPUT, FORWARD, and OUTPUT) remain.
Conclusion
After going through this tutorial, you should be familiar with how to list and delete your iptables firewall rules.
Remember that any iptables changes via the iptables command are ephemeral, and need to be saved to persist through server reboots. This is covered in the Saving Rules section of the Common Firewall Rules and Commands tutorial.
https://www.digitalocean.com/community/tutorials/how-to-list-and-delete-iptables-firewall-rules