Home / server / Questions / 200635
Accepted
kagali-san
Asked: 2010-11-11 19:18:02 +0800 CST

best way to clear all iptables rules

  • 772

I currently have this snippet:

# flush all chains
iptables -F
iptables -t nat -F
iptables -t mangle -F
# delete all chains
iptables -X

Is there a possibility that some impervious rule will stay alive after running this?

The idea is to have a completely clean iptables config, that can be easily replaced by new ruleset (nevermind routes/ifconfig's parameters).

firewall linux iptables

11 Answers

  1. Best Answer

    To answer your question succinctly, no: there would not be any "leftover" rules after flushing every table. In the interest of being thorough however, you may want to set the policy for the built-in INPUT and FORWARD chains to ACCEPT, as well:

    iptables -P INPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -P OUTPUT ACCEPT
iptables -t nat -F
iptables -t mangle -F
iptables -F
iptables -X

    Clear ip6tables rules:

    ip6tables -P INPUT ACCEPT
ip6tables -P FORWARD ACCEPT
ip6tables -P OUTPUT ACCEPT
ip6tables -t nat -F
ip6tables -t mangle -F
ip6tables -F
ip6tables -X

    ...and that should do it. iptables -nvL should produce this (or very similar) output:

    Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    • 184

  2. This will correctly totally reset your iptables system to a very basic state:

    iptables-save | awk '/^[*]/ { print $1 } 
                     /^:[A-Z]+ [^-]/ { print $1 " ACCEPT" ; }
                     /COMMIT/ { print $0; }' | iptables-restore

    All policies will be reset to ACCEPT as well as flushing every table in current use. All chains other than the built in chains will no longer exist.

    • 42

  3. One can do this in 1 or 2 commands:

     $ sudo iptables-save > iptables.bak
 $ sudo iptables -F

    Result:

    $ sudo iptables -nvL
Chain INPUT (policy ACCEPT 3138 packets, 5567K bytes)
pkts bytes target     prot opt in     out     source               destination         

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy ACCEPT 3602 packets, 6547K bytes)
pkts bytes target     prot opt in     out     source               destination
    • 4

  4. Backups configuration to iptables_backup.conf and clean all rules.

    iptables-save | tee iptables_backup.conf | grep -v '\-A' | iptables-restore

    To restore previous configuration:

    iptables-restore < iptables_backup.conf
    • 4

  5. Whenever I need the firewall disabled is something like this:

    • iptables-save > iptables.bak
    • service iptables stop (i'm on fedora)
    • 3

  6. You can just unload iptables' modules from the kernel:

    modprobe -r iptable_raw iptable_mangle iptable_security iptable_nat iptable_filter

    UPD Unfortunately, too good to be true. As long as there's a rule or a user-defined chain in a table, corresponding module's reference count is 1, and modprobe -r fails. You might delete rules and user-defined chains like so:

    echo $'*raw\nCOMMIT\n*mangle\nCOMMIT\n*security\nCOMMIT\n*nat\nCOMMIT\n*filter\nCOMMIT' | iptables-restore

    or:

    iptables-save | awk '/^[*]/ { print $1 "\nCOMMIT" }' | iptables-restore

    Also, you might want to unload modules this way (no hardcoding module names):

    lsmod | egrep ^iptable_ | awk '{print $1}' | xargs -rd\\n modprobe -r

    On the bright side, after this iptables-save produces nice empty output :)

    • 3

  7. I've had to block all connections recently what I ended up doing was 

    iptables-policy INPUT DROP
iptables-policy OUTPUT DROP
iptables-policy FORWARD DROP

    as for saving I'd recommend the following

    Ubuntu:

    /etc/init.d/iptables save
/sbin/service iptables save

    RedHat/CentOS:

    /etc/init.d/iptables save
/sbin/iptables-save

    In addition to backup all current ufw rules Ive used this in the past

    cp /lib/ufw/{user.rules,user6.rules} /<BACKUP LOCATION> 
cp /lib/ufw/{user.rules,user6.rules} ./

    I think this may be useful for future reference. Thought I would share.

    • 1

  8. This worked for me (on Ubuntu 18.04):

    sudo bash -c "ufw -f reset && iptables -F && iptables -X && ufw allow 22 && ufw -f enable"

    It resets (and disables) ufw and then resets iptables clearing and removing all chains. Then it enables the ufw again, but not before it allows port 22 for remote access. The two commands that require user confirmation are "forced" ensuring no input is required. I was able to run this over an active SSH connection.

    (source)

    • 1

  9. Here is how I remove all DROP rules:

    iptables -S |grep DROP| sed 's/-A/-D/' >rules  # -A becomes -D: delete
nano rules  # check that everything is correct
cat rules | while read line; do iptables $line; done
iptables-save

    Done!

    • 1 
  10. sudo iptables -t nat -F
sudo iptables -t mangle -F
sudo iptables -t filter -F
sudo iptables -t raw -F

sudo iptables -t nat -X
sudo iptables -t mangle -X
sudo iptables -t filter -X
sudo iptables -t raw -X

echo "=== NAT ==="; sudo iptables -t nat -S; echo "\n=== MANGLE ==="; sudo iptables -t mangle -S; echo "\n=== FILTER ==="; sudo iptables -t filter -S; echo "\n=== RAW ==="; sudo iptables -t raw -S
    • 0