Delete a iptables chain with its all rules

You can't delete chains when rules with '-j CHAINTODELETE' are referencing them. Figure out what is referencing your chain (the link), and remove that. Also, flush then kill.

-F, --flush [chain]

Flush the selected chain (all the chains in the table if none is given). This is equivalent to deleting all the rules one by one.

-X, --delete-chain [chain]

Delete the optional user-defined chain specified. There must be no references to the chain. If there are, you must delete or replace the referring rules before the chain can be deleted. The chain must be empty, i.e. not contain any rules. If no argument is given, it will attempt to delete every non-builtin chain in the table.

This is potentially off-topic, but it's what I did after I found this post! For some use cases the iptables -D option might be useful. Since it allows you to clear out referring rules added programmatically with -A (if you know precisely how you added them).

E.g

    iptables -N MYCHAIN
    iptables -A INPUT -i interface -j MYCHAIN
    iptables -A MYCHAIN -j ACCEPT

can be reversed with

   iptables -D INPUT -i interface -j MYCHAIN
   iptables --flush MYCHAIN
   iptables -X MYCHAIN

You need two steps, but this does it in one command.

Create a file, and place this in it.

# Empty the entire filter table
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT

Save the file as "clear-all-rules". Now, do this command:

iptables-restore < clear-all-rules

Now you can clear it anytime with just one command.

Here's an alternate plan. It involves three commands, not one, but with luck, it should work.

Dump your iptables ruleset to a file:

iptables-save > /tmp/iptables.txt

Remove ALL uses of (and references to) the offending chain:

sed -i '/i_XXXXX_i/d' /tmp/iptables.txt

Then reload the ruleset:

iptables-restore < /tmp/iptables.txt && rm /tmp/iptables.txt

In the iptables man file there is an option -S

S, --list-rules [chain] Print all rules in the selected chain. If no chain is selected, all chains are printed like iptables-save. Like every other iptables command, it applies to the specified table (filter is the default).

By using iptables -S | grep <CHAINNAMEHERE>. For examples:

root@root:~# iptables -S | grep TRAFFICLOG

-N TRAFFICLOG

-A FORWARD -i eth0 -j TRAFFICLOG

you can then see which rules are blocking the deletion of the chain from the table. Go through each rule (except the iptables -N <CHAINNAMEHERE> and delete the rule by using the -D option

-D, --delete chain rulenum Delete one or more rules from the selected chain. There are two versions of this command: the rule can be specified as a number in the chain (starting at 1 for the first rule) or a rule to match.

For example iptables -D FORWARD -i eth0 -j TRAFFICLOG. After you have deleted each rule for your chain flush the chain with the -F option, iptables -F <CHAINNAMEHERE>.

-F, --flush [chain] Flush the selected chain (all the chains in the table if none is given). This is equivalent to deleting all the rules one by one.

Then delete your chain with the -X option, iptables -X <CHAINNAMEHERE>

-X, --delete-chain [chain] Delete the optional user-defined chain specified. There must be no references to the chain. If there are, you must delete or replace the referring rules before the chain can be deleted. The chain must be empty, i.e. not contain any rules. If no argument is given, it will attempt to delete every non-builtin chain in the table.

Iptables is a complicated tool set so an ideal tutorial is needed. You can try one out at www.iptables.info

Something along these lines will get all of them in a single line without taking iptables down in any way.

for chain in `iptables -L |grep i_XXXXX_i|awk '{ print $2 }'`; do iptables -X $chain; done

This will spit out chains and delete them

for i in $(iptables -S | awk '{print $2}' | uniq ); do iptables -F $i && iptables -Z $i && iptables -X $i  ; done

I have found that you can remove the rules and chain by editing the rules file in /etc/iptables/rules.v4. If you delete the unwanted chain in this file and then reload iptables, you should no longer see the chain when doing a iptables -L.