Iptables is a firewall that plays an important role in network security on the majority of Linux systems. This guide shows you how to list and delete Iptables firewall rules.
Note: When working with firewalls, make sure that you do not lock yourself out of your instance by blocking SSH traffic (port 22 by default). If you lose access as a result of firewall settings, you must connect to the instance through the console to resolve the access issue.
In this guide, we run the commands on a Linux instance that has Iptables installed and a user with sudo permissions. If Iptables is not yet installed on your instance, refer to our “guide on the Iptables firewall and how it works.”
Viewing the List of Rules Based on the Specs
To begin, let’s see how to list the rules. You have two options for listing active Iptables rules: as a table or as a list of rule specifications. Both methods provide almost the same information in different formats.
If you want to list all active Iptables rules by specification, run the iptables command using the -S flag:
sudo iptables -S
Listing a Specific Chain
To limit the output to a specific chain (INPUT, OUTPUT, TCP, etc.), enter the name of the chain after the -S flag. As an example, to list all rule specifications in a TCP chain, use this command:
sudo iptables -S TCP
List Rules in Table View
You may find listing Iptables rules in a table view helpful for comparing different rules with each other. To list all active Iptables rules in a table, simply run the Iptables command with -L:
sudo iptables -L
This will display all current rules, chain by chain.
When you want to limit the output to a specific chain (INPUT, OUTPUT, TCP, etc.), it is possible to enter the name of the chain after the -L flag.
sudo iptables -L INPUT
The first line of the output gives the name of the chain (in this case INPUT) followed by its default policy (DROP). The next line holds the column names of the table, followed by the rules in the chain:
- target: When a packet matches the rule, the target indicates what to do with it. As an example, a packet may be accepted, rejected, logged, or sent to another chain for comparison with other rules.
- prot: Protocol, such as tcp, udp, icmp or all.
- opt: This column is rarely used and shows IP options.
- source: The source IP address or subnet of the traffic, or anywhere.
- destination: Destination IP address or traffic subnet or anywhere.
The final column, which does not have a name, indicates the options for a rule, which is any part of the rule not indicated in the previous columns. This column’s value may be anything from the source and destination ports to the connection status of the packet.
Display the Number of Packets and Total Size
When listing Iptables rules, it is possible to show the number of packets and the total size in bytes of the packets matching a particular rule. This is useful when you want an overview of which rules match which packets. For this purpose, use the -L and -v options together. As an example, let’s look again at the INPUT chain with the -v flag:
sudo iptables -L INPUT -v
Now, the list has two more columns, which are pkts and bytes.
Resetting the Number of Packets and Total Size
When you want to reset the packet and byte counters for your rules, use the -Z flag. The counters also reset automatically when you restart. Resetting them is useful when you want to see whether your instance is receiving new traffic that matches existing rules.
To reset the counters for all chains and rules, use the -Z flag alone:
sudo iptables -Z
To reset the counters related to all rules in a specific chain, use -Z and indicate the chain. For example, to reset the counters for the INPUT chain, run the following command:
sudo iptables -Z INPUT
To clear the counters of a specific rule, enter the name of the chain followed by the number of the rule. As an example, to reset the counters of the first rule in the INPUT chain, run this command:
sudo iptables -Z INPUT 1
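The comparison below is an added example, not part of the original guide: instead of zeroing the counters with -Z (which also resets totals that other monitoring on the host may read), it takes two listings of the INPUT chain and reports which rules matched new traffic in between. It assumes the -n (numeric addresses) and -x (exact, unabbreviated counters) options of iptables -L; both listings are constructed samples.

```shell
#!/bin/sh
# Added example, not from the original guide: compare two snapshots of
# `sudo iptables -L INPUT -v -n -x` and report which rules matched new
# traffic in between, without zeroing the counters. -x prints exact
# counts instead of abbreviations such as 12K. Both listings below are
# constructed sample output, not captured from a real host.

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
BEFORE="$WORK/before.txt"
AFTER="$WORK/after.txt"

cat >"$BEFORE" <<'EOF'
Chain INPUT (policy DROP 12 packets, 720 bytes)
    pkts      bytes target     prot opt in     out     source               destination
     120       9600 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:22
       5        300 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate INVALID
      40       3200 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
EOF

cat >"$AFTER" <<'EOF'
Chain INPUT (policy DROP 14 packets, 840 bytes)
    pkts      bytes target     prot opt in     out     source               destination
     150      12000 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:22
       5        300 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate INVALID
      41       3280 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
EOF

# counter_delta BEFORE_FILE AFTER_FILE
# Lines 1-2 of each listing are the chain header and column names; rule N
# is line N+2. Prints one line per rule whose pkts counter grew:
#   rule N: +P packets +B bytes <target> <prot> ... <options>
counter_delta() {
    awk '
        FNR == NR { if (FNR > 2) { pk[FNR] = $1; by[FNR] = $2 }; next }
        FNR > 2 {
            dp = $1 - pk[FNR]; db = $2 - by[FNR]
            if (dp > 0) {
                rest = $3
                for (i = 4; i <= NF; i++) rest = rest " " $i
                printf "rule %d: +%d packets +%d bytes %s\n", FNR - 2, dp, db, rest
            }
        }' "$1" "$2"
}

# Live use: take the first snapshot, wait for the traffic of interest,
# take the second, then run counter_delta on the two files.
counter_delta "$BEFORE" "$AFTER"
```

On the sample listings this prints rule 1 (+30 packets) and rule 3 (+1 packet); the INVALID rule is silent because its counters did not change.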
Deleting Rules Based on Spec
One way to remove iptables rules is by rule specification: run the iptables command with the -D flag followed by the rule specification. The rule list output (iptables -S) is a convenient source for the exact specification when you use this method.
To remove a rule that drops invalid input packets (-A INPUT -m conntrack --ctstate INVALID -j DROP), for example, run the following command:
sudo iptables -D INPUT -m conntrack --ctstate INVALID -j DROP
Be aware that the -A flag, which specifies where the rule is added at creation time, must be omitted here; -D takes its place.
Removing Rules Based on Chain and Number
A different way to delete Iptables rules is by chain and line number. You can find the line number of a rule by listing the rules in table format with the --line-numbers option:
sudo iptables -L --line-numbers
This adds a line number to each rule, shown under the num column header.
Once you know which rule you want to delete, note the chain name and the rule’s line number. Then run the iptables -D command with the chain name and that number.
If we want to delete an inbound rule that drops invalid packets, for example, and we see that it is rule 3 in the INPUT chain, we run the command below:
sudo iptables -D INPUT 3
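The script below is an added example, not part of the original guide. It ties the two deletion methods together: rule N in a chain is the N-th -A line for that chain in iptables -S output (the same number -L --line-numbers shows in its num column), so a specification can be mapped to its number(s). It also handles the case the prose above does not: when the same rule exists more than once, -D by specification removes only the first copy per invocation, and deleting by number must go from the highest number down so earlier deletions do not renumber the rest. The rule listing is a constructed sample.

```shell
#!/bin/sh
# Added example, not from the original guide: map a rule specification to
# its number(s) in a chain using `sudo iptables -S CHAIN` output, and
# print -D commands highest number first so that deleting one rule does
# not renumber the ones still to be deleted. The listing below is a
# constructed sample, not captured from a real host.

SPEC_FILE=$(mktemp)
trap 'rm -f "$SPEC_FILE"' EXIT
cat >"$SPEC_FILE" <<'EOF'
-P INPUT DROP
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
EOF

# rule_numbers CHAIN SUBSTRING FILE
# Rule N of a chain is the N-th "-A CHAIN" line in -S output (the -P line
# is the policy, not a rule), which is the same N that -L --line-numbers
# shows in its num column. Prints the numbers of all rules whose
# specification contains SUBSTRING, highest first.
rule_numbers() {
    awk -v chain="$1" -v pat="$2" '
        BEGIN { n = 0; h = 0 }
        $1 == "-A" && $2 == chain {
            n++
            if (index($0, pat) > 0) hits[++h] = n
        }
        END { for (i = h; i >= 1; i--) print hits[i] }' "$3"
}

# delete_commands CHAIN SUBSTRING FILE
# Prints one `sudo iptables -D CHAIN N` line per match, in safe order.
delete_commands() {
    for n in $(rule_numbers "$1" "$2" "$3"); do
        printf 'sudo iptables -D %s %s\n' "$1" "$n"
    done
}

# Dry run: the INVALID rule exists twice (rules 3 and 5). Deleting it by
# specification removes only the first copy per invocation; by number,
# 5 must go before 3.
delete_commands INPUT "--ctstate INVALID -j DROP" "$SPEC_FILE"
```

To apply the commands on a live host, save the current listing with sudo iptables -S INPUT > rules.txt and pipe the output of delete_commands to sh after reviewing it.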
Removing All Chain Rules
Iptables offers a way to delete all rules in a chain. Take care not to block the SSH connection to your instance with a default drop or deny policy. If you do, you will have to connect via the console to fix the inaccessibility issue.
Deleting All Rules on a Single Chain
You can use -F, or the equivalent --flush, followed by the name of a chain to flush that chain, which removes all rules in it.
To flush all rules from the INPUT chain, for example, run this command:
sudo iptables -F INPUT
Deleting All Rules From All Chains
To flush all chains, which removes all firewall rules, use -F or the equivalent --flush alone:
sudo iptables -F
Deleting All Rules and All Chains and Accepting All
The purpose of this section is to explain to you how to delete all firewall rules, tables and chains and accept all network traffic.
Be aware that by doing this, you are disabling your firewall. Only perform this section when you want to reconfigure your firewall from scratch.
To begin, change the default policy of each built-in chain to ACCEPT. This is mainly to ensure that you do not lose your SSH connection to your instance.
sudo iptables -P INPUT ACCEPT
sudo iptables -P FORWARD ACCEPT
sudo iptables -P OUTPUT ACCEPT
After that, flush the nat and mangle tables, flush all chains in the filter table (-F), and then delete any non-default chains (-X):
sudo iptables -t nat -F
sudo iptables -t mangle -F
sudo iptables -F
sudo iptables -X
At this point, your firewall is allowing all network traffic in and out. By listing your rules, you can see that there are none, and you are left with only the three default chains (INPUT, FORWARD, and OUTPUT).
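The check below is an added example, not part of the original guide: it confirms from a saved iptables -S listing that the reset is complete, that is, only the three built-in chains remain, each with policy ACCEPT and no rules. Any leftover rule, user-defined chain or non-ACCEPT policy is printed. The two listings are constructed samples.

```shell
#!/bin/sh
# Added example, not from the original guide: check a saved
# `sudo iptables -S` listing to confirm the reset above is complete, i.e.
# only the three built-in chains remain, all with policy ACCEPT and no
# rules. The two listings below are constructed samples.

# firewall_is_open FILE
# Succeeds only when FILE consists of exactly the lines "-P INPUT ACCEPT",
# "-P FORWARD ACCEPT" and "-P OUTPUT ACCEPT". Any -A rule, -N user chain or
# non-ACCEPT policy is printed as a leftover and makes the check fail.
firewall_is_open() {
    awk '
        BEGIN { seen = 0; bad = 0 }
        $1 == "-P" && $3 == "ACCEPT" && ($2 == "INPUT" || $2 == "FORWARD" || $2 == "OUTPUT") { seen++; next }
        { print "leftover: " $0; bad = 1 }
        END {
            if (seen != 3) { print "expected 3 ACCEPT policies, found " seen; bad = 1 }
            exit bad
        }' "$1"
}

CLEAN=$(mktemp); DIRTY=$(mktemp)
trap 'rm -f "$CLEAN" "$DIRTY"' EXIT
printf '%s\n' '-P INPUT ACCEPT' '-P FORWARD ACCEPT' '-P OUTPUT ACCEPT' >"$CLEAN"
cat >"$DIRTY" <<'EOF'
-P INPUT DROP
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-N TCP
-A INPUT -p tcp -j TCP
EOF

firewall_is_open "$CLEAN" && echo "clean listing: firewall fully open"
firewall_is_open "$DIRTY" || echo "dirty listing: reset incomplete"
# Live use: sudo iptables -S > now.txt && firewall_is_open now.txt
```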
Keep in mind that changes made with the iptables command are temporary; they need to be saved so that they are preserved across a reboot.