Introduction
Iptables is a firewall that plays an essential role in network security for most Linux systems. While many iptables tutorials will teach you how to create firewall rules to secure your server, this one will focus on a different aspect of firewall management: listing and deleting rules.
In this tutorial, we will cover how to do the following iptables tasks:
- List rules
- Clear Packet and Byte Counters
- Delete rules
- Flush chains (delete all rules in a chain)
- Flush all chains and tables, delete all chains, and accept all traffic
Note: When working with firewalls, take care not to lock yourself out of your own server by blocking SSH traffic (port 22, by default). If you lose access due to your firewall settings, you may need to connect to it via the console to fix your access. Once you are connected via the console, you can change your firewall rules to allow SSH access (or allow all traffic). If your saved firewall rules allow SSH access, another method is to reboot your server.
Prerequisites
Before you start using this tutorial, you should have a separate, non-root superuser account—a user with sudo privileges—set up on your server. If you need to set this up, follow the appropriate guide:
Let’s look at how to list rules first. There are two different ways to view your active iptables rules: in a table or as a list of rule specifications. Both methods provide roughly the same information in different formats.
List Rules by Specification
To list out all of the active iptables rules by specification, run the iptables command with the -S option:
Example: Rule Specification Listing
-P INPUT DROP
-P FORWARD DROP
-P OUTPUT ACCEPT
-N ICMP
-N TCP
-N UDP
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -p udp -m conntrack --ctstate NEW -j UDP
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m conntrack --ctstate NEW -j TCP
-A INPUT -p icmp -m conntrack --ctstate NEW -j ICMP
-A INPUT -p udp -j REJECT --reject-with icmp-port-unreachable
-A INPUT -p tcp -j REJECT --reject-with tcp-reset
-A INPUT -j REJECT --reject-with icmp-proto-unreachable
-A TCP -p tcp -m tcp --dport 22 -j ACCEPT
As you can see, the output looks just like the commands that were used to create the rules, without the preceding iptables command. This will also look similar to the iptables rules configuration files, if you’ve ever used iptables-persistent or iptables-save.
List Specific Chain
If you want to limit the output to a specific chain (INPUT, OUTPUT, TCP, etc.), you can specify the chain name directly after the -S option. For example, to show all of the rule specifications in the TCP chain, you would run this command:
Example: TCP Chain Rule Specification Listing
-N TCP
-A TCP -p tcp -m tcp --dport 22 -j ACCEPT
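The rule-specification format shown above is plain text, which makes saved listings easy to audit. The script below is an added example (not part of the tutorial) that works on a constructed copy of the listing above rather than on the live firewall, so it runs without root or a Linux kernel. It reproduces what the chain-specific listing does (the `list_chain` function, equivalent to running the listing command with a chain name) and then runs a simple check for the lockout risk described in the note at the top: with an INPUT policy of DROP, is there an ACCEPT rule for the SSH port, either in INPUT or in a chain INPUT hands TCP traffic to? The function names, the sample listing and the "--dport" heuristic are this example's own.

```shell
#!/bin/sh
# Added example: audits a saved rule-spec listing (the text produced by
# `iptables -S`) instead of querying the live firewall.
# SAMPLE_RULES is a constructed copy of the listing in the tutorial.
SAMPLE_RULES='-P INPUT DROP
-P FORWARD DROP
-P OUTPUT ACCEPT
-N ICMP
-N TCP
-N UDP
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -p udp -m conntrack --ctstate NEW -j UDP
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m conntrack --ctstate NEW -j TCP
-A INPUT -p icmp -m conntrack --ctstate NEW -j ICMP
-A INPUT -p udp -j REJECT --reject-with icmp-port-unreachable
-A INPUT -p tcp -j REJECT --reject-with tcp-reset
-A INPUT -j REJECT --reject-with icmp-proto-unreachable
-A TCP -p tcp -m tcp --dport 22 -j ACCEPT'

# list_chain RULES CHAIN
# Reproduce what listing a single chain shows: the chain's policy (-P) or
# creation (-N) line, followed by its -A rules in their original order.
list_chain() {
    printf '%s\n' "$1" | awk -v chain="$2" '
        ($1 == "-P" || $1 == "-N" || $1 == "-A") && $2 == chain'
}

# input_accepts_port RULES PORT
# Heuristic lockout check: returns 0 if the INPUT policy is ACCEPT, or if an
# ACCEPT rule for "--dport PORT" exists in INPUT or in any user chain that
# INPUT jumps to for TCP traffic; returns 1 otherwise. It does not model
# rule order or other matches (interface, source address, multiport), so a
# 0 means "an accept rule exists", not proof that the port is reachable.
input_accepts_port() {
    rules=$1
    port=${2:-22}
    policy=$(printf '%s\n' "$rules" | awk '$1 == "-P" && $2 == "INPUT" { print $3 }')
    [ "$policy" = "ACCEPT" ] && return 0
    # INPUT itself plus every user chain INPUT hands TCP traffic to
    # (built-in targets such as ACCEPT/DROP/REJECT/RETURN are not chains).
    chains="INPUT $(printf '%s\n' "$rules" | awk '
        $1 == "-A" && $2 == "INPUT" && / -p tcp / {
            for (i = 1; i < NF; i++) if ($i == "-j") print $(i + 1)
        }' | grep -vx -e ACCEPT -e DROP -e REJECT -e RETURN || true)"
    for chain in $chains; do
        if printf '%s\n' "$rules" | grep -q -- "^-A $chain .*--dport $port .*-j ACCEPT"; then
            return 0
        fi
    done
    return 1
}

# Usage: show the TCP chain, then run the lockout check against the sample.
list_chain "$SAMPLE_RULES" TCP
if input_accepts_port "$SAMPLE_RULES" 22; then
    echo "INPUT policy $policy: an ACCEPT rule for tcp/22 exists"
else
    echo "WARNING: INPUT policy $policy and no ACCEPT rule for tcp/22"
fi
```

To run the same check against a live system, pass the real listing in as the first argument, for example `input_accepts_port "$(sudo iptables -S)" 22`, before changing a policy or flushing a chain. Because the check ignores rule order, an earlier REJECT rule in INPUT would still let it report success, which is why it is an aid to reading the listing rather than a substitute for it.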
Let’s take a look at the alternative way to view the active iptables rules, as a table of rules.
List Rules as Tables
Listing the iptables rules in the table view can be useful for comparing different rules against each other,