Learn to Manage Iptables Firewall Rules in Linux
In this article we learn how to list and delete iptables firewall rules on a Linux system. In the field of network security, iptables plays an essential role; here we focus on one aspect of firewall management: listing and deleting rules.
In this article, we will cover how to do the following iptables tasks:
- List rules
- Clear packet and byte counters
- Delete rules
- Flush chains (delete all rules in a chain)
- Flush all chains and tables, delete all chains, and accept all traffic
Prerequisite: a user with sudo privileges.
List Rules by Specification
To list out all of the active iptables rules by specification, run the iptables command with the -S option:
# iptables -S
-P INPUT DROP
-P FORWARD DROP
-P OUTPUT ACCEPT
-N ICMP
-N TCP
-N UDP
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -p udp -m conntrack --ctstate NEW -j UDP
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m conntrack --ctstate NEW -j TCP
-A INPUT -p icmp -m conntrack --ctstate NEW -j ICMP
-A INPUT -p udp -j REJECT --reject-with icmp-port-unreachable
-A INPUT -p tcp -j REJECT --reject-with tcp-reset
-A INPUT -j REJECT --reject-with icmp-proto-unreachable
-A TCP -p tcp -m tcp --dport 22 -j ACCEPT
List Specific Chain
If you want to limit the output to a specific chain (INPUT, OUTPUT, TCP, etc.), you can specify the chain name directly after the -S option. For example, to show all of the rule specifications in the TCP chain, you would run this command:
# iptables -S TCP
-A TCP -p tcp -m tcp --dport 22 -j ACCEPT
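Because iptables -S prints one rule per line in a stable textual form, it is the natural input for checking whether the running rule set still matches a reviewed baseline (for example, one saved right after the firewall was last audited). The POSIX shell function below is an added example and is not part of the original article: rule_drift is a hypothetical helper name, and both listings are constructed samples in the -S format shown above (the "current" set has the INVALID rule removed and a port 8080 rule added). It only needs sort and grep, and it never calls iptables itself.

```shell
#!/bin/sh
# Constructed baseline and "current" listings in "iptables -S" format.
# The current set is missing the INVALID rule and has gained a port 8080 rule.
BASELINE_RULES='-P INPUT DROP
-P FORWARD DROP
-P OUTPUT ACCEPT
-N TCP
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A TCP -p tcp -m tcp --dport 22 -j ACCEPT'
CURRENT_RULES='-P INPUT DROP
-P FORWARD DROP
-P OUTPUT ACCEPT
-N TCP
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A TCP -p tcp -m tcp --dport 22 -j ACCEPT
-A TCP -p tcp -m tcp --dport 8080 -j ACCEPT'

# rule_drift BASELINE CURRENT (both given as listing strings): print
# "- rule" for every line in the baseline that is missing now and "+ rule"
# for every line present now that the baseline lacks. Policies (-P) and
# chain definitions (-N) are compared too, so a changed default policy shows up.
# The comparison is order-insensitive: a reordered chain is not reported;
# run diff on the unsorted listings when rule order matters.
rule_drift() {
    baseline=$(printf '%s\n' "$1" | sort)
    current=$(printf '%s\n' "$2" | sort)
    printf '%s\n' "$baseline" | while IFS= read -r line; do
        # -x: whole-line match, -F: fixed string (rules contain regex metacharacters)
        printf '%s\n' "$current" | grep -qxF -- "$line" || printf '%s\n' "- $line"
    done
    printf '%s\n' "$current" | while IFS= read -r line; do
        printf '%s\n' "$baseline" | grep -qxF -- "$line" || printf '%s\n' "+ $line"
    done
}

# Stand-alone demonstration on the constructed listings.
rule_drift "$BASELINE_RULES" "$CURRENT_RULES"
```

On a live system the second argument would come from the real listing, e.g. rule_drift "$(cat /etc/baseline.rules)" "$(iptables -S)" run with sudo; an empty result means no rule was added or removed since the baseline was taken.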
List Rules as Tables
Listing the iptables rules in the table view can be useful for comparing different rules against each other. To output all of the active iptables rules in a table, run the iptables command with the -L option:
# iptables -L
This will output all of the current rules sorted by chain.
If you want to limit the output to a specific chain (INPUT, OUTPUT, TCP, etc.), you can specify the chain name directly after the -L option.
Let’s take a look at an example INPUT chain:
# iptables -L INPUT
Chain INPUT (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
ACCEPT     all  --  anywhere             anywhere
DROP       all  --  anywhere             anywhere             ctstate INVALID
UDP        udp  --  anywhere             anywhere             ctstate NEW
TCP        tcp  --  anywhere             anywhere             tcp flags:FIN,SYN,RST,ACK/SYN ctstate NEW
ICMP       icmp --  anywhere             anywhere             ctstate NEW
REJECT     udp  --  anywhere             anywhere             reject-with icmp-port-unreachable
REJECT     tcp  --  anywhere             anywhere             reject-with tcp-reset
REJECT     all  --  anywhere             anywhere             reject-with icmp-proto-unreachable
The first line of output indicates the chain name (INPUT, in this case), followed by its default policy (DROP). The next line consists of the headers of each column in the table, and is followed by the chain’s rules. Let’s go over what each header indicates:
- target: If a packet matches the rule, the target specifies what should be done with it. For example, a packet can be accepted, dropped, logged, or sent to another chain to be compared against more rules.
- prot: The protocol, such as tcp, udp, icmp, or all.
- opt: Rarely used, this column indicates IP options.
- source: The source IP address or subnet of the traffic, or anywhere.
- destination: The destination IP address or subnet of the traffic, or anywhere.
The last column, which is not labeled, indicates the options of a rule. That is, any part of the rule that isn’t indicated by the previous columns. This could be anything from source and destination ports, to the connection state of the packet.
Show Packet Counts and Aggregate Size
When listing iptables rules, it is also possible to show the number of packets, and the aggregate size of those packets in bytes, that matched each particular rule. This is often useful when trying to get a rough idea of which rules are matching against packets. To do so, simply use the -L and -v options together.
For example, let’s look at the INPUT chain again, with the -v option:
# iptables -L INPUT -v
Reset Packet Counts and Aggregate Size
If you want to clear, or zero, the packet and byte counters for your rules, use the -Z option. The counters also reset when the server reboots. Zeroing them is useful if you want to see whether your server is receiving new traffic that matches your existing rules.
To clear the counters for all chains and rules, use the -Z option by itself:
# iptables -Z
To clear the counters for all rules in a specific chain, use the -Z option and specify the chain. For example, to clear the INPUT chain counters run this command:
# iptables -Z INPUT
If you want to clear the counters for a specific rule, specify the chain name and the rule number. For example, to zero the counters for the 1st rule in the INPUT chain, run this:
# iptables -Z INPUT 1
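A common use of the counters is rule hygiene: zero them with -Z INPUT, let the server run for a representative period, then list the chain with -v (adding -x for exact rather than abbreviated byte counts, -n to skip name lookups and --line-numbers to get rule numbers) and see which rules have still matched nothing. The POSIX shell functions below are an added example, not part of the original article; the listing they parse is a constructed sample in the format of iptables -L INPUT -vnx --line-numbers with invented counter values, and zero_hit_rules and busiest_rule are hypothetical helper names.

```shell
#!/bin/sh
# Constructed sample of "iptables -L INPUT -vnx --line-numbers" output for the
# article's INPUT chain; the packet and byte counters are invented.
SAMPLE_COUNTS='Chain INPUT (policy DROP 12 packets, 720 bytes)
num      pkts      bytes target     prot opt in     out     source               destination
1       51234   61234567 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
2         812      60120 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
3           0          0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate INVALID
4          40       3200 UDP        udp  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate NEW
5         275      16500 TCP        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp flags:0x17/0x02 ctstate NEW
6           0          0 ICMP       icmp --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate NEW
7           9        540 REJECT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-port-unreachable
8          31       1860 REJECT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with tcp-reset
9           0          0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-proto-unreachable'

# zero_hit_rules: read the listing on stdin and print "num target match" for
# every rule whose packet counter is still 0 after the measuring period.
# Columns 1-10 are fixed (num pkts bytes target prot opt in out source
# destination); whatever follows is the rule's match part. The "Chain" and
# header lines are skipped because their first field is not a number.
zero_hit_rules() {
    awk '
        $1 ~ /^[0-9]+$/ && $2 == 0 {
            extra = ""
            for (i = 11; i <= NF; i++) extra = extra (i > 11 ? " " : "") $i
            print $1 " " $4 " " extra
        }'
}

# busiest_rule: print the number of the rule with the highest packet count,
# i.e. the rule doing most of the work in this chain.
busiest_rule() {
    awk '
        BEGIN { max = -1 }
        $1 ~ /^[0-9]+$/ && $2 + 0 > max { max = $2 + 0; num = $1 }
        END { print num }'
}

# Stand-alone demonstration on the constructed listing.
printf '%s\n' "$SAMPLE_COUNTS" | zero_hit_rules
printf '%s\n' "$SAMPLE_COUNTS" | busiest_rule
```

A rule with zero hits is not automatically dead: a DROP for INVALID packets or a final REJECT may legitimately see no traffic for days, so treat the output as a review list, not a delete list. On a live system the input would be sudo iptables -L INPUT -vnx --line-numbers instead of the sample.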
Delete Rule by Specification
One of the ways to delete iptables rules is by rule specification. To do so, you can run the iptables command with the -D option followed by the rule specification. If you want to delete rules using this method, you can use the output of the rules list, iptables -S, for some help.
For example, if you want to delete the rule that drops invalid incoming packets (-A INPUT -m conntrack --ctstate INVALID -j DROP), you could run this command:
# iptables -D INPUT -m conntrack --ctstate INVALID -j DROP
Delete Rule by Chain and Number
The other way to delete iptables rules is by chain and line number. To determine a rule's line number, list the rules in the table format and add the --line-numbers option:
# iptables -L --line-numbers
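Both deletion methods can be driven from the listings shown in this article. By specification, -D takes exactly the arguments that -S printed for the rule, with -A replaced by -D, and it removes only the first rule that matches, so a rule that was accidentally added twice needs a second -D. By number, -D takes the chain name and the line number, and the numbering is recomputed after every deletion: removing rule 3 makes the old rule 4 the new rule 3, so when several rules are removed from one chain in one go, the highest number must be deleted first. The POSIX shell functions below are an added example, not the article's own code: spec_delete_cmds and numbered_delete_cmds are hypothetical helpers that only print the iptables -D commands so they can be reviewed before being run, and the two listings they read are constructed samples in the -S and --line-numbers formats shown above.

```shell
#!/bin/sh
# Constructed sample in "iptables -S" format (a subset of the article's listing).
SAMPLE_SPEC='-P INPUT DROP
-N TCP
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A TCP -p tcp -m tcp --dport 22 -j ACCEPT'

# Constructed sample in "iptables -L INPUT --line-numbers" format.
SAMPLE_NUMBERED='Chain INPUT (policy DROP)
num  target     prot opt source               destination
1    ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
2    ACCEPT     all  --  anywhere             anywhere
3    DROP       all  --  anywhere             anywhere             ctstate INVALID
4    UDP        udp  --  anywhere             anywhere             ctstate NEW
5    TCP        tcp  --  anywhere             anywhere             tcp flags:FIN,SYN,RST,ACK/SYN ctstate NEW
6    ICMP       icmp --  anywhere             anywhere             ctstate NEW
7    REJECT     udp  --  anywhere             anywhere             reject-with icmp-port-unreachable
8    REJECT     tcp  --  anywhere             anywhere             reject-with tcp-reset
9    REJECT     all  --  anywhere             anywhere             reject-with icmp-proto-unreachable'

# spec_delete_cmds CHAIN PATTERN: read "-S" output on stdin and print an
# "iptables -D ..." command for each "-A CHAIN ..." rule whose text contains
# PATTERN (a fixed string; empty matches every rule in the chain). Policy (-P)
# and chain-creation (-N) lines are not rules and produce nothing.
spec_delete_cmds() {
    awk -v chain="$1" -v pat="$2" '
        $1 == "-A" && $2 == chain && (pat == "" || index($0, pat) > 0) {
            $1 = "-D"                  # same specification, delete instead of append
            print "iptables " $0
        }'
}

# numbered_delete_cmds CHAIN PATTERN: read "--line-numbers" output on stdin and
# print "iptables -D CHAIN N" for each matching rule, highest N first, so that
# earlier deletions do not shift the numbers of the later ones.
numbered_delete_cmds() {
    awk -v chain="$1" -v pat="$2" '
        # Rule lines start with the rule number; "Chain" and header lines do not.
        $1 ~ /^[0-9]+$/ && (pat == "" || index($0, pat) > 0) { hits[++n] = $1 }
        END { for (i = n; i >= 1; i--) print "iptables -D " chain " " hits[i] }'
}

# Stand-alone demonstration: show what would be run, without touching the firewall.
printf '%s\n' "$SAMPLE_SPEC" | spec_delete_cmds INPUT INVALID
printf '%s\n' "$SAMPLE_NUMBERED" | numbered_delete_cmds INPUT REJECT
```

On a live system the input would be sudo iptables -S or sudo iptables -L INPUT --line-numbers, and the printed commands can be checked by eye and then run one at a time, or piped into sudo sh once they look right.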
Iptables offers a way to delete all rules in a chain, or flush a chain. This section will cover the variety of ways to do this.
Flush a Single Chain
To flush a specific chain, which will delete all of the rules in the chain, you may use the -F, or the equivalent --flush, option and the name of the chain to flush.
For example, to delete all of the rules in the INPUT chain, run this command:
# iptables -F INPUT
Flush All Chains
To flush all chains, which will delete all of the firewall rules, you may use the -F, or the equivalent --flush, option by itself:
# iptables -F
Flush All Rules, Delete All Chains, and Accept All
This section will show you how to flush all of your firewall rules, tables, and chains, and allow all network traffic.
First, set the default policies for each of the built-in chains to ACCEPT. The main reason to do this is to ensure that you won’t be locked out from your server via SSH:
# iptables -P INPUT ACCEPT
# iptables -P FORWARD ACCEPT
# iptables -P OUTPUT ACCEPT
Then flush the nat and mangle tables, flush all chains (-F), and delete all non-default chains (-X):
# iptables -t nat -F
# iptables -t mangle -F
# iptables -F
# iptables -X
Your firewall will now allow all network traffic. If you list your rules now, you will see there are none, and only the three default chains (INPUT, FORWARD, and OUTPUT) remain.
After going through this tutorial, you should be familiar with how to list and delete your iptables firewall rules.