best way to clear all iptables rules

Question

I currently have this snippet:

# flush all chains
iptables -F
iptables -t nat -F
iptables -t mangle -F
# delete all chains
iptables -X

Is there a possibility that some impervious rule will stay alive after running this?

The idea is to have a completely clean iptables config, that can be easily replaced by new ruleset (nevermind routes/ifconfig's parameters).

score 191 · Accepted Answer · edited Feb 19 '17 at 04:03

191

To answer your question succinctly, no: there would not be any "leftover" rules after flushing every table. In the interest of being thorough however, you may want to set the policy for the built-in INPUT and FORWARD chains to ACCEPT, as well:

iptables -P INPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -P OUTPUT ACCEPT
iptables -t nat -F
iptables -t mangle -F
iptables -F
iptables -X

Clear ip6tables rules:

ip6tables -P INPUT ACCEPT
ip6tables -P FORWARD ACCEPT
ip6tables -P OUTPUT ACCEPT
ip6tables -t nat -F
ip6tables -t mangle -F
ip6tables -F
ip6tables -X

...and that should do it. iptables -nvL should produce this (or very similar) output:

Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

edited Feb 19 '17 at 04:03

Aalex Gabi

147
1
7

answered Nov 11 '10 at 05:52

Sam Halicke

6,222
1
25
35

12

you forgot about 'raw': iptables -t raw -F iptables -t raw -X – kK-Storm Nov 12 '15 at 12:59
`there would not be any "leftover" rules after flushing every table` OP doesn't flush **every** table. Neither do you. Here's what it looks like if you want to be [thorough](https://gist.github.com/x-yuri/da5de61959ae118900b685fed78feff1). And you might want to add `iptables -t "$table" -Z`. Do note that this way you're hardcoding the list of the tables and their chains. So I would seriously consider [save-restore solution](https://serverfault.com/a/200642/162443). Or you can just [unload iptables](https://serverfault.com/a/973412/162443). – x-yuri Jun 29 '19 at 20:34
Some distros have both `iptables` and `iptables-legacy` (e.g. NixOS), thus you need to flush using both. – AleXoundOS May 16 '22 at 08:14

Jerub · Answer 2 · 2010-11-11T04:11:29.523

43

This will correctly totally reset your iptables system to a very basic state:

iptables-save | awk '/^[*]/ { print $1 } 
                     /^:[A-Z]+ [^-]/ { print $1 " ACCEPT" ; }
                     /COMMIT/ { print $0; }' | iptables-restore

All policies will be reset to ACCEPT as well as flushing every table in current use. All chains other than the built in chains will no longer exist.

edited Nov 11 '10 at 04:11

answered Nov 11 '10 at 03:57

Jerub

563
4
9

2

Neat hack! I wouldn't depend on it though, since it's always possible that subtle changes to the save/restore format might break it. Probably best to stick to the API that the `iptables` tool explicitly provides, IMO. – Steven Monday Nov 11 '10 at 04:44
3

I changed my mind: the data format is unlikely to change much any more, since it's used so widely. +1. – Steven Monday Nov 11 '10 at 04:54
2

+1, interesting hack – Sam Halicke Nov 11 '10 at 05:55
This managed to get rid of leftover UFW chains, something the accepted answer did not. – l0b0 Jun 20 '19 at 11:06
That's a minor detail, but you might want to replace the first `print $1` with `print $0` to be consistent :) – x-yuri Jun 28 '19 at 15:40
And this one seems safer than doing it in a series of `iptables` commands. You might lock yourself out in the latter case. Also, you can just [unload `iptables`](https://serverfault.com/a/973412/162443). – x-yuri Jun 29 '19 at 20:44
This is the only way I could solve a `ipset v7.15: Set cannot be destroyed: it is in use by a kernel component` error! Thanks! – Dr. Gianluigi Zane Zanettini Jun 03 '22 at 07:33

score 4 · Answer 3 · answered Apr 29 '17 at 05:13

One can do this in 1 or 2 commands:

 $ sudo iptables-save > iptables.bak
 $ sudo iptables -F

Result:

$ sudo iptables -nvL
Chain INPUT (policy ACCEPT 3138 packets, 5567K bytes)
pkts bytes target     prot opt in     out     source               destination         

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy ACCEPT 3602 packets, 6547K bytes)
pkts bytes target     prot opt in     out     source               destination

If the default policies are currently set to DROP, this is a quick way to get locked out of the server. So, no, it's not a 1 or 2 command process. You need to first set to ACCEPT if it's not currently. — RyanH, May 17 '18 at 16:35

score 4 · Answer 4 · answered Apr 12 '19 at 13:54

4

Backups configuration to iptables_backup.conf and clean all rules.

iptables-save | tee iptables_backup.conf | grep -v '\-A' | iptables-restore

To restore previous configuration:

iptables-restore < iptables_backup.conf

answered Apr 12 '19 at 13:54

Zibri

321
2
6

score 3 · Answer 5 · edited Apr 06 '17 at 03:38

3

Whenever I need the firewall disabled is something like this:

iptables-save > iptables.bak
service iptables stop (i'm on fedora)

edited Apr 06 '17 at 03:38

nhed

590
1
8
14

answered Nov 11 '10 at 05:13

Realn0whereman

153
4

x-yuri · Answer 6 · 2019-06-30T05:49:05.813

You can just unload iptables' modules from the kernel:

modprobe -r iptable_raw iptable_mangle iptable_security iptable_nat iptable_filter

UPD Unfortunately, too good to be true. As long as there's a rule or a user-defined chain in a table, corresponding module's reference count is 1, and modprobe -r fails. You might delete rules and user-defined chains like so:

echo $'*raw\nCOMMIT\n*mangle\nCOMMIT\n*security\nCOMMIT\n*nat\nCOMMIT\n*filter\nCOMMIT' | iptables-restore

or:

iptables-save | awk '/^[*]/ { print $1 "\nCOMMIT" }' | iptables-restore

Also, you might want to unload modules this way (no hardcoding module names):

lsmod | egrep ^iptable_ | awk '{print $1}' | xargs -rd\\n modprobe -r

On the bright side, after this iptables-save produces nice empty output :)

That could be the hammer here. Thx. – Konrad Gajewski Jun 29 '19 at 21:45 — Konrad Gajewski, Jun 29 '19 at 21:45

score 1 · Answer 7 · answered Feb 09 '20 at 22:40

1

Here is how I remove all DROP rules:

iptables -S |grep DROP| sed 's/-A/-D/' >rules  # -A becomes -D: delete
nano rules  # check that everything is correct
cat rules | while read line; do iptables $line; done
iptables-save

Done!

answered Feb 09 '20 at 22:40

Basj

709
3
11
29

Boschko · Answer 8 · 2018-11-05T20:05:12.190

I've had to block all connections recently what I ended up doing was

iptables-policy INPUT DROP
iptables-policy OUTPUT DROP
iptables-policy FORWARD DROP

as for saving I'd recommend the following

Ubuntu:

/etc/init.d/iptables save
/sbin/service iptables save

RedHat/CentOS:

/etc/init.d/iptables save
/sbin/iptables-save

In addition to backup all current ufw rules Ive used this in the past

cp /lib/ufw/{user.rules,user6.rules} /<BACKUP LOCATION> 
cp /lib/ufw/{user.rules,user6.rules} ./

I think this may be useful for future reference. Thought I would share.

score 1 · Answer 9 · answered Jan 11 '20 at 18:48

This worked for me (on Ubuntu 18.04):

sudo bash -c "ufw -f reset && iptables -F && iptables -X && ufw allow 22 && ufw -f enable"

It resets (and disables) ufw and then resets iptables clearing and removing all chains. Then it enables the ufw again, but not before it allows port 22 for remote access. The two commands that require user confirmation are "forced" ensuring no input is required. I was able to run this over an active SSH connection.

(source)

nvd · Answer 10 · 2021-10-31T20:19:18.450

0

sudo iptables -t nat -F
sudo iptables -t mangle -F
sudo iptables -t filter -F
sudo iptables -t raw -F

sudo iptables -t nat -X
sudo iptables -t mangle -X
sudo iptables -t filter -X
sudo iptables -t raw -X

echo "=== NAT ==="; sudo iptables -t nat -S; echo "\n=== MANGLE ==="; sudo iptables -t mangle -S; echo "\n=== FILTER ==="; sudo iptables -t filter -S; echo "\n=== RAW ==="; sudo iptables -t raw -S

edited Oct 31 '21 at 20:19

answered Oct 31 '21 at 20:14

nvd

101
2

score 0 · Answer 11 · answered Aug 21 '22 at 20:59

Newbie Necro-post:

Lately, I'm finding that nf/iptables reports it's busy so whatever --delete, --flush, or -X argument that was issued with the iptables command simply has no effect. Thereby, I sometimes do end up with some mixture of new configuration rules, along with some unwanted artifact rules from a previous iptables configuration, getting saved with iptables-save.

While it's not a 100% cure, I suffix any iptables commands with --wait, along with whatever other arguments I intend, such as -X.

I think it's still worthwhile to augment -X precautions with --flush, --delete and maybe make a null-firewall .rules file to restore with iptables-restore.

I can check in a bash shell script, using awk, if there's more than the default 38 lines resulting from an iptables --list command showing an empty configuration


EXITCOND1=0
iptables --list | awk '{ ++cnt; /
if (cnt < 40 ) exit level 1: /
print } '
EXITCOND1=$(echo $?)
if [ $EXITCOND1 == 0 ];
then
echo "There are firewall rules"
else
echo "There are no firewall rules"
fi

Obviously you all know to replace the "echo" statements with your own handling code. You can also use similar code to check line length and --log-prefix content in case you coincidentally do have only 38-40 lines of code in your iptables configuration.

(I'm typing this on my phone. I hope spell check didn't help me screw this up.)

Great ideas in your posts folks. Thanks.

best way to clear all iptables rules

11 Answers11

Linked