Once I set iptables to reroute a port, how do I undo it?

Question

I've been reading on many sites how to use iptables to reroute one port to another in Linux. For instance, rerouting port 80 to 8080 would look like this...

iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to 8080

My concern is, what if I change my mind? I haven't read anywhere that gives syntax for correcting it. I assume there is a (simple?) way to do it, but I'm too new at Linux to intuitively figure out how to restore port 80 to its original behavior without reinstalling the OS.

score 26 · Answer 1 · answered Aug 16 '12 at 19:32

26

If you are scripting, it's easier to remove by definition:

Example:

To add:

iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to 8080

Notice the -A? it means add.

To remove:

iptables -t nat -D PREROUTING -p tcp --dport 80 -j REDIRECT --to 8080

Notice the -D? it means delete.

answered Aug 16 '12 at 19:32

bithavoc

361
3
5

1

This was very useful! – MadPhysicist Nov 22 '16 at 18:25

user9517 · Accepted Answer · 2011-07-10T09:30:09.883

You can use the -D option to iptables to delete rules from your chains. For example

First list the chain you want to remove a rule from, use --line-numbers

sudo iptables -L RH-Firewall-1-INPUT  -n --line-numbers

Chain RH-Firewall-1-INPUT (2 references)
num  target     prot opt source               destination
1    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:80
2    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
3    ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0           icmp type 255
4    ACCEPT     esp  --  0.0.0.0/0            0.0.0.0/0
5    ACCEPT     ah   --  0.0.0.0/0            0.0.0.0/0
6    ACCEPT     udp  --  0.0.0.0/0            224.0.0.251         udp dpt:5353
7    ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0           udp dpt:631
8    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:631
9    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
10   ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:22
11   REJECT     all  --  0.0.0.0/0            0.0.0.0/0           reject-with icmp-host-prohibited

To delete line 6

sudo iptables -D RH-Firewall-1-INPUT 6
sudo iptables -L RH-Firewall-1-INPUT  -n --line-numbers

Chain RH-Firewall-1-INPUT (2 references)
num  target     prot opt source               destination
1    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:80
2    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
3    ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0           icmp type 255
4    ACCEPT     esp  --  0.0.0.0/0            0.0.0.0/0
5    ACCEPT     ah   --  0.0.0.0/0            0.0.0.0/0
6    ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0           udp dpt:631
7    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:631
8    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
9    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:22
10   REJECT     all  --  0.0.0.0/0            0.0.0.0/0           reject-with icmp-host-prohibited

If you have your iptables configuration saved in a file don't forget to update the file (iptables-save, service iptables save etc.)

score 3 · Answer 3 · answered Jul 10 '11 at 03:06

http://linux.die.net/man/8/iptables:

ahem

iptables -L, --list [chain]
    List all rules in the selected chain. If no chain is selected, all chains are listed. As every other iptables command, it applies to the specified table (filter is the default), so NAT rules get listed by

    iptables -t nat -n -L

    Please note that it is often used with the -n option, in order to avoid long reverse DNS lookups. It is legal to specify the -Z (zero) option as well, in which case the chain(s) will be atomically listed and zeroed. The exact output is affected by the other arguments given. The exact rules are suppressed until you use

    iptables -L -v

...

iptables -D, --delete chain rule-specification
iptables -D, --delete chain rulenum
    Delete one or more rules from the selected chain. There are two versions of this command: the rule can be specified as a number in the chain (starting at 1 for the first rule) or a rule to match.

score 0 · Answer 4 · answered Jun 28 '17 at 07:32

The answer by bithavoc is the correct one. Since I still don't have enough points to comment on it, I am adding the additional information over as a new answer:

Add a new reroute rule

$ sudo iptables -t nat -D PREROUTING -p tcp --dport 443 -j REDIRECT --to 5671

List NAT Rules

$ sudo iptables -t nat -L
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination         
REDIRECT   tcp  --  anywhere             anywhere             tcp dpt:https redir ports 5671

Chain INPUT (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination

The -t nat switch is necessary to be able to routing rules.

Delete the Rule

$ sudo iptables -t nat -D PREROUTING -p tcp --dport 443 -j REDIRECT --to 5671
[ec2-user@ip-172-31-27-46 ~]$ sudo iptables -t nat -L
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination         

Chain INPUT (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination

Once I set iptables to reroute a port, how do I undo it?

4 Answers4