27

i have 2 rules of iptables 

iptables -A INPUT -s 5.5.5.5 -j DROP
iptables -A INPUT -s 6.5.5.5 -j ACCEPT

is there a function or a command that will swap the rules to be like this:

iptables -A INPUT -s 6.5.5.5 -j ACCEPT 
iptables -A INPUT -s 5.5.5.5 -j DROP
Nidal
  • 1,717
  • 1
  • 27
  • 42
user1814662
  • 281
  • 1
  • 3
  • 5

7 Answers7

39

First check the line number:

iptables -nL --line-numbers

Delete based on line:

iptables -D INPUT {line}

Insert where you would like it to be:

iptables -I INPUT {line} -i lo -p tcp --dport {port} -j ACCEPT -m comment --comment "This rule is here for this reason"

Found at these sources:

Delete Rule

Insert Rule

d3vkit
  • 1,942
  • 1
  • 24
  • 36
  • Thank you. -I seem to be better than -A which is shown in most examples. – The Fool Mar 13 '21 at 18:30
  • Perhaps it's worth to mention that `-I {line}` and `-A {line}` add rule to specified line moving everything else down. For example, `-I INPUT 3` will move the previous `rule #3` to `rule #4`. – Artfaith Apr 27 '22 at 01:37
8

We had an issue with the order of some rules, and the most efficient way I found to change this was with two tools:

  1. iptables-save
  2. iptables-restore

First dump the rules into a file:

sudo iptables-save > /root/iptrules.txt

Then edit the file with your favorite text editor:

sudo vim /root/iptrules.txt

Make the necessary movements and then restore the rules:

sudo iptables-restore < /root/iptrules.txt
ms geek
  • 81
  • 1
  • 4
3

There is no such command to swap two iptables rules.

You can just delete and insert them into appropriate position.

Mandar Shinde
  • 1,735
  • 4
  • 20
  • 28
1

There is a program named iptables-persistent which make iptable's rules persistent as a os service. this service include a configuration file as the iptables-save export.

So you can reorder the lines in the configuration file and restart the service.

sudo service iptables-persistent restart

So easy!!!!!

shgnInc
  • 2,054
  • 1
  • 23
  • 34
0

Instead of -A use -D to delete and then add again

iptables -D INPUT -s 5.5.5.5 -j DROP

iptables -D INPUT -s 6.5.5.5 -j ACCEPT

Now add with swaped value

iptables -A INPUT -s 5.5.5.5 -j ACCEPT

iptables -A INPUT -s 6.5.5.5 -j DROP

arungiri_10
  • 988
  • 1
  • 11
  • 23
0

Let's assuem your INPUT chain has only these two rules, so their ID number would be 1 and 2 respectively for -A INPUT -s 5.5.5.5 -j DROP and -A INPUT -s 6.5.5.5 -j ACCEPT

Now, let's switch them: iptables -R INPUT 2 -s 5.5.5.5 -j DROP iptables -R INPUT 1 -s 6.5.5.5 -j ACCEPT

iptables -R is a command to Replace a rule already existed in iptables with another.

Its usage is: iptables -R [chain name] [line number] [new rule]

Datium
  • 93
  • 1
  • 7
0

Solution 1

If those rules are permanent and therefore located in the /etc/iptables/rules.v4 and etc/iptables/rules/v6 files, then you can just edit both files and move the rules to fit the desired order, something like:

-A INPUT -s 6.5.5.5 -j ACCEPT 
-A INPUT -s 5.5.5.5 -j DROP

Restart iptables (service iptables restart)

Solution 2

What I would do if there were only a few rules, like in your case, will be to delete the first rule and recreate it:

iptables -nL --line-numbers

Get the number of the rule you want to reorder (in your example would be 1) delete it and create it again, this will place the newlly created rule last in the table:

iptables -D INPUT 1
iptables -A INPUT -s 5.5.5.5 -j DROP`
AkuLink1
  • 123
  • 10