8

If I type iptables -L there is this line in the output:

Chain DOCKER (1 references)
target     prot opt source               destination         
ACCEPT     tcp  --  anywhere             172.17.0.2           tcp dpt:http-alt

My container is exposed publicly and I can request a dummy http server from everywhere (tested). I am trying to remove that rule so that port 80 is only exposed inside my server (localhost:80). I tried:

root@ns25252:~# iptables -D DOCKER  --destination 172.17.0.2 -p tcp --dport 80 -j ACCEPT
iptables: Bad rule (does a matching rule exist in that chain?).

As the error implies, it can't find the matching rule. How should I type it to remove the line?

vdegenne

3 Answers

11

It's usually easier to delete by number, unless there is a chance that the number could change between the time you listed the rules and the time you delete the rule.

Here's how to delete by line number:

# iptables -L --line-numbers
(snip)
Chain DOCKER (2 references)
num  target     prot opt source               destination         
1    ACCEPT     tcp  --  anywhere             172.17.0.2           tcp dpt:http
(snip)
# iptables -D DOCKER 1

Alternatively, you can get the full specification by doing iptables -S. Example:

# iptables -S
(snip)
-A DOCKER -d 172.17.0.2/32 -p tcp -m tcp --dport 80 -j ACCEPT
(snip)

Turn the -A into a -D and use this as the args to iptables to delete the rule:

# iptables -D DOCKER -d 172.17.0.2/32 -p tcp -m tcp --dport 80 -j ACCEPT

NOTE: This answer perplexingly still gets upvotes from time to time. I have no idea what everyone is trying to actually accomplish, I just blindly answered an iptables-related question. If you want to start a Docker container that is not accessible to the outside world, that's an entirely different topic, and this is not an appropriate answer in your case. (Maybe start by not exposing/publishing the port.)

sneep
  • Not only did you help me resolve the issue, but you also provided some good tricks about iptables. Sharing for a better world, thanks man. – vdegenne Apr 29 '18 at 13:16
  • How to remove the -N flags? – Khaled AbuShqear Sep 23 '18 at 11:34
  • @Shqear Hmm? What -N flags? – sneep Sep 24 '18 at 02:35
  • Coming [from here](https://askubuntu.com/questions/935569/how-to-completely-uninstall-docker#comment2015986_1021506). If you `sudo iptables -S | grep -i docker` you get four (new/`-N`) docker chains. We should [`-N`→`-F`](https://serverfault.com/a/375996/407820) after deleting the rules? – Pablo Bianchi Feb 15 '21 at 05:27
  • Ah, now I understand. Yes, -F will work if there are no other rules jumping to that chain. – sneep Feb 16 '21 at 06:45
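Following the accepted answer's advice to delete by the full `-S` specification rather than by rule number (numbers shift as soon as one rule is removed), here is an added shell example, not from the answer or from Docker, that turns captured `iptables -S DOCKER` output into the exact `iptables -D` commands for one container port. The rule text is a constructed sample and the function name is an assumption.

```shell
# Constructed sample of `iptables -S DOCKER` output (three published ports, two containers).
SAMPLE_RULES='-N DOCKER
-A DOCKER -d 172.17.0.2/32 ! -i docker0 -o docker0 -p tcp -m tcp --dport 80 -j ACCEPT
-A DOCKER -d 172.17.0.2/32 ! -i docker0 -o docker0 -p tcp -m tcp --dport 8080 -j ACCEPT
-A DOCKER -d 172.17.0.3/32 ! -i docker0 -o docker0 -p tcp -m tcp --dport 443 -j ACCEPT'

# delete_cmds_for CHAIN HOST PORT RULES
# Emits one `iptables -D` command per -A rule in CHAIN that accepts TCP to HOST:PORT.
# Deleting by the full spec (as the answer shows) avoids the renumbering problem of -D CHAIN NUM.
# RULES is the text of `iptables -S CHAIN`; on a live host pass "$(iptables -S CHAIN)".
delete_cmds_for() {
    chain=$1 host=$2 port=$3 rules=$4
    printf '%s\n' "$rules" | while IFS= read -r line; do
        set -- $line                     # -S output has no quoted tokens, so word-splitting is safe
        [ "$1" = "-A" ] && [ "$2" = "$chain" ] || continue
        dst='' dpt=''
        while [ $# -gt 0 ]; do
            case $1 in
                -d)      dst=${2%/32} ;;  # -S prints the destination address as a /32
                --dport) dpt=$2 ;;
            esac
            shift
        done
        if [ "$dst" = "$host" ] && [ "$dpt" = "$port" ]; then
            printf 'iptables -D %s\n' "${line#-A }"
        fi
    done
}

# Prints the delete command(s) for the container port; review them before running (e.g. `... | sh`).
delete_cmds_for DOCKER 172.17.0.2 80 "$SAMPLE_RULES"
```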
1

This is a bit old, but in case someone else is looking for how to remove docker completely from their iptables rules, here's how I did it. Keep in mind this is on Debian, so your files/paths may differ.

  1. Edit your /etc/iptables.up.rules file: back up the file, then remove everything with docker in it. There may also be a few additional lines with the local docker subnet (mine were 172.17.x and 172.19.x); remove them all.
  2. Flush iptables: iptables -P INPUT ACCEPT && iptables -P OUTPUT ACCEPT && iptables -P FORWARD ACCEPT && iptables -F
  3. Reload the iptables rules: iptables-restore < /etc/iptables.up.rules
  4. Verify/check your rules: iptables -L -n (there should no longer be any docker chains or rules)
DRAD
-1

If you have deleted the docker package, then just restart the iptables service and it will delete the default docker iptables rules:

systemctl restart iptables.service