How to List and Delete Iptables Firewall Rules

Iptables is a firewall that plays an essential role in network security for most Linux systems. This post will focus on listing and deleting rules in Iptables.

In this post, I will cover how to do the following iptables tasks:

  • List rules
  • Delete rules

Listing Rules by Specification

To list out all of the active iptables rules by specification, run the iptables command with the -S option:

sudo iptables -S

The output will look similar to this:

-P INPUT DROP
-P FORWARD DROP
-P OUTPUT ACCEPT
-N ICMP
-N TCP
-N UDP
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -p udp -m conntrack --ctstate NEW -j UDP
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m conntrack --ctstate NEW -j TCP
-A INPUT -p icmp -m conntrack --ctstate NEW -j ICMP
-A INPUT -p udp -j REJECT --reject-with icmp-port-unreachable
-A INPUT -p tcp -j REJECT --reject-with tcp-reset
-A INPUT -j REJECT --reject-with icmp-proto-unreachable
-A TCP -p tcp -m tcp --dport 22 -j ACCEPT

Listing a Specific Chain

If you want to limit the output to a specific chain (INPUT, OUTPUT, TCP, etc.), you can specify the chain name directly after the -S option. For example, to show all of the rule specifications in the TCP chain, you would run this command:

sudo iptables -S TCP

The output will look similar to this:

-N TCP
-A TCP -p tcp -m tcp --dport 22 -j ACCEPT
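
The -S output is easy to process because each line is a complete rule specification. The following script is an added example (not part of the original post) that summarises such a listing per chain: the default policy of each built-in chain, how many -A rules each chain holds, and which destination ports a chain accepts. The sample input is the listing shown above, embedded as a string so the script runs without root or a live firewall; in practice you would pipe `sudo iptables -S` into the same functions.

```shell
#!/bin/sh
# Added example: parse `iptables -S` output per chain.
# SAMPLE_RULES is the listing from the post, embedded so this runs offline;
# replace the printf with `sudo iptables -S |` on a real host.
SAMPLE_RULES='-P INPUT DROP
-P FORWARD DROP
-P OUTPUT ACCEPT
-N ICMP
-N TCP
-N UDP
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -p udp -m conntrack --ctstate NEW -j UDP
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m conntrack --ctstate NEW -j TCP
-A INPUT -p icmp -m conntrack --ctstate NEW -j ICMP
-A INPUT -p udp -j REJECT --reject-with icmp-port-unreachable
-A INPUT -p tcp -j REJECT --reject-with tcp-reset
-A INPUT -j REJECT --reject-with icmp-proto-unreachable
-A TCP -p tcp -m tcp --dport 22 -j ACCEPT'

# chain_policy CHAIN   (reads -S output on stdin)
# Prints the default policy of a built-in chain, taken from its -P line.
chain_policy() {
    awk -v c="$1" '$1 == "-P" && $2 == c { print $3 }'
}

# rule_count CHAIN   (reads -S output on stdin)
# Prints how many -A rules the chain contains (0 if none).
rule_count() {
    awk -v c="$1" '$1 == "-A" && $2 == c { n++ } END { print n + 0 }'
}

# accepted_ports CHAIN   (reads -S output on stdin)
# Prints the --dport value of every rule in the chain whose target is ACCEPT,
# one per line; useful as a quick "what is this box listening for" audit.
accepted_ports() {
    awk -v c="$1" '$1 == "-A" && $2 == c && /-j ACCEPT/ {
        for (i = 1; i <= NF; i++) if ($i == "--dport") print $(i + 1)
    }'
}

# summarize_chains   (reads -S output on stdin)
# One line per chain: policy (or "user" for chains created with -N) and rule count.
summarize_chains() {
    awk '
        $1 == "-P" { policy[$2] = $3;     rules[$2] += 0 }
        $1 == "-N" { policy[$2] = "user"; rules[$2] += 0 }
        $1 == "-A" { rules[$2]++ }
        END { for (c in rules) printf "%-8s policy=%-7s rules=%d\n", c, policy[c], rules[c] }
    ' | sort
}

# Demo on the embedded sample.
printf '%s\n' "$SAMPLE_RULES" | summarize_chains
```

On a live system the same functions work on real output, for example `sudo iptables -S | accepted_ports TCP`. Because `-S` prints rules in the order they are evaluated, comparing two saved listings with `diff` is also a cheap way to spot rules that appeared or disappeared between two points in time.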

Listing Rules as Tables

Listing the iptables rules in the table view can be useful for comparing different rules against each other.

To output all of the active iptables rules in a table, run the iptables command with the -L option:

sudo iptables -L

This will output all of the current rules, grouped by chain.

If you want to limit the output to a specific chain (INPUT, OUTPUT, TCP, etc.), you can specify the chain name directly after the -L option.

Let’s take a look at an example INPUT chain:

sudo iptables -L INPUT

The output will look similar to this:

Chain INPUT (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
ACCEPT     all  --  anywhere             anywhere
DROP       all  --  anywhere             anywhere             ctstate INVALID
UDP        udp  --  anywhere             anywhere             ctstate NEW
TCP        tcp  --  anywhere             anywhere             tcp flags:FIN,SYN,RST,ACK/SYN ctstate NEW
ICMP       icmp --  anywhere             anywhere             ctstate NEW
REJECT     udp  --  anywhere             anywhere             reject-with icmp-port-unreachable
REJECT     tcp  --  anywhere             anywhere             reject-with tcp-reset
REJECT     all  --  anywhere             anywhere             reject-with icmp-proto-unreachable

The first line of output indicates the chain name (INPUT, in this case), followed by its default policy (DROP). The next line consists of the headers of each column in the table, and is followed by the chain’s rules. Let’s go over what each header indicates:

  • target: If a packet matches the rule, the target specifies what should be done with it. For example, a packet can be accepted, dropped, logged, or sent to another chain to be compared against more rules.
  • prot: The protocol, such as tcp, udp, icmp, or all.
  • opt: Rarely used, this column indicates IP options.
  • source: The source IP address or subnet of the traffic, or anywhere.
  • destination: The destination IP address or subnet of the traffic, or anywhere.

The last column, which is not labeled, indicates the options of a rule. That is, any part of the rule that isn’t indicated by the previous columns. This could be anything from source and destination ports, to the connection state of the packet.

Deleting Rules by Specification

One of the ways to delete iptables rules is by rule specification. To do so, you can run the iptables command with the -D option followed by the rule specification. If you want to delete rules using this method, the output of the rules list, iptables -S, is the easiest place to get the exact specification, since each line it prints is one complete rule.

For example, if you want to delete the rule that drops invalid incoming packets (-A INPUT -m conntrack --ctstate INVALID -j DROP), you could run this command:

sudo iptables -D INPUT -m conntrack --ctstate INVALID -j DROP

Note that the -A option, which is used to indicate the rule position at creation time, should be excluded here.

Deleting Rules by Chain and Number

The other way to delete iptables rules is by chain and line number. To determine a rule's line number, list the rules in the table format and add the --line-numbers option:

sudo iptables -L --line-numbers

The output will look similar to this:

Chain INPUT (policy DROP)
num  target     prot opt source               destination
1    ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
2    ACCEPT     all  --  anywhere             anywhere
3    DROP       all  --  anywhere             anywhere             ctstate INVALID
4    UDP        udp  --  anywhere             anywhere             ctstate NEW
5    TCP        tcp  --  anywhere             anywhere             tcp flags:FIN,SYN,RST,ACK/SYN ctstate NEW
6    ICMP       icmp --  anywhere             anywhere             ctstate NEW
7    REJECT     udp  --  anywhere             anywhere             reject-with icmp-port-unreachable
8    REJECT     tcp  --  anywhere             anywhere             reject-with tcp-reset
9    REJECT     all  --  anywhere             anywhere             reject-with icmp-proto-unreachable
10   ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:ssh ctstate NEW,ESTABLISHED

This adds the line number to each rule row, indicated by the num header.

Once you know which rule you want to delete, note the chain and line number of the rule. Then run the iptables -D command followed by the chain and rule number.

For example, if we want to delete the input rule that drops invalid packets, we can see that it’s rule 3 of the INPUT chain. So we should run this command:

sudo iptables -D INPUT 3
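
Both deletion methods have a pitfall worth automating around: with -D by specification, a typo silently deletes nothing (or the wrong thing if the typo still matches), and with -D by number, every deletion renumbers the rules below it, so deleting rules 3 and 7 in that order actually removes what used to be rule 8. The script below is an added example (not part of the original post) with two helpers: one takes an `iptables -S` line, verifies the rule exists with the -C (check) option, and only then deletes it with -D; the other deletes several rules by number from one chain in descending order so the numbers stay valid. The IPTABLES variable is an assumption of this script, not an iptables feature: it lets you point the helpers at `echo` for a dry run.

```shell
#!/bin/sh
# Added example: safer rule deletion helpers.
# IPTABLES names the binary to invoke; override with IPTABLES=echo to dry-run.
# The real binary needs root, so normally run this via sudo.
IPTABLES=${IPTABLES:-iptables}

# delete_by_spec "-A CHAIN ... -j TARGET"
# Takes a line exactly as printed by `iptables -S`, swaps the leading -A for
# -C to confirm the rule is present, then deletes it with -D.
# Returns 1 if the rule is not present, 2 if the argument is not an -A line.
# Limitation: the spec is split on whitespace, so rules that carry quoted
# values (e.g. -m comment --comment "two words") are not handled.
delete_by_spec() {
    spec=$1
    case $spec in
        "-A "*) ;;
        *) echo "expected a rule line starting with -A, got: $spec" >&2; return 2 ;;
    esac
    rest=${spec#-A }
    # Word-splitting of $rest is intended: it is a flat argument list.
    if "$IPTABLES" -C $rest 2>/dev/null; then
        "$IPTABLES" -D $rest
    else
        echo "rule not present, nothing deleted: $rest" >&2
        return 1
    fi
}

# delete_by_numbers CHAIN N [N ...]
# Deletes several rules from one chain by line number. Numbers are sorted
# descending and de-duplicated first, because each -D renumbers the rules
# that follow it; deleting from the bottom up keeps every number valid.
delete_by_numbers() {
    chain=$1
    shift
    for n in $(printf '%s\n' "$@" | sort -rn -u); do
        "$IPTABLES" -D "$chain" "$n"
    done
}

# Dry-run demo: DRY_RUN=1 sh thisscript.sh prints the commands instead of running them.
if [ "${DRY_RUN:-0}" = 1 ]; then
    IPTABLES=echo
    delete_by_spec "-A INPUT -m conntrack --ctstate INVALID -j DROP"
    delete_by_numbers INPUT 3 7 5
fi
```

After deleting, re-run `sudo iptables -S` (or `-L --line-numbers`) and confirm the rule is gone before deleting anything else by number, since the listing you noted earlier is no longer accurate.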
