Iptables is a firewall that plays an essential role in network security for most Linux systems. This post will focus on listing and deleting rules in Iptables.
In this post, I will cover how to do the following iptables tasks:
- List rules
- Delete rules
Listing Rules by Specification
To list out all of the active iptables rules by specification, run the iptables
command with the -S
option:
sudo iptables -S
The output will look similar to this:
-P INPUT DROP
-P FORWARD DROP
-P OUTPUT ACCEPT
-N ICMP
-N TCP
-N UDP
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -p udp -m conntrack --ctstate NEW -j UDP
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m conntrack --ctstate NEW -j TCP
-A INPUT -p icmp -m conntrack --ctstate NEW -j ICMP
-A INPUT -p udp -j REJECT --reject-with icmp-port-unreachable
-A INPUT -p tcp -j REJECT --reject-with tcp-reset
-A INPUT -j REJECT --reject-with icmp-proto-unreachable
-A TCP -p tcp -m tcp --dport 22 -j ACCEPT
Listing a Specific Chain
If you want to limit the output to a specific chain (INPUT
, OUTPUT
, TCP
, etc.), you can specify the chain name directly after the -S
option. For example, to show all of the rule specifications in the TCP
chain, you would run this command:
sudo iptables -S TCP
The output will look similar to this:
-N TCP
-A TCP -p tcp -m tcp --dport 22 -j ACCEPT
Listing Rules as Tables
Listing the iptables rules in the table view can be useful for comparing different rules against each other,
To output all of the active iptables rules in a table, run the iptables
command with the -L
option:
sudo iptables -L
This will output all of current rules sorted by chain.
If you want to limit the output to a specific chain (INPUT
, OUTPUT
, TCP
, etc.), you can specify the chain name directly after the -L
option.
Let’s take a look at an example INPUT chain:
sudo iptables -L INPUT
The output will look similar to this:
Chain INPUT (policy DROP)
target prot opt source destination
ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED
ACCEPT all -- anywhere anywhere
DROP all -- anywhere anywhere ctstate INVALID
UDP udp -- anywhere anywhere ctstate NEW
TCP tcp -- anywhere anywhere tcp flags:FIN,SYN,RST,ACK/SYN ctstate NEW
ICMP icmp -- anywhere anywhere ctstate NEW
REJECT udp -- anywhere anywhere reject-with icmp-port-unreachable
REJECT tcp -- anywhere anywhere reject-with tcp-reset
REJECT all -- anywhere anywhere reject-with icmp-proto-unreachable
The first line of output indicates the chain name (INPUT
, in this case), followed by its default policy (DROP
). The next line consists of the headers of each column in the table, and is followed by the chain’s rules. Let’s go over what each header indicates:
target
: If a packet matches the rule, the target specifies what should be done with it. For example, a packet can be accepted, dropped, logged, or sent to another chain to be compared against more rulesprot
: The protocol, such astcp
,udp
,icmp
, orall
opt
: Rarely used, this column indicates IP optionssource
: The source IP address or subnet of the traffic, oranywhere
destination
: The destination IP address or subnet of the traffic, oranywhere
The last column, which is not labeled, indicates the options of a rule. That is, any part of the rule that isn’t indicated by the previous columns. This could be anything from source and destination ports, to the connection state of the packet.
Deleting Rules by Specification
One of the ways to delete iptables rules is by rule specification. To do so, you can run the iptables
command with the -D
option followed by the rule specification. If you want to delete rules using this method, you can use the output of the rules list, iptables -S
, for some help.
For example, if you want to delete the rule that drops invalid incoming packets (-A INPUT -m conntrack --ctstate INVALID -j DROP
), you could run this command:
sudo iptables -D INPUT -m conntrack --ctstate INVALID -j DROP
Note that the -A
option, which is used to indicate the rule position at creation time, should be excluded here.
Deleting Rules by Chain and Number
The other way to delete iptables rules is by its chain and line number. To determine a rule’s line number, list the rules in the table format and add the --line-numbers
option:
sudo iptables -L --line-numbers
The output will look similar to this:
Chain INPUT (policy DROP)
num target prot opt source destination
1 ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED
2 ACCEPT all -- anywhere anywhere
3 DROP all -- anywhere anywhere ctstate INVALID
4 UDP udp -- anywhere anywhere ctstate NEW
5 TCP tcp -- anywhere anywhere tcp flags:FIN,SYN,RST,ACK/SYN ctstate NEW
6 ICMP icmp -- anywhere anywhere ctstate NEW
7 REJECT udp -- anywhere anywhere reject-with icmp-port-unreachable
8 REJECT tcp -- anywhere anywhere reject-with tcp-reset
9 REJECT all -- anywhere anywhere reject-with icmp-proto-unreachable
10 ACCEPT tcp -- anywhere anywhere tcp dpt:ssh ctstate NEW,ESTABLISHED
This adds the line number to each rule row, indicated by the num
header.
Once you know which rule you want to delete, note the chain and line number of the rule. Then run the iptables -D
command followed by the chain and rule number.
For example, if we want to delete the input rule that drops invalid packets, we can see that it’s rule 3
of the INPUT
chain. So we should run this command:
sudo iptables -D INPUT 3