The purpose of this tutorial is to show how to remove iptables rules on a Linux system. It is possible to remove iptables rules one at a time or to clear all of the rules in any iptables chain at once. You will soon see how.
The iptables firewall on Linux systems is a very useful feature that allows system administrators to control, with granular precision, what network traffic is permitted or denied to the system.
Eventually, the time will come to remove rules that no longer pertain to your desired configuration. In this tutorial, you will see several different command line methods for removing iptables rules on Linux.
In this tutorial you will learn:
- How to remove iptables rules individually
- How to clear all configured rules for an iptables chain
- How to clear all configured rules for an iptables table
|Category|Requirements, Conventions or Software Version Used|
|---|---|
|System|Any Linux distro|
|Other|Privileged access to your Linux system as root or via the|

# – requires given Linux commands to be executed with root privileges either directly as a root user or by use of
$ – requires given Linux commands to be executed as a regular non-privileged user
How to remove iptables rules on Linux – example commands
Some iptables front ends, such as `firewalld` for Red Hat based systems and `ufw` for Ubuntu based systems, have their own commands for removing firewall rules. If you use an iptables front end, remove and configure your rules through that application rather than by interacting with iptables directly.
Before proceeding, make sure that you already have some rules configured on your system. In particular, this tutorial assumes that you have configured the rules with `iptables` directly, rather than through a front end firewall application like
To see the rules on your system, use the following `iptables` command. To make removing a specific rule easier, it is also recommended that you add the `--line-numbers` option, which prefixes each rule with its position in its chain.
$ sudo iptables -L --line-numbers
Example output of our configured iptables rules (notice the line number at the beginning of each rule):
```
Chain INPUT (policy ACCEPT)
num  target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
num  target     prot opt source               destination
1    DROP       all  --  anywhere             10.0.0.0/8
2    DOCKER     all  --  anywhere             anywhere
3    ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
4    ACCEPT     all  --  anywhere             anywhere
5    ACCEPT     all  --  anywhere             anywhere

Chain OUTPUT (policy ACCEPT)
num  target     prot opt source               destination

Chain DOCKER (1 references)
num  target     prot opt source               destination
1    ACCEPT     tcp  --  anywhere             172.17.0.3           tcp dpt:https
2    ACCEPT     tcp  --  anywhere             172.17.0.4           tcp dpt:http
3    ACCEPT     tcp  --  anywhere             172.17.0.5           tcp dpt:4000
4    ACCEPT     tcp  --  anywhere             172.17.0.7           tcp dpt:mysql
5    ACCEPT     tcp  --  anywhere             172.17.0.7           tcp dpt:http
6    ACCEPT     tcp  --  anywhere             172.17.0.6           tcp dpt:3142
```
Before proceeding with the commands below, it is highly recommended that you back up your currently configured iptables rules. You can learn how to do this by following our other tutorial on how to make iptables rules persistent after reboot.
- Now that we have the line numbers, we can remove any of the listed iptables rules. As an example, we will remove the `DROP all -- anywhere 10.0.0.0/8` rule from the `FORWARD` chain, which happens to occupy line number 1. To remove this rule we enter the following `iptables` command with the
$ sudo iptables -D FORWARD 1
It is not possible to delete multiple individual rules at once, unless you write a Bash script to do so. However, the remaining rules in a chain are renumbered every time you delete one, and it is tricky to write a script that accounts for the constantly shifting rule numbers. Although inconvenient, it is recommended that you simply take the time to delete each undesired rule individually.
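One way to write the script the note above mentions so that the shifting numbers cannot bite, as an added example that is not part of the original tutorial: rule numbers are picked out of `iptables -L --line-numbers` output for one chain and deleted highest-first, so every `-D` leaves the numbers still waiting to be deleted untouched. The listing embedded below is a constructed subset of the example output shown earlier, and the function names are my own.

```shell
#!/bin/sh
# Added example (not from the original tutorial): the scripted approach the
# note above mentions, written so that shifting rule numbers do not matter.
# Rule numbers are picked out of `iptables -L --line-numbers` output and
# deleted highest-first, so each -D leaves every still-pending number intact.

# Print the numbers of the rules in CHAIN whose listing line matches the
# extended regex PATTERN. Reads the iptables listing from stdin.
rule_numbers() {
    awk -v chain="$1" -v pat="$2" '
        /^Chain / { in_chain = ($2 == chain); next }
        in_chain && $1 ~ /^[0-9]+$/ && $0 ~ pat { print $1 }
    '
}

# Print one "iptables -D CHAIN NUM" command per number, highest first,
# duplicates removed. Rejects anything that is not a positive integer
# before emitting any command.
delete_commands() {
    chain=$1; shift
    [ $# -gt 0 ] || return 0
    for n in "$@"; do
        case $n in
            ''|*[!0-9]*|0*) echo "bad rule number: $n" >&2; return 2 ;;
        esac
    done
    printf '%s\n' "$@" | sort -rnu | while read -r n; do
        echo "iptables -D $chain $n"
    done
}

# Constructed sample listing, a subset of the tutorial's example output.
SAMPLE='Chain FORWARD (policy ACCEPT)
num  target  prot opt source    destination
1    DROP    all  --  anywhere  10.0.0.0/8
2    DOCKER  all  --  anywhere  anywhere
3    ACCEPT  all  --  anywhere  anywhere    ctstate RELATED,ESTABLISHED

Chain DOCKER (1 references)
num  target  prot opt source    destination
1    ACCEPT  tcp  --  anywhere  172.17.0.3  tcp dpt:https
2    ACCEPT  tcp  --  anywhere  172.17.0.4  tcp dpt:http
5    ACCEPT  tcp  --  anywhere  172.17.0.7  tcp dpt:http'

# Remove every DOCKER rule that allows plain http: prints "iptables -D DOCKER 5"
# then "iptables -D DOCKER 2". Pipe the output into "sudo sh" to apply it.
nums=$(printf '%s\n' "$SAMPLE" | rule_numbers DOCKER 'dpt:http$')
delete_commands DOCKER $nums
```

On a live system replace the embedded sample with `sudo iptables -L --line-numbers` and review the printed commands before piping them into a root shell.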
- You can also delete all the rules for an entire chain at once. For example, we could clear all 5 rules in our `FORWARD` chain by simply executing the command below with the
$ sudo iptables -F FORWARD
- Using the `-F` option without specifying any particular chain will clear the rules from every chain in the table (the default `filter` table unless `-t` is given; the `nat` and `mangle` tables are flushed separately, as shown below). Use caution when executing this command, since you could clear a large number of rules in one go.
$ sudo iptables -F
- You can also delete the chain itself with the `-X` option. However, this will only work if you have already cleared out all of the chain's rules with an `iptables -F [chain]` command first, and only if no other rule still jumps to the chain (our listing shows `DOCKER` with 1 reference, from rule 2 of the `FORWARD` chain, which would have to be removed as well). For example, to delete the `DOCKER` chain and all of its rules on our system:
$ sudo iptables -F DOCKER
$ sudo iptables -X DOCKER
To delete all empty user-defined chains, you can use the `-X` option with no further arguments.
$ sudo iptables -X
- To delete all of the configured rules in the `mangle` tables, you will need to specify these tables separately with the
$ sudo iptables -t nat -F
$ sudo iptables -t mangle -F
- To reset your entire iptables configuration to the defaults, you can use all of the following commands together. This will reset the default chain policies to ACCEPT, clear all rules from the filter, nat and mangle tables, and then delete all the empty user-defined chains from each of those tables.
$ sudo iptables -P INPUT ACCEPT
$ sudo iptables -P FORWARD ACCEPT
$ sudo iptables -P OUTPUT ACCEPT
$ sudo iptables -F
$ sudo iptables -X
$ sudo iptables -t nat -F
$ sudo iptables -t nat -X
$ sudo iptables -t mangle -F
$ sudo iptables -t mangle -X
- One last method is to manually edit the `iptables-save` output file, which is `/etc/iptables/rules.v4` on DEB based systems and `/etc/sysconfig/iptables` on RPM based systems. After editing the file, you can use the `iptables-restore` command to apply the rules you configured in it. Note that this method will only work if the `iptables-save` command is available on your system. See our tutorial on how to make iptables rules persistent after reboot for more help.
In this tutorial, we saw how to remove iptables rules from the Linux command line. iptables is a complex but powerful firewall built into the Linux kernel, and it has a steep learning curve even for the simplest of tasks, such as deleting a rule. As seen here, there are several options available, whether we need to clear all rules for a particular table or chain, or just remove a single rule.