How to remove iptables rule

The purpose of this tutorial is to show how to remove iptables rules on a Linux system. It is possible to remove iptables rules one at a time or to clear all of the rules in any iptables chain at once. You will soon see how.

The iptables firewall on Linux systems is a very useful feature that allows system administrators to control, with granular precision, what network traffic is permitted or denied to the system.

Eventually, the time will come to remove rules that no longer pertain to your desired configuration. In this tutorial, you will see several different command line methods for removing iptables rules on Linux.

In this tutorial you will learn:

  • How to remove iptables rules individually
  • How to clear all configured rules for an iptables chain
  • How to clear all configured rules for an iptables table
How to remove iptables rule
How to remove iptables rule
Software Requirements and Linux Command Line Conventions
Category Requirements, Conventions or Software Version Used
System Any Linux distro
Software iptables
Other Privileged access to your Linux system as root or via the sudo command.
Conventions # – requires given linux commands to be executed with root privileges either directly as a root user or by use of sudo command
$ – requires given linux commands to be executed as a regular non-privileged user

How to remove iptables rules on Linux – example commands



DID YOU KNOW?
Some iptables front ends, such as firewalld for Red Hat based systems and ufw for Ubuntu based systems, have their own commands used for removing firewall rules. If using an iptables front end, be sure to remove and configure your rules through that application rather than directly interacting with iptables.

Before proceeding, make sure that you already have some rules configured on your system. In particular, this tutorial assumes that you have configured the rules with iptables, rather than a front end firewall application like firewalld or ufw.

To see the rules on your system, you can use the following iptables command. In order to remove a specific rule more easily, it is also recommended that you use the --line-numbers option in your command.

$ sudo iptables -L

Example output of our configured iptables rules (notice the line number at the beginning of each rule):

Chain INPUT (policy ACCEPT)
num  target     prot opt source               destination         

Chain FORWARD (policy ACCEPT)
num  target     prot opt source               destination         
1    DROP       all  --  anywhere             10.0.0.0/8          
2    DOCKER     all  --  anywhere             anywhere            
3    ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
4    ACCEPT     all  --  anywhere             anywhere            
5    ACCEPT     all  --  anywhere             anywhere            

Chain OUTPUT (policy ACCEPT)
num  target     prot opt source               destination         

Chain DOCKER (1 references)
num  target     prot opt source               destination         
1    ACCEPT     tcp  --  anywhere             172.17.0.3           tcp dpt:https
2    ACCEPT     tcp  --  anywhere             172.17.0.4           tcp dpt:http
3    ACCEPT     tcp  --  anywhere             172.17.0.5           tcp dpt:4000
4    ACCEPT     tcp  --  anywhere             172.17.0.7           tcp dpt:mysql
5    ACCEPT     tcp  --  anywhere             172.17.0.7           tcp dpt:http
6    ACCEPT     tcp  --  anywhere             172.17.0.6           tcp dpt:3142
NOTE
Before proceeding with the commands below, it is highly recommended that you back up your currently configured iptables rules. You can learn how to do this by following our other tutorial on how to make iptables rules persistent after reboot.
  1. Now that we have all line numbers, we can remove any of the iptables listed rules. As an example, we will remove the DROP all -- anywhere 10.0.0.0/8 rule from the FORWARD chain, which happens to occupy line number 1. To remove this rule we enter the following iptables command with the -D (delete) option:
    $ sudo iptables -D FORWARD 1
    
    WARNING
    It is not possible to delete multiple individual rules at once, unless you configure a Bash script to do so. However, the rule numbers will shift every time you delete a rule, and it would be tricky to configure a script to account for the always shifting rule numbers. Although inconvenient, it is recommended that you simply take the time to delete each undesired rule individually.
  2. You can also delete all the rules for an entire chain at once. For example, we could clear all 5 rules in our FORWARD chain by simply executing the command below with the -F (flush) option:
    $ sudo iptables -F FORWARD
    
  3. Using the -F option, without specifying any particular chain, will clear the rules for all of our iptables chains. Use caution when exeuting this command, since you could potentially clear a ton of rules.


    $ sudo iptables -F
    
  4. You can also delete the chain itself with the -X option. However, this will only work if you have already cleared out all referenced rules with a iptables -F [chain] command first. For example, to delete the DOCKER chain and all of its referenced rules on our system:
    $ sudo iptables -F DOCKER
    $ sudo iptables -X DOCKER
    

    To clear all empty chains, you can use the -X option with no further arguments.

    $ sudo iptables -X
    
  5. To delete all of the configured rules in the nat or mangle tables, you will need to specify these tables separately with the -t (tables) option.
    $ sudo iptables -t nat -F
    $ sudo iptables -t mangle -F
    
  6. To reset all your iptables configuration to defaults, you can use all of the following commands in conjunction. This will reset your default chain policies, clear all rules from every table, and then delete all the empty chains from each table.
    $ sudo iptables -P INPUT ACCEPT
    $ sudo iptables -P FORWARD ACCEPT
    $ sudo iptables -P OUTPUT ACCEPT
    $ sudo iptables -F
    $ sudo iptables -X
    $ sudo iptables -t nat -F
    $ sudo iptables -t nat -X
    $ sudo iptables -t mangle -F
    $ sudo iptables -t mangle -X
    
  7. One last method is to manually edit the iptables-save output file, which is /etc/iptables/rules.v4 on DEB systems and /etc/sysconfig/iptables on RPM based systems. After editing the files, you could use the iptables-restore command to apply the new rules that you configured in the output files. Note that this method will only work if you have access to the iptables-save command on your system. See our tutorial on how to make iptables rules persistent after reboot for more help.

Closing Thoughts




In this tutorial, we saw how to remove iptables rules from the Linux command line. iptables is a complex but powerful firewall built in to the Linux kernel, and has a big learning curve even when it comes to the simplest of tasks, such as learning to delete a rule. As seen here, there are multiple options we can use – weather we need to clear all rules for a particular table, chain, or just remove a rule individually.



Comments and Discussions
Linux Forum