Linux Deleting Firewall Rules

June 28, 2011 · 1 comment · Last updated June 28, 2012

I would like to delete my iptables based firewall rules under Linux. How do I delete rules individually or all at once under CentOS or Fedora Linux or RHEL based servers?

You can use the following commands to delete firewall rules under RHEL / Fedora / CentOS / Scientific / Red Hat Enterprise Linux:

Linux IPv4 Firewall Commands

  1. /sbin/iptables - Manage the IPv4 firewall, i.e. add / delete / modify firewall rules.
  2. /sbin/chkconfig iptables on - Turn on the IPv4 firewall on boot.
  3. /sbin/chkconfig iptables off - Turn off the IPv4 firewall on boot.
  4. /sbin/service iptables start - Start the IPv4 firewall and load the rules stored in the /etc/sysconfig/iptables file.
  5. /sbin/service iptables stop - Stop the IPv4 firewall and flush all rules.
  6. /sbin/service iptables restart - Restart the IPv4 firewall.
  7. /sbin/service iptables save - Save the current IPv4 rules to the /etc/sysconfig/iptables file.
  8. /sbin/service iptables status - See the status of the IPv4 firewall.

Linux IPv6 Firewall Commands

  1. /sbin/ip6tables - Manage the IPv6 firewall, i.e. add / delete / modify firewall rules.
  2. /sbin/chkconfig ip6tables on - Turn on the IPv6 firewall on boot.
  3. /sbin/chkconfig ip6tables off - Turn off the IPv6 firewall on boot.
  4. /sbin/service ip6tables start - Start the IPv6 firewall and load the rules stored in the /etc/sysconfig/ip6tables file.
  5. /sbin/service ip6tables stop - Stop the IPv6 firewall and flush all rules.
  6. /sbin/service ip6tables restart - Restart the IPv6 firewall.
  7. /sbin/service ip6tables save - Save the current IPv6 rules to the /etc/sysconfig/ip6tables file.
  8. /sbin/service ip6tables status - See the status of the IPv6 firewall.

Examples

Type the following commands as the root user:

Delete all firewall rules at once

First, save the existing firewall rules (optional, but recommended so that they can be restored later):
# /sbin/service iptables save
Next, stop the firewall. This flushes every rule and leaves all traffic allowed until the firewall is started again:
# /sbin/service iptables stop
See the current status of the firewall:
# /sbin/service iptables status
OR
# /sbin/iptables -L -v -n

To start the firewall again at once

# /sbin/service iptables start
# /sbin/iptables -L -v -n

Delete firewall rules individually (i.e. a single rule at a time)

First, list the rules along with line numbers:
# /sbin/iptables -L -v -n --line-numbers
Sample outputs:

Chain INPUT (policy DROP 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1      207 15336 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
2        0     0 REJECT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0           icmp type 3 reject-with icmp-host-prohibited
3        0     0 REJECT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0           icmp type 12 reject-with icmp-host-prohibited
4        0     0 REJECT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0           icmp type 5 reject-with icmp-host-prohibited
5        0     0 REJECT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0           icmp type 9 reject-with icmp-host-prohibited
6        0     0 REJECT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0           icmp type 10 reject-with icmp-host-prohibited
7        0     0 REJECT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0           icmp type 4 reject-with icmp-host-prohibited
8        0     0 REJECT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0           icmp type 11 reject-with icmp-host-prohibited
9        0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0
10       0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
11       0     0 ACCEPT     all  --  eth0   *       0.0.0.0/0            0.0.0.0/0
12       0     0 ACCEPT     tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:22
13       0     0 ACCEPT     tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:80
14       2    96 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           reject-with icmp-host-prohibited
Chain FORWARD (policy DROP 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1        0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
2        0     0 REJECT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0           icmp type 3 reject-with icmp-host-prohibited
3        0     0 REJECT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0           icmp type 12 reject-with icmp-host-prohibited
4        0     0 REJECT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0           icmp type 5 reject-with icmp-host-prohibited
5        0     0 REJECT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0           icmp type 9 reject-with icmp-host-prohibited
6        0     0 REJECT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0           icmp type 10 reject-with icmp-host-prohibited
7        0     0 REJECT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0           icmp type 4 reject-with icmp-host-prohibited
8        0     0 REJECT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0           icmp type 11 reject-with icmp-host-prohibited
9        0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0

To delete rule number 6 on the INPUT chain, enter:
# /sbin/iptables -D INPUT 6
You can list the rules of just one chain (INPUT, OUTPUT or a custom chain) as follows:
# /sbin/iptables -L INPUT -v -n --line-numbers
OR
# /sbin/iptables -L OUTPUT -v -n --line-numbers

A note about other Linux distributions

On other Linux distributions, which have no iptables service script, you can use the following script to save the current rules, flush all rules and allow all traffic:

#!/bin/sh
# Save the running rules first so that they can be restored later with iptables-restore
echo "Saving current firewall rules at /root/current.firewall file..."
iptables-save > /root/current.firewall
echo "Stopping firewall and allowing everyone..."
# Flush all rules (-F) and delete all user-defined chains (-X) in every table
iptables -F
iptables -X
iptables -t nat -F
iptables -t nat -X
iptables -t mangle -F
iptables -t mangle -X
# Set the default policy of the built-in chains to ACCEPT, so all traffic is allowed
iptables -P INPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -P OUTPUT ACCEPT
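The script above saves the rules to /root/current.firewall before flushing them, but the page does not show how to put them back. The following added example (not part of the original page or of the iptables project) is the restore counterpart: it refuses to load a file that is missing, empty or not a complete iptables-save dump, and only then hands it to iptables-restore. The IPTABLES_RESTORE variable, which can be pointed at cat for a dry run, is an assumption of this example and not an iptables-restore option.

```shell
#!/bin/sh
# Added example, not from the original page: restore the rules saved by
# "iptables-save > /root/current.firewall" after checking that the file is a
# complete dump. IPTABLES_RESTORE may be overridden (e.g. IPTABLES_RESTORE=cat)
# for a dry run; that variable is an assumption of this example, not an
# iptables-restore feature.
IPTABLES_RESTORE="${IPTABLES_RESTORE:-/sbin/iptables-restore}"

# Usage: restore_firewall FILE
# Returns 1 without touching the firewall if FILE is missing or empty, has no
# table header ("*filter", "*nat", ...) or lacks the COMMIT line that ends
# every table in iptables-save output; otherwise loads it.
restore_firewall() {
    f="$1"
    if [ ! -s "$f" ]; then
        echo "restore_firewall: $f is missing or empty" >&2
        return 1
    fi
    if ! grep -q '^\*[a-z]' "$f"; then
        echo "restore_firewall: $f has no table header (*filter etc.)" >&2
        return 1
    fi
    if ! grep -q '^COMMIT$' "$f"; then
        echo "restore_firewall: $f is truncated (no COMMIT line)" >&2
        return 1
    fi
    $IPTABLES_RESTORE < "$f"
}

# "sh restore.sh --restore [FILE]" loads FILE, defaulting to the path the
# script above saves to.
if [ "${1-}" = "--restore" ]; then
    restore_firewall "${2:-/root/current.firewall}"
fi
```

A truncated dump is the case worth guarding against: iptables-save writes one table at a time, so a file that was cut off mid-write ends without COMMIT, and feeding it to iptables-restore would fail part-way and leave the host with a half-loaded ruleset.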


1 mett March 16, 2014 at 2:39 am

Hi,
Does sby know if there is a way to delete many rules at once in a chain, using the rule number?
iptables -t filter INPUT -D 156 155 123
or without the -t filter part as filter is the default table.
According to man it seems possible but I get an error each time I try it. One by One OK, many not.
From man: "
-D, --delete chain rulenum
Delete one or more rules from the selected chain. There are two versions of this command: the rule can be specified as a number in the chain (starting at 1 for the first rule) or a rule to match."

From my terminal: "
iptables -t filter -D INPUT 159 155
Bad argument `155' "

TIA

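The rule-number deletion shown in the tutorial above, and the question in the comment about deleting several numbered rules in one go, are both covered by this added example (not part of the original page or of the iptables project). The rulenum form of iptables -D accepts a single number, which is why the commenter's attempt is rejected. The example deletes the requested numbers highest-first, because after "-D INPUT 2" the old rule 3 becomes rule 2, and it can pick the numbers out of the "iptables -L -v -n --line-numbers" listing format shown above. The IPTABLES variable and the dry_run helper are assumptions of this example, not iptables features; the embedded listing is constructed from a trimmed copy of the sample output above.

```shell
#!/bin/sh
# Added example, not from the original page. Deletes several numbered rules
# from one iptables chain. IPTABLES may be overridden (e.g. IPTABLES=dry_run)
# to print the commands instead of running them; that variable is an
# assumption of this example, not an iptables feature.
IPTABLES="${IPTABLES:-/sbin/iptables}"

# Dry-run stand-in for iptables: print the arguments it would have received.
dry_run() {
    printf '%s\n' "$*"
}

# Print the given rule numbers one per line, highest first, duplicates removed.
# Deleting highest-first matters: after "-D INPUT 2", old rule 3 becomes 2.
sort_rulenums_desc() {
    printf '%s\n' "$@" | sort -n -r -u
}

# Usage: delete_rulenums CHAIN NUM [NUM...]
# Runs one "iptables -D CHAIN NUM" per number, highest first, stopping on error.
delete_rulenums() {
    chain="$1"; shift
    for n in $(sort_rulenums_desc "$@"); do
        $IPTABLES -D "$chain" "$n" || return 1
    done
}

# Usage: rulenums_matching CHAIN TARGET PROTO < listing
# Reads "iptables -L -v -n --line-numbers" output on stdin and prints the
# rule numbers in CHAIN whose target (4th column) and prot (5th column) match.
rulenums_matching() {
    awk -v chain="$1" -v target="$2" -v proto="$3" '
        /^Chain / { cur = $2; next }     # "Chain INPUT (policy ...)"
        /^num /   { next }               # column header line
        cur == chain && $4 == target && $5 == proto { print $1 }
    '
}

# Usage: delete_matching CHAIN TARGET PROTO < listing
# Picks the rule numbers out of a listing, then deletes them highest-first.
delete_matching() {
    nums=$(rulenums_matching "$1" "$2" "$3")
    [ -n "$nums" ] || return 0
    delete_rulenums "$1" $nums
}

# Constructed listing, trimmed from the sample output above, for a dry run.
SAMPLE_LISTING='Chain INPUT (policy DROP 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1      207 15336 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
2        0     0 REJECT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0           icmp type 3 reject-with icmp-host-prohibited
3        0     0 REJECT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0           icmp type 12 reject-with icmp-host-prohibited
4        0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0
5        0     0 ACCEPT     tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:22
Chain FORWARD (policy DROP 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1        0     0 REJECT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0           icmp type 3 reject-with icmp-host-prohibited'

# "sh delete_rules.sh --demo" prints the -D commands that would remove every
# REJECT icmp rule from INPUT, without touching the live firewall.
if [ "${1-}" = "--demo" ]; then
    printf '%s\n' "$SAMPLE_LISTING" | IPTABLES=dry_run delete_matching INPUT REJECT icmp
fi
```

On a live system, pipe the real listing in ("/sbin/iptables -L INPUT -v -n --line-numbers | delete_matching INPUT REJECT icmp") and run it once with IPTABLES=dry_run first; deleting by number is only safe if the listing you read is the one the numbers are deleted from, so do not let other rule changes happen in between.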