Ubuntu: Stat / Stop / Restart Iptables Firewall Service

last updated in Categories , ,

I am a new Ubuntu Linux version 12.04 LTS user. How do I stop or start iptables based firewall service on Ubuntu Linux using bash command line options?

You can type the following commands start / stop firewall service on Ubuntu based server or desktop.


a] ufw command – This command is used for managing a Linux firewall and aims to provide an easy to use interface for the user.

b] iptables command – This command is used to set up, maintain, and inspect the tables of IPv4 packet filter rules in the Linux kernel.

Find status of firewall

Login as root user either by opening the Terminal or login over the ssh based session. Type the following command:
$ sudo ufw status
Sample outputs:

Status: inactive

Ubuntu stop iptables service command

Type the following command to unloads firewall and disables firewall on boot:
$ sudo ufw disable

Ubuntu start iptables service command

Type the following command to reloads firewall and enables firewall on boot:
$ sudo ufw enable

Ubuntu reload / restart iptables service command

Type the following command to reloads firewall:
$ sudo ufw reload

Alternative method to enable/disable firewall on Ubuntu and other Linux distros

If you are not using ufw command and/or ufw is not installed, try the following generic methods:

Get IPv4 iptables status

$ sudo iptables -L -n -v

Get IPv6 ip6tables status

$ sudo ip6tables -L -n -v

Save IPv4 iptables firewall

Use the iptables-save command to save current firewall rules:
$ sudo iptables-save > $HOME/firewall.txt

Save IPv6 ip6tables firewall

$ sudo ip6tables-save > $HOME/firewall-6.txt

Restore IPv4 iptables firewall

Use the iptables-restore command to restore firewall rules:
$ sudo iptables-restore < $HOME/firewall.txt

Restore IPv6 ip6tables firewall

$ sudo ip6tables-restore < $HOME/firewall-6.txt

Putting it all together

To stop Ipv4 based iptables firewall, enter:

sudo iptables-save > $HOME/firewall.txt
sudo iptables -X
sudo iptables -t nat -F
sudo iptables -t nat -X
sudo iptables -t mangle -F
sudo iptables -t mangle -X
sudo iptables -P INPUT ACCEPT
sudo iptables -P FORWARD ACCEPT
sudo iptables -P OUTPUT ACCEPT

To stop Ipv6 based iptables firewall, enter:

sudo ip6tables-save > $HOME/firewall-6.txt
sudo ip6tables -X
sudo ip6tables -t mangle -F
sudo ip6tables -t mangle -X
sudo ip6tables -P INPUT ACCEPT
sudo ip6tables -P FORWARD ACCEPT
sudo ip6tables -P OUTPUT ACCEPT


  1. -F : Flush the selected chain (all the chains in the table if none is given). This is equivalent to deleting all the rules one by one.
  2. -X : Delete the optional user-defined chain specified. There must be no references to the chain. If there are, you must delete or replace the referring rules before the chain can be deleted.
  3. -P chainNameHere ACCEPT : Set the policy for the chain to the given target.
  4. -L : List rules.
  5. -v : Verbose output.
  6. -n : Numeric output. IP addresses and port numbers will be printed in numeric format.
Recommend readings

Posted by: Vivek Gite

The author is the creator of nixCraft and a seasoned sysadmin, DevOps engineer, and a trainer for the Linux operating system/Unix shell scripting. Get the latest tutorials on SysAdmin, Linux/Unix and open source topics via RSS/XML feed or weekly email newsletter.


5 comment

  1. FLUSH is dangerous, it does delete all the rules but it does not change the default policy for each chain. That’s fine on a stock iptables config as the default policy is to ACCEPT. But, as is usually the case, what if the default policy for each chain has been changed to DROP and you FLUSH the tables while connected over SSH. OOPS!!!

    Don’t forget to specifically ACCEPT existing SSH sessions after flushing the rules or you will need a crashcart to get back into your remote server. I always use a script (a list of commands saved in a text file) to send commands to iptables. The following 2 commands are always the first 2 and last 2 in my script file. That will insure that my SSH connection doesn’t get killed.

    iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    iptables -A INPUT -p tcp --dport ssh -j ACCEPT

    The above 2 commands do 2 things, allow existing established connections to remain (your ssh session) and allow new ssh sessions (in case you get disconnected). The safest way to work with iptables is thru the use of script files rather than sending commands directly to the firewall. That way you can ensure the above two commands are always executed after a FLUSH.

    Although, after one too many (1 time is enough for me) 2am mad dashes across town to hook up a crash cart to one of my servers and open port 22, I will never FLUSH iptables… ever!

  2. There’s another typo that’s caused me some difficulty –
    sudo ip6tables-save > $HOME/firewall.txt
    should be
    sudo ip6tables-save > $HOME/firewall-6.txt

    Anyone know where I can restore default settings for this, as I’ve lost iptables from the line above.

Leave a Comment