Linux flush or remove all iptables firewall rules

In this quick post, we will see how to list and delete all iptables firewall rules using the command line. I also have a small script that does this. Debian or Ubuntu GNU/Linux does not come with any SysV init script (located in the /etc/init.d directory) for iptables. Create the script shown below and use it to stop or flush the iptables rules. Be careful when running the following commands at the command prompt, as firewall protection is going to be disabled. Use the script to speed up the work.


Linux flush or remove all iptables commands

Warning: Disabling the firewall opens your server to various attacks. All the commands must be executed with root privileges.

The IPv4 and IPv6 syntax is as follows:

# Set the built-in chain policies to ACCEPT first, so that flushing the rules
# cannot lock you out of an ssh session when the policy was DROP #
iptables -P INPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -P OUTPUT ACCEPT
 
# Flush all iptables chains/firewall rules in the filter table #
iptables -F
 
# Delete all user-defined iptables chains in the filter table #
iptables -X
 
# Zero the packet and byte counters too #
iptables -Z
 
# Flush and delete all rules and chains in the nat, mangle and raw tables #
iptables -t nat -F
iptables -t nat -X
iptables -t mangle -F
iptables -t mangle -X
iptables -t raw -F
iptables -t raw -X

Replace iptables with ip6tables under Linux to flush or remove all IPv6 rules. Let us see all the commands in detail.

How to list firewall rules on Linux

Open the terminal application and then type the following command to show all IPv4 rules before we start removing all iptables rules:
$ sudo iptables -L -n -v
For IPv6 rules, try:
$ sudo ip6tables -L -n -v
Another option to dump iptables/ip6tables rules on screen is to run the following command before you remove all iptables firewall rules:
$ sudo iptables-save
$ sudo ip6tables-save

# Generated by iptables-save v1.8.4 on Sun Jul 26 08:38:01 2020
*mangle
:PREROUTING ACCEPT [1916030992:764975955327]
:INPUT ACCEPT [1652755630:277824922275]
:FORWARD ACCEPT [263275362:487151033052]
:OUTPUT ACCEPT [1895922402:3163297068770]
:POSTROUTING ACCEPT [2159197764:3650448101822]
-A POSTROUTING -o lxdbr0 -p udp -m udp --dport 68 -m comment --comment "generated for LXD network lxdbr0" -j CHECKSUM --checksum-fill
COMMIT
# Completed on Sun Jul 26 08:38:01 2020
# Generated by iptables-save v1.8.4 on Sun Jul 26 08:38:01 2020
*nat
:PREROUTING ACCEPT [8200683:492010596]
:INPUT ACCEPT [6377168:384552638]
:OUTPUT ACCEPT [319493:23572478]
:POSTROUTING ACCEPT [4087290:249640562]
-A PREROUTING -s 172.xxx.yyy.zz/32 -d 45.xxx.yyy.zz/32 -p tcp -m tcp --dport 443 -m comment --comment "RD VPN HTTPS -> utls-wp-mg-www-cbz" -j DNAT --to-destination 10.105.28.2:443
-A PREROUTING -s 139.xxx.yyy.zz/32 -d 45.xx.yyy.zz/32 -p tcp -m tcp --dport 443 -m comment --comment "RD VPN HTTPS -> utls-wp-mg-www-cbz" -j DNAT --to-destination 10.105.28.2:443
-A PREROUTING -d 192.168.217.103/32 -p tcp -m tcp --dport 444 -m comment --comment "RD HTTPS -> utls-www-cbz" -j DNAT --to-destination 10.105.28.3:444
-A PREROUTING -d 192.168.217.103/32 -p tcp -m tcp --dport 81 -m comment --comment "RD HTTP-> utls-www-cbz" -j DNAT --to-destination 10.105.28.3:81
-A POSTROUTING -s 10.105.28.0/24 ! -d 10.105.28.0/24 -m comment --comment "generated for LXD network lxdbr0" -j MASQUERADE
COMMIT
# Completed on Sun Jul 26 08:38:01 2020
# Generated by iptables-save v1.8.4 on Sun Jul 26 08:38:01 2020
*filter
:INPUT DROP [144164:6923642]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [560:28760]
:ufw-after-forward - [0:0]
:ufw-after-input - [0:0]
:ufw-after-logging-forward - [0:0]
:ufw-after-logging-input - [0:0]
:ufw-after-logging-output - [0:0]
:ufw-after-output - [0:0]
.....
...
.....
-A ufw-user-input -s 172.xxx.yyy.zz/32 -d 45.xxx.yy.zz/32 -p tcp -m tcp --dport 443 -j ACCEPT
-A ufw-user-input -s 172.xxx.yyy.zz/32 -d 45.xxx.yy.zz/32 -p tcp -m tcp --dport 80 -j ACCEPT
-A ufw-user-input -s 139.xxx.yyy.zz/32 -d 45.xxx.yyy.zz/32 -p tcp -m tcp --dport 443 -j ACCEPT
-A ufw-user-input -s 139.xxx.yyy.zz/32 -d 45.xxx.yyy.zz/32 -p tcp -m tcp --dport 80 -j ACCEPT
-A ufw-user-input -s 23.xxx.yyy.zz/32 -d 45.xxx.yyy.zz/32 -p udp -m udp --dport 31194 -j ACCEPT
-A ufw-user-input -s 10.105.29.0/24 -i wg0 -p tcp -m tcp --dport 22 -j ACCEPT
-A ufw-user-limit -m limit --limit 3/min -j LOG --log-prefix "[UFW LIMIT BLOCK] "
-A ufw-user-limit -j REJECT --reject-with icmp-port-unreachable
-A ufw-user-limit-accept -j ACCEPT
COMMIT
# Completed on Sun Jul 26 08:38:01 2020

Procedure for Debian / Ubuntu Linux (Generic method)

First, create a new shell script called /root/fw.stop using a text editor such as vi:

#!/bin/sh
echo "Stopping IPv4 firewall and allowing everyone..."
ipt="/sbin/iptables"
## Failsafe - die if /sbin/iptables not found
[ ! -x "$ipt" ] && { echo "$0: \"${ipt}\" command not found."; exit 1; }
## Policies first, so an empty chain with a DROP policy cannot lock us out
$ipt -P INPUT ACCEPT
$ipt -P FORWARD ACCEPT
$ipt -P OUTPUT ACCEPT
## Flush rules and delete user-defined chains in the filter table
$ipt -F
$ipt -X
## Same for the nat, mangle and raw tables
$ipt -t nat -F
$ipt -t nat -X
$ipt -t mangle -F
$ipt -t mangle -X
$ipt -t raw -F
$ipt -t raw -X

Make sure you can execute the script:
# chmod +x /root/fw.stop
Run the script as root user:
# /root/fw.stop
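The same procedure, generalised to every table iptables knows about (filter, nat, mangle, raw and security) and to both iptables and ip6tables, as an added example script that is not the post's own fw.stop. It assumes /sbin/iptables and /sbin/ip6tables as in the post, only prints the command sequence unless DRY_RUN=0 is set, and saves an iptables-save backup before flushing so the rules can be restored afterwards:

```shell
#!/bin/sh
# Added example (not from the original post). Default is a dry run that only
# prints the commands; run as: DRY_RUN=0 sudo ./fw-flush.sh
DRY_RUN="${DRY_RUN:-1}"

# Print, in order, the commands that fully open a firewall without locking out
# a remote session: policies to ACCEPT first, then flush/delete every table.
flush_sequence() {
    bin="$1"
    # 1. A DROP policy on an emptied INPUT/OUTPUT chain cuts the ssh session,
    #    so the policies are switched to ACCEPT before anything is flushed.
    for chain in INPUT FORWARD OUTPUT; do
        echo "$bin -P $chain ACCEPT"
    done
    # 2. Flush rules (-F), delete user chains (-X) and zero counters (-Z)
    #    in each table; the post covers four, security is the fifth table.
    for table in filter nat mangle raw security; do
        echo "$bin -t $table -F"
        echo "$bin -t $table -X"
        echo "$bin -t $table -Z"
    done
}

# Number of commands the sequence produces (3 policies + 5 tables x 3 = 18).
flush_line_count() {
    flush_sequence "$1" | wc -l | tr -d ' '
}

# Back up the current ruleset, then execute (or just print) the sequence.
apply_flush() {
    bin="$1"; backup="$2"
    if [ "$DRY_RUN" = 1 ]; then
        flush_sequence "$bin"
        return 0
    fi
    [ -x "$bin" ] || { echo "$0: $bin not found" >&2; return 1; }
    # Restore later with: ${bin}-restore < $backup
    "${bin}-save" > "$backup" || return 1
    flush_sequence "$bin" | sh -e
}

apply_flush /sbin/iptables  /root/iptables.backup
apply_flush /sbin/ip6tables /root/ip6tables.backup
```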

How do I verify that my firewall rules are flushed out?

Type the following command:
# iptables -L -n -v

Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

A note for RedHat (RHEL), CentOS and friends (older versions)

Please note that RedHat Enterprise Linux (RHEL), Fedora and CentOS Linux come with a pre-installed rc.d script, which can be used to stop the firewall; enter:
# /etc/init.d/iptables stop
OR
# service iptables stop
Sample outputs:

A note about firewalld for CentOS 7+/Fedora (latest)/RedHat Enterprise Linux 7.x+ users

Type the following command to stop and flush all rules:
# systemctl stop firewalld
See our in-depth tutorial about setting up FirewallD on RHEL 8, CentOS 8, or OpenSUSE 15.1

List and delete iptables firewall rules on Ubuntu/Debian when using ufw

We can list all rules, or the rules of a specified chain, as follows:
$ sudo iptables -S
$ sudo ip6tables -S
$ sudo iptables -S {CHAIN_NAME}
$ sudo iptables -S BADIPS
$ sudo iptables -L
$ sudo ufw status

Ubuntu/Debian Linux flush all rules, delete all chains, and accept all connections

Run the following command:
$ sudo ufw disable
For more information see how to set up and use ufw on:

Linux flush or remove all iptables command summary

iptables option       Description
-P {chain} {target}   Set the policy for the built-in chain to either ACCEPT or DROP.
-t {table}            State the packet matching table which the command should operate on. The tables are filter, nat, mangle, raw, and security.
-S                    Print all rules in the selected chain.
-L                    List all rules in the selected chain.
-n                    Numeric output: disable DNS lookups, which speeds up listing.
-v                    Verbose firewall output. This option makes the list command show the interface name, the rule options (if any), and the TOS masks. The packet and byte counters are also listed. For appending, insertion, deletion and replacement, this causes detailed information on the rule or rules to be printed. -v may be specified multiple times to possibly emit more detailed debug statements.
-F                    Flush the selected chain, or every chain in the table if none is given.
-Z                    Zero the packet and byte counters in all chains, or only the given chain, or only the given rule in a chain.
-X                    Delete the optional user-defined chain specified. If no argument is given, it will attempt to delete every non-builtin chain in the table.

Related tutorial:
» Linux: 25 Iptables Netfilter Firewall Examples For New SysAdmins
» CentOS / Redhat Iptables Firewall Configuration Tutorial

Read the iptables man page by typing the following man command and see the ipfilter documents:
$ man iptables
$ man ip6tables

Conclusion

In this blog post, we covered the various commands and syntax to show and disable firewall rules on Linux. Most modern Linux distros now use frontends such as ufw or firewalld for ease of management. Hence, use those tools instead of the low-level iptables/ip6tables commands.

12 comments
  • JRivera Sep 20, 2008 @ 13:06

    #/etc/init.d/iptables stop

    Thank you that just saved me much time.

  • Phil Nutzmeyer Sep 11, 2009 @ 18:26

    Thanks!!! It saved my time too!

  • noob Dec 26, 2009 @ 16:26

    should i run update-rc.d on the script in init.d ?
    Or will the script be run automatically when the system is booted up ?

    thanx.

  • phpmonk Mar 22, 2010 @ 11:48

    iptables normally starts when you start system
    ‘/etc/init.d/iptables status’ should show you rules of iptables running.

  • Relax Jun 6, 2011 @ 8:32

    iptables --flush
    iptables --delete-chain
    iptables --table nat --flush
    iptables --table filter --flush
    iptables --table nat --delete-chain
    iptables --table filter --delete-chain

  • rocksfrow Oct 26, 2011 @ 4:20

    In CentOS 5 I easily disable iptables after installation as root:

    #service iptables stop
    #chkconfig iptables off

    chkconfig ensures iptables doesn’t start up next boot.

  • Price Oct 5, 2012 @ 15:39

    I have Fire iptables -F
    Now My VPS is not Responding I’m Thrown out of the VPS I have no Access to it Please Help

    • sholan Feb 6, 2014 @ 15:33

The problem is that those scripts are meant to be started not by a user and especially not line by line.

The first command, iptables -F, flushes all chains of the default table, i.e. INPUT, OUTPUT and FORWARD; using any remote connection implies you’re using both the INPUT and OUTPUT chains.

If those chains have a DROP policy, you won’t be able to contact your server remotely anymore.

To ensure not having problems, I would recommend executing the iptables -P ACCEPT commands stated at the end of the script first, as they will first set your remote computer to accept connections by default.

      I know that this comment is more than a year old, but ppl could still have this issue.

      @NIXCraft, I would recommend to modify the script (you’re going permissive anyway) or, at least, warn people about this issue that is more than likely to occur.

      • Robert Fleming Jan 7, 2016 @ 20:36

        Agreed. This page is currently my top Google hit for “linux firewall flush”, but as it’s written, it’ll lock the user out if executed line-by-line.

  • Nivas Aug 21, 2013 @ 11:58

    Hi,

I'm getting the following error:

    Stopping iptables: ERROR: Module ipt_addrtype does not exist in /proc/modules

  • Keijo Apr 12, 2016 @ 0:31

    Line 15 of the Debian script:
    $ipt iptables -t raw -F
    throws an error:
    Bad argument `iptables’

    Deleting `iptables’ and leaving the line like this:
    $ipt -t raw -F
    does the trick.

    Thanks.
