Linux flush or remove all iptables firewall rules


In this quick post, we will see how to list and delete all iptables firewall rules using the command line. I also have a small script that does this. Debian and Ubuntu GNU/Linux do not come with a SysV init script for iptables (the kind located in the /etc/init.d directory), so you create a script as shown below and use it to stop or flush the iptables rules. Be careful when running the following commands at the command prompt, as firewall protection is going to be disabled. Use the script to speed up the work.


Linux flush or remove all iptables commands

Warning: Disabling the firewall opens your server to various attacks. All the commands must be executed with root privileges.

The IPv4 and IPv6 syntax is as follows:

# Accept all traffic first to avoid an ssh lockout via iptables firewall rules #
iptables -P INPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -P OUTPUT ACCEPT

# Flush all iptables chains/firewall rules in the filter table #
iptables -F

# Delete all user-defined iptables chains #
iptables -X

# Zero all packet and byte counters too #
iptables -Z

# Flush and delete all nat, mangle and raw chains #
iptables -t nat -F
iptables -t nat -X
iptables -t mangle -F
iptables -t mangle -X
iptables -t raw -F
iptables -t raw -X

Replace iptables with ip6tables to flush or remove all IPv6 rules. Let us see all the commands in detail.

How to list firewall rules on Linux

Open the terminal application and then type the following command to show all IPv4 rules before we start removing all iptables rules:
$ sudo iptables -L -n -v
For IPv6 rules, try:
$ sudo ip6tables -L -n -v
Another option to dump iptables/ip6tables rules on screen is to run the following command before you remove all iptables firewall rules:
$ sudo iptables-save
$ sudo ip6tables-save

# Generated by iptables-save v1.8.4 on Sun Jul 26 08:38:01 2020
*mangle
:PREROUTING ACCEPT [1916030992:764975955327]
:INPUT ACCEPT [1652755630:277824922275]
:FORWARD ACCEPT [263275362:487151033052]
:OUTPUT ACCEPT [1895922402:3163297068770]
:POSTROUTING ACCEPT [2159197764:3650448101822]
-A POSTROUTING -o lxdbr0 -p udp -m udp --dport 68 -m comment --comment "generated for LXD network lxdbr0" -j CHECKSUM --checksum-fill
COMMIT
# Completed on Sun Jul 26 08:38:01 2020
# Generated by iptables-save v1.8.4 on Sun Jul 26 08:38:01 2020
*nat
:PREROUTING ACCEPT [8200683:492010596]
:INPUT ACCEPT [6377168:384552638]
:OUTPUT ACCEPT [319493:23572478]
:POSTROUTING ACCEPT [4087290:249640562]
-A PREROUTING -s 172.xxx.yyy.zz/32 -d 45.xxx.yyy.zz/32 -p tcp -m tcp --dport 443 -m comment --comment "RD VPN HTTPS -> utls-wp-mg-www-cbz" -j DNAT --to-destination 10.105.28.2:443
-A PREROUTING -s 139.xxx.yyy.zz/32 -d 45.xx.yyy.zz/32 -p tcp -m tcp --dport 443 -m comment --comment "RD VPN HTTPS -> utls-wp-mg-www-cbz" -j DNAT --to-destination 10.105.28.2:443
-A PREROUTING -d 192.168.217.103/32 -p tcp -m tcp --dport 444 -m comment --comment "RD HTTPS -> utls-www-cbz" -j DNAT --to-destination 10.105.28.3:444
-A PREROUTING -d 192.168.217.103/32 -p tcp -m tcp --dport 81 -m comment --comment "RD HTTP-> utls-www-cbz" -j DNAT --to-destination 10.105.28.3:81
-A POSTROUTING -s 10.105.28.0/24 ! -d 10.105.28.0/24 -m comment --comment "generated for LXD network lxdbr0" -j MASQUERADE
COMMIT
# Completed on Sun Jul 26 08:38:01 2020
# Generated by iptables-save v1.8.4 on Sun Jul 26 08:38:01 2020
*filter
:INPUT DROP [144164:6923642]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [560:28760]
:ufw-after-forward - [0:0]
:ufw-after-input - [0:0]
:ufw-after-logging-forward - [0:0]
:ufw-after-logging-input - [0:0]
:ufw-after-logging-output - [0:0]
:ufw-after-output - [0:0]
.....
...
.....
-A ufw-user-input -s 172.xxx.yyy.zz/32 -d 45.xxx.yy.zz/32 -p tcp -m tcp --dport 443 -j ACCEPT
-A ufw-user-input -s 172.xxx.yyy.zz/32 -d 45.xxx.yy.zz/32 -p tcp -m tcp --dport 80 -j ACCEPT
-A ufw-user-input -s 139.xxx.yyy.zz/32 -d 45.xxx.yyy.zz/32 -p tcp -m tcp --dport 443 -j ACCEPT
-A ufw-user-input -s 139.xxx.yyy.zz/32 -d 45.xxx.yyy.zz/32 -p tcp -m tcp --dport 80 -j ACCEPT
-A ufw-user-input -s 23.xxx.yyy.zz/32 -d 45.xxx.yyy.zz/32 -p udp -m udp --dport 31194 -j ACCEPT
-A ufw-user-input -s 10.105.29.0/24 -i wg0 -p tcp -m tcp --dport 22 -j ACCEPT
-A ufw-user-limit -m limit --limit 3/min -j LOG --log-prefix "[UFW LIMIT BLOCK] "
-A ufw-user-limit -j REJECT --reject-with icmp-port-unreachable
-A ufw-user-limit-accept -j ACCEPT
COMMIT
# Completed on Sun Jul 26 08:38:01 2020

Procedure for Debian / Ubuntu Linux (Generic method)

First, create a new shell script called /root/fw.stop using a text editor such as vi:

#!/bin/sh
echo "Stopping IPv4 firewall and allowing everyone..."
ipt="/sbin/iptables"
## Failsafe - die if /sbin/iptables not found
[ ! -x "$ipt" ] && { echo "$0: \"${ipt}\" command not found."; exit 1; }
## Set ACCEPT policies first so a remote (ssh) session is not cut off
$ipt -P INPUT ACCEPT
$ipt -P FORWARD ACCEPT
$ipt -P OUTPUT ACCEPT
## Flush rules and delete user-defined chains in the filter table
$ipt -F
$ipt -X
## Do the same for the nat, mangle and raw tables
$ipt -t nat -F
$ipt -t nat -X
$ipt -t mangle -F
$ipt -t mangle -X
$ipt -t raw -F
$ipt -t raw -X

Make sure you can execute the script:
# chmod +x /root/fw.stop
Run the script as root user:
# /root/fw.stop
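The one-liners and the fw.stop script above flush IPv4 only and keep no copy of what was removed. As an added example (not the post's own script), the version below applies the same policy-first ordering to both iptables and ip6tables, saves a backup with iptables-save/ip6tables-save that iptables-restore can reload, and previews the commands when DRY_RUN=1 is set. The BACKUP_DIR location and the --run flag are assumptions of this example.

```shell
#!/bin/sh
# Added example, not the post's own fw.stop script: flush IPv4 and IPv6 rules
# after saving a backup that iptables-restore/ip6tables-restore can reload.
# Usage (as root):  sh fw-flush.sh --run     Preview:  DRY_RUN=1 sh fw-flush.sh --run
# BACKUP_DIR is an assumed location; adjust it for your host.
BACKUP_DIR="${BACKUP_DIR:-/root/fw-backup}"

# run_cmd: execute one firewall command, or just print it in dry-run mode.
run_cmd() {
    if [ "${DRY_RUN:-0}" = "1" ]; then echo "$@"; else "$@"; fi
}

# flush_tables BIN: set ACCEPT policies first so a remote session survives,
# then flush rules, delete user chains and zero counters in each table.
flush_tables() {
    bin="$1"
    for chain in INPUT FORWARD OUTPUT; do
        run_cmd "$bin" -P "$chain" ACCEPT
    done
    for table in filter nat mangle raw; do
        run_cmd "$bin" -t "$table" -F
        run_cmd "$bin" -t "$table" -X
        run_cmd "$bin" -t "$table" -Z
    done
}

# backup_rules BIN FILE: dump the live ruleset with iptables-save/ip6tables-save.
backup_rules() {
    "${1}-save" > "$2" || { echo "$0: backup of $1 rules failed, aborting" >&2; exit 1; }
}

main() {
    stamp=$(date +%Y%m%d-%H%M%S)
    [ "${DRY_RUN:-0}" = "1" ] || mkdir -p "$BACKUP_DIR"
    for bin in iptables ip6tables; do
        # Failsafe, as in the post's script: skip a binary that is not installed.
        command -v "$bin" >/dev/null 2>&1 || { echo "$0: $bin not found, skipping" >&2; continue; }
        [ "${DRY_RUN:-0}" = "1" ] || backup_rules "$bin" "$BACKUP_DIR/$bin-$stamp.rules"
        flush_tables "$bin"
    done
}

# Only act when asked explicitly, so sourcing this file just defines the functions.
if [ "${1:-}" = "--run" ]; then main; fi
```

Run it with DRY_RUN=1 first to see the exact command sequence; the backup file can be replayed later with `iptables-restore < /root/fw-backup/iptables-<stamp>.rules`.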

How do I verify that my firewall rules are flushed out?

Type the following command:
# iptables -L -n -v

Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
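Eyeballing `iptables -L -n -v` works for three chains, but a ufw or LXD host can have dozens of user chains across several tables. As an added example (not from the post), the check below reads an iptables-save or ip6tables-save dump on stdin and succeeds only when every built-in policy is ACCEPT, no user-defined chain is left (they show a "-" policy in the dump) and no -A rule line remains. The two sample dumps are constructed for the self-test, not captured from a real host.

```shell
#!/bin/sh
# Added example, not part of the post: verify that a ruleset really is flushed.
# Feed it an iptables-save / ip6tables-save dump on stdin, e.g.
#   iptables-save | check_flushed
# Exit status 0 means flushed; each problem found is printed on its own line.
check_flushed() {
    awk '
        /^:/  { name = substr($1, 2)
                if ($2 == "-")           { print "user chain remains: " name; bad = 1 }
                else if ($2 != "ACCEPT") { print "policy " name " is " $2;   bad = 1 } }
        /^-A/ { print "rule remains: " $0; bad = 1 }
        END   { exit (bad ? 1 : 0) }
    '
}

# Constructed sample dumps for a self-test (not captured from a real host).
SAMPLE_DIRTY='*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:ufw-user-input - [0:0]
-A ufw-user-input -i wg0 -p tcp -m tcp --dport 22 -j ACCEPT
COMMIT'

SAMPLE_CLEAN='*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT'

# check_sample NAME DUMP: run the check on one dump and print a verdict.
check_sample() {
    if printf '%s\n' "$2" | check_flushed; then
        echo "$1: flushed"
    else
        echo "$1: NOT flushed"
    fi
}

if [ "${1:-}" = "--selftest" ]; then
    check_sample dirty "$SAMPLE_DIRTY"
    check_sample clean "$SAMPLE_CLEAN"
fi
```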

A note for RedHat (RHEL), CentOS and related Linux users (older versions)

Please note that older RedHat Enterprise Linux (RHEL), Fedora and CentOS Linux releases come with a pre-installed rc.d script, which can be used to stop the firewall; enter:
# /etc/init.d/iptables stop
OR
# service iptables stop

A note about firewalld for CentOS 7+ / Fedora (latest) / RedHat Enterprise Linux 7.x+ users

Type the following command to stop and flush all rules:
# systemctl stop firewalld
See our in-depth tutorial about setting up FirewallD on RHEL 8, CentOS 8, or OpenSUSE 15.1

List and delete iptables firewall rules on Ubuntu/Debian when using ufw

We can list all rules, or only the rules of a specified chain, as follows:
$ sudo iptables -S
$ sudo ip6tables -S
$ sudo iptables -S {CHAIN_NAME}
$ sudo iptables -S BADIPS
$ sudo iptables -L
$ sudo ufw status

Ubuntu/Debian Linux flush all rules, delete all chains, and accept all connections

Run the following command:
$ sudo ufw disable
For more information see how to set up and use ufw on:

Linux flush or remove all iptables command summary

-P {chain} {target}
    Set the policy for the built-in chain to either ACCEPT or DROP.
-t {table}
    State the packet matching table which the command should operate on. The tables are filter, nat, mangle, raw, and security.
-S
    Print all rules in the selected chain.
-L
    List all rules in the selected chain.
-n
    Disable DNS lookups and speed up the listing option.
-v
    Verbose firewall output. This option makes the list command show the interface name, the rule options (if any), and the TOS masks. The packet and byte counters are also listed. For appending, insertion, deletion and replacement, this causes detailed information on the rule or rules to be printed. -v may be specified multiple times to possibly emit more detailed debug statements.
-F
    Flush the selected chain, or all chains in the table if none is given.
-Z
    Zero the packet and byte counters in all chains, or only the given chain, or only the given rule in a chain.
-X
    Delete the optional user-defined chain specified. If no argument is given, it will attempt to delete every non-builtin chain in the table.

Related tutorial:
» Linux: 25 Iptables Netfilter Firewall Examples For New SysAdmins
» CentOS / Redhat Iptables Firewall Configuration Tutorial

Read the iptables man page by typing the following man command, and see the ipfilter documents:
$ man iptables
$ man ip6tables

Conclusion

In this blog post, we covered the various rules and syntax to show and disable firewall rules on Linux. Most modern Linux distros now use frontends such as ufw or firewalld for ease of management. Hence, use those tools instead of low-level tools such as iptables/ip6tables.

Posted by: Vivek Gite




12 comments

  1. iptables normally starts when you start system
    ‘/etc/init.d/iptables status’ should show you rules of iptables running.

  2. iptables --flush
    iptables --delete-chain
    iptables --table nat --flush
    iptables --table filter --flush
    iptables --table nat --delete-chain
    iptables --table filter --delete-chain

  3. In CentOS 5 I easily disable iptables after installation as root:

    #service iptables stop
    #chkconfig iptables off

    chkconfig ensures iptables doesn’t start up next boot.

    1. The problem is that those scripts are meant to be started not by a user and specially not line by line.

      The first command, iptables -F, flushes all chains of default table i.e. INPUT, OUTPUT and FORWARD, using any remote connection implies you’re using both INPUT and OUTPUT chains.

      If those chains have a DROP policy, you won’t be able to contact your server remotely anymore.

      To ensure not having problems, I would recommend to execute the iptables -P ACCEPT commands stated at the end of the script first, as it will first set your remote computer to accept connections by default.

      I know that this comment is more than a year old, but ppl could still have this issue.

      @NIXCraft, I would recommend to modify the script (you’re going permissive anyway) or, at least, warn people about this issue that is more than likely to occur.

      1. Agreed. This page is currently my top Google hit for “linux firewall flush”, but as it’s written, it’ll lock the user out if executed line-by-line.

  4. Line 15 of the Debian script:
    $ipt iptables -t raw -F
    throws an error:
    Bad argument `iptables’

    Deleting `iptables’ and leaving the line like this:
    $ipt -t raw -F
    does the trick.

    Thanks.
