
How to: Linux flush or remove all iptables rules

Here is a small script that does this. Debian and Ubuntu GNU/Linux do not come with a SysV init script for iptables (the kind located in the /etc/init.d directory). Create the script shown below and use it to stop the firewall, i.e. flush all iptables rules. Please don't type the rules one by one at the command prompt; use the script to speed up the work.

Warning: All the commands must be executed with root privileges.

Procedure for Debian / Ubuntu Linux (Generic method)

First, create /root/fw.stop script using text editor such as vi:

#!/bin/sh
echo "Stopping firewall and allowing everyone..."
ipt="/sbin/iptables"
## Failsafe - die if /sbin/iptables not found
[ ! -x "$ipt" ] && { echo "$0: \"${ipt}\" command not found."; exit 1; }
## Set the default policies to ACCEPT first, so that flushing the chains
## below cannot lock out a remote session that depended on an ACCEPT rule
$ipt -P INPUT ACCEPT
$ipt -P FORWARD ACCEPT
$ipt -P OUTPUT ACCEPT
## Flush all rules (-F) and delete user-defined chains (-X) in every table
$ipt -F
$ipt -X
$ipt -t nat -F
$ipt -t nat -X
$ipt -t mangle -F
$ipt -t mangle -X
$ipt -t raw -F
$ipt -t raw -X

Make sure you can execute the script:
# chmod +x /root/fw.stop

Run the script as root user:
# /root/fw.stop

How do I verify that my firewall rules are flushed out?

Type the following command:
# iptables -L -n -v
Sample outputs:

Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
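As an added check that is not part of the original article: eyeballing iptables -L works for one table, but a script can verify all four tables. The function below reads the output of iptables -S (the rule-specification listing, which is easier to parse than iptables -L) and reports whether the table is fully flushed, meaning only "-P <chain> ACCEPT" policy lines remain. The two sample listings are constructed for the demonstration; check_table (a name chosen here) runs the same check against a live table and needs root and a working iptables.

```shell
#!/bin/sh
# Added example, not from the nixCraft article.
# Verifies that an iptables table is fully flushed by parsing `iptables -S`
# output: every remaining line must be a policy line with target ACCEPT.

# Constructed sample of `iptables -S` output for a flushed filter table.
FLUSHED_SAMPLE='-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT'

# Constructed sample of a table that still has a DROP policy and a rule.
UNFLUSHED_SAMPLE='-P INPUT DROP
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT'

# is_flushed: read `iptables -S` style text on stdin.
# Returns 0 if every line is an ACCEPT policy line, 1 otherwise,
# printing each offending line to stderr.
is_flushed() {
    rc=0
    while IFS= read -r line; do
        [ -z "$line" ] && continue
        case "$line" in
            "-P "*" ACCEPT") ;;                                  # ACCEPT policy: fine
            "-P "*) echo "non-ACCEPT policy: $line" >&2; rc=1 ;;  # DROP/REJECT policy left
            "-N "*) echo "leftover user chain: $line" >&2; rc=1 ;; # chain -X did not remove
            *)      echo "leftover rule: $line" >&2; rc=1 ;;       # -A rule still present
        esac
    done
    return $rc
}

# check_table: run is_flushed against a live table (root required).
# usage: check_table filter|nat|mangle|raw
check_table() {
    iptables -t "$1" -S | is_flushed
}

# Demonstration on the constructed samples; on a real system run instead:
#   for t in filter nat mangle raw; do check_table "$t" || echo "$t: NOT flushed"; done
printf '%s\n' "$FLUSHED_SAMPLE" | is_flushed && echo "sample 1: flushed"
printf '%s\n' "$UNFLUSHED_SAMPLE" | is_flushed || echo "sample 2: NOT flushed"
```

The check deliberately treats a leftover user-defined chain (-N line) as a failure, since iptables -F alone empties chains but does not delete them; that is why the stop script runs -X after every -F.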

A note for RedHat (RHEL), CentOS and friends Linux users

Please note that RedHat Enterprise Linux (RHEL), Fedora and CentOS Linux come with a pre-installed rc.d init script, which can be used to stop the firewall. Enter:
# /etc/init.d/iptables stop
OR
# service iptables stop
Sample outputs:

A note about firewalld for CentOS 7 / Fedora (latest) / RedHat Enterprise Linux 7.x+ users

Type the following command to stop and flush all rules:
# systemctl stop firewalld

12 comments
  • JRivera September 20, 2008, 1:06 pm

    #/etc/init.d/iptables stop

    Thank you that just saved me much time.

  • Phil Nutzmeyer September 11, 2009, 6:26 pm

    Thanks!!! It saved my time too!

  • noob December 26, 2009, 4:26 pm

    should i run update-rc.d on the script in init.d ?
    Or will the script be run automatically when the system is booted up ?

    thanx.

  • phpmonk March 22, 2010, 11:48 am

    iptables normally starts when you start system
    ‘/etc/init.d/iptables status’ should show you rules of iptables running.

  • Relax June 6, 2011, 8:32 am

    iptables --flush
    iptables --delete-chain
    iptables --table nat --flush
    iptables --table filter --flush
    iptables --table nat --delete-chain
    iptables --table filter --delete-chain

  • rocksfrow October 26, 2011, 4:20 am

    In CentOS 5 I easily disable iptables after installation as root:

    #service iptables stop
    #chkconfig iptables off

    chkconfig ensures iptables doesn’t start up next boot.

  • Price October 5, 2012, 3:39 pm

    I have fired iptables -F.
    Now my VPS is not responding; I'm thrown out of the VPS and I have no access to it. Please help.

    • sholan February 6, 2014, 3:33 pm

      The problem is that those scripts are meant to be started not by a user, and especially not line by line.

      The first command, iptables -F, flushes all chains of the default table, i.e. INPUT, OUTPUT and FORWARD; using any remote connection implies you're using both the INPUT and OUTPUT chains.

      If those chains have a DROP policy, you won't be able to contact your server remotely anymore.

      To ensure not having problems, I would recommend executing the iptables -P ACCEPT commands stated at the end of the script first, as it will first set your remote computer to accept connections by default.

      I know that this comment is more than a year old, but ppl could still have this issue.

      @NIXCraft, I would recommend to modify the script (you’re going permissive anyway) or, at least, warn people about this issue that is more than likely to occur.

      • Robert Fleming January 7, 2016, 8:36 pm

        Agreed. This page is currently my top Google hit for “linux firewall flush”, but as it’s written, it’ll lock the user out if executed line-by-line.

  • Nivas August 21, 2013, 11:58 am

    Hi,

    I'm getting the following error:

    Stopping iptables: ERROR: Module ipt_addrtype does not exist in /proc/modules

  • Keijo April 12, 2016, 12:31 am

    Line 15 of the Debian script:
    $ipt iptables -t raw -F
    throws an error:
    Bad argument `iptables'

    Deleting `iptables' and leaving the line like this:
    $ipt -t raw -F
    does the trick.

    Thanks.
