Iptables

https://www.digitalocean.com/community/tutorials/how-to-list-and-delete-iptables-firewall-rules - done reading
https://www.digitalocean.com/community/tutorials/iptables-essentials-common-firewall-rules-and-commands

// List all rules by specification
iptables -S

The output looks just like the commands that were used to create them, without 
the preceding iptables command. This will also look similar to the iptables rules 
configuration files, if you've ever used iptables-persistent or iptables-save.

// List a specific chain:
iptables -S TCP

// List rules as table:
iptables -L

// List rules as table including line-numbers:
iptables -L --line-numbers

Listing the iptables rules in the table view can be useful for comparing different rules 
against each other.  To output all of the active iptables rules in a table, run the iptables 
command with the -L option (as shown above).

This will output all of the current rules sorted by chain.  If you want to limit the output to a 
specific chain (INPUT, OUTPUT, TCP, etc.), you can specify the chain name directly after 
the -L option:

iptables -L INPUT

// Drop all incoming traffic from several /8 ranges, then persist the rules:
iptables -A INPUT -s 123.0.0.0/8 -j DROP
iptables -A INPUT -s 117.0.0.0/8 -j DROP
iptables -A INPUT -s 14.0.0.0/8 -j DROP
iptables -A INPUT -s 113.0.0.0/8 -j DROP

service iptables save

What can we do if we accidentally block ourselves out of the system?

When working with firewalls, take care not to lock yourself out of your own server by blocking SSH traffic (port 22, by default). If you lose access due to your firewall settings, you may need to connect to it via the console to fix your access. Once you are connected via the console, you can change your firewall rules to allow SSH access (or allow all traffic). If your saved firewall rules allow SSH access, another method is to reboot your server.

How can we show packet counts and aggregate size?

When listing iptables rules, it is also possible to show the number of packets, and the aggregate size of the packets in bytes, that matched each particular rule. This is often useful when trying to get a rough idea of which rules are matching against packets. To do so, simply use the -L and -v option together:

iptables -L INPUT -v

Note that the listing now has two additional columns, pkts and bytes.

How can we clear the counters for all chains and rules?

iptables -Z

If you want to clear, or zero, the packet and byte counters for your rules, use the -Z option. They also reset if a reboot occurs. This is useful if you want to see if your server is receiving new traffic that matches your existing rules.

To clear the counters for all rules in a specific chain, use the -Z option and specify the chain. For example, to clear the INPUT chain counters run this command:

iptables -Z INPUT

If you want to clear the counters for a specific rule, specify the chain name and the rule number. For example, to zero the counters for the 1st rule in the INPUT chain, run this:

iptables -Z INPUT 1

How can we delete a rule by specification?

One of the ways to delete iptables rules is by rule specification. To do so, you can run the iptables command with the -D option followed by the rule specification. If you want to delete rules using this method, you can use the output of the rules list, iptables -S, for some help.

For example, if you want to delete the rule that drops invalid incoming packets (-A INPUT -m conntrack --ctstate INVALID -j DROP), you could run this command:

iptables -D INPUT -m conntrack --ctstate INVALID -j DROP

Note that the -A option, which is used to indicate the rule position at creation time, should be excluded here.

How can we delete a rule by chain and number?

The other way to delete iptables rules is by its chain and line number. To determine a rule's line number, list the rules in the table format and add the --line-numbers option:

iptables -L --line-numbers

This displays the line number next to each rule row, indicated by the num header. Once you know which rule you want to delete, note the chain and line number of the rule. Then run the iptables -D command followed by the chain and rule number. For example, if we want to delete the input rule that drops invalid packets, we can see that it's rule 3 of the INPUT chain. So we should run this command:

iptables -D INPUT 3
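Both deletion methods above depend on reading the rule list correctly. The following shell helpers are an added example, not code from the original notes or the linked tutorials; they work over a constructed `iptables -S INPUT` sample, turn an -S line into its -D form, map a rule specification to its line number, and order numbered deletions so that each deletion does not renumber the next one out from under you.

```shell
#!/bin/sh
# Constructed sample of `iptables -S INPUT` output (not captured from a real host).
SAMPLE_RULES='-P INPUT DROP
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -s 123.0.0.0/8 -j DROP'

# Turn one "-A CHAIN ..." line from `iptables -S` into the matching delete
# command: identical specification, -A swapped for -D.
delete_cmd_for_spec() {
    printf '%s\n' "$1" | sed 's/^-A /iptables -D /'
}

# Rule number (as shown by `iptables -L CHAIN --line-numbers`) of the first
# "-A CHAIN" line on stdin that contains $2. Both listings use the same order,
# so the n-th -A line for a chain is rule n; -P (policy) lines are not rules.
rule_number() {
    awk -v chain="$1" -v needle="$2" '
        $1 == "-A" && $2 == chain { n++; if (index($0, needle) > 0) { print n; exit } }'
}

# Emit "iptables -D CHAIN N" commands highest number first: deleting a rule
# renumbers every rule below it, so ascending order would hit the wrong rules.
delete_by_numbers() {
    chain=$1; shift
    for n in "$@"; do printf '%s\n' "$n"; done | sort -rn | while read -r n; do
        printf 'iptables -D %s %s\n' "$chain" "$n"
    done
}

# Stand-alone demo: locate the INVALID-drop rule, then show both ways to delete it.
n=$(printf '%s\n' "$SAMPLE_RULES" | rule_number INPUT '--ctstate INVALID')
echo "INVALID drop is INPUT rule $n"
delete_cmd_for_spec '-A INPUT -m conntrack --ctstate INVALID -j DROP'
delete_by_numbers INPUT "$n"
```

The helpers only print the commands; pipe them to sh once you have checked the output, and re-list the chain afterwards because numbers shift after every deletion.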

How can we delete all rules in a chain (flush the chain)?

Be careful to not lock yourself out of your server, via SSH, by flushing a chain with a default policy of drop or deny. If you do, you may need to connect to it via the console to fix your access.

To flush a specific chain, which will delete all of the rules in the chain, you may use the -F, or the equivalent --flush, option and the name of the chain to flush. For example, to delete all of the rules in the INPUT chain, run this command:

iptables -F INPUT

To flush all chains, which will delete all of the firewall rules, you may use the -F, or the equivalent --flush, option by itself:

iptables -F

How can we flush all of your firewall rules, tables, and chains, and allow all network traffic?

This will effectively disable your firewall. You should only follow this section if you want to start over the configuration of your firewall. First, set the default policies for each of the built-in chains to ACCEPT. The main reason to do this is to ensure that you won't be locked out of your server via SSH:

sudo iptables -P INPUT ACCEPT
sudo iptables -P FORWARD ACCEPT
sudo iptables -P OUTPUT ACCEPT

Then flush the nat and mangle tables, flush all chains (-F), and delete all non-default chains (-X):

sudo iptables -t nat -F
sudo iptables -t mangle -F
sudo iptables -F
sudo iptables -X

Your firewall will now allow all network traffic. If you list your rules now, you will see there are none, and only the three default chains (INPUT, FORWARD, and OUTPUT) remain.
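The reboot-to-recover advice and the flush warnings above both hinge on whether the saved rules really let a new SSH connection through, and rule order decides that, not just the chain policy. This added shell check is not part of the original notes: `ssh_allowed`, the constructed rule samples and its simplified model of first-match evaluation (jumps to user-defined chains are not followed) are all assumptions of this example. It walks `iptables -S INPUT` output in order and reports whether a new TCP connection to port 22 would be allowed or blocked.

```shell
#!/bin/sh
# Constructed samples of `iptables -S INPUT` output (not from a real host).
# Policy DROP, but new TCP/22 is accepted before any rule that could drop it.
SAVED_OK='-P INPUT DROP
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -s 123.0.0.0/8 -j DROP'
# Policy ACCEPT, yet a blanket tcp DROP sits above the SSH accept, so
# first-match evaluation drops the SSH connection before reaching it.
SAVED_LOCKOUT='-P INPUT ACCEPT
-A INPUT -p tcp -j DROP
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT'

# Walk INPUT rules (stdin) in order, as iptables does, and print "allowed" or
# "blocked" for a new TCP connection to port $1 (default 22). Conservative: a
# DROP/REJECT that could match counts as blocking even when limited by -s, while
# an ACCEPT limited by -s or -i is not trusted to cover the admin's client.
ssh_allowed() {
    awk -v port="${1:-22}" '
        $1 == "-P" && $2 == "INPUT" { policy = $3 }
        $1 == "-A" && $2 == "INPUT" {
            target = ""; proto = ""; dport = ""; state = ""; restricted = 0; lo = 0
            for (i = 3; i <= NF; i++) {
                if ($i == "-j") target = $(i + 1)
                if ($i == "-p") proto = $(i + 1)
                if ($i == "--dport") dport = $(i + 1)
                if ($i == "--ctstate" || $i == "--state") state = $(i + 1)
                if ($i == "-s") restricted = 1
                if ($i == "-i") { restricted = 1; if ($(i + 1) == "lo") lo = 1 }
            }
            if (lo) next                             # loopback never carries remote SSH
            if (proto != "" && proto != "tcp") next  # another protocol cannot match
            if (dport != "" && dport != port) next   # another port cannot match
            if (state != "" && state !~ /NEW/) next  # ESTABLISHED/INVALID-only rules skip a new SYN
            if (target == "ACCEPT" && !restricted) { print "allowed"; done = 1; exit }
            if (target == "DROP" || target == "REJECT") { print "blocked"; done = 1; exit }
        }
        END { if (!done) { if (policy == "ACCEPT") print "allowed"; else print "blocked" } }'
}

# Stand-alone demo: check both samples before trusting a reboot to restore access.
printf '%s\n' "$SAVED_OK" | ssh_allowed
printf '%s\n' "$SAVED_LOCKOUT" | ssh_allowed
```

On a live host, feed it the saved rule file (or `iptables -S INPUT`) before you flush or reboot; "blocked" means plan for console access first.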

Unless otherwise stated, the content of this page is licensed under Creative Commons Attribution-ShareAlike 3.0 License