best way to clear all iptables rules

Solution 1:

To answer your question succinctly, no: there would not be any "leftover" rules after flushing every table. In the interest of being thorough however, you may want to set the policy for the built-in INPUT and FORWARD chains to ACCEPT, as well:

iptables -P INPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -P OUTPUT ACCEPT
iptables -t nat -F
iptables -t mangle -F
iptables -F
iptables -X

Clear ip6tables rules:

ip6tables -P INPUT ACCEPT
ip6tables -P FORWARD ACCEPT
ip6tables -P OUTPUT ACCEPT
ip6tables -t nat -F
ip6tables -t mangle -F
ip6tables -F
ip6tables -X

...and that should do it. iptables -nvL should produce this (or very similar) output:

Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Solution 2:

This will correctly totally reset your iptables system to a very basic state:

iptables-save | awk '/^[*]/ { print $1 } 
                     /^:[A-Z]+ [^-]/ { print $1 " ACCEPT" ; }
                     /COMMIT/ { print $0; }' | iptables-restore

All policies will be reset to ACCEPT as well as flushing every table in current use. All chains other than the built in chains will no longer exist.


Solution 3:

Whenever I need the firewall disabled, I do something like this:

  • iptables-save > iptables.bak
  • service iptables stop (I'm on Fedora)

Solution 4:

You can just unload iptables' modules from the kernel:

modprobe -r iptable_raw iptable_mangle iptable_security iptable_nat iptable_filter

UPD Unfortunately, too good to be true. As long as there's a rule or a user-defined chain in a table, the corresponding module's reference count is 1, and modprobe -r fails. You might delete rules and user-defined chains like so:

echo $'*raw\nCOMMIT\n*mangle\nCOMMIT\n*security\nCOMMIT\n*nat\nCOMMIT\n*filter\nCOMMIT' | iptables-restore

or:

iptables-save | awk '/^[*]/ { print $1 "\nCOMMIT" }' | iptables-restore

Also, you might want to unload modules this way (no hardcoding module names):

lsmod | egrep ^iptable_ | awk '{print $1}' | xargs -rd\\n modprobe -r

On the bright side, after this iptables-save produces nice empty output :)


Solution 5:

Backs up the configuration to iptables_backup.conf and cleans all rules.

iptables-save | tee iptables_backup.conf | grep -v '\-A' | iptables-restore

To restore previous configuration:

iptables-restore < iptables_backup.conf
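Added example (not from any of the answers above) tying Solution 2 and Solution 5 together: it rebuilds the ACCEPT-policy reset ruleset from an iptables-save dump as pure text, and shows why dropping only the "-A" lines leaves DROP policies and empty user-defined chains behind. The sample dump, the function names and the SSH_LIMIT chain are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from any of the answers above: derive a minimal "reset"
# ruleset from an iptables-save dump with plain text processing, so it can be
# inspected before anything is fed to iptables-restore.

# Keep every table header and built-in chain, force policies to ACCEPT, and
# drop every rule ("-A ...") and user-defined chain (":name - [...]").
reset_ruleset() {
    awk '
        /^[*]/          { print $1 }                   # *filter, *nat, ...
        /^:[^ ]+ [^-]/  { print $1 " ACCEPT [0:0]" }   # built-in chains only
        /^COMMIT/       { print }
    '
}

# The grep -v approach from Solution 5: rules go, but DROP policies and
# empty user-defined chains stay, so an INPUT DROP policy keeps blocking.
strip_rules_only() {
    grep -v '^-A '
}

# Count rule lines and user-defined chains still present (0 means clean).
count_leftovers() {
    grep -c -E '^(-A |:[^ ]+ -)' || true
}

# Constructed sample dump, shaped like iptables-save output on a small host.
SAMPLE_DUMP='# Generated by iptables-save
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:SSH_LIMIT - [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp --dport 22 -j SSH_LIMIT
-A SSH_LIMIT -j ACCEPT
COMMIT'

# On a live host (root): back up first, then apply the reset set.
#   iptables-save > iptables.bak
#   iptables-save | reset_ruleset | iptables-restore
```

Run the reset output through count_leftovers before restoring it; a non-zero count means a user-defined chain or rule would survive and keep a module reference (the problem Solution 4 hit).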