Linux iptables rejected - How do I enable it back?

IPtables has a list of rules, and for each packet, it checks the list of rules in order. Once a rule is found that matches the packet and specifies a policy (ACCEPT, REJECT, DROP), the fate of the matching packet is determined; no more rules are examined.

This means that the order in which you run commands is important. When you use iptables -A, you add a rule to the end of the list of rules, so you will end up with a rule list that looks like this:

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         
REJECT     all  --  anywhere             anywhere            reject-with icmp-host-prohibited
ACCEPT     all  --  anywhere             anywhere

Since the REJECT rule comes before the ACCEPT rule, it gets triggered first, and thus forwarding won't happen.

You will therefore need to delete the REJECT rule instead of adding an ACCEPT rule. To delete the REJECT rule, run

# the -D rule spec must match the listed rule exactly, including its reject-with option
iptables -D FORWARD -j REJECT --reject-with icmp-host-prohibited

For more information, read the iptables manpage.


The -A flag tells iptables to append the rule to the chain, meaning it ends up under your REJECT rule, and since the first rule matches, it's never used.

You list your rules with iptables -L FORWARD and you will see this yourself. To get rid of the rule you added, run

# the -D rule spec must match the listed rule exactly, including its reject-with option
iptables -D FORWARD -j REJECT --reject-with icmp-host-prohibited

Until there are no more such rules in the chain.
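Both answers above make the same point: a chain is evaluated top to bottom, the first matching terminating rule decides, -A appends below the existing REJECT, and -D only removes a rule whose full specification matches. The following Python model is an added example (not code from either answer) that reproduces that behaviour for one chain without touching the real netfilter tables; the chain contents, the packet and the helper names (Rule, Chain, forward_chain, demo) are constructed for illustration.

```python
"""Model of iptables first-match evaluation (added example, not the answers' own code).

It models one chain: -A appends, -I inserts at the top, -D deletes the first
rule whose full specification (target options included) matches, and a packet
gets the verdict of the first matching terminating rule, else the chain policy.
"""
from dataclasses import dataclass, field

TERMINATING = {"ACCEPT", "DROP", "REJECT"}   # targets that end evaluation (LOG, for instance, does not)


@dataclass
class Rule:
    target: str
    proto: str = "all"
    source: str = "anywhere"
    destination: str = "anywhere"
    options: str = ""            # target options, e.g. "reject-with icmp-host-prohibited"

    def matches(self, pkt):
        """A field matches when the rule leaves it unrestricted or it equals the packet's value."""
        return ((self.proto == "all" or self.proto == pkt["proto"])
                and (self.source == "anywhere" or self.source == pkt["source"])
                and (self.destination == "anywhere" or self.destination == pkt["destination"]))


@dataclass
class Chain:
    name: str
    policy: str = "ACCEPT"
    rules: list = field(default_factory=list)

    def append(self, rule):             # iptables -A CHAIN ...: goes to the END of the list
        self.rules.append(rule)

    def insert(self, rule, rulenum=1):  # iptables -I CHAIN [rulenum] ...: default is the top
        self.rules.insert(rulenum - 1, rule)

    def delete(self, spec):
        """iptables -D CHAIN rule-spec: remove the first rule equal to the full spec.

        Returns False when nothing matches, which is where iptables prints
        'Bad rule (does a matching rule exist in that chain?)'. A spec that
        omits the target options ('-j REJECT' alone) does not match a rule
        carrying 'reject-with icmp-host-prohibited'.
        """
        for i, rule in enumerate(self.rules):
            if rule == spec:          # dataclass equality: every field must agree
                del self.rules[i]
                return True
        return False

    def verdict(self, pkt):
        """Return (verdict, rulenum); rulenum 0 means the chain policy decided."""
        for rulenum, rule in enumerate(self.rules, start=1):
            if rule.matches(pkt) and rule.target in TERMINATING:
                return rule.target, rulenum
        return self.policy, 0

    def listing(self):
        """Rough imitation of `iptables -L CHAIN` (rule order is the point, not column widths)."""
        lines = [f"Chain {self.name} (policy {self.policy})"]
        for r in self.rules:
            lines.append(f"{r.target:<10} {r.proto:<4} --  {r.source:<20} {r.destination:<20} {r.options}".rstrip())
        return "\n".join(lines)


# Constructed starting point, mirroring the chain shown in the answer above:
# a distribution default that rejects all forwarded traffic.
DEFAULT_REJECT = Rule("REJECT", options="reject-with icmp-host-prohibited")


def forward_chain():
    chain = Chain("FORWARD", policy="ACCEPT")
    chain.append(DEFAULT_REJECT)
    return chain


# Constructed packet: a TCP packet being forwarded between two made-up addresses.
PKT = {"proto": "tcp", "source": "10.0.0.2", "destination": "192.0.2.10"}


def demo():
    results = {}
    chain = forward_chain()

    chain.append(Rule("ACCEPT"))                      # what the asker did: iptables -A FORWARD -j ACCEPT
    results["after_append"] = chain.verdict(PKT)      # REJECT wins: it is still rule 1

    results["delete_without_options"] = chain.delete(Rule("REJECT"))   # 'Bad rule': spec does not match
    results["delete_with_options"] = chain.delete(DEFAULT_REJECT)      # matches the listed rule
    results["after_delete"] = chain.verdict(PKT)      # ACCEPT, now rule 1

    # Alternative ordering fix: keep the REJECT rule but insert ACCEPT above it.
    other = forward_chain()
    other.insert(Rule("ACCEPT"))                      # iptables -I FORWARD -j ACCEPT
    results["after_insert_top"] = other.verdict(PKT)
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
    print(forward_chain().listing())
```

Running it shows the appended ACCEPT losing to the REJECT above it, the bare `-j REJECT` delete failing to match, the delete with the reject-with option succeeding, and `-I` as the other way to put ACCEPT ahead of the default rule.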