pacolotero n00b
Joined: 19 Apr 2013 Posts: 29
Posted: Thu Apr 03, 2014 9:26 am Post subject: Iptables delete rules
I want to delete these rules:
    iptables-save | grep DROP
    -A PREROUTING -d 173.252.110.27/32 -j DROP
    -A PREROUTING -d 31.13.80.7/32 -j DROP
    -A PREROUTING -d 69.171.247.21/32 -j DROP
    -A PREROUTING -d 66.220.149.88/32 -j DROP
but when I run
    iptables -D PREROUTING -d 173.252.110.27/32 -j DROP
-> iptables: Bad rule (does a matching rule exist in that chain?).

limn l33t
Joined: 13 May 2005 Posts: 997
Posted: Thu Apr 03, 2014 2:22 pm Post subject:
Try
    iptables -D PREROUTING -t raw -d 173.252.110.27/32 -j DROP
which is how the rule specification was initially loaded. Or
    iptables -t raw -D PREROUTING <rulenum>

Ant P. Watchman
Joined: 18 Apr 2009 Posts: 6885
Posted: Fri Apr 04, 2014 12:39 am Post subject:
    iptables-save | grep -v DROP | iptables-restore

pacolotero n00b
Joined: 19 Apr 2013 Posts: 29
Posted: Mon Apr 07, 2014 10:33 am Post subject:
    iptables -D PREROUTING -t raw -d 173.252.110.27/32 -j DROP
    iptables: Bad rule (does a matching rule exist in that chain?).
Or
    iptables -t raw -D PREROUTING -d 173.252.110.27/32 -j DROP
    iptables: Bad rule (does a matching rule exist in that chain?).

limn l33t
Joined: 13 May 2005 Posts: 997
Posted: Mon Apr 07, 2014 5:20 pm Post subject:
If not raw, it should be one of the ones in
    # cat /proc/net/ip_tables_names

Hu Moderator
Joined: 06 Mar 2007 Posts: 16513
Posted: Tue Apr 08, 2014 1:27 am Post subject:
Typically, PREROUTING rules are found in the nat table. How did you manage to add the rules you now want removed? The removal procedure is the inverse of the addition procedure.

szatox Veteran
Joined: 27 Aug 2013 Posts: 1995
Posted: Wed Apr 09, 2014 11:24 am Post subject:
Run `iptables -nL` to check what rules you actually have defined.
The rule definition when you add or delete a rule is exactly the same; the only difference is -A vs -D, which is a command for iptables rather than part of the rule definition.
Also, if everything goes wrong, you can always `iptables -F; iptables -X` to delete all rules. You might also need to specify the table you flush, since AFAIR when -t <table name> is skipped it flushes filter only.

Hu Moderator
Joined: 06 Mar 2007 Posts: 16513
Posted: Thu Apr 10, 2014 2:13 am Post subject:
Depending on what rules you used, flushing everything can be a mildly bad idea or a terrible idea. If you use a default deny policy, flushing custom rules will leave you with only the DENY policy, thereby blocking all network traffic. This is the mildly bad idea, since it is an inconvenience until you restore the permissive rules. If you use a default accept policy, flushing custom rules will remove any DENY rules that protected your services, allowing everyone to connect to them. If your services were configured with the assumption they were protected, then flushing rules in this case is a terrible idea.

Ralphred Tux's lil' helper
Joined: 31 Dec 2013 Posts: 120
Posted: Thu Apr 10, 2014 6:01 am Post subject:
    iptables --line-numbers -n -v -L -t nat
will put rule numbers in front of each line, then you can use
    iptables -t nat -D PREROUTING [number]
to delete each one.
BE AWARE: if you want to delete numbers 1, 2, 3 and 4, once you delete number 1, number 2 will become number 1 and so on. If this is hard to keep track of, relist the rules with the line numbers after each delete to check which rule should be deleted next.
I use the following aliases, just because I change rules so infrequently that I can never remember what flags to set to see what I actually want to:
    alias natlist='iptables --line-numbers -n -v -L -t nat'
    alias iplist='iptables --line-numbers -n -v -L'
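An added example, not posted by anyone in this thread, that ties together Hu's point (the rule lives in a specific table, and the delete must name it with -t) and Ralphred's point (rule numbers shift after each by-number delete). It parses iptables-save output and emits delete commands; the iptables-save text below is constructed, not captured from a real host.

```python
# Added example: parse iptables-save output, find the PREROUTING DROP rules
# and emit delete commands that name the table they live in.  Omitting -t
# (or naming the wrong table) is what produces "Bad rule" on deletion.
import re

# Constructed sample of iptables-save output, not captured from a real host.
SAMPLE_SAVE = """\
*raw
:PREROUTING ACCEPT [0:0]
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
-A PREROUTING -p tcp --dport 8080 -j REDIRECT --to-ports 80
-A PREROUTING -d 173.252.110.27/32 -j DROP
-A PREROUTING -d 31.13.80.7/32 -j DROP
COMMIT
*filter
:INPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
COMMIT
"""

def parse_save(text):
    """Return [(table, chain, rule_number, spec)] for every -A line.

    rule_number is the rule's 1-based position in its chain, i.e. what
    `iptables -t <table> --line-numbers -L <chain>` prints for it.
    """
    rules, table, count = [], None, {}
    for line in text.splitlines():
        if line.startswith("*"):               # a new table section starts
            table, count = line[1:], {}
        elif line.startswith("-A "):           # a rule appended to a chain
            chain, spec = line[3:].split(" ", 1)
            count[chain] = count.get(chain, 0) + 1
            rules.append((table, chain, count[chain], spec))
    return rules

def plan_delete(text, chain="PREROUTING", target="DROP"):
    """Return (by_spec, by_number) delete commands for matching rules."""
    hits = [r for r in parse_save(text)
            if r[1] == chain and re.search(r"-j %s(\s|$)" % target, r[3])]
    by_spec = ["iptables -t %s -D %s %s" % (t, c, s) for t, c, _, s in hits]
    # Delete by number highest first: removing rule 2 would renumber rule 3.
    by_num = ["iptables -t %s -D %s %d" % (t, c, n)
              for t, c, n, _ in sorted(hits, key=lambda r: -r[2])]
    return by_spec, by_num
```

Feed real output with `plan_delete(open("/tmp/rules.save").read())` after `iptables-save > /tmp/rules.save`, and review the printed commands before running any of them.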