Iptables delete rules

Message

pacolotero · Post by **pacolotero** » Thu Apr 03, 2014 9:26 am

I want delete this rules:
iptables-save | grep DROP
-A PREROUTING -d 173.252.110.27/32 -j DROP
-A PREROUTING -d 31.13.80.7/32 -j DROP
-A PREROUTING -d 69.171.247.21/32 -j DROP
-A PREROUTING -d 66.220.149.88/32 -j DROP

but when i run
iptables -D PREROUTING -d 173.252.110.27/32 -j DROP -> iptables: Bad rule (does a matching rule exist in that chain?).

limn · Post by **limn** » Thu Apr 03, 2014 2:22 pm

Try

Code: Select all

iptables -D PREROUTING -t raw -d 173.252.110.27/32 -j DROP

which is how the rule specification was intially loaded. Or

Code: Select all

iptables -t raw -D PREROUTING <rulenum>

Ant P. · Post by **Ant P.** » Fri Apr 04, 2014 12:39 am

Code: Select all

iptables-save | grep -v DROP | iptables-restore

pacolotero · Post by **pacolotero** » Mon Apr 07, 2014 10:33 am

iptables -D PREROUTING -t raw -d 173.252.110.27/32 -j DROP
iptables: Bad rule (does a matching rule exist in that chain?).

Or

iptables -t raw -D PREROUTING -d 173.252.110.27/32 -j DROP
iptables: Bad rule (does a matching rule exist in that chain?).

limn · Post by **limn** » Mon Apr 07, 2014 5:20 pm

If not raw, it should be one of the ones in

Code: Select all

# cat /proc/net/ip_tables_names

Post by Hu » Tue Apr 08, 2014 1:27 am

Typically, PREROUTING rules are found in the nat table. How did you manage to add the rules you now want removed? The removal procedure is the inverse of the addition procedure.

szatox · Post by **szatox** » Wed Apr 09, 2014 11:24 am

run `iptables -nL` to check what rules you actually have defined.
rule definition when you ad or delete rule is exacly the same, the only difference is -A vs -D which is a command for uptables rather than rule definition.

Also, if everything goes wrong, you can always `iptables -F; iptables -X` to delete all rules. You might also need to specify table you flush, since AFAIR when -t <table name> is skipped it flushes filter only.

Post by Hu » Thu Apr 10, 2014 2:13 am

Depending on what rules you used, flushing everything can be a mildly bad idea or a terrible idea. If you use a default deny policy, flushing custom rules will leave you with only the DENY policy, thereby blocking all network traffic. This is the mildly bad idea, since it is an inconvenience until you restore the permissive rules. If you use a default accept policy, flushing custom rules will remove any DENY rules that protected your services, allowing everyone to connect to them. If your services were configured with the assumption they were protected, then flushing rules in this case is a terrible idea.

Ralphred · Post by **Ralphred** » Thu Apr 10, 2014 6:01 am

Code: Select all

iptables --line-numbers -n -v -L -t nat

will put rule numbers in front of each line, then you can use

Code: Select all

iptables -t nat -D PREROUTING [number]

to delete each one.

BE AWARE if you want to delete numbers 1,2,3 and 4, once you delete number 1, number 2 will become number 1 and so on, if this is hard to keep track of, relist the rules with the line numbers after each delete to check which rule should be deleted next.
I use the following aliases, just because it's so infrequently I change rules and can never remember what flags to set to see what I actually want to

Code: Select all

alias natlist='iptables --line-numbers -n -v -L -t nat'
alias iplist='iptables --line-numbers -n -v -L'