I currently have this snippet:
# flush all chains
iptables -F
iptables -t nat -F
iptables -t mangle -F
# delete all chains
iptables -X
Is there a possibility that some impervious rule will stay alive after running this?
The idea is to have a completely clean iptables config, that can be easily replaced by new ruleset (nevermind routes/ifconfig's parameters).
To answer your question succinctly, no: there would not be any "leftover" rules after flushing every table. In the interest of being thorough however, you may want to set the policy for the built-in INPUT and FORWARD chains to ACCEPT, as well:
iptables -P INPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -P OUTPUT ACCEPT
iptables -t nat -F
iptables -t mangle -F
iptables -F
iptables -X
Clear ip6tables rules:
ip6tables -P INPUT ACCEPT
ip6tables -P FORWARD ACCEPT
ip6tables -P OUTPUT ACCEPT
ip6tables -t nat -F
ip6tables -t mangle -F
ip6tables -F
ip6tables -X
...and that should do it. iptables -nvL should produce this (or very similar) output:
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
This will correctly totally reset your iptables system to a very basic state:
iptables-save | awk '/^[*]/ { print $1 }
/^:[A-Z]+ [^-]/ { print $1 " ACCEPT" ; }
/COMMIT/ { print $0; }' | iptables-restore
All policies will be reset to ACCEPT as well as flushing every table in current use. All chains other than the built in chains will no longer exist.
Backups configuration to iptables_backup.conf and clean all rules.
iptables-save | tee iptables_backup.conf | grep -v '\-A' | iptables-restore
To restore previous configuration:
iptables-restore < iptables_backup.conf
Whenever I need the firewall disabled is something like this:
iptables-save > iptables.bakservice iptables stop (i'm on fedora)
One can do this in 1 or 2 commands:
$ sudo iptables-save > iptables.bak
$ sudo iptables -F
Result:
$ sudo iptables -nvL
Chain INPUT (policy ACCEPT 3138 packets, 5567K bytes)
pkts bytes target prot opt in out source destination
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 3602 packets, 6547K bytes)
pkts bytes target prot opt in out source destination
You can just unload iptables' modules from the kernel:
modprobe -r iptable_raw iptable_mangle iptable_security iptable_nat iptable_filter
UPD Unfortunately, too good to be true. As long as there's a rule or a user-defined chain in a table, corresponding module's reference count is 1, and modprobe -r fails. You might delete rules and user-defined chains like so:
echo $'*raw\nCOMMIT\n*mangle\nCOMMIT\n*security\nCOMMIT\n*nat\nCOMMIT\n*filter\nCOMMIT' | iptables-restore
or:
iptables-save | awk '/^[*]/ { print $1 "\nCOMMIT" }' | iptables-restore
Also, you might want to unload modules this way (no hardcoding module names):
lsmod | egrep ^iptable_ | awk '{print $1}' | xargs -rd\\n modprobe -r
On the bright side, after this iptables-save produces nice empty output :)
Here is how I remove all DROP rules:
iptables -S |grep DROP| sed 's/-A/-D/' >rules # -A becomes -D: delete
nano rules # check that everything is correct
cat rules | while read line; do iptables $line; done
iptables-save
Done!
I've had to block all connections recently what I ended up doing was
iptables-policy INPUT DROP
iptables-policy OUTPUT DROP
iptables-policy FORWARD DROP
as for saving I'd recommend the following
Ubuntu:
/etc/init.d/iptables save
/sbin/service iptables save
RedHat/CentOS:
/etc/init.d/iptables save
/sbin/iptables-save
In addition to backup all current ufw rules Ive used this in the past
cp /lib/ufw/{user.rules,user6.rules} /<BACKUP LOCATION>
cp /lib/ufw/{user.rules,user6.rules} ./
I think this may be useful for future reference. Thought I would share.
This worked for me (on Ubuntu 18.04):
sudo bash -c "ufw -f reset && iptables -F && iptables -X && ufw allow 22 && ufw -f enable"
It resets (and disables) ufw and then resets iptables clearing and removing all chains. Then it enables the ufw again, but not before it allows port 22 for remote access. The two commands that require user confirmation are "forced" ensuring no input is required. I was able to run this over an active SSH connection.
(source)
sudo iptables -t nat -F
sudo iptables -t mangle -F
sudo iptables -t filter -F
sudo iptables -t raw -F
sudo iptables -t nat -X
sudo iptables -t mangle -X
sudo iptables -t filter -X
sudo iptables -t raw -X
echo "=== NAT ==="; sudo iptables -t nat -S; echo "\n=== MANGLE ==="; sudo iptables -t mangle -S; echo "\n=== FILTER ==="; sudo iptables -t filter -S; echo "\n=== RAW ==="; sudo iptables -t raw -S
Newbie Necro-post:
Lately, I'm finding that nf/iptables reports it's busy so whatever --delete, --flush, or -X argument that was issued with the iptables command simply has no effect. Thereby, I sometimes do end up with some mixture of new configuration rules, along with some unwanted artifact rules from a previous iptables configuration, getting saved with iptables-save.
While it's not a 100% cure, I suffix any iptables commands with --wait, along with whatever other arguments I intend, such as -X.
I think it's still worthwhile to augment -X precautions with --flush, --delete and maybe make a null-firewall .rules file to restore with iptables-restore.
I can check in a bash shell script, using awk, if there's more than the default 38 lines resulting from an iptables --list command showing an empty configuration
EXITCOND1=0
iptables --list | awk '{ ++cnt; /
if (cnt < 40 ) exit level 1: /
print } '
EXITCOND1=$(echo $?)
if [ $EXITCOND1 == 0 ];
then
echo "There are firewall rules"
else
echo "There are no firewall rules"
fi
Obviously you all know to replace the "echo" statements with your own handling code. You can also use similar code to check line length and --log-prefix content in case you coincidentally do have only 38-40 lines of code in your iptables configuration.
(I'm typing this on my phone. I hope spell check didn't help me screw this up.)
Great ideas in your posts folks. Thanks.
