Networking Forums

Removing iptables rules

Augustus SFX van Dusen
06-01-2006, 04:34 PM

The output from iptables -L in my box is

Chain INPUT (policy ACCEPT)
target prot opt source destination
DROP tcp -- anywhere anywhere state NEW tcp dpt:ftp-data recent: UPDATE seconds: 15 name: DEFAULT side: source
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:ftp-data recent: SET name: DEFAULT side: source
DROP tcp -- anywhere anywhere state NEW tcp dpt:ftp recent: UPDATE seconds: 15 name: DEFAULT side: source
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:ftp recent: SET name: DEFAULT side: source

What iptables commands must I issue in order to remove these rules?

Chris Davies
06-01-2006, 09:14 PM

Augustus SFX van Dusen <(E-Mail Removed)> wrote:
> The output from iptables -L in my box is
> [list of rules deleted]
>
> What iptables commands must I issue in order to remove these rules?


How about "man iptables"?

If you don't want to read the entire document, try searching for the word
"delete" and the pattern "deleting.*rules".

Chris

Andrew Gideon
06-04-2006, 03:47 AM

On Thu, 01 Jun 2006 22:14:41 +0100, Chris Davies wrote:

> Augustus SFX van Dusen <(E-Mail Removed)> wrote:
>> [quoted text muted]
>
>> [quoted text muted]
>
> How about "man iptables"?


You may also need to modify a file (i.e. /etc/sysconfig/iptables) if you
don't want these to appear following a reboot.

- Andrew

Augustus SFX van Dusen
06-05-2006, 02:58 AM

On Thu, 01 Jun 2006 22:14:41 +0100, Chris Davies wrote:

> Augustus SFX van Dusen <(E-Mail Removed)> wrote:
>> The output from iptables -L in my box is [list of rules deleted]
>
>> What iptables commands must I issue in order to remove these rules?
>
> How about "man iptables"?
>
> If you don't want to read the entire document, try searching for the word
> "delete" and the pattern "deleting.*rules".


It is not at all obvious from the documentation how to delete rules
that you don't know how they were created. Since you seem to be very
familiar with such documentation, perhaps you might give more detailed
indications?

Chris Davies
06-05-2006, 08:39 AM

Augustus SFX van Dusen <(E-Mail Removed)> wrote:
> The output from iptables -L in my box is [list of rules deleted]
> What iptables commands must I issue in order to remove these rules?

On Thu, 01 Jun 2006 22:14:41 +0100, Chris Davies wrote:
> How about "man iptables"?
> If you don't want to read the entire document, try searching for the word
> "delete" and the pattern "deleting.*rules".

Augustus SFX van Dusen <(E-Mail Removed)> wrote:
> It is not at all obvious from the documentation how to delete rules
> that you don't know how they were created. Since you seem to be very
> familiar with such documentation, perhaps you might give more detailed
> indications?

man iptables:

-D, --delete chain rule-specification
-D, --delete chain rulenum
Delete one or more rules from the selected chain. There are two
versions of this command: the rule can be specified as a number in
the chain (starting at 1 for the first rule) or a rule to match.

Oh, and since you know about the -L flag, a quick reminder for other
readers:

-L, --list [chain]
List all rules in the selected chain. If no chain is selected,
all chains are listed. As every other iptables command, it
applies to the specified table (filter is the default), so NAT
rules get listed by
iptables -t nat -n -L

So, we have a method for listing the rules, and a method for deleting
them based on their position in the rule-chain.

# List the rules. In this case I'm showing the set from the NAT
# table. Omit the "-t nat" for the standard INPUT/OUTPUT/FORWARD
# group
#
iptables -t nat --line-numbers -n -L
Chain PREROUTING (policy ACCEPT)
num target prot opt source destination
1 DNAT all -- 192.168.7.0/30 192.168.8.0/21 to:192.168.9.13
2 DNAT all -- 0.0.0.0/0 10.1.1.105 to:10.1.20.20


# Delete the second rule
#
iptables -t nat -D PREROUTING 2

It's also possible to delete a rule if you know its original shape
(essentially repeat the rule definition changing the -I / -A flag to -D),
but in your case it's far easier to delete by position.

Chris
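The by-position method above has one trap worth spelling out: every `-D chain N` renumbers the rules that follow N, so a batch of deletions must be applied highest number first or the second command removes the wrong rule. The script below is an added example, not code from the thread or from the iptables project. It reads a `--line-numbers -n -L` listing (a constructed sample is embedded; `-n` prints 0.0.0.0/0 where the original question's listing shows "anywhere"), selects the rules whose text matches a pattern such as the `recent:` match from the first post, and prints the `iptables -D` commands in safe descending order for review. The chain name, the listing and the patterns are assumptions for the demonstration; add `-t nat` to the listing and to the generated commands for a table other than filter.

```shell
#!/bin/sh
# Constructed sample of `iptables --line-numbers -n -L INPUT` output.
# Not taken from the thread; the rules mimic the FTP/recent rules in the question.
SAMPLE_LISTING='Chain INPUT (policy ACCEPT)
num  target     prot opt source               destination
1    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
2    DROP       tcp  --  0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:20 recent: UPDATE seconds: 15 name: DEFAULT side: source
3    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:20 recent: SET name: DEFAULT side: source
4    DROP       tcp  --  0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:21 recent: UPDATE seconds: 15 name: DEFAULT side: source
5    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:21 recent: SET name: DEFAULT side: source
6    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:22'

# plan_deletes CHAIN PATTERN  (listing on stdin)
# Prints one "iptables -D CHAIN N" line per rule whose listing text matches the
# extended regular expression PATTERN, highest N first. Deleting from the bottom
# up means each removal never renumbers a rule that is still to be removed.
plan_deletes() {
    chain=$1
    pattern=$2
    awk -v chain="$chain" -v pat="$pattern" '
        # Rule lines begin with the rule number; the "Chain" and "num" header lines do not.
        /^[0-9]+[ \t]/ && $0 ~ pat { nums[n++] = $1 + 0 }
        END {
            # Insertion sort into descending order (rule lists are short).
            for (i = 1; i < n; i++) {
                v = nums[i]; j = i - 1
                while (j >= 0 && nums[j] < v) { nums[j + 1] = nums[j]; j-- }
                nums[j + 1] = v
            }
            for (i = 0; i < n; i++) printf "iptables -D %s %d\n", chain, nums[i]
        }'
}

# Demonstration on the constructed listing: plan removal of every rule that uses
# the "recent" match. On a real host the listing would come from
#   iptables --line-numbers -n -L INPUT
# and the printed commands would be reviewed, then run as root.
printf '%s\n' "$SAMPLE_LISTING" | plan_deletes INPUT 'recent:'
```

The script only prints the plan; it never calls iptables itself, which keeps the review step between listing and deletion that the thread's by-position approach otherwise lacks. Matching on the listing text rather than on an exact rule specification is what makes this usable when, as in the original question, nobody knows how the rules were created; the alternative of repeating the original rule with `-D` in place of `-A` needs that specification.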
 
Andrew Gideon
06-05-2006, 02:00 PM

On Mon, 05 Jun 2006 02:58:53 +0000, Augustus SFX van Dusen wrote:

> Since you seem to be very
> familiar with such documentation, perhaps you might give more detailed
> indications?


Do you want to delete some of the rules, or all? If the latter, check the
"flush" operator.

- Andrew

Augustus SFX van Dusen
06-05-2006, 03:58 PM

On Mon, 05 Jun 2006 10:00:20 -0400, Andrew Gideon wrote:

> On Mon, 05 Jun 2006 02:58:53 +0000, Augustus SFX van Dusen wrote:
>
>> Since you seem to be very
>> familiar with such documentation, perhaps you might give more detailed
>> indications?
>
> Do you want to delete some of the rules, or all? If the latter, check the
> "flush" operator.


Only some. Take the output from iptables -L that I posted in the first
place as a (logical) subset of the complete output.

Thanks for your help.

Augustus SFX van Dusen
06-05-2006, 04:05 PM

On Mon, 05 Jun 2006 09:39:47 +0100, Chris Davies wrote:

> Augustus SFX van Dusen <(E-Mail Removed)> wrote:
>> The output from iptables -L in my box is [list of rules deleted] What
>> iptables commands must I issue in order to remove these rules?
>
> On Thu, 01 Jun 2006 22:14:41 +0100, Chris Davies wrote:
>> How about "man iptables"?
>> If you don't want to read the entire document, try searching for the
>> word "delete" and the pattern "deleting.*rules".
>
> Augustus SFX van Dusen <(E-Mail Removed)> wrote:
>> It is not at all obvious from the documentation how to delete rules
>> that you don't know how they were created. Since you seem to be very
>> familiar with such documentation, perhaps you might give more detailed
>> indications?
>
> man iptables:
>
> -D, --delete chain rule-specification
> -D, --delete chain rulenum
> Delete one or more rules from the selected chain. There are two versions
> of this command: the rule can be specified as a number in the chain
> (starting at 1 for the first rule) or a rule to match.
>
> Oh, and since you know about the -L flag, a quick reminder for other
> readers:
>
> -L, --list [chain]
> List all rules in the selected chain. If no chain is selected, all chains
> are listed. As every other iptables command, it applies to the specified
> table (filter is the default), so NAT rules get listed by
> iptables -t nat -n -L
>
> So, we have a method for listing the rules, and a method for deleting them
> based on their position in the rule-chain.
>
> # List the rules. In this case I'm showing the set from the NAT
> # table. Omit the "-t nat" for the standard INPUT/OUTPUT/FORWARD
> # group
> #
> iptables -t nat --line-numbers -n -L
> Chain PREROUTING (policy ACCEPT)
> num target prot opt source destination
> 1 DNAT all -- 192.168.7.0/30 192.168.8.0/21 to:192.168.9.13
> 2 DNAT all -- 0.0.0.0/0 10.1.1.105 to:10.1.20.20
>
> # Delete the second rule
> #
> iptables -t nat -D PREROUTING 2
>
> It's also possible to delete a rule if you know its original shape
> (essentially repeat the rule definition changing the -I / -A flag to -D),
> but in your case it's far easier to delete by position.


That's what I wanted to do initially, but the position technique is far
more convenient. Thanks.