Scenario / Questions

I currently have this snippet:

# flush all chains
iptables -F
iptables -t nat -F
iptables -t mangle -F
# delete all chains
iptables -X

Is there a possibility that some impervious rule will stay alive after running this?

The idea is to have a completely clean iptables config that can be easily replaced by a new ruleset (never mind routes or ifconfig parameters).

Find below all possible solutions or suggestions for the above questions.

Suggestion: 1

To answer your question succinctly, no: there would not be any “leftover” rules after flushing every table. In the interest of being thorough however, you may want to set the policy for the built-in INPUT and FORWARD chains to ACCEPT, as well:

iptables -P INPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -P OUTPUT ACCEPT
iptables -t nat -F
iptables -t mangle -F
iptables -F
iptables -X

Clear ip6tables rules:

ip6tables -P INPUT ACCEPT
ip6tables -P FORWARD ACCEPT
ip6tables -P OUTPUT ACCEPT
ip6tables -t nat -F
ip6tables -t mangle -F
ip6tables -F
ip6tables -X

…and that should do it. iptables -nvL should produce this (or very similar) output:

Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Suggestion: 2

This will correctly and completely reset your iptables system to a very basic state:

iptables-save | awk '/^[*]/ { print $1 } 
                     /^:[A-Z]+ [^-]/ { print $1 " ACCEPT" ; }
                     /COMMIT/ { print $0; }' | iptables-restore

All policies will be reset to ACCEPT as well as flushing every table in current use. All chains other than the built in chains will no longer exist.
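An added example, not taken from any of the answers above, that combines Suggestion 1 and Suggestion 2: it rewrites an iptables-save dump into a reset ruleset (built-in chains only, every policy ACCEPT, no rules, no user-defined chains) and adds a checker for leftover state. The sample dump, the function names and the chain name LOGDROP are constructed for the example; the same functions work for ip6tables-save output.

```shell
# Constructed sample of iptables-save output (not captured from a real host):
# a DROP policy, a user-defined chain and a handful of rules.
SAMPLE_DUMP='# Generated by iptables-save
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:LOGDROP - [0:0]
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -j LOGDROP
-A LOGDROP -j LOG --log-prefix "drop: "
-A LOGDROP -j DROP
COMMIT
# Completed'

# reset_ruleset: read a dump on stdin, emit a ruleset with only the table
# headers and the built-in chains, policies forced to ACCEPT. Built-in chains
# carry a policy word; user-defined chains show "-" and are dropped together
# with every -A line, so iptables-restore deletes them. Each table is replaced
# in one transaction, so there is no moment with a DROP policy on an empty chain.
reset_ruleset() {
    awk '/^[*]/ { print $1 }
         /^:[A-Z]+ [^-]/ { print $1 " ACCEPT [0:0]" }
         /^COMMIT/ { print }'
}

# is_clean: exit 0 if the dump on stdin has no rules, no user-defined chains
# and no built-in chain with a policy other than ACCEPT; exit 1 otherwise.
is_clean() {
    awk 'BEGIN { bad = 0 }
         /^-A/ { bad = 1 }
         /^:[^ ]+ - / { bad = 1 }
         /^:[A-Z]+ [^-]/ && $2 != "ACCEPT" { bad = 1 }
         END { exit bad }'
}

# Dry run on the sample. To apply for real (as root, after saving a backup):
#   iptables-save | reset_ruleset | iptables-restore
#   ip6tables-save | reset_ruleset | ip6tables-restore
printf '%s\n' "$SAMPLE_DUMP" | reset_ruleset
```

Afterwards `iptables-save | is_clean` returns 0 only if nothing survived, which is the check the original question asks for.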

Suggestion: 3

Whenever I need the firewall disabled, I do something like this:

  • iptables-save > iptables.bak
  • service iptables stop (I’m on Fedora)

Suggestion: 4

You can just unload the iptables modules from the kernel:

modprobe -r iptable_raw iptable_mangle iptable_security iptable_nat iptable_filter

UPD: Unfortunately, too good to be true. As long as there’s a rule or a user-defined chain in a table, the corresponding module’s reference count is 1, and modprobe -r fails. You might delete rules and user-defined chains like so:

echo $'*raw\nCOMMIT\n*mangle\nCOMMIT\n*security\nCOMMIT\n*nat\nCOMMIT\n*filter\nCOMMIT' | iptables-restore

or:

iptables-save | awk '/^[*]/ { print $1 "\nCOMMIT" }' | iptables-restore

Also, you might want to unload modules this way (no hardcoding module names):

lsmod | egrep ^iptable_ | awk '{print $1}' | xargs -rd\\n modprobe -r

On the bright side, after this iptables-save produces nice empty output 🙂

Suggestion: 5

One can do this in 1 or 2 commands:

 $ sudo iptables-save > iptables.bak
 $ sudo iptables -F

Result:

$ sudo iptables -nvL
Chain INPUT (policy ACCEPT 3138 packets, 5567K bytes)
pkts bytes target     prot opt in     out     source               destination         

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy ACCEPT 3602 packets, 6547K bytes)
pkts bytes target     prot opt in     out     source               destination         

Suggestion: 6

I’ve had to block all connections recently; what I ended up doing was:

iptables --policy INPUT DROP
iptables --policy OUTPUT DROP
iptables --policy FORWARD DROP

As for saving, I’d recommend the following:

Ubuntu:

/etc/init.d/iptables save
/sbin/service iptables save

RedHat/CentOS:

/etc/init.d/iptables save
/sbin/iptables-save

In addition, to back up all current ufw rules I’ve used this in the past:

cp /lib/ufw/{user.rules,user6.rules} /<BACKUP LOCATION> 
cp /lib/ufw/{user.rules,user6.rules} ./

I think this may be useful for future reference. Thought I would share.

Suggestion: 7

Backs up the configuration to iptables_backup.conf and cleans all rules:

iptables-save | tee iptables_backup.conf | grep -v '\-A' | iptables-restore

To restore previous configuration:

iptables-restore < iptables_backup.conf

Suggestion: 8

This worked for me (on Ubuntu 18.04):

sudo bash -c "ufw -f reset && iptables -F && iptables -X && ufw allow 22 && ufw -f enable"

It resets (and disables) ufw and then resets iptables clearing and removing all chains. Then it enables the ufw again, but not before it allows port 22 for remote access. The two commands that require user confirmation are “forced” ensuring no input is required. I was able to run this over an active SSH connection.
