≡ Menu

IPTables Flush: Delete / Remove All Rules On RedHat and CentOS Linux

On Red Hat based Linux, iptables comes with certain default rules. It is good idea to clean them up, and start from scratch.

This article is part of an ongoing iptables tutorial series. This is the 2nd article in that series. In our 1st part, we discussed about IPTables Tables, Chains, Rules Fundamentals.

Before we start learning how to add firewall rules using iptables, it is helpful to understand how to cleanup all the existing default rules and start everything from scratch.

Default Rules in IPTables

Start the iptables firewall as shown below.

# service iptables status
Firewall is stopped.

# service iptables start
Applying iptables firewall rules:                          [  OK  ]
Loading additional iptables modules: ip_conntrack_netbios_n[  OK  ]

You can see the default rules under: iptables -> Filter Table -> RH-Firewall-1-INPUT Chain, as shown below. You can also use ‘iptables –list’ to view all the rules.

# service iptables status
Table: filter
Chain INPUT (policy ACCEPT)
num  target     prot opt source               destination
1    RH-Firewall-1-INPUT  all  --  0.0.0.0/0            0.0.0.0/0

Chain FORWARD (policy ACCEPT)
num  target     prot opt source               destination
1    RH-Firewall-1-INPUT  all  --  0.0.0.0/0            0.0.0.0/0

Chain OUTPUT (policy ACCEPT)
num  target     prot opt source               destination

Chain RH-Firewall-1-INPUT (2 references)
num  target     prot opt source               destination
1    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
2    ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0           icmp type 255
3    ACCEPT     esp  --  0.0.0.0/0            0.0.0.0/0
4    ACCEPT     ah   --  0.0.0.0/0            0.0.0.0/0
5    ACCEPT     udp  --  0.0.0.0/0            224.0.0.251         udp dpt:5353
6    ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0           udp dpt:631
7    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:631
8    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
9    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:22
10   REJECT     all  --  0.0.0.0/0            0.0.0.0/0           reject-with icmp-host-prohibited

IPTables Rules are stored in /etc/sysconfig/iptables

Please note that the iptables rules are stored in the /etc/sysconfig/iptables file. If you view this file, you’ll see all the default rules.

# cat /etc/sysconfig/iptables
# Firewall configuration written by system-config-securitylevel
# Manual customization of this file is not recommended.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -p 50 -j ACCEPT
-A RH-Firewall-1-INPUT -p 51 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp --dport 5353 -d 224.0.0.251 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT

Temporarily delete all the firewall rules

Use ‘iptables –flush’ option to delete all the rules temporarily.

# iptables --flush

# iptables --list
Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain RH-Firewall-1-INPUT (0 references)
target     prot opt source               destination

After the ‘iptables –flush’, if you restart the iptables, you’ll see all the default rules again. So, –flush is only temporary.

# service iptables stop

# service iptables start

# iptables --list

Permanently remove all the default firewall rules

Before deleting all the firewall rules, you’ll see the following in the /etc/sysconfig/iptables file.

# cat  /etc/sysconfig/iptables
# Firewall configuration written by system-config-securitylevel
# Manual customization of this file is not recommended.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -p 50 -j ACCEPT
-A RH-Firewall-1-INPUT -p 51 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp --dport 5353 -d 224.0.0.251 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT

First, flush all these rules temporarily, as we discussed above.

# iptables --flush

Next, save the current iptables (which is empty, as we just flushed it) to the /etc/sysconfig/iptables file for permanent use using ‘service iptables save’

# service iptables save
Saving firewall rules to /etc/sysconfig/iptables:          [  OK  ]

Finally, view the /etc/sysconfig/iptables to make sure there are no rules.

# cat  /etc/sysconfig/iptables
# Generated by iptables-save v1.3.5 on Thu Oct 28 08:44:01 2010
*filter
:INPUT ACCEPT [102:7668]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [78:8560]
COMMIT
# Completed on Thu Oct 28 08:44:01 2010

Now, if you stop and start the iptables, you’ll not see the default rules anymore. So, remember to do ‘service iptables save’ to make the ‘iptables –flush’ permanent.

# service iptables stop

# service iptables start

# iptables --list

Now you understand the fundamentals of iptables, and how to clean-up all the existing rule to start from scratch. In our next article, you’ll learn how to start adding new iptables firewall rules with several practical examples.

If you enjoyed this article, you might also like..

  1. 50 Linux Sysadmin Tutorials
  2. 50 Most Frequently Used Linux Commands (With Examples)
  3. Top 25 Best Linux Performance Monitoring and Debugging Tools
  4. Mommy, I found it! – 15 Practical Linux Find Command Examples
  5. Linux 101 Hacks 2nd Edition eBook Linux 101 Hacks Book

Bash 101 Hacks Book Sed and Awk 101 Hacks Book Nagios Core 3 Book Vim 101 Hacks Book

{ 4 comments… add one }

  • napzter May 6, 2011, 11:39 pm

    great info about iptables… thanks remesh…

  • Ian February 22, 2012, 3:26 am

    Thank you for this.

  • ehsan October 10, 2012, 2:09 pm

    method not works and all old settings backs after
    iptables –flush
    iptables –flush

  • Rushyang November 28, 2013, 7:27 am

    Little more—Although, until and unless you execute command `service iptables save`, all settings of iptables will be restored back to normal after the system reboot.
    Even after saving changes from above command, a backup file is created under /etc/sysconfig/iptables directory with the name of “iptables.old” filename.
    Before flushing any iptables chain rules, if you are afraid that you will lose your iptables settings, or in case you want to pass on iptables settings from one workstation to another, then you can use
    `iptables-save > filename_here`
    and to restore the settings again…
    `iptables-restore FILE` command.

Leave a Comment