Linux 如何从 iptables 中删除特定规则?
声明:本页面是StackOverFlow热门问题的中英对照翻译,遵循CC BY-SA 4.0协议,如果您需要使用它,必须同样遵循CC BY-SA许可,注明原文地址和作者信息,同时你必须将它归于原作者(不是我):StackOverFlow
原文地址: http://stackoverflow.com/questions/10197405/
Warning: these are provided under cc-by-sa 4.0 license. You are free to use/share it, But you must attribute it to the original authors (not me):
StackOverFlow
How can I remove specific rules from iptables?
提问by Jeroen
I am hosting special HTTP and HTTPS services on the ports 8006 and 8007 respectively. I use iptables to "activate" the server; i.e. to route the incoming HTTP and HTTPS ports:
我分别在端口 8006 和 8007 上托管特殊的 HTTP 和 HTTPS 服务。我使用 iptables 来“激活”服务器;即路由传入的 HTTP 和 HTTPS 端口:
iptables -A INPUT -i eth0 -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -i eth0 -p tcp --dport 443 -j ACCEPT
iptables -A INPUT -i eth0 -p tcp --dport 8006 -j ACCEPT
iptables -A INPUT -i eth0 -p tcp --dport 8007 -j ACCEPT
iptables -A PREROUTING -t nat -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 8006
iptables -A PREROUTING -t nat -i eth0 -p tcp --dport 443 -j REDIRECT --to-port 8007
iptables -A OUTPUT -t nat -d 127.0.0.1 -p tcp --dport 80 -j REDIRECT --to-ports 8006
iptables -A OUTPUT -t nat -d 127.0.0.1 -p tcp --dport 443 -j REDIRECT --to-ports 8007
This works like a charm. However I would like to create another script that disables my server again; i.e. restore iptables to the state it was in before running the lines above. However I am having a hard time figuring out the syntax to remove these rules. The only thing that seems to work is a complete flush:
这就像一个魅力。但是我想创建另一个脚本来再次禁用我的服务器;即将 iptables 恢复到运行上面几行之前的状态。但是,我很难弄清楚删除这些规则的语法。唯一似乎有效的是完全冲洗:
iptables -F
iptables -X
iptables -t nat -F
iptables -t nat -X
iptables -t mangle -F
iptables -t mangle -X
iptables -P INPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -P OUTPUT ACCEPT
But that will also delete other iptables rules which is undesired.
但这也会删除其他不需要的 iptables 规则。
采纳答案by Eli Rosencruft
Execute the same commands but replace the "-A" with "-D". For example:
执行相同的命令,但将“-A”替换为“-D”。例如:
iptables -A ...
becomes
变成
iptables -D ...
回答by domi27
You may also use the rule's number (--line-numbers):
您还可以使用规则编号(--line-numbers):
iptables -L INPUT --line-numbers
Example output :
示例输出:
Chain INPUT (policy ACCEPT)
num target prot opt source destination
1 ACCEPT udp -- anywhere anywhere udp dpt:domain
2 ACCEPT tcp -- anywhere anywhere tcp dpt:domain
3 ACCEPT udp -- anywhere anywhere udp dpt:bootps
4 ACCEPT tcp -- anywhere anywhere tcp dpt:bootps
So if you would like to delete second rule :
因此,如果您想删除第二条规则:
iptables -D INPUT 2
Update
更新
If you use(d) a specific table (eg nat), you have to add it to the delete command (thx to @ThorSummoner for the comment)
如果您使用(d)特定表(例如 nat),则必须将其添加到删除命令中(感谢@ThorSummoner 的评论)
sudo iptables -t nat -D PREROUTING 1
回答by ETech
The best solution that works for me without any problems looks this way:
1. Add temporary rule with some comment:
对我来说没有任何问题的最佳解决方案如下
所示:1. 添加带有一些注释的临时规则:
comment=$(cat /proc/sys/kernel/random/uuid | sed 's/\-//g')
iptables -A ..... -m comment --comment "${comment}" -j REQUIRED_ACTION
2. When the rule added and you wish to remove it (or everything with this comment), do:
2. 添加规则后,您希望删除它(或所有带有此注释的内容),请执行以下操作:
iptables-save | grep -v "${comment}" | iptables-restore
So, you'll 100% delete all rules that match the $comment and leave other lines untouched. This solution works for last 2 months with about 100 changes of rules per day - no issues.Hope, it helps
因此,您将 100% 删除与 $comment 匹配的所有规则,并保持其他行不变。此解决方案在过去 2 个月内有效,每天大约更改 100 次规则 - 没有问题。希望,它会有所帮助
回答by Wladdy Lopez
First list all iptables rules with this command:
首先使用此命令列出所有 iptables 规则:
iptables -S
it lists like:
它列出了:
-A XYZ -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
Then copy the desired line, and just replace -Awith -Dto delete that:
然后复制所需的行,只需更换-A与-D删除:
iptables -D XYZ -p ...
回答by cizixs
Use -Dcommand, this is how manpage explains it:
使用-D命令,这是man页面解释它的方式:
-D, --delete chain rule-specification
-D, --delete chain rulenum
Delete one or more rules from the selected chain.
There are two versions of this command:
the rule can be specified as a number in the chain (starting at 1 for the first rule) or a rule to match.
Do realizethis command, like all other command(-A, -I) works on certain table. If you'are not working on the default table(filtertable), use -t TABLENAMEto specify that target table.
一定要意识到这个命令,就像所有其他命令(-A,-I)在某些表上工作一样。如果您不在默认表(filter表)上工作,请使用-t TABLENAME指定该目标表。
Delete a rule to match
删除要匹配的规则
iptables -D INPUT -i eth0 -p tcp --dport 443 -j ACCEPT
Note: This only deletes the first rule matched. If you have many rules matched(this can happen in iptables), run this several times.
注意:这只会删除匹配的第一个规则。如果您有许多匹配的规则(这可能发生在 iptables 中),请多次运行。
Delete a rule specified as a number
删除指定为数字的规则
iptables -D INPUT 2
Other than counting the number you can list the line-number with --line-numberparameter, for example:
除了计算数字之外,您还可以列出带有--line-number参数的行号,例如:
iptables -t nat -nL --line-number
回答by lakshmikandan
Assume that, if you want to remove NAT rules,
假设,如果要删除 NAT 规则,
List the appended IPtables using the command below,
使用下面的命令列出附加的 IPtables,
# sudo iptables -L -t nat -v
Chain PREROUTING (policy ACCEPT 18 packets, 1382 bytes)
pkts bytes target prot opt in out source destination
7 420 DNAT tcp -- any any anywhere saltmaster tcp dpt:http to:172.31.5.207:80
0 0 DNAT tcp -- eth0 any anywhere anywhere tcp dpt:http to:172.31.5.207:8080
If you would like to remove the nat rule from the IPtables, just execute the command,
如果你想从 IPtables 中删除 nat 规则,只需执行命令,
# sudo iptables -F -t nat -v
Flushing chain `PREROUTING'
Flushing chain `INPUT'
Flushing chain `OUTPUT'
Flushing chain `POSTROUTING'
Then, you can verify that,
然后,您可以验证,
# sudo iptables -L -t nat -v
