Delete more than 1 line in iptables.

Support for security such as Firewalls and securing linux
Oracle
Posts: 7
Joined: 2013/08/01 02:07:57

Delete more than 1 line in iptables.

Post by Oracle » 2013/09/22 17:42:55

Good day all,

I was wondering if anyone out there has managed to delete more than 1 line in iptables. The man page says, and I quote:

-D, --delete chain rulenum
Delete one or more rules from the selected chain. There are two versions of this command: the rule can be specified as a number in the chain (starting at 1 for the first rule) or a rule to match.

So I've been trying a few iterations, trying to delete, say, lines 1 2 3 4, just as an example.

iptables -vnL INPUT --line-numbers (works and it shows me the line numbers I want to delete)

then I try:

iptables -D INPUT 1-4
or
iptables -D INPUT 1,2,3,4

I know I can do iptables -D INPUT 1 and this works, but my goal is not to have to do that 4 times :-)

The command doesn't work; the man page seems limited with this command, and my searches have turned up nothing as far as deleting multiple lines in a single command. Short of writing a bash script, does anyone have any knowledge of leveraging this type of command with the syntax I've exampled here? Perhaps it is just a small limitation of iptables :-D ?

Thanks .

O

rhinoau
Posts: 1
Joined: 2014/10/20 01:05:00

Re: Delete more than 1 line in iptables.

Post by rhinoau » 2014/10/20 01:46:18

Old thread, but it comes up on searches a lot so here goes:


rhino@bofh ~ $ echo $SHELL
/bin/bash


rhino@bofh ~ $ for i in {24..37};do echo $i;done;
24
25
26
27
28
29
30
31
32
33
34
35
36
37
Change the echo as appropriate once you're sure.

If you do it too often, try a crude bash function similar to this:

in ~/.bashrc put this:


iptables_delete () 
{ 
    if [[ $3 == "" ]]; then
        echo "Usage: iptables_delete {CHAIN} {starting rule number} {ending rule number}";
        return; # don't use exit here - it will exit the controlling shell
    fi;

    for (( i=$2; i<=$3; i++ ))
    do
        /sbin/iptables -D $1 $i;
    done
}
Then:


source ~/.bashrc
You can check it loaded with:


typeset -f | grep -A7 iptables_delete
Then you have a command to do it (it should also tab-complete the main command):


rhino@bofh ~ $ iptables_delete  
Usage: iptables_delete {CHAIN} {starting rule number} {ending rule number}

rhino@bofh ~ $ iptables_delete INPUT 24 35
...
Or if it's because you wrote some dodgy script to emulate fail2ban in a mad hurry like I did and were then stuck with a lot of rules to delete - learn to use fail2ban :)

walty8
Posts: 1
Joined: 2017/09/04 07:25:14

Re: Delete more than 1 line in iptables.

Post by walty8 » 2017/09/04 07:33:40

I know this is a very old post, but it's one of the top results on Google, so I still left a comment here.

The answer in the second post is nice, but it has one fatal mistake. All iptables rules must be deleted in descending order!

When a rule is deleted, all rule numbers are shifted immediately.

So if you want to remove first 3 rules, you should do the following:


iptables -t nat -D POSTROUTING 1
iptables -t nat -D POSTROUTING 1
iptables -t nat -D POSTROUTING 1
OR the following


iptables -t nat -D POSTROUTING 3
iptables -t nat -D POSTROUTING 2
iptables -t nat -D POSTROUTING 1
But never the ascending order.

And you are strongly advised to use iptables-save to back up your rules first.


Here is the revised version of iptables_delete (note the subtle change in the for loop).


iptables_delete () 
{ 
    # Usage: iptables_delete CHAIN FIRST LAST
    if [[ $3 == "" ]]; then
        echo "Usage: iptables_delete {CHAIN} {starting rule number} {ending rule number}";
        return; # don't use exit here - it will exit the controlling shell
    fi;

    # Count down from the last rule number to the first: deleting rule N
    # renumbers every rule after it, so descending order keeps the remaining
    # numbers valid.
    for (( i=$3; i>=$2; i-- ))
    do
        /sbin/iptables -D "$1" "$i";
    done
}
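The following is an added example, not code from either post above, that combines the two ideas in this thread: a loop that deletes a numbered range, and the requirement to walk it from the highest number down. It also takes an optional table (so it works for the nat examples as well as INPUT), refuses bad arguments before touching anything, and has a DRY_RUN mode that prints the commands instead of running them. The names iptables_delete_range, iptables_backup, run, IPTABLES and DRY_RUN are this example's own choices, not iptables conventions.

```shell
#!/bin/bash
# Added example (not from the thread): delete a contiguous range of iptables
# rules by rule number, highest number first, in any table.

# Executes a command, or just prints it when DRY_RUN=1 (assumed variable name).
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        echo "$*"
    else
        "$@"
    fi
}

# Save the live ruleset to a file before editing it.
# Restore with: iptables-restore < FILE
iptables_backup() {
    local file=${1:-/root/iptables-$(date +%Y%m%d-%H%M%S).rules}
    run "${IPTABLES_SAVE:-/sbin/iptables-save}" > "$file" && echo "$file"
}

# Usage: iptables_delete_range CHAIN FIRST LAST [TABLE]
# Deletes rules FIRST..LAST of CHAIN in TABLE (default: filter), counting
# down so that each deletion only renumbers rules that are already gone.
iptables_delete_range() {
    local chain=$1 first=$2 last=$3 table=${4:-filter}
    local iptables=${IPTABLES:-/sbin/iptables}   # override for testing
    local i

    if [ -z "$chain" ] || [ -z "$first" ] || [ -z "$last" ]; then
        echo "Usage: iptables_delete_range CHAIN FIRST LAST [TABLE]" >&2
        return 2   # return, not exit: this may be sourced into a login shell
    fi
    case "$first$last" in
        *[!0-9]*) echo "rule numbers must be positive integers" >&2; return 2 ;;
    esac
    if [ "$first" -lt 1 ] || [ "$first" -gt "$last" ]; then
        echo "need 1 <= FIRST <= LAST (got $first..$last)" >&2
        return 2
    fi

    # Descending order: deleting rule 3 of 1..4 leaves 1,2,3 renumbered, so
    # the rule that was 4 is now 3. Going from LAST down to FIRST avoids that.
    i=$last
    while [ "$i" -ge "$first" ]; do
        run "$iptables" -t "$table" -D "$chain" "$i" || return 1
        i=$((i - 1))
    done
}

# Demo as a dry run: print what would be executed for the range from the
# thread. Unset DRY_RUN and run as root to execute it for real.
DRY_RUN=1
iptables_delete_range INPUT 24 35
```

Before running it for real, list the chain with `iptables -t TABLE -vnL CHAIN --line-numbers` and take a backup with iptables_backup (or iptables-save directly). One caveat with deleting by number at all: anything that inserts rules between your listing and your deletions (fail2ban, a connection tracker, another admin) shifts the numbers under you, and you will delete the wrong rules silently. When that is a risk, copy the rule specifications from `iptables -t TABLE -S CHAIN` and delete each with `iptables -t TABLE -D CHAIN <spec>` instead; a deletion by specification fails loudly if the rule is not there rather than removing a neighbour.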
