Deleting iptables rules

A short guide to deleting iptables rules on Linux from the command line.

First we need to list the active iptables rules in the filter table. Keep in mind that -L on its own resolves addresses and ports to names and does not show interface matches such as -i lo, so a rule that reads "ACCEPT all anywhere anywhere" may be narrower than it looks; add -v to see interfaces and -n to print raw addresses and port numbers.

# iptables -t filter -L

Console output:

Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
ACCEPT     icmp --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere            
ACCEPT     tcp  --  anywhere             anywhere             state NEW tcp dpt:ssh
DROP       tcp  --  anywhere             anywhere             tcp dpt:http #conn src/32 > 1000
ACCEPT     tcp  --  anywhere             anywhere             state NEW tcp dpt:http
DROP       tcp  --  anywhere             anywhere             tcp dpt:https #conn src/32 > 1000
ACCEPT     tcp  --  anywhere             anywhere             state NEW tcp dpt:https flags:FIN,SYN,ACK/SYN
DROP       tcp  --  anywhere             anywhere             tcp dpt:3000 #conn src/32 > 1000
ACCEPT     tcp  --  anywhere             anywhere             state NEW tcp dpt:3000
ACCEPT     tcp  --  192.168.3.115        anywhere             state NEW tcp dpts:zabbix-agent:zabbix-trapper
DROP       all  --  anywhere             anywhere            
REJECT     all  --  anywhere             anywhere             reject-with icmp-host-prohibited
ACCEPT     tcp  --  192.168.3.115        anywhere             state NEW tcp dpts:zabbix-agent:zabbix-trapper

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         
DROP       tcp  --  anywhere             anywhere             tcp dpt:smtp #conn src/32 > 500
ACCEPT     tcp  --  anywhere             192.168.3.111        tcp dpt:smtp
DROP       tcp  --  anywhere             anywhere             tcp dpt:submission #conn src/32 > 500
ACCEPT     tcp  --  anywhere             192.168.3.111        tcp dpt:smtp
DROP       tcp  --  anywhere             anywhere             tcp dpt:urd #conn src/32 > 500
ACCEPT     tcp  --  anywhere             192.168.3.110        tcp dpt:urd
DROP       tcp  --  anywhere             anywhere             tcp dpt:1465 #conn src/32 > 500
ACCEPT     tcp  --  anywhere             192.168.3.110        tcp dpt:urd
DROP       tcp  --  anywhere             anywhere             tcp dpt:imap2 #conn src/32 > 500
ACCEPT     tcp  --  anywhere             192.168.3.110        tcp dpt:imap2
DROP       tcp  --  anywhere             anywhere             tcp dpt:imaps #conn src/32 > 500
ACCEPT     tcp  --  anywhere             192.168.3.110        tcp dpt:imaps
DROP       tcp  --  anywhere             anywhere             tcp dpt:pop3 #conn src/32 > 500
ACCEPT     tcp  --  anywhere             192.168.3.110        tcp dpt:pop3
DROP       tcp  --  anywhere             anywhere             tcp dpt:pop3s #conn src/32 > 500
ACCEPT     tcp  --  anywhere             192.168.3.110        tcp dpt:pop3s
DROP       tcp  --  anywhere             anywhere             tcp dpt:8100 #conn src/32 > 500
ACCEPT     tcp  --  anywhere             192.168.3.110        tcp dpt:8100
DROP       tcp  --  anywhere             anywhere             tcp dpt:9100 #conn src/32 > 500
ACCEPT     tcp  --  anywhere             192.168.3.110        tcp dpt:9100
DROP       tcp  --  anywhere             anywhere             tcp dpt:11024 #conn src/32 > 500
ACCEPT     tcp  --  anywhere             192.168.3.110        tcp dpt:11024
ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
ACCEPT     icmp --  anywhere             anywhere            
ACCEPT     all  --  192.168.3.110        anywhere            
ACCEPT     all  --  192.168.3.111        anywhere            
ACCEPT     all  --  anywhere             anywhere            
DROP       all  --  anywhere             anywhere            
DROP       all  --  anywhere             anywhere            
REJECT     all  --  anywhere             anywhere             reject-with icmp-host-prohibited

For convenience, we can also print the same list with rule numbers

# iptables -t filter -L --line-numbers

Console output:

Chain INPUT (policy ACCEPT)
num  target     prot opt source               destination         
1    ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
2    ACCEPT     icmp --  anywhere             anywhere            
3    ACCEPT     all  --  anywhere             anywhere            
4    ACCEPT     tcp  --  anywhere             anywhere             state NEW tcp dpt:ssh
5    DROP       tcp  --  anywhere             anywhere             tcp dpt:http #conn src/32 > 1000
6    ACCEPT     tcp  --  anywhere             anywhere             state NEW tcp dpt:http
7    DROP       tcp  --  anywhere             anywhere             tcp dpt:https #conn src/32 > 1000
8    ACCEPT     tcp  --  anywhere             anywhere             state NEW tcp dpt:https flags:FIN,SYN,ACK/SYN
9    DROP       tcp  --  anywhere             anywhere             tcp dpt:3000 #conn src/32 > 1000
10   ACCEPT     tcp  --  anywhere             anywhere             state NEW tcp dpt:3000
11   ACCEPT     tcp  --  192.168.3.115        anywhere             state NEW tcp dpts:zabbix-agent:zabbix-trapper
12   DROP       all  --  anywhere             anywhere            
13   REJECT     all  --  anywhere             anywhere             reject-with icmp-host-prohibited
14   ACCEPT     tcp  --  192.168.3.115        anywhere             state NEW tcp dpts:zabbix-agent:zabbix-trapper

Chain FORWARD (policy ACCEPT)
num  target     prot opt source               destination         
1    DROP       tcp  --  anywhere             anywhere             tcp dpt:smtp #conn src/32 > 500
2    ACCEPT     tcp  --  anywhere             192.168.3.111        tcp dpt:smtp
3    DROP       tcp  --  anywhere             anywhere             tcp dpt:submission #conn src/32 > 500
4    ACCEPT     tcp  --  anywhere             192.168.3.111        tcp dpt:smtp
5    DROP       tcp  --  anywhere             anywhere             tcp dpt:urd #conn src/32 > 500
6    ACCEPT     tcp  --  anywhere             192.168.3.110        tcp dpt:urd
7    DROP       tcp  --  anywhere             anywhere             tcp dpt:1465 #conn src/32 > 500
8    ACCEPT     tcp  --  anywhere             192.168.3.110        tcp dpt:urd
9    DROP       tcp  --  anywhere             anywhere             tcp dpt:imap2 #conn src/32 > 500
10   ACCEPT     tcp  --  anywhere             192.168.3.110        tcp dpt:imap2
11   DROP       tcp  --  anywhere             anywhere             tcp dpt:imaps #conn src/32 > 500
12   ACCEPT     tcp  --  anywhere             192.168.3.110        tcp dpt:imaps
13   DROP       tcp  --  anywhere             anywhere             tcp dpt:pop3 #conn src/32 > 500
14   ACCEPT     tcp  --  anywhere             192.168.3.110        tcp dpt:pop3
15   DROP       tcp  --  anywhere             anywhere             tcp dpt:pop3s #conn src/32 > 500
16   ACCEPT     tcp  --  anywhere             192.168.3.110        tcp dpt:pop3s
17   DROP       tcp  --  anywhere             anywhere             tcp dpt:8100 #conn src/32 > 500
18   ACCEPT     tcp  --  anywhere             192.168.3.110        tcp dpt:8100
19   DROP       tcp  --  anywhere             anywhere             tcp dpt:9100 #conn src/32 > 500
20   ACCEPT     tcp  --  anywhere             192.168.3.110        tcp dpt:9100
21   DROP       tcp  --  anywhere             anywhere             tcp dpt:11024 #conn src/32 > 500
22   ACCEPT     tcp  --  anywhere             192.168.3.110        tcp dpt:11024
23   ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
24   ACCEPT     icmp --  anywhere             anywhere            
25   ACCEPT     all  --  192.168.3.110        anywhere            
26   ACCEPT     all  --  192.168.3.111        anywhere            
27   ACCEPT     all  --  anywhere             anywhere            
28   DROP       all  --  anywhere             anywhere            
29   DROP       all  --  anywhere             anywhere            
30   REJECT     all  --  anywhere             anywhere             reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT)
num  target     prot opt source               destination         

Now we can use these numbers to delete the rules we no longer need. Check the rule's text in the listing before deleting: the number alone says nothing about what the rule does.

For example, let's delete rule 10 from the INPUT chain of the filter table

# iptables -t filter -D INPUT 10

After this, the rule that was number 11 before the deletion moves into position 10, and every rule below it shifts up by one. Because of this renumbering, when deleting several rules by number either re-run the listing between deletions or delete from the highest number down. Let's check

# iptables -t filter -L INPUT --line-numbers

Console output:

Chain INPUT (policy ACCEPT)
num  target     prot opt source               destination         
1    ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
2    ACCEPT     icmp --  anywhere             anywhere            
3    ACCEPT     all  --  anywhere             anywhere            
4    ACCEPT     tcp  --  anywhere             anywhere             state NEW tcp dpt:ssh
5    DROP       tcp  --  anywhere             anywhere             tcp dpt:http #conn src/32 > 1000
6    ACCEPT     tcp  --  anywhere             anywhere             state NEW tcp dpt:http
7    DROP       tcp  --  anywhere             anywhere             tcp dpt:https #conn src/32 > 1000
8    ACCEPT     tcp  --  anywhere             anywhere             state NEW tcp dpt:https flags:FIN,SYN,ACK/SYN
9    DROP       tcp  --  anywhere             anywhere             tcp dpt:3000 #conn src/32 > 1000
10   ACCEPT     tcp  --  192.168.3.115        anywhere             state NEW tcp dpts:zabbix-agent:zabbix-trapper
11   DROP       all  --  anywhere             anywhere            
12   REJECT     all  --  anywhere             anywhere             reject-with icmp-host-prohibited
13   ACCEPT     tcp  --  192.168.3.115        anywhere             state NEW tcp dpts:zabbix-agent:zabbix-trapper
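As an added example (not part of the original article), the following POSIX shell script puts the procedure above into reusable functions: it pulls rule numbers out of a --line-numbers listing, emits -D commands highest-number-first so that the renumbering after each deletion cannot hit the wrong rule, and turns an `iptables -S CHAIN NUM` line into a delete-by-specification command, which does not depend on the rule's position at all. The listing embedded in the script is the INPUT chain from above; the `-A INPUT ...` line is a constructed example of what `iptables -S INPUT 10` prints for rule 10 (state NEW tcp dpt:3000). The script only prints commands; pipe them into sh as root once you have reviewed them.

```shell
#!/bin/sh
# Added example: delete iptables rules by number and by specification.
# Nothing here changes the running firewall; the functions print commands.

# Constructed sample: the INPUT chain listing from the article, before any
# deletion (output of: iptables -t filter -L INPUT --line-numbers).
SAMPLE_INPUT='Chain INPUT (policy ACCEPT)
num  target     prot opt source               destination
1    ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
2    ACCEPT     icmp --  anywhere             anywhere
3    ACCEPT     all  --  anywhere             anywhere
4    ACCEPT     tcp  --  anywhere             anywhere             state NEW tcp dpt:ssh
5    DROP       tcp  --  anywhere             anywhere             tcp dpt:http #conn src/32 > 1000
6    ACCEPT     tcp  --  anywhere             anywhere             state NEW tcp dpt:http
7    DROP       tcp  --  anywhere             anywhere             tcp dpt:https #conn src/32 > 1000
8    ACCEPT     tcp  --  anywhere             anywhere             state NEW tcp dpt:https flags:FIN,SYN,ACK/SYN
9    DROP       tcp  --  anywhere             anywhere             tcp dpt:3000 #conn src/32 > 1000
10   ACCEPT     tcp  --  anywhere             anywhere             state NEW tcp dpt:3000
11   ACCEPT     tcp  --  192.168.3.115        anywhere             state NEW tcp dpts:zabbix-agent:zabbix-trapper
12   DROP       all  --  anywhere             anywhere
13   REJECT     all  --  anywhere             anywhere             reject-with icmp-host-prohibited
14   ACCEPT     tcp  --  192.168.3.115        anywhere             state NEW tcp dpts:zabbix-agent:zabbix-trapper'

# Constructed sample: what `iptables -S INPUT 10` prints for rule 10 above.
SAMPLE_SPEC='-A INPUT -p tcp -m state --state NEW -m tcp --dport 3000 -j ACCEPT'

# rule_numbers LISTING PATTERN: print the numbers of the rules whose text
# matches the awk regex PATTERN, one per line, in listing order.
rule_numbers() {
    printf '%s\n' "$1" |
        awk -v pat="$2" '$1 ~ /^[0-9]+$/ && $0 ~ pat { print $1 }'
}

# delete_by_number CHAIN NUM...: print one `iptables -D` command per rule
# number, highest number first, so that deleting one rule does not shift
# the numbers of the rules still waiting to be deleted.
delete_by_number() {
    chain=$1
    shift
    for n in "$@"; do printf '%s\n' "$n"; done | sort -rn |
        while read -r n; do
            printf 'iptables -t filter -D %s %s\n' "$chain" "$n"
        done
}

# delete_by_spec RULE: turn one `iptables -S CHAIN NUM` line ("-A CHAIN ...")
# into the matching -D command. Deleting by specification removes exactly
# the rule you inspected, regardless of how the chain has been renumbered.
delete_by_spec() {
    case $1 in
        "-A "*) printf 'iptables -t filter -D %s\n' "${1#-A }" ;;
        *) printf 'not an -A rule line: %s\n' "$1" >&2; return 1 ;;
    esac
}

# Demonstration on the constructed samples (prints commands only):
rule_numbers "$SAMPLE_INPUT" 'dpt:3000'   # 9 and 10
delete_by_number INPUT 10 14              # ... -D INPUT 14, then ... -D INPUT 10
delete_by_spec "$SAMPLE_SPEC"

# Against a live system (as root), after reviewing the printed commands:
#   rule_numbers "$(iptables -t filter -L INPUT --line-numbers)" 'dpt:3000'
#   delete_by_number INPUT 14 10 | sh
#   delete_by_spec "$(iptables -S INPUT 10)" | sh
```

Deleting by specification is the safer default on a busy host: between your listing and your -D, another process (or another admin) may have inserted or removed a rule, and a positional delete would then remove the wrong one.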
