A short guide to deleting iptables rules on Linux-family operating systems from the command line.
First we need to view the list of active iptables rules in the filter table:
# iptables -t filter -L
Console output:
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
ACCEPT     icmp --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
ACCEPT     tcp  --  anywhere             anywhere             state NEW tcp dpt:ssh
DROP       tcp  --  anywhere             anywhere             tcp dpt:http #conn src/32 > 1000
ACCEPT     tcp  --  anywhere             anywhere             state NEW tcp dpt:http
DROP       tcp  --  anywhere             anywhere             tcp dpt:https #conn src/32 > 1000
ACCEPT     tcp  --  anywhere             anywhere             state NEW tcp dpt:https flags:FIN,SYN,ACK/SYN
DROP       tcp  --  anywhere             anywhere             tcp dpt:3000 #conn src/32 > 1000
ACCEPT     tcp  --  anywhere             anywhere             state NEW tcp dpt:3000
ACCEPT     tcp  --  192.168.3.115        anywhere             state NEW tcp dpts:zabbix-agent:zabbix-trapper
DROP       all  --  anywhere             anywhere
REJECT     all  --  anywhere             anywhere             reject-with icmp-host-prohibited
ACCEPT     tcp  --  192.168.3.115        anywhere             state NEW tcp dpts:zabbix-agent:zabbix-trapper

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
DROP       tcp  --  anywhere             anywhere             tcp dpt:smtp #conn src/32 > 500
ACCEPT     tcp  --  anywhere             192.168.3.111        tcp dpt:smtp
DROP       tcp  --  anywhere             anywhere             tcp dpt:submission #conn src/32 > 500
ACCEPT     tcp  --  anywhere             192.168.3.111        tcp dpt:smtp
DROP       tcp  --  anywhere             anywhere             tcp dpt:urd #conn src/32 > 500
ACCEPT     tcp  --  anywhere             192.168.3.110        tcp dpt:urd
DROP       tcp  --  anywhere             anywhere             tcp dpt:1465 #conn src/32 > 500
ACCEPT     tcp  --  anywhere             192.168.3.110        tcp dpt:urd
DROP       tcp  --  anywhere             anywhere             tcp dpt:imap2 #conn src/32 > 500
ACCEPT     tcp  --  anywhere             192.168.3.110        tcp dpt:imap2
DROP       tcp  --  anywhere             anywhere             tcp dpt:imaps #conn src/32 > 500
ACCEPT     tcp  --  anywhere             192.168.3.110        tcp dpt:imaps
DROP       tcp  --  anywhere             anywhere             tcp dpt:pop3 #conn src/32 > 500
ACCEPT     tcp  --  anywhere             192.168.3.110        tcp dpt:pop3
DROP       tcp  --  anywhere             anywhere             tcp dpt:pop3s #conn src/32 > 500
ACCEPT     tcp  --  anywhere             192.168.3.110        tcp dpt:pop3s
DROP       tcp  --  anywhere             anywhere             tcp dpt:8100 #conn src/32 > 500
ACCEPT     tcp  --  anywhere             192.168.3.110        tcp dpt:8100
DROP       tcp  --  anywhere             anywhere             tcp dpt:9100 #conn src/32 > 500
ACCEPT     tcp  --  anywhere             192.168.3.110        tcp dpt:9100
DROP       tcp  --  anywhere             anywhere             tcp dpt:11024 #conn src/32 > 500
ACCEPT     tcp  --  anywhere             192.168.3.110        tcp dpt:11024
ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
ACCEPT     icmp --  anywhere             anywhere
ACCEPT     all  --  192.168.3.110        anywhere
ACCEPT     all  --  192.168.3.111        anywhere
ACCEPT     all  --  anywhere             anywhere
DROP       all  --  anywhere             anywhere
DROP       all  --  anywhere             anywhere
REJECT     all  --  anywhere             anywhere             reject-with icmp-host-prohibited
For convenience, we can also print the same list with the rules numbered:
# iptables -t filter -L --line-numbers
Console output:
Chain INPUT (policy ACCEPT)
num  target     prot opt source               destination
1    ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
2    ACCEPT     icmp --  anywhere             anywhere
3    ACCEPT     all  --  anywhere             anywhere
4    ACCEPT     tcp  --  anywhere             anywhere             state NEW tcp dpt:ssh
5    DROP       tcp  --  anywhere             anywhere             tcp dpt:http #conn src/32 > 1000
6    ACCEPT     tcp  --  anywhere             anywhere             state NEW tcp dpt:http
7    DROP       tcp  --  anywhere             anywhere             tcp dpt:https #conn src/32 > 1000
8    ACCEPT     tcp  --  anywhere             anywhere             state NEW tcp dpt:https flags:FIN,SYN,ACK/SYN
9    DROP       tcp  --  anywhere             anywhere             tcp dpt:3000 #conn src/32 > 1000
10   ACCEPT     tcp  --  anywhere             anywhere             state NEW tcp dpt:3000
11   ACCEPT     tcp  --  192.168.3.115        anywhere             state NEW tcp dpts:zabbix-agent:zabbix-trapper
12   DROP       all  --  anywhere             anywhere
13   REJECT     all  --  anywhere             anywhere             reject-with icmp-host-prohibited
14   ACCEPT     tcp  --  192.168.3.115        anywhere             state NEW tcp dpts:zabbix-agent:zabbix-trapper

Chain FORWARD (policy ACCEPT)
num  target     prot opt source               destination
1    DROP       tcp  --  anywhere             anywhere             tcp dpt:smtp #conn src/32 > 500
2    ACCEPT     tcp  --  anywhere             192.168.3.111        tcp dpt:smtp
3    DROP       tcp  --  anywhere             anywhere             tcp dpt:submission #conn src/32 > 500
4    ACCEPT     tcp  --  anywhere             192.168.3.111        tcp dpt:smtp
5    DROP       tcp  --  anywhere             anywhere             tcp dpt:urd #conn src/32 > 500
6    ACCEPT     tcp  --  anywhere             192.168.3.110        tcp dpt:urd
7    DROP       tcp  --  anywhere             anywhere             tcp dpt:1465 #conn src/32 > 500
8    ACCEPT     tcp  --  anywhere             192.168.3.110        tcp dpt:urd
9    DROP       tcp  --  anywhere             anywhere             tcp dpt:imap2 #conn src/32 > 500
10   ACCEPT     tcp  --  anywhere             192.168.3.110        tcp dpt:imap2
11   DROP       tcp  --  anywhere             anywhere             tcp dpt:imaps #conn src/32 > 500
12   ACCEPT     tcp  --  anywhere             192.168.3.110        tcp dpt:imaps
13   DROP       tcp  --  anywhere             anywhere             tcp dpt:pop3 #conn src/32 > 500
14   ACCEPT     tcp  --  anywhere             192.168.3.110        tcp dpt:pop3
15   DROP       tcp  --  anywhere             anywhere             tcp dpt:pop3s #conn src/32 > 500
16   ACCEPT     tcp  --  anywhere             192.168.3.110        tcp dpt:pop3s
17   DROP       tcp  --  anywhere             anywhere             tcp dpt:8100 #conn src/32 > 500
18   ACCEPT     tcp  --  anywhere             192.168.3.110        tcp dpt:8100
19   DROP       tcp  --  anywhere             anywhere             tcp dpt:9100 #conn src/32 > 500
20   ACCEPT     tcp  --  anywhere             192.168.3.110        tcp dpt:9100
21   DROP       tcp  --  anywhere             anywhere             tcp dpt:11024 #conn src/32 > 500
22   ACCEPT     tcp  --  anywhere             192.168.3.110        tcp dpt:11024
23   ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
24   ACCEPT     icmp --  anywhere             anywhere
25   ACCEPT     all  --  192.168.3.110        anywhere
26   ACCEPT     all  --  192.168.3.111        anywhere
27   ACCEPT     all  --  anywhere             anywhere
28   DROP       all  --  anywhere             anywhere
29   DROP       all  --  anywhere             anywhere
30   REJECT     all  --  anywhere             anywhere             reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT)
num  target     prot opt source               destination
Now we can use these numbers to delete the rules we no longer need.
For example, we can delete rule 10 from the INPUT chain of the filter table:
# iptables -t filter -D INPUT 10
After this, the rule that was numbered 11 before the deletion takes the place of old rule 10. Let's check:
# iptables -t filter -L INPUT --line-numbers
Console output:
Chain INPUT (policy ACCEPT)
num  target     prot opt source               destination
1    ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
2    ACCEPT     icmp --  anywhere             anywhere
3    ACCEPT     all  --  anywhere             anywhere
4    ACCEPT     tcp  --  anywhere             anywhere             state NEW tcp dpt:ssh
5    DROP       tcp  --  anywhere             anywhere             tcp dpt:http #conn src/32 > 1000
6    ACCEPT     tcp  --  anywhere             anywhere             state NEW tcp dpt:http
7    DROP       tcp  --  anywhere             anywhere             tcp dpt:https #conn src/32 > 1000
8    ACCEPT     tcp  --  anywhere             anywhere             state NEW tcp dpt:https flags:FIN,SYN,ACK/SYN
9    DROP       tcp  --  anywhere             anywhere             tcp dpt:3000 #conn src/32 > 1000
10   ACCEPT     tcp  --  192.168.3.115        anywhere             state NEW tcp dpts:zabbix-agent:zabbix-trapper
11   DROP       all  --  anywhere             anywhere
12   REJECT     all  --  anywhere             anywhere             reject-with icmp-host-prohibited
13   ACCEPT     tcp  --  192.168.3.115        anywhere             state NEW tcp dpts:zabbix-agent:zabbix-trapper
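As an added example (not part of the original guide), a small POSIX sh helper that finds rule numbers by pattern in a captured `--line-numbers` listing and deletes several of them highest-number-first, because, as shown above, deleting a lower-numbered rule renumbers every rule after it. The listing is a constructed excerpt of the INPUT chain from this page; `rule_numbers_matching`, `delete_rules_desc`, `dry_run` and the `IPTABLES_CMD` variable are names of my own.

```shell
#!/bin/sh
# Added example: delete several iptables rules by number without being bitten by
# renumbering. Deleting rule 10 shifts 11 to 10, so a list of numbers collected
# from one listing must be processed from the highest number down.

# Constructed sample: excerpt of "iptables -t filter -L INPUT --line-numbers" as shown on the page.
SAMPLE_LISTING='Chain INPUT (policy ACCEPT)
num  target     prot opt source               destination
1    ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
4    ACCEPT     tcp  --  anywhere             anywhere             state NEW tcp dpt:ssh
10   ACCEPT     tcp  --  anywhere             anywhere             state NEW tcp dpt:3000
11   ACCEPT     tcp  --  192.168.3.115        anywhere             state NEW tcp dpts:zabbix-agent:zabbix-trapper
12   DROP       all  --  anywhere             anywhere
13   REJECT     all  --  anywhere             anywhere             reject-with icmp-host-prohibited
14   ACCEPT     tcp  --  192.168.3.115        anywhere             state NEW tcp dpts:zabbix-agent:zabbix-trapper'

# Print, space-separated, the numbers of the rules whose line matches PATTERN (awk extended regex).
# $1 = listing text, $2 = pattern. Only lines starting with a rule number are considered.
rule_numbers_matching() {
  printf '%s\n' "$1" | awk -v pat="$2" \
    '$1 ~ /^[0-9]+$/ && $0 ~ pat { printf "%s%s", sep, $1; sep = " " } END { print "" }'
}

# Delete the given rule numbers from CHAIN in the filter table, highest number first.
# IPTABLES_CMD (default: iptables) can be pointed at dry_run to print instead of execute.
delete_rules_desc() {
  chain="$1"; shift
  for n in $(printf '%s\n' "$@" | sort -run); do
    "${IPTABLES_CMD:-iptables}" -t filter -D "$chain" "$n" || return 1
  done
}

# Dry-run stand-in for the iptables binary: prints the command it would have run.
dry_run() { printf 'iptables %s\n' "$*"; }

# Demo: the two identical Zabbix rules are 11 and 14; deleting 14 first keeps 11 valid.
nums=$(rule_numbers_matching "$SAMPLE_LISTING" 'zabbix')
echo "matching rules: $nums"
IPTABLES_CMD=dry_run; delete_rules_desc INPUT $nums
```

Drop the `IPTABLES_CMD=dry_run` line (and run as root) to perform the deletions for real; re-list the chain afterwards, as the guide does, to confirm the result.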