Can I remove multiple matching rules with the iptables --delete command
The iptables --append (-A) command allows you to add multiple identical rules, and you seem to have to run the same number of --delete (-D) commands to remove them again.
The iptables manpage says that the --delete command can delete one or more rules from the selected chain. How do I get the --delete command to remove all matching rules in a single operation?
In a script I can loop calling --delete until I get a non-zero exit status, but this seems crufty.
$ # Add two identical rules.
$ /sbin/iptables --append OUTPUT --protocol tcp --destination example.com --jump DROP
$ /sbin/iptables --append OUTPUT --protocol tcp --destination example.com --jump DROP
$ /sbin/iptables -L OUTPUT -v
Chain OUTPUT (policy ACCEPT 6 packets, 780 bytes)
pkts bytes target prot opt in out source destination
0 0 DROP tcp -- any any anywhere 93.184.216.119
0 0 DROP tcp -- any any anywhere 93.184.216.119
$ # Delete a single rule - can this remove all rules?
$ /sbin/iptables --delete OUTPUT --protocol tcp --destination example.com --jump DROP
$ /sbin/iptables -L OUTPUT -v
Chain OUTPUT (policy ACCEPT 6 packets, 716 bytes)
pkts bytes target prot opt in out source destination
0 0 DROP tcp -- any any anywhere 93.184.216.119
I'm using iptables v1.4.18 on Amazon Linux (their EC2 base image)
linux iptables
asked Jul 31 '14 at 9:16
d5ve
1 Answer
I'm afraid you can't do it using just the iptables command line options. What you can do instead is use shell capabilities and xargs:
$ iptables [-t table] -S [chain] | grep [your pattern] | cut -d " " -f 2- | xargs -rL1 iptables [-t table] -D
For example, using your numbers above:
$ iptables -S OUTPUT | grep 93.184.216.119 | cut -d " " -f 2- | xargs -rL1 iptables -D
You can also use it for different tables:
$ iptables -t nat -S | grep 93.184.216.119 | cut -d " " -f 2- | xargs -rL1 iptables -t nat -D
I know this is an old question and probably won't be very helpful to OP, but maybe someone else will stumble upon this problem.
answered Nov 21 at 2:12
bstd
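As an added example, not part of the question or of the answer above: a POSIX shell script that removes every copy of a rule in two ways. The first uses iptables -C (rule check, present since iptables 1.4.11, so available on the 1.4.18 build in the question) to keep deleting while the exact rule still exists, which replaces the "call -D until it fails" loop the question calls crufty. The second reproduces the answer's -S / grep / xargs pipeline as a function, with grep -F so the dots in the address are matched literally rather than as regex wildcards, and sed to strip the leading "-A" instead of cutting on the second space. The sample -S output, the 10.0.0.1 comment rule and the IPTABLES variable are constructed for this example.

```shell
#!/bin/sh
# Added example: remove every identical copy of an iptables rule.
#   delete_all_copies  loops on "iptables -C" (check) and "-D" (delete);
#                      -C exits 0 only while a matching rule still exists.
#   matching_rules     turns "iptables -S" output into "-D" argument lists,
#                      one per line, for every rule containing a fixed string.
#                      Pure text processing, so it is exercised offline below
#                      on a constructed sample of -S output.

IPTABLES=${IPTABLES:-iptables}   # assumption: override to point at a test binary

# delete_all_copies TABLE CHAIN RULE-SPEC...
# Deletes every copy of RULE-SPEC from CHAIN in TABLE and prints how many
# were removed. Caveat: -C also exits non-zero on errors such as missing
# privileges, so a count of 0 means "no rule seen", not "no rule present";
# the stderr redirect hides the expected "Bad rule" message at loop end.
delete_all_copies() {
    table=$1; chain=$2; shift 2
    n=0
    while "$IPTABLES" -t "$table" -C "$chain" "$@" 2>/dev/null; do
        "$IPTABLES" -t "$table" -D "$chain" "$@" || return 1
        n=$((n + 1))
    done
    echo "$n"
}

# matching_rules PATTERN
# Reads "iptables -S" output on stdin and prints, for each rule whose text
# contains PATTERN (fixed string, so "." is literal), the rule with its
# leading "-A " removed: exactly the argument list that "-D" expects.
# Policy lines ("-P ...") are never printed.
matching_rules() {
    grep -F -- "$1" | sed -n 's/^-A //p'
}

# Constructed sample of "iptables -S OUTPUT" output (not captured from a
# real host): two identical DROP rules plus one unrelated rule with a
# quoted --comment, which -S prints in double quotes.
SAMPLE_S_OUTPUT='-P OUTPUT ACCEPT
-A OUTPUT -d 93.184.216.119/32 -p tcp -j DROP
-A OUTPUT -d 93.184.216.119/32 -p tcp -j DROP
-A OUTPUT -d 10.0.0.1/32 -p udp -m comment --comment "dns server" -j ACCEPT'

# count_matching PATTERN: number of -D lines the sample yields for PATTERN.
count_matching() {
    printf '%s\n' "$SAMPLE_S_OUTPUT" | matching_rules "$1" | wc -l | tr -d ' '
}

# first_matching PATTERN: the first -D argument list the sample yields.
first_matching() {
    printf '%s\n' "$SAMPLE_S_OUTPUT" | matching_rules "$1" | head -n 1
}

# Live run, only when invoked as "sh thisfile.sh --run" as root with iptables
# installed. Both methods target the address from the question.
if [ "${1:-}" = "--run" ]; then
    echo "removed $(delete_all_copies filter OUTPUT -p tcp -d 93.184.216.119 -j DROP) copies"
    # xargs honours the double quotes -S places around --comment text;
    # a plain "for rule in $(...)" loop would split that text on spaces.
    "$IPTABLES" -S OUTPUT | matching_rules 93.184.216.119 | xargs -r -L1 "$IPTABLES" -D
fi
```

Prefer the -C/-D loop when you know the exact rule specification, since it never touches unrelated rules that happen to contain the same address; use the -S pipeline when you only know a substring. In both cases confirm the result with iptables -S afterwards rather than trusting the count alone.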