Does iptables -F permanently delete all iptables rules?
Solution 1
The iptables rules are stored in two places on Red Hat systems:

1. In memory within the running kernel, where the firewall code checks them on network I/O. Flushing the rules with iptables -F gets rid of this ruleset only.
2. In /etc/sysconfig/iptables, from which they are loaded on boot. You can force a reload without rebooting with service iptables reload or ...restart.

So the answer is no, flushing the rules with iptables -F is not permanent.

When you go into setup and modify the firewall rules, it saves them in /etc/sysconfig/iptables. You're not supposed to edit that file directly, but if you know the iptables command line format, you can pretty easily figure out the format of this file.
Solution 2
Also, as a point of reference, here's how to flush ALL the current iptables rules:
```sh
#!/bin/sh
echo "Stopping firewall and allowing everyone..."
iptables=/sbin/iptables
# filter table: flush all rules, then delete the (now empty) user-defined chains
$iptables -F
$iptables -X
# nat table
$iptables -t nat -F
$iptables -t nat -X
# mangle table
$iptables -t mangle -F
$iptables -t mangle -X
# reset the filter table's built-in chain policies to ACCEPT
$iptables -P INPUT ACCEPT
$iptables -P FORWARD ACCEPT
$iptables -P OUTPUT ACCEPT
```
Mike B
Updated on September 18, 2022
Comments
-
Mike B over 1 year
In a RHEL training document, the author says:
...run the following command to disable the firewall on the current system: iptables -F
He explicitly uses the word "disable" which to me suggests that it will be simple to re-enable. In reading the man page though for iptables, I see this:
Flush the selected chain (all the chains in the table if none is given). This is equivalent to deleting all the rules one by one.
Can I get clarification on the expected behavior?
-
Stéphane Chazelas over 11 years
Note that iptables -F flushes all the rules in the "filter" table; it doesn't flush the other tables (nat, mangle...) and doesn't restore the policies to their default, so it can't really be said to disable the firewall.
-
Mike B over 11 years
Fantastic answer. I appreciate the detail and clarification. Thanks Warren.
-
derobert over 11 years
There are actually more tables than that. At least -t raw and -t security. Instead of hard coding, use /proc/net/ip_tables_names