Learning Center
Linux

Listing and Deleting Iptables Firewall Rules

23 Jun 2025
Hostman Team
Hostman Team

The iptables application is a firewall essential for securely working with network resources on the Linux platform. While there is extensive material dedicated to configuring iptables, we will focus on a few specific tasks: how to view rule lists, delete unnecessary rules, flush chains, and clear the packet count and byte size counters. 

We do not recommend modifying the SSH connection on port 22 unless you are absolutely sure of your actions, as you might accidentally block remote access to your test host.

And if you’re looking for a reliable, high-performance, and budget-friendly solution for your workflows, Hostman has you covered with Linux VPS Hosting options, including Debian VPS, Ubuntu VPS, and VPS CentOS.

In this guide, we will use a Hostman cloud server running Ubuntu. The setup process will be similar on CentOS and Debian.

Before proceeding, make sure you have a user with sudo privileges.

Viewing Rules
Copy link

In iptables, you can view the rules set by default or by a previous administrator. Execute the command:

sudo iptables -S

The result will be displayed like this:

-P INPUT DROP
-P FORWARD DROP
-P OUTPUT ACCEPT
-N ICMP
-N TCP
-N UDP
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -p udp -m conntrack --ctstate NEW -j UDP
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m conntrack --ctstate NEW -j TCP
-A INPUT -p icmp -m conntrack --ctstate NEW -j ICMP
-A INPUT -p udp -j REJECT --reject-with icmp-port-unreachable
-A INPUT -p tcp -j REJECT --reject-with tcp-reset
-A INPUT -j REJECT --reject-with icmp-proto-unreachable
-A TCP -p tcp -m tcp --dport 22 -j ACCEPT

Viewing a Specific Chain
Copy link

This function is used when you want to exclude a specific chain (e.g., INPUT, OUTPUT, TCP, etc.) from the general output. Specify the chain name after the -S option. Example:

sudo iptables -S TCP

The result:

-N TCP
-A TCP -p tcp -m tcp --dport 22 -j ACCEPT

View Rules as a Table
Copy link

This method is convenient for comparing different rules. The tabular format is built into the utility and is activated using the -L option. Enter:

sudo iptables -L

You can also limit the output to a specific chain:

sudo iptables -L INPUT

Sample output:

Chain INPUT (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
ACCEPT     all  --  anywhere             anywhere
DROP       all  --  anywhere             anywhere             ctstate INVALID
UDP        udp  --  anywhere             anywhere             ctstate NEW
TCP        tcp  --  anywhere             anywhere             tcp flags:FIN,SYN,RST,ACK/SYN ctstate NEW
ICMP       icmp --  anywhere             anywhere             ctstate NEW
REJECT     udp  --  anywhere             anywhere             reject-with icmp-port-unreachable
REJECT     tcp  --  anywhere             anywhere             reject-with tcp-reset
REJECT     all  --  anywhere             anywhere             reject-with icmp-proto-unreachable

Explanation:

  • target – action taken when a packet matches the rule (e.g., ACCEPT, DROP, redirect to another chain).
  • prot – protocol used (UDP, TCP, ALL).
  • opt – IP options, if any.
  • source – source IP/subnet (e.g., "anywhere" = from anywhere).
  • destination – destination IP/subnet.
  • The last column (without a header) contains additional rule parameters like port numbers or connection states.

Viewing Packet and Byte Counters
Copy link

You can also display the packet and total byte count per rule. This is useful for estimating traffic by rule. Available with -L and -v:

sudo iptables -L INPUT -v

Sample output:

Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out source               destination
 284K   42M ACCEPT     all -- any    any     anywhere             anywhere             ctstate RELATED,ESTABLISHED
    0     0 ACCEPT     all -- lo     any     anywhere             anywhere
    0     0 DROP       all -- any    any     anywhere             anywhere             ctstate INVALID
  396 63275 UDP        udp -- any    any     anywhere             anywhere             ctstate NEW
17067 1005K TCP        tcp -- any    any     anywhere             anywhere             tcp flags:FIN,SYN,RST,ACK/SYN ctstate NEW
 2410 154K ICMP       icmp -- any    any     anywhere             anywhere             ctstate NEW
  396 63275 REJECT     udp -- any    any     anywhere             anywhere             reject-with icmp-port-unreachable
 2916 179K REJECT     all -- any    any     anywhere             anywhere             reject-with icmp-proto-unreachable
    0     0 ACCEPT     tcp  --  any    any     anywhere             anywhere             tcp dpt:ssh ctstate NEW,ESTABLISHED

Compare this to previous output and you’ll see two new columns: pkts and bytes.

Resetting Packet and Byte Counters
Copy link

You can reset these counters using the -Z option. This happens automatically on reboot, but can also be done manually to test for new traffic:

sudo iptables -Z

To reset a specific chain:

sudo iptables -Z OUTPUT

To reset a specific rule in a chain by number:

sudo iptables -Z OUTPUT 2

Deleting Rules
Copy link

Deleting by Specification

Use -D followed by the full rule specification. View existing rules first. For example, to remove the rule that drops invalid outgoing traffic:

sudo iptables -D OUTPUT -m conntrack --ctstate INVALID -j DROP

No need to use -A when deleting.

Deleting by Rule Number

Use --line-numbers to get rule numbers:

sudo iptables -L --line-numbers

Sample output:

Chain INPUT (policy DROP)
num  target     prot opt source               destination
1    ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
2    ACCEPT     all  --  anywhere             anywhere
3    DROP       all  --  anywhere             anywhere             ctstate INVALID
...

Then delete by number:

sudo iptables -D INPUT 3

Flushing Chains
Copy link

Be cautious when flushing chains; you could block your SSH connection.

Flush a Single Chain

sudo iptables -F INPUT

Flush All Chains

sudo iptables -F

This command allows all traffic (inbound, outbound, forwarded), essentially disabling the firewall. If you run it on a production system, you’ll need to reconfigure the firewall from scratch. Always back up your current rules:

iptables-save > iptables_backup.txt

Restore them later with:

iptables-restore < iptables_backup.txt

Before flushing, set the default policy to ACCEPT to avoid losing SSH access:

sudo iptables -P INPUT ACCEPT
sudo iptables -P FORWARD ACCEPT
sudo iptables -P OUTPUT ACCEPT

Then flush everything:

sudo iptables -t nat -F
sudo iptables -t mangle -F
sudo iptables -F
sudo iptables -X

This allows all traffic. If you list rules after this, only the default chains (INPUT, FORWARD, OUTPUT) will be present.

Conclusion
Copy link

This tutorial provides practical guidance on how to view, reset, and delete iptables firewall rules and perform similar actions on specific chains. Keep in mind that any changes will be lost upon server reboot unless saved.