如何从iptables中删除特定规则?

本文翻译自:How can I remove specific rules from iptables?

I am hosting special HTTP and HTTPS services on the ports 8006 and 8007 respectively. 我分别在端口8006和8007上托管特殊的HTTP和HTTPS服务。 I use iptables to "activate" the server; 我用iptables来“激活”服务器; ie to route the incoming HTTP and HTTPS ports: 即路由传入的HTTP和HTTPS端口:

iptables -A INPUT -i eth0 -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -i eth0 -p tcp --dport 443 -j ACCEPT
iptables -A INPUT -i eth0 -p tcp --dport 8006 -j ACCEPT
iptables -A INPUT -i eth0 -p tcp --dport 8007 -j ACCEPT
iptables -A PREROUTING -t nat -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 8006 
iptables -A PREROUTING -t nat -i eth0 -p tcp --dport 443 -j REDIRECT --to-port 8007  
iptables -A OUTPUT -t nat -d 127.0.0.1 -p tcp --dport 80 -j REDIRECT --to-ports 8006
iptables -A OUTPUT -t nat -d 127.0.0.1 -p tcp --dport 443 -j REDIRECT --to-ports 8007 

This works like a charm. 这就像一个魅力。 However I would like to create another script that disables my server again; 但是,我想创建另一个脚本,再次禁用我的服务器; ie restore iptables to the state it was in before running the lines above. 即在运行上面的行之前将iptables恢复到它所处的状态。 However I am having a hard time figuring out the syntax to remove these rules. 但是,我很难找出删除这些规则的语法。 The only thing that seems to work is a complete flush: 似乎唯一有效的是完全冲洗:

iptables -F
iptables -X
iptables -t nat -F
iptables -t nat -X
iptables -t mangle -F
iptables -t mangle -X
iptables -P INPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -P OUTPUT ACCEPT

But that will also delete other iptables rules which is undesired. 但这也将删除其他不受欢迎的iptables规则。


#1楼

参考:https://stackoom.com/question/gmoH/如何从iptables中删除特定规则


#2楼

Execute the same commands but replace the "-A" with "-D". 执行相同的命令,但将“-A”替换为“-D”。 For example: 例如:

iptables -A ...

becomes

iptables -D ...

#3楼

You may also use the rule's number ( --line-numbers ): 您也可以使用规则的编号( - line-numbers ):

iptables -L INPUT --line-numbers

Example output : 示例输出:

Chain INPUT (policy ACCEPT) 
    num  target prot opt source destination
    1    ACCEPT     udp  --  anywhere  anywhere             udp dpt:domain 
    2    ACCEPT     tcp  --  anywhere  anywhere             tcp dpt:domain 
    3    ACCEPT     udp  --  anywhere  anywhere             udp dpt:bootps 
    4    ACCEPT     tcp  --  anywhere  anywhere             tcp dpt:bootps

So if you would like to delete second rule : 所以,如果你想删除第二条规则:

iptables -D INPUT 2

Update 更新

If you use(d) a specific table (eg nat), you have to add it to the delete command (thx to @ThorSummoner for the comment) 如果你使用(d)一个特定的表(例如nat),你必须将它添加到删除命令(thx到@ThorSummoner的评论)

sudo iptables -t nat -D PREROUTING 1

#4楼

The best solution that works for me without any problems looks this way: 对我来说没有任何问题的最佳解决方案就是这样的:
1. Add temporary rule with some comment: 1.添加一些评论的临时规则:

comment=$(cat /proc/sys/kernel/random/uuid | sed 's/\-//g')
iptables -A ..... -m comment --comment "${comment}" -j REQUIRED_ACTION

2. When the rule added and you wish to remove it (or everything with this comment), do: 2.当规则添加并且您希望删除它(或带有此注释的所有内容)时,请执行以下操作:

iptables-save | grep -v "${comment}" | iptables-restore

So, you'll 100% delete all rules that match the $comment and leave other lines untouched. 因此,您将100%删除与$ comment匹配的所有规则,并保持其他行不变。 This solution works for last 2 months with about 100 changes of rules per day - no issues.Hope, it helps 这个解决方案在过去的2个月里工作,每天约100次规则变更 - 没有问题。希望,这有帮助


#5楼

First list all iptables rules with this command: 首先使用以下命令列出所有iptables规则:

iptables -S

it lists like: 它列出如下:

-A XYZ -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT

Then copy the desired line, and just replace -A with -D to delete that: 然后复制所需的行,只需将-A替换为-D即可删除:

iptables -D XYZ -p ...

#6楼

Use -D command, this is how man page explains it: 使用-D命令,这是man页解释它的方式:

-D, --delete chain rule-specification
-D, --delete chain rulenum
    Delete  one  or more rules from the selected chain.  
    There are two versions of this command: 
    the rule can be specified as a number in the chain (starting at 1 for the first rule) or a rule to match.

Do realize this command, like all other command( -A , -I ) works on certain table. 像所有其他命令( -A-I )一样在某些表上实现此命令。 If you'are not working on the default table( filter table), use -t TABLENAME to specify that target table. 如果您没有使用默认表( filter表),请使用-t TABLENAME指定该目标表。

Delete a rule to match 删除要匹配的规则

iptables -D INPUT -i eth0 -p tcp --dport 443 -j ACCEPT

Note: This only deletes the first rule matched. 注意:这仅删除匹配的第一个规则。 If you have many rules matched(this can happen in iptables), run this several times. 如果您有许多匹配的规则(这可能发生在iptables中),请多次运行。

Delete a rule specified as a number 删除指定为数字的规则

iptables -D INPUT 2

Other than counting the number you can list the line-number with --line-number parameter, for example: 除了计算数字,您可以使用--line-number参数列出行--line-number ,例如:

iptables -t nat -nL --line-number
  • 0
    点赞
  • 0
    评论
  • 0
    收藏
  • 一键三连
    一键三连
  • 扫一扫,分享海报

©️2021 CSDN 皮肤主题: 大白 设计师:CSDN官方博客 返回首页
实付
使用余额支付
点击重新获取
扫码支付
钱包余额 0

抵扣说明:

1.余额是钱包充值的虚拟货币,按照1:1的比例进行支付金额的抵扣。
2.余额无法直接购买下载,可以购买VIP、C币套餐、付费专栏及课程。

余额充值