46

I have a chain appended with many rules like:

> :i_XXXXX_i - [0:0]
> -A INPUT -s 282.202.203.83/32 -j i_XXXXX_i 
> -A INPUT -s 222.202.62.253/32 -j i_XXXXX_i 
> -A INPUT -s 222.202.60.62/32 -j i_XXXXX_i 
> -A INPUT -s 224.93.27.235/32 -j i_XXXXX_i 
> -A OUTPUT -d 282.202.203.83/32 -j i_XXXXX_i 
> -A OUTPUT -d 222.202.62.253/32 -j i_XXXXX_i 
> -A OUTPUT -d 222.202.60.62/32 -j i_XXXXX_i 
> -A OUTPUT -d 224.93.27.235/32 -j i_XXXXX_i

when I try to delete this chain with:

iptables -X XXXX

but got error like (tried iptables -F XXXXX before):

iptables: Too many links.

Is there a easy way to delete the chain by once command?

timy
  • 659
  • 1
  • 7
  • 14

8 Answers8

48

You can't delete chains when rules with '-j CHAINTODELETE' are referencing them. Figure out what is referencing your chain (the link), and remove that. Also, flush then kill.

-F, --flush [chain]

Flush the selected chain (all the chains in the table if none is given). This is equivalent to deleting all the rules one by one.

-X, --delete-chain [chain]

Delete the optional user-defined chain specified. There must be no references to the chain. If there are, you must delete or replace the referring rules before the chain can be deleted. The chain must be empty, i.e. not contain any rules. If no argument is given, it will attempt to delete every non-builtin chain in the table.

Jeff Ferland
  • 20,239
  • 2
  • 61
  • 85
  • I just want to find a way to delete the chain(has many '-j CHAINTODELETE' ref rules) directly, but from your answer, it seems impossible :( – timy Apr 03 '12 at 10:11
  • 1
    @timy StevenMonday's comment will single-pass remove any references to the chain. Perhaps not ideal, but darned close. – Jeff Ferland Apr 03 '12 at 13:20
  • Works like a charm. iptables -nvL|grep "^Chain.*0 references"|awk '{print $2}'|while read LINE; do iptables -X $LINE; done – LinuxGuru Feb 11 '20 at 15:58
17

This is potentially off-topic, but it's what I did after I found this post! For some use cases the iptables -D option might be useful. Since it allows you to clear out referring rules added programmatically with -A (if you know precisely how you added them).

E.g

    iptables -N MYCHAIN
    iptables -A INPUT -i interface -j MYCHAIN
    iptables -A MYCHAIN -j ACCEPT

can be reversed with 

   iptables -D INPUT -i interface -j MYCHAIN
   iptables --flush MYCHAIN
   iptables -X MYCHAIN
Att Righ
  • 321
  • 3
  • 3
12

You need two steps, but this does it in one command.

Create a file, and place this in it.

# Empty the entire filter table
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT

Save the file as "clear-all-rules". Now, do this command:

iptables-restore < clear-all-rules

Now you can clear it anytime with just one command.

Avery Payne
  • 14,326
  • 1
  • 48
  • 87
11

Here's an alternate plan. It involves three commands, not one, but with luck, it should work.

Dump your iptables ruleset to a file:

iptables-save > /tmp/iptables.txt

Remove ALL uses of (and references to) the offending chain:

sed -i '/i_XXXXX_i/d' /tmp/iptables.txt

Then reload the ruleset:

iptables-restore < /tmp/iptables.txt && rm /tmp/iptables.txt
Steven Monday
  • 13,019
  • 4
  • 35
  • 45
2

In the iptables man file there is an option -S

S, --list-rules [chain] Print all rules in the selected chain. If no chain is selected, all chains are printed like iptables-save. Like every other iptables command, it applies to the specified table (filter is the default).

By using iptables -S | grep <CHAINNAMEHERE>. For examples:

root@root:~# iptables -S | grep TRAFFICLOG

-N TRAFFICLOG

-A FORWARD -i eth0 -j TRAFFICLOG

you can then see which rules are blocking the deletion of the chain from the table. Go through each rule (except the iptables -N <CHAINNAMEHERE> and delete the rule by using the -D option

-D, --delete chain rulenum Delete one or more rules from the selected chain. There are two versions of this command: the rule can be specified as a number in the chain (starting at 1 for the first rule) or a rule to match.

For example iptables -D FORWARD -i eth0 -j TRAFFICLOG. After you have deleted each rule for your chain flush the chain with the -F option, iptables -F <CHAINNAMEHERE>.

-F, --flush [chain] Flush the selected chain (all the chains in the table if none is given). This is equivalent to deleting all the rules one by one.

Then delete your chain with the -X option, iptables -X <CHAINNAMEHERE>

-X, --delete-chain [chain] Delete the optional user-defined chain specified. There must be no references to the chain. If there are, you must delete or replace the referring rules before the chain can be deleted. The chain must be empty, i.e. not contain any rules. If no argument is given, it will attempt to delete every non-builtin chain in the table.

Iptables is a complicated tool set so an ideal tutorial is needed. You can try one out at www.iptables.info

Jacob Bryan
  • 121
  • 3
  • This helped a lot because flush cleans the chain itself but not the references to it in the other chains. – Hardoman Jan 20 '21 at 11:27
0

Something along these lines will get all of them in a single line without taking iptables down in any way.

for chain in `iptables -L |grep i_XXXXX_i|awk '{ print $2 }'`; do iptables -X $chain; done
flickerfly
  • 2,533
  • 3
  • 24
  • 27
0

This will spit out chains and delete them 

for i in $(iptables -S | awk '{print $2}' | uniq ); do iptables -F $i && iptables -Z $i && iptables -X $i  ; done
user1007727
  • 421
  • 5
  • 20
0

I have found that you can remove the rules and chain by editing the rules file in /etc/iptables/rules.v4. If you delete the unwanted chain in this file and then reload iptables, you should no longer see the chain when doing a iptables -L.

Jay Phillips
  • 1
  • 1