
how do I delete a table in iptables (as opposed to a chain)?

I have some empty tables that are getting output by iptables-save even though I'm only using the 'filter' table.

For example, I'd like iptables-save to not produce any output regarding the 'mangle' table. Today I was playing around with iptables, and I used the mangle table. My output of iptables-save used to look like this:

# Generated by iptables-save v1.6.0 on Thr Jun 21 00:00:00 2018
*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -j DROP
COMMIT
# Completed on Thr Jun 21 00:00:00 2018

But now it looks like this:

# Generated by iptables-save v1.6.0 on Sat Jun 23 00:00:00 2018
*mangle
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
COMMIT
# Completed on Sat Jun 23 00:00:00 2018
# Generated by iptables-save v1.6.0 on Sat Jun 23 00:00:00 2018
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -j DROP
COMMIT
# Completed on Sat Jun 23 00:00:00 2018

How do I delete this unused 'mangle' table to clean up my iptables-save output?

Michael Altfield

2 Answers


You can flush the mangle table's rules and then delete any optional chains within like so:

$ sudo iptables -t mangle -F
$ sudo iptables -t mangle -X

Example

To start, notice that the mangle table is empty:

$ iptables -t mangle -L -v --line-numbers
Chain PREROUTING (policy ACCEPT 16 packets, 928 bytes)
num   pkts bytes target     prot opt in     out     source               destination

Chain INPUT (policy ACCEPT 16 packets, 928 bytes)
num   pkts bytes target     prot opt in     out     source               destination

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 8 packets, 608 bytes)
num   pkts bytes target     prot opt in     out     source               destination

Chain POSTROUTING (policy ACCEPT 8 packets, 608 bytes)
num   pkts bytes target     prot opt in     out     source               destination

Now add a sample rule:

$ iptables -t mangle -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --set-mss 1452

$ iptables -t mangle -L -v --line-numbers
Chain PREROUTING (policy ACCEPT 6 packets, 348 bytes)
num   pkts bytes target     prot opt in     out     source               destination

Chain INPUT (policy ACCEPT 6 packets, 348 bytes)
num   pkts bytes target     prot opt in     out     source               destination

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1        0     0 TCPMSS     tcp  --  any    any     anywhere             anywhere             tcp flags:SYN,RST/SYN TCPMSS set 1452

Chain OUTPUT (policy ACCEPT 3 packets, 236 bytes)
num   pkts bytes target     prot opt in     out     source               destination

Chain POSTROUTING (policy ACCEPT 3 packets, 236 bytes)
num   pkts bytes target     prot opt in     out     source               destination

Now flush and delete:

$ iptables -t mangle -F
$ iptables -t mangle -X

$ iptables -t mangle -L -v --line-numbers
Chain PREROUTING (policy ACCEPT 20 packets, 1160 bytes)
num   pkts bytes target     prot opt in     out     source               destination

Chain INPUT (policy ACCEPT 20 packets, 1160 bytes)
num   pkts bytes target     prot opt in     out     source               destination

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 10 packets, 760 bytes)
num   pkts bytes target     prot opt in     out     source               destination

Chain POSTROUTING (policy ACCEPT 10 packets, 760 bytes)
num   pkts bytes target     prot opt in     out     source               destination


slm
  • this does not remove the table from the output in `iptables-save` per my question. Indeed, my question showed that the chains for these tables were already empty. – Michael Altfield Jul 02 '18 at 05:57
  • @maltfield - ah. Yeah the only way to remove the entries, what I showed, plus the empty tables is to remove the mangle module from the kernel. You can make the module blacklisted so it won't ever load. – slm Jul 02 '18 at 05:59

Try:

rmmod iptable_mangle

once you have removed all entries from the mangle table (and possibly restored the default chain policies).

Tomek
  • that's the only way I know of (and it won't be usable from inside a container if the OP forgot to mention it: once "activated" it can't be deactivated till the end of its network namespace if the container can't (shouldn't be able to) remove the module). – A.B Jun 26 '18 at 18:59
  • this worked, thanks! To make it persistent, I needed `modprobe -r iptable_mangle` – Michael Altfield Jul 02 '18 at 05:59
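The two answers together give the procedure (flush, delete user chains, unload `iptable_mangle`), but unloading blindly discards whatever the table still holds. The script below is an added example, not code from either answer: it parses `iptables-save` output to confirm a table carries no rules, no user-defined chains and only ACCEPT policies before calling `modprobe -r`. The `SAMPLE_DUMP` text is constructed for the offline demonstration; `unload_table` assumes root, a real `iptables` and the host network namespace (A.B's comment above explains why a container cannot do this).

```shell
#!/bin/sh
# Added example, not from the answers above: verify a table is really empty
# before unloading its module, so no rules or policies silently disappear.
# Constructed iptables-save output used for the offline demonstration.
SAMPLE_DUMP='*mangle
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
COMMIT
*nat
:DOCKER - [0:0]
COMMIT
*filter
:INPUT DROP [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
COMMIT'

# clean_tables < dump: print each table that has no rules, no user-defined
# chains (iptables-save shows their policy as "-") and only ACCEPT policies.
clean_tables() {
    awk '
        /^\*/     { cur = substr($0, 2); bad[cur] = 0; order[++n] = cur; next }
        /^COMMIT/ { cur = ""; next }
        cur == "" { next }                       # "# Generated by" lines etc.
        /^:/      { if ($2 != "ACCEPT") bad[cur] = 1; next }
        /^-/      { bad[cur] = 1 }               # any -A rule makes it unclean
        END { for (i = 1; i <= n; i++) if (!bad[order[i]]) print order[i] }
    '
}

# table_is_clean TABLE < dump: exit 0 only if TABLE is listed by clean_tables.
table_is_clean() { clean_tables | grep -qx -- "$1"; }

# unload_table TABLE: unload iptable_TABLE (needs root, a real iptables and
# the host namespace; inside a container module removal is not possible).
unload_table() {
    dump=$(iptables-save) || return 1
    printf '%s\n' "$dump" | grep -qxF -- "*$1" || { echo "$1: not loaded" >&2; return 0; }
    if ! printf '%s\n' "$dump" | table_is_clean "$1"; then
        echo "refusing: $1 still has rules, user chains or non-ACCEPT policies" >&2
        return 1
    fi
    # The module is loaded again by the next "iptables -t TABLE ..." unless
    # blacklisted, as slm's comment notes.
    modprobe -r "iptable_$1"
}
```

Run `unload_table mangle` as root once the table shows up as clean; if you do want to discard its contents first, run the `-F`/`-X` pair from the accepted answer yourself rather than letting a script do it silently.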