Iptables remove specific rules by comment

I need to delete some rules with the same comment.

For example, I have rules with comment = "test it", so I can get a list of them like this:

sudo iptables -t nat -L | grep 'test it'

But how can I delete all PREROUTING rules with comment 'test it'?

UPD: As @hek2mgl said, I can do something like this:

sudo bash -c "iptables-save > iptables.backup"
sed -i '/PREROUTING.*--comment.* "test it"/d' iptables.backup
sudo iptables-restore < iptables.backup
sudo rm iptables.backup

But between the save and the restore there could be changes to iptables, so after the restore there will be problems =/

Saadi answered 15/3, 2015 at 8:2 Comment(1)
Is it safe that a) the comment is a one-line comment, b) the comment is located one line before the rule? (Smithery)

You can use the following command:

iptables-save -t nat | sed -r '/^-A PREROUTING.*comment.*test it/s/^-A/iptables -t nat -D/e'

iptables-save will return iptables commands that can be executed to return the current state of the firewall after a reboot or whatever.

Meaning it will contain lines like:

...
-A PREROUTING -p tcp -m tcp --dport 25 -j ACCEPT -m comment --comment "test it"
...

The sed command searches for lines containing PREROUTING.*comment.*test it (should be good enough), prepends the term iptables and replaces -A by -D, since -D deletes a rule. The result of the replacement operation then gets executed using the e command. The e command is a GNU extension to sed.

Note: If you want to print the command in addition to simply executing it, you can use s/-A/iptables -D/pe.

Smithery answered 15/3, 2015 at 9:7 Comment(12)
Inside the rule, something like this: tcp dpt:8555 /* test it */ to:127.0.0.1:8080 (Saadi)
/* */ style comments aren't allowed in shell scripts. How did you define the iptables.rules, meaning in which language? (Smithery)
bash, like this: sudo iptables -t nat -I PREROUTING --src 0/0 --dst my_ip -p tcp --dport 8555 -j DNAT --to-destination 127.0.0.1:8080 -m comment --comment "test it" (Saadi)
And... how can I use your grep to delete rules? (Saadi)
-v outputs only those lines which don't match the pattern. Of course you would need to redirect the output to a temporary file and then rename it back to iptables.rules (or whatever). If you prefer sed it can be a single command: sed -i '/PREROUTING.*--comment.* test it/d' iptables.rules. But always test a command before using -i! (Smithery)
So, I should save the current iptables to a file using iptables-save, then modify it using sed, and after that use iptables-restore. And delete the temporary file. Is it? How can I do this with a one-line command? (Saadi)
Like this:
sudo bash -c "iptables-save > iptables.backup"
sed -i '/PREROUTING.*--comment.* "test it"/d' iptables.backup
sudo iptables-restore < iptables.backup
sudo rm iptables.backup
But it's such a hard way (Saadi)
As I said, if you are using sed -i it's a single command: sed -i '/PREROUTING.*--comment.* test it/d' iptables.rule (Smithery)
I don't have iptables.rule on CoreOS =/ (Saadi)
Of course you need to replace it with the actual file name where you stored the rules (Smithery)
Which one? I have 4 files here: ./usr/sbin/iptables-restore, ./usr/sbin/iptables-apply, ./usr/sbin/iptables-save, ./usr/sbin/iptables (Saadi)
Let us continue this discussion in chat. (Smithery)
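An added example (not part of Smithery's answer or of the original thread) that keeps the same -A to -D idea but generates the delete commands without executing them, so they can be reviewed first and then piped to sh. Two details matter in practice: a chain called PREROUTING exists in the nat, mangle and raw tables, so a pattern that only looks for "PREROUTING" in a full iptables-save dump picks up rules from three tables, and an iptables -D issued without -t is applied to the filter table. The dump below is constructed, not real iptables-save output, and the function names delete_commands and count_matching are assumptions. Because each matching rule is deleted individually, nothing else in the ruleset is replaced, which also avoids the save-then-restore race the question worries about.

```shell
#!/bin/sh
# Constructed iptables-save dump (assumption, not captured from a real host).
# Note the PREROUTING chain in both the nat and the mangle table.
SAMPLE_DUMP='*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -d 203.0.113.10/32 -p tcp -m tcp --dport 8555 -m comment --comment "test it" -j DNAT --to-destination 127.0.0.1:8080
-A PREROUTING -d 203.0.113.10/32 -p tcp -m tcp --dport 8556 -m comment --comment "test it" -j DNAT --to-destination 127.0.0.1:8081
-A PREROUTING -d 203.0.113.10/32 -p tcp -m tcp --dport 22 -m comment --comment "keep me" -j DNAT --to-destination 127.0.0.1:2222
-A POSTROUTING -s 10.0.0.0/8 -m comment --comment "test it" -j MASQUERADE
COMMIT
*mangle
:PREROUTING ACCEPT [0:0]
-A PREROUTING -m comment --comment "test it" -j MARK --set-xmark 0x1/0xffffffff
COMMIT
*filter
:INPUT ACCEPT [0:0]
-A INPUT -p tcp -m tcp --dport 25 -m comment --comment "test it" -j ACCEPT
COMMIT'

# delete_commands TABLE CHAIN COMMENT
# Reads an iptables-save dump on stdin and prints one
#   iptables -t TABLE -D CHAIN <original rule>
# line per matching rule. Only the block for TABLE is inspected, and the
# comment is compared as a literal string rather than a regex, so a comment
# containing '.' or '*' cannot match unrelated rules. A trailing space is
# appended before the search so a comment at the very end of a line (a rule
# without -j) is still matched exactly.
delete_commands() {
    awk -v table="$1" -v chain="$2" -v comment="$3" '
        /^\*/     { cur = substr($0, 2); next }   # "*nat" opens a table block
        /^COMMIT/ { cur = ""; next }              # COMMIT closes it
        cur != table { next }
        $1 == "-A" && $2 == chain && index($0 " ", " -m comment --comment \"" comment "\" ") {
            sub(/^-A /, "iptables -t " table " -D ")
            print
        }'
}

# count_matching TABLE CHAIN COMMENT: how many rules the dry run would delete
count_matching() {
    printf '%s\n' "$SAMPLE_DUMP" | delete_commands "$1" "$2" "$3" | wc -l | tr -d ' '
}

# Dry run against the constructed dump. On a live host the same function is
# fed by the real tool and its output piped to a shell once it looks right:
#   iptables-save -t nat | delete_commands nat PREROUTING "test it" | sh
printf '%s\n' "$SAMPLE_DUMP" | delete_commands nat PREROUTING "test it"
```

Restricting the match to `-A CHAIN` inside the right table block is what keeps the mangle PREROUTING rule and the nat POSTROUTING rule untouched even though they carry the same comment.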

Yet another way to remove by comment:

# List the INPUT rule numbers whose line mentions the comment, highest number first
NOWRULES=$(iptables --line-numbers -nL INPUT | grep comment_here | awk '{print $1}' | tac)
# Delete from the bottom up so the remaining rule numbers do not shift under us
for rul in $NOWRULES; do /sbin/iptables -D INPUT $rul; sleep 0.1; done
Rodrigorodrigue answered 3/4, 2018 at 7:42 Comment(0)
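The reason for the tac in that loop is that the kernel renumbers the chain after every deletion, so deleting rule numbers in ascending order removes the wrong rules once the first one is gone. As an added example, not part of Rodrigorodrigue's answer, the snippet below extracts the numbers from a --line-numbers listing and replays both deletion orders against a simulated chain so the difference is visible without touching a firewall. The listing is constructed in the format of iptables -nL INPUT --line-numbers, not captured from a real host, and the function names rule_numbers_to_delete and simulate_deletes are assumptions.

```shell
#!/bin/sh
# Constructed listing (assumption) in the format of "iptables -nL INPUT --line-numbers";
# the comment match shows up as /* ... */ at the end of each rule line.
SAMPLE_LISTING='Chain INPUT (policy ACCEPT)
num  target     prot opt source               destination
1    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:22 /* keep me */
2    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:25 /* test it */
3    DROP       all  --  10.0.0.0/8           0.0.0.0/0            /* test it */
4    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:80 /* test it */'

# rule_numbers_to_delete COMMENT: read a --line-numbers listing on stdin and print
# the numbers of the rules carrying exactly that comment, highest number first
# (the same effect as "| tac" above, but independent of the listing order).
# The two header lines are skipped; the comment is matched as a literal.
rule_numbers_to_delete() {
    awk -v comment="$1" 'NR > 2 && index($0 " ", "/* " comment " */ ") { print $1 }' | sort -rn
}

# simulate_deletes LISTING N...: delete rule number N from the listing for each N
# in the order given, renumbering after every deletion exactly as the kernel does
# after "iptables -D CHAIN N", then print the comments of the surviving rules,
# comma separated. A number past the end is silently ignored here; the real
# iptables would report an error for it.
simulate_deletes() {
    rules=$(printf '%s\n' "$1" | awk 'NR > 2')
    shift
    for n in "$@"; do
        rules=$(printf '%s\n' "$rules" | sed "${n}d")
    done
    printf '%s\n' "$rules" | sed -n 's/.*\/\* \(.*\) \*\/.*/\1/p' \
        | awk '{ out = (out == "" ? $0 : (out "," $0)) } END { print out }'
}

# Dry run: the commands the loop above would issue, bottom-up.
for n in $(printf '%s\n' "$SAMPLE_LISTING" | rule_numbers_to_delete "test it"); do
    echo "iptables -D INPUT $n"
done
# Bottom-up removes every "test it" rule; top-down leaves one behind.
echo "bottom-up (4 3 2) leaves: $(simulate_deletes "$SAMPLE_LISTING" 4 3 2)"
echo "top-down  (2 3 4) leaves: $(simulate_deletes "$SAMPLE_LISTING" 2 3 4)"
```

Sorting the numbers numerically in reverse rather than relying on tac also covers the case where the listing has been filtered or reordered before the numbers are extracted.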

The best way to remove comment-based rules from iptables is:

iptables-save | grep -v COMMENT | iptables-restore

It removes all rules with a matching comment. As for me, I use this method to add a ruleset that needs to be completely removed later.

If you need only the PREROUTING chain to be touched, add a prefix or suffix to your comment, like preroute_COMMENT, upon rule creation, to distinguish it within the COMMENT-identified ruleset.

Pattipattie answered 5/5, 2021 at 18:31 Comment(0)