# Iptables delete rules

## pacolotero

I want to delete these rules:

```
iptables-save | grep DROP
-A PREROUTING -d 173.252.110.27/32 -j DROP
-A PREROUTING -d 31.13.80.7/32 -j DROP
-A PREROUTING -d 69.171.247.21/32 -j DROP
-A PREROUTING -d 66.220.149.88/32 -j DROP
```

but when I run

```
iptables -D PREROUTING -d 173.252.110.27/32 -j DROP
iptables: Bad rule (does a matching rule exist in that chain?).
```

----------

## limn

Try

```
iptables -D PREROUTING -t raw -d 173.252.110.27/32 -j DROP
```

which is how the rule specification was initially loaded. Or

```
iptables -t raw -D PREROUTING <rulenum>
```

----------

## Ant P.

```
iptables-save | grep -v DROP | iptables-restore
```

----------

## pacolotero

```
iptables -D PREROUTING -t raw -d 173.252.110.27/32 -j DROP
iptables: Bad rule (does a matching rule exist in that chain?).
```

Or

```
iptables -t raw -D PREROUTING -d 173.252.110.27/32 -j DROP
iptables: Bad rule (does a matching rule exist in that chain?).
```

----------

## limn

If not raw, it should be one of the ones in 

```
# cat /proc/net/ip_tables_names
```

----------

## Hu

Typically, PREROUTING rules are found in the nat table.  How did you manage to add the rules you now want removed?  The removal procedure is the inverse of the addition procedure.

----------

## szatox

Run `iptables -nL` to check what rules you actually have defined.

The rule definition when you add or delete a rule is exactly the same; the only difference is -A vs -D, which is a command for iptables rather than part of the rule definition.

Also, if everything goes wrong, you can always `iptables -F; iptables -X` to delete all rules. You might also need to specify the table you flush, since AFAIR when -t <table name> is skipped it flushes filter only.

----------

## Hu

Depending on what rules you used, flushing everything can be a mildly bad idea or a terrible idea.  If you use a default deny policy, flushing custom rules will leave you with only the DENY policy, thereby blocking all network traffic.  This is the mildly bad idea, since it is an inconvenience until you restore the permissive rules.  If you use a default accept policy, flushing custom rules will remove any DENY rules that protected your services, allowing everyone to connect to them.  If your services were configured with the assumption they were protected, then flushing rules in this case is a terrible idea.

----------

## Ralphred

```
iptables --line-numbers -n -v -L -t nat
```

will put rule numbers in front of each line, then you can use 

```
iptables -t nat -D PREROUTING [number]
```

to delete each one.

BE AWARE that if you want to delete numbers 1, 2, 3 and 4, once you delete number 1, number 2 will become number 1 and so on. If this is hard to keep track of, relist the rules with the line numbers after each delete to check which rule should be deleted next.

I use the following aliases, just because I change rules so infrequently that I can never remember what flags to set to see what I actually want to see:

```
alias natlist='iptables --line-numbers -n -v -L -t nat'
alias iplist='iptables --line-numbers -n -v -L'
```

----------
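An added example, not posted by anyone in this thread: it reads `iptables-save` output, uses the `*table` header lines to recover which table each DROP rule lives in (the detail missing from the failed `-D` attempts above), and prints the matching `iptables -t <table> -D ...` command for each one, so the rules can be removed by specification without tracking shifting line numbers. The save text embedded below is constructed for the demo, not output from the original poster's host.

```shell
#!/bin/sh
# Constructed sample in iptables-save format (not a real dump from the thread).
SAMPLE_SAVE='# Generated by iptables-save
*raw
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A PREROUTING -d 173.252.110.27/32 -j DROP
-A PREROUTING -d 31.13.80.7/32 -j DROP
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -p tcp --dport 22 -j ACCEPT
COMMIT
# Completed'

# drop_delete_cmds: read iptables-save text on stdin and print, for every
# rule whose target is DROP, the exact "iptables -t <table> -D <spec>"
# command that removes it. The "*table" line that precedes a block of rules
# names the table, and COMMIT ends it, so -t is always filled in correctly.
drop_delete_cmds() {
    awk '
        /^\*/     { table = substr($0, 2); next }   # "*raw" -> "raw"
        /^COMMIT/ { table = ""; next }
        /^-A / && / -j DROP$/ {
            spec = substr($0, 4)                    # strip the leading "-A "
            print "iptables -t " table " -D " spec
        }
    '
}

# count_drop_rules: how many DROP rules the dump contains (handy as a
# before/after check once the generated commands have been run).
count_drop_rules() {
    grep -c -- '-j DROP$'
}

# Demo: print the delete commands for review. To apply them on a real host,
# feed a live dump instead: iptables-save | drop_delete_cmds | sh
printf '%s\n' "$SAMPLE_SAVE" | drop_delete_cmds
```

Review the printed commands before piping them to `sh`; each `-D` removes one matching rule, so a rule present twice needs the command run twice.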

