Linux – Delete a iptables chain with its all rules

iptableslinuxlinux-networking

I have a chain appended with many rules like:

> :i_XXXXX_i - [0:0]
> -A INPUT -s 282.202.203.83/32 -j i_XXXXX_i 
> -A INPUT -s 222.202.62.253/32 -j i_XXXXX_i 
> -A INPUT -s 222.202.60.62/32 -j i_XXXXX_i 
> -A INPUT -s 224.93.27.235/32 -j i_XXXXX_i 
> -A OUTPUT -d 282.202.203.83/32 -j i_XXXXX_i 
> -A OUTPUT -d 222.202.62.253/32 -j i_XXXXX_i 
> -A OUTPUT -d 222.202.60.62/32 -j i_XXXXX_i 
> -A OUTPUT -d 224.93.27.235/32 -j i_XXXXX_i

when I try to delete this chain with:

iptables -X XXXX

but got error like (tried iptables -F XXXXX before):

iptables: Too many links.

Is there a easy way to delete the chain by once command?

Best Answer

You can't delete chains when rules with '-j CHAINTODELETE' are referencing them. Figure out what is referencing your chain (the link), and remove that. Also, flush then kill.

-F, --flush [chain]

Flush the selected chain (all the chains in the table if none is given). This is equivalent to deleting all the rules one by one.

-X, --delete-chain [chain]

Delete the optional user-defined chain specified. There must be no references to the chain. If there are, you must delete or replace the referring rules before the chain can be deleted. The chain must be empty, i.e. not contain any rules. If no argument is given, it will attempt to delete every non-builtin chain in the table.

Related Solutions

Linux – Iptables: how to easily group rules in chain

Your chain is in the filter table (since you did not specify a table when it was created, it ends up there by default), but you are trying to reference it from the mangle table, where it does not exist.

You would need to specify the correct table, like this:

iptables -t mangle -N MYCHAIN

In addition, in order to use the NFQUEUE target, you need to have the nfnetlink_queue kernel module loaded. The MARK target needs to be set in the PREROUTING chain of the mangle table. In your example above it is set in the INPUT chain.

So,to summarize, in order to make this work, you would probably need to do something like this:

iptables -t mangle -N MYCHAIN
iptables -t mangle -I MYCHAIN -j NFQUEUE -p udp --dport 4444
iptables -t mangle -I MYCHAIN -j MARK --set-mark 100 -p udp --dport 4444
iptables -t mangle -I MYCHAIN -j NFQUEUE -p udp --sport 4444
iptables -t mangle -I MYCHAIN -j MARK --set-mark 200 -p udp --sport 4444

And then reference this in the relevant tables, like this:

iptables -t mangle -I PREROUTING -j MYCHAIN

The flushing and deleting of the chain should not happen in the same script file, since it effectively eliminates any possibility of the rules ever getting executed.

Linux – iptables: why only OUTPUT rules are needed for samba clients

The default chain names are most definitely involved in the packet flow. There are many diagrams all over the internet showing the various paths a packet might take through the chains, but in general for your scenario traffic from the machine will traverse output, and traffic to the machine will traverse input. They will traverse other chains too, but that doesn't likely matter for the scope of this question.

Also recall that iptables works on a first dispositive match basis (the first match which disposes of a packet, such as by accepting, rejecting or dropping it, causes processing of the chain to stop also). So, none of your input rules after -A INPUT -j REJECT --reject-with icmp-host-prohibited have any effect.

With that said, the reason your samba connections are working is this input rule: -m state --state RELATED,ESTABLISHED -j ACCEPT. That is because when you connect to another samba host, conntrack will record the connection state and this rule will begin accepting the return traffic. I suspect you would find, if you tried to serve something from this box, that nobody could access it.

Best Answer

Related Solutions

Linux – Iptables: how to easily group rules in chain

Linux – iptables: why only OUTPUT rules are needed for samba clients

Related Topic