Showing posts with the label iptables.

iptables: Deleting Rules by Chain and Number

Source: How To List and Delete Iptables Firewall Rules | DigitalOcean

Deleting Rules by Chain and Number

The other way to delete an iptables rule is by its chain and line number. To determine a rule's line number, list the rules in table format and add the --line-numbers option:

sudo iptables -L --line-numbers

Output:
Chain INPUT (policy DROP)
num  target     prot opt source               destination
1    ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
2    ACCEPT     all  --  anywhere             anywhere
3    DROP       all  --  anywhere             anywhere             ctstate INVALID
4    UDP        udp  --  anywhere             anywhere             ctstate NEW
5    TCP        tcp  --  anywhere             anywhere             tcp flags:FIN,SYN,RST,ACK/SYN ctstate NEW
6    ICMP       icmp --  anywhere             anywhere             ctstate NEW
7    REJECT     udp  --  anywhere             anywhere             reject-with icmp-port-unreachable
8    REJECT     tcp  --  anywhere             anywhere             reject-with tcp-reset
9    REJECT     all  --  anywhere             anywhere             reject-with icmp-proto-unreachable
10   ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:ssh ctstate NEW,ESTABLISHED
...

This adds the line number of each rule to its row, under the num header.

Once you know which rule you want to delete, note its chain and line number. Then run iptables -D followed by the chain and the rule number.

For example, if we want to delete the INPUT rule that drops invalid packets, we can see that it is rule 3 of the INPUT chain, so we run:

sudo iptables -D INPUT 3

Now that you know how to delete individual firewall rules, let’s go over how you can flush chains of rules.
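One practical caveat the article does not spell out: rule numbers are renumbered after every deletion, so when several rules must go, delete from the highest number down. The following shell script is an added example, not part of the DigitalOcean article; it parses a constructed listing in the `iptables -L --line-numbers` format and prints the `iptables -D` commands in the safe order, without touching a live firewall.

```shell
#!/bin/sh
# Added example: turn a saved `iptables -L CHAIN --line-numbers` listing into
# `iptables -D CHAIN N` commands for every rule matching a pattern.
# Numbers shift down after each deletion, so commands are emitted highest
# number first; deleting in ascending order would remove the wrong rules.

# Constructed sample listing in the format shown above (subset of the rows).
SAMPLE_LISTING='Chain INPUT (policy DROP)
num  target     prot opt source               destination
1    ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
2    ACCEPT     all  --  anywhere             anywhere
3    DROP       all  --  anywhere             anywhere             ctstate INVALID
7    REJECT     udp  --  anywhere             anywhere             reject-with icmp-port-unreachable
8    REJECT     tcp  --  anywhere             anywhere             reject-with tcp-reset
9    REJECT     all  --  anywhere             anywhere             reject-with icmp-proto-unreachable'

# delete_cmds CHAIN PATTERN LISTING
# Prints one "iptables -D CHAIN N" line per rule row matching PATTERN,
# N descending. Header rows (no leading number) are ignored, so the
# "policy DROP" line never matches a DROP pattern.
delete_cmds() {
    chain=$1; pattern=$2; listing=$3
    printf '%s\n' "$listing" |
        awk -v pat="$pattern" '$1 ~ /^[0-9]+$/ && $0 ~ pat { print $1 }' |
        sort -rn |
        while read -r num; do
            printf 'iptables -D %s %s\n' "$chain" "$num"
        done
}

# Usage: remove every REJECT rule from INPUT (commands are printed,
# not executed; pipe them to sh as root only after reviewing them).
delete_cmds INPUT 'REJECT' "$SAMPLE_LISTING"
```

Re-run the listing after applying the commands to confirm the remaining numbering before deleting anything else.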

iptables and ports

Source: How to restrict MySQL port access (a2hosting.com)


You can use iptables to create firewall rules that restrict access to port 3306. The advantage of this method is that you can selectively grant or deny access to port 3306 based on IP addresses or other criteria.

For example, to block external access to port 3306 completely, type the following command:

iptables -A INPUT -p tcp --dport 3306 -j DROP

Similarly, to grant access to a specific IP address and block all others, type the following commands. Replace xxx.xxx.xxx.xxx with the IP address for which you want to grant access:

iptables -A INPUT -p tcp --dport 3306 -s xxx.xxx.xxx.xxx -j ACCEPT
iptables -A INPUT -p tcp --dport 3306 -j DROP

You can grant MySQL access to additional IP addresses by inserting rules into the INPUT chain before the DROP rule (iptables evaluates a chain top to bottom and the first matching rule wins, so an ACCEPT appended after the DROP would never be reached). For example:

iptables -I INPUT 1 -p tcp --dport 3306 -s xxx.xxx.xxx.xxx -j ACCEPT
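The ordering point above is the one that bites in practice: an ACCEPT appended after the catch-all DROP is dead. The script below is an added example, not code from the a2hosting article; it builds the rule list for an allowlist and simulates first-match evaluation so the order can be checked before touching the live firewall. The addresses are constructed documentation values, and the simulator understands only exact addresses plus the 0.0.0.0/0 catch-all, not arbitrary CIDR prefixes.

```shell
#!/bin/sh
# Added example: first-match evaluation of an INPUT allowlist for port 3306.

# allowlist_rules IP...  -> ordered rules: one ACCEPT per address, then the
# DROP that catches everything else. Rules are "TARGET SOURCE" lines.
allowlist_rules() {
    for ip in "$@"; do
        printf 'ACCEPT %s\n' "$ip"
    done
    printf 'DROP 0.0.0.0/0\n'
}

# verdict SRC RULES -> prints the target of the first rule matching SRC,
# exactly as the kernel walks the chain. Assumption: only exact addresses
# and the 0.0.0.0/0 catch-all are matched here.
verdict() {
    src=$1; rules=$2
    printf '%s\n' "$rules" | while read -r target match; do
        if [ "$match" = "0.0.0.0/0" ] || [ "$match" = "$src" ]; then
            printf '%s\n' "$target"
            break
        fi
    done
}

# as_iptables RULES -> the equivalent `iptables -A INPUT` commands, in order.
as_iptables() {
    printf '%s\n' "$1" | while read -r target match; do
        printf 'iptables -A INPUT -p tcp --dport 3306 -s %s -j %s\n' "$match" "$target"
    done
}

RULES=$(allowlist_rules 203.0.113.10 203.0.113.11)
as_iptables "$RULES"
verdict 203.0.113.10 "$RULES"   # ACCEPT: listed before the DROP
verdict 198.51.100.7 "$RULES"   # DROP: falls through to the catch-all

# The same two rules appended in the wrong order never admit anyone,
# which is why the article inserts new ACCEPTs with -I INPUT 1.
WRONG=$(printf 'DROP 0.0.0.0/0\nACCEPT 203.0.113.10\n')
verdict 203.0.113.10 "$WRONG"   # DROP
```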

Task: Open port 3306

In most cases the following simple rule opens TCP port 3306:

iptables -A INPUT -i eth0 -p tcp -m tcp --dport 3306 -j ACCEPT

The following iptables rules allow incoming client requests (open port 3306) for the server IP address 202.54.1.20. Add them to your iptables shell script:

iptables -A INPUT -p tcp -s 0/0 --sport 1024:65535 -d 202.54.1.20 --dport 3306 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p tcp -s 202.54.1.20 --sport 3306 -d 0/0 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT

However, in real life you do not want to give access to everyone. In a web hosting company, for example, only the web server needs access to the MySQL database server. The following example allows access to the MySQL database server (202.54.1.20) from the Apache web server (202.54.1.50) only:

iptables -A INPUT -p tcp -s 202.54.1.50 --sport 1024:65535 -d 202.54.1.20 --dport 3306 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p tcp -s 202.54.1.20 --sport 3306 -d 202.54.1.50 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT

Note that if you follow the setup above, you need to tell all your hosting customers to use 202.54.1.50 as the MySQL host in their PHP/Perl code. A better approach is to create the following entry in the /etc/hosts file, or to use a fully qualified domain name (create a DNS entry) such as mysql.hostingservicecompany.com that points to the 202.54.1.50 IP:

202.54.1.50 mysql

In short, the MySQL database connection code in PHP hosted on our separate web server would look as follows:

// ** MySQL settings ** //
define('DB_NAME', 'YOUR-DATABASE-NAME');     // The name of the database
define('DB_USER', 'YOUR-USER-NAME');     // Your MySQL username
define('DB_PASSWORD', 'YOUR-PASSWORD'); // ...and password
define('DB_HOST', 'mysql');       // mysql i.e. 202.54.1.50
// ** rest of PHP code ** //

Task: Allow outgoing MySQL request on TCP port 3306

You can also allow outgoing MySQL client requests (made via the mysql command line client or a Perl/PHP script) from the firewall host 202.54.1.20 as follows:

iptables -A OUTPUT -p tcp -s 202.54.1.20 --sport 1024:65535 -d 0/0 --dport 3306 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -p tcp -s 0/0 --sport 3306 -d 202.54.1.20 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT

Renewing Facebook Graph API token automatically?

Long-lived access tokens: https://developers.facebook.com/docs/facebook-login/guides/access-tokens/get-long-lived/ https://community.n8n.io/t/re...