Many developers encounter this situation: you've set up port forwarding with iptables (like redirecting port 80 to 8080), but later need to undo it. Unlike adding rules, removing them isn't always as clearly documented.
# Original rule we want to remove:
iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to 8080
First, let's view all NAT rules to identify what we need to remove:
iptables -t nat -L --line-numbers
This displays output like:
Chain PREROUTING (policy ACCEPT)
num target prot opt source destination
1 REDIRECT tcp -- anywhere anywhere tcp dpt:http redir ports 8080
There are two primary methods to remove the rule:
Method 1: By Rule Number
iptables -t nat -D PREROUTING 1
Method 2: By Exact Specification
iptables -t nat -D PREROUTING -p tcp --dport 80 -j REDIRECT --to 8080
Always verify the rule is gone:
iptables -t nat -L
Or check more verbosely:
iptables -t nat -vL
Case 1: Multiple Similar Rules
If you have multiple similar rules, delete them sequentially by number:
iptables -t nat -D PREROUTING 1
iptables -t nat -D PREROUTING 1 # Deletes what is now the new "1" rule
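Deleting by number works, but the numbering shifts after every deletion, which is easy to get wrong when several similar rules exist. An alternative, added here as an example and not code from the original article, is to delete by exact specification in a loop and use `iptables -C` (check) to tell when no matching copy remains, so the loop needs no knowledge of rule numbers at all. The `IPTABLES` override variable and the `remove_rule_all` function name are this example's own assumptions; the rule specification passed to it must be the full spec including the target, exactly as it was added.

```shell
#!/bin/sh
# Added example, not from the original article: remove every copy of a
# NAT rule that matches an exact specification.
#
# `iptables -C` returns 0 while a matching rule exists (it also fails,
# with a different status, when not run as root), so the loop stops on
# its own once the chain is clean. IPTABLES is an assumed hook that lets
# the function be exercised against a stub instead of the real binary.
IPTABLES="${IPTABLES:-iptables}"

# remove_rule_all CHAIN RULE-SPEC...
# Deletes matching rules from the nat table until -C finds none.
# Prints the number of rules deleted; returns 1 if a delete fails.
remove_rule_all() {
    chain="$1"
    shift
    deleted=0
    while "$IPTABLES" -t nat -C "$chain" "$@" 2>/dev/null; do
        "$IPTABLES" -t nat -D "$chain" "$@" || return 1
        deleted=$((deleted + 1))
    done
    echo "$deleted"
    return 0
}

# Stand-alone use (as root), e.g.:
#   sh remove_rule.sh PREROUTING -p tcp --dport 80 -j REDIRECT --to-port 8080
if [ "$#" -gt 0 ]; then
    n=$(remove_rule_all "$@") && echo "removed $n rule(s)"
fi
```

Because the check is against the live ruleset rather than a remembered number, the same call is safe to run again after a partial cleanup: a second run simply reports zero deletions.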
Case 2: Flushing Entire Chain
For complete cleanup (be careful!):
iptables -t nat -F PREROUTING
Remember, iptables changes are temporary unless saved:
iptables-save > /etc/iptables.rules # Debian/Ubuntu
service iptables save # RHEL/CentOS
For IPv6 rules, use the same syntax with ip6tables:
ip6tables -t nat -D PREROUTING -p tcp --dport 80 -j REDIRECT --to 8080
- Use the -v flag for verbose output when listing rules
- Check both IPv4 and IPv6 rules if networking issues persist
- Verify with netstat -tulnp to confirm port behavior
Many Linux administrators use iptables to redirect traffic between ports. A typical example would be forwarding HTTP traffic from port 80 to an alternative port like 8080:
iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-port 8080
Before making changes, always check your current NAT table rules:
iptables -t nat -L -n -v --line-numbers
This will display something like:
Chain PREROUTING (policy ACCEPT 1023 packets, 63445 bytes)
num pkts bytes target prot opt in out source destination
1 45 2716 REDIRECT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:80 redir ports 8080
There are three effective ways to remove the rule:
Method 1: Using Rule Numbers
After listing rules with --line-numbers, delete by the rule number:
iptables -t nat -D PREROUTING 1
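When more than one rule has to go by number, delete the highest-numbered one first: the remaining numbers are then still valid. The script below is an added example, not code from the original article. It parses the listing format shown above (from `iptables -t nat -L -n -v --line-numbers`), finds the REDIRECT rules for a given chain and TCP destination port, and emits the delete commands in descending order. It generalises beyond the single port-80 rule to any chain and port. The sample listing is constructed, and the function names are the example's own.

```shell
#!/bin/sh
# Added example, not from the original article: find NAT REDIRECT rules by
# chain and destination port in the `-L -n -v --line-numbers` listing and
# produce delete-by-number commands, highest number first.

# Constructed sample listing (not captured from a real host).
SAMPLE_LISTING='Chain PREROUTING (policy ACCEPT 1023 packets, 63445 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1       45  2716 REDIRECT   tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80 redir ports 8080
2       10   600 DNAT       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:443 to::8443
3        3   180 REDIRECT   tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80 redir ports 8081

Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination
'

# redirect_rule_numbers CHAIN DPORT  (listing on stdin)
# Prints the rule numbers of REDIRECT rules in CHAIN whose match includes
# "dpt:DPORT", in descending order.
redirect_rule_numbers() {
    awk -v chain="$1" -v dport="$2" '
        /^Chain / { cur = $2; next }            # remember which chain we are in
        cur == chain && $4 == "REDIRECT" {      # column 4 is the target
            for (i = 5; i <= NF; i++)
                if ($i == ("dpt:" dport)) nums[n++] = $1
        }
        END { for (i = n - 1; i >= 0; i--) print nums[i] }
    '
}

# delete_commands CHAIN DPORT  (listing on stdin)
# Emits one `iptables -t nat -D CHAIN N` line per matching rule, highest
# N first, so each command stays valid after the previous one runs.
delete_commands() {
    redirect_rule_numbers "$1" "$2" | while read -r num; do
        echo "iptables -t nat -D $1 $num"
    done
}

# Stand-alone use (as root): review the commands, then pipe them to sh.
#   iptables -t nat -L -n -v --line-numbers | sh find_redirects.sh PREROUTING 80
if [ "$#" -eq 2 ]; then
    delete_commands "$1" "$2"
fi
```

Printing the commands rather than executing them keeps a review step in the loop; against the sample listing, the output is the deletes for rules 3 and then 1, and the DNAT rule on port 443 is left alone.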
Method 2: Exact Match Deletion
Alternatively, delete by specifying the exact rule parameters:
iptables -t nat -D PREROUTING -p tcp --dport 80 -j REDIRECT --to-port 8080
Method 3: Flushing the Entire Chain
As a nuclear option (use with caution):
iptables -t nat -F PREROUTING
Always verify the rule is gone by checking the NAT table again:
iptables -t nat -L -n
Remember that iptables changes are temporary. To make permanent changes:
- Ubuntu/Debian: iptables-save > /etc/iptables.rules
- RHEL/CentOS: service iptables save
If you used DNAT instead of REDIRECT, the removal process is similar:
# Original rule:
iptables -t nat -A PREROUTING -p tcp --dport 80 -j DNAT --to-destination :8080
# Removal:
iptables -t nat -D PREROUTING -p tcp --dport 80 -j DNAT --to-destination :8080