I’m still a fan of iptables. I know firewalld is most likely the “wrapped iptables” future, but let’s hold on to iptables for just a bit longer, shall we? This is a short how-to on cleaning up PREROUTING NAT rules. A plain iptables -F only touches the filter table; the nat table always needs -t nat (iptables -t nat -F PREROUTING would throw away the whole chain), and removing just one rule from it works a bit differently.


I got into this situation trying to add tcp/udp prerouting to a machine that had to forward packets from one side of the network to another subnet … well anyway, my iptables contained multiple rules I wanted to get rid of. So let’s go!

First you need to find out which rule number it is:

iptables -t nat -L --line-numbers

The horrible result is:

iptables -t nat -L --line-numbers
Chain PREROUTING (policy ACCEPT)
num  target     prot opt source               destination         
1    DNAT       udp  --  anywhere             anywhere            udp dpt:snmptrap to:10.1.255.245:161 
2    DNAT       udp  --  anywhere             anywhere            udp dpt:snmptrap to:10.1.255.245:161 
3    DNAT       udp  --  anywhere             anywhere            udp dpt:snmptrap to:10.1.255.245:161 
4    DNAT       udp  --  anywhere             anywhere            udp dpt:snmptrap to:10.1.255.245:161 
5    DNAT       udp  --  anywhere             anywhere            udp dpt:snmptrap to:10.1.255.245:161 
6    DNAT       udp  --  anywhere             anywhere            udp dpt:snmptrap to:10.1.255.245:161 
7    DNAT       udp  --  anywhere             anywhere            udp dpt:snmptrap to:10.1.255.245:161 

Chain POSTROUTING (policy ACCEPT)
num  target     prot opt source               destination         
1    MASQUERADE  all  --  anywhere             anywhere            

Chain OUTPUT (policy ACCEPT)
num  target     prot opt source               destination

So how do I remove one specific rule? By specifying the table (-t nat), then delete (-D) followed by the chain name (PREROUTING, case-sensitive) and the rule number (7 here). Two things to keep in mind: the chain is renumbered as soon as a rule is gone, so when removing several rules delete from the highest number down (or re-list between deletes), and -L resolves addresses and ports to names (anywhere, snmptrap), so add -n if you want the raw values or the host cannot resolve them.

iptables -t nat -D PREROUTING 7

And that’s it, no magic firewalld commands needed!
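As an added example (not part of the original post), here is a small POSIX shell script that does the cleanup above in one go: it parses the --line-numbers listing, finds every rule that repeats an earlier one in the chain, and prints the matching iptables -t nat -D commands from the highest number down so the numbers stay valid while they run. The listing embedded in it is constructed from the PREROUTING output above (with one extra tcp rule added to show that a non-duplicate is left alone), and the script only prints the commands; piping them into sh from a root shell is the step that actually changes the table.

```shell
#!/bin/sh
# Added example (not from the original post): find duplicate rules in an iptables nat chain
# and emit the `iptables -t nat -D CHAIN N` commands, highest number first, so that the
# numbers printed by --line-numbers stay valid while the deletes run.

# Constructed sample listing, modelled on the PREROUTING output in the post (not captured
# from a live host). Rule 3 is an extra tcp rule with no duplicate.
SAMPLE='Chain PREROUTING (policy ACCEPT)
num  target     prot opt source               destination
1    DNAT       udp  --  anywhere             anywhere            udp dpt:snmptrap to:10.1.255.245:161
2    DNAT       udp  --  anywhere             anywhere            udp dpt:snmptrap to:10.1.255.245:161
3    DNAT       tcp  --  anywhere             anywhere            tcp dpt:http to:10.1.255.245:80
4    DNAT       udp  --  anywhere             anywhere            udp dpt:snmptrap to:10.1.255.245:161'

# dup_rule_numbers: read `iptables -t nat -L CHAIN --line-numbers` output on stdin and print
# the number of every rule that repeats an earlier rule in the chain, highest number first.
# Only lines that start with a rule number count; the "Chain" and header lines are skipped.
dup_rule_numbers() {
    awk '$1 ~ /^[0-9]+$/ {
            num = $1
            $1 = ""            # drop the number so identical rules compare equal
            if ($0 in seen) print num
            seen[$0] = 1
         }' | sort -rn
}

# delete_commands CHAIN: turn the duplicate numbers into delete commands for CHAIN.
# iptables re-reads the number against the live table, so the descending order matters:
# deleting rule 2 first would turn rule 4 into rule 3.
delete_commands() {
    chain=$1
    dup_rule_numbers | while read -r n; do
        printf 'iptables -t nat -D %s %s\n' "$chain" "$n"
    done
}

# Dry run on the constructed sample. On a real host (as root) pipe the live listing instead:
#   iptables -t nat -L PREROUTING --line-numbers | delete_commands PREROUTING | sh
printf '%s\n' "$SAMPLE" | delete_commands PREROUTING
```

The duplicate check compares the whole rule text after the number column, so two rules that differ only in a counter or a comment would not be treated as duplicates; review the printed commands before piping them into sh.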