Rule "labels"?

Stephen J. McCracken sjmccracky at
Thu Apr 14 23:32:47 CEST 2005

Andrew Kraslavsky wrote:
> This equates to the following 2 rules, one in the 'nat' table and the 
> other in the 'filter' table:
> iptables -t nat -A PREROUTING -i $PUBLIC_IF -p tcp --dport 80 -j DNAT 
> --to
> iptables -t filter -A FORWARD -i $PUBLIC_IF -d -p tcp 
> --dport 80 -j ACCEPT
> Later, the user decides to disable the policy which means deleting both 
> of the rules above.  Since I cannot rely on knowing the indices of each 
> Ideally, the delete command would remove all rules in the specified 
> chain with the specified label, or all rules within the specified table, 
> or even across all chains in all tables, but I'm not that greedy...
> Suggestions?

It might not be as elegant as you are looking for, but I do something 
similar with adding/deleting rules when VPNs come up/go down.  I have 
been simply generating rules in a file and sourcing that file in the 
VPN_up script.  I then have that file saved for the case when the VPN 
goes down and just do a simple sed script to change all adds to deletes 
and source that file in the VPN_down script.  You don't have the problem 
of finding rules dynamically as you have the file that generated the 
rules hanging around and can easily reverse the process changing "-A" to 

Like I said, maybe not elegant, but it works.


More information about the netfilter mailing list