I've removed ufw and I want to get rid of all the chains it leaves behind. How can I do that easily?
3 Answers
The answer from @flickerfly does not work in my situation. I ran the following commands to get rid of all ufw rules and chains:
# delete the ufw jump rules from the built-in chains, highest rule number first
# (sort -rn: numeric order, so rule 10 goes before rule 9 and nothing gets renumbered underneath the loop)
for i in `iptables -L INPUT --line-numbers | grep '^[0-9].*ufw' | cut -f 1 -d ' ' | sort -rn`; do iptables -D INPUT $i; done
for i in `iptables -L FORWARD --line-numbers | grep '^[0-9].*ufw' | cut -f 1 -d ' ' | sort -rn`; do iptables -D FORWARD $i; done
for i in `iptables -L OUTPUT --line-numbers | grep '^[0-9].*ufw' | cut -f 1 -d ' ' | sort -rn`; do iptables -D OUTPUT $i; done
# flush the ufw chains first so they no longer reference each other, then delete them
for c in `iptables -L | grep '^Chain .*ufw' | cut -d ' ' -f 2`; do iptables -F $c; done
for c in `iptables -L | grep '^Chain .*ufw' | cut -d ' ' -f 2`; do iptables -X $c; done
- 331
Note: This has not aged well. Check out other answers for modern solutions first.
This two-liner, run as root, will quickly find all the names and run them through a for loop that runs iptables -F to flush references to the chain, then iptables -X to delete them.
for ufw in `iptables -L |grep ufw|awk '{ print $2 }'`; do iptables -F $ufw; done
for ufw in `iptables -L |grep ufw|awk '{ print $2 }'`; do iptables -X $ufw; done
- 7,509
iptables noob here, so please bear with me.
I know this is an older topic, but it helped me get on the right track.
TL;DR: neither of the options presented by @wjdp or @david-boho worked for me, and I eventually found this comment on serverfault (hope I'm allowed to cross-share), "delete a ip chain and all its references", by user Steven Monday:
Try this: iptables-save | grep -v i_XXXXX_i | iptables-restore – Steven Monday Apr 2 '12 at 19:01
Replacing "i_XXXXX_i" with "ufw-", it did the job.
Hopefully needless to say I first backed up my iptables:
iptables-save > ~/iptables-old
For my longer tale:
@wjdp: I think the first reason yours may appear not to work properly is that some of the output from "iptables -L" comes out as $1 instead of $2, e.g.:
Chain FORWARD (policy ACCEPT)
target prot opt source destination
ufw-before-logging-forward all -- anywhere anywhere
ufw-before-forward all -- anywhere anywhere
This throws an error:
iptables: No chain/target/match by that name.
I used:
for ufw in `iptables -L | grep -oE "(^| )ufw[^ ]*( |$)" | awk '{ print $1}'`; do iptables -F $ufw; done
for ufw in `iptables -L | grep -oE "(^| )ufw[^ ]*( |$)" | awk '{ print $1}'`; do iptables -X $ufw; done
However, on investigation, it appears I was simply creating duplicates, as the rule was re-referred to in the policy (appears as $1) and in the rule itself ($2).
A simple mod to your commands to get clean output would be:
for ufw in `iptables -L | grep -E ^Chain.*ufw | awk '{ print $2 }'`; do iptables -F $ufw; done
for ufw in `iptables -L | grep -E ^Chain.*ufw | awk '{ print $2 }'`; do iptables -X $ufw; done
I, however, then got the following errors when running -X (after having run -F):
iptables v1.8.2 (nf_tables): CHAIN_USER_DEL failed (Device or resource busy): chain ufw-before-logging-input
iptables v1.8.2 (nf_tables): CHAIN_USER_DEL failed (Device or resource busy): chain ufw-before-logging-output
I then tried @david-boho's "-D" option and got the following error:
iptables: Bad rule (does a matching rule exist in that chain?).
(I added an echo to David's command and confirmed the names were indeed valid.)
It was after this that I found Steven's solution that worked perfectly for me.
Hope this helps someone.
- 1
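All three answers drive iptables from the human-oriented output of `iptables -L`, and each trips over a different edge of it: rule numbers sorted as strings, rule lines where the ufw chain is the first column, and chains that stay "busy" because a built-in chain still jumps to them. The script below is an added example, not code from any of the answers, and works from an `iptables-save` dump instead, whose `*table`, `:chain` and `-A` lines are made for parsing. The sample dump, the function names `strip_ufw_chains` and `ufw_delete_commands`, and the port numbers are constructed for the example; the only fact assumed about ufw is its chain naming (`ufw-*`, and `ufw6-*` in ip6tables). Nothing in it touches the kernel until you pipe its output into `iptables-restore` or run the printed commands yourself.

```shell
#!/bin/sh
# Added example, not code from the thread above. Everything here reads an
# iptables-save dump on stdin and only prints text: a cleaned dump for
# iptables-restore, or the explicit iptables commands, so you can inspect
# the result against a saved file before touching the live ruleset.

# Constructed sample dump (the shape iptables-save prints): ufw chains still
# loaded after the package was removed, plus an unrelated rule whose comment
# merely mentions "ufw-", which `grep -v ufw-` would wrongly throw away.
SAMPLE_DUMP='# Generated by iptables-save v1.8.2
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:ufw-after-input - [0:0]
:ufw-before-input - [0:0]
:ufw-before-logging-input - [0:0]
:ufw-user-input - [0:0]
:DOCKER-USER - [0:0]
-A INPUT -j ufw-before-logging-input
-A INPUT -j ufw-before-input
-A INPUT -j ufw-after-input
-A INPUT -p tcp -m tcp --dport 2222 -m comment --comment "ssh, not ufw-managed" -j ACCEPT
-A FORWARD -j DOCKER-USER
-A ufw-before-input -i lo -j ACCEPT
-A ufw-before-input -j ufw-user-input
-A ufw-user-input -p tcp -m tcp --dport 22 -j ACCEPT
-A DOCKER-USER -j RETURN
COMMIT
'

# Print the dump with every ufw chain, and every jump into one, removed.
# Only chain names and -j/-g targets are inspected, never the whole line.
# ufw names its IPv6 chains ufw6-*, hence the "ufw6?-" patterns.
strip_ufw_chains() {
  awk '
    /^:ufw6?-/   { next }   # chain declaration
    /^-A ufw6?-/ { next }   # rule inside a ufw chain
    /^-A / {                # rule elsewhere that jumps into a ufw chain
      for (i = 1; i <= NF; i++)
        if (($i == "-j" || $i == "-g") && $(i + 1) ~ /^ufw6?-/) next
    }
    { print }
  '
}

# Print the step-by-step commands instead, in the order the kernel needs:
#   1. delete the jumps into ufw chains from other chains, by rule spec, so
#      line numbers never shift under you;
#   2. flush every ufw chain, which drops the ufw-to-ufw references;
#   3. delete the chains, which are now unreferenced (no "resource busy").
# $1 is the tool name to print, iptables or ip6tables (default: iptables).
ufw_delete_commands() {
  awk -v tool="${1:-iptables}" '
    /^\*/       { table = substr($1, 2); tables = tables " " table }
    /^:ufw6?-/  { chains[table] = chains[table] " " substr($1, 2) }
    /^-A / && !/^-A ufw6?-/ {
      for (i = 1; i <= NF; i++)
        if (($i == "-j" || $i == "-g") && $(i + 1) ~ /^ufw6?-/)
          print tool " -t " table " -D " substr($0, 4)
    }
    END {
      nt = split(tables, t)
      for (k = 1; k <= nt; k++) {
        nc = split(chains[t[k]], c)
        for (j = 1; j <= nc; j++) print tool " -t " t[k] " -F " c[j]
        for (j = 1; j <= nc; j++) print tool " -t " t[k] " -X " c[j]
      }
    }
  '
}

# Stand-alone demo on the constructed dump. Against a real box:
#   iptables-save > ~/iptables-old
#   strip_ufw_chains < ~/iptables-old | iptables-restore
#   ip6tables-save | ufw_delete_commands ip6tables       # review, then run
printf '%s' "$SAMPLE_DUMP" | ufw_delete_commands
```

Two caveats when using this for real. `iptables-restore` without `--noflush` replaces every table present in its input wholesale, so feed it the complete cleaned dump, never a hand-trimmed fragment, and keep the `iptables-save` backup from the answer above until you have verified the result. And run it twice, once for `iptables-save`/`iptables-restore` and once for the `ip6tables` pair, because ufw installs an IPv6 rule set alongside the IPv4 one and the `ufw6-*` chains would otherwise be left behind.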