Ran IPTables Flush? How To Regain SSH Access After Being Locked Out Of CSF Firewall Servers

You’ve accidentally run the SSH command iptables -F and have locked yourself out of your server and can not SSH login again. So how do you regain SSH access? Centmin Mod LEMP stack uses CSF Firewall which is a wrapper interface to CentOS system’s underlying IPTables. If you run the SSH command, iptables -F you may end up locking yourself out of the server as this command flushes all the existing IPTable rules that are configured and setup by CSF Firewall at startup. This guide will outline ways you can possibly regain SSH access using example VPS providers – Upcloud, DigitalOcean, Vultr, Linode, Hetzner and Amazon AWS EC2 instance servers.

Affiliate referral links are used where appropriate. So if you like this guide, please consider signing up via the links.

Background

Centmin Mod’s MOTD banner displayed on initial SSH login even mentions and warns against running iptables -F as you can see below excerpt:

===============================================================================
# ! This server maybe running CSF Firewall !  
#   DO NOT run the below command or you  will lock yourself out of the server: 
# 
#   iptables -F 

the full MOTD banner on initial SSH login displayed to the user looks like this:

===============================================================================
 - Hostname......: hostname.domain.com on CentOS Linux 7.9.2009
 - Users.........: Currently 2 user(s) logged on (includes: root)
===============================================================================
 - CPU usage.....: 0.25, 0.14, 0.12 (1, 5, 15 min)
 - Processes.....: 105 running
 - System uptime.: 274 days 14 hours 17 minutes 33 seconds
===============================================================================
              total        used        free      shared  buff/cache   available
Mem:            990         347         115         126         528         271
Swap:          1023          70         953
===============================================================================
Filesystem     Type      Size  Used Avail Use% Mounted on
devtmpfs       devtmpfs  486M     0  486M   0% /dev
tmpfs          tmpfs     496M     0  496M   0% /dev/shm
tmpfs          tmpfs     496M   51M  446M  11% /run
tmpfs          tmpfs     496M     0  496M   0% /sys/fs/cgroup
/dev/vda1      xfs        25G   12G   14G  46% /
/dev/loop0     ext4      5.8G   25M  5.5G   1% /tmp
tmpfs          tmpfs     100M     0  100M   0% /run/user/0
tmpfs          tmpfs     100M     0  100M   0% /run/user/993

===============================================================================
# ! This server maybe running CSF Firewall !  
#   DO NOT run the below command or you  will lock yourself out of the server: 
# 
#   iptables -F 


===============================================================================
* Getting Started Guide - https://centminmod.com/getstarted.html
* Centmin Mod FAQ - https://centminmod.com/faq.html
* Centmin Mod Config Files - https://centminmod.com/configfiles.html
* Change Log - https://centminmod.com/changelog.html
* Community Forums https://community.centminmod.com  [ << Register ]
===============================================================================

===============================================================================
 Centmin Mod local code is up to date at /usr/local/src/centminmod
 no available updates at this time...
===============================================================================

What Happens When You Flush IPTables?

When you run iptables -F command, you end up flushing and removing all IPTable rules configured by CSF Firewall. You can view all the configured IPTable rules via either of these two commands:

  • iptables -L -v -n
  • csf -l

When CSF Firewall and IPTables are properly running you’ll see something similar to the following IPTable rules listed:

ipatbles -L -v -n

Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 ACCEPT     tcp  --  !lo    *       94.237.40.9          0.0.0.0/0            tcp dpt:53
    0     0 ACCEPT     udp  --  !lo    *       94.237.40.9          0.0.0.0/0            udp dpt:53
    0     0 ACCEPT     tcp  --  !lo    *       94.237.40.9          0.0.0.0/0            tcp spt:53
    0     0 ACCEPT     udp  --  !lo    *       94.237.40.9          0.0.0.0/0            udp spt:53
    0     0 ACCEPT     tcp  --  !lo    *       94.237.127.9         0.0.0.0/0            tcp dpt:53
    0     0 ACCEPT     udp  --  !lo    *       94.237.127.9         0.0.0.0/0            udp dpt:53
    0     0 ACCEPT     tcp  --  !lo    *       94.237.127.9         0.0.0.0/0            tcp spt:53
    5   508 ACCEPT     udp  --  !lo    *       94.237.127.9         0.0.0.0/0            udp spt:53
  126 49300 LOCALINPUT  all  --  !lo    *       0.0.0.0/0            0.0.0.0/0           
    0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0           
   47 16513 INVALID    tcp  --  !lo    *       0.0.0.0/0            0.0.0.0/0           
    0     0            tcp  --  !lo    *       0.0.0.0/0            0.0.0.0/0            tcp dpt:21 state NEW recent: SET name: 21 side: source mask: 255.255.255.255
    0     0 PORTFLOOD  tcp  --  !lo    *       0.0.0.0/0            0.0.0.0/0            tcp dpt:21 state NEW recent: UPDATE seconds: 300 hit_count: 20 name: 21 side: source mask: 255.255.255.255
    0     0 ACCEPT     icmp --  !lo    *       0.0.0.0/0            0.0.0.0/0            icmptype 8 limit: avg 1/sec burst 5
    0     0 LOGDROPIN  icmp --  !lo    *       0.0.0.0/0            0.0.0.0/0            icmptype 8
    0     0 ACCEPT     icmp --  !lo    *       0.0.0.0/0            0.0.0.0/0           
   38 16136 ACCEPT     all  --  !lo    *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
    0     0 ACCEPT     tcp  --  !lo    *       0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:20
    0     0 ACCEPT     tcp  --  !lo    *       0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:21
    1    60 ACCEPT     tcp  --  !lo    *       0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:22
    0     0 ACCEPT     tcp  --  !lo    *       0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:25
    0     0 ACCEPT     tcp  --  !lo    *       0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:53
    1    40 ACCEPT     tcp  --  !lo    *       0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:80
    0     0 ACCEPT     tcp  --  !lo    *       0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:110
    0     0 ACCEPT     tcp  --  !lo    *       0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:143
    0     0 ACCEPT     tcp  --  !lo    *       0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:161
    0     0 ACCEPT     tcp  --  !lo    *       0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:443
    0     0 ACCEPT     tcp  --  !lo    *       0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:465
    0     0 ACCEPT     tcp  --  !lo    *       0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:587
    0     0 ACCEPT     tcp  --  !lo    *       0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:993
    0     0 ACCEPT     tcp  --  !lo    *       0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:995
    0     0 ACCEPT     tcp  --  !lo    *       0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:1110
    0     0 ACCEPT     tcp  --  !lo    *       0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:1186
    0     0 ACCEPT     tcp  --  !lo    *       0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:1194
    0     0 ACCEPT     tcp  --  !lo    *       0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:81
    0     0 ACCEPT     tcp  --  !lo    *       0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:9418
    0     0 ACCEPT     tcp  --  !lo    *       0.0.0.0/0            0.0.0.0/0            state NEW tcp dpts:30001:50011
    0     0 ACCEPT     udp  --  !lo    *       0.0.0.0/0            0.0.0.0/0            state NEW udp dpt:67
    0     0 ACCEPT     udp  --  !lo    *       0.0.0.0/0            0.0.0.0/0            state NEW udp dpt:68
    0     0 ACCEPT     udp  --  !lo    *       0.0.0.0/0            0.0.0.0/0            state NEW udp dpt:1110
    0     0 ACCEPT     udp  --  !lo    *       0.0.0.0/0            0.0.0.0/0            state NEW udp dpts:33434:33534
    0     0 ACCEPT     udp  --  !lo    *       0.0.0.0/0            0.0.0.0/0            state NEW udp dpt:20
    0     0 ACCEPT     udp  --  !lo    *       0.0.0.0/0            0.0.0.0/0            state NEW udp dpt:21
    0     0 ACCEPT     udp  --  !lo    *       0.0.0.0/0            0.0.0.0/0            state NEW udp dpt:53
    0     0 ACCEPT     udp  --  !lo    *       0.0.0.0/0            0.0.0.0/0            state NEW udp dpt:80
    0     0 ACCEPT     udp  --  !lo    *       0.0.0.0/0            0.0.0.0/0            state NEW udp dpt:443
    4   164 LOGDROPIN  all  --  !lo    *       0.0.0.0/0            0.0.0.0/0           

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 ACCEPT     tcp  --  *      !lo     0.0.0.0/0            94.237.40.9          tcp dpt:53
    0     0 ACCEPT     udp  --  *      !lo     0.0.0.0/0            94.237.40.9          udp dpt:53
    0     0 ACCEPT     tcp  --  *      !lo     0.0.0.0/0            94.237.40.9          tcp spt:53
    0     0 ACCEPT     udp  --  *      !lo     0.0.0.0/0            94.237.40.9          udp spt:53
    0     0 ACCEPT     tcp  --  *      !lo     0.0.0.0/0            94.237.127.9         tcp dpt:53
    5   293 ACCEPT     udp  --  *      !lo     0.0.0.0/0            94.237.127.9         udp dpt:53
    0     0 ACCEPT     tcp  --  *      !lo     0.0.0.0/0            94.237.127.9         tcp spt:53
    0     0 ACCEPT     udp  --  *      !lo     0.0.0.0/0            94.237.127.9         udp spt:53
  114 15489 LOCALOUTPUT  all  --  *      !lo     0.0.0.0/0            0.0.0.0/0           
    0     0 ACCEPT     tcp  --  *      !lo     0.0.0.0/0            0.0.0.0/0            tcp dpt:53
    0     0 ACCEPT     udp  --  *      !lo     0.0.0.0/0            0.0.0.0/0            udp dpt:53
    0     0 ACCEPT     tcp  --  *      !lo     0.0.0.0/0            0.0.0.0/0            tcp spt:53
    0     0 ACCEPT     udp  --  *      !lo     0.0.0.0/0            0.0.0.0/0            udp spt:53
    0     0 ACCEPT     all  --  *      lo      0.0.0.0/0            0.0.0.0/0           
   38  4583 INVALID    tcp  --  *      !lo     0.0.0.0/0            0.0.0.0/0           
    0     0 ACCEPT     icmp --  *      !lo     0.0.0.0/0            0.0.0.0/0           
   31  3390 ACCEPT     all  --  *      !lo     0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
    0     0 ACCEPT     tcp  --  *      !lo     0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:8080
    0     0 ACCEPT     tcp  --  *      !lo     0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:2525
    0     0 ACCEPT     tcp  --  *      !lo     0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:465
    0     0 ACCEPT     tcp  --  *      !lo     0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:1110
    0     0 ACCEPT     tcp  --  *      !lo     0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:1194
    0     0 ACCEPT     tcp  --  *      !lo     0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:9418
    0     0 ACCEPT     tcp  --  *      !lo     0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:20
    0     0 ACCEPT     tcp  --  *      !lo     0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:21
    0     0 ACCEPT     tcp  --  *      !lo     0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:22
    0     0 ACCEPT     tcp  --  *      !lo     0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:25
    0     0 ACCEPT     tcp  --  *      !lo     0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:53
    0     0 ACCEPT     tcp  --  *      !lo     0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:80
    0     0 ACCEPT     tcp  --  *      !lo     0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:110
    0     0 ACCEPT     tcp  --  *      !lo     0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:113
    2   120 ACCEPT     tcp  --  *      !lo     0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:443
    0     0 ACCEPT     tcp  --  *      !lo     0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:587
    0     0 ACCEPT     tcp  --  *      !lo     0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:993
    0     0 ACCEPT     tcp  --  *      !lo     0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:995
    0     0 ACCEPT     udp  --  *      !lo     0.0.0.0/0            0.0.0.0/0            state NEW udp dpt:67
    0     0 ACCEPT     udp  --  *      !lo     0.0.0.0/0            0.0.0.0/0            state NEW udp dpt:68
    0     0 ACCEPT     udp  --  *      !lo     0.0.0.0/0            0.0.0.0/0            state NEW udp dpt:1110
    0     0 ACCEPT     udp  --  *      !lo     0.0.0.0/0            0.0.0.0/0            state NEW udp dpts:33434:33534
    0     0 ACCEPT     udp  --  *      !lo     0.0.0.0/0            0.0.0.0/0            state NEW udp dpt:20
    0     0 ACCEPT     udp  --  *      !lo     0.0.0.0/0            0.0.0.0/0            state NEW udp dpt:21
    0     0 ACCEPT     udp  --  *      !lo     0.0.0.0/0            0.0.0.0/0            state NEW udp dpt:53
    0     0 ACCEPT     udp  --  *      !lo     0.0.0.0/0            0.0.0.0/0            state NEW udp dpt:113
    3   228 ACCEPT     udp  --  *      !lo     0.0.0.0/0            0.0.0.0/0            state NEW udp dpt:123
    0     0 LOGDROPOUT  all  --  *      !lo     0.0.0.0/0            0.0.0.0/0           

Chain ALLOWDYNIN (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            match-set chain_ALLOWDYN src

Chain ALLOWDYNOUT (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            match-set chain_ALLOWDYN dst

Chain ALLOWIN (1 references)
 pkts bytes target     prot opt in     out     source               destination         
   82 32900 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            match-set chain_ALLOW src

Chain ALLOWOUT (1 references)
 pkts bytes target     prot opt in     out     source               destination         
   78 11751 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            match-set chain_ALLOW dst

Chain DENYIN (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            match-set chain_DENY src

Chain DENYOUT (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 LOGDROPOUT  all  --  *      *       0.0.0.0/0            0.0.0.0/0            match-set chain_DENY dst

Chain INVALID (2 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 INVDROP    all  --  *      *       0.0.0.0/0            0.0.0.0/0            state INVALID
    0     0 INVDROP    tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp flags:0x3F/0x00
    0     0 INVDROP    tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp flags:0x3F/0x3F
    0     0 INVDROP    tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp flags:0x03/0x03
    0     0 INVDROP    tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp flags:0x06/0x06
    0     0 INVDROP    tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp flags:0x05/0x05
    0     0 INVDROP    tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp flags:0x11/0x01
    0     0 INVDROP    tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp flags:0x18/0x08
    0     0 INVDROP    tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp flags:0x30/0x20
    0     0 INVDROP    tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp flags:!0x17/0x02 state NEW

Chain INVDROP (10 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain LOCALINPUT (1 references)
 pkts bytes target     prot opt in     out     source               destination         
  126 49300 ALLOWDYNIN  all  --  !lo    *       0.0.0.0/0            0.0.0.0/0           
  126 49300 ALLOWIN    all  --  !lo    *       0.0.0.0/0            0.0.0.0/0           
   44 16400 DENYIN     all  --  !lo    *       0.0.0.0/0            0.0.0.0/0           

Chain LOCALOUTPUT (1 references)
 pkts bytes target     prot opt in     out     source               destination         
  114 15489 ALLOWDYNOUT  all  --  *      !lo     0.0.0.0/0            0.0.0.0/0           
  114 15489 ALLOWOUT   all  --  *      !lo     0.0.0.0/0            0.0.0.0/0           
   36  3738 DENYOUT    all  --  *      !lo     0.0.0.0/0            0.0.0.0/0           
    3   228 UDPFLOOD   udp  --  *      !lo     0.0.0.0/0            0.0.0.0/0           

Chain LOGDROPIN (2 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:23
    0     0 DROP       udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:23
    0     0 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:67
    0     0 DROP       udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:67
    0     0 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:68
    0     0 DROP       udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:68
    0     0 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:113
    0     0 DROP       udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:113
    0     0 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpts:135:139
    0     0 DROP       udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpts:135:139
    0     0 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:445
    0     0 DROP       udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:445
    0     0 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:500
    0     0 DROP       udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:500
    0     0 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:513
    0     0 DROP       udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:513
    0     0 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:520
    0     0 DROP       udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:520
    4   164 LOG        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            limit: avg 30/min burst 5 LOG flags 0 level 4 prefix "Firewall: *TCP_IN Blocked* "
    0     0 LOG        udp  --  *      *       0.0.0.0/0            0.0.0.0/0            limit: avg 30/min burst 5 LOG flags 0 level 4 prefix "Firewall: *UDP_IN Blocked* "
    0     0 LOG        icmp --  *      *       0.0.0.0/0            0.0.0.0/0            limit: avg 30/min burst 5 LOG flags 0 level 4 prefix "Firewall: *ICMP_IN Blocked* "
    4   164 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain LOGDROPOUT (2 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 LOG        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp flags:0x17/0x02 limit: avg 30/min burst 5 LOG flags 8 level 4 prefix "Firewall: *TCP_OUT Blocked* "
    0     0 LOG        udp  --  *      *       0.0.0.0/0            0.0.0.0/0            limit: avg 30/min burst 5 LOG flags 8 level 4 prefix "Firewall: *UDP_OUT Blocked* "
    0     0 LOG        icmp --  *      *       0.0.0.0/0            0.0.0.0/0            limit: avg 30/min burst 5 LOG flags 8 level 4 prefix "Firewall: *ICMP_OUT Blocked* "
    0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-port-unreachable

Chain PORTFLOOD (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0            limit: avg 30/min burst 5 LOG flags 0 level 4 prefix "Firewall: *Port Flood* "
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain UDPFLOOD (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    3   228 RETURN     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            owner UID match 0
    0     0 RETURN     udp  --  *      !lo     0.0.0.0/0            0.0.0.0/0            limit: avg 100/sec burst 500
    0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0            limit: avg 30/min burst 5 LOG flags 8 level 4 prefix "Firewall: *UDPFLOOD* "
    0     0 REJECT     udp  --  *      !lo     0.0.0.0/0            0.0.0.0/0            reject-with icmp-port-unreachable

And from csf -l command output something similar when operation is normal.

csf -l

iptables filter table
=====================
Chain INPUT (policy DROP 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination         
1        0     0 ACCEPT     tcp  --  !lo    *       94.237.40.9          0.0.0.0/0            tcp dpt:53
2        0     0 ACCEPT     udp  --  !lo    *       94.237.40.9          0.0.0.0/0            udp dpt:53
3        0     0 ACCEPT     tcp  --  !lo    *       94.237.40.9          0.0.0.0/0            tcp spt:53
4        0     0 ACCEPT     udp  --  !lo    *       94.237.40.9          0.0.0.0/0            udp spt:53
5        0     0 ACCEPT     tcp  --  !lo    *       94.237.127.9         0.0.0.0/0            tcp dpt:53
6        0     0 ACCEPT     udp  --  !lo    *       94.237.127.9         0.0.0.0/0            udp dpt:53
7        0     0 ACCEPT     tcp  --  !lo    *       94.237.127.9         0.0.0.0/0            tcp spt:53
8        5   508 ACCEPT     udp  --  !lo    *       94.237.127.9         0.0.0.0/0            udp spt:53
9       95 47562 LOCALINPUT  all  --  !lo    *       0.0.0.0/0            0.0.0.0/0           
10       0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0           
11      47 16566 INVALID    tcp  --  !lo    *       0.0.0.0/0            0.0.0.0/0           
12       0     0            tcp  --  !lo    *       0.0.0.0/0            0.0.0.0/0            tcp dpt:21 state NEW recent: SET name: 21 side: source mask: 255.255.255.255
13       0     0 PORTFLOOD  tcp  --  !lo    *       0.0.0.0/0            0.0.0.0/0            tcp dpt:21 state NEW recent: UPDATE seconds: 300 hit_count: 20 name: 21 side: source mask: 255.255.255.255
14       0     0 ACCEPT     icmp --  !lo    *       0.0.0.0/0            0.0.0.0/0            icmptype 8 limit: avg 1/sec burst 5
15       0     0 LOGDROPIN  icmp --  !lo    *       0.0.0.0/0            0.0.0.0/0            icmptype 8
16       0     0 ACCEPT     icmp --  !lo    *       0.0.0.0/0            0.0.0.0/0           
17      40 16250 ACCEPT     all  --  !lo    *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
18       0     0 ACCEPT     tcp  --  !lo    *       0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:20
19       0     0 ACCEPT     tcp  --  !lo    *       0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:21
20       2   120 ACCEPT     tcp  --  !lo    *       0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:22
21       0     0 ACCEPT     tcp  --  !lo    *       0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:25
22       0     0 ACCEPT     tcp  --  !lo    *       0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:53
23       0     0 ACCEPT     tcp  --  !lo    *       0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:80
24       0     0 ACCEPT     tcp  --  !lo    *       0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:110
25       0     0 ACCEPT     tcp  --  !lo    *       0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:143
26       0     0 ACCEPT     tcp  --  !lo    *       0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:161
27       0     0 ACCEPT     tcp  --  !lo    *       0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:443
28       0     0 ACCEPT     tcp  --  !lo    *       0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:465
29       0     0 ACCEPT     tcp  --  !lo    *       0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:587
30       0     0 ACCEPT     tcp  --  !lo    *       0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:993
31       0     0 ACCEPT     tcp  --  !lo    *       0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:995
32       0     0 ACCEPT     tcp  --  !lo    *       0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:1110
33       0     0 ACCEPT     tcp  --  !lo    *       0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:1186
34       0     0 ACCEPT     tcp  --  !lo    *       0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:1194
35       0     0 ACCEPT     tcp  --  !lo    *       0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:81
36       0     0 ACCEPT     tcp  --  !lo    *       0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:9418
37       0     0 ACCEPT     tcp  --  !lo    *       0.0.0.0/0            0.0.0.0/0            state NEW tcp dpts:30001:50011
38       0     0 ACCEPT     udp  --  !lo    *       0.0.0.0/0            0.0.0.0/0            state NEW udp dpt:67
39       0     0 ACCEPT     udp  --  !lo    *       0.0.0.0/0            0.0.0.0/0            state NEW udp dpt:68
40       0     0 ACCEPT     udp  --  !lo    *       0.0.0.0/0            0.0.0.0/0            state NEW udp dpt:1110
41       0     0 ACCEPT     udp  --  !lo    *       0.0.0.0/0            0.0.0.0/0            state NEW udp dpts:33434:33534
42       0     0 ACCEPT     udp  --  !lo    *       0.0.0.0/0            0.0.0.0/0            state NEW udp dpt:20
43       0     0 ACCEPT     udp  --  !lo    *       0.0.0.0/0            0.0.0.0/0            state NEW udp dpt:21
44       0     0 ACCEPT     udp  --  !lo    *       0.0.0.0/0            0.0.0.0/0            state NEW udp dpt:53
45       0     0 ACCEPT     udp  --  !lo    *       0.0.0.0/0            0.0.0.0/0            state NEW udp dpt:80
46       0     0 ACCEPT     udp  --  !lo    *       0.0.0.0/0            0.0.0.0/0            state NEW udp dpt:443
47       6   272 LOGDROPIN  all  --  !lo    *       0.0.0.0/0            0.0.0.0/0           

Chain FORWARD (policy DROP 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy DROP 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination         
1        0     0 ACCEPT     tcp  --  *      !lo     0.0.0.0/0            94.237.40.9          tcp dpt:53
2        0     0 ACCEPT     udp  --  *      !lo     0.0.0.0/0            94.237.40.9          udp dpt:53
3        0     0 ACCEPT     tcp  --  *      !lo     0.0.0.0/0            94.237.40.9          tcp spt:53
4        0     0 ACCEPT     udp  --  *      !lo     0.0.0.0/0            94.237.40.9          udp spt:53
5        0     0 ACCEPT     tcp  --  *      !lo     0.0.0.0/0            94.237.127.9         tcp dpt:53
6        5   293 ACCEPT     udp  --  *      !lo     0.0.0.0/0            94.237.127.9         udp dpt:53
7        0     0 ACCEPT     tcp  --  *      !lo     0.0.0.0/0            94.237.127.9         tcp spt:53
8        0     0 ACCEPT     udp  --  *      !lo     0.0.0.0/0            94.237.127.9         udp spt:53
9       91 11854 LOCALOUTPUT  all  --  *      !lo     0.0.0.0/0            0.0.0.0/0           
10       0     0 ACCEPT     tcp  --  *      !lo     0.0.0.0/0            0.0.0.0/0            tcp dpt:53
11       0     0 ACCEPT     udp  --  *      !lo     0.0.0.0/0            0.0.0.0/0            udp dpt:53
12       0     0 ACCEPT     tcp  --  *      !lo     0.0.0.0/0            0.0.0.0/0            tcp spt:53
13       0     0 ACCEPT     udp  --  *      !lo     0.0.0.0/0            0.0.0.0/0            udp spt:53
14       0     0 ACCEPT     all  --  *      lo      0.0.0.0/0            0.0.0.0/0           
15      38  4591 INVALID    tcp  --  *      !lo     0.0.0.0/0            0.0.0.0/0           
16       0     0 ACCEPT     icmp --  *      !lo     0.0.0.0/0            0.0.0.0/0           
17      36  4471 ACCEPT     all  --  *      !lo     0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
18       0     0 ACCEPT     tcp  --  *      !lo     0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:8080
19       0     0 ACCEPT     tcp  --  *      !lo     0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:2525
20       0     0 ACCEPT     tcp  --  *      !lo     0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:465
21       0     0 ACCEPT     tcp  --  *      !lo     0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:1110
22       0     0 ACCEPT     tcp  --  *      !lo     0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:1194
23       0     0 ACCEPT     tcp  --  *      !lo     0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:9418
24       0     0 ACCEPT     tcp  --  *      !lo     0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:20
25       0     0 ACCEPT     tcp  --  *      !lo     0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:21
26       0     0 ACCEPT     tcp  --  *      !lo     0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:22
27       0     0 ACCEPT     tcp  --  *      !lo     0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:25
28       0     0 ACCEPT     tcp  --  *      !lo     0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:53
29       0     0 ACCEPT     tcp  --  *      !lo     0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:80
30       0     0 ACCEPT     tcp  --  *      !lo     0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:110
31       0     0 ACCEPT     tcp  --  *      !lo     0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:113
32       2   120 ACCEPT     tcp  --  *      !lo     0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:443
33       0     0 ACCEPT     tcp  --  *      !lo     0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:587
34       0     0 ACCEPT     tcp  --  *      !lo     0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:993
35       0     0 ACCEPT     tcp  --  *      !lo     0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:995
36       0     0 ACCEPT     udp  --  *      !lo     0.0.0.0/0            0.0.0.0/0            state NEW udp dpt:67
37       0     0 ACCEPT     udp  --  *      !lo     0.0.0.0/0            0.0.0.0/0            state NEW udp dpt:68
38       0     0 ACCEPT     udp  --  *      !lo     0.0.0.0/0            0.0.0.0/0            state NEW udp dpt:1110
39       0     0 ACCEPT     udp  --  *      !lo     0.0.0.0/0            0.0.0.0/0            state NEW udp dpts:33434:33534
40       0     0 ACCEPT     udp  --  *      !lo     0.0.0.0/0            0.0.0.0/0            state NEW udp dpt:20
41       0     0 ACCEPT     udp  --  *      !lo     0.0.0.0/0            0.0.0.0/0            state NEW udp dpt:21
42       0     0 ACCEPT     udp  --  *      !lo     0.0.0.0/0            0.0.0.0/0            state NEW udp dpt:53
43       0     0 ACCEPT     udp  --  *      !lo     0.0.0.0/0            0.0.0.0/0            state NEW udp dpt:113
44       1    76 ACCEPT     udp  --  *      !lo     0.0.0.0/0            0.0.0.0/0            state NEW udp dpt:123
45       0     0 LOGDROPOUT  all  --  *      !lo     0.0.0.0/0            0.0.0.0/0           

Chain ALLOWDYNIN (1 references)
num   pkts bytes target     prot opt in     out     source               destination         
1        0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            match-set chain_ALLOWDYN src

Chain ALLOWDYNOUT (1 references)
num   pkts bytes target     prot opt in     out     source               destination         
1        0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            match-set chain_ALLOWDYN dst

Chain ALLOWIN (1 references)
num   pkts bytes target     prot opt in     out     source               destination         
1       47 30920 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            match-set chain_ALLOW src

Chain ALLOWOUT (1 references)
num   pkts bytes target     prot opt in     out     source               destination         
1       52  7187 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            match-set chain_ALLOW dst

Chain DENYIN (1 references)
num   pkts bytes target     prot opt in     out     source               destination         
1        0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            match-set chain_DENY src

Chain DENYOUT (1 references)
num   pkts bytes target     prot opt in     out     source               destination         
1        0     0 LOGDROPOUT  all  --  *      *       0.0.0.0/0            0.0.0.0/0            match-set chain_DENY dst

Chain INVALID (2 references)
num   pkts bytes target     prot opt in     out     source               destination         
1        0     0 INVDROP    all  --  *      *       0.0.0.0/0            0.0.0.0/0            state INVALID
2        0     0 INVDROP    tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp flags:0x3F/0x00
3        0     0 INVDROP    tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp flags:0x3F/0x3F
4        0     0 INVDROP    tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp flags:0x03/0x03
5        0     0 INVDROP    tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp flags:0x06/0x06
6        0     0 INVDROP    tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp flags:0x05/0x05
7        0     0 INVDROP    tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp flags:0x11/0x01
8        0     0 INVDROP    tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp flags:0x18/0x08
9        0     0 INVDROP    tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp flags:0x30/0x20
10       0     0 INVDROP    tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp flags:!0x17/0x02 state NEW

Chain INVDROP (10 references)
num   pkts bytes target     prot opt in     out     source               destination         
1        0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain LOCALINPUT (1 references)
num   pkts bytes target     prot opt in     out     source               destination         
1       95 47562 ALLOWDYNIN  all  --  !lo    *       0.0.0.0/0            0.0.0.0/0           
2       95 47562 ALLOWIN    all  --  !lo    *       0.0.0.0/0            0.0.0.0/0           
3       48 16642 DENYIN     all  --  !lo    *       0.0.0.0/0            0.0.0.0/0           

Chain LOCALOUTPUT (1 references)
num   pkts bytes target     prot opt in     out     source               destination         
1       91 11854 ALLOWDYNOUT  all  --  *      !lo     0.0.0.0/0            0.0.0.0/0           
2       91 11854 ALLOWOUT   all  --  *      !lo     0.0.0.0/0            0.0.0.0/0           
3       39  4667 DENYOUT    all  --  *      !lo     0.0.0.0/0            0.0.0.0/0           
4        1    76 UDPFLOOD   udp  --  *      !lo     0.0.0.0/0            0.0.0.0/0           

Chain LOGDROPIN (2 references)
num   pkts bytes target     prot opt in     out     source               destination         
1        0     0 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:23
2        0     0 DROP       udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:23
3        0     0 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:67
4        0     0 DROP       udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:67
5        0     0 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:68
6        0     0 DROP       udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:68
7        0     0 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:113
8        0     0 DROP       udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:113
9        0     0 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpts:135:139
10       0     0 DROP       udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpts:135:139
11       3   152 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:445
12       0     0 DROP       udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:445
13       0     0 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:500
14       0     0 DROP       udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:500
15       0     0 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:513
16       0     0 DROP       udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:513
17       0     0 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:520
18       0     0 DROP       udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:520
19       3   120 LOG        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            limit: avg 30/min burst 5 LOG flags 0 level 4 prefix "Firewall: *TCP_IN Blocked* "
20       0     0 LOG        udp  --  *      *       0.0.0.0/0            0.0.0.0/0            limit: avg 30/min burst 5 LOG flags 0 level 4 prefix "Firewall: *UDP_IN Blocked* "
21       0     0 LOG        icmp --  *      *       0.0.0.0/0            0.0.0.0/0            limit: avg 30/min burst 5 LOG flags 0 level 4 prefix "Firewall: *ICMP_IN Blocked* "
22       3   120 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain LOGDROPOUT (2 references)
num   pkts bytes target     prot opt in     out     source               destination         
1        0     0 LOG        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp flags:0x17/0x02 limit: avg 30/min burst 5 LOG flags 8 level 4 prefix "Firewall: *TCP_OUT Blocked* "
2        0     0 LOG        udp  --  *      *       0.0.0.0/0            0.0.0.0/0            limit: avg 30/min burst 5 LOG flags 8 level 4 prefix "Firewall: *UDP_OUT Blocked* "
3        0     0 LOG        icmp --  *      *       0.0.0.0/0            0.0.0.0/0            limit: avg 30/min burst 5 LOG flags 8 level 4 prefix "Firewall: *ICMP_OUT Blocked* "
4        0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-port-unreachable

Chain PORTFLOOD (1 references)
num   pkts bytes target     prot opt in     out     source               destination         
1        0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0            limit: avg 30/min burst 5 LOG flags 0 level 4 prefix "Firewall: *Port Flood* "
2        0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain UDPFLOOD (1 references)
num   pkts bytes target     prot opt in     out     source               destination         
1        1    76 RETURN     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            owner UID match 0
2        0     0 RETURN     udp  --  *      !lo     0.0.0.0/0            0.0.0.0/0            limit: avg 100/sec burst 500
3        0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0            limit: avg 30/min burst 5 LOG flags 8 level 4 prefix "Firewall: *UDPFLOOD* "
4        0     0 REJECT     udp  --  *      !lo     0.0.0.0/0            0.0.0.0/0            reject-with icmp-port-unreachable


iptables mangle table
=====================
Chain PREROUTING (policy ACCEPT 100 packets, 48070 bytes)
num   pkts bytes target     prot opt in     out     source               destination         

Chain INPUT (policy ACCEPT 100 packets, 48070 bytes)
num   pkts bytes target     prot opt in     out     source               destination         

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy ACCEPT 96 packets, 12147 bytes)
num   pkts bytes target     prot opt in     out     source               destination         

Chain POSTROUTING (policy ACCEPT 96 packets, 12147 bytes)
num   pkts bytes target     prot opt in     out     source               destination         


iptables raw table
==================
Chain PREROUTING (policy ACCEPT 100 packets, 48070 bytes)
num   pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy ACCEPT 96 packets, 12147 bytes)
num   pkts bytes target     prot opt in     out     source               destination         


iptables nat table
==================
Chain PREROUTING (policy ACCEPT 9 packets, 444 bytes)
num   pkts bytes target     prot opt in     out     source               destination         

Chain INPUT (policy ACCEPT 3 packets, 172 bytes)
num   pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy ACCEPT 10 packets, 629 bytes)
num   pkts bytes target     prot opt in     out     source               destination         

Chain POSTROUTING (policy ACCEPT 10 packets, 629 bytes)
num   pkts bytes target     prot opt in     out     source               destination   

However, after you run iptables -F command and flush all IPTable rules, you will see all rules are empty

iptables -L -v - n

Chain INPUT (policy DROP 12 packets, 732 bytes)
pkts bytes target prot opt in out source destination

Chain FORWARD (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination

Chain OUTPUT (policy DROP 8 packets, 608 bytes)
pkts bytes target prot opt in out source destination

Chain ALLOWDYNIN (0 references)
pkts bytes target prot opt in out source destination

Chain ALLOWDYNOUT (0 references)
pkts bytes target prot opt in out source destination

Chain ALLOWIN (0 references)
pkts bytes target prot opt in out source destination

Chain ALLOWOUT (0 references)
pkts bytes target prot opt in out source destination

Chain DENYIN (0 references)
pkts bytes target prot opt in out source destination

Chain DENYOUT (0 references)
pkts bytes target prot opt in out source destination

Chain INVALID (0 references)
pkts bytes target prot opt in out source destination

Chain INVDROP (0 references)
pkts bytes target prot opt in out source destination

Chain LOCALINPUT (0 references)
pkts bytes target prot opt in out source destination

Chain LOCALOUTPUT (0 references)
pkts bytes target prot opt in out source destination

Chain LOGDROPIN (0 references)
pkts bytes target prot opt in out source destination

Chain LOGDROPOUT (0 references)
pkts bytes target prot opt in out source destination

Chain PORTFLOOD (0 references)
pkts bytes target prot opt in out source destination

Chain UDPFLOOD (0 references)
pkts bytes target prot opt in out source destination

And for csf -l command after IPTables flushing

csf -l

iptables filter table
=====================
Chain INPUT (policy DROP 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination         

Chain FORWARD (policy DROP 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy DROP 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination         

Chain ALLOWDYNIN (0 references)
num   pkts bytes target     prot opt in     out     source               destination         

Chain ALLOWDYNOUT (0 references)
num   pkts bytes target     prot opt in     out     source               destination         

Chain ALLOWIN (0 references)
num   pkts bytes target     prot opt in     out     source               destination         

Chain ALLOWOUT (0 references)
num   pkts bytes target     prot opt in     out     source               destination         

Chain DENYIN (0 references)
num   pkts bytes target     prot opt in     out     source               destination         

Chain DENYOUT (0 references)
num   pkts bytes target     prot opt in     out     source               destination         

Chain INVALID (0 references)
num   pkts bytes target     prot opt in     out     source               destination         

Chain INVDROP (0 references)
num   pkts bytes target     prot opt in     out     source               destination         

Chain LOCALINPUT (0 references)
num   pkts bytes target     prot opt in     out     source               destination         

Chain LOCALOUTPUT (0 references)
num   pkts bytes target     prot opt in     out     source               destination         

Chain LOGDROPIN (0 references)
num   pkts bytes target     prot opt in     out     source               destination         

Chain LOGDROPOUT (0 references)
num   pkts bytes target     prot opt in     out     source               destination         

Chain PORTFLOOD (0 references)
num   pkts bytes target     prot opt in     out     source               destination         

Chain UDPFLOOD (0 references)
num   pkts bytes target     prot opt in     out     source               destination         


iptables mangle table
=====================
Chain PREROUTING (policy ACCEPT 166 packets, 52300 bytes)
num   pkts bytes target     prot opt in     out     source               destination         

Chain INPUT (policy ACCEPT 166 packets, 52300 bytes)
num   pkts bytes target     prot opt in     out     source               destination         

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy ACCEPT 136 packets, 15792 bytes)
num   pkts bytes target     prot opt in     out     source               destination         

Chain POSTROUTING (policy ACCEPT 129 packets, 15228 bytes)
num   pkts bytes target     prot opt in     out     source               destination         


iptables raw table
==================
Chain PREROUTING (policy ACCEPT 166 packets, 52300 bytes)
num   pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy ACCEPT 136 packets, 15792 bytes)
num   pkts bytes target     prot opt in     out     source               destination         


iptables nat table
==================
Chain PREROUTING (policy ACCEPT 25 packets, 1701 bytes)
num   pkts bytes target     prot opt in     out     source               destination         

Chain INPUT (policy ACCEPT 5 packets, 280 bytes)
num   pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy ACCEPT 12 packets, 781 bytes)
num   pkts bytes target     prot opt in     out     source               destination         

Chain POSTROUTING (policy ACCEPT 12 packets, 781 bytes)
num   pkts bytes target     prot opt in     out     source               destination 

How To Regain Lost SSH Access After IPTables Flushing?

The solution can vary between web host providers setups and may not always work. Below I’ll outline a few examples specific to some Cloud VPS providers I frequently use.

  1. The simplest method to try is rebooting the server via a hard power cycle after accidentally running iptables -F command as CSF Firewall’s IPTables rules are configured and loaded up on CSF service startup usually. It’s why manually adding IPtables rules via iptables command won’t work on reboots as CSF Firewall ones will override them unless you place such rules in manually created /etc/csf/csfpre.sh file with executable permissions which will allow those IPTables rules to persist and to load with CSF Firewall’s rules.
  2. If server reboot or power cycle doesn’t work, then you may need to try starting up the server with CSF Firewall temporarily disabled and then once you regain SSH access, re-enable/restart CSF Firewall or by running CSF Firewall restart command csf -ra within the web provider’s out of band console. How you go about doing this will depend on your web host provider’s support for out of band/KVM/VNC console access, cloud-init and user data custom configuration at the initial server startup phase. Note, most provider’s console/KVM console access prompt for a server root user password and don’t support SSH Keys. So ensure your VPS isn’t configured for SSH Keys only and doesn’t disable password authentication for SSH logins. Also, console access usually doesn’t support copy and paste so you’d need to manually type in the root user password.

Out Of Band Console Access

What is Out Of Band console access? It’s generally a secondary way for direct and/or remote access to your server bypassing the primary network. Direct access would be like physically connecting a monitor and keyboard to your server while remote console access would similar to your accustomed SSH client access. If you have lost your SSH keys for SSH key authentication or accidentally lock or block your own access to a server via misconfigured firewall rules, you should be able to get SSH access again via an Out Of Band console.

Upcloud

It seems Upcloud server reboot won’t fix the issue of accidentally flushing IPTables as on server reboot as the IPTables rules seem to still be flushed/removed blocking SSH login access. Upcloud VPS provider has both out of band console access and also VNC console access which seems can fix the issue. You can log into your server using the console access with the root password that is automatically generated by Upcloud at server creation time. Then you have a few choices – either one seems to be able to fix the issue and allow you to regain SSH login access to your server.

  1. Temporarily disable CSF Firewall via the csf -x command and then try logging into your server via SSH and then re-enable CSF Firewall via csf -e command OR
  2. Try restarting CSF Firewall service via csf -ra command which will re-populate IPTables with CSF Firewall’s configured IPTable rules and thus allow you to regain SSH login access again.
  3. To prevent future lock outs, another way is to edit Centmin Mod’s configured /etc/rc.local file and add the csf -ra command to restart CSF Firewall service on start up. This will allow a server reboot to restart CSF Firewall service to re-populate your IPTable rules if you did accidentally run iptables -F command and flushed all your IPTables rules.

Upcloud console and VNC console

DigitalOcean

DigitalOcean allows you to power cycle your droplet KVM server to restart it. This seems to allow you to regain lost SSH access when you run iptables -F command as the power cycle forces CSF Firewall to restart and rebuild the IPTable rules again.

DigitalOcean droplet power cycle

However, if a power cycle doesn’t work, DigitalOcean VPS provider has out of band console recovery access. You can log into your server using the console access which requires a root password to log into. If you only created DigitalOcean VPS server with SSH Key, you will need to use the DigitalOcean Access tab to reset your root password to create one first which will be sent to you via your DigitalOcean account registered email address. Resetting root password will automatically shutdown your droplet server and restart it with your updated root password.

Once droplet server is rebooted, first SSH login will prompt you to change the root user SSH password that was provided via email.

DigitalOcean reset password prompt

On recover console access window, you may not see the login root user prompt until you hit enter on the black blank screen. Login with root username and the root password either set via reset password feature or if SSH change password action.

DigitalOcean Recover Console login

Then you have 2 choices

  1. Within the console access, temporarily disable CSF Firewall via the csf -x command and then try logging into your server via SSH and then re-enable CSF Firewall via csf -e command OR
  2. Within the console access, try restarting CSF Firewall service via csf -ra command which will re-populate IPTables with CSF Firewall’s configured IPTable rules and thus allow you to regain SSH login access again.

DigitalOcean console recover access & reset root password

Vultr

Vultr server restart on Vultr dashboard top right corner does allow you to regain SSH access after running iptables -F command.

Vultr restart server

However, if restarting the server doesn’t work, Vultr VPS provider has out of band console access on your Vultr server’s dashboard top right ‘View Console’ icon. You can log into your server using the console access with the root password provided.

Vultr root passwordVultr view console

Then you have 2 choices

  1. Within the console access, temporarily disable CSF Firewall via the csf -x command and then try logging into your server via SSH and then re-enable CSF Firewall via csf -e command OR
  2. Within the console access, try restarting CSF Firewall service via csf -ra command which will re-populate IPTables with CSF Firewall’s configured IPTable rules and thus allow you to regain SSH login access again.

Linode

Linode server reboot on dashboard top right corner drop-down menu does not fix lost SSH access after running iptables -F command. So you’ll need to use console access via Weblish.

Linode VPS provider has out of band console access in the form of  Lish, Glish or Weblish link on the top right for Launch Console on Linode server dashboard. Documentation here.

Linode console weblish

You can log into your server using the console access. On Weblish console window, you may not see the login root user prompt until you hit enter on the black blank screen.

Then you have 2 choices

  1. Within the console access, temporarily disable CSF Firewall via the csf -x command and then try logging into your server via SSH and then re-enable CSF Firewall via csf -e command OR
  2. Within the console access, try restarting CSF Firewall service via csf -ra command which will re-populate IPTables with CSF Firewall’s configured IPTable rules and thus allow you to regain SSH login access again.

Hetzner

Hetzner allows you to power cycle your server to restart it. This seems to allow you to regain lost SSH access when you run iptables -F command as the power cycle forces CSF Firewall to restart and rebuild the IPTable rules again.

Hetzner power cycle server

However, if that doesn’t work, Hetzner VPS provider has out of band console access. If you created Hetzner VPS server with an SSH key, a root user password isn’t created for you and root user password is needed to log in via console access. So ideally, you would have set up a root user password after your created server is online. Unfortunately, if you created SSH key with disabled password authentication, then you would not be able to log into the console with root user password.

You can log into your server using the console access via the icon on the top right of server dashboard.

Hetzner dashboard console

Then you have 2 choices

  1. Within the console access, temporarily disable CSF Firewall via the csf -x command and then try logging into your server via SSH and then re-enable CSF Firewall via csf -e command OR
  2. Within the console access, try restarting CSF Firewall service via csf -ra command which will re-populate IPTables with CSF Firewall’s configured IPTable rules and thus allow you to regain SSH login access again.

Amazon AWS EC2 Server

Amazon AWS EC2 allows cloud-init and user data instance modification support.  So you can stop your EC2 instance and modify the user data and specify commands to run on an Amazon AWS EC2 instance’s startup routine as outlined here and using mime multi-part file. The command you want to specify is to restart CSF Firewall service csf -ra.

Amazon AWS EC2 Instance state

To modify instance user data

  1. Open the Amazon EC2 console at https://console.aws.amazon.com/ec2/.
  2. In the navigation pane, choose Instances.
  3. Select the instance and choose Instance stateStop instance. If this option is disabled, either the instance is already stopped or its root device is an instance store volume.
  4. When prompted for confirmation, choose Stop. It can take a few minutes for the instance to stop.
  5. With the instance still selected, choose ActionsInstance settingsEdit user data.
  6. Modify the user data as needed using below mime multi-part file lines, and then choose Save.
  7. Restart the instance.
Content-Type: multipart/mixed; boundary="//"
MIME-Version: 1.0
--//
Content-Type: text/cloud-config; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Disposition: attachment; filename="cloud-config.txt"
#cloud-config
cloud_final_modules:
- [scripts-user, always]
--//
Content-Type: text/x-shellscript; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Disposition: attachment; filename="userdata.txt"
#!/bin/bash
csf -ra
--//

You can then either power down EC2 instance again and edit and remove the mime multi-part code and power back up the server. Or you could leave that in place so every time you power cycle your EC2 instance, CSF Firewall is restarted.

Example edit instance User data page

Amazon AWS EC2 instance user data modification

If you use Amazon AWS EC2 spot instances, they can not be powered down as their state isn’t persistent. This means to regain lost SSH access, you need to use Amazon AWS Backup to backup your spot EC2 instance and then choose to restore that backup to a new EC2 instance and in Advanced settings section of Backup restore page, edit User data with the above mime multi-part file lines to restart CSF Firewall.

AWS Backup EC2 instance restore with modified User data

Once you regain SSH access to your Centmin Mod LEMP stack server, make sure CSF Firewall and Login Failure Daemon (lfd) services are enabled and running by using these commands below:

csf -e
csf -ra
service csf status
service lfd status

If you haven’t yet installed Centmin Mod LEMP stack, check out the Centmin Mod LEMP stack advanced installation guide.