Basic configuration of iptables

Source: Internet
Author: User


(I) Basic operation

List the existing iptables policies:
iptables -L

Insert a policy at a given position:
iptables -I INPUT 3 -p tcp --dport 22 -j ACCEPT
Note: this allows all traffic that uses the TCP protocol with destination port 22, and places the rule at position 3 of the INPUT chain.

Delete a policy by its position number:
iptables -D INPUT 3

Delete all policies (affects only the running rule set; the saved configuration is untouched):
iptables -F

(II) Matching parameters

Based on IP address:
-s 192.168.1.1 (source address)
-d 192.168.1.0/24 (destination address)

Based on interface:
-i eth0 (traffic received on eth0)
-o eth1 (traffic sent out through eth1)

Exclusion (negation) parameter:
-s ! 192.168.1.0/24 (all addresses except the 192.168.1.0/24 segment). Current iptables versions expect the negation in front of the option, ! -s 192.168.1.0/24, and warn that the older in-between form is deprecated.

Based on protocol and port:
-p tcp --dport 23 (destination port)
-p udp --sport 53 (source port)
-p icmp

(III) Examples

① Control network traffic to the local machine (INPUT chain):
iptables -A INPUT -s 192.168.1.100 -j DROP
iptables -A INPUT -p tcp --dport 80 -j DROP
iptables -A INPUT -s 192.168.1.0/24 -p tcp --dport 22 -j DROP
iptables -A INPUT -i eth0 -j ACCEPT

② Use Linux as a router (data forwarding). When the machine forwards traffic between networks, the forwarding control policy is set at the FORWARD chain of the filter table. For example, to block all traffic from 192.168.1.0/24 to 10.1.1.0/24:
iptables -A FORWARD -s 192.168.1.0/24 -d 10.1.1.0/24 -j DROP

③ NAT (Network Address Translation): a mechanism that rewrites the IP addresses of a packet. NAT is divided into two types:
● SNAT: source address translation, usually used to disguise (hide) internal addresses
● DNAT: destination address translation
Both live in the nat table. DNAT is used in the PREROUTING chain (and, for packets generated by the local host, in OUTPUT, as in the second example below); SNAT is used in the POSTROUTING chain.

★ Redirect incoming traffic through NAT:
iptables -t nat -A PREROUTING -p tcp --dport 80 -j DNAT --to-destination 192.168.1.10

★ Redirect locally generated traffic through NAT:
iptables -t nat -A OUTPUT -p tcp --dport 80 -j DNAT --to-destination 192.168.1.100:8080

★ Masquerade outgoing data streams through NAT:
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

★ Hide the source IP address with SNAT:
iptables -t nat -A POSTROUTING -j SNAT --to-source 1.3.1.4

(IV) Saving the configuration

Policies added with the iptables command are held in memory and are not saved permanently. To keep them across a restart, write all iptables policies from memory to the configuration file /etc/sysconfig/iptables with:
service iptables save

(V) Remote management

If you manage a Linux host remotely and modify the iptables policy, you must first allow SSH traffic from the client host and make sure this is the first iptables policy. Otherwise, you may lock yourself out due to configuration errors.
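The script below is an added example and is not part of the original article. It puts the article's INPUT, FORWARD and NAT commands together in a fixed order, with the SSH allow rule placed first as section (V) requires, and adds a small check that can be run over the output of iptables -S INPUT to confirm that an SSH ACCEPT precedes the first DROP or REJECT. The interface names (eth0, eth1), the management subnet, the blocked subnet and the internal web host are assumptions taken from the article's examples; change them for your network. With DRY_RUN=1 (the default) the commands are printed instead of executed, so it can be reviewed without root.

```shell
#!/bin/sh
# Added example, not from the original article.
# Assumed values (taken from the article's examples; adjust for your network):
ADMIN_NET="${ADMIN_NET:-192.168.1.0/24}"   # hosts allowed to reach SSH
LAN_NET="${LAN_NET:-192.168.1.0/24}"       # inside network behind the router
BLOCKED_NET="${BLOCKED_NET:-10.1.1.0/24}"  # destination the LAN may not reach
WEB_HOST="${WEB_HOST:-192.168.1.10}"       # internal host that receives port 80
WAN_IF="${WAN_IF:-eth0}"
LAN_IF="${LAN_IF:-eth1}"

# run: print the command when DRY_RUN=1, otherwise execute it.
run() {
    if [ "${DRY_RUN:-1}" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}
ipt() { run iptables "$@"; }

# Host firewall for the INPUT chain. The SSH rule for the admin subnet is
# appended before anything that drops, so a mistake further down cannot
# lock out the remote administrator (section V of the article).
baseline_input() {
    ipt -F INPUT
    ipt -A INPUT -i lo -j ACCEPT
    ipt -A INPUT -s "$ADMIN_NET" -p tcp --dport 22 -j ACCEPT
    ipt -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    ipt -A INPUT -p icmp -j ACCEPT
    ipt -A INPUT -p tcp --dport 80 -j ACCEPT
    ipt -A INPUT -j DROP
}

# Router setup: FORWARD policy plus DNAT port forward and MASQUERADE.
nat_router() {
    run sysctl -w net.ipv4.ip_forward=1          # forwarding must be enabled in the kernel
    ipt -F FORWARD
    ipt -t nat -F
    ipt -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    ipt -A FORWARD -s "$LAN_NET" -d "$BLOCKED_NET" -j DROP
    ipt -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -j ACCEPT
    # Port 80 arriving on the WAN side goes to the internal web host; the
    # FORWARD accept for it must come before the final DROP.
    ipt -t nat -A PREROUTING -i "$WAN_IF" -p tcp --dport 80 -j DNAT --to-destination "$WEB_HOST"
    ipt -A FORWARD -i "$WAN_IF" -d "$WEB_HOST" -p tcp --dport 80 -j ACCEPT
    ipt -A FORWARD -j DROP
    ipt -t nat -A POSTROUTING -o "$WAN_IF" -j MASQUERADE
}

# ssh_before_drop: read INPUT rules (iptables -S INPUT format, or the dry-run
# output above) from stdin; exit 0 if an SSH ACCEPT appears before the first
# DROP/REJECT rule, exit 1 if a drop comes first (lockout risk).
ssh_before_drop() {
    awk '
        /-A INPUT / && /--dport 22/ && /-j ACCEPT/ { ok = 1 }
        /-A INPUT / && /-j (DROP|REJECT)/ && !ok   { bad = 1; exit }
        END { exit bad + 0 }
    '
}

case "${1:-}" in
    host)   baseline_input ;;
    router) nat_router ;;
    check)  ssh_before_drop ;;   # usage: iptables -S INPUT | sh fw.sh check
esac
```

Usage: sh fw.sh host prints the INPUT rules in order; DRY_RUN=0 sh fw.sh host applies them; iptables -S INPUT | sh fw.sh check returns non-zero when a DROP precedes the SSH allow, which is the condition that locks a remote administrator out. After applying, persist the rules with service iptables save as in section (IV).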
