iptables rules: deny all connections first, then open only what is needed.
Available iptables operations
(1) -L (chain name): lists all rules in the selected chain (with no chain name, every chain in the table is listed). For example: iptables -t filter -L
(2) -A (chain name): appends a new rule to the end of the selected chain.
For example: iptables -t filter -A INPUT -s 192.168.3.1 -j DROP
(3) -D (chain name) (rule content or rule number): deletes a rule from the selected chain.
For example: iptables -t filter -D INPUT 3
(4) -F (chain name): flushes (clears) all rules in the selected chain.
For example: iptables -F INPUT
Description of the available match options in iptables
(1) -p (tcp/udp/icmp): matches the specified protocol. For example, block all UDP traffic from the source address 192.168.3.1 to the local machine:
iptables -t filter -A INPUT -p udp -s 192.168.3.1 -j DROP
(2) -d (IP address): matches the destination address of the packet, so it blocks traffic to that address. For example, block outbound traffic to the host 192.168.3.1, or to the whole 192.168.3.0/24 segment:
iptables -t filter -A OUTPUT -d 192.168.3.1 -j DROP
iptables -t filter -A OUTPUT -d 192.168.3.0/24 -j DROP
(3) -i (network interface): matches packets by the local interface they arrive on (lowercase -i; uppercase -I is the insert operation, not a match). For example, block all traffic with source address 192.168.3.1 that enters through eth0:
iptables -t filter -A INPUT -i eth0 -s 192.168.3.1 -j DROP
(4) -o (network interface): matches packets by the local interface they leave through; it is the outbound counterpart of -i. For example, block traffic leaving through eth0 for the destination segment 192.168.3.0/24:
iptables -t filter -A OUTPUT -o eth0 -d 192.168.3.0/24 -j DROP
(5) --sport (port): matches the source port of the packet. This option must be combined with -p. For example, block all TCP traffic with source port 1000:
iptables -t filter -A INPUT -p tcp --sport 1000 -j DROP
(6) --dport (port): matches the destination port of the packet; it also requires -p. For example, block TCP traffic to destination port 1000:
iptables -t filter -A OUTPUT -p tcp --dport 1000 -j DROP
Common service policy configuration
For example, DNS for the 192.168.3.0/24 segment (queries and replies in both directions):
iptables -A INPUT -p udp -s 192.168.3.0/24 --dport 53 -j ACCEPT
iptables -A INPUT -p udp -s 192.168.3.0/24 --sport 53 -j ACCEPT
iptables -A OUTPUT -p udp -d 192.168.3.0/24 --dport 53 -j ACCEPT
iptables -A OUTPUT -p udp -d 192.168.3.0/24 --sport 53 -j ACCEPT
The iptables rules are saved in the configuration file /etc/sysconfig/iptables.
The following command saves the current iptables configuration to that file:
service iptables save
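The following script is an added example, not part of the original page: it puts the "deny all first" approach and the match options above together into one ruleset. It assumes (constructed for this example) a LAN of 192.168.3.0/24 on eth0, a DNS server at 192.168.3.1, and SSH management from the LAN. By default it only prints the iptables commands (DRY_RUN=1), so it can be reviewed before being applied as root.

```shell
#!/bin/sh
# Added example (not from the original page): a "deny all first" filter-table
# ruleset that allows only loopback, reply traffic, SSH from the LAN and DNS.
# Assumptions (constructed for this example): LAN 192.168.3.0/24 on eth0,
# DNS server 192.168.3.1, management over SSH (tcp/22).
# DRY_RUN=1 (default) prints the commands; DRY_RUN=0 as root applies them.

LAN_NET="${LAN_NET:-192.168.3.0/24}"
LAN_IF="${LAN_IF:-eth0}"
DNS_SERVER="${DNS_SERVER:-192.168.3.1}"
DRY_RUN="${DRY_RUN:-1}"

# ipt: single wrapper around iptables so every rule goes through one place.
ipt() {
    if [ "$DRY_RUN" = 1 ]; then
        echo "iptables $*"
    else
        iptables "$@"
    fi
}

apply_firewall() {
    # 1. Flush (-F) the existing rules in the filter table before rebuilding.
    ipt -t filter -F INPUT
    ipt -t filter -F OUTPUT
    ipt -t filter -F FORWARD

    # 2. Deny everything first: default policy DROP on all three chains.
    ipt -P INPUT DROP
    ipt -P OUTPUT DROP
    ipt -P FORWARD DROP

    # 3. Loopback is required by local services.
    ipt -A INPUT -i lo -j ACCEPT
    ipt -A OUTPUT -o lo -j ACCEPT

    # 4. Accept replies to connections this host already initiated or accepted,
    #    so only the first packet of each flow needs an explicit rule.
    ipt -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    ipt -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

    # 5. SSH management only from the LAN and only on the LAN interface (-i).
    ipt -A INPUT -i "$LAN_IF" -p tcp -s "$LAN_NET" --dport 22 -j ACCEPT

    # 6. DNS: outbound queries (udp and tcp) to the LAN resolver via -o;
    #    the reply returns through the ESTABLISHED rule, so no --sport 53
    #    INPUT rule is needed.
    ipt -A OUTPUT -o "$LAN_IF" -p udp -d "$DNS_SERVER" --dport 53 -j ACCEPT
    ipt -A OUTPUT -o "$LAN_IF" -p tcp -d "$DNS_SERVER" --dport 53 -j ACCEPT
}

# show_input_chain: list INPUT with rule numbers, the numbers -D (chain) (n)
# deletes by; run it before deleting a rule by number.
show_input_chain() {
    ipt -t filter -L INPUT -n --line-numbers
}

# count_rules: number of iptables commands the ruleset generates (dry run),
# a quick sanity check before applying.
count_rules() {
    ( DRY_RUN=1; apply_firewall ) | wc -l | tr -d ' '
}

apply_firewall
```

Run it once with the default DRY_RUN=1 and read the printed commands; then apply it from a console session (not over SSH, since the OUTPUT policy is set to DROP before the ESTABLISHED rule is added) with DRY_RUN=0, and persist the result with service iptables save as described above.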
Recommended reading:
iptables: packet filtering (network layer) firewall
Linux firewall iptables
iptables + L7 + Squid implements a complete software firewall
Basic use of iptables: backup, recovery, and firewall scripts
Detailed description of firewall iptables usage rules in Linux