Basic iptables operations

I. view the iptables service status of the terminal. view the iptables service status # serviceiptablesstatus because iptables is loaded to the kernel in the module mode, if the corresponding module is not started, the iptables service is definitely not started (for details, see/etc/init. d/iptables file) # lsmod | greptables2. set 1. view the terminal'sIptablesService Status
1. View The iptables service status
# Service iptables status
Because iptables loads the kernel through modules, if the corresponding module is not started, the iptables service is certainly not started (for details, see The/etc/init. d/iptables file)
# Lsmod | grep 'Tables'
 
2. set the iptables service to automatically start when the linux system is started.
# Chkconfig iptables on
Chkconfig -- level 3 iptables on
2. set the iptables Service (DNS, lo, ssh, icmp, httpd) of the terminal)
1. view the filter table settings
# Iptables-t filter-L
 
2. clear all rules in the filter table
# Iptables-t filter-F
# Iptables-t filter-Z // Set the data packet counter and traffic counter of the filter table to zero.
 
3. set ssh rules to allow other hosts to connect to the SSH service of the terminal (the terminal is an SSH Server). the default rules here are: INPUT chain, OUTPUT chain, and FORWARD chain, which are rejected by default.
# Iptables-t filter-a input-p tcp -- dport 22-j ACCEPT
# Iptables-t filter-a output-p tcp -- sport 22-j ACCEPT
 
Allow this terminal to connect to the SSH service of the remote host (This terminal is an SSH client)
# Iptables-t filter-a input-p tcp -- sport 22-j ACCEPT
# Iptables-t filter-a output-p tcp -- dport 22-j ACCEPT
 
Set the local loopback traffic of the terminal (because the local loopback address is 127.0.0.1, it provides a lot of services, which can be viewed through netstat-autnlp)
# Iptables-t filter-a input-I lo-j ACCEPT
# Iptables-t filter-a output-o lo-j ACCEPT
 
Allow the terminal to send and receive ICMP packets (ping command)
# Iptables-t filter-a input-p icmp-j ACCEPT
# Iptables-t filter-a output-p icmp-j ACCEPT
 
Allow this terminal to send and receive DNS data packets (This terminal is a DNS client)
# Iptables-t filter-a output-p udp -- dport 53-j ACCEPT
# Iptables-t filter-a input-p udp -- sport 53-j ACCEPT
 
Allow this terminal to send and receive httpd data packets (This terminal is a web client)
# Iptables-t filter-a input-p tcp -- sport 80-j ACCEPT
# Iptables-t filter-a output-p tcp -- dport 80-j ACCEPT
 
Change the default policy rules (note: you must first set the above services (especially the SSH service) and then modify the default rules)
# Iptables-t filter-P INPUT DROP
# Iptables-t filter-P OUTPUT DROP
# Iptables-t filter-P FORWARD DROP
 
3. View firewall rules
# After setting the relevant rules, check the settings of the filter table.
# Iptables-t filter-L-n -- line-numbers // or iptables-t filter-L-n -- line
 
Add the v parameter to view the Nic information.
# Iptables-L-v-n -- line
 
4. save firewall rules by using the service iptables save and iptables-save>/etc/sysconfig/iptables
First:
# Service iptables save (note: it saves the current settings to the/etc/sysconfig/iptables configuration file)
 
Second:
# Iptables-save>/etc/sysconfig/iptables // haha! In fact, you can directly modify the/etc/sysconfig/iptables file to modify the rule.
# Iptables-restore <iptables-config // iptables-save can save the current settings to a file for reuse. for example: iptables-save> iptables-config. if the setting is lost, you can use iptables-restore to restore the configuration (prerequisite: backup configuration is required before)
 
Appendix:
When creating firewall rules, first perform a test on the machine in the local experiment, then use iptables-save to save the policy as a file, and then copy the policy to the real server.