Common iptables commands in Centos

Source: Internet
Author: User
When you first set up iptables, there are three main things to learn: installing iptables, configuring it, and its commands. The commands are where new users get lost. This article collects some useful iptables commands for your reference.

Below is my summary of common iptables commands:

Command: -A, --append

Example: iptables -A INPUT ...

Appends a new rule to a chain; the rule becomes the last rule in that chain.

Command: -D, --delete

Example: iptables -D INPUT -p tcp --dport 80 -j DROP

iptables -D INPUT 1

Deletes a rule from a chain. You can either enter the complete rule or give the number of the rule within the chain.

Command: -R, --replace

Example: iptables -R INPUT 1 -s 192.168.0.1 -j DROP

Replaces the rule at the given position; the order of the other rules in the chain is unchanged.

Command: -I, --insert

Example: iptables -I INPUT 1 -p tcp --dport 80 -j ACCEPT

Inserts a rule at the given position. The rule previously at that position, and every rule after it, moves down one position.

Command: -L, --list

Example: iptables -L INPUT

Lists all rules in a chain.

Command: -F, --flush

Example: iptables -F INPUT

Deletes all rules in a chain.

Command: -Z, --zero

Example: iptables -Z INPUT

Resets the packet counters to zero. The counters record how many packets have matched each rule and are an indispensable tool when examining blocked traffic, for example during an attack.

Command: -N, --new-chain

Example: iptables -N allowed

Creates a new user-defined chain.

Command: -X, --delete-chain

Example: iptables -X allowed

Deletes a user-defined chain (the chain must be empty).

Command: -P, --policy

Example: iptables -P INPUT DROP

Sets the default policy of a chain, that is, how packets that match none of the rules in the chain are handled.

Command: -E, --rename-chain

Example: iptables -E allowed disallowed

Renames a user-defined chain.

Common packet matching parameters:

Parameter: -p, --protocol

Example: iptables -A INPUT -p tcp

Matches the protocol type of the packet. The ! operator negates the match: -p ! tcp matches every protocol except tcp, including udp, icmp and so on (newer iptables releases write the negation as ! -p tcp). To match all protocols, use the all keyword: -p all.

Parameter: -s, --src, --source

Example: iptables -A INPUT -s 192.168.1.1

Matches the source IP address of the packet. It can be a single host or a whole network; for a network, append the mask length, for example -s 192.168.0.0/24. The ! operator negates the match, for example -s ! 192.168.0.0/24.

Parameter: -d, --dst, --destination

Example: iptables -A INPUT -d 192.168.1.1

Matches the destination IP address of the packet; it is set the same way as -s.

Parameter: -i, --in-interface

Example: iptables -A INPUT -i eth0

Matches the network interface the packet arrived on. The wildcard character + matches a whole group of interfaces: -i eth+ means every Ethernet interface. The ! operator negates the match, for example -i ! eth0.

Parameter: -o, --out-interface

Example: iptables -A FORWARD -o eth0

Matches the network interface the packet will be sent out through.

Parameter: --sport, --source-port

Example: iptables -A INPUT -p tcp --sport 22

Matches the source port number of the packet, either a single port or a range: --sport 22:80 matches ports 22 through 80, with both ends included. To match several non-consecutive ports, use the -m multiport parameter described below. The ! operator negates the port match.

Parameter: --dport, --destination-port

Example: iptables -A INPUT -p tcp --dport 22

Matches the destination port number of the packet; it is set the same way as --sport.

Parameter: --tcp-flags

Example: iptables -A INPUT -p tcp --tcp-flags SYN,FIN,ACK SYN

Matches the status flags of a TCP packet. The parameter has two parts: the first lists the flags to examine, the second lists which of those flags must be set; the examined flags not listed in the second part must be clear. The TCP status flags are SYN (synchronise), ACK (acknowledge), FIN (finish), RST (reset), URG (urgent) and PSH (push). The keywords ALL and NONE can also be used. The ! operator negates the flag match.

Parameter: --syn

Example: iptables -A INPUT -p tcp --syn

Matches TCP packets that request a new connection; it works exactly like iptables -p tcp --tcp-flags SYN,FIN,ACK SYN. With the ! operator, ! --syn matches packets that are not connection requests.

Parameter: -m multiport --source-port

Example: iptables -A INPUT -p tcp -m multiport --source-port 80,110

Matches several non-consecutive source port numbers; up to 15 ports can be given at a time. The ! operator negates the match.

Parameter: -m multiport --destination-port

Example: iptables -A INPUT -p tcp -m multiport --destination-port 80,110

Matches several non-consecutive destination port numbers; it is set the same way as above.

Parameter: -m multiport --port

Example: iptables -A INPUT -p tcp -m multiport --port 80,110

This parameter is special: it matches packets whose source port and destination port are the same and appear in the list; it is set the same way as above. Note: in this example, a packet with source port 80 but destination port 110 does not match.

Parameter: --icmp-type

Example: iptables -A INPUT -p icmp --icmp-type 8

Matches the ICMP type, given either as a name or as a number. Run iptables -p icmp --help to list the names that can be used.

Parameter: -m limit --limit

Example: iptables -A INPUT -m limit --limit 3/hour

Matches packets up to an average rate over a period of time; the example matches as long as the average does not exceed three packets per hour.

Besides per hour, the rate can be given per second, per minute or per day with the suffixes /second, /minute and /day; the default is per hour.

Besides counting packets, the rule stops matching once the rate is exceeded, which limits the damage a flood attack can do to the service.

Parameter: --limit-burst

Example: iptables -A INPUT -m limit --limit-burst 5

Sets how many packets may arrive in a single burst; the example matches bursts of up to 5 packets (5 is the default), and packets beyond that no longer match the rule, so they are discarded if the following rule or the chain policy drops them. Otherwise it is used the same way as --limit.

Parameter: -m mac --mac-source

Example: iptables -A INPUT -m mac --mac-source 00:00:00:00:00:01

Matches the hardware (MAC) address of the network interface the packet came from. It cannot be used in the OUTPUT or POSTROUTING chains, because the destination MAC address is only resolved by the NIC driver through ARP once the packet is handed to the NIC, so at the time iptables compares the packet it does not yet know which interface the packet will be sent from.
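As an added example (not from the original article), the script below combines the commands above into a small inbound policy for a CentOS host. It assumes eth0 is the public interface, 192.168.0.0/24 is the LAN behind it, and only SSH (22) and HTTP (80) are exposed; set IPT=echo, or pass dry-run, to print the rules instead of loading them.

```shell
#!/bin/sh
# Added example, not from the original article: a minimal inbound policy
# for a single CentOS host built only from the commands described above.
# Assumptions: eth0 is the public interface, 192.168.0.0/24 is the LAN
# behind it, and only SSH (22) and HTTP (80) are exposed.
IPT="${IPT:-iptables}"          # set IPT=echo to print instead of apply
PUB_IF="${PUB_IF:-eth0}"
LAN_NET="${LAN_NET:-192.168.0.0/24}"

apply_firewall() {
    # -P: default policy, i.e. what happens to packets no rule matched.
    "$IPT" -P INPUT DROP
    "$IPT" -P FORWARD DROP
    "$IPT" -P OUTPUT ACCEPT
    # -F / -Z: start from an empty INPUT chain with zeroed counters.
    "$IPT" -F INPUT
    "$IPT" -Z INPUT
    # -N: a custom chain for exposed services (-F it if it already exists).
    "$IPT" -N allowed 2>/dev/null || "$IPT" -F allowed
    # Loopback and replies to connections this host opened itself.
    "$IPT" -A INPUT -i lo -j ACCEPT
    "$IPT" -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # Anti-spoofing: LAN source addresses must not arrive on the public NIC.
    "$IPT" -A INPUT -i "$PUB_IF" -s "$LAN_NET" -j DROP
    # Only connection requests (--syn) to the listed ports reach 'allowed';
    # -m multiport covers the non-consecutive ports in one rule.
    "$IPT" -A INPUT -i "$PUB_IF" -p tcp --syn -m multiport --dports 22,80 -j allowed
    # Echo requests (type 8) are answered, but at most one per second.
    "$IPT" -A INPUT -p icmp --icmp-type 8 -m limit --limit 1/second -j ACCEPT
    # SSH: at most 3 new connections per minute (burst 5); the rest are dropped
    # so a connection flood cannot exhaust sshd. HTTP is unrestricted.
    "$IPT" -A allowed -p tcp --dport 22 -m limit --limit 3/minute --limit-burst 5 -j ACCEPT
    "$IPT" -A allowed -p tcp --dport 22 -j DROP
    "$IPT" -A allowed -p tcp --dport 80 -j ACCEPT
}

case "${1:-}" in
    apply)   apply_firewall ;;
    dry-run) IPT=echo; apply_firewall ;;
esac
```

Run `sh firewall.sh dry-run` to see the rules it would load, and `sudo sh firewall.sh apply` to load them; the rule order matters, since the anti-spoofing DROP must come before the jump to the allowed chain.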

The descriptions in this article should be a great help to new users. Hope you like it!
