Configure the firewall using iptables

Source: Internet
Author: User

iptables operates on three tables, each with several built-in chains: the mangle table, the nat table, and the filter table.

Firewalling uses the filter table, which is also the most commonly used table. It has three built-in chains: INPUT, OUTPUT, and FORWARD.

List the rules (numeric addresses, verbose counters, rule numbers):

iptables -L -n -v --line-numbers

Chain INPUT (policy ACCEPT 3002 packets, 138K bytes)
num   pkts bytes target     prot opt in     out     source               destination

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 3051 packets, 1606K bytes)
num   pkts bytes target     prot opt in     out     source               destination

To work on a specific table, pass the -t parameter: -t <mangle|nat|filter>. Without -t, the filter table is used by default.
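Rule numbers in that listing are positional: deleting rule 1 renumbers every rule after it, so a script that deletes by number should re-read the listing first. The following is an added example, not code from the original page: three POSIX shell functions that parse the output format of iptables -L -n -v --line-numbers to report each chain's default policy, which rules carry a given target, and which rules have a zero packet counter (rules that have never matched are worth reviewing). The listing it parses is constructed for the example, not captured from a real host.

```shell
#!/bin/sh
# Added example (not from the page): parse the output of
#   iptables -L -n -v --line-numbers
# so rule numbers, targets and hit counters can be audited before a rule is
# deleted by number. The listing below is constructed, not captured from a host.
SAMPLE_LISTING='Chain INPUT (policy DROP 12 packets, 720 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1       40  2400 DROP       all  --  *      *       74.125.71.103        0.0.0.0/0
2     3002  138K ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state NEW,ESTABLISHED
3        0     0 DROP       tcp  --  *      *       172.16.73.25         0.0.0.0/0            tcp dpt:8000

Chain FORWARD (policy DROP 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 3051 packets, 1606K bytes)
num   pkts bytes target     prot opt in     out     source               destination
1        0     0 DROP       tcp  --  *      *       0.0.0.0/0            74.125.71.103'

# chain_policy CHAIN LISTING: default policy of CHAIN (the word after "policy").
chain_policy() {
    printf '%s\n' "$2" | awk -v chain="$1" '$1 == "Chain" && $2 == chain { print $4 }'
}

# rules_with_target CHAIN TARGET LISTING: rule numbers in CHAIN whose target
# is TARGET, space separated, in the order the kernel evaluates them.
rules_with_target() {
    printf '%s\n' "$3" | awk -v chain="$1" -v target="$2" '
        $1 == "Chain"                                   { cur = $2; next }
        cur == chain && $1 ~ /^[0-9]+$/ && $4 == target { printf "%s%s", sep, $1; sep = " " }
        END                                             { printf "\n" }'
}

# zero_hit_rules CHAIN LISTING: rule numbers in CHAIN whose packet counter is
# still zero; candidates for review, since they have never matched anything.
zero_hit_rules() {
    printf '%s\n' "$2" | awk -v chain="$1" '
        $1 == "Chain"                               { cur = $2; next }
        cur == chain && $1 ~ /^[0-9]+$/ && $2 == 0  { printf "%s%s", sep, $1; sep = " " }
        END                                         { printf "\n" }'
}

# Against the live table the call would be, as root:
#   rules_with_target INPUT DROP "$(iptables -L -n -v --line-numbers)"
for chain in INPUT FORWARD OUTPUT; do
    printf '%s: policy %s, DROP rules [%s], never-matched rules [%s]\n' \
        "$chain" "$(chain_policy "$chain" "$SAMPLE_LISTING")" \
        "$(rules_with_target "$chain" DROP "$SAMPLE_LISTING")" \
        "$(zero_hit_rules "$chain" "$SAMPLE_LISTING")"
done
```

The functions only depend on awk and the column layout of the verbose listing, so they run unprivileged on the constructed sample; feeding them the real listing requires root, as iptables itself does.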

Flush all rules in the table:

iptables -F

Create a custom chain:

iptables -N <chain>

Delete a custom chain (it must be empty and unreferenced):

iptables -X <chain>

Add, modify, and delete rules:

Usage: iptables -[ACD] chain rule-specification [options]
       iptables -I chain [rulenum] rule-specification [options]
       iptables -D chain rulenum [options]

Add a DROP rule to the INPUT chain:

iptables -A INPUT -s 74.125.71.103 -j DROP

From now on, all packets from 74.125.71.103 are discarded, so a ping from the local machine receives no reply from 74.125.71.103:

# ping 74.125.71.103

Now delete the deny rule (rule number 1 in the INPUT chain):

iptables -D INPUT 1

Ping works again.

To explicitly accept packets from that host instead, add an ACCEPT rule:

iptables -A INPUT -s 74.125.71.103 -j ACCEPT

A common firewall policy: drop inbound and forwarded traffic by default, allow outbound traffic, and then accept inbound packets in the NEW or ESTABLISHED state:

iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
iptables -A INPUT -m state --state NEW,ESTABLISHED -j ACCEPT

-m state loads the connection-state match extension; --state selects which connection states the rule matches.

Prevent the external machine 172.16.73.25 from connecting to port 8000:

iptables -A INPUT -p tcp -s 172.16.73.25 --dport 8000 -j DROP

Block outbound requests to the website 74.125.71.108:

iptables -A OUTPUT -p tcp -d 74.125.71.103  -j DROP

Open the port range 7000:7010:

iptables -A INPUT -m state --state NEW -m tcp -p tcp --dport 7000:7010 -j ACCEPT

Drop traffic from a specific MAC address:

iptables -A INPUT -m mac --mac-source 00:0F:EA:91:04:08 -j DROP
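Two things a practitioner would want to note about the policy above. First, accepting NEW on INPUT without a port or protocol match admits every new inbound connection, so the default DROP policy buys little; restricting NEW to the ports actually served (as the 7000:7010 rule does) is the usual fix. Second, building the table with a sequence of iptables -A calls leaves the host in a half-configured state between calls and makes rule order easy to get wrong; iptables-restore loads the whole table atomically. The script below is an added example, not code from the original page: it assembles the page's rules (same addresses, ports and MAC) into one iptables-restore ruleset, with loopback and ESTABLISHED/RELATED traffic accepted first, explicit blocks before allows, and a small lint step. The RULES_FILE path is an assumption; -m conntrack --ctstate is the modern equivalent of the -m state match used here.

```shell
#!/bin/sh
# Added example (not from the page): the page's policy as one atomic
# iptables-restore ruleset. Addresses, ports and the MAC come from the page;
# the rules file path is an assumption, override it via the environment.
RULES_FILE="${RULES_FILE:-/tmp/filter.rules}"

# build_ruleset prints a complete filter-table ruleset in iptables-restore syntax.
build_ruleset() {
    cat <<'EOF'
*filter
# Default policies: drop inbound and forwarded traffic, allow outbound.
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# Loopback stays open, otherwise local services break.
-A INPUT -i lo -j ACCEPT
# Replies to connections this host opened; INVALID packets are dropped early.
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m state --state INVALID -j DROP
# Explicit blocks come before the allows so they cannot be bypassed.
-A INPUT -p tcp -s 172.16.73.25 --dport 8000 -j DROP
-A INPUT -m mac --mac-source 00:0F:EA:91:04:08 -j DROP
# Only NEW connections to the published port range are admitted.
-A INPUT -p tcp -m state --state NEW --dport 7000:7010 -j ACCEPT
# Block outbound requests to one site.
-A OUTPUT -p tcp -d 74.125.71.103 -j DROP
COMMIT
EOF
}

# policy_of CHAIN: default policy declared for CHAIN in the generated ruleset.
policy_of() {
    build_ruleset | awk -v c=":$1" '$1 == c { print $2 }'
}

# rule_count CHAIN: number of -A rules appended to CHAIN.
rule_count() {
    build_ruleset | grep -c "^-A $1 "
}

# lint_ruleset: fail if a rule references a chain with no policy line, or if
# the loopback accept is not the first INPUT rule.
lint_ruleset() {
    rs=$(build_ruleset)
    for c in $(printf '%s\n' "$rs" | awk '$1 == "-A" { print $2 }' | sort -u); do
        printf '%s\n' "$rs" | grep -q "^:$c " || { echo "undeclared chain: $c" >&2; return 1; }
    done
    first=$(printf '%s\n' "$rs" | grep '^-A INPUT ' | head -n 1)
    case "$first" in
        *"-i lo "*) return 0 ;;
        *) echo "loopback accept is not the first INPUT rule" >&2; return 1 ;;
    esac
}

# apply_ruleset: write the file and, only as root, parse-check then load it atomically.
apply_ruleset() {
    lint_ruleset || return 1
    build_ruleset > "$RULES_FILE"
    if [ "$(id -u)" -eq 0 ] && command -v iptables-restore >/dev/null 2>&1; then
        iptables-restore --test "$RULES_FILE" && iptables-restore "$RULES_FILE"
    else
        echo "not root or iptables-restore missing; ruleset written to $RULES_FILE only" >&2
    fi
}

# Usage: sh firewall.sh            -> print the ruleset
#        sudo sh firewall.sh apply -> lint, write and load it
case "${1:-print}" in
    apply) apply_ruleset ;;
    *) build_ruleset ;;
esac
```

Comment lines are accepted by iptables-restore, so the annotated ruleset can be loaded as-is; the ESTABLISHED,RELATED rule sitting near the top means the per-port and per-host rules are only evaluated for the first packet of a connection.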
