iptables works with three tables, each made up of several chains: the mangle table, the NAT table, and the filter table.
The firewall uses the filter table, which is also the most commonly used one. It has three built-in chains: INPUT, OUTPUT, and FORWARD.
Display command (list rules with packet counters and rule numbers):
iptables -L -n -v --line-numbers
Chain INPUT (policy ACCEPT 3002 packets, 138K bytes)
num   pkts bytes target     prot opt in     out     source               destination

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 3051 packets, 1606K bytes)
num   pkts bytes target     prot opt in     out     source               destination
To work on a specific table, add the -t parameter: -t <mangle | nat | filter>. Without it, the filter table is used by default.
Clear command (flush all rules from the chains of the table):
iptables -F
Create a custom chain (<chain> is the name you choose):
iptables -N <chain>
Delete a custom chain:
iptables -X <chain>
Adding, modifying, and deleting rules:
Usage: iptables -[ACD] chain rule-specification [options]
       iptables -I chain [rulenum] rule-specification [options]
       iptables -D chain rulenum [options]
Add a DROP rule to the INPUT chain:
iptables -A INPUT -s 74.125.71.103 -j DROP
From now on, every packet from 74.125.71.103 is discarded, so a ping from the local machine gets no reply from 74.125.71.103.
# ping 74.125.71.103
Now delete the deny rule (rule number 1 in the INPUT chain):
iptables -D INPUT 1
Now ping works again.
If the rule's target is ACCEPT instead, ping gets through:
iptables -A INPUT -s 74.125.71.103 -j ACCEPT
A common firewall policy: drop inbound and forwarded traffic by default while allowing outbound traffic, then accept inbound packets whose connection is in the NEW or ESTABLISHED state.
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
iptables -A INPUT -m state --state NEW,ESTABLISHED -j ACCEPT
-m state loads the connection-state match module; --state lists the connection states to match (here NEW and ESTABLISHED).
Block the external machine 172.16.73.25 from connecting to port 8000:
iptables -A INPUT -p tcp -s 172.16.73.25 --dport 8000 -j DROP
Block outbound requests to a website, 74.125.71.108:
iptables -A OUTPUT -p tcp -d 74.125.71.103 -j DROP
Open the port range 7000:7010:
iptables -A INPUT -m state --state NEW -m tcp -p tcp --dport 7000:7010 -j ACCEPT
Block traffic from a specific MAC address:
iptables -A INPUT -m mac --mac-source 00:0F:EA:91:04:08 -j DROP
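As an added example (not part of the original article), the following Python script parses a listing in the format of the display command shown above and checks the rules for a first-match pitfall: on an INPUT chain with a DROP policy, a broad ACCEPT of NEW connections admits everything, and every rule appended after it (such as the per-host DROP on port 8000) is never reached. The listing is constructed to reflect this page's rules rather than captured from a real system, and the function names and checks are the example's own.

```python
import re

# Constructed listing in the format of `iptables -L INPUT -n -v --line-numbers`, as the
# INPUT chain would look after the page's commands; not captured from a real system.
SAMPLE = """\
Chain INPUT (policy DROP 12 packets, 720 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1       50  3000 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state NEW,ESTABLISHED
2        0     0 DROP       tcp  --  *      *       172.16.73.25         0.0.0.0/0            tcp dpt:8000
3        0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:7000:7010
"""

CHAIN_RE = re.compile(r"^Chain (\S+) \(policy (\S+)")
# Columns: num pkts bytes target prot opt in out source destination [extra matches]
RULE_RE = re.compile(r"^(\d+)\s+\S+\s+\S+\s+(\S+)\s+(\S+)\s+\S+\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s*(.*)$")

def parse_chain(text):
    """Return (chain name, default policy, rules) from one chain's listing."""
    chain, policy, rules = None, None, []
    for line in text.splitlines():
        m = CHAIN_RE.match(line)
        if m:
            chain, policy = m.groups()
            continue
        m = RULE_RE.match(line)
        if m:
            num, target, prot, ifin, ifout, src, dst, extra = m.groups()
            rules.append({"num": int(num), "target": target, "prot": prot, "in": ifin,
                          "out": ifout, "src": src, "dst": dst, "extra": extra.strip()})
    return chain, policy, rules

def admits_any_new(rule):
    """True if the rule matches NEW connections from any source on any interface."""
    wide = all(rule[k] == v for k, v in
               [("prot", "all"), ("src", "0.0.0.0/0"), ("dst", "0.0.0.0/0"), ("in", "*"), ("out", "*")])
    state = re.fullmatch(r"state (\S+)", rule["extra"])  # only a plain state match counts as wide
    return wide and (rule["extra"] == "" or (state is not None and "NEW" in state.group(1).split(",")))

def audit(text):
    """iptables is first-match: report a wide-open ACCEPT and every rule it shadows."""
    chain, policy, rules = parse_chain(text)
    findings, catch_all = [], None
    for r in rules:
        if catch_all is not None:
            findings.append(f"rule {r['num']} is shadowed by rule {catch_all} for new connections")
        elif r["target"] == "ACCEPT" and admits_any_new(r):
            catch_all = r["num"]
            findings.append(f"rule {r['num']} accepts NEW from any source, so policy {policy} on {chain} never applies")
    return findings
```

Changing the broad rule's state list to ESTABLISHED,RELATED (the usual correction) clears all findings, because the later per-host and per-port rules are then reached for new connections.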