Iptables command introduction

Source: Internet
Author: User
Commands for maintaining chains (this article calls them "rule tables"; in iptables terminology a table such as filter or nat holds chains, and a chain holds the rules):
1. iptables -N creates a new user-defined chain.
2. iptables -X deletes an empty user-defined chain (built-in chains cannot be deleted, and a chain must be flushed before it can be deleted).
3. iptables -P changes the default policy of a built-in chain, which applies to packets that match no rule in it.
4. iptables -L lists the rules in a chain (add -n to avoid DNS lookups and --line-numbers to see each rule's position).
5. iptables -F flushes, that is deletes, all rules in a chain.
6. iptables -Z zeroes the packet and byte counters of a chain.
Commands for managing the rules within a chain:
1. iptables -A appends a new rule to the end of a chain.
2. iptables -I inserts a new rule at a given position in a chain (position 1 if none is given).
3. iptables -R replaces the rule at a given position.
4. iptables -D deletes a rule, either by its position or by repeating its exact specification.
While debugging an iptables script you will run it many times as you change it. Add the following lines at the top so that each run starts from an empty ruleset instead of appending duplicate rules. The default policies are set to ACCEPT before the flush on purpose: if a built-in chain has a DROP policy and the rules that allow your administrative session are flushed first, a remote session is cut off. Restore the restrictive policies (typically DROP on INPUT and FORWARD) at the end of the script, after the allow rules are in place.
# Set the default policy of the built-in chains to ACCEPT first
iptables -P INPUT ACCEPT
iptables -P OUTPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -t nat -P PREROUTING ACCEPT
iptables -t nat -P POSTROUTING ACCEPT
iptables -t nat -P OUTPUT ACCEPT
# Clear all rules (flush before deleting user-defined chains, which must be empty)
iptables -F -t filter
iptables -X -t filter
iptables -Z -t filter
iptables -F -t nat
iptables -X -t nat
iptables -Z -t nat
The "-t" option is short for "-- table", which specifies the type of rule tables you want to operate on. The default value is filter.
The following examples show some common iptables options.
Specifying the source and destination address
Source address of the packet: -s, --source or --src
Destination address of the packet: -d, --destination or --dst
Allow packets from 192.168.100.0/24 to pass (-d 0.0.0.0/0 matches any destination and can be omitted):
iptables -A INPUT -s 192.168.100.0/24 -d 0.0.0.0/0 -j ACCEPT
The "-j" option is short for "--jump". It specifies what happens to a packet that matches the rule: a target such as ACCEPT, DROP, REJECT or LOG, or the name of a user-defined chain to continue in.
Negation: put "!" in front of the option to invert the match.
Accept all packets except those from 192.168.100.0/24:
iptables -A INPUT ! -s 192.168.100.0/24 -d 0.0.0.0/0 -j ACCEPT
(Older releases accepted "-s ! 192.168.100.0/24"; current iptables warns that this form is deprecated and expects the "!" before the option.)
Protocol (tcp, udp, icmp, or all)
-p or --protocol (lowercase; the uppercase -P sets a chain policy)
Drop all ICMP:
iptables -A INPUT -p icmp -j DROP
Dropping ICMP wholesale also discards destination-unreachable and time-exceeded messages, which breaks path MTU discovery and traceroute. In practice, restrict or rate-limit echo-request only, selecting the type with --icmp-type.
Specifying an interface
Inbound interface: -i or --in-interface
Outbound interface: -o or --out-interface
-i is only valid in the INPUT chain (and PREROUTING), -o only in the OUTPUT chain (and POSTROUTING); the FORWARD chain can use both.
Allow packets arriving on eth1:
iptables -A INPUT -i eth1 -j ACCEPT
Allow packets leaving through eth0:
iptables -A OUTPUT -o eth0 -j ACCEPT
Forward packets that arrive on eth1 and leave through eth0:
iptables -A FORWARD -i eth1 -o eth0 -j ACCEPT
TCP/UDP extensions
Source port: --sport or --source-port
Destination port: --dport or --destination-port
Both require a protocol (-p tcp or -p udp) and accept a single port or a range written as first:last, for example 1024:65535.
Allow TCP packets arriving on eth0 for port 21:
iptables -A INPUT -i eth0 -p tcp --dport 21 -j ACCEPT
Allow UDP packets arriving on eth0 for port 21:
iptables -A INPUT -i eth0 -p udp --dport 21 -j ACCEPT
State match
-m state --state state[,state...]
The state is a comma-separated list of connection-tracking states to match. The valid states are: INVALID, the packet cannot be associated with any known connection (malformed, or out of sequence); ESTABLISHED, the packet belongs to a connection that has already seen traffic in both directions; NEW, the packet starts a new connection (for TCP, a SYN that matches no existing connection); RELATED, the packet starts a new connection that is associated with an existing one, for example an FTP data connection relative to its control connection, or an ICMP error message relating to an existing flow. The match is implemented by the connection-tracking subsystem; on current systems -m conntrack --ctstate is the equivalent and preferred form.
Drop NEW packets arriving on eth0, that is, refuse new connection requests from eth0:
iptables -A INPUT -i eth0 -m state --state NEW -j DROP
"-m" is short for "--match". The -m option loads an iptables extension module; state is one such module, and the mac module is another, which allows rules based on the source MAC address of the sending host's NIC:
iptables -A INPUT -p tcp -m mac --mac-source 01:02:03:04:05:06 -j ACCEPT
The mac match is only valid in the PREROUTING, FORWARD and INPUT chains, and it only sees the address of the last hop on the local link: traffic that has crossed a router carries the router's MAC, and any host on the same segment can spoof a source MAC, so treat it as a convenience filter rather than as authentication.
Extension modules are what make iptables an extensible security architecture.
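The following script is an added example, not code from the original article, that ties the pieces above together into a small stateful host firewall: the reset sequence (policies opened before the flush so a remote session survives), the address, interface and port matches, "!" negation, the state match, and default policies restored only after the allow rules exist. The management subnet 192.168.100.0/24, the interface eth0 and the SSH port 22 are assumptions taken over as defaults and can be overridden through environment variables. Because building rules needs root and a kernel, the script can also print the exact commands it would run (a dry run) so the ruleset can be reviewed before it is applied; the counting helper exists for that review.

```shell
#!/bin/sh
# Constructed example: minimal stateful INPUT firewall with a dry-run mode.
# IPT is the command prefix: the real binary when applying, "echo iptables"
# when printing. WAN_IF, MGMT_NET and SSH_PORT are assumed defaults.
IPT="${IPT:-iptables}"
WAN_IF="${WAN_IF:-eth0}"
MGMT_NET="${MGMT_NET:-192.168.100.0/24}"
SSH_PORT="${SSH_PORT:-22}"

reset_tables() {
    # Open the built-in chains first so that the flush below cannot strand a
    # remote administrative session, then flush, delete user chains (which must
    # be empty by then) and zero the counters in the filter and nat tables.
    for chain in INPUT OUTPUT FORWARD; do
        $IPT -P "$chain" ACCEPT
    done
    for table in filter nat; do
        $IPT -t "$table" -F
        $IPT -t "$table" -X
        $IPT -t "$table" -Z
    done
}

build_filter() {
    # Loopback is always allowed; many daemons talk to themselves over it.
    $IPT -A INPUT -i lo -j ACCEPT
    # Drop packets that connection tracking cannot classify before any allow rule sees them.
    $IPT -A INPUT -m state --state INVALID -j DROP
    # Replies to connections this host opened, plus related ones (FTP data, ICMP errors).
    # "-m conntrack --ctstate" is the modern equivalent of "-m state --state".
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    # New SSH connections only from the management subnet on the WAN interface.
    $IPT -A INPUT -i "$WAN_IF" -p tcp -s "$MGMT_NET" --dport "$SSH_PORT" -m state --state NEW -j ACCEPT
    # Negated source: log (rate-limited) SSH attempts from anywhere else; the
    # INPUT policy set at the end drops them.
    $IPT -A INPUT -i "$WAN_IF" -p tcp ! -s "$MGMT_NET" --dport "$SSH_PORT" -m limit --limit 5/min -j LOG --log-prefix "ssh-denied: "
    # Allow only the ICMP types working networking needs instead of dropping ICMP wholesale.
    $IPT -A INPUT -p icmp --icmp-type echo-request -m limit --limit 10/s -j ACCEPT
    $IPT -A INPUT -p icmp --icmp-type destination-unreachable -j ACCEPT
    $IPT -A INPUT -p icmp --icmp-type time-exceeded -j ACCEPT
    # Default policies last, after the allow rules are in place.
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT ACCEPT
}

# Print the commands instead of executing them (runs in a subshell so the
# IPT override does not leak out).
dry_run() {
    (
        IPT="echo iptables"
        reset_tables
        build_filter
    )
}

# Count generated commands matching a pattern, for sanity checks without root,
# e.g. that exactly one rule accepts NEW connections to the SSH port.
count_rules() {
    dry_run | grep -c -- "$1"
}

case "${1:-}" in
    --dry-run) dry_run ;;
    --apply)   reset_tables; build_filter ;;
esac
```

Run it as `sh firewall.sh --dry-run` to review the commands, and as root with `--apply` to load them. Note that the ruleset is not persistent: reboots discard it unless a distribution mechanism such as iptables-save/iptables-restore is used.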