Iptables configuration instance

Source: Internet
Author: User
iptables -F
# -F flushes (deletes) every rule in every chain of the filter table, which is the table iptables works on when no -t is given. Chain policies are left unchanged, so flush carefully if a chain's default policy is DROP.
iptables -A INPUT -s 172.20.20.1/32 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
# Append to the INPUT chain of the filter table: accept packets whose source address is 172.20.20.1 and whose connection-tracking state is NEW, ESTABLISHED or RELATED (any protocol, any port).
iptables -A INPUT -s 172.20.20.1/32 -m state --state NEW,ESTABLISHED -p tcp -m multiport --dports 123,110 -j ACCEPT
# -p selects the protocol and -m loads a match module. The multiport module matches a list of non-consecutive ports in a single rule (up to 15 of them). This rule accepts TCP packets from 172.20.20.1 in state NEW or ESTABLISHED whose destination port is 123 or 110. Since the previous rule already accepts everything from that host, this one never matches anything new: rules are tried in order and the first match decides.
iptables -A INPUT -s 172.20.22.0/24 -m state --state NEW,ESTABLISHED -p tcp -m multiport --dports 123,110 -j ACCEPT
iptables -A INPUT -s 0/0 -m state --state NEW -p tcp -m multiport --dports 123,110 -j DROP
# -s 0/0 matches any source address. New TCP connections to ports 123 and 110 from everyone else are dropped. Because this rule matches only state NEW, the ACCEPT rules for the trusted sources above must precede it; order matters. Note that packets in other states are not touched by it and fall through to the chain policy.
iptables -A INPUT ! -s 172.20.89.0/24 -m state --state NEW -p tcp -m multiport --dports 1230,110 -j DROP
# "!" negates the match. Current iptables wants the "!" before the option (! -s); the older "-s ! addr" form is deprecated. New TCP connections to ports 1230 and 110 are dropped unless the source lies inside 172.20.89.0/24.
iptables -R INPUT 1 -s 192.168.6.99 -p tcp --dport 22 -j ACCEPT
# -R replaces the rule at position 1 of the INPUT chain (positions count from 1) with an ACCEPT for SSH from 192.168.6.99.
iptables -t filter -L INPUT -vn
# List the INPUT chain of the filter table: -v adds packet and byte counters and the interfaces, -n prints addresses and ports numerically instead of resolving names (much faster, and no DNS traffic). Add --line-numbers to see the positions that -R, -I and -D refer to.
# ------------------------------- NAT --------------------------------------
# The following rules are written to the nat table (-t nat), not to the default filter table.
iptables -t nat -F
iptables -t nat -A PREROUTING -d 192.168.102.55 -p tcp --dport 90 -j DNAT --to-destination 172.20.11.1:800
# PREROUTING is traversed before the routing decision. In the nat table, TCP packets addressed to 192.168.102.55 port 90 get their destination rewritten (DNAT) to 172.20.11.1 port 800, so the routing decision then sends them to that host.
iptables -t nat -A POSTROUTING -d 172.20.11.1 -j SNAT --to-source 192.168.102.55
# POSTROUTING is traversed after the routing decision, just before the packet leaves. Packets whose destination is 172.20.11.1, including the ones just DNATed, get their source address rewritten (SNAT) to 192.168.102.55. The server therefore answers the firewall, not the original client, and conntrack reverses both translations on the reply. That is the point of the second rule: it keeps the return path through the firewall when the server could otherwise reach the client directly.
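How the DNAT/SNAT pair above behaves on the wire, as an added example that is not code from the original page: a minimal conntrack-style table applies the PREROUTING DNAT and the POSTROUTING SNAT to a client's first packet and reverses both on the server's reply, and a second path shows what the server would send back if the SNAT rule were missing. Addresses and ports are the ones from the rules above; the Pkt and Nat classes and the client address 10.0.0.2 are constructed for this example.

```python
"""Packet-level trace of the page's DNAT + SNAT pair (added example).

Applies the two nat-table rules to a client packet and undoes them on the
reply, the way conntrack does, so it is visible why the SNAT rule exists:
without it the server answers the client directly, and if that path does
not cross the firewall the client receives a reply from 172.20.11.1:800
for a connection it opened to 192.168.102.55:90.
"""
from dataclasses import dataclass, replace

FIREWALL = "192.168.102.55"                 # address the client connects to
SERVER, SERVER_PORT = "172.20.11.1", 800    # real service behind the DNAT


@dataclass(frozen=True)
class Pkt:
    src: str
    sport: int
    dst: str
    dport: int


class Nat:
    """Applies the two nat rules and keeps the state needed to reverse them."""

    def __init__(self, with_snat: bool = True):
        self.with_snat = with_snat
        self.conntrack = {}   # key: how the reply will look -> original packet

    def forward(self, p: Pkt) -> Pkt:
        orig = p
        # PREROUTING: -d 192.168.102.55 -p tcp --dport 90 -j DNAT --to-destination 172.20.11.1:800
        if p.dst == FIREWALL and p.dport == 90:
            p = replace(p, dst=SERVER, dport=SERVER_PORT)
        # POSTROUTING: -d 172.20.11.1 -j SNAT --to-source 192.168.102.55
        if self.with_snat and p.dst == SERVER:
            p = replace(p, src=FIREWALL)
        self.conntrack[(p.dst, p.dport, p.src, p.sport)] = orig
        return p

    def reply(self, r: Pkt) -> Pkt:
        """Reverse both translations for a packet coming back from the server."""
        orig = self.conntrack.get((r.src, r.sport, r.dst, r.dport))
        if orig is None:
            raise LookupError("no conntrack entry for this reply")
        # destination goes back to the real client, source to the address it dialled
        return Pkt(src=orig.dst, sport=orig.dport, dst=orig.src, dport=orig.sport)


CLIENT_SYN = Pkt("10.0.0.2", 40000, FIREWALL, 90)   # constructed sample packet


def with_snat() -> tuple:
    """Full exchange through the firewall: (what the server sees, what the client sees)."""
    fw = Nat(with_snat=True)
    to_server = fw.forward(CLIENT_SYN)
    server_reply = Pkt(to_server.dst, to_server.dport, to_server.src, to_server.sport)
    return to_server, fw.reply(server_reply)


def without_snat() -> Pkt:
    """Only the DNAT rule: the server's reply is addressed straight to the client."""
    fw = Nat(with_snat=False)
    to_server = fw.forward(CLIENT_SYN)
    return Pkt(to_server.dst, to_server.dport, to_server.src, to_server.sport)
```

with_snat() shows the server receiving a packet from 192.168.102.55:40000 and the client receiving its answer from 192.168.102.55:90, exactly the endpoint it connected to. without_snat() shows the reply leaving the server addressed to 10.0.0.2 from 172.20.11.1:800; only if that packet happens to pass the firewall does conntrack get a chance to fix the source up.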
iptables -A INPUT -d 192.168.20.0/255.255.255.0 -i eth1 -j DROP
iptables -A INPUT -s 192.168.20.0/255.255.255.0 -i eth1 -j DROP
iptables -A OUTPUT -d 192.168.20.0/255.255.255.0 -o eth1 -j DROP
iptables -A OUTPUT -s 192.168.20.0/255.255.255.0 -o eth1 -j DROP
# Here eth1 faces the Internet and 192.168.20.0/24 is the intranet. -i and -o match the interface a packet arrives on or leaves by (lower-case; upper-case -I is the insert command). A packet on the Internet side that carries an intranet source or destination address is spoofed or misrouted, because only public addresses are legitimate there, so it is dropped in both directions. INPUT and OUTPUT only cover traffic to and from the firewall host itself; traffic it routes for others traverses FORWARD and needs the same checks there.
iptables -A INPUT -s 255.255.255.255 -i eth0 -j DROP
iptables -A INPUT -s 224.0.0.0/224.0.0.0 -i eth0 -j DROP
iptables -A INPUT -d 0.0.0.0 -i eth0 -j DROP
# Keep broadcast and multicast junk arriving from the LAN on eth0 away from the IP proxy server: packets claiming the limited-broadcast address 255.255.255.255 as source, packets whose source falls in 224.0.0.0/3 (the mask 224.0.0.0 is /3, so this covers multicast and the reserved range above it), and packets addressed to 0.0.0.0. None of these is a valid unicast source or destination.
iptables -A INPUT -p tcp -m tcp --sport 5000 -j DROP
iptables -A INPUT -p udp -m udp --sport 5000 -j DROP
iptables -A OUTPUT -p tcp -m tcp --dport 5000 -j DROP
iptables -A OUTPUT -p udp -m udp --dport 5000 -j DROP
# Block port 5000: incoming TCP and UDP packets with source port 5000 and outgoing packets with destination port 5000 are dropped. Because the match is on the remote side's port, this stops the host from talking to a service on port 5000 elsewhere; it does not block a service listening on local port 5000 (that would need --dport 5000 in INPUT).
iptables -A INPUT -s 211.148.130.129 -i eth1 -p tcp -m tcp --dport 3306 -j DROP
iptables -A INPUT -s 192.168.20.0/255.255.255.0 -i eth0 -p tcp -m tcp --dport 3306 -j ACCEPT
iptables -A INPUT -s 211.148.130.128/255.255.255.240 -i eth1 -p tcp -m tcp --dport 3306 -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 3306 -j DROP
# Restrict access to the MySQL server (port 3306): only the intranet 192.168.20.0/24 on eth0 and the external block 211.148.130.128/28 on eth1 may connect; everyone else hits the final DROP. The first rule is a specific exception: 211.148.130.129 lies inside 211.148.130.128/28, so its DROP must come before the /28 ACCEPT. If the order were reversed, the ACCEPT would match first and the exception would never be reached.
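The ordering points made for the port 123/110 rules, the anti-spoofing rules and the MySQL rules above can be checked without root or a kernel. The following is an added example, not code from the original page: it models the filter table's INPUT chain (rules tried in order, first match wins, an unmatched packet gets the chain policy) with the standard-library ipaddress module and runs the page's rules against constructed sample packets. Addresses, ports and interfaces are the page's; the Packet and Rule classes, the sample packets and the chain policy of ACCEPT are assumptions of this example.

```python
"""First-match simulation of the INPUT rules shown on this page (added example).

Models how iptables walks a chain: rules are tried in order, the first match
decides, and an unmatched packet receives the chain policy. Addresses and
ports are the page's; Packet, Rule and the sample packets are constructed.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass
class Packet:
    src: str
    dst: str
    iface: str            # interface the packet arrived on (-i)
    proto: str = "tcp"
    dport: int = 0
    state: str = "NEW"    # conntrack state: NEW / ESTABLISHED / RELATED


@dataclass
class Rule:
    target: str                     # ACCEPT / DROP
    src: Optional[str] = None       # -s CIDR (None = any source)
    src_negate: bool = False        # ! -s
    dst: Optional[str] = None       # -d CIDR
    iface: Optional[str] = None     # -i
    proto: Optional[str] = None     # -p
    dports: tuple = ()              # --dport or -m multiport --dports
    states: tuple = ()              # -m state --state ...

    def matches(self, p: Packet) -> bool:
        return all([
            self.src is None
            or (ip_address(p.src) in ip_network(self.src, strict=False)) != self.src_negate,
            self.dst is None or ip_address(p.dst) in ip_network(self.dst, strict=False),
            self.iface is None or p.iface == self.iface,
            self.proto is None or p.proto == self.proto,
            not self.dports or p.dport in self.dports,
            not self.states or p.state in self.states,
        ])


def evaluate(chain, p: Packet, policy: str = "ACCEPT") -> str:
    """Walk the chain in order; the first matching rule's target decides."""
    for rule in chain:
        if rule.matches(p):
            return rule.target
    return policy                   # nothing matched: the chain policy applies


# Port 123/110 rules from the page, in the page's order.
PORT_CHAIN = [
    Rule("ACCEPT", src="172.20.20.1/32", states=("NEW", "ESTABLISHED", "RELATED")),
    Rule("ACCEPT", src="172.20.22.0/24", states=("NEW", "ESTABLISHED"), proto="tcp", dports=(123, 110)),
    Rule("DROP", src="0.0.0.0/0", states=("NEW",), proto="tcp", dports=(123, 110)),
    Rule("DROP", src="172.20.89.0/24", src_negate=True, states=("NEW",), proto="tcp", dports=(1230, 110)),
]
# Anti-spoofing rules: intranet addresses never belong on the Internet side (eth1).
SPOOF_CHAIN = [
    Rule("DROP", dst="192.168.20.0/24", iface="eth1"),
    Rule("DROP", src="192.168.20.0/24", iface="eth1"),
]
# MySQL rules from the page, in the page's order.
MYSQL_CHAIN = [
    Rule("DROP", src="211.148.130.129", iface="eth1", proto="tcp", dports=(3306,)),
    Rule("ACCEPT", src="192.168.20.0/24", iface="eth0", proto="tcp", dports=(3306,)),
    Rule("ACCEPT", src="211.148.130.128/28", iface="eth1", proto="tcp", dports=(3306,)),
    Rule("DROP", proto="tcp", dports=(3306,)),
]


def port_decisions() -> dict:
    return {
        "trusted_host_ssh": evaluate(PORT_CHAIN, Packet("172.20.20.1", "10.0.0.1", "eth0", dport=22)),
        "subnet_pop3": evaluate(PORT_CHAIN, Packet("172.20.22.9", "10.0.0.1", "eth0", dport=110)),
        "other_new_pop3": evaluate(PORT_CHAIN, Packet("10.9.9.9", "10.0.0.1", "eth0", dport=110)),
        # the blanket DROP matches only NEW, so a non-NEW packet falls through to the policy
        "other_established_pop3": evaluate(PORT_CHAIN, Packet("10.9.9.9", "10.0.0.1", "eth0", dport=110, state="ESTABLISHED")),
    }


def spoof_decisions() -> dict:
    spoofed = Packet("192.168.20.5", "10.0.0.1", "eth1")   # intranet source on the Internet side
    genuine = Packet("192.168.20.5", "10.0.0.1", "eth0")   # same source on the LAN side
    return {"intranet_src_on_eth1": evaluate(SPOOF_CHAIN, spoofed), "intranet_src_on_eth0": evaluate(SPOOF_CHAIN, genuine)}


def mysql_decisions(chain=MYSQL_CHAIN) -> dict:
    return {
        "blocked_host": evaluate(chain, Packet("211.148.130.129", "10.0.0.1", "eth1", dport=3306)),
        "neighbour_in_28": evaluate(chain, Packet("211.148.130.130", "10.0.0.1", "eth1", dport=3306)),
        "intranet": evaluate(chain, Packet("192.168.20.7", "10.0.0.1", "eth0", dport=3306)),
        "internet": evaluate(chain, Packet("8.8.8.8", "10.0.0.1", "eth1", dport=3306)),
    }


def mysql_swapped_order() -> dict:
    """Same rules with the /28 ACCEPT ahead of the host DROP: the exception is lost."""
    return mysql_decisions([MYSQL_CHAIN[1], MYSQL_CHAIN[2], MYSQL_CHAIN[0], MYSQL_CHAIN[3]])
```

Two of the results are the ones worth checking on a real box too: an ESTABLISHED packet to port 110 from an untrusted source is not dropped by the page's rules (the DROP matches only NEW, so the outcome depends on the chain policy), and moving the 211.148.130.129 DROP below the /28 ACCEPT silently turns the blocked host into an allowed one.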
iptables -A FORWARD -p tcp --dport 22 -j REJECT --reject-with tcp-reset
# REJECT discards the packet like DROP but also sends the answer named by --reject-with back to the sender. With tcp-reset the sender receives a TCP RST, which is what a host with no listener on that port would return, so the client sees "connection refused" at once instead of waiting for a timeout, and the presence of a filter is less obvious. Without --reject-with, REJECT answers with an ICMP port-unreachable.