To view iptables rules:
[root@host-0002 ~]# iptables -nvL
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
 1786  140K ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
    1     ? ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:22
  122 10168 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT 1513 packets, 135K bytes)
 pkts bytes target     prot opt in     out     source               destination
No table was named with -t, so iptables shows the filter table, which is the default. We have not written any rules of our own yet, so what is listed is the default rule set that the iptables service loaded at boot. That rule set lives in /etc/sysconfig/iptables.
vim /etc/sysconfig/iptables:
# sample configuration for iptables service
# you can edit this manually or use system-config-firewall
# do not ask us to add additional ports/services to this default configuration
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
Specify a table explicitly with -t (here the nat table, which has no rules yet):
[root@host-0002 ~]# iptables -t nat -nvL
Chain PREROUTING (policy ACCEPT ? packets, 4222 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain INPUT (policy ACCEPT 1 packets, ? bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 1 packets, ? bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain POSTROUTING (policy ACCEPT 1 packets, ? bytes)
 pkts bytes target     prot opt in     out     source               destination
Flush all rules in a table with -F (here the filter table; the chains and their policies remain, but empty):
[root@host-0002 ~]# iptables -F
[root@host-0002 ~]# iptables -nvL
Chain INPUT (policy ACCEPT ? packets, 3132 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT ? packets, 2516 bytes)
 pkts bytes target     prot opt in     out     source               destination
Flushing only changes the rules in the running kernel. If you do not save, restarting the iptables service reloads /etc/sysconfig/iptables and the original rules come back.
Save the running rules to /etc/sysconfig/iptables, then inspect the file:
[root@host-0002 ~]# service iptables save
iptables: Saving firewall rules to /etc/sysconfig/iptables:[  OK  ]
[root@host-0002 ~]# vim /etc/sysconfig/iptables
Restart the service (this reloads whatever is in /etc/sysconfig/iptables):
[root@host-0002 ~]# systemctl restart iptables.service
Zero the packet and byte counters with -Z (the rules themselves are untouched):
[root@host ~]# iptables -nvL
Chain INPUT (policy ACCEPT 18M packets, 2965M bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 15M packets, 5501M bytes)
 pkts bytes target     prot opt in     out     source               destination
[root@host ~]# iptables -Z
[root@host ~]# iptables -nvL
Chain INPUT (policy ACCEPT ? packets, 2984 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT ? packets, 2456 bytes)
 pkts bytes target     prot opt in     out     source               destination
Add a rule:
[root@host ~]# iptables -A INPUT -s 110.229.26.253 -p tcp --dport 80 -j REJECT
This rule rejects packets entering the INPUT chain from source address 110.229.26.253 that are destined for TCP port 80. In short, that IP is not allowed to reach our port 80. REJECT answers the sender with an ICMP error (or a TCP reset, if --reject-with tcp-reset is given); DROP would discard the packet silently.
Delete the rule above. -D takes exactly the specification that was given to -A and removes the first rule matching it:
[root@host ~]# iptables -D INPUT -s 110.229.26.253 -p tcp --dport 80 -j REJECT
Alternatively, a rule can be deleted by its position in the chain. First list the rules with --line-numbers to get that position:
[root@host ~]# iptables -nvL --line-numbers
Chain INPUT (policy ACCEPT 2462 packets, 554K bytes)
num   pkts bytes target     prot opt in     out     source               destination
1      277 22324 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            multiport dports ?,?,?

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 2457 packets, 562K bytes)
num   pkts bytes target     prot opt in     out     source               destination
Then delete by that number (here rule 1 of INPUT). The remaining rules are renumbered immediately, so when deleting several rules by number, work from the highest number down:
[root@host ~]# iptables -D INPUT 1
[root@host ~]# iptables -nvL
Chain INPUT (policy ACCEPT ? packets, 3008 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT ? packets, 3614 bytes)
 pkts bytes target     prot opt in     out     source               destination
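The steps above (append with -A, delete with -D by specification, or find the number with --line-numbers and delete by it) as a script. This is an added example, not code from the original post: it assumes the same rule (source 110.229.26.253 to TCP port 80, target REJECT) on a CentOS 7 host running iptables-services, and the listing held in SAMPLE_LISTING is constructed for the demonstration rather than captured from a real machine. The function, variable and environment names (ensure_rule, remove_rule, rule_numbers, delete_by_number, SAMPLE_LISTING, IPTABLES_APPLY) are this example's own.

```shell
#!/bin/sh
# Added example, not from the original post. Manages the post's REJECT rule without
# duplicating it, and locates rules by number the way `iptables -nvL --line-numbers`
# lets you do by hand. Assumes CentOS 7 with iptables-services (iptables, not nft).
set -eu

CHAIN=INPUT
# Match specification of the rule from the post. No argument contains spaces, so
# plain word splitting is safe when the variable is expanded unquoted below.
RULE_SPEC='-s 110.229.26.253 -p tcp --dport 80 -j REJECT'

# Append the rule only if it is not already in the chain. Running `iptables -A`
# twice silently produces two identical rules; -C returns 0 when a match exists.
ensure_rule() {
    if iptables -C "$CHAIN" $RULE_SPEC 2>/dev/null; then
        echo "rule already present in $CHAIN"
    else
        iptables -A "$CHAIN" $RULE_SPEC
        echo "rule appended to $CHAIN"
    fi
}

# Delete every copy by match specification: each -D removes only the first match.
remove_rule() {
    while iptables -D "$CHAIN" $RULE_SPEC 2>/dev/null; do :; done
}

# Read `iptables -nvL --line-numbers` output on stdin and print the rule numbers in
# the given chain whose source and target match, highest number first. Field layout
# with -v is: num pkts bytes target prot opt in out source destination [extras].
# Deleting rule N renumbers every rule after it, so a batch of deletions by number
# must run from the highest number down or it deletes the wrong rules.
rule_numbers() {
    chain=$1; src=$2; target=$3
    awk -v chain="$chain" -v src="$src" -v target="$target" '
        /^Chain / { in_chain = ($2 == chain); next }
        in_chain && $1 ~ /^[0-9]+$/ && $4 == target && $9 == src { print $1 }
    ' | sort -rn
}

# Delete the given rule numbers from a chain, in the order supplied.
delete_by_number() {
    chain=$1; shift
    for n in "$@"; do iptables -D "$chain" "$n"; done
}

# Constructed listing for the demonstration (not captured from a real host): rule 1
# is an unrelated multiport ACCEPT, rules 2 and 3 are the post's rule appended twice.
SAMPLE_LISTING=$(cat <<'EOF'
Chain INPUT (policy ACCEPT 2462 packets, 554K bytes)
num   pkts bytes target     prot opt in     out     source               destination
1      277 22324 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            multiport dports 22,80,443
2        3   180 REJECT     tcp  --  *      *       110.229.26.253       0.0.0.0/0            tcp dpt:80 reject-with icmp-port-unreachable
3        0     0 REJECT     tcp  --  *      *       110.229.26.253       0.0.0.0/0            tcp dpt:80 reject-with icmp-port-unreachable

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 2457 packets, 562K bytes)
num   pkts bytes target     prot opt in     out     source               destination
EOF
)

# Offline part: which numbers would we delete, and in what order? Prints 3, then 2.
printf '%s\n' "$SAMPLE_LISTING" | rule_numbers INPUT 110.229.26.253 REJECT

# Live part, only when explicitly requested on a root shell with iptables present.
if [ "${IPTABLES_APPLY:-0}" = 1 ]; then
    ensure_rule
    ensure_rule                                   # second call is a no-op
    nums=$(iptables -nvL --line-numbers | rule_numbers INPUT 110.229.26.253 REJECT)
    delete_by_number INPUT $nums                  # highest first, so numbering stays valid
fi
```

Run as a normal user it only evaluates the constructed listing and prints 3 and then 2, the order to delete in. With IPTABLES_APPLY=1 on a root shell it appends the rule, shows the second append is a no-op, and removes whatever copies exist by number. The descending order matters: after `iptables -D INPUT 2` the old rule 3 becomes rule 2, so deleting "2 then 3" would remove the wrong rule and then fail.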
-A appends a rule at the end of the chain; -I inserts it at the front (position 1 unless a position is given). Packets are tested against the rules top to bottom and the first match wins, so an inserted rule takes precedence over everything already in the chain:
[root@host ~]# iptables -I INPUT -p icmp --icmp-type 8 -j DROP
[root@host ~]# iptables -nvL
Chain INPUT (policy ACCEPT ? packets, 4425 bytes)
 pkts bytes target     prot opt in     out     source               destination
   74  6216 DROP       icmp --  *      *       0.0.0.0/0            0.0.0.0/0            icmptype 8

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT ? packets, 11135 bytes)
 pkts bytes target     prot opt in     out     source               destination
This rule drops ICMP echo requests (type 8), so other hosts can no longer ping this machine. The machine can still ping out, because the echo replies it receives are type 0 and are not matched by the rule.
Compare a ping from another host before and after the rule is added:
# before adding the iptables rule
[root@host-0002 ~]# ping 101.200.168.135
PING 101.200.168.135 (101.200.168.135) 56(84) bytes of data.
64 bytes from 101.200.168.135: icmp_seq=1 ttl=? time=16.1 ms
64 bytes from 101.200.168.135: icmp_seq=2 ttl=? time=13.7 ms
64 bytes from 101.200.168.135: icmp_seq=3 ttl=? time=13.2 ms
^C
--- 101.200.168.135 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2004ms
rtt min/avg/max/mdev = 13.252/14.370/16.135/1.262 ms

# after adding the rule: the requests are dropped and no reply ever comes back
[root@host-0002 ~]# ping 101.200.168.135
PING 101.200.168.135 (101.200.168.135) 56(84) bytes of data.
Set the default policy of a chain with -P. The policy is the verdict for packets that match none of the rules; here INPUT is set to ACCEPT. Be careful with iptables -P INPUT DROP on a remote machine: if the chain has no ACCEPT rule covering your SSH connection, the session is cut off the moment the policy changes.
[root@host ~]# iptables -P INPUT ACCEPT
[root@host ~]# iptables -nvL
Chain INPUT (policy ACCEPT ? packets, 2732 bytes)
 pkts bytes target     prot opt in     out     source               destination
  212 17808 DROP       icmp --  *      *       0.0.0.0/0            0.0.0.0/0            icmptype 8

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT ? packets, 3454 bytes)
 pkts bytes target     prot opt in     out     source               destination
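The two points above, rule order (-I versus -A) and the default policy (-P), combined into the procedure a practitioner actually needs: switching INPUT to a DROP policy from an SSH session without losing that session. This is an added example, not from the original post; it assumes a CentOS 7 host with iptables-services and SSH on port 22, and the names SSH_PORT, ROLLBACK_SECS, insert_once, lockdown_input, start_rollback_timer and IPTABLES_APPLY are this example's own.

```shell
#!/bin/sh
# Added example, not from the original post. Flips the INPUT policy to DROP in an
# order that cannot cut off the SSH session doing it, with a timed rollback as a
# safety net. Assumes CentOS 7 with iptables-services; SSH_PORT and ROLLBACK_SECS
# are this example's own knobs.
set -eu

SSH_PORT=${SSH_PORT:-22}
ROLLBACK_SECS=${ROLLBACK_SECS:-120}

# Insert at position 1 unless an identical rule already exists. -I rather than -A:
# an appended ACCEPT would sit behind the default "REJECT all" rule and never match.
insert_once() {
    chain=$1; shift
    iptables -C "$chain" "$@" 2>/dev/null || iptables -I "$chain" 1 "$@"
}

# Every ACCEPT that keeps the current session alive goes in BEFORE the policy
# changes. Each -I 1 pushes the earlier inserts down, so the final order is
# lo, RELATED/ESTABLISHED, new SSH, then whatever was already in the chain.
lockdown_input() {
    insert_once INPUT -p tcp --dport "$SSH_PORT" -m state --state NEW -j ACCEPT
    insert_once INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
    insert_once INPUT -i lo -j ACCEPT
    iptables -P INPUT DROP
}

# Background timer that reverts the policy. If the DROP policy does cut you off,
# access returns after ROLLBACK_SECS; if it did not, kill the PID this prints.
# Output of the subshell is redirected so the command substitution below returns
# immediately instead of waiting for the sleep.
start_rollback_timer() {
    ( sleep "$ROLLBACK_SECS"; iptables -P INPUT ACCEPT ) >/dev/null 2>&1 &
    echo $!
}

# Live part, only when explicitly requested on a root shell.
if [ "${IPTABLES_APPLY:-0}" = 1 ]; then
    timer=$(start_rollback_timer)
    lockdown_input
    echo "INPUT policy is now DROP. Open a second SSH session to confirm access,"
    echo "then run: kill $timer && service iptables save"
fi
```

Without IPTABLES_APPLY=1 the script only defines the functions. On a live host the rollback timer is the safety net: if the DROP policy does lock you out, it resets the policy to ACCEPT after ROLLBACK_SECS; if a fresh SSH login works, kill the timer and persist the result with service iptables save, the same way the post saves its own changes.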
Linux Learning (28) iptables (ii) Iptables rule syntax