Linux Learning (28) iptables (ii) Iptables rule syntax

Source: Internet
Author: User

To view iptables rules:

# iptables -nvL
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
 1786  140K ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
    1     - ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:22
  122 10168 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT 1513 packets, 135K bytes)
 pkts bytes target     prot opt in     out     source               destination

No table was named in this command, so it lists the filter table. We have not written any rules yet, so what it shows are the default rules, which are stored in /etc/sysconfig/iptables.

vim /etc/sysconfig/iptables:

# Sample configuration for iptables service
# You can edit this manually or use system-config-firewall
# Do not ask us to add additional ports/services to this default configuration
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
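The file above is in the iptables-save format: a `*table` line, one `:CHAIN POLICY [pkts:bytes]` line per chain, the `-A` rules, and `COMMIT`. The following is an added example, not code from the original post, that parses this format and reports the things worth checking before you reload a ruleset: the INPUT policy, which TCP ports the chain opens, and whether the chain actually ends in a catch-all REJECT/DROP (with a policy of ACCEPT, dropping that last rule silently lets everything through). The embedded ruleset is the CentOS default shown above; `parse_save`, `option` and `audit_input` are names chosen for this example.

```python
"""Parse the iptables-save format used by /etc/sysconfig/iptables and audit the INPUT chain.

Added example for this post, not code from the original. The embedded ruleset is
the CentOS default shown above, copied here so the script runs offline.
"""
import shlex
from dataclasses import dataclass, field

# Constructed sample: the default /etc/sysconfig/iptables content.
SAMPLE_RULESET = """\
# sample configuration for iptables service
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
"""


@dataclass
class Chain:
    policy: str                                  # ACCEPT/DROP for built-in chains, "-" for user chains
    rules: list = field(default_factory=list)    # each rule is its argv list, after "-A <chain>"


def parse_save(text):
    """Return {table: {chain_name: Chain}} from iptables-save style text."""
    tables, table = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("*"):                 # *filter, *nat, ...
            table = line[1:]
            tables[table] = {}
        elif line.startswith(":"):               # :INPUT ACCEPT [pkts:bytes]
            name, policy = line[1:].split()[:2]
            tables[table][name] = Chain(policy)
        elif line == "COMMIT":
            table = None
        elif line.startswith("-A "):             # -A <chain> <matches...> -j <target>
            argv = shlex.split(line)
            tables[table].setdefault(argv[1], Chain("-")).rules.append(argv[2:])
        else:
            raise ValueError(f"unrecognised line: {raw!r}")
    return tables


def option(argv, *names):
    """Value following the first of the given option names, or None if absent."""
    for i, tok in enumerate(argv[:-1]):
        if tok in names:
            return argv[i + 1]
    return None


def open_tcp_ports(chain):
    """Destination ports accepted by '-p tcp ... -j ACCEPT' rules, in chain order."""
    return [
        option(r, "--dport", "--destination-port")
        for r in chain.rules
        if option(r, "-p", "--protocol") == "tcp"
        and option(r, "-j", "--jump") == "ACCEPT"
        and option(r, "--dport", "--destination-port")
    ]


def audit_input(tables):
    """Findings a reviewer wants for filter/INPUT: policy, open ports, default deny."""
    chain = tables["filter"]["INPUT"]
    last = chain.rules[-1] if chain.rules else []
    # With an ACCEPT policy the chain is only default-deny if its last rule is an
    # unconditional REJECT/DROP; anything else lets unmatched traffic through.
    unconditional = option(last, "-p", "-s", "-i", "--dport", "-m") is None
    catch_all = option(last, "-j", "--jump") in ("REJECT", "DROP") and unconditional
    return {
        "policy": chain.policy,
        "open_tcp_ports": open_tcp_ports(chain),
        "default_deny": chain.policy == "DROP" or catch_all,
    }


if __name__ == "__main__":
    print(audit_input(parse_save(SAMPLE_RULESET)))
```

Run it against the output of `iptables-save` on a real host to get the same report for the running rules; the check that matters most is `default_deny`, because a flushed or half-edited chain with an ACCEPT policy looks fine in `iptables -nvL` but filters nothing.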

Specify the table with -t:

# iptables -t nat -nvL
Chain PREROUTING (policy ACCEPT the packets, 4222 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain INPUT (policy ACCEPT 1 packets, - bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 1 packets, in bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain POSTROUTING (policy ACCEPT 1 packets, in bytes)
 pkts bytes target     prot opt in     out     source               destination

Flush the rules:

# iptables -F
# iptables -nvL
Chain INPUT (policy ACCEPT + packets, 3132 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT in packets, 2516 bytes)
 pkts bytes target     prot opt in     out     source               destination

-F only clears the rules currently loaded in the kernel. If you do not save afterwards, restarting the iptables service reloads /etc/sysconfig/iptables and the original rules come back.

Save:

# service iptables save
iptables: Saving firewall rules to /etc/sysconfig/iptables: [  OK  ]
# vim /etc/sysconfig/iptables

Restart the service:

# service iptables restart
Redirecting to /bin/systemctl restart  iptables.service

Zero the packet and byte counters:

# iptables -nvL
Chain INPUT (policy ACCEPT 18M packets, 2965M bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 15M packets, 5501M bytes)
 pkts bytes target     prot opt in     out     source               destination
# iptables -Z
# iptables -nvL
Chain INPUT (policy ACCEPT the packets, 2984 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT - packets, 2456 bytes)
 pkts bytes target     prot opt in     out     source               destination

Add a rule:

# iptables -A INPUT -p tcp -s 110.229.26.253 --dport 80 -j REJECT

This rule says: a packet entering the INPUT chain from source IP 110.229.26.253 and destined for TCP port 80 is rejected. In short, this IP is not allowed to reach our port 80.

Delete the rule above (same rule specification, with -A replaced by -D):

# iptables -D INPUT -p tcp -s 110.229.26.253 --dport 80 -j REJECT

Besides deleting by the full rule specification, there is another way to remove a rule.

First get the rule's number in the chain:

# iptables -nvL --line-numbers
Chain INPUT (policy ACCEPT 2462 packets, 554K bytes)
num   pkts bytes target     prot opt in     out     source               destination
1      277 22324 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            multiport dports -,+,the

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 2457 packets, 562K bytes)
num   pkts bytes target     prot opt in     out     source               destination

Then delete it by number:

# iptables -D INPUT 1
# iptables -nvL
Chain INPUT (policy ACCEPT - packets, 3008 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT * packets, 3614 bytes)
 pkts bytes target     prot opt in     out     source               destination
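Deleting by number is convenient but has a trap: the number is a position, so after `iptables -D INPUT 2` the old rule 3 becomes rule 2. The following is an added example, not code from the original post, that parses `iptables -nvL --line-numbers` output into records and turns a match (here, every rule whose source is the IP blocked earlier) into `-D` commands ordered from the highest number down, so that a batch of deletions hits the rules it was aimed at. The listing is a constructed sample in the same layout as the output above; `parse_listing`, `Rule` and `delete_commands` are names chosen for this example.

```python
"""Parse 'iptables -nvL --line-numbers' output and build safe delete-by-number commands.

Added example for this post, not code from the original. The listing below is a
constructed sample in the same layout as the real output; the IP is the one the
post blocks.
"""
import re
from dataclasses import dataclass

# Constructed sample listing (not captured from a real host).
SAMPLE_LISTING = """\
Chain INPUT (policy ACCEPT 2462 packets, 554K bytes)
num   pkts bytes target     prot opt in     out     source               destination
1      277 22324 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            multiport dports 22,80,443
2        0     0 REJECT     tcp  --  *      *       110.229.26.253       0.0.0.0/0            tcp dpt:80 reject-with icmp-port-unreachable
3       12   960 REJECT     tcp  --  *      *       110.229.26.253       0.0.0.0/0            tcp dpt:443 reject-with icmp-port-unreachable
4        5   300 DROP       icmp --  *      *       0.0.0.0/0            0.0.0.0/0            icmptype 8

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 2457 packets, 562K bytes)
num   pkts bytes target     prot opt in     out     source               destination
"""

# Built-in chains print a policy; user-defined chains print a reference count instead.
CHAIN_RE = re.compile(r"^Chain (\S+) \((?:policy (\S+) .*|\d+ references)\)$")


@dataclass
class Rule:
    chain: str
    num: int
    pkts: str
    bytes: str
    target: str
    prot: str
    source: str
    destination: str
    extra: str          # match-details column: "tcp dpt:80 ...", "icmptype 8", ...


def parse_listing(text):
    """Return ({chain: policy}, [Rule, ...]) from -nvL --line-numbers output."""
    chains, rules, chain = {}, [], None
    for line in text.splitlines():
        m = CHAIN_RE.match(line)
        if m:
            chain = m.group(1)
            chains[chain] = m.group(2) or "-"
            continue
        parts = line.split(None, 10)          # at most 11 fields; the last keeps its spaces
        if not parts or not parts[0].isdigit():
            continue                          # blank lines and the column header row
        num, pkts, nbytes, target, prot, _opt, _in, _out, src, dst = parts[:10]
        extra = parts[10] if len(parts) > 10 else ""
        rules.append(Rule(chain, int(num), pkts, nbytes, target, prot, src, dst, extra))
    return chains, rules


def delete_commands(rules, chain, predicate):
    """'iptables -D <chain> <num>' for every matching rule, highest number first.

    Rule numbers are positions: deleting rule 2 turns rule 3 into rule 2, so a
    batch of numbered deletions must run from the highest down or the later
    commands remove the wrong rules.
    """
    nums = sorted((r.num for r in rules if r.chain == chain and predicate(r)), reverse=True)
    return [f"iptables -D {chain} {n}" for n in nums]


if __name__ == "__main__":
    chains, rules = parse_listing(SAMPLE_LISTING)
    for cmd in delete_commands(rules, "INPUT", lambda r: r.source == "110.229.26.253"):
        print(cmd)
```

The same parser serves for review: filter the `Rule` records by target, source or the `extra` column to see which rules have non-zero counters and which have never matched.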

In addition to -A, which appends a rule at the end of the chain, we can add a rule with -I, which inserts it at the front (position 1 unless a position is given):

# iptables -I INPUT -p icmp --icmp-type 8 -j DROP
# iptables -nvL
Chain INPUT (policy ACCEPT packets, 4425 bytes)
 pkts bytes target     prot opt in     out     source               destination
 6216       DROP       icmp --  *      *       0.0.0.0/0            0.0.0.0/0            icmptype 8

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT packets, 11135 bytes)
 pkts bytes target     prot opt in     out     source               destination

The purpose of this rule is to stop others from pinging your machine: ICMP type 8 is echo-request, so dropping it means the host never answers a ping.

Compare ping before and after the rule.

Before setting up iptables:

# ping 101.200.168.135
PING 101.200.168.135 (101.200.168.135) 56(84) bytes of data.
64 bytes from 101.200.168.135: icmp_seq=1 ttl=- time=16.1 ms
64 bytes from 101.200.168.135: icmp_seq=2 ttl=- time=13.7 ms
64 bytes from 101.200.168.135: icmp_seq=3 ttl=- time=13.2 ms
^C
--- 101.200.168.135 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2004ms
rtt min/avg/max/mdev = 13.252/14.370/16.135/1.262 ms

After setting it up, ping prints only the header and then waits; no replies come back:

# ping 101.200.168.135
PING 101.200.168.135 (101.200.168.135) 56(84) bytes of data.

Set the default policy of a chain:

# iptables -P INPUT ACCEPT
# iptables -nvL
Chain INPUT (policy ACCEPT $ packets, 2732 bytes)
 pkts bytes target     prot opt in     out     source               destination
  212 17808 DROP       icmp --  *      *       0.0.0.0/0            0.0.0.0/0            icmptype 8

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT to packets, 3454 bytes)
 pkts bytes target     prot opt in     out     source               destination

The policy applies only to built-in chains and decides what happens to a packet that matches none of the rules. Before setting INPUT to DROP, make sure an ACCEPT rule for your own SSH session is already in the chain, or the change locks you out.
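Rule order and the chain policy decide everything above: iptables walks a chain top to bottom, the first matching rule's target is the verdict, and the policy set with -P applies only when no rule matched. The following is an added example, not code from the original post, that simulates this traversal with the default INPUT chain from the top of the post. It shows why the ICMP block had to be inserted with -I (appended with -A it would sit behind `-p icmp -j ACCEPT` and never match), and how the same unmatched packet gets ACCEPT or DROP depending on the policy. Rules are reduced to the match fields this post uses (protocol, source, destination port, ICMP type, connection state); `Rule`, `Chain`, `default_input` and the `*_verdict` functions are names chosen for this example.

```python
"""First-match simulation of an iptables chain: why -I and -A differ, and what -P decides.

Added example for this post, not code from the original. Rules are reduced to the
match fields this post uses; real iptables evaluates far more, but traversal is
the same: the first matching rule's target is the verdict, and the chain policy
(-P) applies only to packets no rule matched.
"""
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Rule:
    target: str                       # ACCEPT, DROP or REJECT
    proto: Optional[str] = None       # None means "any", like omitting -p
    source: Optional[str] = None
    dport: Optional[int] = None
    icmp_type: Optional[int] = None
    state: Optional[str] = None       # "NEW" or "ESTABLISHED" in this simplified model

    def matches(self, pkt):
        wanted = {"proto": self.proto, "source": self.source, "dport": self.dport,
                  "icmp_type": self.icmp_type, "state": self.state}
        return all(v is None or pkt.get(k) == v for k, v in wanted.items())


@dataclass
class Chain:
    policy: str = "ACCEPT"            # set with iptables -P; built-in chains only
    rules: list = field(default_factory=list)

    def append(self, rule):           # iptables -A: goes to the end
        self.rules.append(rule)

    def insert(self, rule, pos=1):    # iptables -I [pos]: 1-based, default is the front
        self.rules.insert(pos - 1, rule)

    def verdict(self, pkt):
        for rule in self.rules:       # first match wins
            if rule.matches(pkt):
                return rule.target
        return self.policy            # nothing matched: the -P policy decides


def default_input():
    """The CentOS default INPUT chain from the top of the post (lo rule omitted)."""
    c = Chain("ACCEPT")
    c.append(Rule("ACCEPT", state="ESTABLISHED"))
    c.append(Rule("ACCEPT", proto="icmp"))
    c.append(Rule("ACCEPT", proto="tcp", dport=22, state="NEW"))
    c.append(Rule("REJECT"))
    return c


PING = {"proto": "icmp", "icmp_type": 8, "state": "NEW"}   # an incoming echo-request
BLOCK_PING = Rule("DROP", proto="icmp", icmp_type=8)        # -p icmp --icmp-type 8 -j DROP


def ping_verdict_with_append():
    """-A puts the DROP after '-p icmp -j ACCEPT', so it is never reached."""
    c = default_input()
    c.append(BLOCK_PING)
    return c.verdict(PING)


def ping_verdict_with_insert():
    """-I makes the DROP rule 1, so it is evaluated before the ICMP ACCEPT."""
    c = default_input()
    c.insert(BLOCK_PING)
    return c.verdict(PING)


def unmatched_verdict(policy):
    """A packet no rule matches gets the chain policy, whatever -P set it to."""
    c = Chain(policy)
    c.append(Rule("ACCEPT", proto="tcp", dport=22))
    return c.verdict({"proto": "tcp", "dport": 80, "state": "NEW"})


if __name__ == "__main__":
    print("ping with -A:", ping_verdict_with_append(), "| with -I:", ping_verdict_with_insert())
    print("unmatched, -P ACCEPT:", unmatched_verdict("ACCEPT"), "| -P DROP:", unmatched_verdict("DROP"))
```

The `pkts` column in `iptables -nvL` is the practical check for this: a rule that was appended behind a broader match shows a counter that never moves.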
