Skill -- iptables (5)

Source: Internet
Author: User
Black/white list

Blacklist: the default policy is ACCEPT, and the rules in the chain use DROP or REJECT as their action. Only packets that match a rule are rejected; packets that match no rule are passed by default.
Whitelist: the default policy is DROP or REJECT, and the rules in the chain use ACCEPT as their action. Only packets that match a rule are passed; packets that match no rule are rejected by default.
In other words:
With a whitelist, only the known good are let in.
With a blacklist, everyone is treated as good by default and only the known bad are turned away.
Case 1:
Simple blacklist (the default policy is ACCEPT, and the action of the rules in the chain is DROP or REJECT)

Case 2:
Simple whitelist (the default policy is DROP or REJECT, and the action of the rules in the chain is ACCEPT)
First add a rule with the action ACCEPT so that port 22 can still be reached, and only then use -P to change the default policy to DROP.
For example:

Note: however, if that rule is deleted by mistake, or iptables -F INPUT is run to flush the chain, the SSH session you are connected through is cut off, which is obviously not what we want.
You can make the following change instead:
Leave the default policy at ACCEPT and, after the allow rules, append one rule that rejects all remaining traffic.
A packet that matches an allow rule is accepted by that rule; a packet that matches none falls through to the final reject rule and is blocked.

The point of doing it this way is that if the chain is flushed by mistake (iptables -F INPUT clears every rule in INPUT), the default policy of ACCEPT still applies and the connection stays up.
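As an added example (not the page's own commands), the following script builds the "default ACCEPT plus final REJECT" whitelist described above. The management network 192.0.2.0/24, the DRY_RUN switch, and the loopback and ESTABLISHED,RELATED allow rules are assumptions not in the original; the last two are included because without them the final REJECT would also stop replies to connections the host itself opens. With DRY_RUN=1 (the default) the script only prints the commands for review; run it as root with DRY_RUN=0 to apply them.

```shell
#!/bin/sh
# Added example: safe whitelist for INPUT. The default policy stays ACCEPT and a
# final REJECT rule does the blocking, so flushing the chain cannot lock us out.
DRY_RUN="${DRY_RUN:-1}"
MGMT_NET="${MGMT_NET:-192.0.2.0/24}"   # assumed management network (documentation range)

# Print the command (dry run) or execute it (DRY_RUN=0, needs root).
run() {
    if [ "$DRY_RUN" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

safe_whitelist() {
    # Keep the default policy ACCEPT and start from an empty INPUT chain.
    run iptables -t filter -P INPUT ACCEPT
    run iptables -t filter -F INPUT
    # Allow rules come first: a packet that matches one is accepted immediately.
    run iptables -t filter -A INPUT -i lo -j ACCEPT
    run iptables -t filter -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    run iptables -t filter -A INPUT -p tcp --dport 22 -s "$MGMT_NET" -j ACCEPT
    # The catch-all comes last (-A appends): everything not matched above is rejected.
    run iptables -t filter -A INPUT -j REJECT --reject-with icmp-port-unreachable
}

# Adding an allow rule later with -A would land it behind the final REJECT and
# never match, so insert it at position 1 instead.
allow_port() {
    run iptables -t filter -I INPUT 1 -p tcp --dport "$1" -j ACCEPT
}

# Returns the last rule the whitelist installs (used to check the ordering).
last_rule() {
    safe_whitelist | tail -n 1
}

safe_whitelist
```

Because the catch-all REJECT is appended with -A, every allow rule added afterwards must be inserted with -I so it sits above the reject; allow_port does that. Check the resulting order with iptables -t filter -L INPUT -n --line-numbers before relying on it.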

Custom chain

Custom chains address the problem of the default chains accumulating too many rules and make it easier to manage rules by category. For example, you can define a chain that holds only the inbound rules for port 80.
Case 3

  1. Create a custom chain
    Note: As mentioned earlier, -t filter can be omitted because filter is the default table.

  2. Add rules to in_web and view them
    Note: Operating on a custom chain is no different from operating on a default chain.
  3. Reference the custom chain from a default chain
    Note: Until a default chain references it, the rules defined in the custom chain are never evaluated. Which default chain should reference it depends on the actual scenario (a custom chain can also be referenced from another custom chain).
    Note: Using the custom chain name as the target of -j means that TCP packets arriving at port 80 of the local machine are handed to the custom chain for processing. Notice that the references count of in_web changes to 1, showing that the custom chain is now referenced once.

  4. Rename a custom chain

  5. Delete a custom chain
    Note: Two conditions must be met before a custom chain can be deleted:
    1) The custom chain contains no rules, that is, it is empty.
    2) The custom chain is not referenced by any default chain, that is, its reference count is 0.
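As an added example (not the page's own commands), this script walks through steps 1 to 5 of Case 3 for the in_web chain: create it, fill it with port-80 rules, reference it from INPUT, rename it, and tear it down in the order the two deletion conditions require. The allowed network 192.0.2.0/24 and the DRY_RUN switch are assumptions; with DRY_RUN=1 (the default) the commands are only printed, and DRY_RUN=0 executes them as root.

```shell
#!/bin/sh
# Added example: lifecycle of a custom chain holding only inbound port-80 rules.
DRY_RUN="${DRY_RUN:-1}"
CHAIN="${CHAIN:-in_web}"

# Print the command (dry run) or execute it (DRY_RUN=0, needs root).
run() {
    if [ "$DRY_RUN" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

create_web_chain() {
    # 1. Create the chain; -t filter is the default table and could be omitted.
    run iptables -t filter -N "$CHAIN"
    # 2. Add rules exactly as you would to INPUT. Here only an assumed network
    #    may reach the web port; everything else that enters the chain is rejected.
    run iptables -t filter -A "$CHAIN" -s 192.0.2.0/24 -j ACCEPT
    run iptables -t filter -A "$CHAIN" -j REJECT
    # 3. Reference it from INPUT. Only now are its rules evaluated, and this is
    #    what raises the chain's references count to 1.
    run iptables -t filter -I INPUT -p tcp --dport 80 -j "$CHAIN"
}

# 4. Rename the chain (rules and references are kept).
rename_web_chain() {
    run iptables -t filter -E "$CHAIN" "$1"
}

# 5. Delete the chain. -X fails while the chain is referenced or non-empty,
#    so drop the reference first, then flush, then delete.
delete_web_chain() {
    run iptables -t filter -D INPUT -p tcp --dport 80 -j "$CHAIN"   # references -> 0
    run iptables -t filter -F "$CHAIN"                               # chain is now empty
    run iptables -t filter -X "$CHAIN"
}

create_web_chain
```

The deletion order is the practical form of the two conditions in step 5: running -X before -D or -F simply fails, which is why a teardown script should always remove the jump rule and flush the chain first. After creating the chain, iptables -t filter -L in_web -n -v shows the rules and the references count.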
