Skill--iptables (b)

Source: Internet
Author: User

iptables: query, add, delete, modify and save rules

One: Query

Parameter        Description
-t               Specify the table to operate on; defaults to the filter table
-L               List the rules in a chain (or in every chain of the table)
-v               Show more information (counters, interfaces)
-x               Display the exact counter values instead of rounded K/M/G figures
-n               Do not resolve IP addresses to names; display the IP directly
--line-numbers   Display the line number of each rule (may be abbreviated to --line)

Case one:
Query the rules in the INPUT chain of the filter table: iptables -t filter -vL INPUT

The meaning of each column is described below

Column         Description
pkts           The number of packets that matched the rule
bytes          The total size of the packets that matched the rule
target         The action, that is, what is done with a packet after a successful match
prot           The protocol the rule applies to
opt            Options of the rule
in             The interface (network card) the packet came in through; a rule can require that the packet arrived through a particular NIC
out            The interface (network card) the packet goes out through; a rule can require that the packet leaves through a particular NIC
source         The source address the rule matches, for example an IP or a network segment
destination    The destination address the rule matches, for example an IP or a network segment

Case TWO:
List the rules in the INPUT chain of the filter table with line numbers and without reverse name resolution of IP addresses

Compared with the figure above, the underlined items on the chain header line mean the following

Field          Description
policy         The default policy of the current chain; it is applied when no rule in the chain matches the packet
packets        The number of packets handled by the chain's default policy
bytes          The total size of all packets handled by the chain's default policy
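The columns and header fields above are easier to use programmatically than to read by eye. As an added example (not part of the original page), the following Python parser turns the output of iptables -t filter -nvL INPUT --line-numbers into structured records, including the chain header (policy, packets, bytes) and the K/M/G-suffixed counters iptables prints when -x is not given. The listing it parses is constructed, not captured from a real host.

```python
import re
from collections import namedtuple

# Constructed sample of `iptables -t filter -nvL INPUT --line-numbers` output (without -x,
# so counters may carry K/M/G suffixes); not captured from a real host.
SAMPLE = """\
Chain INPUT (policy ACCEPT 1234 packets, 567890 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1       12   720 DROP       all  --  *      *       192.168.80.138       0.0.0.0/0
2     3500  210K ACCEPT     tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0            tcp dpt:22
"""

HEADER_RE = re.compile(r"^Chain (\S+) \(policy (\S+) (\d+) packets, (\d+) bytes\)$")
SUFFIX = {"K": 1000, "M": 1000 ** 2, "G": 1000 ** 3}

# One record per rule line; the columns are the ones explained in the table above.
Rule = namedtuple("Rule", "num pkts byte_count target prot opt in_if out_if source destination extra")
# The chain header line: default policy plus the counters of packets that fell through to it.
Chain = namedtuple("Chain", "name policy policy_pkts policy_bytes rules")

def parse_counter(text):
    """Without -x, iptables rounds counters and suffixes them (e.g. '210K'); expand that."""
    if text[-1] in SUFFIX:
        return int(text[:-1]) * SUFFIX[text[-1]]
    return int(text)

def parse_chain(listing):
    lines = [line for line in listing.splitlines() if line.strip()]
    m = HEADER_RE.match(lines[0])
    if not m:
        raise ValueError("not a chain header: %r" % lines[0])
    rules = []
    for line in lines[2:]:             # lines[1] is the column header printed by iptables
        f = line.split(None, 10)       # the 11th field keeps free-form match text ("tcp dpt:22") intact
        rules.append(Rule(int(f[0]), parse_counter(f[1]), parse_counter(f[2]),
                          *f[3:10], f[10] if len(f) > 10 else ""))
    return Chain(m.group(1), m.group(2), int(m.group(3)), int(m.group(4)), rules)
```

Use -x in the real command if you need exact counters; the suffix expansion above only recovers the rounded value.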

Two: Add

Parameter        Description
-I (insert)      Insert the rule into the chain (at the top by default), that is, add it
-A (append)      Append the rule to the end of the chain
-s (source)      Source address, the address used in the match condition
-j (jump)        The action to take when the match condition is met (for example ACCEPT or DROP)

Case one:
Add a rule to the INPUT chain of the filter table that discards packets from ip:192.168.80.138

Ping or SSH from the 80.138 machine to see the result

Watch the changes on 80.144, such as the packet count and total size of the rule's counters

Case TWO:
The difference between adding with -I and with -A
For example, a rule added with -I appears in the first row

A rule added with -A appears in the third row (the end of the chain); that is the difference between -I and -A

Case THREE:
Use -I to add a rule at the second line

Note: iptables matches rules from top to bottom; once a packet matches a rule, the rules below it are not checked

Three: Delete

Parameter        Description
-F (flush)       Clear the rules; if only the table is specified and no chain, all rules in the table are deleted
-D               Delete the rule that matches the given criteria (or the given line number)

Case one:
Delete a rule by its line number

Case TWO:
Delete a rule by its match conditions and action

Case THREE:
Clear the list

Note: When no -t table is given, the filter table is assumed

Four: Modify
Rules are modified with -R, but it is not commonly used; if you want to change a rule, the author suggests deleting it and adding it again
Case one:
Modifying the action of a rule

Note: Modifying with -R chain rule-number works, but the original match conditions must be given again; that is, to modify a rule you restate its original match conditions, and if there are several, you write all of them
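As an added illustration (not from the original page) of why -I and -A differ, of the top-down first-match rule noted in section Two, and of -D and -R as described above, the following Python model replays the page's cases. It assumes rules that match only on source address; the host 192.168.80.138 is the page's own example.

```python
import ipaddress

class Chain:
    """Toy model of one iptables chain (assumption: rules match on source address only).
    It mirrors the commands on this page: -I, -A, -D, -R and the chain's default policy."""

    def __init__(self, policy="ACCEPT"):
        self.policy = policy          # what the chain does when no rule matches
        self.rules = []               # ordered list of (source network, target)

    def insert(self, source, target, position=1):
        # iptables -I CHAIN [position] -s SOURCE -j TARGET; default position is line 1
        self.rules.insert(position - 1, (ipaddress.ip_network(source), target))

    def append(self, source, target):
        # iptables -A CHAIN -s SOURCE -j TARGET; goes to the end of the chain
        self.rules.append((ipaddress.ip_network(source), target))

    def delete(self, number):
        # iptables -D CHAIN NUMBER; line numbers are 1-based as in --line-numbers
        del self.rules[number - 1]

    def replace(self, number, source, target):
        # iptables -R CHAIN NUMBER -s SOURCE -j TARGET; the whole rule is restated
        self.rules[number - 1] = (ipaddress.ip_network(source), target)

    def verdict(self, src_ip):
        """Top-down evaluation: the first matching rule decides, later rules are never seen."""
        ip = ipaddress.ip_address(src_ip)
        for number, (net, target) in enumerate(self.rules, 1):
            if ip in net:
                return number, target
        return None, self.policy      # fell through to the default policy

def demo():
    """Replay the page's cases with the host 192.168.80.138."""
    chain = Chain("ACCEPT")
    chain.append("192.168.80.138", "DROP")      # Case one: drop the host (line 1)
    dropped = chain.verdict("192.168.80.138")   # (1, 'DROP')
    chain.insert("192.168.80.0/24", "ACCEPT")   # -I lands at line 1 and shadows the DROP
    shadowed = chain.verdict("192.168.80.138")  # (1, 'ACCEPT'): the DROP at line 2 is never reached
    chain.delete(1)                             # -D by line number restores the intended behaviour
    restored = chain.verdict("192.168.80.138")  # (1, 'DROP')
    unmatched = chain.verdict("10.0.0.5")       # (None, 'ACCEPT'): default policy applies
    return dropped, shadowed, restored, unmatched
```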

Five: Save rules
CentOS 6: use service iptables save to save the rules permanently; by default they are written to the /etc/sysconfig/iptables file
If a mistake is made but not yet saved, run service iptables restart to restart iptables; the rules revert to the last saved state (/etc/sysconfig/iptables)

CentOS 7: iptables and iptables-services must be installed first; after that it works as in CentOS 6.
The installation steps are as follows:

# After configuring the yum repository, install iptables-services
yum install -y iptables-services
# Stop firewalld
systemctl stop firewalld
# Prevent firewalld from starting automatically
systemctl disable firewalld
# Start iptables
systemctl start iptables
# Enable iptables at boot; from then on the iptables service is controlled through iptables-services
systemctl enable iptables

You can also save and restore with iptables-save and iptables-restore, but when the rules are reloaded this way, the existing rules are overwritten
As follows:

iptables-save > /etc/sysconfig/iptables
iptables-restore < /etc/sysconfig/iptables
