In daily operations and maintenance work, iptables is often used to configure IP packet filtering and firewall rules. First, note that the iptables configuration file (on Red Hat-family systems) is /etc/sysconfig/iptables; rules must be written to this file, otherwise they are lost after a restart.
1. iptables generally has three tables (filter, nat, and mangle)
filter: the default table, concerned mainly with traffic to and from the Linux host itself. It usually has three chains:
INPUT: handles packets destined for the Linux host itself;
OUTPUT: handles packets sent by the Linux host itself;
FORWARD: handles packets not addressed to the Linux host but passing through it to machines behind it; it works together with the nat table.
nat: used mainly to translate source and destination IP addresses or ports; it is not concerned with traffic to the Linux host itself. Its chains are:
PREROUTING: rules applied before the routing decision (DNAT/REDIRECT)
POSTROUTING: rules applied after the routing decision (SNAT/MASQUERADE)
OUTPUT: rules applied to packets sent by the host itself
mangle: this table is mainly used to set routing marks on special packets. Early on it had only the PREROUTING and OUTPUT chains; the INPUT and FORWARD chains were added after kernel 2.4.18. Because this table is tied to such special marking, mangle is rarely used in simple environments like ours.
2. Common iptables commands
View existing iptables rules:
# iptables -L -n
Clear existing iptables rules:
# iptables -F    # clears the rules of every chain in the default filter table
Allow all hosts in the LAN 192.168.0.0/24 except 192.168.0.3 to access the proxy server (the DROP rule must be appended first, because rules are matched in order):
# iptables -A INPUT -i eth0 -s 192.168.0.3 -j DROP
# iptables -A INPUT -i eth0 -s 192.168.0.0/24 -j ACCEPT
Accept all packets arriving on eth0:
# iptables -A INPUT -i eth0 -j ACCEPT
Redirect port 80 of the server to port 8080:
# iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-ports 8080
Allow packets arriving on interface eth1 with source port 80 (replies from web servers) into the server:
# iptables -A INPUT -i eth1 -p tcp --sport 80 -j ACCEPT
Open port 80 of the server to the outside world:
# iptables -A INPUT -i eth0 -p tcp --dport 80 -j ACCEPT
Allow external ping tests:
# iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
# iptables -A OUTPUT -p icmp --icmp-type echo-reply -j ACCEPT
Only allow SSH connection requests from a specified network.
The following rules allow SSH only from 192.168.100.0/24 (they restrict anything only if the INPUT chain's default policy, or a later rule, drops the remaining traffic):
# iptables -A INPUT -i eth0 -p tcp -s 192.168.100.0/24 --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
# iptables -A OUTPUT -o eth0 -p tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT
Allow outbound DNS queries and their replies:
# iptables -A OUTPUT -p udp -o eth0 --dport 53 -j ACCEPT
# iptables -A INPUT -p udp -i eth0 --sport 53 -j ACCEPT
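As an added example (not part of the original post), the following script combines the rules above into one ruleset in the format that iptables-restore reads, which is what /etc/sysconfig/iptables holds, so the rules survive a reboot. It assumes eth0 is the external interface, 192.168.100.0/24 is the management network, and the web service listens on port 8080 behind the redirect; it also sets the INPUT policy to DROP so that the "only allow" rules actually restrict traffic.

```shell
#!/bin/sh
# Added example (not from the original post): emit a complete ruleset in the
# format iptables-restore reads, i.e. what /etc/sysconfig/iptables holds.
# Assumptions: eth0 is the external interface, 192.168.100.0/24 is the
# management network, and the web service listens on 8080 behind the redirect.
EXT_IF="${EXT_IF:-eth0}"
SSH_NET="${SSH_NET:-192.168.100.0/24}"

gen_rules() {
  cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# port 80 is redirected before routing; the packet then reaches INPUT with dport 8080
-A PREROUTING -i $EXT_IF -p tcp --dport 80 -j REDIRECT --to-ports 8080
COMMIT
*filter
# default-deny inbound: without this, "only allow SSH from X" restricts nothing,
# because traffic not matched by any ACCEPT rule would still fall through
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
# replies to connections this host opened (DNS answers, HTTP fetches, ...),
# so no per-service --sport rules are needed on INPUT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# new SSH sessions only from the management network, on the external interface
-A INPUT -i $EXT_IF -p tcp -s $SSH_NET --dport 22 -m state --state NEW -j ACCEPT
# the public web service, matched on the post-REDIRECT port
-A INPUT -i $EXT_IF -p tcp --dport 8080 -m state --state NEW -j ACCEPT
-A INPUT -p icmp --icmp-type echo-request -j ACCEPT
COMMIT
EOF
}

# Parse-check the ruleset (iptables-restore -t), then persist and load it.
install_rules() {
  gen_rules | iptables-restore -t || return 1
  gen_rules > /etc/sysconfig/iptables || return 1
  iptables-restore < /etc/sysconfig/iptables
}

case "${1:-}" in
  --install) install_rules ;;   # needs root; run as: sh fw.sh --install
  *) gen_rules ;;               # default: just print the ruleset for review
esac
```

Review the printed ruleset first; only `--install` touches the live firewall, and it refuses to write the file if iptables-restore rejects the syntax.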