Iptables syntax
- [root@aminglinux-001 ~]# iptables -nvl    view the default iptables rules (options are case-sensitive: the list option is -L, so -nvl is rejected)
- iptables v1.4.21: unknown option "-nvl"
- Try `iptables -h' or 'iptables --help' for more information.
- [root@aminglinux-001 ~]# iptables -nvL
- Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
- pkts bytes target prot opt in out source destination
- 2947 230K ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
- 0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0
- 0 0 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
- 1 52 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:22
- 34 5641 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited
- Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
- pkts bytes target prot opt in out source destination
- 0 0 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited
- Chain OUTPUT (policy ACCEPT 2151 packets, 318K bytes)
- pkts bytes target prot opt in out source destination
Default location where the iptables rules are saved:
- [root@aminglinux-001 ~]# cat /etc/sysconfig/iptables
- # sample configuration for iptables service
- # you can edit this manually or use system-config-firewall
- # please do not ask us to add additional ports/services to this default configuration
- *filter
- :INPUT ACCEPT [0:0]
- :FORWARD ACCEPT [0:0]
- :OUTPUT ACCEPT [0:0]
- -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
- -A INPUT -p icmp -j ACCEPT
- -A INPUT -i lo -j ACCEPT
- -A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
- -A INPUT -j REJECT --reject-with icmp-host-prohibited
- -A FORWARD -j REJECT --reject-with icmp-host-prohibited
- COMMIT
- [root@aminglinux-001 ~]# iptables -F    flush all rules
- [root@aminglinux-001 ~]# service iptables save    save the rules currently in effect to the configuration file
iptables: Saving firewall rules to /etc/sysconfig/iptables:[ 确定 ]
[root@aminglinux-001 ~]#
As long as the rules have not been saved, restarting the service restores the saved default configuration;
rules you have just changed take effect only in memory.
- [root@aminglinux-001 ~]# iptables -t filter -nvL    -t selects the table to operate on
- Chain INPUT (policy ACCEPT 172 packets, 12679 bytes)
- pkts bytes target prot opt in out source destination
- Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
- pkts bytes target prot opt in out source destination
- Chain OUTPUT (policy ACCEPT 102 packets, 9696 bytes)
- pkts bytes target prot opt in out source destination
- [root@aminglinux-001 ~]# iptables -t nat -nvL
- Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
- pkts bytes target prot opt in out source destination
- Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
- pkts bytes target prot opt in out source destination
- Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
- pkts bytes target prot opt in out source destination
- Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
- pkts bytes target prot opt in out source destination
- [root@aminglinux-001 ~]# iptables -Z    reset the packet and byte counters of the rules
- [root@aminglinux-001 ~]# iptables -A INPUT -s 192.168.188.1 -p tcp --sport 1234 -d 192.168.188.128 --dport 80 -j DROP
-A: append, adds a rule
INPUT: applies to the INPUT chain
-s: source IP
-p: protocol (tcp/udp)
--sport: source port
-d: destination IP
--dport: destination port
-j: the action to take
DROP discards the packet (REJECT refuses it): DROP silently discards the packet without sending anything back to the sender; REJECT also discards the packet, but sends the sender a notification
- [root@aminglinux-001 ~]# iptables -I INPUT -p tcp --dport 80 -j DROP
- [root@aminglinux-001 ~]# service iptables save
iptables: Saving firewall rules to /etc/sysconfig/iptables:[ 确定 ]
- [root@aminglinux-001 ~]# iptables -nvL
- Chain INPUT (policy ACCEPT 47 packets, 3468 bytes)
- pkts bytes target prot opt in out source destination
- 0 0 DROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:80
- 0 0 DROP tcp -- * * 192.168.188.1 192.168.188.128 tcp spt:1234 dpt:80
- Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
- pkts bytes target prot opt in out source destination
- Chain OUTPUT (policy ACCEPT 34 packets, 3648 bytes)
- pkts bytes target prot opt in out source destination
The difference between -I and -A: -I inserts, putting the rule at the head of the chain; -A appends, putting the rule at the end.
- [root@aminglinux-001 ~]# iptables -D INPUT -p tcp --dport 80 -j DROP    delete one rule
- [root@aminglinux-001 ~]# iptables -nvL --line-number    list the rules with their numbers, then delete a rule by number
- Chain INPUT (policy ACCEPT 53 packets, 3921 bytes)
- num pkts bytes target prot opt in out source destination
- 1 0 0 DROP tcp -- * * 192.168.188.1 192.168.188.128 tcp spt:1234 dpt:80
- Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
- num pkts bytes target prot opt in out source destination
- Chain OUTPUT (policy ACCEPT 34 packets, 2932 bytes)
- num pkts bytes target prot opt in out source destination
- [root@aminglinux-001 ~]# iptables -D INPUT 1
- [root@aminglinux-001 ~]# iptables -nvL --line-number
- Chain INPUT (policy ACCEPT 5 packets, 388 bytes)
- num pkts bytes target prot opt in out source destination
- Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
- num pkts bytes target prot opt in out source destination
- Chain OUTPUT (policy ACCEPT 4 packets, 496 bytes)
- num pkts bytes target prot opt in out source destination
- [root@aminglinux-001 ~]#
- [root@aminglinux-001 ~]# iptables -P OUTPUT DROP    set the default policy of the OUTPUT chain to DROP
Small iptables filter case
-t selects the table; without -t the filter table is used by default
-P sets the default policy of a chain (lowercase -p is the protocol match)
Source: http://www.bubuko.com/infodetail-2535995.html
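As an added example (not part of the original notes or the iptables project): a small Python parser for the saved-rules layout shown above (`*filter`, `:CHAIN POLICY [pkts:bytes]`, `-A ...`, `COMMIT`) that walks the INPUT chain top to bottom, the way the kernel does, and reports whether tcp/22 is still accepted before a catch-all DROP/REJECT or a DROP chain policy. That is the check worth running before `service iptables save` makes a bad -I/-A ordering or a -P DROP permanent. The sample ruleset is constructed here from the layout above, and `parse_save`, `target_of` and `ssh_reachable` are names chosen for this example.

```python
# Constructed sample in the iptables-save layout that `cat /etc/sysconfig/iptables` prints
SAMPLE = """\
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
"""

def parse_save(text):
    """Parse iptables-save text: {table: {"policy": {chain: pol}, "rules": [(chain, argv)]}}."""
    tables, table = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):   # blank lines and comments
            continue
        if line.startswith("*"):               # *filter / *nat: a table begins
            table = tables.setdefault(line[1:], {"policy": {}, "rules": []})
        elif line.startswith(":"):             # :CHAIN POLICY [pkts:bytes]
            chain, policy, _counters = line[1:].split()
            table["policy"][chain] = policy
        elif line.startswith("-A "):           # -A CHAIN <matches> -j TARGET, kept in chain order
            argv = line.split()
            table["rules"].append((argv[1], argv[2:]))
        # COMMIT closes the table; nothing to record
    return tables

def target_of(argv):
    return argv[argv.index("-j") + 1] if "-j" in argv else None

def ssh_reachable(tables, port=22):
    """True if filter/INPUT accepts tcp/<port> before a catch-all DROP/REJECT."""
    filt = tables["filter"]
    for chain, argv in filt["rules"]:          # walked top to bottom, first match wins
        if chain != "INPUT":
            continue
        if target_of(argv) == "ACCEPT" and "--dport" in argv \
                and argv[argv.index("--dport") + 1] == str(port):
            return True
        if argv[0] == "-j" and target_of(argv) in ("DROP", "REJECT"):  # no match options: catch-all
            return False
    return filt["policy"].get("INPUT") == "ACCEPT"   # fell through: the chain policy decides
```

Inserting a catch-all deny at the head of the chain (what `-I INPUT -j DROP` would do) makes the check fail even though the port-22 ACCEPT rule is still present, which is exactly the -I versus -A ordering difference described above.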