查看规则
[root@localhost ~]# iptables -t filter -nvL INPUT --line
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
num pkts bytes target prot opt in out source destination
1 369 32355 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
2 0 0 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
3 11 1961 INPUT_direct all -- * * 0.0.0.0/0 0.0.0.0/0
4 11 1961 INPUT_ZONES_SOURCE all -- * * 0.0.0.0/0 0.0.0.0/0
5 11 1961 INPUT_ZONES all -- * * 0.0.0.0/0 0.0.0.0/0
6 0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate INVALID
7 10 1897 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited
清除规则
[root@localhost ~]# iptables -t filter -F INPUT
[root@localhost ~]# iptables -t filter -nvL INPUT --line
Chain INPUT (policy ACCEPT 9 packets, 636 bytes)
num pkts bytes target prot opt in out source destination
ping 该主机
新增规则
[root@localhost ~]# iptables -t filter -I INPUT -s 192.168.1.39 -j DROP
[root@localhost ~]# iptables -t filter -nxL INPUT
Chain INPUT (policy ACCEPT)
target prot opt source destination
DROP all -- 192.168.1.39 0.0.0.0/0
ping不通
-I 表示插入规则(不指定位置时插到链的最前面)
-s 表示源地址
-j --表示执行的动作
[root@localhost ~]# iptables -t filter -nxvL INPUT
Chain INPUT (policy ACCEPT 41 packets, 3289 bytes)
pkts bytes target prot opt in out source destination
231 19404 DROP all -- * * 192.168.1.39 0.0.0.0/0
-A 追加的规则不生效,原因是规则按自上而下的顺序匹配,匹配到第一条即停止;追加到链尾的 ACCEPT 排在 DROP 之后,永远匹配不到(下面该条规则的 pkts 计数为 0 也说明了这一点)
[root@localhost ~]# iptables -t filter -A INPUT -s 192.168.1.39 -j ACCEPT
[root@localhost ~]# iptables -t filter -nxvL INPUT
Chain INPUT (policy ACCEPT 7 packets, 488 bytes)
pkts bytes target prot opt in out source destination
393 33012 DROP all -- * * 192.168.1.39 0.0.0.0/0
0 0 ACCEPT all -- * * 192.168.1.39 0.0.0.0/0
改用插入(-I)到链首的方式添加 ACCEPT 规则后,它排在 DROP 之前,就通了
[root@localhost ~]# iptables -t filter -nxvL INPUT
Chain INPUT (policy ACCEPT 8 packets, 588 bytes)
pkts bytes target prot opt in out source destination
74 6216 ACCEPT all -- * * 192.168.1.39 0.0.0.0/0
595 49980 DROP all -- * * 192.168.1.39 0.0.0.0/0
0 0 ACCEPT all -- * * 192.168.1.39 0.0.0.0/0
指定添加规则的位置(链名后的数字 1 表示插到第 1 条的位置)
[root@localhost ~]# iptables -t filter -I INPUT 1 -s 192.168.1.39 -j DROP
删除规则
两种方式删除
1.根据规则号去删除
[root@localhost ~]# iptables -t filter -nxvL INPUT --line
Chain INPUT (policy ACCEPT 9 packets, 636 bytes)
num pkts bytes target prot opt in out source destination
1 298 25032 DROP all -- * * 192.168.1.39 0.0.0.0/0
2 157 13188 ACCEPT all -- * * 192.168.1.39 0.0.0.0/0
3 595 49980 DROP all -- * * 192.168.1.39 0.0.0.0/0
4 0 0 ACCEPT all -- * * 192.168.1.39 0.0.0.0/0
[root@localhost ~]# iptables -t filter -D INPUT 1
[root@localhost ~]# iptables -t filter -nxvL INPUT --line
Chain INPUT (policy ACCEPT 7 packets, 488 bytes)
num pkts bytes target prot opt in out source destination
1 163 13692 ACCEPT all -- * * 192.168.1.39 0.0.0.0/0
2 595 49980 DROP all -- * * 192.168.1.39 0.0.0.0/0
3 0 0 ACCEPT all -- * * 192.168.1.39 0.0.0.0/0
2.根据具体的匹配条件以及动作删除
[root@localhost ~]# iptables -t filter -nxvL INPUT --line
Chain INPUT (policy ACCEPT 19 packets, 1352 bytes)
num pkts bytes target prot opt in out source destination
1 286 24024 ACCEPT all -- * * 192.168.1.39 0.0.0.0/0
2 595 49980 DROP all -- * * 192.168.1.39 0.0.0.0/0
3 0 0 ACCEPT all -- * * 192.168.1.39 0.0.0.0/0
[root@localhost ~]# iptables -t filter -D INPUT -s 192.168.1.39 -j ACCEPT
[root@localhost ~]# iptables -t filter -nxvL INPUT --line
Chain INPUT (policy ACCEPT 7 packets, 488 bytes)
num pkts bytes target prot opt in out source destination
1 599 50316 DROP all -- * * 192.168.1.39 0.0.0.0/0
2 0 0 ACCEPT all -- * * 192.168.1.39 0.0.0.0/0
删除某张表的所有的规则
iptables -t filter -F
删除某张表的对应的链下的所有的规则
iptables -t filter -F INPUT
修改规则
[root@localhost ~]# iptables -t filter -nxL INPUT --line
Chain INPUT (policy ACCEPT)
num target prot opt source destination
1 ACCEPT all -- 192.168.1.39 0.0.0.0/0
2 ACCEPT all -- 192.168.1.39 0.0.0.0/0
修改默认策略: iptables -t 表 -P 链 动作。注意:远程操作时,把 INPUT 默认策略改为 DROP 之前,应先确认链中有放行当前 SSH 连接(或 ctstate RELATED,ESTABLISHED)的规则,否则会把自己锁在外面
[root@localhost ~]# iptables -t filter -nxvL INPUT --line
Chain INPUT (policy ACCEPT 20 packets, 1424 bytes)
num pkts bytes target prot opt in out source destination
1 124 10416 REJECT all -- * * 192.168.1.39 0.0.0.0/0 reject-with icmp-port-unreachable
2 0 0 ACCEPT all -- * * 192.168.1.39 0.0.0.0/0
[root@localhost ~]# iptables -t filter -P INPUT DROP
iptables -t filter -P INPUT ACCEPT
[root@localhost ~]# iptables -t filter -xnvL INPUT
Chain INPUT (policy ACCEPT 92 packets, 8623 bytes)
pkts bytes target prot opt in out source destination
444 37296 ACCEPT all -- * * 192.168.1.39 0.0.0.0/0
0 0 ACCEPT all -- * * 192.168.1.39 0.0.0.0/0
保存规则
上面所做的操作都是临时的,重启就失效了,所以得保存起来
配置好yum源以后安装iptables-services
# yum install -y iptables-services
#停止firewalld
# systemctl stop firewalld
#禁止firewalld自动启动
# systemctl disable firewalld
#启动iptables
# systemctl start iptables
#将iptables设置为开机自动启动,以后即可通过iptables-services提供的iptables服务单元来控制iptables
# systemctl enable iptables
[root@localhost ~]# service iptables save
iptables: Saving firewall rules to /etc/sysconfig/iptables:[ 确定 ]
cat /etc/sysconfig/iptables
iptables-save >/etc/sysconfig/iptables
重载iptables规则
iptables-restore </etc/sysconfig/iptables
参考:
规则管理