iptables
iptables [-t table] -L -n
View the rules on a table
iptables [-t 表 ] -F 清空所有规则
iptables -P 链 动作 设置某个链的默认规则
Add iptables rules
iptables [-t 表] -A 链 匹配的条件 -j 动作
-I -p 协议 ACCEPT 放行
-D -s 源IP地址 DROP 丢弃
-L -d 目的IP地址 REJECT 拒绝
--sport 源端口 DNAT --to-destication 目的地址转换
--dport 目的端口 SNAT --source 源地址转换
iptables -A INPUT -p tcp --dport 80 -j DROP
"Blocking" strategy, the default rule is "Release", add a "blocking" rule
The default rule of the "pass" policy is "block", add a "release" rule
Example
Block 80 port in INPUT chain
iptables -A INPUT -p tcp --dport 80 -j DROP
Release port 3306 in the INPUT chain
iptables -A INPUT -p tcp --dport 3306 -j ACCEPT
Access to port 81 through 192.168.189.131
iptables -A INPUT -p tcp --dport 81 -d 192.168.189.131 -j ACCEPT
Ban ping
iptables -A INPUT -p icmp -j DROP
iptables -A INPUT -p icmp -j REJECT
In the OUTPUT chain, add a request with a release source port of 22
iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
In the OUTPUT chain, add a request whose source IP is 192.168.189.161
iptables -I OUTPUT -s 192.168.189.161 -j ACCEPT
In the OUTPUT chain, add a request with a release source port of 81
iptables -A OUTPUT -p tcp --sport 81 -j ACCEPT
Destination address translation
forwards the request to access port 192.168.189.161 as 2222 to port 22 of 10.30.0.128
iptables -t nat -A PREROUTING -p tcp -d 192.168.189.161 --dport 2222 -j DNAT --to-destination 10.30.0.128:22
Source address conversion, all request source addresses from the 10.30.0.0/24 network segment are converted to 192.168.189.161
iptables -t nat -A POSTROUTING -p tcp -s 10.30.0.0/24 -j SNAT --to-source 192.168.189.161