Configuring and managing the iptables firewall
The four default rule tables:
raw table: decides whether a packet is exempted from connection (state) tracking
mangle table: sets marks on packets (and can rewrite header fields such as TOS and TTL)
nat table: rewrites the source or destination IP address or port of a packet (SNAT, DNAT, MASQUERADE)
filter table: decides whether a packet is allowed through (packet filtering); this is the table used for ordinary firewalling
The five default rule chains:
INPUT: packets destined for the local host
OUTPUT: packets generated by the local host
FORWARD: packets routed through this host to another destination
POSTROUTING: packets after the routing decision, just before they leave the host (where SNAT is done)
PREROUTING: packets before the routing decision, as soon as they arrive (where DNAT is done)
Syntax of the iptables command:
iptables [-t table] management-option [chain] [match-conditions] [-j target]
Notes:
If no table is given, the filter table is used.
If no chain is given, the operation applies to every chain in the table; this only makes sense for listing and flushing (-L, -F), while -A, -I and -D require a chain.
Except when setting a chain's default policy (-P), a rule normally carries match conditions; a rule with no conditions matches every packet that reaches it in that chain.
Management options:
-A: append a new rule at the end of the chain
-I: insert a new rule at the given position (position 1, the top of the chain, if no position is given)
-P: set the default policy of the given chain (ACCEPT or DROP), which applies to packets that match no rule
-L: list the rules of a chain (-n prints addresses and ports numerically without DNS lookups, --line-numbers shows each rule's position)
-D: delete the rule at the given position, or the rule matching the given content
-F: flush (delete) all rules in the chain, or in every chain of the table if no chain is named
-h: show the help for the iptables command
Practical operation:
View the chains:
Flush all chains in the filter table:
Deny host 192.168.0.100 access to this machine:
Insert a rule allowing host 192.168.0.200 to access this machine:
Note: if -I is given no position, the rule is inserted at position 1 (the top of the chain) and is therefore evaluated before the existing rules.
Delete the first rule in the INPUT chain:
Change the default policy of INPUT to DROP:
Tip: if you do this over a remote connection and the session drops after the policy change, the policy can only be set back to ACCEPT from the host's own console, so allow your management address (and SSH port) with an explicit rule before changing the policy.
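The sequence above (view, flush, deny one host, insert an allow ahead of it, delete by position, lock the default policy) as a set of shell functions. This is an added example, not the commands from the original page; the management address 192.168.0.200, the SSH port 22 and the DRY_RUN/IPT variables are assumptions for the example. With DRY_RUN=1 (the default) every command is printed instead of executed, so the order can be checked before running it for real as root with DRY_RUN=0.

```shell
#!/bin/sh
# Added example (not from the original page): the chain-management
# sequence as shell functions. IPT names the iptables binary and
# DRY_RUN=1 (the default) prints each command instead of executing it,
# so the ordering can be reviewed before running with DRY_RUN=0 as root.
IPT=${IPT:-iptables}
DRY_RUN=${DRY_RUN:-1}

run() {
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s\n' "$IPT $*"
    else
        "$IPT" "$@"
    fi
}

# One function per step, in the order the page gives them.
view_chains()      { run -t filter -L -n --line-numbers; }
flush_filter()     { run -t filter -F; }
deny_host()        { run -A INPUT -s "$1" -j DROP; }       # -A: appended, evaluated last
allow_host_first() { run -I INPUT 1 -s "$1" -j ACCEPT; }   # -I 1: top of the chain
delete_first_input_rule() { run -D INPUT 1; }

# Changing the INPUT policy to DROP over SSH locks you out unless the
# management address is allowed first, so the allow rules go in before -P.
# The SSH port (22) and management address are assumptions for the example.
set_input_policy_drop() {
    run -A INPUT -s "$1" -p tcp --dport 22 -j ACCEPT
    run -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    run -P INPUT DROP
}

# The whole sequence: flush, deny one host, allow another ahead of it,
# then lock the default policy down while keeping management access.
lockdown_plan() {
    flush_filter
    deny_host 192.168.0.100
    allow_host_first 192.168.0.200
    set_input_policy_drop 192.168.0.200
    view_chains
}

lockdown_plan
```

Run it once in dry-run mode and read the printed list top to bottom: the allow rule for the management address must appear before `-P INPUT DROP`, and the `-I INPUT 1` rule lands above the `-A` deny rule even though it was issued later. Only then run it with DRY_RUN=0.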
Condition matching includes:
General condition matching: options that work with any protocol, such as -s/-d (source/destination address or network), -p (protocol) and -i/-o (input/output interface)
Implicit condition matching: options that become available once -p is given, such as --sport/--dport for tcp and udp and --icmp-type for icmp
Explicit condition matching: options loaded with -m module, such as -m multiport (several ports in one rule), -m mac (source MAC address) and -m conntrack (connection state)
Target action (-j): ACCEPT lets the packet through; DROP discards it silently; REJECT discards it and returns an error to the sender (an ICMP message or a TCP reset); LOG records the packet and continues to the next rule; the nat table additionally uses SNAT, DNAT and MASQUERADE
To deny host 192.168.0.1 access to port 80:
-t filter: the filter table (packet filtering)
-A: append a rule
INPUT: the inbound chain
-s: source IP address
-p: protocol name, tcp here
--dport 80: destination port 80 (an implicit match, only valid after -p tcp or -p udp)
Block a network segment from pinging this host:
"-t filter" is omitted here; it can be written or left out, since filter is the default table.
Allow clients from a given network to access ports 21 and 80 on this host (multiport matching can be used here):
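The three filtering rules above, with one function per rule, as an added example that is not code from the original page. The addresses and networks (192.168.0.1, 192.168.0.0/24, 192.168.1.0/24) and the DROP target are assumptions for the example; the page only says "deny" and "reject", and `-j REJECT` would send an ICMP error or TCP reset back instead of discarding silently. As in the previous example, DRY_RUN=1 (the default) prints the commands rather than executing them.

```shell
#!/bin/sh
# Added example (not from the original page): the three filtering rules
# as shell functions. IPT is the iptables binary; with DRY_RUN=1 (default)
# the commands are printed instead of executed.
IPT=${IPT:-iptables}
DRY_RUN=${DRY_RUN:-1}

run() {
    if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$IPT $*"; else "$IPT" "$@"; fi
}

# General match (-s) plus the implicit tcp match (--dport is only valid
# after -p tcp or -p udp): drop HTTP requests from one host.
deny_host_http() {
    run -t filter -A INPUT -s "$1" -p tcp --dport 80 -j DROP
}

# Implicit icmp match: only echo-request is dropped, so the host still
# receives replies to its own pings and ICMP error messages (e.g. for
# path-MTU discovery), which a blanket "-p icmp -j DROP" would lose.
deny_network_ping() {
    run -A INPUT -s "$1" -p icmp --icmp-type echo-request -j DROP
}

# Explicit match (-m multiport): one rule for several destination ports.
# Usage: allow_network_ports NETWORK PORT [PORT...]
allow_network_ports() {
    net=$1; shift
    ports=$(IFS=,; printf '%s' "$*")   # join the remaining arguments with commas
    run -A INPUT -s "$net" -p tcp -m multiport --dports "$ports" -j ACCEPT
}

# The page's three scenarios (addresses are assumptions for the example).
deny_host_http 192.168.0.1
deny_network_ping 192.168.0.0/24
allow_network_ports 192.168.1.0/24 21 80
```

Two caveats a practitioner should keep in mind: rules are evaluated top to bottom, so a rule appended with -A after an earlier DROP that matches the same traffic never sees those packets; and allowing port 21 only covers the FTP control channel, so with a DROP policy passive-mode data connections also need the nf_conntrack_ftp helper together with an ESTABLISHED,RELATED accept rule.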