Syntax:
iptables -t <table> <-A|-I|-D|-R> <chain> [rule number] [-i|-o <interface>] [-p <protocol>] [-s <source IP or subnet>] [--sport <source port>] [-d <destination IP or subnet>] [--dport <destination port>] -j <target>

Options:
-t <table>: the table to operate on (filter if omitted)
-A: append a rule to the end of a chain
-I: insert a rule into a chain (at the top unless a rule number is given)
-D: delete a rule from a chain (by rule number, or by repeating the rule specification)
-R: replace the rule at the given number in a chain
-L: list the rules in a chain
-F: flush (delete) all rules in a chain
-Z: zero the packet and byte counters of a chain
-N: create a new user-defined chain
-P: set the default policy (target) of a built-in chain
-h: show help
-p: protocol of the packets to match (tcp, udp, icmp, all)
-s: source IP address or subnet of the packets to match
-d: destination IP address or subnet of the packets to match
-j <target>: target to jump to (ACCEPT, DROP, REJECT, or a user-defined chain)
-i <interface>: the interface the packet arrived on (INPUT, FORWARD and PREROUTING only)
-o <interface>: the interface the packet leaves by (OUTPUT, FORWARD and POSTROUTING only)

Option letters are case-sensitive: -i matches the input interface, -I inserts a rule. Rules in a chain are evaluated top to bottom and the first match with a terminating target (ACCEPT, DROP, REJECT) decides the packet's fate, so whether a rule is appended (-A) or inserted at the top (-I) changes what it does.
// Clear the existing iptables rules
iptables -F    # flush all rules in every chain of the filter table
iptables -X    # delete all (now empty) user-defined chains
iptables -Z    # zero the packet and byte counters
# Caution: if the INPUT policy is already DROP, "iptables -F" leaves no ACCEPT rules and cuts off a remote SSH session. Set the policy to ACCEPT first (iptables -P INPUT ACCEPT), or load the whole ruleset atomically with iptables-restore.

iptables -A INPUT -i lo -j ACCEPT                                  # allow the loopback interface (this machine talking to itself); matching on the interface, as the listing below does, also covers local traffic to the host's own non-127.0.0.1 addresses, which "-s 127.0.0.1 -d 127.0.0.1" would miss
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT   # allow replies to connections this host initiated, and related traffic
iptables -A OUTPUT -j ACCEPT                                       # allow all outgoing traffic from this machine
iptables -A INPUT -p tcp --dport 22 -j ACCEPT                      # allow SSH (port 22)
iptables -A INPUT -p tcp --dport 80 -j ACCEPT                      # allow HTTP (port 80)
iptables -A INPUT -p tcp --dport 21 -j ACCEPT                      # allow the FTP control connection (port 21)
iptables -A INPUT -p tcp --dport 20 -j ACCEPT                      # allow active-mode FTP data (port 20); passive-mode data connections only match RELATED if the nf_conntrack_ftp helper is loaded
iptables -A INPUT -j REJECT                                        # reject everything not allowed above (targets are case-sensitive: REJECT, not reject)
iptables -A FORWARD -j REJECT                                      # this host does not route; reject all forwarded traffic

// Block a source IP or subnet. -I inserts at the top of INPUT, so the DROP is evaluated before the ACCEPT rules above; appended with -A it would sit after them and never match traffic to an allowed port.
iptables -I INPUT -s 123.45.6.7 -j DROP        # block a single IP
iptables -I INPUT -s 123.0.0.0/8 -j DROP       # block the whole /8, 123.0.0.1 to 123.255.255.254
iptables -I INPUT -s 123.45.0.0/16 -j DROP     # block the /16, 123.45.0.1 to 123.45.255.254
iptables -I INPUT -s 123.45.6.0/24 -j DROP     # block the /24, 123.45.6.1 to 123.45.6.254

// List the rules with counters (-n: print addresses and ports numerically, -v: show counters and interfaces). This listing comes from a host whose rules differ slightly from the script above (INPUT policy DROP, ICMP allowed, no FORWARD rule):
iptables -L -n -v
Chain INPUT (policy DROP 48106 packets, 2690K bytes)
 pkts bytes target     prot opt in     out     source               destination
 5075  589K ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
 191K   90M ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:22
1499K  133M ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80
4364K 6351M ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
 6256  327K ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 3382K packets, 1819M bytes)
 pkts bytes target     prot opt in     out     source               destination
 5075  589K ACCEPT     all  --  *      lo      0.0.0.0/0            0.0.0.0/0

// Display all rules with their rule numbers:
iptables -L -n --line-numbers
// For example, to delete rule number 8 in INPUT:
iptables -D INPUT 8
# Rules are renumbered after every delete, so re-run the numbered listing before deleting another rule by number, or delete by repeating the rule specification instead, e.g. iptables -D INPUT -p tcp --dport 80 -j ACCEPT
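The two pitfalls in the procedure above (flushing under a DROP policy locks you out; a DROP appended after the ACCEPTs never fires, and rule numbers shift after each delete) are avoided by generating the whole ruleset as an iptables-restore file and loading it atomically. The following script is an added example, not code from the page: it emits the page's ruleset in that format with the blocklist ahead of the ACCEPT rules, and provides a helper that reads a numbered listing and returns the number of a rule right before it is deleted. The blocklist, the sample listing and the file path /etc/iptables/rules.v4 (the path Debian's iptables-persistent reads) are constructed for the example; it uses -m conntrack, the current name of the legacy -m state match the page uses.

```shell
#!/bin/sh
# Added example (not from the page): build the page's ruleset as an iptables-restore
# file so it is loaded atomically, and look up a rule number from a listing right
# before deleting by number. BLOCKLIST and SAMPLE_LISTING are constructed sample data.

# Constructed blocklist: the sources the page drops, one per line.
BLOCKLIST='123.45.6.7
123.45.6.0/24
123.45.0.0/16
123.0.0.0/8'

# Print an iptables-restore file for the filter table. Policies are declared up
# front and everything is committed in one step, so there is no window with an
# empty chain under a DROP policy (the lockout "iptables -F" causes when the
# policy is already DROP). The DROP rules come first, which is the order
# "-I INPUT ... -j DROP" produced on the page: a DROP appended after the
# ACCEPTs would never see a packet to an allowed port.
gen_rules() {
    printf '%s\n' '*filter'
    printf '%s\n' ':INPUT DROP [0:0]'
    printf '%s\n' ':FORWARD DROP [0:0]'
    printf '%s\n' ':OUTPUT ACCEPT [0:0]'
    printf '%s\n' "$BLOCKLIST" | while IFS= read -r src; do
        if [ -n "$src" ]; then
            printf '%s\n' "-A INPUT -s $src -j DROP"
        fi
    done
    printf '%s\n' '-A INPUT -i lo -j ACCEPT'
    # conntrack is the current name of the legacy "-m state" match used on the page
    printf '%s\n' '-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
    for port in 22 80 21 20; do
        # only NEW connections need a port rule; replies are already accepted above
        printf '%s\n' "-A INPUT -p tcp --dport $port -m conntrack --ctstate NEW -j ACCEPT"
    done
    printf '%s\n' '-A INPUT -j REJECT --reject-with icmp-port-unreachable'
    printf '%s\n' 'COMMIT'
}

# Constructed sample of "iptables -L INPUT -n -v --line-numbers" output.
SAMPLE_LISTING='Chain INPUT (policy DROP 48106 packets, 2690K bytes)
num   pkts bytes target     prot opt in     out     source               destination
1     5075  589K ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
2     191K   90M ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:22
3    1499K  133M ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80
4    4364K 6351M ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED'

# Read a numbered listing on stdin and print the number of the first rule whose
# line contains $1; print nothing and return 1 when no rule matches. Numbers shift
# after every "iptables -D <chain> <num>", so look the number up right before use.
rule_number() {
    awk -v pat="$1" '
        $1 ~ /^[0-9]+$/ && index($0, pat) { print $1; found = 1; exit }
        END { exit !found }'
}

# Usage (as root):
#   gen_rules > /etc/iptables/rules.v4
#   iptables-restore --test < /etc/iptables/rules.v4 && iptables-restore < /etc/iptables/rules.v4
#   n=$(iptables -L INPUT -n -v --line-numbers | rule_number 'dpt:80') && iptables -D INPUT "$n"
```

iptables-restore --test parses the file without committing it, so a typo (such as a lowercase target) is caught before the live ruleset is touched; the real load then replaces the table in one operation instead of rule by rule. rule_number is only safe for a single delete per listing: after that delete, list again before looking up the next number, or delete by rule specification as shown in the text above.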