2018-05-04 13:34:19
Commands and how to use them
iptables -nL view the firewall rules
-n show addresses and ports numerically (no DNS lookups)
-L list the rules
iptables -F flush (clear) the firewall rules
iptables -X delete the user-defined chains
iptables -Z zero the packet and byte counters of all chains
Configuration example
iptables -t filter -A INPUT -p tcp --dport 52113 -j DROP
-t specifies the table (filter is the default; table names are lowercase)
-A append to the end of the chain
-I insert at the front of the chain
-p specifies the protocol: all (the default), or tcp, udp, icmp
--dport specifies the destination port
-j specifies the target action: ACCEPT, DROP or REJECT (REJECT is generally not used)
Deleting a rule, example
iptables -nL --line-numbers
--line-numbers show the position number of each rule
iptables -D INPUT 1 delete the first rule of the INPUT chain
-D delete
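Deleting by position number is fragile: every -D renumbers the rules that follow, so removing several matches in ascending order deletes the wrong ones. The script below is an added example, not part of the original notes: it reads a listing in the format printed by iptables -nL INPUT --line-numbers (the listing here is constructed, not captured from a real host), finds the rules whose target and destination port match, and emits the delete commands highest number first so the remaining numbers stay valid.

```shell
#!/bin/sh
# Constructed sample of `iptables -nL INPUT --line-numbers` output (not
# captured from a real host); rules 1 and 4 both drop tcp port 52113.
SAMPLE_LISTING='Chain INPUT (policy ACCEPT)
num  target     prot opt source               destination
1    DROP       tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:52113
2    ACCEPT     all  --  10.0.0.0/24          0.0.0.0/0
3    DROP       tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:10000
4    DROP       tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:52113'

# Print the numbers of the rules whose target is TARGET and whose last
# column is "dpt:PORT", highest number first. Only numbered rule lines
# are considered, so the "Chain ..." and "num target ..." headers are skipped.
rule_numbers_for_port() {
    listing=$1; target=$2; port=$3
    printf '%s\n' "$listing" |
        awk -v t="$target" -v p="dpt:$port" \
            '$1 ~ /^[0-9]+$/ && $2 == t && $NF == p { print $1 }' |
        sort -rn
}

# Emit one "iptables -D CHAIN N" command per matching rule, in descending
# order, so that deleting rule 4 does not shift rule 1 before its turn.
delete_commands() {
    chain=$1; listing=$2; target=$3; port=$4
    for n in $(rule_numbers_for_port "$listing" "$target" "$port"); do
        printf 'iptables -D %s %s\n' "$chain" "$n"
    done
}

# On a live host (as root) the listing comes from iptables itself:
#   delete_commands INPUT "$(iptables -nL INPUT --line-numbers)" DROP 52113 | sh
delete_commands INPUT "$SAMPLE_LISTING" DROP 52113
```

The match is deliberately narrow: a rule written with -m multiport shows "multiport dports 23,25,27,29" in its last columns rather than "dpt:N", so it is not matched and must be handled separately.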
Configuration example 2
iptables -I INPUT 2 -p tcp --dport 10000 -j DROP insert the rule at position 2 of the INPUT chain (the old rule 2 becomes rule 3)
Block connections from a network segment
iptables -A INPUT -s 10.0.0.0/24 -j DROP
-s specifies the source address or network segment
Negate
iptables -A INPUT ! -s 10.0.0.0/24 -j DROP
Matching on the network interface
iptables -A INPUT -p tcp --dport 6211 -i eth0 ! -s 10.0.0.0/24 -j DROP
-i matches the incoming network interface
-o matches the outgoing network interface
Blocking ports
--dport matches the destination port
--sport matches the source port
Port ranges and port lists
iptables -A INPUT -p tcp --dport 5000:6000 -j DROP
5000:6000 blocks every port from 5000 to 6000
iptables -A INPUT -p tcp -m multiport --dport 23,25,27,29 -j DROP
-m multiport --dport 23,25,27,29 blocks a list of separate ports in one rule
Blocking ICMP, example
iptables -A INPUT -p icmp --icmp-type 8 -j DROP
--icmp-type 8 matches ICMP echo requests, so this drops incoming pings (the host can still ping out, because the type 0 echo replies it receives are not matched)
Matching connection state
Allow packets that belong to established or related connections, example
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-P sets the default policy of a chain, which applies to packets no rule matched
Standard enterprise firewall deployment
There are two general modes, park mode and cinema mode.
Park mode - everyone is allowed in by default (ACCEPT), and specific troublemakers are then shut out (DROP)
Cinema mode - everyone is refused by default (DROP), and only those with a ticket are let in (ACCEPT)
Configuration process
iptables -F
iptables -A INPUT -s 10.0.0.0/24 -j ACCEPT ## allow the specified external network
iptables -A INPUT -s 172.16.1.0/24 -j ACCEPT ## allow the specified intranet
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
iptables -A INPUT -p tcp --dport 80 -j ACCEPT ## allow access to port 80
iptables -A INPUT -p icmp --icmp-type any -j ACCEPT ## allow the ICMP protocol
iptables -P INPUT DROP ## change the default policies, only after the ACCEPT rules above are in place
iptables -P OUTPUT DROP ## note: also add the ESTABLISHED,RELATED rule on OUTPUT from above, or replies to admitted connections are dropped
iptables -P FORWARD DROP
iptables -nL
/etc/init.d/iptables start
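The order of the steps above is what keeps you from locking yourself out: the ACCEPT rules for the admin networks go in first and the DROP policies last. The script below is an added example, not part of the original notes, that packages the cinema-mode deployment as a function: it generates the command list (adding the ESTABLISHED,RELATED rules on INPUT and OUTPUT from the state section, which the procedure above omits and which are required once the OUTPUT policy is DROP), checks that no policy change precedes the last ACCEPT rule, and then runs the commands. The admin networks and public port are hypothetical values carried over from the procedure; by default the script only prints the commands (a dry run), and you set IPTABLES=iptables and run it as root to apply them.

```shell
#!/bin/sh
# Added example: cinema-mode (default DROP) deployment. IPTABLES defaults to
# a dry run that only prints the commands; run as root with IPTABLES=iptables
# to apply them for real.
IPTABLES=${IPTABLES:-"echo iptables"}
# Hypothetical values taken from the procedure in the notes.
ADMIN_NETS=${ADMIN_NETS:-"10.0.0.0/24 172.16.1.0/24"}
PUBLIC_TCP_PORTS=${PUBLIC_TCP_PORTS:-"80"}

# Print the ruleset, one iptables argument list per line, in the order it
# must be applied: flush, ACCEPT rules, and only then the DROP policies.
cinema_mode_rules() {
    printf '%s\n' "-F" "-X" "-Z"
    printf '%s\n' "-A INPUT -i lo -j ACCEPT" "-A OUTPUT -o lo -j ACCEPT"
    # Needed on both chains: with OUTPUT policy DROP, replies to admitted
    # connections would otherwise be dropped on the way out.
    printf '%s\n' "-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT"
    printf '%s\n' "-A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT"
    for net in $ADMIN_NETS; do
        printf '%s\n' "-A INPUT -s $net -j ACCEPT"
    done
    for port in $PUBLIC_TCP_PORTS; do
        printf '%s\n' "-A INPUT -p tcp --dport $port -m state --state NEW -j ACCEPT"
    done
    printf '%s\n' "-A INPUT -p icmp --icmp-type any -j ACCEPT"
    printf '%s\n' "-P INPUT DROP" "-P FORWARD DROP" "-P OUTPUT DROP"
}

# Number of commands in the ruleset (a quick sanity check).
rule_count() {
    cinema_mode_rules | wc -l | tr -d ' '
}

# True when every policy change comes after the last ACCEPT rule, i.e. the
# door is never closed before the admin networks have been admitted.
policies_come_last() {
    last_accept=$(cinema_mode_rules | grep -n -- '-j ACCEPT' | tail -n 1 | cut -d: -f1)
    first_policy=$(cinema_mode_rules | grep -n -- '^-P ' | sed -n 1p | cut -d: -f1)
    [ "$last_accept" -lt "$first_policy" ]
}

# Apply (or, in the default dry run, print) the ruleset; stops at the first
# command that fails so a half-applied ruleset does not go unnoticed.
apply_rules() {
    cinema_mode_rules | while read -r args; do
        # splitting $args into separate arguments is intended
        $IPTABLES $args || exit 1
    done
}

policies_come_last || { echo "refusing to apply: a policy is set before the ACCEPT rules" >&2; exit 1; }
apply_rules
```

After applying for real, persist the result with iptables-save as described in the next section, otherwise the ruleset is gone at the next reboot.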
Saving the configuration
The iptables rules are lost after a reboot. To save the configuration you can use
/etc/init.d/iptables save, which writes the rules to /etc/sysconfig/iptables
Method 2:
iptables-save >/etc/sysconfig/iptables