iptables syntax

10.14 iptables syntax

iptables -nvL    view the rules

/etc/sysconfig/iptables    path of the saved rules file

iptables -F    clear the rules. Note: after clearing, iptables -nvL shows only the default (empty) chains, but the contents of the configuration file /etc/sysconfig/iptables have not changed. In other words, if you want the current (now empty) rule set to be saved to the configuration file, you must also run service iptables save; only then does the cleared state persist. If you do not save it, restarting iptables loads the old rules back from the file.

That is to say, restarting the server or restarting the iptables service loads the rules from the configuration file.
These default rules are all in the filter table. -t specifies the table; if -t is omitted, the filter table is used. The nat table has no rules, as the figure below shows.


service iptables save    save the rules. When we finish writing rules, they take effect only in the kernel's current rule set (memory). If you want them to still be in effect after a restart, you must perform this save operation.

iptables -Z    clear the packet and byte counters

Now add a rule to the filter table,

iptables command options input order:

iptables -t table name <-A/I/D/R> chain name [rule number] <-i/o interface name> -p protocol name <-s source IP/source subnet> --sport source port <-d destination IP/destination subnet> --dport destination port -j action

Enter the command iptables -A INPUT -s 192.168.188.1 -p tcp --sport 1234 -d 192.168.188.128 --dport 80 -j DROP 

This command omits -t, so the filter table is used; -A appends a rule, -I (capital i) inserts a rule, and -D deletes a rule; INPUT is the target chain (it could also be OUTPUT or FORWARD); -s is followed by the source IP, -p by the protocol (tcp, udp, icmp), --sport/--dport by the source/destination port; -d by the destination IP (mainly for the intranet or external network); -j by the action (DROP silently discards the packet, REJECT discards it and sends back an error reply, ACCEPT allows the packet). In the picture above, the red box at the bottom contains the rule that was just added.
Summary of the role of each option:
-A/-D: append and delete a rule;
-I: insert a rule; the syntax is the same as -A;
-p: specify the protocol, which can be tcp, udp or icmp;
--dport: used with -p to specify the destination port;
--sport: used with -p to specify the source port;
-s: specify the source IP (can be an IP range);
-d: specify the destination IP (can be an IP range);
-j: followed by the action, where ACCEPT allows the packet, DROP drops the packet, REJECT rejects the packet;
-i: specify the network interface (not commonly used, but occasionally needed);
There is also the -I (uppercase i) form: enter the command iptables -I INPUT -p tcp --dport 80 -j DROP, press Enter, and see the figure below,

You can see that with the -I option, the rule is inserted into the first line.
Since rules can be appended and inserted, they can also be deleted, using the -D option: enter the command iptables -D INPUT -p tcp --dport 80 -j DROP

iptables -nvL --line-numbers    view the rules with their line numbers

Enter the command iptables -D INPUT 7 to delete a rule by its line number.
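Deleting by number is convenient, but the number has to be read off the current listing, and every deletion renumbers the rules below it. The following script is an added example (not code from the original article): it reads a listing in the format of iptables -nvL --line-numbers, finds the numbers of the rules that match a chain, target and destination port, and prints the corresponding iptables -D commands highest-number-first so that they can be run in order. The listing is a constructed sample standing in for live output, and the script assumes the standard -nvL column layout (num, pkts, bytes, target, prot, opt, in, out, source, destination, match text).

```shell
#!/bin/sh
# Added example, not from the original article. Finds the line number(s) of a
# rule in "iptables -nvL --line-numbers" output so the rule can be removed with
# "iptables -D CHAIN N". Everything here only reads text, so it runs without
# root; the listing is a constructed sample standing in for the live output.

SAMPLE_LISTING='Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1        0     0 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80
2      120  9000 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
3       15  1200 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:22
4        0     0 DROP       tcp  --  *      *       192.168.188.1        192.168.188.128      tcp spt:1234 dpt:80

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1        3   240 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:25'

# find_rule_numbers CHAIN TARGET DPORT [SOURCE]   (listing on stdin)
# Prints the number of every rule in CHAIN whose target is TARGET, whose match
# text contains "dpt:DPORT" and, if SOURCE is given, whose source column is
# SOURCE. Columns of the -nvL listing: num pkts bytes target prot opt in out
# source destination [match text...].
find_rule_numbers() {
    awk -v chain="$1" -v target="$2" -v dport="$3" -v src="${4:-}" '
        /^Chain / { in_chain = ($2 == chain); next }
        !in_chain || $1 !~ /^[0-9]+$/ { next }   # header line, blank, other chain
        $4 != target { next }
        $0 !~ ("dpt:" dport "( |$)") { next }    # exact port, so 80 does not hit 8080
        src != "" && $9 != src { next }
        { print $1 }
    '
}

# delete_commands CHAIN TARGET DPORT [SOURCE]   (listing on stdin)
# Emits one "iptables -D CHAIN N" line per match, highest number first: deleting
# rule 1 renumbers every rule below it, so lower numbers must be deleted last.
# The commands are printed rather than executed; review them before running.
delete_commands() {
    chain=$1
    find_rule_numbers "$@" | sort -rn | while read -r n; do
        printf 'iptables -D %s %s\n' "$chain" "$n"
    done
}

# Stand-alone demo: which INPUT rules would "delete the DROP for port 80" hit?
# Two rules match (1 and 4); passing the source IP narrows it to rule 4 only.
printf '%s\n' "$SAMPLE_LISTING" | delete_commands INPUT DROP 80
printf '%s\n' "$SAMPLE_LISTING" | delete_commands INPUT DROP 80 192.168.188.1
```

On a live host the listing would come from iptables -nvL --line-numbers piped into the same functions; the point of printing the -D commands instead of running them is that an ambiguous match (two rules with the same port but different sources, as in the sample) is visible before anything is removed.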

There is also the -P (uppercase) option, which sets the default policy of a chain, i.e. the rule applied when no other rule matches. If you are logged in remotely through PuTTY and run iptables -P OUTPUT DROP, you will find that the whole session is broken and nothing more can be executed; the only way out is to restart. -P is followed by the chain name; the policy is either DROP or ACCEPT, and the default is ACCEPT.
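The lockout described above happens because a DROP default policy applies to every packet that no earlier rule accepts, including the replies of the SSH session you are typing into. The script below is an added example (not from the original article) of a check a defender can run on a ruleset before loading it: it reads iptables-save format text (the same format stored in /etc/sysconfig/iptables), and for the filter table reports whether a DROP policy on INPUT is paired with an ACCEPT for the management port, and whether a DROP policy on OUTPUT is paired with an ACCEPT for ESTABLISHED traffic. Both rulesets embedded in it are constructed samples, and the check is deliberately simple (it looks only at the filter table and at those two conditions).

```shell
#!/bin/sh
# Added example, not from the original article. Before applying a ruleset that
# sets a DROP default policy, check whether it still lets a remote management
# session through; otherwise "iptables -P OUTPUT DROP" typed in PuTTY cuts the
# session off. Input is iptables-save format (as in /etc/sysconfig/iptables);
# both rulesets below are constructed samples, not taken from any host.

# The article's lockout case: OUTPUT policy DROP, no rule letting replies out.
LOCKOUT_RULESET='*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT DROP [0:0]
-A INPUT -p tcp -m tcp --dport 80 -j DROP
COMMIT'

# Same DROP policies, but with the rules that keep an SSH session alive.
SAFE_RULESET='*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
COMMIT'

# check_lockout PORT   (ruleset on stdin)
# Prints "ok" and returns 0 when the filter table is safe for a session on
# PORT; otherwise prints one line per problem and returns 1. Only the filter
# table is examined: INPUT policy DROP needs an ACCEPT for --dport PORT, and
# OUTPUT policy DROP needs an ACCEPT for ESTABLISHED traffic so replies leave.
check_lockout() {
    awk -v port="$1" '
        /^\*/ { table = substr($1, 2); next }        # "*filter", "*nat", ...
        table != "filter" { next }
        /^:INPUT DROP/  { input_drop = 1 }
        /^:OUTPUT DROP/ { output_drop = 1 }
        /^-A INPUT / && /-j ACCEPT/ && $0 ~ ("--dport " port "( |$)") { input_port = 1 }
        /^-A OUTPUT / && /-j ACCEPT/ && /ESTABLISHED/ { output_est = 1 }
        END {
            problems = 0
            if (input_drop && !input_port) {
                print "INPUT policy DROP but no ACCEPT for --dport " port; problems++
            }
            if (output_drop && !output_est) {
                print "OUTPUT policy DROP but no ACCEPT for ESTABLISHED traffic"; problems++
            }
            if (problems == 0) print "ok"
            if (problems > 0) exit 1
        }
    '
}

# Stand-alone demo: the lockout ruleset fails the check, the safe one passes.
printf '%s\n' "$LOCKOUT_RULESET" | check_lockout 22 || echo "(would lock you out)"
printf '%s\n' "$SAFE_RULESET" | check_lockout 22
```

The same check can be pointed at a saved file with check_lockout 22 < /etc/sysconfig/iptables before service iptables restart loads it; a non-zero exit is the signal to add the missing ACCEPT rules first and only then change the policy with -P.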

Table names include:

  • raw : advanced features such as URL filtering.
  • mangle : packet modification (QoS), used to implement quality of service.
  • nat : address translation, for gateway routers.
  • filter : packet filtering, used for firewall rules.

Rule chain names include:

  • INPUT chain : processes incoming packets.
  • OUTPUT chain : processes outgoing packets.
  • FORWARD chain : processes forwarded packets.
  • PREROUTING chain : used for destination address translation (DNAT).
  • POSTROUTING chain : used for source address translation (SNAT).

Actions include:

  • ACCEPT : accept the packet.
  • DROP : drop the packet.
  • REDIRECT : redirection, port mapping, transparent proxy.
  • SNAT : source address translation.
  • DNAT : destination address translation.
  • MASQUERADE : IP masquerading (NAT) for ADSL links.
  • LOG : log the packet.
