iptables usage

When doing testing work, the dependent external environment sometimes cannot be started and stopped at will, yet the module under test needs to simulate the scenario where an external module hangs or loses its network connection. In that situation iptables can be used to do the job.

http://man.linuxde.net/iptables
The iptables command is a commonly used firewall tool on Linux and is part of the netfilter project. It can be configured directly or through a number of front ends and graphical interfaces.

Syntax
iptables (options) (parameters)
options
-t <table>: specify the table to operate on;
-A: append an entry to the end of the rule chain;
-D: delete an entry from the rule chain;
-I: insert an entry into the rule chain;
-R: replace an entry in the rule chain;
-L: list the existing entries in the rule chain;
-F: flush all existing entries from the rule chain;
-Z: zero the packet and byte counters of the rule chain;
-N: create a new user-defined rule chain;
-P: set the default target (policy) of the rule chain;
-h: display help information;
-p: specify the packet protocol type to match;
-s: specify the source address to match;
-j <target>: specify the target to jump to;
-i <network interface>: specify the network interface through which the packet enters the machine;
-o <network interface>: specify the network interface through which the packet leaves the machine.
iptables command option order:

iptables -t <table name> <-A/I/D/R> <rule chain name> [rule number] <-i/o network interface name> -p <protocol name> <-s source IP/source subnet> --sport <source port> <-d destination IP/destination subnet> --dport <destination port> -j <action>
Table names include:

raw: advanced features such as URL filtering.
mangle: packet modification (QoS), used to achieve quality of service.
nat: address translation, used on gateway routers.
filter: packet filtering, used for firewall rules.
Rule chain names include:

INPUT chain: processes incoming packets.
OUTPUT chain: processes outgoing packets.
FORWARD chain: processes forwarded packets.
PREROUTING chain: used for destination address translation (DNAT).
POSTROUTING chain: used for source address translation (SNAT).
Actions include:

ACCEPT: accept the packet.
DROP: drop the packet.
REDIRECT: redirection, port mapping, transparent proxy.
SNAT: source address translation.
DNAT: destination address translation.
MASQUERADE: IP masquerading (NAT), e.g. for ADSL links.
LOG: log the packet.
Example
Clearing existing iptables rules

iptables -F #Flush all rules from every chain of the filter table
iptables -X #Delete all user-defined chains
iptables -Z #Zero all packet and byte counters
Open the specified port

iptables -A INPUT -s 127.0.0.1 -d 127.0.0.1 -j ACCEPT #Allow local loopback traffic (the machine talking to itself)
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT #Allow established or related traffic
iptables -A OUTPUT -j ACCEPT #Allow all outbound traffic from this machine
iptables -A INPUT -p tcp --dport 22 -j ACCEPT #Allow access to port 22
iptables -A INPUT -p tcp --dport 80 -j ACCEPT #Allow access to port 80
iptables -A INPUT -p tcp --dport 21 -j ACCEPT #Allow port 21 for the FTP service
iptables -A INPUT -p tcp --dport 20 -j ACCEPT #Allow port 20 for the FTP service
iptables -A INPUT -j REJECT #Reject anything not allowed by the rules above
iptables -A FORWARD -j REJECT #Reject anything not allowed by the rules above
Block IP

iptables -I INPUT -s 123.45.6.7 -j DROP #Block a single IP
iptables -I INPUT -s 123.0.0.0/8 -j DROP #Block the whole /8 segment, 123.0.0.1 to 123.255.255.254
iptables -I INPUT -s 123.45.0.0/16 -j DROP #Block the /16 segment, 123.45.0.1 to 123.45.255.254
iptables -I INPUT -s 123.45.6.0/24 -j DROP #Block the /24 segment, 123.45.6.1 to 123.45.6.254
View the added iptables rules

iptables -L -n -v
Chain INPUT (policy DROP 48106 packets, 2690K bytes)
 pkts bytes target     prot opt in     out     source               destination
 5075  589K ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
 191K   90M ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:22
1499K  133M ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80
4364K 6351M ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
 6256  327K ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 3382K packets, 1819M bytes)
 pkts bytes target     prot opt in     out     source               destination
 5075  589K ACCEPT     all  --  *      lo      0.0.0.0/0            0.0.0.0/0
Delete added iptables rules

Display all iptables rules with their rule numbers, execute:

iptables -L -n --line-numbers
For example, to delete rule number 8 in the INPUT chain, execute:

iptables -D INPUT 8
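The test-environment use case from the introduction, as an added example that is not code from the original page: a small POSIX sh helper that keeps the fault rules in a dedicated user-defined chain hooked into OUTPUT, so one external dependency can be made to look hung (DROP, the client waits for its own timeout) or down (REJECT with a TCP reset, the client fails fast) and then restored with -F/-X without touching the other rules. The chain name TEST_FAULT and the host/port values are assumed placeholders; applying the rules requires root on a Linux host with iptables.

```shell
#!/bin/sh
# Added example (not from the original page): inject a fault toward one external
# dependency of the module under test via a dedicated chain, so it can be added
# and removed cleanly. Assumptions: Linux with iptables, applied as root; the chain
# name TEST_FAULT and the sample host/port are placeholders chosen for this example.

CHAIN=TEST_FAULT

# Print the iptables commands that inject a fault for one dependency (host:port).
# mode "hang": DROP -> packets vanish, the client blocks until its own timeout
# mode "down": REJECT with tcp-reset -> the port looks closed, the client fails fast
fault_rules() {
    mode=$1; host=$2; port=$3
    case "$mode" in
        hang) target="DROP" ;;
        down) target="REJECT --reject-with tcp-reset" ;;
        *)    echo "unknown mode: $mode (use hang or down)" >&2; return 1 ;;
    esac
    echo "iptables -N $CHAIN 2>/dev/null || true"   # create the chain once
    # hook the chain as the first OUTPUT rule unless it is already there (-C checks)
    echo "iptables -C OUTPUT -j $CHAIN 2>/dev/null || iptables -I OUTPUT 1 -j $CHAIN"
    echo "iptables -A $CHAIN -p tcp -d $host --dport $port -j $target"
}

# Print the commands that remove the fault: unhook, flush and delete the chain.
clear_rules() {
    echo "iptables -D OUTPUT -j $CHAIN 2>/dev/null || true"
    echo "iptables -F $CHAIN"
    echo "iptables -X $CHAIN"
}

# Execute the generated commands (needs root).
inject_fault() { cmds=$(fault_rules "$@") || return 1; printf '%s\n' "$cmds" | sh -e; }
clear_fault()  { clear_rules | sh -e; }

# Command-line use:  sh fault.sh hang 10.0.0.5 8080   or   sh fault.sh clear
case "${1:-}" in
    hang|down) inject_fault "$@" ;;
    clear)     clear_fault ;;
esac
# Inspect while the fault is active (the pkts counter shows the client being hit):
#   iptables -L TEST_FAULT -n -v --line-numbers
```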
