iptables: view, add, delete and modify rules

1. View
iptables -nvL --line-numbers

-L  List the rules of a table. The filter table is shown by default; add -t nat to list the nat table (likewise -t mangle or -t raw)
-n  Numeric output: do not resolve IP addresses to host names or port numbers to service names. This avoids DNS lookups, so the listing appears much faster
-v  Verbose output, including the packet and byte counters of each rule and the network interface the rule applies to
--line-numbers  Show each rule's position number within its chain; these numbers are what -D and -R take when you delete or replace a rule by number

2. Add

Rules are added with -A or -I. -A appends the rule to the end of the chain; -I inserts it at a given position, and at position 1 (the head of the chain) if no position is given. Position matters: a chain is evaluated from rule 1 downward and the first rule whose match applies with a terminating target (ACCEPT, DROP, REJECT) decides the packet's fate, so a DROP appended after a broad ACCEPT never fires.

Current rules:

[root@test ~]# iptables -nL --line-numbers
Chain INPUT (policy ACCEPT)
num  target     prot opt source               destination
1    DROP       all  --  192.168.1.1          0.0.0.0/0
2    DROP       all  --  192.168.1.2          0.0.0.0/0
3    DROP       all  --  192.168.1.4          0.0.0.0/0

Add a rule to the end:

[root@test ~]# iptables -A INPUT -s 192.168.1.5 -j DROP

Insert another rule as the third rule; the position number is written directly after the chain name:

[root@test ~]# iptables -I INPUT 3 -s 192.168.1.3 -j DROP

Check:

[root@test ~]# iptables -nL --line-numbers
Chain INPUT (policy ACCEPT)
num  target     prot opt source               destination
1    DROP       all  --  192.168.1.1          0.0.0.0/0
2    DROP       all  --  192.168.1.2          0.0.0.0/0
3    DROP       all  --  192.168.1.3          0.0.0.0/0
4    DROP       all  --  192.168.1.4          0.0.0.0/0
5    DROP       all  --  192.168.1.5          0.0.0.0/0

192.168.1.3 is now rule 3, and the previous rule 3 (192.168.1.4) has moved down to become rule 4.

3. Delete

Rules are deleted with -D.

Remove the rule added earlier (iptables -A INPUT -s 192.168.1.5 -j DROP) by repeating its exact specification with -D:

[root@test ~]# iptables -D INPUT -s 192.168.1.5 -j DROP

A long rule has to be repeated exactly to delete it this way, which is tedious and easy to get wrong. Instead, list the chain with --line-numbers, read off the rule's number, and delete it by number.

[root@test ~]# iptables -nv --line-numbers
iptables v1.4.7: no command specified
Try `iptables -h' or 'iptables --help' for more information.

The first attempt fails because it gives only options and no command: -L is the command that lists rules and must be present. With -L:

[root@test ~]# iptables -nL --line-numbers
Chain INPUT (policy ACCEPT)
num  target     prot opt source               destination
1    DROP       all  --  192.168.1.1          0.0.0.0/0
2    DROP       all  --  192.168.1.2          0.0.0.0/0
3    DROP       all  --  192.168.1.3          0.0.0.0/0

Delete the second rule (note that the numbering shifts afterwards: the old rule 3 becomes rule 2, so when removing several rules by number, work from the highest number down or list the chain again between deletions):

[root@test ~]# iptables -D INPUT 2
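The list-then-delete-by-number workflow above, as an added shell example that is not part of the original article. It parses a constructed `iptables -nL --line-numbers` listing (embedded below, not captured from a real host), finds the numbers of the rules with a given source, and prints the `iptables -D` commands highest number first so that earlier deletions do not shift the later numbers. The function names are this example's own, and nothing here modifies the live firewall; it only prints the commands to run.

```shell
#!/bin/sh
# Added example, not from the original article: given the output of
# `iptables -nL --line-numbers`, find the numbers of the rules that match a
# source address and emit the `iptables -D CHAIN N` commands in an order that
# is safe to run. Nothing here touches the live firewall; the listing is a
# constructed sample, and the functions only print commands.

SAMPLE_LISTING='Chain INPUT (policy ACCEPT)
num  target     prot opt source               destination
1    DROP       all  --  192.168.1.1          0.0.0.0/0
2    DROP       all  --  192.168.1.2          0.0.0.0/0
3    DROP       all  --  192.168.1.2          0.0.0.0/0
4    DROP       all  --  192.168.1.4          0.0.0.0/0

Chain FORWARD (policy ACCEPT)
num  target     prot opt source               destination
1    DROP       all  --  192.168.1.2          0.0.0.0/0

Chain OUTPUT (policy ACCEPT)
num  target     prot opt source               destination'

# rule_nums_for_source LISTING CHAIN SOURCE
# Prints, one per line, the numbers of the rules in CHAIN whose source column
# is exactly SOURCE. Assumes -nL output (without -v, which would prepend the
# pkts and bytes columns and shift the field positions).
rule_nums_for_source() {
    printf '%s\n' "$1" | awk -v chain="$2" -v src="$3" '
        /^Chain / { in_chain = ($2 == chain); next }
        in_chain && $1 ~ /^[0-9]+$/ && $5 == src { print $1 }
    '
}

# delete_cmds CHAIN NUM...
# Prints one "iptables -D CHAIN N" per number, highest number first. After
# "iptables -D INPUT 2" the old rule 3 becomes rule 2, so deleting in
# ascending order would hit the wrong rules.
delete_cmds() {
    chain=$1
    shift
    printf '%s\n' "$@" | sort -rn | while read -r n; do
        [ -n "$n" ] && printf 'iptables -D %s %s\n' "$chain" "$n"
    done
}

# delete_source_plan LISTING CHAIN SOURCE
# Combines the two: the commands that remove every rule in CHAIN with that
# source. Returns 1 (and prints nothing) when no rule matches.
delete_source_plan() {
    nums=$(rule_nums_for_source "$1" "$2" "$3")
    [ -n "$nums" ] || return 1
    # $nums is deliberately unquoted so that each line becomes one argument
    delete_cmds "$2" $nums
}

# Stand-alone usage: print the plan for 192.168.1.2 in INPUT
delete_source_plan "$SAMPLE_LISTING" INPUT 192.168.1.2
```

Run the printed commands only after checking them against a fresh listing; the plan is only valid for the listing it was computed from.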

4. Modify

Rules are replaced with -R.

First look at the current rules:

[root@test ~]# iptables -nL --line-numbers
Chain INPUT (policy ACCEPT)
num  target     prot opt source               destination
1    DROP       all  --  192.168.1.1          0.0.0.0/0
2    DROP       all  --  192.168.1.2          0.0.0.0/0
3    DROP       all  --  192.168.1.5          0.0.0.0/0

Replace the third rule with one whose target is ACCEPT:

[root@test ~]# iptables -R INPUT 3 -j ACCEPT

Check it out again:

[root@test ~]# iptables -nL --line-numbers
Chain INPUT (policy ACCEPT)
num  target     prot opt source               destination
1    DROP       all  --  192.168.1.1          0.0.0.0/0
2    DROP       all  --  192.168.1.2          0.0.0.0/0
3    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0

The third rule's target is now ACCEPT, but look at the source column: -R replaces the whole rule with the new specification, it does not patch just the target. Because the command above gave no -s match, rule 3 is now "ACCEPT from anywhere" rather than "ACCEPT from 192.168.1.5", which is a much wider hole than intended. To keep the match, repeat it (the -s 192.168.1.5 part) together with the new target when using -R.

iptables can match several ports in one rule. Depending on whether the ports are contiguous, there are two ways to write this: a port range, or the multiport match.

1. Contiguous ports (a port range)

Such as:

-A INPUT -p tcp --dport 21:25 -j DROP

This drops TCP traffic to destination ports 21 through 25 inclusive. Note: the colon must be the plain ASCII colon, not the full-width one that some input methods produce.

2. Non-contiguous ports (the multiport match)

Such as:

-A INPUT -p tcp -m multiport --dports 21:25,135:139 -j DROP

The multiport match takes a comma-separated list of ports for --dports (or --sports, or --ports for either direction); a list entry may itself be a range written with a colon. Up to 15 ports can be given in one rule, and a range counts as two of the 15.

Note that DROP discards matching packets silently, so the client gets no reply at all; use REJECT instead if an error should be sent back.
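An added shell example, not from the original article, that expands a multiport list into the individual ports it covers and checks it against the match's 15-slot limit (a range costs two slots) before printing the rule. The function names multiport_slots, expand_ports and multiport_rule are this example's own; it prints the rule and does not load it.

```shell
#!/bin/sh
# Added example, not from the original article: expand and sanity-check a
# multiport port list before it goes into a rule. It encodes two facts about
# the multiport match: "a:b" is an inclusive range and entries are separated
# by commas (plain ASCII characters), and a rule may use at most 15 port
# slots, where a range counts as two. It prints the rule; it does not load it.

# multiport_slots SPEC
# Prints the number of multiport slots SPEC uses. Returns 1 if an entry is
# malformed, a port is above 65535, or a range runs backwards.
multiport_slots() {
    slots=0
    oldifs=$IFS
    IFS=,
    for entry in $1; do
        case $entry in
            *:*) lo=${entry%%:*}; hi=${entry#*:}; slots=$((slots + 2)) ;;
            *)   lo=$entry;        hi=$entry;      slots=$((slots + 1)) ;;
        esac
        for v in "$lo" "$hi"; do
            case $v in ''|*[!0-9]*) IFS=$oldifs; return 1 ;; esac
        done
        if [ "$lo" -gt "$hi" ] || [ "$hi" -gt 65535 ]; then
            IFS=$oldifs
            return 1
        fi
    done
    IFS=$oldifs
    printf '%s\n' "$slots"
}

# expand_ports SPEC
# Prints every port covered by SPEC, space separated, so you can see exactly
# what a rule such as --dports 21:25,135:139 will match.
expand_ports() {
    multiport_slots "$1" >/dev/null || return 1
    out=""
    oldifs=$IFS
    IFS=,
    for entry in $1; do
        case $entry in
            *:*) lo=${entry%%:*}; hi=${entry#*:} ;;
            *)   lo=$entry;        hi=$entry ;;
        esac
        p=$lo
        while [ "$p" -le "$hi" ]; do
            out="$out $p"
            p=$((p + 1))
        done
    done
    IFS=$oldifs
    printf '%s\n' "${out# }"
}

# multiport_rule CHAIN PROTO SPEC TARGET
# Prints the complete rule, or returns 1 if SPEC is invalid or would need
# more than the 15 slots multiport allows.
multiport_rule() {
    n=$(multiport_slots "$3") || return 1
    [ "$n" -le 15 ] || return 1
    printf 'iptables -A %s -p %s -m multiport --dports %s -j %s\n' "$1" "$2" "$3" "$4"
}

# Stand-alone usage
expand_ports '21:25,135:139'
multiport_rule INPUT tcp '21:25,135:139' DROP
```

If a list needs more than 15 slots, split it across two rules with the same target rather than hoping iptables will accept it.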

 

http://www.cnblogs.com/alimac/p/5848372.html
