Example tutorial for adding and deleting iptables firewall rules
How to add and delete iptables firewall rules
Only the more commonly used parameters are listed here, detailed man iptables
1. Check the firewall rules
iptables -nvL --line-number
-L Check all the rules of the current table, the filter table is checked by default, if you want to check the NAT table, you can add the -t NAT parameter
-n to not check the ip address, Adding this parameter to display the speed will be much faster
-v output detailed information, including the number of packets passing the rule, the total number of bytes and the corresponding network interface
--line-number Display the serial number of the rule, this parameter is used to delete or modify the rule will be used when
2. Add firewall rules
There are two parameters for adding rules: -A and -I. Where -A is added to the end of the rule; -I can be inserted at the specified position, if there is no specified position, it will be inserted into the head of the rule by default
For example:
current rules:
Chain INPUT (policy ACCEPT)
num target prot opt source destination
1 DROP all -- 192.168.1.1 0.0.0.0/0
2 DROP all -- 192.168.1.2 0.0.0.0/0
3 DROP all -- 192.168.1.4 0.0.0.0/0
Add a rule to the end:
Insert another rule on the third line:
View firewall rules:
Chain INPUT (policy ACCEPT)
num target prot opt source destination
1 DROP all -- 192.168.1.1 0.0.0.0/0
2 DROP all -- 192.168.1.2 0.0.0.0/0
3 DROP all -- 192.168.1.3 0.0.0.0/0
4 DROP all -- 192.168.1.4 0.0.0.0/0
5 DROP all -- 192.168.1.5 0.0.0.0/0
可以看到192.168.1.3插入到第三行,而原来的第三行192.168.1.4变成了第四行。
3、删除防火墙规则
删除用-D参数
删除之前添加的规则(iptables -A INPUT -s 192.168.1.5 -j DROP):
有时有些规则太长,删除时要写一大串,既浪费时间又容易写错,这时我们可以先使用–line-number查看出该条规则的行号,再通过行号删除
iptables v1.4.7: no command specified
Try `iptables -h' or 'iptables --help' for more information.
[root@test ~]# iptables -nL --line-number
Chain INPUT (policy ACCEPT)
num target prot opt source destination
1 DROP all -- 192.168.1.1 0.0.0.0/0
2 DROP all -- 192.168.1.2 0.0.0.0/0
3 DROP all -- 192.168.1.3 0.0.0.0/0
删除第二行规则
4、修改规则
修改使用-R参数
将第三行规则改为ACCEPT
当前规则:
Chain INPUT (policy ACCEPT)
num target prot opt source destination
1 DROP all -- 192.168.1.1 0.0.0.0/0
2 DROP all -- 192.168.1.2 0.0.0.0/0
3 DROP all -- 192.168.1.5 0.0.0.0/0
修改:
[root@test ~]# iptables -R INPUT 3 -j ACCEPT
再查看下:
Chain INPUT (policy ACCEPT)
num target prot opt source destination
1 DROP all -- 192.168.1.1 0.0.0.0/0
2 DROP all -- 192.168.1.2 0.0.0.0/0
3 ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
第三条规则的target已改为ACCEPT。
二、Linux清空所有iptables规则
linux下清空iptables规则方法:
iptables -t nat -F
iptables -t nat -X
iptables -t nat -P PREROUTING ACCEPT
iptables -t nat -P POSTROUTING ACCEPT
iptables -t nat -P OUTPUT ACCEPT
iptables -t mangle -F
iptables -t mangle -X
iptables -t mangle -P PREROUTING ACCEPT
iptables -t mangle -P INPUT ACCEPT
iptables -t mangle -P FORWARD ACCEPT
iptables -t mangle -P OUTPUT ACCEPT
iptables -t mangle -P POSTROUTING ACCEPT
iptables -F
iptables -X
iptables -P FORWARD ACCEPT
iptables -P INPUT ACCEPT
iptables -P OUTPUT ACCEPT
iptables -t raw -F
iptables -t raw -X
iptables -t raw -P PREROUTING ACCEPT
iptables -t raw -P OUTPUT ACCEPT