Simple use of iptables under Ubuntu: open/close ports, allow/block access from an IP or IP range ...

Rules are added with one of two options: -A appends the rule to the end of a chain, -I inserts it at a given position (with no position given, at the top of the chain). iptables evaluates a chain from top to bottom and stops at the first matching rule, so a rule inserted above a conflicting one silences the rule below it; use the line numbers (see below) to check where a rule landed.

Dump the current iptables rules (iptables-save writes them to standard output; redirect it to a file to actually keep them, see the persistence section below)

sudo iptables-save

Dump the IPv6 rules the same way (a separate ruleset, managed by ip6tables)

sudo ip6tables-save

View iptables rules

sudo iptables -L

View iptables rules in numeric form (no reverse DNS or service-name lookups, so the listing is faster and exact)

sudo iptables -L -n

Show the line number of each rule, for use when deleting or replacing a rule by number

sudo iptables -L -n --line-numbers

Flush all rules in every chain of the default filter table

sudo iptables -F

Delete all user-defined chains in the default filter table (a chain must be empty and unreferenced first, so run -F before -X)

sudo iptables -X

Delete a single rule by number (numbers shift after each deletion, so re-run --line-numbers before deleting the next one)

sudo iptables -D INPUT 3   # INPUT is the chain, 3 is the rule number from --line-numbers

Modify a single rule with -R: replace INPUT rule 3 with an ACCEPT and rule 4 with a DROP. Note that -R replaces the whole rule, not only its target, so the match options must be given again; as written below, rule 3 becomes a match-everything ACCEPT and rule 4 a match-everything DROP, which is rarely intended (repeat the -s/-p/--dport options of the original rule to keep its match).

sudo iptables -R INPUT 3 -j ACCEPT
sudo iptables -R INPUT 4 -j DROP

Allow packets that belong to already-established connections (and related ones), so that the current remote ssh session is not cut off when the chain policy is later set to DROP

sudo iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

To keep services on the VPS working, add a rule for the loopback interface as the very first row of the chain

sudo iptables -I INPUT 1 -i lo -j ACCEPT

Allow all protocols from the given IP ranges to every port on this machine (the /16 rule already covers the /24 one)

sudo iptables -I INPUT -s 192.168.2.0/24 -p all -j ACCEPT
sudo iptables -I INPUT -s 192.168.0.0/16 -p all -j ACCEPT

Allow 127.0.0.1 to reach all local ports (the loopback-interface rule above already covers this traffic)

sudo iptables -I INPUT -s 127.0.0.1 -p all -j ACCEPT

Allow a given IP range to reach this machine's TCP port 3306 (MySQL)

sudo iptables -I INPUT -s 192.168.2.0/24 -p tcp --dport 3306 -j ACCEPT

Allow a given IP range to reach a range of TCP ports on this machine (first:last)

sudo iptables -I INPUT -s 192.168.2.0/24 -p tcp --dport 3306:65525 -j ACCEPT

Allow ssh from any IP; here the ssh port has been changed to 19515 (the default is 22)

sudo iptables -A INPUT -p tcp --dport 19515 -j ACCEPT

The default policy of the INPUT, OUTPUT and FORWARD chains is ACCEPT; to change it to DROP, first make sure the ssh port has been added as an ACCEPT rule in INPUT (together with the loopback and ESTABLISHED,RELATED rules above), otherwise the second command below will cut off the remote session.

sudo iptables -A INPUT -p tcp --dport 19515 -j ACCEPT   # the ssh port here is 19515
sudo iptables -P INPUT DROP

Optionally, set OUTPUT and FORWARD to DROP as well. Make sure the ssh port is allowed in every chain whose policy becomes DROP (for OUTPUT that means the ESTABLISHED,RELATED rule below, or an explicit ACCEPT for source port 19515), otherwise the ssh session is cut off and remote access is lost.

sudo iptables -P OUTPUT DROP
sudo iptables -P FORWARD DROP

If the machine can no longer reach the outside world after the rules are configured (requests go out but the replies are dropped), add the following connection-tracking rules; with OUTPUT left at ACCEPT, iptables allows the server's own outgoing requests and the INPUT rule admits their replies. The INPUT rule is the same one added earlier, so do not append it a second time.

sudo iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
sudo iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
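The script below, added here as an example and not part of the original post, puts the rules above together in the order that matters (loopback and established traffic first, the ssh port before the DROP policy takes effect) and applies them atomically with iptables-restore, with a timed rollback so that a wrong rule cannot lock you out. The ssh port 19515 and the trusted network 192.168.2.0/24 are the page's illustrative values; the rules path /etc/iptables/rules.v4 and the 60-second rollback window are assumptions. It uses -m conntrack --ctstate, the current form of -m state --state.

```bash
#!/bin/bash
# Added example (not from the original post): build the INPUT ruleset from the
# page as one iptables-restore file and apply it atomically with a rollback timer.
# Assumed values (not in the original): SSH_PORT, TRUSTED_NET, RULES_FILE.
set -eu

SSH_PORT="${SSH_PORT:-19515}"
TRUSTED_NET="${TRUSTED_NET:-192.168.2.0/24}"
RULES_FILE="${RULES_FILE:-/etc/iptables/rules.v4}"

# Print the ruleset in iptables-restore format. Order matters because the first
# matching rule wins: loopback and established traffic first, then ssh, then the
# trusted network; the DROP policy on INPUT is set in the same atomic commit.
build_rules() {
  local ssh_port="$1" trusted_net="$2"
  cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# loopback first, so local services keep working
-A INPUT -i lo -j ACCEPT
# replies and related traffic for connections we already have; this is what
# keeps the current ssh session alive when the policy is DROP
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# packets conntrack cannot classify are never wanted
-A INPUT -m conntrack --ctstate INVALID -j DROP
# new ssh connections from anywhere on the non-default port
-A INPUT -p tcp --dport ${ssh_port} -m conntrack --ctstate NEW -j ACCEPT
# MySQL only from the trusted network
-A INPUT -s ${trusted_net} -p tcp --dport 3306 -j ACCEPT
COMMIT
EOF
}

# Apply a rules file atomically. A background timer restores the previous
# ruleset after "secs" seconds unless you confirm the new rules by killing it,
# so if the new rules cut off your ssh session the old ones come back by themselves.
apply_with_rollback() {
  local new_file="$1" secs="${2:-60}"
  local backup
  backup="$(mktemp)"
  iptables-save > "$backup"
  iptables-restore --test < "$new_file"     # parse only, nothing is committed
  ( sleep "$secs" && iptables-restore < "$backup" ) &
  local timer=$!
  iptables-restore < "$new_file"
  echo "rules applied; run 'kill $timer' within ${secs}s to keep them, otherwise they roll back"
}

if [ "${1:-}" = "apply" ]; then
  # needs root: write the file and load it
  build_rules "$SSH_PORT" "$TRUSTED_NET" > "$RULES_FILE"
  apply_with_rollback "$RULES_FILE" 60
else
  # default: just print the ruleset so it can be reviewed first
  build_rules "$SSH_PORT" "$TRUSTED_NET"
fi
```

Run it without arguments to review the generated file, then `sudo ./fw.sh apply` and, once you have confirmed ssh still works, kill the timer it prints. Because iptables-restore replaces the whole table in one commit, there is never a moment with a DROP policy and no accept rules, which the one-command-at-a-time sequence above cannot guarantee.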

Persisting iptables: on Ubuntu the rules disappear on reboot, so they have to be persisted. Two approaches:
1. Install the iptables-persistent package, which does the persisting for us

sudo apt-get update
sudo apt-get install iptables-persistent -y

Save the current rules (written to /etc/iptables/rules.v4 and rules.v6) and reload them

sudo netfilter-persistent save
sudo netfilter-persistent reload

2. Dump the ruleset to a file and load it from the network-interface hooks
Dump the current iptables rules into a file in the user's home directory

sudo iptables-save > /home/user/iptables.rules

Add the corresponding lines to the NIC configuration file /etc/network/interfaces, inside the iface stanza of the interface

vim /etc/network/interfaces
add the following
pre-up iptables-restore < /home/user/iptables.rules
post-down iptables-save > /home/user/iptables.rules

Two caveats: these hooks are run by ifupdown only, so on Ubuntu releases that configure the network with netplan they never execute and method 1 is the one to use; and the file is loaded as root at boot, so keep it root-owned and not writable by ordinary users (e.g. under /etc/iptables/) rather than in a home directory, otherwise any user who can edit the file controls the firewall.

Explanation of the hook keywords used:
pre-up: run before the interface is brought up
up: run after the interface is brought up
post-up: same as up
pre-down: run before the interface is taken down
down: same as pre-down
post-down: run after the interface is taken down
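Before a saved rules file is wired into the interface hooks or iptables-persistent, it is worth checking that loading it at boot cannot lock you out. The script below is an added example, not from the original post: check_rules_file is a plain-text check (it works on a machine without iptables installed) that rejects a file whose INPUT policy is DROP but which has no ACCEPT rule for the ssh port, or which lacks the *filter header or the COMMIT line that iptables-restore requires; validate_and_restore adds a parse-only pass with iptables-restore --test before committing. The two sample files are constructed inline for the demonstration; port 19515 is the page's example port.

```bash
#!/bin/bash
# Added example (not part of the original post): sanity-check a saved iptables
# rules file before it is loaded at boot. Port 19515 is the page's example port.
set -eu

# Return 0 if the file has a *filter table with a COMMIT and, whenever INPUT
# defaults to DROP, an ACCEPT rule for the ssh port; return 1 otherwise.
# Pure text check, so it needs neither root nor the iptables binaries.
check_rules_file() {
  local file="$1" ssh_port="$2"
  grep -q '^\*filter' "$file" || { echo "no *filter table in $file" >&2; return 1; }
  grep -q '^COMMIT' "$file"   || { echo "missing COMMIT; iptables-restore would reject $file" >&2; return 1; }
  if grep -q '^:INPUT DROP' "$file"; then
    grep -Eq "^-A INPUT .*--dport ${ssh_port}( |$).*-j ACCEPT" "$file" \
      || { echo "INPUT policy is DROP but port ${ssh_port} is not accepted in $file" >&2; return 1; }
  fi
  return 0
}

# Full check, then load: the text check above, a parse-only pass by
# iptables-restore (--test builds the ruleset without committing it), and
# finally the real restore. Needs root.
validate_and_restore() {
  local file="$1" ssh_port="$2"
  check_rules_file "$file" "$ssh_port"
  iptables-restore --test < "$file"
  iptables-restore < "$file"
}

# Constructed sample files for the demonstration (not real saved rulesets).
good=$(mktemp); bad=$(mktemp)
cat > "$good" <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp --dport 19515 -j ACCEPT
COMMIT
EOF
# the same file with the ssh rule forgotten: loading this at boot locks you out
grep -v -- '--dport 19515' "$good" > "$bad"

if check_rules_file "$good" 19515; then echo "sample 1: accepted"; fi
if check_rules_file "$bad" 19515 2>/dev/null; then echo "sample 2: accepted (unexpected)"; else echo "sample 2: rejected"; fi
```

Point the interface hook or iptables-persistent at the file only after check_rules_file and iptables-restore --test both pass; run validate_and_restore as root to do all three steps in one go.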

Turning iptables "off" is done by clearing the rules and resetting the policies. Set the policies to ACCEPT first, so that flushing never leaves a chain with a DROP policy and no accept rules:

sudo iptables-save > /home/user/iptables.rules   # keep a copy of the current rules first
sudo iptables -P INPUT ACCEPT   # set the default policy of the INPUT chain to accept everything
sudo iptables -P OUTPUT ACCEPT
sudo iptables -P FORWARD ACCEPT
sudo iptables -F   # flush all rules in the default filter table
sudo iptables -X   # delete the user-defined chains in the default filter table
sudo iptables -t nat -F   # flush the rules in the nat table
sudo iptables -t nat -X
sudo iptables -t mangle -F   # flush the rules in the mangle table
sudo iptables -t mangle -X

Origin www.cnblogs.com/TDXYBS/p/10944748.html