Two options add a rule: -A appends it to the end of the chain, -I inserts it at the given position (with no position given, at the top, i.e. position 1). Rules are evaluated from top to bottom and the first match decides, so a rule inserted above a conflicting one silently makes the later rule ineffective; check the current order with --line-numbers before inserting.
Dump the current iptables rules (iptables-save prints to stdout; nothing is persisted unless the output is redirected to a file)
sudo iptables-save
Dump the IPv6 rules (ip6tables keeps its own, separate tables; none of the IPv4 rules below apply to IPv6 traffic)
sudo ip6tables-save
List the rules of the filter table (add -t nat etc. for the other tables)
sudo iptables -L
List the rules in numeric form, without DNS or service-name resolution (faster, and shows the real addresses and port numbers)
sudo iptables -L -n
List the rules with their line numbers, which -D and -R below refer to
sudo iptables -L -n --line-numbers
Flush all rules from every chain of the default (filter) table; the chain policies are left unchanged
sudo iptables -F
Delete every user-defined chain in the filter table (a chain must be empty and unreferenced before -X can remove it)
sudo iptables -X
Delete a single rule by number (INPUT is the chain, 3 the rule number shown by --line-numbers; the numbers shift after each deletion, so list again before deleting the next one)
sudo iptables -D INPUT 3
Replace a single rule with -R: replace rule 3 of the INPUT chain with an accept and rule 4 with a drop. -R replaces the whole rule, so the replacement must repeat the match part (-s, -p, --dport, ...); written with only a target, as below, the new rule matches every packet.
sudo iptables -R INPUT 3 -j ACCEPT
sudo iptables -R INPUT 4 -j DROP
Accept packets that belong to already established connections (or are related to one), so that the current remote SSH session survives when the INPUT chain policy is later set to DROP
sudo iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
Keep the VPS's own local services working by accepting everything on the loopback interface, inserted as rule 1
sudo iptables -I INPUT 1 -i lo -j ACCEPT
Accept all protocols from certain source networks to every port of this host (-p all is the default and can be omitted; note that 192.168.0.0/16 already contains 192.168.2.0/24, so the first rule is covered by the second)
sudo iptables -I INPUT -s 192.168.2.0/24 -p all -j ACCEPT
sudo iptables -I INPUT -s 192.168.0.0/16 -p all -j ACCEPT
Accept everything from 127.0.0.1 to any local port (largely redundant with the loopback rule above; matching on the interface with -i lo is the safer form, since a source address can be forged but the arriving interface cannot)
sudo iptables -I INPUT -s 127.0.0.1 -p all -j ACCEPT
Allow a certain network to reach TCP port 3306 (MySQL) on this host
sudo iptables -I INPUT -s 192.168.2.0/24 -p tcp --dport 3306 -j ACCEPT
Allow a certain network to reach a range of TCP ports on this host (first:last)
sudo iptables -I INPUT -s 192.168.2.0/24 -p tcp --dport 3306:65525 -j ACCEPT
Allow every IP to open a remote SSH connection. Here the SSH daemon has been moved to port 19515; the default is port 22
sudo iptables -A INPUT -p tcp --dport 19515 -j ACCEPT
The default policy of the INPUT, OUTPUT and FORWARD chains is ACCEPT; to reject by default it has to be changed.
Make sure the SSH port has already been added to the INPUT chain as an ACCEPT rule before running the policy command, otherwise the remote session is cut off
sudo iptables -A INPUT -p tcp --dport 19515 -j ACCEPT   # the SSH port is 19515 here
sudo iptables -P INPUT DROP
Optionally set the other chains to DROP as well. If OUTPUT is set to DROP, the SSH port (or ESTABLISHED,RELATED traffic) must also be accepted in the OUTPUT chain, otherwise the replies of the existing SSH session are dropped and the remote connection dies
sudo iptables -P OUTPUT DROP
sudo iptables -P FORWARD DROP
If the server can no longer reach the outside network after these rules (its own outbound requests leave, but the replies are dropped by the INPUT DROP policy), add the ESTABLISHED,RELATED rules below. Keep the OUTPUT policy at ACCEPT so that requests made by the server itself (DNS, apt, ...) are still allowed; an OUTPUT ESTABLISHED,RELATED rule only covers replies to existing connections, not new outbound ones. The INPUT rule is the same one added earlier; check with -L first so it is not added twice
sudo iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
sudo iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
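The commands above build the policy one rule at a time, which is exactly how people lock themselves out: a -P INPUT DROP typed before the SSH and ESTABLISHED,RELATED rules, or a flush in the wrong order. The script below is an added example, not part of the original post: it writes the same policy as a single iptables-restore file (loaded atomically, so only the order inside the file matters), runs a lockout check that refuses any ruleset whose INPUT policy is DROP without loopback, ESTABLISHED,RELATED and SSH accepts, and only then loads it. The SSH port 19515 and the MySQL client network 192.168.2.0/24 are taken from the post; the INVALID-state drop and the NEW-state qualifiers are additions, and -m conntrack --ctstate is the current spelling of the post's -m state --state. apply_ruleset needs root and a live netfilter, so it is meant to be run by hand; iptables-apply, shipped with the Debian/Ubuntu iptables package, does the same with a timed rollback and is the better tool when changing rules over SSH.

```shell
#!/bin/sh
# Added example (not from the post): build the INPUT policy as one
# iptables-restore file and refuse to load it if it would lock out SSH.
# Assumptions: SSH_PORT and MYSQL_NET are placeholders taken from the post;
# apply_ruleset requires root and is not exercised automatically.
set -u

SSH_PORT="${SSH_PORT:-19515}"            # the post's moved SSH port
MYSQL_NET="${MYSQL_NET:-192.168.2.0/24}" # network allowed to reach MySQL

# Emit the whole filter table in iptables-restore syntax. iptables-restore
# commits it atomically, so the order of lines in the file is what counts.
gen_ruleset() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -p tcp --dport ${SSH_PORT} -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -s ${MYSQL_NET} -p tcp --dport 3306 -m conntrack --ctstate NEW -j ACCEPT
COMMIT
EOF
}

# Lockout guard. Reads a ruleset on stdin and returns 0 if it is safe to
# load over an SSH session, 1 otherwise: whenever the INPUT policy is DROP
# the table must accept loopback, ESTABLISHED/RELATED and the SSH port.
check_ruleset() {
    rules=$(cat)
    policy=$(printf '%s\n' "$rules" | awk '$1 == ":INPUT" { print $2 }')
    if [ "$policy" != "DROP" ]; then
        return 0
    fi
    for pattern in \
        '^-A INPUT -i lo -j ACCEPT$' \
        '^-A INPUT .*--(ct)?state ESTABLISHED,RELATED -j ACCEPT$' \
        "^-A INPUT .*--dport ${SSH_PORT} .*-j ACCEPT$"
    do
        if ! printf '%s\n' "$rules" | grep -Eq -- "$pattern"; then
            echo "refusing ruleset: no rule matching '$pattern'" >&2
            return 1
        fi
    done
    return 0
}

# Keep a rollback copy, run the guard, let iptables-restore parse the file
# without committing (--test), then load it atomically. Root only.
apply_ruleset() {
    backup=$(mktemp) || return 1
    iptables-save > "$backup" || return 1
    echo "rollback copy: iptables-restore < $backup" >&2
    gen_ruleset | check_ruleset || return 1
    gen_ruleset | iptables-restore --test || return 1
    gen_ruleset | iptables-restore
}

# Usage (as root, ideally from a console or via iptables-apply):
#   sh ./ruleset.sh && apply_ruleset
```

Because the file sets the policy and the accept rules in one commit, there is no window in which the policy is DROP but the SSH rule is missing, which is the failure mode the command-by-command version has.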
Persisting iptables rules: on Ubuntu the rules exist only in the running kernel and are gone after a reboot, so they have to be persisted.
1. Install the iptables-persistent package, which does the persistence for us
sudo apt-get update
sudo apt-get install iptables-persistent -y
Save the running rules (written to /etc/iptables/rules.v4 and /etc/iptables/rules.v6, which are loaded again at boot) and reload them
sudo netfilter-persistent save
sudo netfilter-persistent reload
2. Save the ruleset to a file and load it when the network interface comes up
Save the current iptables rules to a file in the user's home directory. The file is loaded as root at boot, so it should be owned by root and not writable by the user, and it should be checked once with: sudo iptables-restore --test /home/user/iptables.rules
sudo iptables-save > /home/user/iptables.rules
Add the corresponding lines to the NIC's stanza in /etc/network/interfaces. This is the ifupdown mechanism; on Ubuntu releases that configure the network with netplan the file is not used, and method 1 should be preferred
vim /etc/network/interfaces
Lines to add:
pre-up iptables-restore < /home/user/iptables.rules
post-down iptables-save > /home/user/iptables.rules
Note that post-down overwrites the saved file with whatever is live when the interface goes down; if the rules were flushed in the meantime, the flushed state is what comes back at the next boot. It is safer to leave post-down out and save by hand after each deliberate change.
Meaning of the hooks used:
pre-up: run before the interface is brought up
up: run when the interface is brought up
post-up: run after the interface is up
pre-down: run before the interface is taken down
down: run when the interface is taken down
post-down: run after the interface is down
To "turn iptables off", clear the rules and reset the policies. Set the policies back to ACCEPT first: flushing while the INPUT policy is still DROP removes the ESTABLISHED,RELATED and SSH rules and cuts off the SSH session before the remaining commands can run.
sudo iptables-save > /home/user/iptables.rules   # keep a copy of the current rules first
sudo iptables -P INPUT ACCEPT      # set the INPUT chain policy back to accept everything
sudo iptables -P OUTPUT ACCEPT
sudo iptables -P FORWARD ACCEPT
sudo iptables -F                   # flush the rules of the default filter table
sudo iptables -X                   # delete the user-defined chains of the filter table
sudo iptables -t nat -F            # flush the rules of the nat table
sudo iptables -t nat -X
sudo iptables -t mangle -F         # flush the rules of the mangle table
sudo iptables -t mangle -X