Examples of individual iptables rules

iptables -F
# -F (flush) empties every chain of the FILTER table, which is the default table when -t is not given.

iptables -A INPUT -s 172.20.20.1/32 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
# In the INPUT chain of the FILTER table, packets whose source address is the host 172.20.20.1 and whose connection-tracking state is NEW, ESTABLISHED or RELATED are accepted.

iptables -A INPUT -s 172.20.20.1/32 -m state --state NEW,ESTABLISHED -p tcp -m multiport --dport 123,110 -j ACCEPT
# -p specifies the protocol and -m loads a match module; the multiport module matches several non-adjacent port numbers in one rule. The complete rule means: TCP packets from host 172.20.20.1 in state NEW or ESTABLISHED whose destination port is 123 or 110 are allowed through.

iptables -A INPUT -s 172.20.22.0/24 -m state --state NEW,ESTABLISHED -p tcp -m multiport --dport 123,110 -j ACCEPT

iptables -A INPUT -s 0/0 -m state --state NEW -p tcp -m multiport --dport 123,110 -j DROP
# This rule means: TCP packets from any source address (0/0) in state NEW are forbidden from reaching ports 123 and 110 on this host.

iptables -A INPUT ! -s 172.20.89.0/24 -m state --state NEW -p tcp -m multiport --dport 1230,110 -j DROP
# "!" negates the match: every source address except the 172.20.89.0/24 segment is DROPped.

iptables -R INPUT 1 -s 192.168.6.99 -p tcp --dport 22 -j ACCEPT
# -R replaces the first rule of the INPUT chain with this one.

iptables -t filter -L INPUT -vn
# Lists the rules of the INPUT chain in the filter table in detail: -v shows packet and byte counters, -n prints addresses and ports numerically instead of resolving names.

 

# ------------------------------- NAT IP -------------------------------
# The following operations are all done in the NAT table (-t nat). Please note.

iptables -t nat -F
iptables -t nat -A PREROUTING -d 192.168.102.55 -p tcp --dport 90 -j DNAT --to 172.20.11.1:800

# -A PREROUTING appends to the chain that runs before the routing decision. The complete rule means: in the PREROUTING chain of the NAT table, packets destined for 192.168.102.55 port 90 get DNAT, i.e. they are redirected to 172.20.11.1:800.

iptables -t nat -A POSTROUTING -d 172.20.11.1 -j SNAT --to 192.168.102.55

# -A POSTROUTING appends to the chain that runs after the routing decision. In the POSTROUTING chain of the NAT table, every packet destined for 172.20.11.1 gets SNAT: its source address is rewritten to 192.168.102.55.

 

iptables -A INPUT -d 192.168.20.0/255.255.255.0 -i eth1 -j DROP
iptables -A INPUT -s 192.168.20.0/255.255.255.0 -i eth1 -j DROP
iptables -A OUTPUT -d 192.168.20.0/255.255.255.0 -o eth1 -j DROP
iptables -A OUTPUT -s 192.168.20.0/255.255.255.0 -o eth1 -j DROP

# In the example above, eth1 is the interface connected to the Internet and 192.168.20.0/24 is the internal network. These rules prevent IP spoofing: a packet arriving on eth1 should carry a public source address, so traffic on eth1 claiming the internal network as source or destination is dropped.

iptables -A INPUT -s 255.255.255.255 -i eth0 -j DROP
iptables -A INPUT -s 224.0.0.0/224.0.0.0 -i eth0 -j DROP
iptables -A INPUT -d 0.0.0.0 -i eth0 -j DROP

# Prevent broadcast and multicast packets from entering the LAN through the IP proxy server.

iptables -A INPUT -p tcp -m tcp --sport 5000 -j DROP
iptables -A INPUT -p udp -m udp --sport 5000 -j DROP
iptables -A OUTPUT -p tcp -m tcp --dport 5000 -j DROP
iptables -A OUTPUT -p udp -m udp --dport 5000 -j DROP

# Block port 5000 in both directions (incoming traffic from source port 5000, outgoing traffic to destination port 5000, TCP and UDP).

iptables -A INPUT -s 211.148.130.129 -i eth1 -p tcp -m tcp --dport 3306 -j DROP
iptables -A INPUT -s 192.168.20.0/255.255.255.0 -i eth0 -p tcp -m tcp --dport 3306 -j ACCEPT
iptables -A INPUT -s 211.148.130.128/255.255.255.240 -i eth1 -p tcp -m tcp --dport 3306 -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 3306 -j DROP

# Prevent users on the Internet from accessing the MySQL server (port 3306). Rules are evaluated in order: the specific host 211.148.130.129 is dropped first, the internal 192.168.20.0/24 network and the 211.148.130.128/28 block are accepted, and the final rule drops everything else.
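To see why the order of the four 3306 rules matters, here is a small added example (not from the original post) that simulates netfilter's first-match evaluation; the rule tuples transcribe the page's rules, while the sample packets are constructed.

```python
# Added example (not from the original post): a minimal first-match simulator
# for the MySQL (3306) INPUT rules above. iptables walks a chain top to bottom
# and stops at the first matching rule, so the DROP for 211.148.130.129 only
# takes effect because it precedes the ACCEPT for 211.148.130.128/28.
import ipaddress

# Rules transcribed from the page: (source network, ingress interface, protocol, dport, target).
# None means "any" for that criterion.
MYSQL_RULES = [
    ("211.148.130.129/32", "eth1", "tcp", 3306, "DROP"),
    ("192.168.20.0/24", "eth0", "tcp", 3306, "ACCEPT"),
    ("211.148.130.128/28", "eth1", "tcp", 3306, "ACCEPT"),
    (None, None, "tcp", 3306, "DROP"),
]

def rule_matches(rule, pkt):
    """Return True when every specified criterion of the rule matches the packet."""
    src_net, iface, proto, dport, _ = rule
    if src_net is not None and ipaddress.ip_address(pkt["src"]) not in ipaddress.ip_network(src_net):
        return False
    if iface is not None and pkt["iface"] != iface:
        return False
    if proto is not None and pkt["proto"] != proto:
        return False
    if dport is not None and pkt["dport"] != dport:
        return False
    return True

def evaluate(rules, pkt, policy="ACCEPT"):
    """First matching rule decides; otherwise the chain policy applies."""
    for rule in rules:
        if rule_matches(rule, pkt):
            return rule[-1]
    return policy

def verdicts(rules, packets):
    return [evaluate(rules, p) for p in packets]

# Constructed sample packets (not from the page).
SAMPLE_PACKETS = [
    {"src": "211.148.130.129", "iface": "eth1", "proto": "tcp", "dport": 3306},  # explicitly blocked host
    {"src": "211.148.130.130", "iface": "eth1", "proto": "tcp", "dport": 3306},  # rest of the /28 is allowed
    {"src": "192.168.20.7", "iface": "eth0", "proto": "tcp", "dport": 3306},     # LAN client
    {"src": "203.0.113.9", "iface": "eth1", "proto": "tcp", "dport": 3306},      # arbitrary Internet host
    {"src": "203.0.113.9", "iface": "eth1", "proto": "tcp", "dport": 80},        # not MySQL, falls through to policy
]

if __name__ == "__main__":
    for pkt, v in zip(SAMPLE_PACKETS, verdicts(MYSQL_RULES, SAMPLE_PACKETS)):
        print(pkt["src"], pkt["iface"], pkt["dport"], "->", v)
    # Moving the host DROP below the /28 ACCEPT silently lets 211.148.130.129 through.
    reordered = [MYSQL_RULES[1], MYSQL_RULES[2], MYSQL_RULES[0], MYSQL_RULES[3]]
    print("reordered:", evaluate(reordered, SAMPLE_PACKETS[0]))
```

Running it prints DROP, ACCEPT, ACCEPT, DROP, ACCEPT for the five packets, and ACCEPT for the blocked host once the rules are reordered, which is the check to make before inserting a rule with -I rather than -A.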

iptables -A FORWARD -p tcp --dport 22 -j REJECT --reject-with tcp-reset

# REJECT is similar to DROP, but instead of silently discarding the packet the host sends back the reply specified with --reject-with (here a TCP RST). Because the port then looks closed rather than filtered, this can nicely hide the presence of a firewall.

Source: www.cnblogs.com/fanweisheng/p/11130216.html