iptables start and stop
1. Check whether it is running: #service iptables status
2. Start: #service iptables start
3. Stop: #service iptables stop
4. Check whether it starts at boot: #chkconfig --list | grep iptables
5. Enable start at boot (runlevels 3 and 5): #chkconfig --level 35 iptables on
6. Save the rules: #service iptables save; the target file can also be given explicitly: #iptables-save > /etc/sysconfig/iptables
iptables structure
1. Four tables: raw (connection-tracking exemptions), mangle (packet modification), nat (address translation), filter (the default and most used table). Tables are consulted in that priority order (raw, mangle, nat, filter). The -t parameter selects the table.
2. Five chains: PREROUTING, INPUT (most common), FORWARD, OUTPUT, POSTROUTING. Chain operations: -P set the default policy, -N create a chain, -L list rules, -A append a rule, -D delete a rule, -I insert a rule, -R replace a rule, -F flush all rules, -Z zero the counters, -X delete a chain.
3. Match criteria: -s source IP, --sport source port, -d destination IP, --dport destination port, -p protocol (tcp, udp, icmp), --state connection state, -i incoming interface, -o outgoing interface.
4. Action to perform with -j: ACCEPT, DROP, REJECT, MASQUERADE (rewrites the source IP to the firewall's IP).
5. Extension modules loaded with -m: state (NEW, ESTABLISHED, RELATED, INVALID), multiport (several ports in one rule), limit (rate-limit matching packets), mac (match the source MAC address).
Examples of iptables
1. iptables -A INPUT -p tcp --dport 22 -j REJECT --reject-with tcp-reset ## reject inbound packets to port 22 and send a TCP RST back to the sender
2. iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-ports 8081 ## redirect inbound packets for port 80 to port 8081
3. iptables -t nat -A POSTROUTING -p tcp -j MASQUERADE --to-ports 21000-31000 ## rewrite the source IP of outbound TCP packets to the firewall's IP, using source ports 21000-31000
4. iptables -t nat -A POSTROUTING -p tcp -o eth0 -j SNAT --to-source 192.168.10.15-192.168.10.160:2100-3200 ## rewrite the source IP and port of TCP packets leaving via eth0 to an address from the given range
5. iptables -A INPUT -p tcp --dport 80 -j ACCEPT ## accept inbound packets to port 80
6. iptables -A INPUT -p tcp -m multiport --destination-port 22,53,80,110 -j ACCEPT ## accept inbound packets to ports 22, 53, 80 or 110
7. iptables -A INPUT -m limit --limit 3/hour -j ACCEPT ## accept an average of at most three inbound packets per hour; without a -j target the rule only counts matches and changes nothing
8. iptables -A INPUT -m mac --mac-source 00:00:00:00:00:01 -j ACCEPT ## accept inbound packets from the given source MAC address
9. iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT ## accept inbound packets belonging to established connections or related to them
10. iptables -R INPUT 2 -s 172.16.0.0/16 -d 172.16.100.1 -p tcp --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT ## replace rule 2 of INPUT with one that accepts NEW or ESTABLISHED TCP packets from 172.16.0.0/16 to 172.16.100.1 port 22
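The rules above combine into a default-deny INPUT policy where order matters: the RELATED,ESTABLISHED rule comes first so return traffic is handled before the per-port rules, and the final REJECT catches everything else. The script below is an added example, not part of the original cheat sheet; the management subnet 192.168.10.0/24 is a constructed placeholder, and DRY_RUN=1 (the default) prints the commands instead of running them, so no root is needed to inspect the result.

```shell
#!/bin/sh
# Added example: a stateful default-deny INPUT chain built from the rules
# in this cheat sheet. Run with DRY_RUN=0 as root to apply it for real.
DRY_RUN="${DRY_RUN:-1}"
SSH_NET="${SSH_NET:-192.168.10.0/24}"   # constructed placeholder subnet

# Wrapper: echo the command in dry-run mode, otherwise execute it.
ipt() {
    if [ "$DRY_RUN" = "1" ]; then
        printf 'iptables %s\n' "$*"
    else
        iptables "$@"
    fi
}

baseline_input() {
    ipt -F INPUT                                   # start from an empty chain
    ipt -P INPUT DROP                              # default policy: drop
    ipt -A INPUT -i lo -j ACCEPT                   # loopback is always allowed
    # Return traffic first, so later port rules only have to handle NEW.
    ipt -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
    ipt -A INPUT -m state --state INVALID -j DROP
    # SSH only from the management subnet (rule 10 above, generalised).
    ipt -A INPUT -p tcp -s "$SSH_NET" --dport 22 -m state --state NEW -j ACCEPT
    # Web ports via multiport (rule 6 above).
    ipt -A INPUT -p tcp -m multiport --dports 80,443 -m state --state NEW -j ACCEPT
    # limit needs a -j target to have any effect (rule 7 above).
    ipt -A INPUT -p icmp --icmp-type echo-request -m limit --limit 3/second -j ACCEPT
    # Explicit final reject so the drop policy is never relied on silently.
    ipt -A INPUT -j REJECT --reject-with icmp-port-unreachable
}

baseline_input
# After a real run, persist with: service iptables save
```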