iptables tutorial: adding, deleting, modifying, querying and saving firewall policy

I. View existing firewall policies

iptables -L -n

iptables -L -n --line-numbers    # --line-numbers prints each rule's number, which is needed when deleting a rule

II. Adding firewall policies (port 22 as the example)

iptables -A INPUT -s 192.168.220.0/24 -p tcp --dport 22 -j ACCEPT    # allow a whole subnet
iptables -A INPUT -s 192.168.1.1 -p tcp --dport 22 -j ACCEPT         # allow a single IP
iptables -A INPUT -p tcp --dport 22 -j DROP                          # drop everyone else on port 22

Notes:

1. -A appends the rule at the end of the chain; use -I to insert it at the beginning.

2. Multiple IPs are separated by a (half-width) comma; for multiple ports add -m multiport and separate the ports with a (half-width) comma as well:

iptables -A INPUT -s 127.0.0.1,192.168.1.1 -p tcp -m multiport --dport 22,23 -j ACCEPT
iptables -A INPUT -p tcp -m multiport --dport 22,23 -m comment --comment "deny all 22,23" -j DROP

3. For a contiguous range of source IPs, use -m iprange --src-range:

iptables -I INPUT -m iprange --src-range 192.168.220.128-192.168.220.139 -p tcp -m multiport --dport 22,23 -m comment --comment "subnet:22,23" -j ACCEPT

Note that iptables -L lists this rule with source 0.0.0.0/0, but do not worry that it lets every IP through: the source IP range appears after it in the rule's match description, and that range is what actually takes effect.


4. When the rules do not conflict with each other, -I and -A give the same result; but when you are adding the rules over a remote connection and restricting port 22 at the same time, -I can get you into fatal trouble:

iptables -I INPUT -p TCP --dport 22 -j DROP
iptables -I INPUT -s 192.168.1.1 -p TCP --dport 22 -j ACCEPT
iptables -I INPUT -s 192.168.220.0/24 -p TCP --dport 22 -j ACCEPT

These three look equivalent to the same three commands with -A, but a firewall rule takes effect immediately: as soon as "iptables -I INPUT -p TCP --dport 22 -j DROP" runs, your ssh session is cut off, and the two commands after it are never executed.
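To make the lockout visible without touching a live firewall, here is an added example (not from the original post) that replays those three -I commands one at a time in a tiny first-match simulator and reports, after each step, whether the administrator's own ssh packet would still be accepted. Rules use a constructed, simplified format "SRC DPORT TARGET" (SRC is a single IP, a /24 prefix, or "any"); the INPUT chain's default policy is assumed to be ACCEPT.

```shell
#!/bin/sh
# Added example, not part of the original post: simulate first-match
# evaluation of a chain while rules are added with -I or -A, step by step.

NL='
'

# src_matches RULE_SRC PKT_SRC -> success if the rule covers the packet source
src_matches() {
    case $1 in
        any)  return 0 ;;
        */24) [ "${1%.*/24}" = "${2%.*}" ] ;;   # same first three octets
        *)    [ "$1" = "$2" ] ;;
    esac
}

# verdict CHAIN PKT_SRC PKT_DPORT -> target of the first matching rule,
# or ACCEPT when nothing matches (assumed default policy of INPUT)
verdict() {
    hit=$(printf '%s' "$1" | while read -r rsrc rport target; do
        if [ "$rport" = "$3" ] && src_matches "$rsrc" "$2"; then
            echo "$target"
            exit 0
        fi
    done)
    echo "${hit:-ACCEPT}"
}

# replay MODE ADMIN_SRC RULE... -> one verdict per command, in the order the
# commands are typed; a DROP line means the ssh session is gone at that
# point and the remaining commands would never run.
replay() {
    mode=$1; admin=$2; shift 2
    chain=""
    for rule in "$@"; do
        if [ "$mode" = "-I" ]; then
            chain="$rule$NL$chain"      # -I prepends: new rule is checked first
        else
            chain="$chain$rule$NL"      # -A appends: new rule is checked last
        fi
        verdict "$chain" "$admin" 22
    done
}

# The three -I commands from the post, typed over ssh from 192.168.1.1:
# prints DROP on the very first line, i.e. the session dies after command 1.
replay -I 192.168.1.1 'any 22 DROP' '192.168.1.1 22 ACCEPT' '192.168.220.0/24 22 ACCEPT'
```

The same three rules entered with -A, ACCEPTs first and the DROP last, print ACCEPT at every step, which is the safe order for remote work.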


III. Modifying a Firewall Policy

iptables -R INPUT 2 -s 192.168.1.1 -p tcp --dport 22 -j DROP    # 2 is the rule number shown by --line-numbers

-R replaces the rule at that position outright instead of editing the original, so every parameter has to be written out again. Even though the original rule here already had -s 192.168.1.1, it still has to be given; otherwise the result would DROP connection requests to port 22 from all IPs.


IV. Delete firewall policy

iptables -D INPUT 2    # 2 is the rule number shown by --line-numbers; this deletes the second rule

iptables -F    # flushes all firewall rules; use with care


V. Save firewall rules

The changes above are only temporary and are not written to the configuration file (/etc/sysconfig/iptables); once the firewall service is restarted, the policy reverts to the previously saved state. To make the firewall configuration permanent, save it:

service iptables save


Reposted from: https://www.cnblogs.com/lsdb/p/7060251.html


Origin: www.cnblogs.com/longchengruoxi/p/11579936.html