netfilter iptables based firewall framework implemented tool, the basic function is to achieve filtering of data packets, depending on the position of the packet processing rules chain different categorized as follows:
Processing packet flows: INPUT
Processing outgoing packets: OUTPUT
The packet forwarding process made: FORWAARD
Performing pre-processing routing data packets: PREROUTING
After performing routing processing packets: POSTROUTING
Packet processing operation of: generally ACCEPT LOG DROP REJECT
INPUT chain rules are commonly used:
iptables -L -nv # view existing chain of rules
Article 3 iptables -D INPUT 3 # delete INPUT chain
service iptables save # Save the rule has been added chain, so that after the restart can take effect, or use iptables rules to add chain will expire after the restart.
iptables -P INPUT ACCEPT # Set the default policy for the INPUT rule chain ACCEPT, of course, can be DROP, need to be careful when you want to set as DROP, if other rules are not likely to be directly off the server.
iptables -I INPUT -p icmp -j ACCEPT # Add to the INPUT chain to allow ICMP protocol traffic into the strategy
# Follows, was added to the INPUT chain only allow access to hosts specified network port of the machine 139, 445, discarding traffic from all other hosts.
iptables -I INPUT -s 192.168.1.0/24 -p tcp -m multiport --dports 139,445 -j ACCEPT
iptables -A INPUT -p tcp -m multiport --dport 139,445 -j DROP
# Follows, was added to the INPUT chain only allow access to hosts specified network port of the machine 22, drop traffic from all other hosts.
iptables -I INPUT -s 192.168.1.0/24 -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -p tcp --dport 22 -j DROP
# As long as the sender or receiver end if one party has successfully established a connection, then we believe that this state is ESTABLISHED, use in special cases. Adding to the INPUT chain is udp protocols and traffic allowed through the ESTABLISHED state.
iptables -A INPUT -p udp -m state --state ESTABLISHED -j ACCEPT