Writing iptables firewall rules (1)

iptables/netfilter:

Tables:
    filter, nat, mangle and raw

Chains:
    PREROUTING, INPUT, FORWARD, OUTPUT and POSTROUTING

filter:
    INPUT, FORWARD and OUTPUT

nat:
    PREROUTING (DNAT), OUTPUT, POSTROUTING (SNAT)

mangle:
    PREROUTING, INPUT, FORWARD, OUTPUT and POSTROUTING

raw:
    PREROUTING, OUTPUT

iptables:

iptables [-t table] <management option> [chain name] [matching conditions] [-j control type]

  • Table name / chain name: specify the table and chain the iptables command operates on; when no table name is given, the filter table is used by default.

  • Management option: the operation the iptables command performs on rules, such as insert, append, delete, list and so on.

  • Matching conditions: specify which packets the rule handles; packets that do not meet the conditions are not processed by this rule.

  • Control type: how a matching packet is handled, such as accept, reject, drop and so on.

Matching conditions
    generic matches
        -s: source IP address of the packet
        -d: destination IP address of the packet
        -p {tcp|udp|icmp}: match a protocol
        -i INTERFACE: the interface the packet arrives on
            can only be used in chains that see incoming packets: PREROUTING, INPUT, FORWARD
        -o INTERFACE: the interface the packet leaves through
            can only be used in chains that see outgoing packets: OUTPUT, POSTROUTING, FORWARD
    extended matches
        implicit extensions (loaded automatically by -p)
            -p tcp
                --sport PORT[-PORT]: source port or port range
                --dport PORT[-PORT]: destination port or port range
                --tcp-flags mask comp: examine only the flags listed in mask (both lists are comma separated);
                    flags listed in comp must be set (1), flags in mask but not in comp must be clear (0);
                    --tcp-flags SYN,FIN,ACK,RST SYN is the same as --syn
                --syn
                example:

                     iptables -I INPUT -d 172.16.100.7 -p tcp --dport 80 -j ACCEPT
                     iptables -I OUTPUT -s 172.16.100.7 -p tcp --sport 80 -j ACCEPT
                     iptables -A INPUT -s 127.0.0.1 -d 127.0.0.1 -i lo -j ACCEPT
                     iptables -A OUTPUT -s 127.0.0.1 -d 127.0.0.1 -o lo -j ACCEPT

            -p icmp
                --icmp-type
                    0: echo-reply
                    8: echo-request
                    example:

                         iptables -A OUTPUT -s 172.16.100.7 -p icmp --icmp-type 8 -j ACCEPT
                         iptables -A INPUT -d 172.16.100.7 -p icmp --icmp-type 0 -j ACCEPT

            -p udp
                --sport
                --dport

            -p tcp --dport
        explicit extensions: use additional matching modules that must be loaded with -m
            -m EXTENSION --extension-specific-option

            state: the connection state extension
                relies on the ip_conntrack module, which tracks the state of each session
                    NEW: a new connection request
                    ESTABLISHED: an already established connection
                    INVALID: an illegal connection
                    RELATED: a connection related to an existing tracked connection
                -m state --state NEW,ESTABLISHED -j ACCEPT
                example: iptables -R INPUT 6 -d 172.16.100.7 -p tcp -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
                iptables -I INPUT -d 172.16.100.7 -p tcp -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
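The rules above combined into one stateful host ruleset with a dry-run wrapper, as an added example that is not part of the original post; it assumes 172.16.100.7 is the host's own address, that DRY_RUN=0 is run as root from a console (flushing INPUT under a DROP policy can cut off a remote session), and that the state module is available.

```shell
#!/bin/sh
# Added example: stateful host firewall built from the rules on this page.
# DRY_RUN=1 (the default) prints the commands; DRY_RUN=0 applies them.
HOST_IP="${HOST_IP:-172.16.100.7}"   # assumed to be this host's own address
DRY_RUN="${DRY_RUN:-1}"

# Wrapper: echo the command in dry-run mode, otherwise execute it.
rule() {
    if [ "$DRY_RUN" = "1" ]; then
        echo "iptables $*"
    else
        iptables "$@"
    fi
}

build_rules() {
    # Start from a clean filter table (the default table when -t is omitted).
    rule -F INPUT
    rule -F OUTPUT
    # Whitelist model: anything not explicitly accepted hits the DROP policy.
    rule -P INPUT DROP
    rule -P OUTPUT DROP
    rule -P FORWARD DROP
    # Loopback traffic is matched on the interface as well as the address.
    rule -A INPUT -s 127.0.0.1 -d 127.0.0.1 -i lo -j ACCEPT
    rule -A OUTPUT -s 127.0.0.1 -d 127.0.0.1 -o lo -j ACCEPT
    # One conntrack rule per chain replaces a pair of port rules per service.
    # It must come before the service rules, because rules are checked in order.
    rule -A INPUT -d "$HOST_IP" -m state --state ESTABLISHED,RELATED -j ACCEPT
    rule -A OUTPUT -s "$HOST_IP" -m state --state ESTABLISHED,RELATED -j ACCEPT
    # Only NEW connections still need their own rule: a TCP handshake to port 80
    # (--syn = --tcp-flags SYN,FIN,ACK,RST SYN, so only the first packet) ...
    rule -A INPUT -d "$HOST_IP" -p tcp --dport 80 --syn -m state --state NEW -j ACCEPT
    # ... and outgoing ping; the echo-reply comes back via the ESTABLISHED rule.
    rule -A OUTPUT -s "$HOST_IP" -p icmp --icmp-type 8 -m state --state NEW -j ACCEPT
}

# Number of commands the ruleset consists of, for a quick sanity check.
count_rules() { build_rules | wc -l | tr -d ' '; }

build_rules
```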


https://mp.weixin.qq.com/s/W6Z0K0eq-ZMe3sf6_CwqOw



Origin blog.csdn.net/weixin_43857096/article/details/104087615