Reposted 2010-05-27 11:44:00



From Gentoo Linux Wiki

Introduction

iptables is a program for controlling the Linux Kernel's firewall. By default it allows all incoming and outgoing connections.

Installation

emerge -av iptables


Getting Started

By default iptables permits all incoming and outgoing connections, however it is possible that some rules may already exist on your system. To see the current set of rules type:

/sbin/iptables -L


You should see three chains (INPUT, FORWARD, OUTPUT), all empty. If you don't, you can back up your rules by running

iptables-save > ~/rules.save

which writes the rules.save file into your home directory. Should you want to reload your old configuration later, run

iptables-restore < ~/rules.save

So now that any old rules have been saved for later reference, you can type:

iptables -F

to flush (delete every rule in) the rule set. The most basic rule to apply is the default policy: if no other rule on a chain matches, the chain's policy decides what happens to the packet. For INPUT we want this to be DROP, but before setting it make sure you won't cut yourself off from the internet (a DROP policy with no accept rules blocks ALL incoming traffic). To make this policy workable the kernel must be able to keep track of active TCP connections as well as related UDP packets, so you must enable connection tracking in the kernel:

Linux Kernel Configuration: iptables configuration

Networking support --->
    Networking options --->
        [*] Network packet filtering framework (Netfilter) --->
            Core Netfilter Configuration --->
                <*> Netfilter connection tracking support
                -*- Netfilter Xtables support (required for ip_tables)
                <*> "state" match support

After configuring your kernel, you can now type:

iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

This tells iptables to append a rule to the INPUT chain (-A INPUT) that accepts (-j ACCEPT) packets as long as they belong to, or are related to, a connection that already exists. -m state loads the match extension (module) state, and --state RELATED,ESTABLISHED is that module's argument, so -m state --state is not actually redundant: --state selects which connection states to match, namely RELATED and ESTABLISHED. Now you are ready to secure your system. Change the default policy for INPUT to DROP:

iptables -P INPUT DROP


Now you should still be able to get on the internet and do all your normal tasks; it's just that no new connections can be made from the outside in. If you have no need for incoming connections you are set; if you want to do something more advanced, move on to the next section.

And last you need to allow local connections over the loopback interface, which local services rely on:

iptables -I INPUT -i lo -j ACCEPT
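The whole Getting Started sequence as one script, added here as an example and not taken from the Gentoo wiki page. It assumes iptables and iptables-save are in PATH and that it is run as root with --apply; without that argument it is a dry run that only prints the commands, and the baseline_is_safe check confirms the DROP policy is set only after the RELATED,ESTABLISHED rule, which is what keeps an SSH session alive.

```shell
#!/bin/bash
# Added example, not from the Gentoo wiki page: applies the "Getting Started"
# baseline in an order that cannot lock you out of a remote (e.g. SSH) session.
# Assumptions: iptables/iptables-save are in PATH and the script runs as root.
# Without the --apply argument it is a dry run that only prints the commands.
set -eu
BACKUP="${BACKUP:-${HOME:-/root}/rules.save}"
DRY_RUN="${DRY_RUN:-1}"
# Run one iptables command, or print it in dry-run mode.
ipt() {
    if [ "$DRY_RUN" = "1" ]; then
        echo "iptables $*"
    else
        iptables "$@"
    fi
}

# The accept rules go in BEFORE the policy becomes DROP; the policy is reset
# to ACCEPT before flushing in case a previous run already left it at DROP.
apply_baseline() {
    if [ "$DRY_RUN" != "1" ]; then
        iptables-save > "$BACKUP"   # keep the old rules, as the guide suggests
    fi
    ipt -P INPUT ACCEPT             # a flush under a DROP policy would cut us off
    ipt -F                          # flush every existing rule
    ipt -A INPUT -i lo -j ACCEPT    # loopback first: local services depend on it
    ipt -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
    ipt -P INPUT DROP               # only now is a DROP default policy safe
}

# Read a command list on stdin; exit 0 only if "-P INPUT DROP" appears AFTER
# the RELATED,ESTABLISHED accept rule (missing or misordered -> exit 1).
baseline_is_safe() {
    awk 'BEGIN { ok = 0 }
         /--state RELATED,ESTABLISHED -j ACCEPT/ { seen = 1 }
         /-P INPUT DROP/ { ok = seen }
         END { exit (ok ? 0 : 1) }'
}

case "${1:-}" in
    --apply)
        DRY_RUN=0
        apply_baseline
        ;;
    *)
        out=$(apply_baseline)
        printf '%s\n' "$out"
        printf '%s\n' "$out" | baseline_is_safe && echo "# dry run: rule order is safe"
        ;;
esac
```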

Advanced

Logging

Logging messages requires syslog-ng to be installed and running:

emerge -av syslog-ng

It may be a good idea to start it by default:

rc-update add syslog-ng default

Once this is set up, you can add the LOG rule to your chains:

iptables -A INPUT -j LOG

The LOG target is non-terminating: after logging, the packet continues down the chain. So if you put the LOG rule at the beginning of the chain you log ALL packets; if you put it at the end and the policy is DROP, you log exactly the packets that are about to be dropped. If your default policy is ACCEPT you should instead create a chain called LOGDROP that both logs and drops a packet. To do this run the following commands:

iptables -N LOGDROP

creates a new chain named LOGDROP,

iptables -A LOGDROP -j LOG

logs the packets that reach the chain, and

iptables -A LOGDROP -j DROP

drops them. Now use "-j LOGDROP" instead of "-j DROP" wherever you want both, for instance when blocking specific ports.

Once this is done, logged packets are written to /var/log/messages along with the rest of the kernel (dmesg) output.
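An added example (not from the Gentoo wiki page) that builds on the Logging section: it prints the LOGDROP chain with a --log-prefix so the entries are easy to find in /var/log/messages and a limit match so a flood of dropped packets cannot fill the log, then summarises such entries by source address and destination port. The log lines are constructed samples in the kernel's standard LOG format; the addresses are documentation ranges.

```shell
#!/bin/bash
# Added example, not from the Gentoo wiki page. Part 1 prints the LOGDROP chain
# from the Logging section with two practical additions: a --log-prefix so the
# entries can be found in /var/log/messages, and a rate limit so a flood of
# dropped packets cannot fill the log. Part 2 summarises such entries by
# source address and destination port. The log lines are constructed samples.
set -eu

# Print the commands that build the chain (run them as root, e.g. "| sh").
logdrop_rules() {
    cat <<'EOF'
iptables -N LOGDROP
iptables -A LOGDROP -m limit --limit 5/minute --limit-burst 10 -j LOG --log-prefix "LOGDROP: "
iptables -A LOGDROP -j DROP
EOF
}

# Constructed sample of what syslog-ng writes for the rule above; the
# "IN=... SRC=... DPT=..." fields are the kernel's standard LOG output.
SAMPLE_LOG=$(cat <<'EOF'
May 27 11:44:01 gentoo kernel: LOGDROP: IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 LEN=60 TTL=51 ID=0 DF PROTO=TCP SPT=40122 DPT=23 WINDOW=65535 SYN URGP=0
May 27 11:44:02 gentoo kernel: LOGDROP: IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 LEN=60 TTL=51 ID=0 DF PROTO=TCP SPT=40123 DPT=23 WINDOW=65535 SYN URGP=0
May 27 11:44:05 gentoo kernel: eth0: link up, 1000Mbps, full-duplex
May 27 11:44:09 gentoo kernel: LOGDROP: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 LEN=40 TTL=57 ID=0 DF PROTO=TCP SPT=51000 DPT=22 WINDOW=1024 SYN URGP=0
May 27 11:44:12 gentoo kernel: LOGDROP: IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 LEN=40 TTL=51 ID=0 DF PROTO=TCP SPT=40124 DPT=22 WINDOW=1024 SYN URGP=0
EOF
)

# Read log lines on stdin; print "SRC DPT count" for every LOGDROP entry,
# sorted, ignoring unrelated kernel messages.
summarize_drops() {
    awk '/LOGDROP:/ {
             src = ""; dpt = ""
             for (i = 1; i <= NF; i++) {
                 if ($i ~ /^SRC=/) src = substr($i, 5)
                 if ($i ~ /^DPT=/) dpt = substr($i, 5)
             }
             if (src != "" && dpt != "") n[src " " dpt]++
         }
         END { for (k in n) print k, n[k] }' | sort
}

# Convenience wrapper over the constructed sample.
demo_summary() {
    printf '%s\n' "$SAMPLE_LOG" | summarize_drops
}
logdrop_rules
echo "# dropped packets by source and destination port:"
demo_summary
```

On a real system replace the sample with `grep 'LOGDROP:' /var/log/messages | summarize_drops`.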

Routing

A very good guide to using your Linux box as a router can be found here: http://www.gentoo.org/doc/en/home-router-howto.xml Many of the iptables tips in this section carry over and will help you understand and modify what you do in that guide.

Command Examples

  • Appends to the INPUT chain a rule that allows UDP packets to port 22:
iptables -A INPUT -p udp --dport 22 -j ACCEPT
  • Inserts a rule at position 2 (between rules 1 and 2) that does the same for TCP:
iptables -I INPUT 2 -p tcp --dport 22 -j ACCEPT
  • Deletes the rule matching this specification, for instance the one inserted above:
iptables -D INPUT -p tcp --dport 22 -j ACCEPT
  • Deletes the second rule in the INPUT chain:
iptables -D INPUT 2
  • Lists all current rules with packet counters (-v); add a chain name to list just that chain:
iptables -L -v
  • Zeros the packet and byte counters; add a chain name to zero only that chain:
iptables -Z
