-
[root@mail ~]# iptables -L #查看当前内存中iptables策略,默认是filter表
-
Chain INPUT (policy ACCEPT)
-
target prot opt source destination
-
-
Chain FORWARD (policy ACCEPT)
-
target prot opt source destination
-
-
Chain OUTPUT (policy ACCEPT)
-
target prot opt source destination
-
[root@mail ~]# iptables -t filter -vnL #加-v参数显示包/字节计数和进出网卡,加-n参数以数字形式显示地址和端口(不做名字解析),输出更详细
-
Chain INPUT (policy ACCEPT 31471 packets, 4322K bytes)
-
pkts bytes target prot opt in out source destination
-
-
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
-
pkts bytes target prot opt in out source destination
-
-
Chain OUTPUT (policy ACCEPT 37490 packets, 3056K bytes)
-
pkts bytes target prot opt in out source destination
-
-
#策略格式:iptables 表名 链名 匹配条件 动作
-
-
#下面这句话的意思是
-
-
#对于filter表的INPUT链,源地址为192.169.1.0/24网段内、使用tcp协议80端口的输入包,都执行REJECT(拒绝)动作
-
-
[root@mail ~]# iptables -t filter -A INPUT -s 192.169.1.0/24 -p tcp --dport 80 -j REJECT
-
-
[root@mail ~]# iptables -L #需要注意的是,该策略目前只在内存中,/etc/sysconfig/iptables配置文件中是没有的
-
-
Chain INPUT (policy ACCEPT)
-
target prot opt source destination
-
-
-
-
REJECT tcp -- 192.169.1.0/24 anywhere tcp dpt:http reject-with icmp-port-unreachable
-
-
Chain FORWARD (policy ACCEPT)
-
target prot opt source destination
-
-
Chain OUTPUT (policy ACCEPT)
-
target prot opt source destination
-
[root@mail ~]# iptables -vnL #看的更详细点
-
Chain INPUT (policy ACCEPT 88 packets, 8188 bytes)
-
pkts bytes target prot opt in out source destination
-
4 240 REJECT tcp -- * * 192.169.1.0/24 0.0.0.0/0 tcp dpt:80 reject-with icmp-port-unreachable
-
-
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
-
pkts bytes target prot opt in out source destination
-
-
Chain OUTPUT (policy ACCEPT 131 packets, 11625 bytes)
-
pkts bytes target prot opt in out source destination
-
[root@mail ~]# vim /etc/sysconfig/iptables #配置文件中还没有刚才添加的这条策略
-
-
-
# Firewall configuration written by system-config-firewall
-
# Manual customization of this file is not recommended.
-
*filter
-
:INPUT ACCEPT [0:0]
-
:FORWARD ACCEPT [0:0]
-
:OUTPUT ACCEPT [0:0]
-
COMMIT
-
-
-
#执行save后会将这条策略写入/etc/sysconfig/iptables,在保存的时候,是执行覆盖式的保存
-
-
#内存中有的保存下来,内存中没有的,这个文件中有的将会被删除。
-
-
[root@mail ~]# service iptables save
-
iptables:将防火墙规则保存到 /etc/sysconfig/iptables: [确定]
-
[root@mail ~]# vim /etc/sysconfig/iptables
-
-
-
# Generated by iptables-save v1.4.7 on Wed Aug 15 17:28:53 2012
-
*filter
-
:INPUT ACCEPT [4:352]
-
:FORWARD ACCEPT [0:0]
-
:OUTPUT ACCEPT [4:298]
-
-A INPUT -s 192.169.1.0/24 -p tcp -m tcp --dport 80 -j REJECT --reject-with icmp-port-unreachable
-
COMMIT
-
# Completed on Wed Aug 15 17:28:53 2012
-
-
-
#表的每条链后面都有一个默认动作,Chain INPUT (policy ACCEPT),默认动作意思是
-
-
#数据包按序匹配链中的策略,没有匹配到任何一条策略的匹配条件时,就执行的动作,可以修改链的默认动作
-
-
[root@mail ~]# iptables -t filter -P INPUT DROP
-
-
#修改filter表的INPUT链的默认动作为DROP。注意:如果是通过ssh远程操作,并且INPUT链中没有放行ssh(或已建立连接)的ACCEPT策略,改为DROP后当前会话之外的连接都会被丢弃,可能把自己锁在外面,最好先加放行策略再改默认动作
-
[root@mail ~]# iptables -L
-
-
Chain INPUT (policy DROP)
-
-
target prot opt source destination
-
REJECT tcp -- 192.169.1.0/24 anywhere tcp dpt:http reject-with icmp-port-unreachable
-
-
Chain FORWARD (policy ACCEPT)
-
target prot opt source destination
-
-
Chain OUTPUT (policy ACCEPT)
-
target prot opt source destination
-
-
[root@mail ~]# iptables -t filter -P INPUT ACCEPT #暂时改回来
-
-
#可以删除一条策略,策略是有序的,从1开始,要删除一条策略,需要知道它的序号
-
-
[root@mail ~]# iptables -L --line-numbers #查看策略的序号
-
-
Chain INPUT (policy ACCEPT)
-
num target prot opt source destination
-
1 REJECT tcp -- 192.169.1.0/24 anywhere tcp dpt:http reject-with icmp-port-unreachable
-
-
Chain FORWARD (policy ACCEPT)
-
num target prot opt source destination
-
-
Chain OUTPUT (policy ACCEPT)
-
num target prot opt source destination
-
-
[root@mail ~]# iptables -D INPUT 1 #删除INPUT链的序号为1的策略
-
-
[root@mail ~]# vim /etc/sysconfig/iptables #和前面一样,这只是删除了内存中的策略,/etc/sysconfig/iptables中仍然存在
-
-
# Generated by iptables-save v1.4.7 on Wed Aug 15 17:28:53 2012
-
*filter
-
:INPUT ACCEPT [4:352]
-
:FORWARD ACCEPT [0:0]
-
:OUTPUT ACCEPT [4:298]
-
-A INPUT -s 192.169.1.0/24 -p tcp -m tcp --dport 80 -j REJECT --reject-with icmp-port-unreachable
-
COMMIT
-
# Completed on Wed Aug 15 17:28:53 2012
-
-
-
[root@mail ~]# service iptables save #执行保存,配置文件中也被删除了
-
iptables:将防火墙规则保存到 /etc/sysconfig/iptables: [确定]
-
-
[root@mail ~]# vim /etc/sysconfig/iptables
-
-
# Generated by iptables-save v1.4.7 on Wed Aug 15 17:45:03 2012
-
*filter
-
:INPUT ACCEPT [0:0]
-
:FORWARD ACCEPT [0:0]
-
:OUTPUT ACCEPT [0:0]
-
COMMIT
-
# Completed on Wed Aug 15 17:45:03 2012
-
-
-
#除了INPUT,FORWARD,OUTPUT链,可以定义自己的链
-
-
[root@mail ~]# iptables -N chen #定义一个chen链,相当于多了一扇门
-
-
#拒绝通过chen链,地址为192.169.1.99,协议为tcp端口为80的数据包
-
-
[root@mail ~]# iptables -t filter -A chen -s 192.169.1.99 -p tcp --dport 80 -j REJECT
-
[root@mail ~]# iptables -t filter -A INPUT -j chen #把经过INPUT链的数据引入到chen这个链上
-
-
[root@mail ~]# iptables -L --line-numbers
-
-
Chain INPUT (policy ACCEPT)
-
num target prot opt source destination
-
1 chen all -- anywhere anywhere #INPUT链的target变为chen了
-
-
Chain FORWARD (policy ACCEPT)
-
num target prot opt source destination
-
-
Chain OUTPUT (policy ACCEPT)
-
num target prot opt source destination
-
-
Chain chen (1 references) #可以看到多了一个链,下面的策略也存在
-
num target prot opt source destination
-
-
1 REJECT tcp -- 192.169.1.99 anywhere tcp dpt:http reject-with icmp-port-unreachable
-
[root@mail ~]#
-
[root@mail ~]# service iptables save
-
-
iptables:将防火墙规则保存到 /etc/sysconfig/iptables: [确定]
-
-
[root@mail ~]# vim /etc/sysconfig/iptables
-
-
-
# Generated by iptables-save v1.4.7 on Wed Aug 15 18:11:28 2012
-
*filter
-
:INPUT ACCEPT [1:125]
-
:FORWARD ACCEPT [0:0]
-
:OUTPUT ACCEPT [1:71]
-
:chen - [0:0]
-
-A INPUT -j chen
-
-A chen -s 192.169.1.99/32 -p tcp -m tcp --dport 80 -j REJECT --reject-with icmp-port-unreachable
-
COMMIT
-
# Completed on Wed Aug 15 18:11:28 2012
-
-
-
[root@mail ~]# iptables -X chen #删除chen这条链
-
-
iptables: Too many links.
-
-
[root@mail ~]# iptables -F #自定义链被INPUT链的-j chen引用(上面显示1 references),且链中还有策略,所以删不掉;需要先清空策略并去掉引用。注意不带链名的-F会清空filter表所有链的策略,这里INPUT链的策略也一起被清掉了,只想清某一条链可以用iptables -F 链名
-
-
[root@mail ~]# iptables -X chen
-
[root@mail ~]# iptables -L
-
Chain INPUT (policy ACCEPT)
-
target prot opt source destination
-
-
Chain FORWARD (policy ACCEPT)
-
target prot opt source destination
-
-
Chain OUTPUT (policy ACCEPT)
-
target prot opt source destination
-
[root@mail ~]#