Linux Study (28): iptables (2): iptables rule syntax

Viewing iptables rules:

[root@ruanwenwu-0002 ~]# iptables -nvL
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
 1786  140K ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0           
    0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0           
    1    64 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:22
  122 10168 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT 1513 packets, 135K bytes)
 pkts bytes target     prot opt in     out     source               destination    

In this command we did not specify a table name, so it displays the rules of the filter table. We have not written any rules yet, so what it shows are the default rules. The default rules can be seen in /etc/sysconfig/iptables.

vim /etc/sysconfig/iptables:

# sample configuration for iptables service
# you can edit this manually or use system-config-firewall
# please do not ask us to add additional ports/services to this default configuration
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT

Specifying a table:

[root@ruanwenwu-0002 ~]# iptables -t nat -nvL
Chain PREROUTING (policy ACCEPT 49 packets, 4222 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain INPUT (policy ACCEPT 1 packets, 64 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy ACCEPT 1 packets, 71 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain POSTROUTING (policy ACCEPT 1 packets, 71 bytes)
 pkts bytes target     prot opt in     out     source               destination       

Flushing the rules:

[root@ruanwenwu-0002 ~]# iptables -F
[root@ruanwenwu-0002 ~]# iptables -nvL
Chain INPUT (policy ACCEPT 43 packets, 3132 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy ACCEPT 29 packets, 2516 bytes)
 pkts bytes target     prot opt in     out     source               destination         

After flushing the rules, if you do not save, the original rules are restored after a restart.

Saving:

[root@ruanwenwu-0002 ~]# service iptables save
iptables: Saving firewall rules to /etc/sysconfig/iptables:[  确定  ]
[root@ruanwenwu-0002 ~]# vim /etc/sysconfig/iptables

Restarting the service:

[root@ruanwenwu-0002 ~]# service iptables restart
Redirecting to /bin/systemctl restart  iptables.service

Resetting the counters to zero:

[root@iZ25lzba47vZ ~]# iptables -nvL
Chain INPUT (policy ACCEPT 18M packets, 2965M bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy ACCEPT 15M packets, 5501M bytes)
 pkts bytes target     prot opt in     out     source               destination         
[root@iZ25lzba47vZ ~]# iptables -Z
[root@iZ25lzba47vZ ~]# iptables -nvL
Chain INPUT (policy ACCEPT 49 packets, 2984 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy ACCEPT 33 packets, 2456 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Adding a rule:

# --dport is only valid after a protocol match (-p tcp), and the target needs -j
iptables -A INPUT -s 110.229.26.253 -p tcp --dport 80 -j REJECT

This rule means: reject requests entering the INPUT chain from IP 110.229.26.253 to port 80. In short, this IP is not allowed to access our port 80.

Deleting the rule above:

# -D must repeat the rule exactly as it was added
iptables -D INPUT -s 110.229.26.253 -p tcp --dport 80 -j REJECT

Besides deleting this way, there is another method:

First get the rule's line number:

[root@iZ25lzba47vZ ~]# iptables -nvL --line-numbers
Chain INPUT (policy ACCEPT 2462 packets, 554K bytes)
num   pkts bytes target     prot opt in     out     source               destination         
1      277 22324 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            multiport dports 20,21,80

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy ACCEPT 2457 packets, 562K bytes)
num   pkts bytes target     prot opt in     out     source               destination     

Then delete by line number:

[root@iZ25lzba47vZ ~]# iptables -D INPUT 1
[root@iZ25lzba47vZ ~]# iptables -nvL
Chain INPUT (policy ACCEPT 48 packets, 3008 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy ACCEPT 35 packets, 3614 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Besides adding rules with -A, we can also add them with -I, which inserts the rule at the front of the chain:

[root@iZ25lzba47vZ ~]# iptables -I INPUT -p icmp --icmp-type 8 -j DROP
[root@iZ25lzba47vZ ~]# iptables -nvL
Chain INPUT (policy ACCEPT 71 packets, 4425 bytes)
 pkts bytes target     prot opt in     out     source               destination         
   74  6216 DROP       icmp --  *      *       0.0.0.0/0            0.0.0.0/0            icmptype 8

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy ACCEPT 55 packets, 11135 bytes)
 pkts bytes target     prot opt in     out     source               destination    

This rule stops other hosts from pinging your machine.

Compare ping before and after:

# before setting iptables
[root@ruanwenwu-0002 ~]# ping 101.200.168.135
PING 101.200.168.135 (101.200.168.135) 56(84) bytes of data.
64 bytes from 101.200.168.135: icmp_seq=1 ttl=128 time=16.1 ms
64 bytes from 101.200.168.135: icmp_seq=2 ttl=128 time=13.7 ms
64 bytes from 101.200.168.135: icmp_seq=3 ttl=128 time=13.2 ms
^C
--- 101.200.168.135 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2004ms
rtt min/avg/max/mdev = 13.252/14.370/16.135/1.262 ms
# after setting
[root@ruanwenwu-0002 ~]# ping 101.200.168.135
PING 101.200.168.135 (101.200.168.135) 56(84) bytes of data.

Setting a chain's default policy:

[root@iZ25lzba47vZ ~]# iptables -P INPUT ACCEPT
[root@iZ25lzba47vZ ~]# iptables -nvL
Chain INPUT (policy ACCEPT 45 packets, 2732 bytes)
 pkts bytes target     prot opt in     out     source               destination         
  212 17808 DROP       icmp --  *      *       0.0.0.0/0            0.0.0.0/0            icmptype 8

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy ACCEPT 31 packets, 3454 bytes)
 pkts bytes target     prot opt in     out     source               destination   
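The post deletes rules by the number from `iptables -nvL --line-numbers` and sets chain policies with `-P`. The following is an added example, not code from the post: a small Python parser for that listing format (run offline on a constructed sample) that builds the `-D <chain> <num>` commands in the right order and flags chains whose policy is ACCEPT without a closing DROP/REJECT rule. The sample listing is constructed to mirror the post's output; the function names are mine.

```python
import re

# Constructed sample in the format of `iptables -nvL --line-numbers`, modelled on the post's listings.
SAMPLE = """\
Chain INPUT (policy ACCEPT 2462 packets, 554K bytes)
num   pkts bytes target     prot opt in     out     source               destination
1      277 22324 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            multiport dports 20,21,80
2       74  6216 DROP       icmp --  *      *       0.0.0.0/0            0.0.0.0/0            icmptype 8
3      122 10168 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination
"""

CHAIN_RE = re.compile(r"^Chain (\S+) \(policy (\S+) (\S+) packets, (\S+) bytes\)$")
MULT = {"K": 10**3, "M": 10**6, "G": 10**9}  # -v abbreviates counters ('554K'); -x prints exact values
FIELDS = ("num", "pkts", "bytes", "target", "prot", "opt", "in", "out", "src", "dst", "extra")

def counter(s):
    return int(s[:-1]) * MULT[s[-1]] if s[-1] in MULT else int(s)

def parse_listing(text):
    """{chain: {"policy": str, "rules": [dict]}}; assumes every rule has a target (a rule added without -j shifts the columns)."""
    chains, cur = {}, None
    for line in text.splitlines():
        m = CHAIN_RE.match(line)
        if m:
            cur = chains.setdefault(m.group(1), {"policy": m.group(2), "rules": []})
        elif cur and line.strip() and not line.startswith("num "):
            r = dict(zip(FIELDS, line.split(None, 10) + [""]))  # pad when there is no match-extension text
            r.update(num=int(r["num"]), pkts=counter(r["pkts"]), bytes=counter(r["bytes"]),
                     extra=r["extra"].strip())
            cur["rules"].append(r)
    return chains

def delete_cmds(chains, chain, **match):
    """`iptables -D <chain> <num>` for rules whose fields equal **match; rules are renumbered after each deletion, so highest first."""
    hits = [r["num"] for r in chains[chain]["rules"] if all(r[k] == v for k, v in match.items())]
    return [f"iptables -D {chain} {n}" for n in sorted(hits, reverse=True)]

def open_chains(chains):
    """Chains that ACCEPT by policy and have no final DROP/REJECT catch-all (prot all, any source)."""
    out = []
    for name, c in chains.items():
        last = c["rules"][-1] if c["rules"] else None
        closed = bool(last) and last["target"] in ("DROP", "REJECT") and last["prot"] == "all" and last["src"] == "0.0.0.0/0"
        if c["policy"] == "ACCEPT" and not closed:
            out.append(name)
    return out
```

On the sample, `open_chains` reports FORWARD, which matches the post's own warning: after `iptables -F` the policy alone decides what passes.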

 

Reprinted from: https://www.cnblogs.com/doubilaile/p/8097726.html
