转载:http://blog.sina.com.cn/s/blog_4c197d4201017rgl.html
[root@mysql101 ~]# iptables -L
Chain INPUT (policy ACCEPT)
target
RH-Firewall-1-INPUT
Chain FORWARD (policy ACCEPT)
target
RH-Firewall-1-INPUT
Chain OUTPUT (policy ACCEPT)
target
Chain RH-Firewall-1-INPUT (2 references)
target
ACCEPT
ACCEPT
ACCEPT
ACCEPT
ACCEPT
ACCEPT
ACCEPT
ACCEPT
ACCEPT
ACCEPT
ACCEPT
REJECT
[root@mysql101 ~]# cat /etc/sysconfig/iptables
# Generated by iptables-save v1.3.5 on Thu Jul 12 15:54:52 2012
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [91:8616]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp -m icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -p esp -j ACCEPT
-A RH-Firewall-1-INPUT -p ah -j ACCEPT
-A RH-Firewall-1-INPUT -d 224.0.0.251 -p udp -m udp --dport 5353 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 21 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
# Completed on Thu Jul 12 15:54:52 2012
[root@mysql101 ~]# iptables -A INPUT -s 192.168.2.66 -p tcp -m tcp --dport 3306 -j ACCEPT
[root@mysql101 ~]# service iptables save
Saving firewall rules to /etc/sysconfig/iptables: [
[root@mysql101 ~]# /etc/init.d/iptables restart
Flushing firewall rules: [
Setting chains to policy ACCEPT: filter [
Unloading iptables modules: [
Applying iptables firewall rules: [
Loading additional iptables modules: ip_conntrack_netbios_ns [
发现mysql远程还是不能访问...
[root@mysql101 ~]# iptables -L
Chain INPUT (policy ACCEPT)
target
RH-Firewall-1-INPUT
ACCEPT
Chain FORWARD (policy ACCEPT)
target
RH-Firewall-1-INPUT
Chain OUTPUT (policy ACCEPT)
target
Chain RH-Firewall-1-INPUT (2 references)
target
ACCEPT
ACCEPT
ACCEPT
ACCEPT
ACCEPT
ACCEPT
ACCEPT
ACCEPT
ACCEPT
ACCEPT
ACCEPT
REJECT
[root@localhost sysconfig]# cat /etc/sysconfig/iptables
# Generated by iptables-save v1.3.5 on Thu Jul 12 02:41:58 2012
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [95:9540]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A INPUT -s 192.168.2.66 -p tcp -m tcp --dport 3306 -j ACCEPT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp -m icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -p esp -j ACCEPT
-A RH-Firewall-1-INPUT -p ah -j ACCEPT
-A RH-Firewall-1-INPUT -d 224.0.0.251 -p udp -m udp --dport 5353 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 21 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
# Completed on Thu Jul 12 02:41:58 2012
**************************************************************************************************
删除刚加入的那条对66的accept...重来...
**************************************************************************************************
[root@mysql101 ~]# iptables -I INPUT -s 192.168.2.66 -p tcp -m tcp --dport 3306 -j ACCEPT
[root@mysql101 ~]# service iptables save
Saving firewall rules to /etc/sysconfig/iptables: [
[root@mysql101 ~]# /etc/init.d/iptables restart
Flushing firewall rules: [
Setting chains to policy ACCEPT: filter [
Unloading iptables modules: [
Applying iptables firewall rules: [
Loading additional iptables modules: ip_conntrack_netbios_ns [
发现mysql远程可以访问了...
[root@mysql101 ~]# iptables -L
Chain INPUT (policy ACCEPT)
target
ACCEPT
RH-Firewall-1-INPUT
Chain FORWARD (policy ACCEPT)
target
RH-Firewall-1-INPUT
Chain OUTPUT (policy ACCEPT)
target
Chain RH-Firewall-1-INPUT (2 references)
target
ACCEPT
ACCEPT
ACCEPT
ACCEPT
ACCEPT
ACCEPT
ACCEPT
ACCEPT
ACCEPT
ACCEPT
ACCEPT
REJECT
[root@mysql101 ~]# cat /etc/sysconfig/iptables
# Generated by iptables-save v1.3.5 on Thu Jul 12 17:03:31 2012
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [121:11860]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -s 192.168.2.66 -p tcp -m tcp --dport 3306 -j ACCEPT
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp -m icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -p esp -j ACCEPT
-A RH-Firewall-1-INPUT -p ah -j ACCEPT
-A RH-Firewall-1-INPUT -d 224.0.0.251 -p udp -m udp --dport 5353 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 21 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
# Completed on Thu Jul 12 17:03:31 2012
原因:
-A 在当前规则链的末尾追加,也就是排在 `-A INPUT -j RH-Firewall-1-INPUT` 之后;而 RH-Firewall-1-INPUT 链的最后一条是 REJECT,3306 的包在跳转进去时就已经被拒绝,根本走不到后面新加的 ACCEPT。
-I 作为第一条规则插入,所以会先于跳转规则被匹配到。
iptables执行规则时,是从规则表中自上而下顺序匹配的,第一条匹配到的规则(ACCEPT/DROP/REJECT)即决定结果。
参考资料:http://linux.chinaunix.net/techdoc/net/2009/02/11/1061724.shtml
一个很直观的例子说明iptables自上而下的执行顺序(以下只是iptables规则的部分截取)。
情况一:
-A INPUT -s 192.168.2.66 -p tcp -m tcp --dport 3306 -j ACCEPT
-A INPUT -s 192.168.1.145 -p tcp -m tcp --dport 3306 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 3306 -j DROP
上面这种写法的时候,是66和145都能访问的。
情况二:
-A INPUT -s 192.168.2.66 -p tcp -m tcp --dport 3306 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 3306 -j DROP
-A INPUT -s 192.168.1.145 -p tcp -m tcp --dport 3306 -j ACCEPT
上面这种写法的时候,只有66能访问的。
情况三:
-A INPUT -p tcp -m tcp --dport 3306 -j DROP
-A INPUT -s 192.168.2.66 -p tcp -m tcp --dport 3306 -j ACCEPT
-A INPUT -s 192.168.1.145 -p tcp -m tcp --dport 3306 -j ACCEPT
上面这种写法的时候,是66和145都不能访问的。
**************************************************************************************************
其实可以选择iptables -F -> service iptables save -> /etc/init.d/iptables restart...
然后再执行iptables -A等等...这样就没有刚才的问题了,因为iptables -F会清空所有现有的规则。但是,这是有风险的:三条链的默认策略都是 ACCEPT,-F 之后再 save 会把一个空规则集持久化,在重新加回规则之前主机对所有流量都是放开的,原来 RH-Firewall-1-INPUT 里的那些规则也一并丢掉了...
so,还不如...vi /etc/sysconfig/iptables -> 添加自定义规则(注意要放在 `-A INPUT -j RH-Firewall-1-INPUT` 之前) -> /etc/init.d/iptables restart...
参考资料:
http://www.linuxeden.com/html/softuse/20100607/103309.html