-A, --append chain rule-specification
Append one or more rules to the end of the selected chain. When the source and/or destination names resolve to more than one address, a
rule will be added for each possible address combination.
Append a rule to the specified chain, for example:
iptables -t nat -A PREROUTING -d 10.7.9.176/20 -j DNAT --to-destination 54.165.94.3
This adds a DNAT rule to the PREROUTING chain of the nat table.
-C, --check chain rule-specification
Check whether a rule matching the specification does exist in the selected chain. This command uses the same logic as -D to find a matching
entry, but does not alter the existing iptables configuration and uses its exit code to indicate success or failure.
-D, --delete chain rule-specification
-D, --delete chain rulenum
Delete one or more rules from the selected chain. There are two versions of this command: the rule can be specified as a number in the
chain (starting at 1 for the first rule) or a rule to match.
Delete a rule from the specified chain, for example:
iptables -D INPUT 3
INPUT is the chain and 3 is the rule's position in it; positions can be shown with iptables -L --line-number (the full option name is --line-numbers). Note that after a rule is deleted, the rules below it move up one position.
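The following is an added shell example, not part of the original notes: it shows how to turn "iptables -L CHAIN -n --line-numbers" output into the rule numbers that "iptables -D CHAIN rulenum" needs, and why several deletions by number should be issued highest-number first (each -D renumbers the rules below it). The listing is constructed sample output, not captured from a real host; the function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the page): map a rule's source or target to its
# position in a chain so it can be removed with "iptables -D CHAIN rulenum".
# SAMPLE_LISTING is constructed text in the shape of
# "iptables -L INPUT -n --line-numbers" output.
SAMPLE_LISTING='Chain INPUT (policy ACCEPT)
num  target     prot opt source               destination
1    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
2    DROP       all  --  198.51.100.0/24      0.0.0.0/0
3    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:22
4    DROP       all  --  203.0.113.7          0.0.0.0/0'

# Print the number of the first rule whose source column equals $2.
# Columns after the two header lines: num target prot opt source destination [match details]
rule_number_for_source() {
    printf '%s\n' "$1" | awk -v src="$2" 'NR > 2 && $5 == src { print $1; exit }'
}

# Print the numbers of every rule whose target is $2, highest first.
# Rule numbers shift down after each -D, so deleting in descending order
# keeps the numbers that are still to be deleted valid.
rule_numbers_for_target_desc() {
    printf '%s\n' "$1" | awk -v tgt="$2" 'NR > 2 && $2 == tgt { print $1 }' | sort -rn
}

# Emit (do not execute) the -D commands for every rule with target $2 in chain $3.
delete_commands_for_target() {
    for n in $(rule_numbers_for_target_desc "$1" "$2"); do
        printf 'iptables -D %s %s\n' "$3" "$n"
    done
}
```

Feeding real output from "iptables -L INPUT -n --line-numbers" in place of SAMPLE_LISTING makes the same functions usable on a live host; -n keeps the source column as addresses rather than resolved names, which is what the awk comparison expects.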
-I, --insert chain [rulenum] rule-specification
Insert one or more rules in the selected chain as the given rule number. So, if the rule number is 1, the rule or rules are inserted at the
head of the chain. This is also the default if no rule number is specified.
-R, --replace chain rulenum rule-specification
Replace a rule in the selected chain. If the source and/or destination names resolve to multiple addresses, the command will fail. Rules
are numbered starting at 1.
-L, --list [chain]
List all rules in the selected chain. If no chain is selected, all chains are listed. Like every other iptables command, it applies to the
specified table (filter is the default), so NAT rules get listed by
iptables -t nat -n -L
Please note that it is often used with the -n option, in order to avoid long reverse DNS lookups. It is legal to specify the -Z (zero)
option as well, in which case the chain(s) will be atomically listed and zeroed. The exact output is affected by the other arguments given.
The exact rules are suppressed until you use
iptables -L -v
List rules. Without -t the filter table is shown by default; with -t nat the nat table is shown:
iptables -t nat -L (adding -v shows more information, such as packet and byte counters)
-S, --list-rules [chain]
Print all rules in the selected chain. If no chain is selected, all chains are printed like iptables-save. Like every other iptables command, it applies to the specified table (filter is the default).
Print all rules of the specified chain; -t can also select the table, for example:
iptables -S SIPDOS
This prints all rules of the SIPDOS chain in the filter table (the default).
-F, --flush [chain]
Flush the selected chain (all the chains in the table if none is given). This is equivalent to deleting all the rules one by one.
Flush the rules of the specified chain, for example:
iptables -F SIPDOS
This removes all rules from the SIPDOS chain.
-Z, --zero [chain [rulenum]]
Zero the packet and byte counters in all chains, or only the given chain, or only the given rule in a chain. It is legal to specify the -L,
--list (list) option as well, to see the counters immediately before they are cleared. (See above.)
-N, --new-chain chain
Create a new user-defined chain by the given name. There must be no target of that name already.
Create a new chain, for example:
iptables -N SIPDOS
This creates a user-defined chain named SIPDOS in the filter table (the default).
-X, --delete-chain [chain]
Delete the optional user-defined chain specified. There must be no references to the chain. If there are, you must delete or replace the
referring rules before the chain can be deleted. The chain must be empty, i.e. not contain any rules. If no argument is given, it will
attempt to delete every non-builtin chain in the table.
Delete a user-defined chain, for example:
iptables -X SIPDOS
This deletes the chain SIPDOS; apparently the chain must contain no rules before it can be deleted.
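The following is an added shell example, not part of the original notes, that ties the -N, -C, -A, -D, -F and -X sections together into one procedure for a user-defined chain: rules are appended only after -C reports them absent (so re-running the script does not duplicate them), and teardown removes the jump that references the chain before flushing and deleting it, which is the order -X requires. The chain name SIPDOS comes from the page; the rule contents (a rate limit on UDP 5060), the DRY_RUN switch and the function names are this example's own assumptions. With DRY_RUN set, every command is printed instead of executed and -C is treated as "rule not present", so the script can be read and tested without root or a kernel firewall.

```shell
#!/bin/sh
# Added example (not from the page): create, populate and remove a user-defined
# filter chain. Assumes iptables in PATH and root privileges unless DRY_RUN is set.
IPT="${IPT:-iptables}"
CHAIN="${CHAIN:-SIPDOS}"

# Run an iptables command, or print it when DRY_RUN is set.
run() {
    if [ -n "$DRY_RUN" ]; then
        printf '%s\n' "$IPT $*"
    else
        "$IPT" "$@"
    fi
}

# -C exits 0 if a matching rule exists. In dry-run mode we report "absent"
# so that the add path below is visible.
rule_exists() {
    [ -n "$DRY_RUN" ] && return 1
    "$IPT" -C "$@" 2>/dev/null
}

# Append a rule only if -C says it is not already there (idempotent -A).
ensure_rule() {
    rule_exists "$@" || run -A "$@"
}

# Create the chain, fill it, and hook it into INPUT.
# The rule set is illustrative: allow up to 20 SIP packets per second, drop the rest.
chain_setup() {
    run -N "$CHAIN" || true   # -N fails if the chain already exists; that is fine here
    ensure_rule "$CHAIN" -p udp --dport 5060 -m limit --limit 20/second -j RETURN
    ensure_rule "$CHAIN" -p udp --dport 5060 -j DROP
    ensure_rule INPUT -j "$CHAIN"
}

# Remove the chain in the order -X requires: no references, then no rules, then delete.
chain_teardown() {
    run -D INPUT -j "$CHAIN"   # drop the rule that references the chain
    run -F "$CHAIN"            # empty the chain
    run -X "$CHAIN"            # now it can be deleted
}

case "${1:-}" in
    setup)    chain_setup ;;
    teardown) chain_teardown ;;
esac
```

Usage on a real host is "sh script.sh setup" or "sh script.sh teardown"; "DRY_RUN=1 sh script.sh teardown" prints the three commands in the required order without changing the firewall.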