iptables

-A, --append chain rule-specification

              Append one or more rules to the end of the selected chain.  When the source and/or destination names resolve to more  than  one  address,  a

              rule will be added for each possible address combination.

给指定的链（chain）增加一条规则，

iptables -t nat -A PREROUTING -d 10.7.9.176/20 -j DNAT --to-destination 54.165.94.3

给nat表（table）的PREROUTING链增加一条DNAT规则

       -C, --check chain rule-specification

              Check  whether a rule matching the specification does exist in the selected chain. This command uses the same logic as -D to find a matching

              entry, but does not alter the existing iptables configuration and uses its exit code to indicate success or failure.

       -D, --delete chain rule-specification

       -D, --delete chain rulenum

              Delete one or more rules from the selected chain.  There are two versions of this command: the rule can be specified  as  a  number  in  the

              chain (starting at 1 for the first rule) or a rule to match.

从指定的链删除规则，

iptables -D INPUT 3

INPUT是指定的链，3是规则的排序，可以通过iptables  -L --line-number查看

       -I, --insert chain [rulenum] rule-specification

              Insert one or more rules in the selected chain as the given rule number.  So, if the rule number is 1, the rule or rules are inserted at the

              head of the chain.  This is also the default if no rule number is specified.

       -R, --replace chain rulenum rule-specification

              Replace a rule in the selected chain.  If the source and/or destination names resolve to multiple addresses, the command will  fail.   Rules

              are numbered starting at 1.

       -L, --list [chain]

              List  all rules in the selected chain.  If no chain is selected, all chains are listed. Like every other iptables command, it applies to the

              specified table (filter is the default), so NAT rules get listed by

               iptables -t nat -n -L

              Please note that it is often used with the -n option, in order to avoid long reverse DNS lookups.  It is legal  to  specify  the  -Z  (zero)

              option as well, in which case the chain(s) will be atomically listed and zeroed.  The exact output is affected by the other arguments given.

              The exact rules are suppressed until you use

               iptables -L -v

查看规则，如果不加 -t参数，就默认是查看filter表，如果 -t nat，就是查看nat表

iptables -t nat  -L, -v可以展示更多信息

       -S, --list-rules [chain]

              Print all rules in the selected chain.  If no chain is selected, all chains are printed like iptables-save. Like every other  iptables  com‐

              mand, it applies to the specified table (filter is the default).

查看指定链的所有规则，也可以-t指定表

iptables -S SIPDOS

查看filter表（默认）里SIPDOS链的所有规则

       -F, --flush [chain]

              Flush the selected chain (all the chains in the table if none is given).  This is equivalent to deleting all the rules one by one.

清空指定链的规则，

iptables -F SIPDOS

清除SIPDOS链的所有规则

       -Z, --zero [chain [rulenum]]

              Zero  the packet and byte counters in all chains, or only the given chain, or only the given rule in a chain. It is legal to specify the -L,

              --list (list) option as well, to see the counters immediately before they are cleared. (See above.)

       -N, --new-chain chain

              Create a new user-defined chain by the given name.  There must be no target of that name already.

新增一个链

iptables -N SIPDOS

在filter表（默认）中自己一个SIPDOS链

       -X, --delete-chain [chain]

              Delete the optional user-defined chain specified.  There must be no references to the chain.  If there are, you must delete or  replace  the

              referring  rules  before  the  chain can be deleted.  The chain must be empty, i.e. not contain any rules.  If no argument is given, it will

              attempt to delete every non-builtin chain in the table.

删除一个用户定义的链

iptables -X SIPDOS

删除链SIPDOS，好像链里不能有规则才能删