I. Mapping between chains and tables

| | PREROUTING | INPUT | FORWARD | OUTPUT | POSTROUTING |
|---|---|---|---|---|---|
| raw | ✔ | | | ✔ | |
| mangle | ✔ | ✔ | ✔ | ✔ | ✔ |
| nat | ✔ | ✔ | | ✔ | ✔ |
| filter | | ✔ | ✔ | ✔ | |

The rows are in the order the tables are consulted at a hook: raw first, then mangle, then nat and filter (on OUTPUT the nat chain runs before filter, on INPUT after it). The nat table's INPUT chain exists on kernels 2.6.34 and later. Each table holds its own copy of every chain it supports: the raw table's PREROUTING chain and the raw table's OUTPUT chain are different chains with separate rule lists, and the raw table's PREROUTING chain is likewise a different chain from the nat table's PREROUTING chain. When listing or editing rules, always name the table with `-t`; if you omit it, iptables silently works on `filter`.
II. Basic commands

iptables [-t table] command chain rule-specification
rule-specification = [matches...] [target]
match = -m matchname [per-match-options]
target = -j targetname [per-target-options]

The table is selected with `-t` (default `filter`); the command says what to do (`-A` append, `-I` insert, `-D` delete, `-L` list, ...), followed by the chain and the rule specification.

Key points about rules:
A rule consists of one or more match conditions and a target.
Rules in a chain are evaluated from top to bottom. The first rule whose conditions all match decides: its target (ACCEPT, DROP, REJECT, a user-defined chain, ...) is applied and evaluation of the chain stops. The exception is a non-terminating target such as LOG, after which the packet continues to the next rule.
If a rule does not match, the next rule is evaluated.
If no rule in a built-in chain matches, the chain's policy (shown as `policy ACCEPT` or `policy DROP` in `-L` output) decides; a user-defined chain returns to the chain that called it.
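As an added example (not from the original page), the following POSIX shell script uses exactly this `[-m match ...] -j target` grammar to build a small stateful INPUT policy in which rule order, non-terminating targets and the chain policy all matter. It assumes `iptables` is in PATH and the script runs as root; the `DRY_RUN=1` switch, the function names and the SSH port argument are choices made for this example, not anything the page describes.

```shell
#!/bin/sh
# Added example: a minimal, idempotent INPUT policy written in the
# "[-m match ...] -j target" grammar. Assumes iptables in PATH and root;
# DRY_RUN=1 prints the commands instead of running them.
: "${DRY_RUN:=0}"

# run_ipt: execute one iptables command, or print it in dry-run mode.
run_ipt() {
    if [ "$DRY_RUN" = 1 ]; then
        echo "iptables $*"
    else
        iptables "$@"
    fi
}

# ensure_rule TABLE CHAIN RULE...: append RULE only if it is not already
# there. `iptables -C` exits 0 when an identical rule exists, so running
# the script twice does not duplicate rules.
ensure_rule() {
    table=$1; chain=$2; shift 2
    if [ "$DRY_RUN" = 1 ] || ! iptables -t "$table" -C "$chain" "$@" 2>/dev/null; then
        run_ipt -t "$table" -A "$chain" "$@"
    fi
}

# apply_input_policy [SSH_PORT]: rules are evaluated top to bottom and the
# first match decides, so order matters: loopback and established traffic
# first, then the explicit allows, then log-and-drop. A packet matching
# nothing falls through to the chain policy.
apply_input_policy() {
    ssh_port=${1:-22}
    ensure_rule filter INPUT -i lo -j ACCEPT
    ensure_rule filter INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
    ensure_rule filter INPUT -m conntrack --ctstate INVALID -j DROP
    ensure_rule filter INPUT -p tcp -m tcp --dport "$ssh_port" -m conntrack --ctstate NEW -j ACCEPT
    ensure_rule filter INPUT -p icmp -m icmp --icmp-type echo-request -m limit --limit 5/second -j ACCEPT
    # LOG is a non-terminating target: the packet continues to the next rule.
    ensure_rule filter INPUT -m limit --limit 3/minute -j LOG --log-prefix "INPUT-DROP: " --log-level 4
    ensure_rule filter INPUT -j DROP
    # Set the default policy last, so an existing SSH session is not cut
    # off between the policy change and the rules that allow it.
    run_ipt -t filter -P INPUT DROP
}

# Usage: ./input_policy.sh --apply [PORT]   or   ./input_policy.sh --dry-run [PORT]
case "${1:-}" in
    --apply)   apply_input_policy "${2:-22}" ;;
    --dry-run) DRY_RUN=1; apply_input_policy "${2:-22}" ;;
esac
```

Because `ensure_rule` only adds, re-running the script with a different SSH port leaves the old port rule in place; remove it with `-D` (see section 7) before applying the new one.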
1. List the rules in the filter table for all chains

iptables -L
iptables -L -t filter

Options relevant to listing:
-t : the table to show (default: filter)
-n : numeric output; do not resolve IP addresses to hostnames or ports to service names (this also avoids slow or hanging DNS lookups)
-v : verbose; adds per-rule packet and byte counters and the input/output interfaces
-L : list the rules of the given table, optionally of one chain only
-S : print the rules as iptables commands (the same form iptables-save uses), which is easier to diff or replay than -L output
--line-numbers : prefix each rule with its position in the chain, the number that -D and -I take

In practice the three are usually combined as `iptables -nvL`.
2. List the rules in the nat table for all chains

iptables -L -t nat

The output below comes from a host running firewalld (the `*_direct` and `*_ZONES*` chains are firewalld's) and libvirt (the MASQUERADE rules for 192.168.122.0/24 belong to its default NAT network). On such a host, rules you add by hand with iptables are not managed by firewalld and may be lost when it reloads.
```
[root@master02 ~]# iptables -L -t nat
Chain PREROUTING (policy ACCEPT)
target prot opt source destination
PREROUTING_direct all -- anywhere anywhere
PREROUTING_ZONES_SOURCE all -- anywhere anywhere
PREROUTING_ZONES all -- anywhere anywhere
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
OUTPUT_direct all -- anywhere anywhere
Chain POSTROUTING (policy ACCEPT)
target prot opt source destination
RETURN all -- 192.168.122.0/24 base-address.mcast.net/24
RETURN all -- 192.168.122.0/24 255.255.255.255
MASQUERADE tcp -- 192.168.122.0/24 !192.168.122.0/24 masq ports: 1024-65535
MASQUERADE udp -- 192.168.122.0/24 !192.168.122.0/24 masq ports: 1024-65535
MASQUERADE all -- 192.168.122.0/24 !192.168.122.0/24
POSTROUTING_direct all -- anywhere anywhere
POSTROUTING_ZONES_SOURCE all -- anywhere anywhere
POSTROUTING_ZONES all -- anywhere anywhere
Chain OUTPUT_direct (1 references)
target prot opt source destination
Chain POSTROUTING_ZONES (1 references)
target prot opt source destination
POST_public all -- anywhere anywhere [goto]
POST_public all -- anywhere anywhere [goto]
Chain POSTROUTING_ZONES_SOURCE (1 references)
target prot opt source destination
Chain POSTROUTING_direct (1 references)
target prot opt source destination
Chain POST_public (2 references)
target prot opt source destination
POST_public_log all -- anywhere anywhere
POST_public_deny all -- anywhere anywhere
POST_public_allow all -- anywhere anywhere
Chain POST_public_allow (1 references)
target prot opt source destination
Chain POST_public_deny (1 references)
target prot opt source destination
Chain POST_public_log (1 references)
target prot opt source destination
Chain PREROUTING_ZONES (1 references)
target prot opt source destination
PRE_public all -- anywhere anywhere [goto]
PRE_public all -- anywhere anywhere [goto]
Chain PREROUTING_ZONES_SOURCE (1 references)
target prot opt source destination
Chain PREROUTING_direct (1 references)
target prot opt source destination
Chain PRE_public (2 references)
target prot opt source destination
PRE_public_log all -- anywhere anywhere
PRE_public_deny all -- anywhere anywhere
PRE_public_allow all -- anywhere anywhere
Chain PRE_public_allow (1 references)
target prot opt source destination
Chain PRE_public_deny (1 references)
target prot opt source destination
Chain PRE_public_log (1 references)
target prot opt source destination
[root@master02 ~]#
```
3. List the rules of one chain (INPUT) in a given table

iptables -L INPUT -t filter

4. Numeric output: show addresses and ports as numbers (-n)

iptables -L INPUT -t filter -n

Compare the two listings below. With -n, ports 53 and 67 appear as numbers and any-address as 0.0.0.0/0; without it, iptables resolves them to the service names domain and bootps from /etc/services and prints `anywhere`.
```
[root@master02 ~]# iptables -L INPUT -t filter -n
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:53
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:53
ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:67
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:67
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
INPUT_direct all -- 0.0.0.0/0 0.0.0.0/0
INPUT_ZONES_SOURCE all -- 0.0.0.0/0 0.0.0.0/0
INPUT_ZONES all -- 0.0.0.0/0 0.0.0.0/0
DROP all -- 0.0.0.0/0 0.0.0.0/0 ctstate INVALID
REJECT all -- 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited
[root@master02 ~]# iptables -L INPUT -t filter
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT udp -- anywhere anywhere udp dpt:domain
ACCEPT tcp -- anywhere anywhere tcp dpt:domain
ACCEPT udp -- anywhere anywhere udp dpt:bootps
ACCEPT tcp -- anywhere anywhere tcp dpt:bootps
ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED
ACCEPT all -- anywhere anywhere
INPUT_direct all -- anywhere anywhere
INPUT_ZONES_SOURCE all -- anywhere anywhere
INPUT_ZONES all -- anywhere anywhere
DROP all -- anywhere anywhere ctstate INVALID
REJECT all -- anywhere anywhere reject-with icmp-host-prohibited
[root@master02 ~]#
```
5. Show each rule's position in its chain: --line-numbers adds the rule number at the start of the line
```
[root@master02 ~]# iptables -L INPUT -t filter --line-numbers
Chain INPUT (policy ACCEPT)
num target prot opt source destination
1 ACCEPT udp -- anywhere anywhere udp dpt:domain
2 ACCEPT tcp -- anywhere anywhere tcp dpt:domain
3 ACCEPT udp -- anywhere anywhere udp dpt:bootps
4 ACCEPT tcp -- anywhere anywhere tcp dpt:bootps
5 ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED
6 ACCEPT all -- anywhere anywhere
7 INPUT_direct all -- anywhere anywhere
8 INPUT_ZONES_SOURCE all -- anywhere anywhere
9 INPUT_ZONES all -- anywhere anywhere
10 DROP all -- anywhere anywhere ctstate INVALID
11 REJECT all -- anywhere anywhere reject-with icmp-host-prohibited
[root@master02 ~]#
```
6. Delete a rule from a chain by its number

# Find the rule's num with --line-numbers, then delete it by that number
iptables [-t table] -D chain rulenum

Rules are renumbered after every deletion: deleting rule 3 turns rule 4 into the new rule 3. When deleting several rules by number, re-list the chain after each deletion or delete from the highest number down. Give the same -t that you used to list the chain; otherwise -D works on the filter table.

7. Delete a rule from a chain by its specification

iptables -D INPUT -s 192.168.1.5 -j DROP

The specification must match the rule exactly as it was added (same table, same match modules and options); if nothing matches, iptables reports `Bad rule (does a matching rule exist in that chain?)`. Only the first identical rule is removed, so a rule that was appended twice needs two -D calls; `iptables -C INPUT -s 192.168.1.5 -j DROP` tests whether a matching rule still exists. Deletions take effect immediately and, like all iptables changes, are lost on reboot unless saved (for example with iptables-save).
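As an added example (not from the page), the script below handles the two deletion pitfalls from sections 6 and 7: rule numbers shift after every `-D`, so several numbered deletions must run highest number first, and `-D` with a specification removes only the first identical rule, so duplicates need a `-C` loop. The listing in `sample_listing` is constructed from this page's INPUT chain so the parsing part runs offline; the function names and the `DRY_RUN` switch are choices of this example.

```shell
#!/bin/sh
# Added example: deleting iptables rules safely. Assumes iptables in PATH
# and root for the live functions; the parsing functions run offline.
: "${DRY_RUN:=0}"

# sample_listing: constructed output of
# `iptables -t filter -L INPUT -n --line-numbers`, modelled on the INPUT
# chain shown earlier on this page, so the parser can be tried offline.
sample_listing() {
    cat <<'EOF'
Chain INPUT (policy ACCEPT)
num  target     prot opt source               destination
1    ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0            udp dpt:53
2    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:53
3    ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0            udp dpt:67
4    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:67
5    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
6    DROP       all  --  0.0.0.0/0            0.0.0.0/0            ctstate INVALID
7    REJECT     all  --  0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited
EOF
}

# matching_rule_numbers PATTERN: read a --line-numbers listing on stdin and
# print the numbers of rules matching the extended regex PATTERN, highest
# first. Deleting rule N renumbers every rule after it, so deleting in
# descending order keeps the remaining numbers valid.
matching_rule_numbers() {
    awk -v pat="$1" '$1 ~ /^[0-9]+$/ && $0 ~ pat { print $1 }' | sort -rn
}

# plan_deletions TABLE CHAIN PATTERN: turn a listing on stdin into the
# exact delete commands, one per line, in safe order.
plan_deletions() {
    matching_rule_numbers "$3" | while read -r n; do
        echo "iptables -t $1 -D $2 $n"
    done
}

# delete_by_number TABLE CHAIN PATTERN: live version; plan from the current
# listing, then run (or, with DRY_RUN=1, print) each command.
delete_by_number() {
    iptables -t "$1" -L "$2" -n --line-numbers | plan_deletions "$1" "$2" "$3" |
    while read -r cmd; do
        if [ "$DRY_RUN" = 1 ]; then echo "$cmd"; else $cmd; fi
    done
}

# delete_by_spec TABLE CHAIN RULE...: `-D` with a specification removes only
# the first identical rule, so loop while `-C` still finds one. The spec
# must match the rule exactly as it was added, including table and match
# modules.
delete_by_spec() {
    table=$1; chain=$2; shift 2
    while iptables -t "$table" -C "$chain" "$@" 2>/dev/null; do
        iptables -t "$table" -D "$chain" "$@"
    done
}

# Usage (as root):
#   DRY_RUN=1 ./del_rules.sh by-number filter INPUT 'dpt:67'
#   ./del_rules.sh by-spec filter INPUT -s 192.168.1.5 -j DROP
case "${1:-}" in
    by-number) delete_by_number "$2" "$3" "$4" ;;
    by-spec)   shift; delete_by_spec "$@" ;;
esac
```

Run `by-number` with `DRY_RUN=1` first and read the planned commands: the pattern is matched against the whole listing line, so a loose pattern such as `ACCEPT` would select every accept rule in the chain.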