Viewing the iptables rules:

[root@…0002 ~]# iptables -nvL
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
 1786  140K ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
    1    64 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:22
  122 10168 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT 1513 packets, 135K bytes)
 pkts bytes target     prot opt in     out     source               destination

No table was named in this command, so it lists the filter table (-n prints addresses and ports numerically, -v adds the packet and byte counters, -L lists). We have not written any rules yet, so what we see is the sample rule set installed with the iptables service: accept packets belonging to established or related connections, ICMP, anything on the loopback interface and new TCP connections to port 22, and reject everything else with icmp-host-prohibited; the FORWARD chain rejects everything, so the host does not route. Rules are matched top to bottom and the first match wins, which is why the REJECT line sits last. The saved copy of these rules is in /etc/sysconfig/iptables. Keep in mind that iptables -nvL shows what is loaded in the kernel right now, whereas the file holds what the iptables service loads at start; the two only agree until you change rules without saving.
vim /etc/sysconfig/iptables:
# sample configuration for iptables service
# you can edit this manually or use system-config-firewall
# please do not ask us to add additional ports/services to this default configuration
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
Specifying a table with -t (here the nat table, which has no rules yet and therefore shows only its four built-in chains):

[root@…0002 ~]# iptables -t nat -nvL
Chain PREROUTING (policy ACCEPT 49 packets, 4222 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain INPUT (policy ACCEPT 1 packets, 64 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 1 packets, 71 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain POSTROUTING (policy ACCEPT 1 packets, 71 bytes)
 pkts bytes target     prot opt in     out     source               destination
Flushing the rules:

[root@…0002 ~]# iptables -F
[root@…0002 ~]# iptables -nvL
Chain INPUT (policy ACCEPT 43 packets, 3132 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 29 packets, 2516 bytes)
 pkts bytes target     prot opt in     out     source               destination

-F without -t flushes only the filter table, and it deletes rules without touching the chain policies. Because the policies here are ACCEPT, the host is now wide open; had the INPUT policy been DROP, flushing over SSH would have cut your own session, since the rule accepting ESTABLISHED traffic disappears together with the rest.

Flushing only changes the running rules. Unless you save, the iptables service reloads /etc/sysconfig/iptables at the next restart or reboot and the original rules come back.
Saving (this overwrites /etc/sysconfig/iptables with the rules currently loaded, so after the flush above the saved file now contains empty chains):

[root@…0002 ~]# service iptables save
iptables: Saving firewall rules to /etc/sysconfig/iptables:[  OK  ]
[root@…0002 ~]# vim /etc/sysconfig/iptables
Restarting the service (on CentOS 7 the service command is redirected to systemctl; restarting iptables.service reloads whatever is in /etc/sysconfig/iptables):

[root@…0002 ~]# service iptables restart
Redirecting to /bin/systemctl restart iptables.service
Zeroing the counters (-Z resets the packet and byte counters of every rule and chain in the filter table, which is handy before checking whether a new rule actually matches anything):

[root@… ~]# iptables -nvL
Chain INPUT (policy ACCEPT 18M packets, 2965M bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 15M packets, 5501M bytes)
 pkts bytes target     prot opt in     out     source               destination
[root@… ~]# iptables -Z
[root@… ~]# iptables -nvL
Chain INPUT (policy ACCEPT 49 packets, 2984 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 33 packets, 2456 bytes)
 pkts bytes target     prot opt in     out     source               destination
Adding a rule:

iptables -A INPUT -s 110.229.26.253 -p tcp --dport 80 -j REJECT

This rule rejects packets entering the INPUT chain from IP 110.229.26.253 that are addressed to TCP port 80; in short, it stops that IP from reaching our port 80. Note the two parts that are easy to leave out: --dport is only valid together with a protocol (-p tcp or -p udp), and the target must be introduced with -j; without them iptables refuses the command. -A appends the rule at the end of the chain, so it only takes effect if no earlier rule has already accepted the traffic.
Deleting that rule (with -D the rule specification must repeat exactly the matches and target used when it was added):

iptables -D INPUT -s 110.229.26.253 -p tcp --dport 80 -j REJECT
Besides deleting a rule by repeating it, there is a second way: delete it by its position in the chain.

First get the rule's number:

[root@… ~]# iptables -nvL --line-numbers
Chain INPUT (policy ACCEPT 2462 packets, 554K bytes)
num   pkts bytes target     prot opt in     out     source               destination
1      277 22324 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            multiport dports 20,21,80

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 2457 packets, 562K bytes)
num   pkts bytes target     prot opt in     out     source               destination
Then delete by number:

[root@… ~]# iptables -D INPUT 1
[root@… ~]# iptables -nvL
Chain INPUT (policy ACCEPT 48 packets, 3008 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 35 packets, 3614 bytes)
 pkts bytes target     prot opt in     out     source               destination

Numbers shift as soon as a rule is removed, so when deleting several rules by number either re-list the chain between deletions or delete from the highest number downwards.
Besides -A, a rule can be added with -I, which inserts it at the head of the chain (position 1) unless a position number is given after the chain name. Because the first matching rule wins, inserting at the top guarantees the rule is evaluated before anything already in the chain:

[root@… ~]# iptables -I INPUT -p icmp --icmp-type 8 -j DROP

[root@… ~]# iptables -nvL
Chain INPUT (policy ACCEPT 71 packets, 4425 bytes)
 pkts bytes target     prot opt in     out     source               destination
   74  6216 DROP       icmp --  *      *       0.0.0.0/0            0.0.0.0/0            icmptype 8

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 55 packets, 11135 bytes)
 pkts bytes target     prot opt in     out     source               destination

This rule stops others from pinging the machine: it drops inbound ICMP echo requests (type 8). Pinging out from this host still works, because the echo replies (type 0) coming back are not matched by the rule. DROP discards the packet silently, so the remote side sees no answer at all and its ping simply times out; REJECT would instead send back an ICMP error immediately.
Compare pinging the host before and after the rule:

# before setting the iptables rule
[root@…0002 ~]# ping 101.200.168.135
PING 101.200.168.135 (101.200.168.135) 56(84) bytes of data.
64 bytes from 101.200.168.135: icmp_seq=1 ttl=128 time=16.1 ms
64 bytes from 101.200.168.135: icmp_seq=2 ttl=128 time=13.7 ms
64 bytes from 101.200.168.135: icmp_seq=3 ttl=128 time=13.2 ms
^C
--- 101.200.168.135 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2004ms
rtt min/avg/max/mdev = 13.252/14.370/16.135/1.262 ms

# after setting it
[root@…0002 ~]# ping 101.200.168.135
PING 101.200.168.135 (101.200.168.135) 56(84) bytes of data.

No replies arrive: the requests are dropped silently and ping sits there until it is interrupted with Ctrl-C.
Setting a chain's default policy (the action taken on packets that match no rule; for the built-in chains it can only be ACCEPT or DROP):

[root@… ~]# iptables -P INPUT ACCEPT
[root@… ~]# iptables -nvL
Chain INPUT (policy ACCEPT 45 packets, 2732 bytes)
 pkts bytes target     prot opt in     out     source               destination
  212 17808 DROP       icmp --  *      *       0.0.0.0/0            0.0.0.0/0            icmptype 8

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 31 packets, 3454 bytes)
 pkts bytes target     prot opt in     out     source               destination

INPUT was already ACCEPT, so nothing changes here and the ICMP DROP rule stays in place. The policy is the one setting to be careful with on a remote machine: never switch INPUT to DROP before rules accepting RELATED,ESTABLISHED traffic and your SSH port are in place, otherwise the change locks you out, and remember that a later iptables -F removes those rules while leaving the DROP policy in force.
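The steps above (add, order and delete rules, set the policy, save) were typed one at a time, which is fine on a console but risky over SSH: a single wrong rule cuts the session. As an added example, not code from the original article, the script below does the same work the way you would on a remote host: it writes the article's rules as a file in the format of /etc/sysconfig/iptables, loads them atomically with iptables-restore instead of a series of -A/-I commands, and starts a watchdog that restores the previous rules unless you confirm within a time limit. It also shows how to find a rule's position (the number used with iptables -D INPUT N) from save-format text, and how to add a rule only when it is not already present. Port 22, port 80 and 110.229.26.253 are the values used in the article; everything else (CentOS 7 with the iptables service, root privileges, the function names) is my assumption.

```bash
#!/bin/bash
# Added example, not code from the original article.
# Assumes CentOS 7 with the iptables service installed and root privileges.
# Port 22, port 80 and 110.229.26.253 are the values used in the article.

# Print a filter-table rule set in the format of /etc/sysconfig/iptables.
#   $1 = SSH port, $2 = source IP to reject on port 80,
#   $3 = 1 to drop inbound ping (ICMP echo request, type 8), 0 to accept ICMP
# Order matters: rules are matched top to bottom, so the SSH ACCEPT must come
# before the catch-all REJECT or the rule set locks out remote administration.
build_ruleset() {
    local ssh_port="$1" blocked_ip="$2" drop_ping="$3"
    cat <<EOF
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport ${ssh_port} -j ACCEPT
EOF
    if [ "$drop_ping" = 1 ]; then
        echo '-A INPUT -p icmp -m icmp --icmp-type 8 -j DROP'
    else
        echo '-A INPUT -p icmp -j ACCEPT'
    fi
    cat <<EOF
-A INPUT -s ${blocked_ip} -p tcp -m tcp --dport 80 -j REJECT --reject-with icmp-port-unreachable
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
EOF
}

# Position (1-based, the number shown by iptables -nvL --line-numbers) of the
# first rule in a chain whose save-format line matches an extended regex;
# prints nothing if no rule matches. Works on iptables-save output too.
#   $1 = rule set text, $2 = chain, $3 = pattern
rule_position() {
    printf '%s\n' "$1" | grep -E -e "^-A $2 " | grep -nE -e "$3" | head -n 1 | cut -d: -f1
}

# Append a rule only if it is not already present: iptables -C exits 0 when an
# identical rule exists, so running this twice does not create duplicates.
#   usage: add_rule_once INPUT -s 110.229.26.253 -p tcp --dport 80 -j REJECT
add_rule_once() {
    iptables -C "$@" 2>/dev/null || iptables -A "$@"
}

# Load a rule set file atomically, with a watchdog that restores the previous
# rules after $2 seconds (default 120) unless the watchdog is killed first.
apply_with_rollback() {
    local file="$1" delay="${2:-120}" backup watchdog
    backup=$(mktemp /tmp/iptables-backup.XXXXXX)
    iptables-save > "$backup"                       # snapshot of the live rules
    iptables-restore --test < "$file" || { echo "rule set $file does not parse" >&2; return 1; }
    ( sleep "$delay"; iptables-restore < "$backup"; echo "rolled back to $backup" ) &
    watchdog=$!
    iptables-restore < "$file"                      # all-or-nothing, unlike a series of -A/-I
    echo "new rules loaded; if SSH still works, run: kill $watchdog && cp $file /etc/sysconfig/iptables"
}

if [ "${1:-}" = "--apply" ]; then
    rules=$(mktemp /tmp/iptables-rules.XXXXXX)
    build_ruleset 22 110.229.26.253 1 > "$rules"
    apply_with_rollback "$rules" 120
else
    build_ruleset 22 110.229.26.253 1               # dry run: only print the rule set
fi
```

Run it without arguments to see the rule set it would load; run it as root with --apply to load it. Copying the file over /etc/sysconfig/iptables after confirming is equivalent to service iptables save, but leaves a reviewable file rather than a dump of whatever happened to be loaded.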