Commands covered in this post: file permissions, user/group operations, yum package installation, scheduled tasks, processes and services, setting the system run level, networking, remote login, samba: folder sharing
Supplement
[root@localhost ~]# find /tmp ! -type d //list everything under /tmp that is not a directory
[root@localhost ~]# find /tmp -type d -exec chmod 0755 {} \; //set the mode of every directory found; {} is the placeholder for each match, and the terminating ; must be escaped as \; so the shell passes it through to find
File permissions
drwxr-xr-x. 2 root root 4096 Feb 12 09:55 account
First character: file type (d directory, - regular file, l symbolic link);
Next 9 characters: the permission bits, usually called the mode, in three rwx groups for owner, group and others;
Trailing ".": the file carries an SELinux security context (a "+" there would mean an ACL is set; ls -Z shows the context). This is not the same as the extended attributes that lsattr displays and chattr sets;
Number: hard link count of the file;
Owner: the user who owns the file;
Group: the group the file belongs to;
4096: file size in bytes; -h (human-readable) converts the unit automatically;
Last modification time of the file;
File name
chown: Change the owner and/or group of each FILE to OWNER and/or GROUP.
chown user2:group1 a.txt
chmod: Change the mode of each FILE to MODE.
chmod 0777 a.txt //read, write and execute for everyone; rarely what you want, since any local user can then modify the file
chmod u+x a.txt
chmod g+x a.txt
chmod o+x a.txt
umask: get or set the file mode creation mask. The bits set in the mask are cleared from the default mode (0666 for new files, 0777 for new directories), so a mask of 0022 yields 0644 files and 0755 directories.
umask
0022
umask -S //the same mask, shown symbolically as the permissions that remain
u=rwx,g=rx,o=rx
chgrp g1 test1.txt //change group ownership
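Added example, not part of the original notes: how umask shapes the mode of new files, and a find-based audit for world-writable files in the spirit of the find/-exec idiom from the supplement. The scratch tree and its file names are constructed for the demo; nothing here touches system files.

```bash
#!/bin/bash
# Added example, not from the original notes. Demonstrates umask arithmetic
# and a find-based world-writable audit on a constructed scratch tree.

# Mode a new file ("file") or directory ("dir") gets under umask $2.
# New files start from 0666, directories from 0777; the mask clears bits.
effective_mode() {
    local base=0666
    [ "$1" = "dir" ] && base=0777
    printf '%04o\n' $(( base & ~$2 ))
}

# Build a scratch tree: one file under the usual 0022 mask, one under 0000
# (so it ends up 0666, writable by every user on the host).
make_demo_tree() {
    local root="$1"
    rm -rf "$root"
    mkdir -p "$root/sub"
    ( umask 0022; : > "$root/normal.txt" )
    ( umask 0000; : > "$root/sub/loose.txt" )
    chmod 0755 "$root/sub"
}

# List world-writable entries below $1 that are not directories.
world_writable() {
    find "$1" ! -type d -perm -o=w
}

# Remove the world-write bit from each of them: the same -exec pattern as
# in the supplement, but with a narrower change than chmod 0755.
fix_world_writable() {
    find "$1" ! -type d -perm -o=w -exec chmod o-w {} \;
}
```

Run world_writable against /etc or /usr/local/bin on a real host; any hit there is a file an unprivileged user can rewrite.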
User/group operations
The two main files: /etc/passwd (world-readable account list) and /etc/shadow (password hashes and ageing data, readable only by root)
cat /etc/passwd | grep user1
user1:x:501:501::/home/user1:/bin/bash
user1: user name;
x: password placeholder; early Linux kept the password hash here, today it lives in /etc/shadow
501: uid;
501: gid of the primary group;
(empty): comment field (GECOS);
/home/user1: home directory;
/bin/bash: login shell (a shell such as /sbin/nologin means the account cannot log in interactively)
cat /etc/shadow | grep user1
user1:!!:17056:0:99999:7:::
user1: user name;
!!: password hash field. "!!" means no password has ever been set, so password login is impossible (it does not mean login without a password); a "!" prefixed to an existing hash means the account was locked with passwd -l. The remaining fields are: days since 1970-01-01 of the last password change (17056), minimum days between changes (0), maximum validity in days (99999), warning days before expiry (7), inactivity days after expiry, account expiry date, and a reserved field;
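Added example, not part of the original notes: an audit of account data in the /etc/passwd and /etc/shadow layouts described above. Each function reads the file given as its argument, so it runs against the constructed sample below without root; on a live host pass /etc/passwd and /etc/shadow (the latter as root). The sample users, hashes and dates are made up.

```bash
#!/bin/bash
# Added example, not from the original notes. Audits passwd/shadow-format
# files for the conditions a reviewer looks for first.

# Accounts with UID 0 other than root: a second root-equivalent account is
# a common backdoor.
extra_uid0() {
    awk -F: '$3 == 0 && $1 != "root" { print $1 }' "$1"
}

# Accounts whose login shell is interactive (not nologin or false).
interactive_accounts() {
    awk -F: '$7 !~ /(nologin|false)$/ { print $1 }' "$1"
}

# Shadow entries with an empty hash field: no password is asked at all.
# ("!" / "!!" / "*" mean locked or unset, which is safe.)
empty_password() {
    awk -F: '$2 == "" { print $1 }' "$1"
}

# Shadow entries with a real hash that never expires (max days 99999).
never_expires() {
    awk -F: '$2 != "" && $2 !~ /^[!*]/ && $5 == 99999 { print $1 }' "$1"
}

# Write constructed sample files into directory $1 (not from a real host).
write_sample() {
    cat > "$1/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
user1:x:501:501::/home/user1:/bin/bash
zhangsan:x:502:502::/home/zhangsan:/sbin/nologin
toor:x:0:0::/root:/bin/bash
EOF
    cat > "$1/shadow" <<'EOF'
root:$6$saltsalt$notarealhash:17056:0:99999:7:::
bin:*:17056:0:99999:7:::
user1:!!:17056:0:99999:7:::
zhangsan::17056:0:99999:7:::
toor:$6$salt2$notarealhash2:17056:0:90:7:::
EOF
}
```

On the sample, toor is the extra UID 0 account, zhangsan has an empty hash (the shell is nologin, but any other path that checks the password, such as su or an FTP daemon, would accept it), and root's hash never expires.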
w: Show who is logged on and what they are doing. (lists the users currently logged in)
17:34:33 up 1 day, 1:08, 5 users, load average: 0.00, 0.03, 0.05
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
user1 tty2 - 17:28 5:57 0.02s 0.02s -bash
root tty1 :0 06Sep16 15days 5:11 5:11 /usr/bin/Xorg :0 -nr -verbos
root pts/0 :0.0 Sun11 13:51 0.13s 0.13s /bin/bash
root pts/1 :0.0 Fri13 38:28m 0.27s 0.01s -bash
root pts/2 192.168.142.1 17:20 0.00s 0.14s 0.02s w
[root@localhost ~]# write user1 tty2 //send a message to user1 on tty2; press Ctrl+D to end the session
[root@localhost ~]# wall "this is broadcast message" //broadcast a message to all logged-in users
id:print real and effective user and group IDs
id user1
uid=501(user1) gid=501(user1) groups=501(user1)
passwd: change a user's password
When logged in as root
passwd user1 //set user1's password
When logged in as a normal user
passwd //change your own password
passwd -l user1 //lock user1's password (prefixes the hash in /etc/shadow with "!")
passwd -u user1 //unlock user1's password
chage: change user password expiry information (chage -l user1 lists the current settings; chage -E sets an account expiry date, after which the account is refused regardless of how it authenticates)
User operations
useradd/adduser: add a user
useradd user1 //add user user1; its default primary group is a new group also named user1;
useradd -M user1 //add user user1 without creating /home/user1
useradd user5 -g group1 //-g sets the primary group; id user5: uid=505(user5) gid=503(g1) groups=503(g1)
useradd user4 -G group1 //-G sets supplementary groups; id user4: uid=504(user4) gid=505(user4) groups=505(user4),503(g1)
[root@localhost ~]# useradd -s /sbin/nologin zhangsan //create an account that cannot log in interactively (service accounts should be created this way)
usermod:
usermod -g g1 user1 //change user1's primary group to g1
usermod -G g1 user1 //replace user1's supplementary groups with g1 (this drops every other supplementary group; use usermod -aG g1 user1 to append instead)
usermod -L user1 //lock user1's password; user1 can no longer log in with it
usermod -U user1 //unlock user1's password
usermod -s /sbin/nologin zhangsan //change an existing account so it cannot log in interactively
userdel: delete a user
userdel user1 //delete user1 but keep /home/user1
userdel -r user1 //delete user1 together with /home/user1
su: switch user
su - user1 //switch user and load that user's login environment (PATH, HOME, etc.)
su user1 //switch user but keep the current environment
After finishing the work as the other user, exit returns you to the original user.
sudo: execute a command as another user
sudo -u user1 touch /home/user1/hh.txt //run an operation as user1
sudo touch /home/user1/hh.txt //run an operation as root (what each user may run is governed by /etc/sudoers)
Group operations
groupadd:
groupadd group1;
groupdel
groupdel g1 //delete group g1; this only works if g1 is not the primary group of any user;
Software installation
1. Install from source
./configure: checks for the GCC compiler and the libraries or software the package depends on; when the checks pass it generates the Makefile;
Specify the install prefix: ./configure --prefix=/usr/local/memcache
make: builds the executables (binaries) according to the Makefile
make install: installs. By default configuration files go under /etc, libraries (shared and static) under /lib and /usr/lib, architecture-independent data such as documentation under /usr/share, variable state under /var/lib...
Combined: make clean && make && make install
make clean: removes the files produced by make
How to get a shared library found and loaded automatically:
check the configuration under /etc/ld.so.conf.d/
or edit /etc/ld.so.conf directly, add the library's path (e.g. /usr/local/lib), then run ldconfig
2. Install from an rpm (RPM Package Manager) package
rpm package: executables already compiled (make) for a particular hardware environment. The format is rpm on RedHat/CentOS, deb on Debian/Ubuntu, dmg/pkg on macOS and exe on Windows
Advantages of installing from an rpm package
The location of every installed file is recorded in a database under /var/lib/rpm/, which makes querying and removal easy
-i: --install
-U: --upgrade
-v: Print verbose information - normally routine progress messages will be displayed.
-h: Print 50 hash marks as the package archive is unpacked. Use with -v|--verbose for a nicer display. (progress bar)
Common commands:
Install: -ivh, --nodeps, --replacepkgs (--nodeps skips dependency checking and can leave a package installed whose requirements are unmet)
Remove: -e, --nodeps
Upgrade: -Uvh, -Fvh, --nodeps, --oldpackage
Query:
-q, -qa, -qf, -qd,
-qc (list the package's configuration files)
rpm -qal | egrep -i 'vim' //list every installed file whose path contains vim; -i makes the match case-insensitive
Verify: -V (compares size, digest, mode, owner, group and mtime of the installed files against the rpm database; rpm -K verifies a package's GPG signature before you install it)
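Added example, not part of the original notes: turning "rpm -Va" output into a tamper report. Each output line is a 9-character flag string (S size, M mode, 5 digest, D device, L link, U user, G group, T mtime, P capabilities), an optional type letter (c config, d documentation, ...) and the path, or the word "missing" followed by the path. Configuration files legitimately change, so only a changed digest on a non-config file, a changed mode, or a missing file is reported. The sample output below is constructed, not captured from a real host.

```bash
#!/bin/bash
# Added example, not from the original notes. Filters rpm -V output down to
# the entries that suggest a binary was replaced, its mode changed (e.g. a
# setuid bit added), or a file removed.
# Usage on a real host: rpm -Va 2>/dev/null | rpm_verify_suspicious
rpm_verify_suspicious() {
    awk '
        {
            path = $NF
            type = (NF == 3) ? $2 : ""          # "c" marks a config file
            if ($1 == "missing") { print "missing " path; next }
            digest = substr($1, 3, 1)           # 3rd flag: file digest
            mode   = substr($1, 2, 1)           # 2nd flag: mode bits
            if (digest == "5" && type != "c") { print "content " path }
            else if (mode == "M")             { print "mode " path }
        }'
}

# Constructed sample of rpm -Va output for the demo (not from a real host).
sample_rpm_verify() {
    cat <<'EOF'
S.5....T.    /usr/bin/ssh
.......T.  c /etc/ssh/sshd_config
S.5....T.  c /etc/yum.conf
.M.......    /usr/bin/passwd
missing     /usr/lib64/libexample.so
.......T.    /usr/share/doc/example/README
EOF
}
```

The check trusts the local rpm database, which root can rewrite, so it catches sloppy tampering rather than a rootkit that also edits /var/lib/rpm; pair it with package signature checks (rpm -K) and an offline baseline where that matters.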
3. Install with yum
yum is an interactive, rpm based, package manager.
It caches the package metadata of the configured repositories under /var/cache/yum/
Configure the 163 mirror as the yum source
cd /etc/yum.repos.d/
Run rm -rf * //only once the cd has succeeded, and after backing up the existing .repo files: this removes every repository definition in the directory
wget http://mirrors.163.com/.help/CentOS6-Base-163.repo
yum makecache //download the package lists from the server
SYNOPSIS
yum [options] [command] [package ...]
command is one of:
Show the repository list
* repolist [all|enabled|disabled]
Show packages
yum list [all | glob_exp1] [glob_exp2] [...]
yum list {available|updates|installed} [glob_exp1] [...]
Install packages
* install package1 [package2] [...]
Upgrade packages
* update [package1] [package2] [...]
Check for available upgrades
* check-update
Remove packages
* remove | erase package1 [package2] [...]
Show package information
* info [...]
Show which package provides a given feature (which may be a file)
* provides | whatprovides feature1 [feature2] [...]
Clean the local cache
* clean [ packages | metadata | expire-cache | rpmdb | plugins | all ]
Search
* search string1 [string2] [...]
Searches package names and Summary fields for the given keywords
Bring the whole system up to date with yum
yum [-y] update
Scheduled tasks
1. at: one-off jobs
[root@localhost ~]# ps aux | grep atd //check whether the atd service is running
[root@localhost ~]# service atd start //start atd
[root@localhost ~]# at 17:53 2013-04-01 //date in YYYY-MM-DD form
[root@localhost ~]# at 17:53 //schedule a one-off job at 17:53; without a date it runs at the next 17:53
at> touch /tmp/17-t-53.txt
at>
[root@localhost ~]# at -l //list pending one-off jobs
2 2016-09-21 17:53 a root
[root@localhost ~]# at -c 2 //show the contents of a job
[root@localhost ~]# at -d 2 //delete a job
/etc/at.deny //users listed here may not create jobs; everyone else may
/etc/at.allow //users listed here may create jobs; everyone else may not. If this file exists it takes precedence over at.deny; if neither file exists only root can use at
2. crontab: periodic jobs
-e: edit the periodic schedule
This option is used to edit the current crontab using the editor specified by the VISUAL or EDITOR environment variables. After you exit from the editor, the modified crontab will be installed automatically.
Some examples:
* * * * * date >> /tmp/cron.log //run date every minute and append the output to /tmp/cron.log
-l The current crontab will be displayed on standard output.
-r The current crontab will be removed.
[root@localhost cron]# crontab -e
no crontab for root - using an empty one
crontab: installing new crontab
[root@localhost cron]# crontab -l
* * * * * date >> /tmp/cron.log
[root@localhost cron]# watch cat /tmp/cron.log //watch - execute a program periodically (every 2s), showing output fullscreen
//for the field layout see /etc/crontab (per-user crontabs have no user-name field; /etc/crontab and /etc/cron.d/* do)
[root@localhost ~]# cat /etc/crontab
SHELL=/bin/bash
PATH=/sbin:/bin:/usr/sbin:/usr/bin
MAILTO=root
HOME=/
# For details see man 4 crontabs
# Example of job definition:
# .---------------- minute (0 - 59)
# | .------------- hour (0 - 23)
# | | .---------- day of month (1 - 31)
# | | | .------- month (1 - 12) OR jan,feb,mar,apr ...
# | | | | .---- day of week (0 - 6) (Sunday=0 or 7) OR sun,mon,tue,wed,thu,fri,sat
# | | | | |
# * * * * * user-name command to be executed
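Added example, not part of the original notes: an audit of a crontab in the /etc/crontab layout shown above (minute hour dom month dow user command) for jobs that run from a world-writable script. A root job whose script any user can edit hands that user root at the next run. The crontab and the scripts are constructed for the demo; on a real host point it at /etc/crontab and the files in /etc/cron.d. Entries using @reboot-style shortcuts are not handled.

```bash
#!/bin/bash
# Added example, not from the original notes. Flags cron jobs whose command
# file is world-writable. Paths and scripts are created for the demo.

# Print "user path" for each job in crontab $1 whose command file is
# world-writable. Comments, blank lines and VAR=value lines are skipped.
cron_writable_commands() {
    grep -Ev '^[[:space:]]*(#|$|[A-Za-z_]+=)' "$1" |
    while read -r min hour dom mon dow user cmd; do
        prog=${cmd%% *}                       # first word of the command
        [ -f "$prog" ] || continue            # skip relative names and builtins
        [ -n "$(find "$prog" -maxdepth 0 -perm -o=w)" ] && echo "$user $prog"
    done
    return 0
}

# Build a constructed crontab plus two scripts, one of them world-writable.
make_cron_demo() {
    local d="$1"
    mkdir -p "$d"
    printf '#!/bin/sh\necho backup\n'  > "$d/backup.sh";  chmod 0755 "$d/backup.sh"
    printf '#!/bin/sh\necho cleanup\n' > "$d/cleanup.sh"; chmod 0777 "$d/cleanup.sh"
    cat > "$d/crontab" <<EOF
SHELL=/bin/bash
PATH=/sbin:/bin:/usr/sbin:/usr/bin
# minute hour dom month dow user command
0 2 * * * root $d/backup.sh
*/5 * * * * root $d/cleanup.sh --force
* * * * * user1 date >> /tmp/cron.log
EOF
}
```

The same idea extends to the directories the script lives in (a writable parent directory lets an attacker swap the file) and to anything the script itself sources.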
Processes and services
Ctrl+Z: if a foreground process needs to run for a long time, suspend it (it stops and the shell returns); bg then continues it in the background.
&: run a process in the background from the start
yum -y update >/tmp/yum.log 2>&1 &
bg [jobspec]:
Resume each suspended job jobspec in the background, as if it had been started with &. If jobspec is not present, the shell’s notion of the current job is used. bg jobspec returns 0 unless run when job control is disabled or, when run with job control enabled, any specified jobspec was not found or was started without job control.
fg [jobspec]:把后台进程调到前台运行
Resume jobspec in the foreground, and make it the current job. If jobspec is not present, the shell’s notion of the current job is used. The return value is that of the command placed into the foreground, or failure if run when job control is disabled or, when run with job control enabled, if jobspec does not specify a valid job or jobspec specifies a job that was started without job control.
jobs [-lnprs] [ jobspec ... ]
jobs -x command [ args ... ]
The first form lists the active jobs. The options have the following meanings:
-l List process IDs in addition to the normal information.
-p List only the process ID of the job’s process group leader.
-n Display information only about jobs that have changed status
since the user was last notified of their status.
-r Restrict output to running jobs.
-s Restrict output to stopped jobs.
If jobspec is given, output is restricted to information about that job. The return status is 0 unless an invalid option is encountered or an invalid jobspec is supplied.
If the -x option is supplied, jobs replaces any jobspec found in command or args with the corresponding process group ID, and executes command passing it args, returning its exit status.
ps: report a snapshot of the current processes.
-l long format. The -y option is often useful with this.
-y Do not show flags; show rss in place of addr. This option can only be used with -l.
ps aux or ps -ef: to see every process on the system
[root@localhost ~]# ps -l
F S UID PID PPID C PRI NI ADDR SZ WCHAN TTY TIME CMD
4 S 0 43133 43129 0 80 0 - 27085 wait pts/3 00:00:00 bash
4 T 0 43206 43133 0 80 0 - 29772 signal pts/3 00:00:00 vi
4 T 0 43207 43133 0 80 0 - 35893 signal pts/3 00:00:00 vim
4 R 0 43209 43133 1 80 0 - 27035 - pts/3 00:00:00 ps
PID: process ID;
PPID: parent process ID;
kill - terminate a process
kill 43207: sends SIGTERM (15) to process 43207; the process may catch or ignore it, so it is not guaranteed to exit
kill -9 43207: sends SIGKILL; it cannot be caught and the kernel ends the process at once, but the process gets no chance to flush buffers or clean up, so use it only after SIGTERM has failed
pkill - signal processes based on name and other attributes
[root@localhost ~]# pkill -9 vim
[2]+ Killed vim
killall - kill processes by name
-i, --interactive
Interactively ask for confirmation before killing.
[root@localhost ~]# killall -9 -i vi
Signal vi(43337) ? (y/N) y
[1]+ Killed vi
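Added example, not part of the original notes: stopping a process the way the kill/kill -9 distinction above suggests. SIGTERM first so the process can clean up, a poll with a timeout, and SIGKILL only if it is still alive. The helper checks /proc directly because a child that has exited but not yet been reaped is a zombie, and kill -0 still succeeds on a zombie.

```bash
#!/bin/bash
# Added example, not from the original notes. Polite-then-forced shutdown
# of a process by PID, reporting which signal did the job.

# True while PID exists and is not a zombie. The state letter in
# /proc/PID/stat is the first field after the parenthesised command name.
alive() {
    local state
    state=$(sed -n 's/^.*) \([A-Za-z]\) [0-9].*/\1/p' "/proc/$1/stat" 2>/dev/null) || return 1
    [ -n "$state" ] && [ "$state" != "Z" ]
}

# Usage: stop_gracefully PID [TIMEOUT_SECONDS]
# Prints TERM if SIGTERM was enough, KILL if SIGKILL was needed,
# absent (with failure) if there was no such process.
stop_gracefully() {
    local pid="$1" timeout="${2:-5}" waited=0
    alive "$pid" || { echo "absent"; return 1; }
    kill -TERM "$pid"
    while alive "$pid"; do
        if [ "$waited" -ge "$timeout" ]; then
            kill -KILL "$pid"
            while alive "$pid"; do sleep 1; done
            echo "KILL"
            return 0
        fi
        sleep 1
        waited=$((waited + 1))
    done
    echo "TERM"
}
```

pkill and killall take the same signal names (pkill -TERM, pkill -KILL); the same TERM-then-KILL ordering applies to them.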
uptime - Tell how long the system has been running.
[root@localhost ~]# uptime
18:26:05 up 1 day, 8:54, 5 users, load average: 0.00, 0.00, 0.00
current time, time since boot, number of logged-in users, load averages over the last 1, 5 and 15 minutes
top - display Linux tasks
service - run a System V init script; note that not every Linux has this command (systemd-based systems use systemctl)
runs the corresponding script under /etc/rc.d/init.d
service mysqld start //start the service, equivalent to /etc/rc.d/init.d/mysqld start
service mysqld stop
service mysqld restart
service mysqld status //show the service status
Setting the system run level
Boot sequence (SysV init, as on CentOS 6; CentOS 7 and later use systemd and ignore /etc/inittab):
the default run level is read from /etc/inittab
--> the services in that run level's directory, e.g. /etc/rc.d/rc5.d, whose names start with S are started
--> /etc/rc.d/rc.local is executed
--> the login prompt appears
[root@localhost ~]# tail -10 /etc/inittab
# Default runlevel. The runlevels used are:
# 0 - halt (Do NOT set initdefault to this)
# 1 - Single user mode
# 2 - Multiuser, without NFS (The same as 3, if you do not have networking)
# 3 - Full multiuser mode
# 4 - unused
# 5 - X11
# 6 - reboot (Do NOT set initdefault to this)
#
id:5:initdefault:
Changing the value after id: changes the default run level. Servers are usually set to 3; 5 boots into the graphical interface
[root@localhost rc5.d]# cd /etc/rc.d/rc5.d
[root@localhost rc5.d]# ls //services of run level 5: names starting with K are stopped on entering the level, names starting with S are started; the number sets the order
K01smartd K73winbind S08ip6tables S23NetworkManager S80postfix
K05wdaemon K74ntpd S08iptables S25blk-availability S82abrt-ccpp
K10psacct K75ntpdate S10network S25cups S82abrtd
K10saslauthd K75quota_nld S11auditd S25netfs S90crond
K15htcacheclean K84wpa_supplicant S11portreserve S26acpid S95atd
K15httpd K87restorecond S12rsyslog S26haldaemon S95jexec
K36mysqld K89rdisc S13cpuspeed S26udev-post S99firstboot
K50dnsmasq K99rngd S13irqbalance S50bluetooth S99local
K50netconsole S01sysstat S15mdmonitor S55sshd
K50snmpd S02lvm2-monitor S20kdump S57vmware-tools-thinprint
K50snmptrapd S03vmware-tools S22messagebus S70spice-vdagentd
chkconfig - updates and queries runlevel information for system services
[root@localhost rc5.d]# chkconfig --list | grep mysql
mysqld 0:off 1:off 2:off 3:off 4:off 5:off 6:off
[root@localhost rc5.d]# chkconfig --level 35 mysqld on //enable mysqld at run levels 3 and 5; in effect the K link in each of those run-level directories is replaced by an S link
[root@localhost rc5.d]# chkconfig --list | grep mysql
mysqld 0:off 1:off 2:off 3:on 4:off 5:on 6:off
The service scripts themselves live in /etc/rc.d/init.d; the entries in each run-level directory (e.g. /etc/rc.d/rc5.d) are symbolic links to those scripts
[root@localhost rc5.d]# ll | grep mysql
lrwxrwxrwx. 1 root root 16 Sep 26 22:42 S64mysqld -> ../init.d/mysqld
[root@localhost rc5.d]# chkconfig --del mysqld //remove the mysqld service from chkconfig management: only the symbolic links in the run-level directories are removed, the script in /etc/rc.d/init.d stays
[root@localhost rc5.d]# chkconfig --add mysqld //add the mysqld service: creates the symbolic links in the run-level directories for the script in /etc/rc.d/init.d
Networking
ifconfig - configure a network interface
Changing the network configuration
[root@localhost ~]# cat /etc/sysconfig/network-scripts/ifcfg-eth0
DEVICE="eth0"
BOOTPROTO="dhcp" //address assignment: dhcp for a dynamic address, static for a fixed one
HWADDR="00:0C:29:A3:39:10"
IPV6INIT="yes"
NM_CONTROLLED="yes"
ONBOOT="yes"
TYPE="Ethernet"
UUID="b0b34ae4-6e3c-4e7a-878c-56f35bb6a290"
Another variant, with a static address
[root@localhost ~]# cat /etc/sysconfig/network-scripts/ifcfg-eth0
DEVICE="eth0"
HWADDR="00:0C:29:A3:39:10"
IPV6INIT="yes"
NM_CONTROLLED="yes"
ONBOOT="yes"
TYPE="Ethernet"
UUID="b0b34ae4-6e3c-4e7a-878c-56f35bb6a290"
BOOTPROTO="static"
IPADDR=192.168.142.128
NETMASK=255.255.255.0
GATEWAY=192.168.1.1
DNS1=8.8.8.8
[root@localhost ~]# system-config-network //text/graphical configuration UI, not recommended
[root@localhost ~]# chkconfig NetworkManager off //let the network service manage the interfaces from the ifcfg files instead of NetworkManager
[root@localhost ~]# chkconfig --list | grep net
netconsole 0:off 1:off 2:off 3:off 4:off 5:off 6:off
netfs 0:off 1:off 2:off 3:on 4:on 5:on 6:off
network 0:off 1:off 2:on 3:on 4:on 5:on 6:off
ping, ping6 - send ICMP ECHO_REQUEST to network hosts
host - DNS lookup utility; looks up a host's IP address. A successful answer shows the DNS configuration works
[root@localhost ~]# host www.baidu.com
localhost.localdomain has address XX.XX.XX.XX
nslookup - query Internet name servers interactively
[root@localhost ~]# nslookup www.baidu.com
netstat - Print network connections, routing tables, interface statistics, masquerade connections, and multicast memberships. Used here to list the listening services. Add -n to print numeric ports and addresses instead of resolving names (faster, and it shows the real port number), and -p to see which process owns each socket; on newer systems ss replaces netstat.
[--tcp|-t] [--udp|-u]
-p, --program
Show the PID and name of the program to which each socket belongs.
-l, --listening
Show only listening sockets. (These are omitted by default.)
-a, --all
Show both listening and non-listening (for TCP this means established con-
nections) sockets. With the --interfaces option, show interfaces that are
not marked
[root@localhost ~]# netstat -a | more
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 *:6379 *:* LISTEN
tcp 0 0 *:ssh *:* LISTEN
tcp 0 0 localhost:ipp *:* LISTEN
tcp 0 0 localhost:smtp *:* LISTEN
tcp 0 0 localhost:x11-ssh-offset *:* LISTEN
tcp 0 0 localhost:6011 *:* LISTEN
tcp 0 0 *:mysql *:* LISTEN
[root@localhost ~]# netstat -at //all TCP sockets, listening and connected
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 *:6379 *:* LISTEN
tcp 0 0 *:ssh *:* LISTEN
tcp 0 0 localhost:ipp *:* LISTEN
tcp 0 0 localhost:smtp *:* LISTEN
tcp 0 0 localhost:x11-ssh-offset *:* LISTEN
tcp 0 0 localhost:6011 *:* LISTEN
tcp 0 0 *:mysql *:* LISTEN
tcp 0 0 192.168.142.128:ssh 192.168.142.1:49367 ESTABLISHED
[root@localhost ~]# netstat -atl //only listening TCP sockets (with -l, the -a is redundant)
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 *:6379 *:* LISTEN
tcp 0 0 *:ssh *:* LISTEN
tcp 0 0 localhost:ipp *:* LISTEN
tcp 0 0 localhost:smtp *:* LISTEN
tcp 0 0 localhost:x11-ssh-offset *:* LISTEN
tcp 0 0 localhost:6011 *:* LISTEN
tcp 0 0 *:mysql *:* LISTEN
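Added example, not part of the original notes: reducing "netstat -tlnp" output to the services exposed on every interface. Anything bound to 0.0.0.0 or :: is reachable from the network and should be on an explicit allowlist; in the output above that would flag the Redis (6379) and MySQL listeners, while cups and smtp are bound to localhost only. The sample output below is constructed in the -tlnp layout, not captured from a real host.

```bash
#!/bin/bash
# Added example, not from the original notes. Lists listeners bound to all
# interfaces that are not on the allowlist of ports given as $1.
# Usage on a real host: netstat -tlnp | exposed_listeners "22 80"
exposed_listeners() {
    awk -v allow=" $1 " '
        $6 == "LISTEN" {
            n = split($4, a, ":"); port = a[n]                   # last colon-separated part
            addr = substr($4, 1, length($4) - length(port) - 1)  # everything before it
            if (addr != "0.0.0.0" && addr != "::") next          # bound to one address only
            if (index(allow, " " port " ") > 0) next             # explicitly allowed
            if (port in seen) next                               # IPv4 and IPv6 of one service
            seen[port] = 1
            split($7, p, "/")                                    # "PID/program" or "-"
            print port, (p[2] == "" ? "?" : p[2])
        }'
}

# Constructed sample in netstat -tlnp layout (not from a real host).
sample_netstat() {
    cat <<'EOF'
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:6379            0.0.0.0:*               LISTEN      1301/redis-server
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      1180/sshd
tcp        0      0 127.0.0.1:631           0.0.0.0:*               LISTEN      1203/cupsd
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN      1450/master
tcp        0      0 0.0.0.0:3306            0.0.0.0:*               LISTEN      1520/mysqld
tcp        0      0 :::22                   :::*                    LISTEN      1180/sshd
EOF
}
```

Without root, netstat prints "-" in the program column, which the script shows as "?"; run it as root to get the process name.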
Remote login
ssh:
OpenSSH SSH client (remote login program)
[root@localhost ~]# ssh [email protected]
What is SSH? SSH is a network protocol for encrypted login between computers. There are several implementations, commercial ones as well as the open-source OpenSSH.
Public-key cryptography
SSH is secure because it uses public-key cryptography. The process is: 1) client and server first agree on a session key through a key exchange (Diffie-Hellman), and the server signs the exchange with its host private key so the client can verify, against the host public key it trusts, that it is talking to the right machine; 2) everything from then on, including the login password, travels inside the channel encrypted with that session key; 3) the server checks the password and, if it is correct, allows the login. The password is therefore never encrypted directly with the server's public key; what the host key protects is the identity of the server.
Password login
The first time you log in to a host you see a prompt like this:
[root@localhost ~]# ssh [email protected]
The authenticity of host '192.168.142.128 (192.168.142.128)' can't be established.
RSA key fingerprint is 86:c5:1e:9c:f9:98:4f:57:8b:da:0b:1f:31:25:77:da.
Are you sure you want to continue connecting (yes/no)?
This means the client cannot confirm the host's identity; all it has is the fingerprint of the host public key. How is the user supposed to know the right fingerprint? There is no in-band way: it has to be obtained out of band, for example published by the administrator or carried in DNS SSHFP records, and compared before answering yes. Accepting an unverified key at this point is exactly where a man-in-the-middle can insert itself. Once accepted, the public key is saved in $HOME/.ssh/known_hosts; on later connections to that host the client recognises the stored key, skips the warning and asks for the password directly. If the stored key ever stops matching, ssh refuses to connect; that is a signal to investigate, not a reason to delete the known_hosts entry.
Every user has their own known_hosts file; in addition there is a system-wide one, usually /etc/ssh/ssh_known_hosts, holding host keys trusted for all users.
Public-key login
With password login you must type the password every time, which is tedious. Public-key login solves this.
The principle is simple: the user first stores their public key on the remote host. At login the remote host sends the user a challenge, the user signs it with their private key and sends the signature back. The remote host verifies the signature with the stored public key; if it verifies, the user is authenticated and gets a shell without a password prompt.
This requires the user to have a key pair; if there is none, ssh-keygen generates one.
[root@localhost ~]# ssh-keygen
Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /root/.ssh/id_rsa.
Your public key has been saved in /root/.ssh/id_rsa.pub.
The key fingerprint is:
e0:6b:8a:ec:1e:60:1d:66:b8:22:71:67:45:1f:d3:50 [email protected]
The key's randomart image is:
+--[ RSA 2048]----+
| .o ++E |
| . . . o. |
|...+o . . |
| o=o.. . |
|+o . . S |
|+. . |
| . o |
| . o o |
| o= . |
+-----------------+
When it finishes, two files exist under $HOME/.ssh/:
[root@localhost .ssh]# ll
total 12
-rw-------. 1 root root 1675 Oct 6 06:26 id_rsa
-rw-r--r--. 1 root root 408 Oct 6 06:26 id_rsa.pub
id_rsa is the private key (mode 600, readable only by its owner; ssh refuses to use a private key that others can read), id_rsa.pub is the public key and may be shared freely.
Enter the following command to copy the public key to the remote host (it is appended to ~/.ssh/authorized_keys there):
ssh-copy-id user@host
From now on logins to that host no longer ask for a password. If you set a passphrase on the key, ssh-agent can cache it so you are not asked for it on every connection.
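Added example, not part of the original notes: a check of the permissions in a .ssh directory, the ones the listing above shows as 600 for id_rsa and 644 for id_rsa.pub. The ssh client refuses a private key readable by others, and sshd (with StrictModes, the default) ignores an authorized_keys file or .ssh directory that is group- or world-writable, so a wrong mode silently breaks key login or, worse, lets another user plant a key. The directory checked is one the caller passes in; the test builds a constructed one.

```bash
#!/bin/bash
# Added example, not from the original notes. Reports entries in an .ssh
# directory whose mode defeats the protections sshd and ssh expect.
# Usage: check_ssh_perms ~/.ssh   (prints nothing when everything is fine)
check_ssh_perms() {
    local dir="$1" f mode
    mode=$(stat -c %a "$dir")
    [ $(( 0$mode & 022 )) -ne 0 ] && echo "$dir: $mode (group/other writable)"
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        mode=$(stat -c %a "$f")
        case "${f##*/}" in
            *.pub) ;;                                  # public keys may be world-readable
            id_*)                                      # private keys: owner only
                [ $(( 0$mode & 077 )) -ne 0 ] && echo "$f: $mode (private key readable by others)" ;;
            authorized_keys)                           # must not be writable by others
                [ $(( 0$mode & 022 )) -ne 0 ] && echo "$f: $mode (group/other writable)" ;;
        esac
    done
    return 0
}
```

The usual fix is chmod 700 ~/.ssh, chmod 600 on private keys and authorized_keys; the home directory itself must also not be group/world writable for StrictModes to accept the keys.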
scp:
secure copy (remote file copy program). scp copies files between hosts on a network. It uses ssh for data transfer, and uses the same authentication and provides the same security as ssh.
VNC: graphical remote login terminal.
Omitted
samba: folder sharing
Install
yum -y install samba
Start
/etc/init.d/smb start
Enable Samba at boot
chkconfig --level 35 smb on
Open the firewall
iptables -F //flushes every rule; with an ACCEPT policy this leaves the whole host unfiltered, so on anything but a lab machine add rules for Samba's ports instead (TCP 139 and 445, UDP 137 and 138) and keep the rest of the ruleset
Check that the service is listening
netstat -tnulap | grep smb
Samba configuration file
/etc/samba/smb.conf
iptables: administration tool for IPv4 packet filtering and NAT (network address translation)
It is the packet-filtering system integrated with the Linux kernel (the netfilter framework)
There are two basic policies for a ruleset:
1) everything not explicitly allowed is denied (default deny, the safer choice for an exposed host);
2) everything not explicitly denied is allowed (default allow)
Tables and chains
Tables
filter table
Filters packets; it is the default table, used whenever a command does not name one with -t
nat table
Rewrites the source or destination address of packets:
DNAT: destination address translation
SNAT: source address translation
MASQUERADE: SNAT to the outgoing interface's current address, for dynamically assigned addresses
mangle table
Alters packet headers, e.g.
TTL
TOS (type of service)
and sets a mark on the packet for other rules or the routing code to act on
Chains
INPUT (packets addressed to this host)
OUTPUT (packets generated by this host)
FORWARD (packets routed through this host)
POSTROUTING (after the routing decision; where SNAT is done)
PREROUTING (before the routing decision; where DNAT is done)
iptables commands
Options:
-A, --append chain rule-specification
Append one or more rules to the end of the selected chain. When the
source and/or destination names resolve to more than one address, a
rule will be added for each possible address combination.
[root@localhost ~]# iptables -A INPUT -j DROP //appends a rule that drops every incoming packet; run over SSH this cuts your own session, since no earlier rule accepts established connections
[root@localhost ~]# iptables -A INPUT -s 192.168.142.1 -j DROP //drop everything from one source address
[root@localhost ~]# iptables -L --line-number
Chain INPUT (policy ACCEPT)
num target prot opt source destination
1 DROP all -- 192.168.142.1 anywhere
Chain FORWARD (policy ACCEPT)
num target prot opt source destination
Chain OUTPUT (policy ACCEPT)
num target prot opt source destination
-D, --delete chain rule-specification
[root@localhost ~]# iptables -D INPUT 1 //delete rule number 1 of the INPUT chain (numbers as shown by -L --line-numbers)
-F, --flush [chain]
Flush the selected chain (all the chains in the table if none is
given). This is equivalent to deleting all the rules one by one.
-I, --insert chain [rulenum] rule-specification
Insert one or more rules in the selected chain as the given rule num-
ber. So, if the rule number is 1, the rule or rules are inserted at
the head of the chain. This is also the default if no rule number is
specified.
-L, --list [chain]
List all rules in the selected chain. If no chain is selected, all
chains are listed.
[root@localhost ~]# iptables -L
Chain INPUT (policy ACCEPT) //the chain's default policy, applied to packets that match no rule; the only other valid policy is DROP (REJECT is a rule target, not a chain policy)
target prot opt source destination
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
[root@localhost ~]# iptables -L --line-number //number the rules, so they can be referenced by -D and -I
-P, --policy chain target Set the policy for the chain to the given target. Changes the chain's default rule
[root@localhost ~]# iptables -P INPUT DROP //default deny for incoming traffic: make sure rules accepting loopback, established connections and the SSH port are in place before setting this, otherwise a remote session is lost. Rules live in kernel memory only; on CentOS 6 run service iptables save so they survive a reboot
[root@localhost ~]# iptables -L
Chain INPUT (policy DROP)
target prot opt source destination
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
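Added example, not part of the original notes: a minimal default-deny INPUT ruleset that stays reachable over SSH, the ordering the -P INPUT DROP caveat above calls for. Loopback and established traffic are accepted first, then new connections to the SSH port, and only then is the DROP policy set. The function takes an optional runner as its first argument: pass "echo" to print the commands for review, or nothing to execute them as root. The SSH port default and the choice of -m state (which CentOS 6 supports; newer kernels prefer -m conntrack --ctstate) are assumptions for the demo.

```bash
#!/bin/bash
# Added example, not from the original notes. Builds a default-deny INPUT
# chain in an order that does not cut off the administrator's SSH session.
# Usage: firewall_rules echo [port]   (dry run)   /   firewall_rules "" [port]
firewall_rules() {
    local run="${1:-}" ssh_port="${2:-22}"
    $run iptables -F INPUT                                            # start from an empty chain
    $run iptables -A INPUT -i lo -j ACCEPT                            # local traffic
    $run iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT  # replies to our own connections, and the current SSH session
    $run iptables -A INPUT -p tcp --dport "$ssh_port" -m state --state NEW -j ACCEPT  # new SSH logins
    $run iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT  # keep ping working
    $run iptables -P INPUT DROP                                       # everything else is dropped
    $run iptables -P FORWARD DROP                                     # this host does not route
    $run iptables -P OUTPUT ACCEPT
}

# Line number (1-based) of the first emitted command matching $2 in the
# dry-run output $1; used to check that rules precede the DROP policy.
rule_position() {
    printf '%s\n' "$1" | grep -n -- "$2" | head -n 1 | cut -d: -f1
}
```

Apply it with the dry run first, then for real from a console session rather than over SSH if possible, and follow with service iptables save on CentOS 6 so the rules are restored at boot.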