iptables has three tables: filter, nat and mangle.
The filter table has three built-in chains by default: INPUT, FORWARD and OUTPUT.
[root@localhost ~]# iptables -t filter -nvL
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
1425 122K ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0
2 120 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
1 104 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:22
1462 162K REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited
Chain OUTPUT (policy ACCEPT 1410 packets, 125K bytes)
pkts bytes target prot opt in out source destination
The nat table has three built-in chains by default: PREROUTING, POSTROUTING and OUTPUT.
[root@localhost ~]# iptables -t nat -nvL
Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
The mangle table has five built-in chains by default: PREROUTING, INPUT, FORWARD, OUTPUT and POSTROUTING.
[root@localhost ~]# iptables -t mangle -nvL
Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
The filter table is used mainly for filtering packets (it is the most commonly used table).
List the existing rules in the firewall's filter table. filter is the default table, so -t filter can be omitted here:
[root@localhost ~]# iptables -nvL -t filter
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
1713 146K ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0
2 120 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
1 104 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:22
1606 181K REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited
Chain OUTPUT (policy ACCEPT 1661 packets, 150K bytes)
pkts bytes target prot opt in out source destination
Zero the packet and byte counters of the firewall rules. filter is the default table, so -t filter can be omitted here:
[root@localhost ~]# iptables -Z -t filter
Flush all firewall rules in one go. filter is the default table, so -t filter can be omitted here:
[root@localhost ~]# iptables -F -t filter
Save the firewall configuration to /etc/sysconfig/iptables:
[root@localhost ~]# service iptables save
iptables:将防火墙规则保存到 /etc/sysconfig/iptables: [确定]
Back up the firewall configuration:
[root@localhost ~]# iptables-save > 1.ipt
Restore the firewall configuration:
[root@localhost ~]# iptables-restore < 1.ipt
Change the chain's default policy (the firewall's "master switch") to DROP (silently discard), REJECT (refuse) or ACCEPT (allow). On a freshly installed system the default policy is ACCEPT. Use this command with great care: once the policy is set to DROP or REJECT, your remote session will be cut off as well.
[root@localhost ~]# iptables -P INPUT DROP
Insert a firewall rule:
[root@localhost ~]# iptables -t filter -I INPUT -p tcp --dport 80 -s 192.168.10.111 -j DROP
-t filter specifies the table: filter
INPUT specifies the chain: INPUT
The option in front of INPUT determines where the rule goes: -A appends, so the rule ends up at the bottom of the chain; -I inserts, so the rule goes to the top of the chain; -D deletes the rule (it is matched first, then removed).
-p tcp specifies the protocol: tcp
--dport 80 specifies the destination port: 80
-s 192.168.10.111 specifies the source IP: 192.168.10.111
-j DROP specifies the action (target): DROP
Delete by matching the rule, i.e. remove the rule inserted above:
[root@localhost ~]# iptables -t filter -D INPUT -p tcp --dport 80 -s 192.168.10.111 -j DROP
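The commands above (insert with -I, delete with -D, and the risky -P INPUT DROP) are easy to get wrong when scripted: -I run twice creates a duplicate rule, -D on a rule that is not there fails, and a DROP policy applied before the SSH and ESTABLISHED ACCEPT rules exist locks you out. The following shell script is an added example, not code from the original notes; the function names (ensure_rule, remove_rule, ruleset_allows_ssh, safe_default_drop) and the IPTABLES / IPTABLES_SAVE override variables are this example's own conventions, and it assumes the iptables and iptables-save binaries are on PATH and run as root. The rules it manipulates are the ones from the notes.

```shell
#!/bin/sh
# Added example, not part of the original notes. Helper functions that make the
# rule operations above idempotent and guard the "-P INPUT DROP" step.
# IPTABLES / IPTABLES_SAVE can be pointed at wrappers for a dry run; by default
# they are the real binaries (assumed to be on PATH and run as root).
IPTABLES="${IPTABLES:-iptables}"
IPTABLES_SAVE="${IPTABLES_SAVE:-iptables-save}"

# ensure_rule CHAIN RULE...: insert RULE at the top of CHAIN (like -I above),
# but only if an identical rule is not already there. -C exits 0 when the rule
# exists, so running the script twice does not create duplicates.
ensure_rule() {
    chain="$1"; shift
    if "$IPTABLES" -C "$chain" "$@" 2>/dev/null; then
        echo "already present: $chain $*"
        return 0
    fi
    "$IPTABLES" -I "$chain" "$@"
}

# remove_rule CHAIN RULE...: delete RULE only if it exists; a bare -D on a
# missing rule fails, which would abort a script run under "set -e".
remove_rule() {
    chain="$1"; shift
    if "$IPTABLES" -C "$chain" "$@" 2>/dev/null; then
        "$IPTABLES" -D "$chain" "$@"
    else
        echo "not present: $chain $*"
    fi
}

# ruleset_allows_ssh: read iptables-save output on stdin and exit 0 only if the
# INPUT chain both accepts RELATED,ESTABLISHED traffic and accepts TCP to port
# 22 (the two rules that keep a remote session alive once the policy is DROP).
ruleset_allows_ssh() {
    awk '
        /^-A INPUT / && /-j ACCEPT/ && /RELATED,ESTABLISHED/ { est = 1 }
        /^-A INPUT / && /-j ACCEPT/ && /-p tcp/ && /--dport 22( |$)/ { ssh = 1 }
        END { exit !(est && ssh) }
    '
}

# safe_default_drop: refuse to switch the INPUT policy to DROP unless the live
# ruleset keeps SSH reachable, so the check happens before the lockout, not after.
safe_default_drop() {
    if "$IPTABLES_SAVE" | ruleset_allows_ssh; then
        "$IPTABLES" -P INPUT DROP
    else
        echo "refusing -P INPUT DROP: INPUT lacks ESTABLISHED/SSH ACCEPT rules" >&2
        return 1
    fi
}

# Usage, mirroring the rules from the notes (uncomment to apply on a real host):
#   ensure_rule INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
#   ensure_rule INPUT -p tcp --dport 22 -m state --state NEW -j ACCEPT
#   ensure_rule INPUT -p tcp --dport 80 -s 192.168.10.111 -j DROP
#   safe_default_drop
#   remove_rule INPUT -p tcp --dport 80 -s 192.168.10.111 -j DROP
```

For a dry run, set IPTABLES to a wrapper that prints its arguments (and IPTABLES_SAVE to a command that prints a saved ruleset) before sourcing the script; the functions then show exactly which iptables commands would be executed and whether the policy change would be allowed.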