https://fedoraproject.org/wiki/How_to_edit_iptables_rules?rd=User_talk:Rforlot

Listing Rules

Current running iptables Rules can be viewed with the command

iptables -L

.

Numeric port value
The list of Rules with the -L command option shows ports by their service name rather than port number. To see the port number instead, include the -nargument.

iptables -L -n
Viewing counters
Rules listed with the -L command option do not include matching counters. To include matching counters, include -v argument.

iptables -L -v

Example of iptables Rules allowing any connections already established or related, icmp requests, all local traffic, and ssh communication:

[root@server ~]# iptables -L

Chain INPUT (policy DROP)

target     prot opt source               destination

ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED

ACCEPT     icmp --  anywhere             anywhere

ACCEPT     all  --  anywhere             anywhere

ACCEPT     tcp  --  anywhere             anywhere             state NEW tcp dpt:ssh

Chain FORWARD (policy ACCEPT)

target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)

target     prot opt source               destination

Note that Rules are applied in order of appearance, and the inspection ends immediately when there is a match. Therefore, for example, if a Rule rejecting ssh connections is created, and afterward another Rule is specified allowing ssh, the Rule to reject is applied and the later Rule to accept the ssh connection is not.

Appending Rules

The following adds a Rule at the end of the specified chain of iptables:

[root@server ~]# iptables -A INPUT -p tcp --dport 80 -j ACCEPT

[root@server ~]# iptables -L

Chain INPUT (policy DROP)

target     prot opt source               destination

ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED

ACCEPT     icmp --  anywhere             anywhere

ACCEPT     all  --  anywhere             anywhere

ACCEPT     tcp  --  anywhere             anywhere             state NEW tcp dpt:ssh

ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:http

Chain FORWARD (policy ACCEPT)

target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)

target     prot opt source               destination

Notice the last line in chain INPUT. There are now five Rules in that chain.

Deleting Rules

To delete a Rule, you must know its position in the chain. The following example deletes an existing Rule created earlier that is currently in the fifth position:

[root@server ~]# iptables -D INPUT 5

[root@server ~]# iptables -L

Chain INPUT (policy DROP)

target     prot opt source               destination

ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED

ACCEPT     icmp --  anywhere             anywhere

ACCEPT     all  --  anywhere             anywhere

ACCEPT     tcp  --  anywhere             anywhere             state NEW tcp dpt:ssh

Chain FORWARD (policy ACCEPT)

target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)

target     prot opt source               destination

Inserting Rules

Create a Rule at the top (first) position:

[root@server ~]# iptables -I INPUT 1 -p tcp --dport 80 -j ACCEPT

[root@server ~]# iptables -L

Chain INPUT (policy DROP)

target     prot opt source               destination

ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:http

ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED

ACCEPT     icmp --  anywhere             anywhere

ACCEPT     all  --  anywhere             anywhere

ACCEPT     tcp  --  anywhere             anywhere             state NEW tcp dpt:ssh

Chain FORWARD (policy ACCEPT)

target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)

target     prot opt source               destination

The number given after the chain name indicates the position before an existing Rule. So, for example, if you want to insert a Rule before the third rule you specify the number 3. Afterward, the existing Rule will then be in the fourth position in the chain.

Replacing Rules

Rules may be specified to replace existing Rules in the chain.

In the example shown previously, the first Rule given allows connections to the http port (port 80) from anywhere. The following replaces this Rule, restricting connections to the standard http port (port 80) only from the network address range 192.168.0.0/24:

[root@server ~]# iptables -R INPUT 1 -p tcp -s 192.168.0.0/24 --dport 80 -j ACCEPT

[root@server ~]# iptables -L

Chain INPUT (policy DROP)

target     prot opt source               destination

ACCEPT     tcp  --  192.168.0.0/24       anywhere             tcp dpt:http

ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED

ACCEPT     icmp --  anywhere             anywhere

ACCEPT     all  --  anywhere             anywhere

ACCEPT     tcp  --  anywhere             anywhere             state NEW tcp dpt:ssh

Chain FORWARD (policy ACCEPT)

target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)

target     prot opt source               destination

Flushing Rules

To flush or clear iptables Rules, use the --flush-F option :

iptables -F <chain>

Specifying a <chain> is optional; without a chain specification, all chains are flushed.

Example to flush Rules in the OUTPUT chain :

[root@server ~]# iptables -F OUTPUT
Default chain policys care
Be aware of the default chain policy. For example, if the INPUT policy is DROP or REJECT and the Rules are flushed, all incoming traffic will be dropped or rejected and network communication broken.

Making changes persistent

The iptables Rules changes using CLI commands will be lost upon system reboot. However, iptables comes with two useful utilities: iptables-save and iptables-restore.

  • iptables-save prints a dump of current iptables rules to stdout. These may be redirected to a file:
[root@server ~]# iptables-save > iptables.dump

[root@server ~]# cat iptables.dump

# Generated by iptables-save v1.4.12 on Wed Dec  7 20:10:49 2011

*filter

:INPUT DROP [45:2307]

:FORWARD ACCEPT [0:0]

:OUTPUT ACCEPT [1571:4260654]

-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

-A INPUT -p icmp -j ACCEPT

-A INPUT -i lo -j ACCEPT

-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT

COMMIT

# Completed on Wed Dec  7 20:10:49 2011
  • iptables-restore : restore a dump of rules made by iptables-save.
[root@server ~]# iptables-restore < iptables.dump

[root@server ~]# iptables -L

Chain INPUT (policy DROP)

target     prot opt source               destination

ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED

ACCEPT     icmp --  anywhere             anywhere

ACCEPT     all  --  anywhere             anywhere

ACCEPT     tcp  --  anywhere             anywhere             state NEW tcp dpt:ssh

Chain FORWARD (policy ACCEPT)

target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)

target     prot opt source               destination

Upon stopping the service, the current iptables Rules are saved in a file, and upon starting the service, this file is restored. The affected files are:

  • /etc/sysconfig/iptables

    for IPv4

  • /etc/sysconfig/ip6tables

    for IPv6

If preferred, these files may be editted directly, and iptables service restarted to commit the changes. The format is similar to that of the iptables CLI commands:

# Generated by iptables-save v1.4.12 on Wed Dec  7 20:22:39 2011

*filter <--------------------------------------------------------- Specify the table of the next rules

:INPUT DROP [157:36334] <----------------------------------------- This is the three chain belong to filter table, then the policy of the chain

:FORWARD ACCEPT [0:0] <------------------------------------------- and between brackets [<packet-counter>:<byte-counter>] numbers is for

:OUTPUT ACCEPT [48876:76493439] <--------------------------------- debug/informations purpose only. Leave them at their current value.

-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT <--------- A rule.

-A INPUT -p icmp -j ACCEPT <-------------------------------------- You just have to take all arguments

-A INPUT -i lo -j ACCEPT <---------------------------------------- of an iptables command.

-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT

COMMIT <---------------------------------------------------------- Needed at each end of table definition. Commit rules in that table.

# Completed on Wed Dec  7 20:22:39 2011

If needed, to reset packet and byte counters, use -Z--zero :

iptables -Z <chain> <rule_number>

It is possible to reset only reset a single rule counter. It can be useful, if you want to know how many packets were captured for a specific rule.

iptables修改的更多相关文章

  1. docker通过iptables修改或新增镜像映射端口

    443 8088 22 端口是初始映射端口 [root@SERVER ~]# docker ps CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAM ...

  2. iptables实现反向代理

    拓扑图 实现目标 公网用户通过Firewall服务器(iptables实现)访问内网http服务 配置 #iptables iptables -t nat -A PREROUTING -p tcp - ...

  3. 阿里云服务器上使用iptables设置安全策略

    转自:http://www.netingcn.com/aliyun-iptables.html 公司的产品一直运行在云服务器上,从而有幸接触过aws的ec2,盛大的云服务器,最近准备有使用阿里云的弹性 ...

  4. centos6.5下系统编译定制iptables防火墙扩展layer7应用层访问控制功能及应用限制QQ2016上网

    iptables防火墙扩展之layer7应用层访问控制 概述: iptables防火墙是工作在网络层,针对TCP/IP数据包实施过滤和限制,属于典型的包过滤防火墙.以基于网络层的数据包过滤机制为主,同 ...

  5. iptables配置顺序-两条规则会忽略后边的

    oracle在centos本机能够正常访问,关闭防火墙也能够远程访问,但是一旦开启防火墙则不能远程访问 尝试添加规则iptables -A INPUT -m state --state NEW -m ...

  6. Linux下针对路由功能配置iptables的方法详解

    作为公司上网的路由器需要实现的功能有nat地址转换.dhcp.dns缓存.流量控制.应用程序控制,nat地址转换通过iptables可以直 接实现,dhcp服务需要安装dhcpd,dns缓存功能需要使 ...

  7. 阿里云服务器CentOS6.9防火墙启动无效--iptables消失

    iptables 是与最新的 3.5 版本 Linux 内核集成的 IP 信息包过滤系统.如果 Linux 系统连接到因特网或 LAN.服务器或连接 LAN 和因特网的代理服务器, 则该系统有利于在 ...

  8. mysql 监听ip地址修改

    如何修改MySQL监听IP地址 Mysql默认在本地环路地址127.0.0.1的3306端口监听,要使用其它IP地址需要修改配置文件. 1.编辑/etc/my.cnf 在[mysqld]节中增加下面一 ...

  9. iptables内网访问外网 ε=ε=ε=(~ ̄▽ ̄)~

    介绍 iptables概述: netfilter/iptables : IP信息包过滤系统,它实际上由两个组件netfilter 和 iptables 组成. netfilter/iptables 关 ...

随机推荐

  1. ASP.NET Core 2.2 基础知识(七) 选项模式

    承接上一篇 配置, 选项模式是专门用类来表示相关配置的服务. 基本选项配置 新建一个选项类,该类必须是包含无参数的构造函数的非抽象类. public class MyOptions { public ...

  2. java.sql.SQLException: Access denied for user ''@'localhost' (using password: No)

    出错原因: 连接数据库是忘记配username 和 password 了 刚在学hiberbate4,把持久层从纯粹的jdbc改为hiberbate 出现的错误.(原来的是直接读取properties ...

  3. [CF911G]Mass Change Queries

    题目大意: 给你一个长度为n的数列a,按顺序进行以下m次操作,每次将区间[l,r]中的所有x变成y,问最后数列是怎样的. 思路: 线段树. 每个线段树结点上维护当前区间每个数分别会变成多少.时间复杂度 ...

  4. 使用jQuery操作DOM(ppt练习)

    <!DOCTYPE html> <html> <head> <title>test3.html</title> <meta http- ...

  5. linux-更改文件属性-chattr与lsattr

    chattr命令的用法:chattr [ -RVf ] [ -v version ] [ mode ] 文件 最关键的是在[mode]部分,[mode]部分是由+-=和[ASacDdIijsTtu]这 ...

  6. P2P通信标准协议(四)之SIP

    在前面几篇文章中我们介绍了建立p2p通信的一般协议(簇),以及一种完整的NAT传输解决方案ICE, 但是对于多用户的通信情况,还有一些通用协议来实现标准化的管理,如之前讲过的SDP和SIP等,SIP( ...

  7. 常用 ARM 指令集及汇编

    ARM7TDMI(-S)指令集及汇编 ARM 处理器是基于精简指令集计算机(RISC)原理设计的,指令集和相关译码机制 较为简单,ARM7TDMI(-S)具有 32 位 ARM 指令集和 16 位 T ...

  8. python3读取html文件

    # htmlf=open('E:\\test2.html','r',encoding="utf-8") # htmlcont=htmlf.read() # print(type(h ...

  9. macOS中Vim基本配置,颜色主题/语法/indent设置

    macOS中Vim基本配置 Vim的初始化配置 .vimrc 存放位置 macOS 环境下 vim 的初始化配置文件为 .vimrc , 通常有两个(系统版本和用户版本),一个位于 /usr/shar ...

  10. 设置html属性为disabled时flask后台获取数据失败

    标签input的值如果不需要用户修改,则设置属性为 readonly,不要设置为 disabled.因为设置disabled会导致flask后端获取不到这个input得value rule_maker ...