Linux Study (28) iptables (2): iptables rule syntax
阿新 • Published: 2017-12-24
View the iptables rules:
[root@ruanwenwu-0002 ~]# iptables -nvL
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
 1786  140K ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
    1    64 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:22
  122 10168 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT 1513 packets, 135K bytes)
 pkts bytes target     prot opt in     out     source               destination
No table was named on this command, so it lists the filter table, which is the default. -L lists the rules, -v adds the packet/byte counters and the in/out interface columns, and -n prints addresses and ports as numbers instead of resolving them (which also keeps the listing from hanging on DNS). We have not written any rules of our own yet, so what is shown is the rule set the iptables service loaded at boot from /etc/sysconfig/iptables. Note that although the INPUT chain's policy is ACCEPT, the last rule rejects everything the earlier rules did not accept: only packets of established connections, ICMP, loopback traffic and new connections to TCP port 22 get in.
vim /etc/sysconfig/iptables:
# sample configuration for iptables service
# you can edit this manually or use system-config-firewall
# please do not ask us to add additional ports/services to this default configuration
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
Specify a table with -t (the nat table here has no rules, only its four built-in chains and their policies):
[root@ruanwenwu-0002 ~]# iptables -t nat -nvL
Chain PREROUTING (policy ACCEPT 49 packets, 4222 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain INPUT (policy ACCEPT 1 packets, 64 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 1 packets, 71 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain POSTROUTING (policy ACCEPT 1 packets, 71 bytes)
 pkts bytes target     prot opt in     out     source               destination
Flush the rules:
[root@ruanwenwu-0002 ~]# iptables -F
[root@ruanwenwu-0002 ~]# iptables -nvL
Chain INPUT (policy ACCEPT 43 packets, 3132 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 29 packets, 2516 bytes)
 pkts bytes target     prot opt in     out     source               destination
-F only flushes the rule set that is running in the kernel; /etc/sysconfig/iptables is untouched, so unless you save, the original rules come back after a reboot (or a service restart). Two caveats: without -t, -F only flushes the filter table, and it does not reset the chain policies. Here the INPUT policy is ACCEPT, so once the chain is empty the host accepts everything, including new connections to every listening port. On a host whose INPUT policy is DROP, the same command would cut off every connection, including the SSH session you typed it in.
Save (write the running rule set to /etc/sysconfig/iptables):
[root@ruanwenwu-0002 ~]# service iptables save
iptables: Saving firewall rules to /etc/sysconfig/iptables:[  OK  ]
[root@ruanwenwu-0002 ~]# vim /etc/sysconfig/iptables
Restart the service (on CentOS 7 the service command is forwarded to systemctl):
[root@ruanwenwu-0002 ~]# service iptables restart
Redirecting to /bin/systemctl restart iptables.service
Zero the counters (-Z resets the packet and byte counters of every rule and chain without touching the rules):
[root@iZ25lzba47vZ ~]# iptables -nvL
Chain INPUT (policy ACCEPT 18M packets, 2965M bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 15M packets, 5501M bytes)
 pkts bytes target     prot opt in     out     source               destination
[root@iZ25lzba47vZ ~]# iptables -Z
[root@iZ25lzba47vZ ~]# iptables -nvL
Chain INPUT (policy ACCEPT 49 packets, 2984 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 33 packets, 2456 bytes)
 pkts bytes target     prot opt in     out     source               destination
Add a rule:
iptables -A INPUT -s 110.229.26.253 -p tcp --dport 80 -j REJECT
This rule rejects requests entering the INPUT chain from the IP 110.229.26.253 to port 80; in short, it stops that IP from reaching our port 80. Two parts of the syntax are easy to drop: --dport is a match of the tcp (or udp) module, so it is only accepted after -p tcp, and the target must be introduced with -j. Without them iptables refuses the command rather than guessing.
Delete the rule above (-D with a rule specification deletes the first rule that matches it exactly):
iptables -D INPUT -s 110.229.26.253 -p tcp --dport 80 -j REJECT
Besides deleting it this way, there is another method.
First get the rule's number:
[root@iZ25lzba47vZ ~]# iptables -nvL --line-numbers
Chain INPUT (policy ACCEPT 2462 packets, 554K bytes)
num   pkts bytes target     prot opt in     out     source               destination
1      277 22324 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            multiport dports 20,21,80

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 2457 packets, 562K bytes)
num   pkts bytes target     prot opt in     out     source               destination
Then delete it by number (numbers are per chain and are renumbered after every deletion, so when deleting several, start from the highest number):
[root@iZ25lzba47vZ ~]# iptables -D INPUT 1
[root@iZ25lzba47vZ ~]# iptables -nvL
Chain INPUT (policy ACCEPT 48 packets, 3008 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 35 packets, 3614 bytes)
 pkts bytes target     prot opt in     out     source               destination
Besides -A, which appends a rule at the end of the chain, we can add rules with -I, which inserts at the front. The position matters because a packet is checked against the rules in order and the first match decides: a rule appended after the default rule set's final REJECT-all rule is never reached. -I puts the rule at position 1 unless you give a number (iptables -I INPUT 3 ... inserts it as rule 3):
[root@iZ25lzba47vZ ~]# iptables -I INPUT -p icmp --icmp-type 8 -j DROP
[root@iZ25lzba47vZ ~]# iptables -nvL
Chain INPUT (policy ACCEPT 71 packets, 4425 bytes)
 pkts bytes target     prot opt in     out     source               destination
   74  6216 DROP       icmp --  *      *       0.0.0.0/0            0.0.0.0/0            icmptype 8

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 55 packets, 11135 bytes)
 pkts bytes target     prot opt in     out     source               destination
This rule drops incoming ICMP echo requests (type 8), so other hosts can no longer ping this machine. Because it matches only type 8, the machine can still ping others: its own requests leave through OUTPUT and the replies that come back are type 0. DROP discards the packet silently, so the sender just sees a timeout; REJECT would send an ICMP error back instead.
Compare ping before and after:
# before setting the iptables rule
[root@ruanwenwu-0002 ~]# ping 101.200.168.135
PING 101.200.168.135 (101.200.168.135) 56(84) bytes of data.
64 bytes from 101.200.168.135: icmp_seq=1 ttl=128 time=16.1 ms
64 bytes from 101.200.168.135: icmp_seq=2 ttl=128 time=13.7 ms
64 bytes from 101.200.168.135: icmp_seq=3 ttl=128 time=13.2 ms
^C
--- 101.200.168.135 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2004ms
rtt min/avg/max/mdev = 13.252/14.370/16.135/1.262 ms
# after setting it (no replies come back; the requests are silently dropped)
[root@ruanwenwu-0002 ~]# ping 101.200.168.135
PING 101.200.168.135 (101.200.168.135) 56(84) bytes of data.
Set a chain's default policy, i.e. what happens to a packet that matches none of the chain's rules (only the built-in chains have a policy, and it is normally ACCEPT or DROP):
[root@iZ25lzba47vZ ~]# iptables -P INPUT ACCEPT
[root@iZ25lzba47vZ ~]# iptables -nvL
Chain INPUT (policy ACCEPT 45 packets, 2732 bytes)
 pkts bytes target     prot opt in     out     source               destination
  212 17808 DROP       icmp --  *      *       0.0.0.0/0            0.0.0.0/0            icmptype 8

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 31 packets, 3454 bytes)
 pkts bytes target     prot opt in     out     source               destination
Setting the INPUT policy to DROP over SSH is only safe once the chain already has an ACCEPT rule for port 22 and the RELATED,ESTABLISHED rule; otherwise the session is cut off the moment the policy changes.
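The add, look-up-by-number and delete steps above, plus the policy change, as a small set of shell helpers. This is an added example and not code from the original post. It assumes the iptables command line of CentOS 7 (iptables 1.4.x, which has -C for checking whether a rule exists) and root for the functions that touch the kernel; the function names and the sample listing are mine, and the listing is constructed in the style of `iptables -nvL INPUT --line-numbers` rather than captured from a real host.

```shell
#!/bin/sh
# Added example (not from the original post). Assumes iptables 1.4.x as on
# CentOS 7 and root for the live functions. Parsing is separated from
# execution so the parser can be tried on captured output without root.

# Print the number(s) of the rules in "iptables -nvL CHAIN --line-numbers"
# output (read from stdin) whose source column equals $1 and whose match
# text carries "dpt:$2". With -n the columns are:
#   num pkts bytes target prot opt in out source destination [match text...]
rule_nums_for() {
    awk -v src="$1" -v port="$2" '
        /^Chain /   { next }   # chain header
        $1 == "num" { next }   # column header
        NF >= 10 && $9 == src && $0 ~ ("dpt:" port "( |$)") { print $1 }
    '
}

# Live wrapper: look the rules up in the kernel and delete them by number.
# Numbers shift after each deletion, so delete from the highest one down.
delete_reject_rules() {  # chain src port
    iptables -nvL "$1" --line-numbers | rule_nums_for "$2" "$3" | sort -rn |
    while read -r n; do iptables -D "$1" "$n"; done
}

# Append the reject rule only if an identical one is not already present
# (-C exits 0 when it exists), so re-running a script does not stack copies.
add_reject_once() {  # src port
    iptables -C INPUT -s "$1" -p tcp --dport "$2" -j REJECT 2>/dev/null ||
    iptables -A INPUT -s "$1" -p tcp --dport "$2" -j REJECT
}

# Refuse to switch INPUT to DROP unless an SSH ACCEPT rule (either the
# default file's form or the short form) and the RELATED,ESTABLISHED rule
# are already in the chain; otherwise -P INPUT DROP over SSH locks you out.
input_policy_drop_safe() {
    iptables -C INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT 2>/dev/null ||
    iptables -C INPUT -p tcp --dport 22 -j ACCEPT 2>/dev/null || {
        echo "refusing: no SSH ACCEPT rule in INPUT" >&2; return 1; }
    iptables -C INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT 2>/dev/null || {
        echo "refusing: no RELATED,ESTABLISHED rule in INPUT" >&2; return 1; }
    iptables -P INPUT DROP
}

# Constructed sample listing (not a real capture) for exercising the parser
# offline: rule 2 is the port-80 reject from the text, rule 3 a port-443 one.
SAMPLE='Chain INPUT (policy ACCEPT 2462 packets, 554K bytes)
num   pkts bytes target     prot opt in     out     source               destination
1      277 22324 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            multiport dports 20,21,80
2        3   180 REJECT     tcp  --  *      *       110.229.26.253       0.0.0.0/0            tcp dpt:80 reject-with icmp-port-unreachable
3        0     0 REJECT     tcp  --  *      *       110.229.26.253       0.0.0.0/0            tcp dpt:443 reject-with icmp-port-unreachable'

# Rule number of the reject for 110.229.26.253 on the given port in SAMPLE.
sample_rule_num() {  # port
    printf '%s\n' "$SAMPLE" | rule_nums_for 110.229.26.253 "$1"
}
```

Source the file and run `sample_rule_num 80` to see the parser pick rule 2 from the sample; on a real host, `add_reject_once 110.229.26.253 80` followed by `delete_reject_rules INPUT 110.229.26.253 80` performs the add and numbered delete from the text without leaving duplicates behind. The port regex insists on a space or end of line after the number so that port 80 does not also match dpt:8080.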