Author: Yin Zhengjie
Copyright notice: original work, reproduction prohibited; violators will be held legally liable.
I. Overview of the iptables command
1>.iptables is a highly modular tool
[root@hdp101.yinzhengjie.org.cn ~]# yum info iptables
Loaded plugins: fastestmirror
Determining fastest mirrors
* base: mirrors.tuna.tsinghua.edu.cn
* extras: mirrors.huaweicloud.com
* updates: mirror.bit.edu.cn
Installed Packages
Name : iptables
Arch : x86_64
Version : 1.4.21
Release : 28.el7
Size : 1.5 M
Repo : installed
From repo : anaconda
Summary : Tools for managing Linux kernel packet filtering capabilities
URL : http://www.netfilter.org/
License : GPLv2
Description : The iptables utility controls the network packet filtering code in the
: Linux kernel. If you need to set up firewalls and/or IP masquerading,
: you should install this package.
Available Packages
Name : iptables
Arch : i686
Version : 1.4.21
Release : 33.el7
Size : 424 k
Repo : base/7/x86_64
Summary : Tools for managing Linux kernel packet filtering capabilities
URL : http://www.netfilter.org/
License : GPLv2
Description : The iptables utility controls the network packet filtering code in the
: Linux kernel. If you need to set up firewalls and/or IP masquerading,
: you should install this package.
Name : iptables
Arch : x86_64
Version : 1.4.21
Release : 33.el7
Size : 433 k
Repo : base/7/x86_64
Summary : Tools for managing Linux kernel packet filtering capabilities
URL : http://www.netfilter.org/
License : GPLv2
Description : The iptables utility controls the network packet filtering code in the
: Linux kernel. If you need to set up firewalls and/or IP masquerading,
: you should install this package.
[root@hdp101.yinzhengjie.org.cn ~]# rpm -ql iptables
/etc/sysconfig/ip6tables-config
/etc/sysconfig/iptables-config
/usr/bin/iptables-xml
/usr/lib64/libip4tc.so.0
/usr/lib64/libip4tc.so.0.1.0
/usr/lib64/libip6tc.so.0
/usr/lib64/libip6tc.so.0.1.0
/usr/lib64/libiptc.so.0
/usr/lib64/libiptc.so.0.0.0
/usr/lib64/libxtables.so.10
/usr/lib64/libxtables.so.10.0.0
/usr/lib64/xtables
/usr/lib64/xtables/libip6t_DNAT.so
/usr/lib64/xtables/libip6t_DNPT.so
/usr/lib64/xtables/libip6t_HL.so
/usr/lib64/xtables/libip6t_LOG.so
/usr/lib64/xtables/libip6t_MASQUERADE.so
/usr/lib64/xtables/libip6t_NETMAP.so
/usr/lib64/xtables/libip6t_REDIRECT.so
/usr/lib64/xtables/libip6t_REJECT.so
/usr/lib64/xtables/libip6t_SNAT.so
/usr/lib64/xtables/libip6t_SNPT.so
/usr/lib64/xtables/libip6t_ah.so
/usr/lib64/xtables/libip6t_dst.so
/usr/lib64/xtables/libip6t_eui64.so
/usr/lib64/xtables/libip6t_frag.so
/usr/lib64/xtables/libip6t_hbh.so
/usr/lib64/xtables/libip6t_hl.so
/usr/lib64/xtables/libip6t_icmp6.so
/usr/lib64/xtables/libip6t_ipv6header.so
/usr/lib64/xtables/libip6t_mh.so
/usr/lib64/xtables/libip6t_rt.so
/usr/lib64/xtables/libipt_CLUSTERIP.so
/usr/lib64/xtables/libipt_DNAT.so
/usr/lib64/xtables/libipt_ECN.so
/usr/lib64/xtables/libipt_LOG.so
/usr/lib64/xtables/libipt_MASQUERADE.so
/usr/lib64/xtables/libipt_MIRROR.so
/usr/lib64/xtables/libipt_NETMAP.so
/usr/lib64/xtables/libipt_REDIRECT.so
/usr/lib64/xtables/libipt_REJECT.so
/usr/lib64/xtables/libipt_SAME.so
/usr/lib64/xtables/libipt_SNAT.so
/usr/lib64/xtables/libipt_TTL.so
/usr/lib64/xtables/libipt_ULOG.so
/usr/lib64/xtables/libipt_ah.so
/usr/lib64/xtables/libipt_icmp.so
/usr/lib64/xtables/libipt_realm.so
/usr/lib64/xtables/libipt_ttl.so
/usr/lib64/xtables/libipt_unclean.so
/usr/lib64/xtables/libxt_AUDIT.so
/usr/lib64/xtables/libxt_CHECKSUM.so
/usr/lib64/xtables/libxt_CLASSIFY.so
/usr/lib64/xtables/libxt_CONNMARK.so
/usr/lib64/xtables/libxt_CONNSECMARK.so
/usr/lib64/xtables/libxt_CT.so
/usr/lib64/xtables/libxt_DSCP.so
/usr/lib64/xtables/libxt_HMARK.so
/usr/lib64/xtables/libxt_IDLETIMER.so
/usr/lib64/xtables/libxt_LED.so
/usr/lib64/xtables/libxt_MARK.so
/usr/lib64/xtables/libxt_NFLOG.so
/usr/lib64/xtables/libxt_NFQUEUE.so
/usr/lib64/xtables/libxt_NOTRACK.so
/usr/lib64/xtables/libxt_RATEEST.so
/usr/lib64/xtables/libxt_SECMARK.so
/usr/lib64/xtables/libxt_SET.so
/usr/lib64/xtables/libxt_SYNPROXY.so
/usr/lib64/xtables/libxt_TCPMSS.so
/usr/lib64/xtables/libxt_TCPOPTSTRIP.so
/usr/lib64/xtables/libxt_TEE.so
/usr/lib64/xtables/libxt_TOS.so
/usr/lib64/xtables/libxt_TPROXY.so
/usr/lib64/xtables/libxt_TRACE.so
/usr/lib64/xtables/libxt_addrtype.so
/usr/lib64/xtables/libxt_bpf.so
/usr/lib64/xtables/libxt_cgroup.so
/usr/lib64/xtables/libxt_cluster.so
/usr/lib64/xtables/libxt_comment.so
/usr/lib64/xtables/libxt_connbytes.so
/usr/lib64/xtables/libxt_connlabel.so
/usr/lib64/xtables/libxt_connlimit.so
/usr/lib64/xtables/libxt_connmark.so
/usr/lib64/xtables/libxt_conntrack.so
/usr/lib64/xtables/libxt_cpu.so
/usr/lib64/xtables/libxt_dccp.so
/usr/lib64/xtables/libxt_devgroup.so
/usr/lib64/xtables/libxt_dscp.so
/usr/lib64/xtables/libxt_ecn.so
/usr/lib64/xtables/libxt_esp.so
/usr/lib64/xtables/libxt_hashlimit.so
/usr/lib64/xtables/libxt_helper.so
/usr/lib64/xtables/libxt_iprange.so
/usr/lib64/xtables/libxt_ipvs.so
/usr/lib64/xtables/libxt_length.so
/usr/lib64/xtables/libxt_limit.so
/usr/lib64/xtables/libxt_mac.so
/usr/lib64/xtables/libxt_mark.so
/usr/lib64/xtables/libxt_multiport.so
/usr/lib64/xtables/libxt_nfacct.so
/usr/lib64/xtables/libxt_osf.so
/usr/lib64/xtables/libxt_owner.so
/usr/lib64/xtables/libxt_physdev.so
/usr/lib64/xtables/libxt_pkttype.so
/usr/lib64/xtables/libxt_policy.so
/usr/lib64/xtables/libxt_quota.so
/usr/lib64/xtables/libxt_rateest.so
/usr/lib64/xtables/libxt_recent.so
/usr/lib64/xtables/libxt_rpfilter.so
/usr/lib64/xtables/libxt_sctp.so
/usr/lib64/xtables/libxt_set.so
/usr/lib64/xtables/libxt_socket.so
/usr/lib64/xtables/libxt_standard.so
/usr/lib64/xtables/libxt_state.so
/usr/lib64/xtables/libxt_statistic.so
/usr/lib64/xtables/libxt_string.so
/usr/lib64/xtables/libxt_tcp.so
/usr/lib64/xtables/libxt_tcpmss.so
/usr/lib64/xtables/libxt_time.so
/usr/lib64/xtables/libxt_tos.so
/usr/lib64/xtables/libxt_u32.so
/usr/lib64/xtables/libxt_udp.so
/usr/sbin/ip6tables
/usr/sbin/ip6tables-restore
/usr/sbin/ip6tables-save
/usr/sbin/iptables
/usr/sbin/iptables-restore
/usr/sbin/iptables-save
/usr/sbin/xtables-multi
/usr/share/doc/iptables-1.4.21
/usr/share/doc/iptables-1.4.21/COPYING
/usr/share/doc/iptables-1.4.21/INCOMPATIBILITIES
/usr/share/man/man1/iptables-xml.1.gz
/usr/share/man/man8/ip6tables-restore.8.gz
/usr/share/man/man8/ip6tables-save.8.gz
/usr/share/man/man8/ip6tables.8.gz
/usr/share/man/man8/iptables-extensions.8.gz
/usr/share/man/man8/iptables-restore.8.gz
/usr/share/man/man8/iptables-save.8.gz
/usr/share/man/man8/iptables.8.gz
Unless you built your own kernel and userland, every common Linux distribution ships the iptables userspace tool by default; on CentOS it can be (re)installed with "yum -y install iptables".

The iptables command is highly modular: most match conditions and targets are implemented by extension plugins rather than by the core binary. "rpm -ql iptables" shows them under "/usr/lib64/xtables/". Files named "libip6t_*" are IPv6-only matches and targets, "libipt_*" are IPv4-only, and "libxt_*" are family-independent extensions shared by iptables and ip6tables (conntrack, multiport, limit, NFLOG and so on). Upper-case names (libxt_MARK.so, libipt_REJECT.so) are targets used with "-j"; lower-case names (libxt_conntrack.so, libipt_icmp.so) are matches used with "-m", or loaded implicitly by "-p". Each userspace plugin needs its kernel counterpart (the xt_*, ipt_* and ip6t_* modules); if the kernel module cannot be loaded, adding the rule fails with "No chain/target/match by that name".
2>.iptables syntax
Running "man iptables" shows the command's help and full syntax, as shown in the figure below. The general form is iptables [-t table] COMMAND [chain] [rule-specification] [options], where a rule specification is a list of match conditions followed by "-j target".
3>.With the firewall stopped, the default policy of every built-in chain is ACCEPT
Here firewalld is stopped, so the filter table contains no rules and the INPUT, FORWARD and OUTPUT chains all have policy ACCEPT: every packet is allowed. The policy is the fallback verdict for a packet that matches no rule in a built-in chain. Keep in mind that "iptables -F" only removes rules and leaves the policy untouched, so a host whose policy is DROP becomes unreachable (SSH included) the moment its rules are flushed.
[root@hdp101.yinzhengjie.org.cn ~]# iptables -vnL
Chain INPUT (policy ACCEPT 618 packets, 74197 bytes)
pkts bytes target prot opt in out source destination
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 581 packets, 75073 bytes)
pkts bytes target prot opt in out source destination
4>.Options accepted by "-t"
According to "man iptables", "-t" is equivalent to "--table" and selects the table to operate on; the available tables are shown in the figure below. In this version they are filter (the default), nat, mangle, raw and security.
5>.Categories of "COMMANDS"
"man iptables" lists the COMMANDS the tool accepts; they fall into the following three groups.
Chain management:
-N:
Equivalent to "--new-chain": create a user-defined chain. A newly created chain has a reference count of 0, i.e. no rule jumps to it yet.
-X:
Equivalent to "--delete-chain": delete a user-defined chain. Only a user-defined chain that is empty (contains no rules) and has a reference count of 0 (no rule in any other chain jumps to it) can be deleted; with no chain name given, every empty, unreferenced user-defined chain in the table is deleted.
-P:
Equivalent to "--policy": set the default policy of a built-in chain (INPUT, FORWARD and OUTPUT in the filter table). The policy must be ACCEPT or DROP; REJECT is a target extension and is not accepted as a chain policy, and user-defined chains have no policy at all (a packet that reaches the end of one returns to the chain that jumped to it).
-E:
Equivalent to "--rename-chain": rename a user-defined chain. Per the man page this is cosmetic and does not change the structure of the table; built-in chains cannot be renamed, and a chain that is still referenced cannot be deleted.
Rule management:
-A:
Equivalent to "--append": append a rule at the end of the chain.
-I:
Equivalent to "--insert": insert a rule at the given position (1-based); when the position is omitted, the new rule becomes rule 1. Because a chain is evaluated top to bottom and the first matching terminating rule decides, the choice between -A and -I matters: an ACCEPT appended after a catch-all REJECT never fires.
-D:
Equivalent to "--delete": delete a rule, either by its number in the chain or by repeating its exact rule specification.
-R:
Equivalent to "--replace": replace the rule at the given number in the chain with a new rule specification.
-F:
Equivalent to "--flush": delete all rules in the given chain, or in every chain of the table when no chain is given. Chain policies are not changed.
-Z:
Equivalent to "--zero": reset the packet and byte counters of all chains, of one chain, or of a single rule when a rule number is also given.
Every iptables rule carries two counters: the number of packets that matched it (pkts) and the total size of those packets (bytes).
Viewing:
-L:
Equivalent to "--list": list the rules in the given chain, or in every chain of the table when no chain is given (its sibling -S, "--list-rules", prints the same rules in iptables command form, which can be fed back in). -L combines with the following options:
-n:
numeric: print addresses and ports as numbers. Without it, iptables reverse-resolves IP addresses to host names and ports to service names ("anywhere", "ssh"), which is slow and can hang when DNS is unreachable; with -n the listing shows "0.0.0.0/0" and "22" instead.
-v:
verbose: show the counters of every rule (pkts and bytes, as defined above) and, just as important, the in/out interface columns, which plain -L omits. Repeating the flag (-vv, -vvv) prints increasingly detailed internal debug output from libiptc.
-x:
exact: print counters as exact values rather than rounded with K/M/G suffixes.
--line-numbers:
print each rule's position in its chain; this is the number used with -I, -D, -R and -Z.
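An added example, not part of the original post: the chain and rule commands above, run in the order their constraints impose (a chain must be unreferenced and empty before -X accepts it). Every call goes through a wrapper that only records the command unless IPT_APPLY=1 is set and the script runs as root, so the sequence can be reviewed, and checked, without touching a live firewall. The chain name YZJ_SSH and the networks are assumed values.

```shell
#!/bin/sh
# Added example (not from the original post). ipt() records each iptables
# invocation in IPT_LOG and only executes it when IPT_APPLY=1 and we are root.
# YZJ_SSH, 10.0.0.0/8, 10.1.0.0/16 and 192.168.0.0/16 are assumed example values.

IPT_LOG=""

ipt() {
    if [ "${IPT_APPLY:-0}" = "1" ] && [ "$(id -u)" = "0" ]; then
        iptables "$@" || return 1
    fi
    IPT_LOG="${IPT_LOG}iptables $*
"
}

# Build a chain that decides who may open an SSH connection, wire it into
# INPUT, then take it down again. Rule numbers are 1-based and shift as rules
# are inserted, so each step is annotated with the chain's resulting state.
chain_demo() {
    IPT_LOG=""
    ipt -N YZJ_SSH                                   # new chain: 0 references, no rules
    ipt -A YZJ_SSH -s 10.0.0.0/8 -j ACCEPT           # [1: 10/8 ACCEPT]
    ipt -A YZJ_SSH -p tcp -j REJECT --reject-with tcp-reset   # [.., 2: REJECT] acts as the chain's default
    ipt -I YZJ_SSH 2 -s 192.168.0.0/16 -j ACCEPT     # [1: 10/8, 2: 192.168/16, 3: REJECT]
    ipt -R YZJ_SSH 1 -s 10.1.0.0/16 -j ACCEPT        # narrow rule 1 in place
    # Only now does INPUT jump to the chain; its reference count becomes 1.
    ipt -I INPUT 1 -p tcp --dport 22 -m conntrack --ctstate NEW -j YZJ_SSH
    ipt -Z YZJ_SSH                                   # counters start from zero here
    # Tear-down: -X refuses a chain that is referenced or non-empty, so remove
    # the jump first (by specification, not by number: a rule inserted above it
    # meanwhile would make "-D INPUT 1" delete the wrong rule), flush, delete.
    ipt -D INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -j YZJ_SSH
    ipt -F YZJ_SSH
    ipt -X YZJ_SSH
}

# Line n (1-based) of the recorded sequence, for checking order.
logged_cmd() {
    printf '%s' "$IPT_LOG" | sed -n "${1}p"
}

chain_demo
printf '%s' "$IPT_LOG"
```

Run without IPT_APPLY to print the ten commands; run as root with IPT_APPLY=1 to execute them. Note that the -R step changes rule 1 only, leaving rules 2 and 3 where they were, and that -Z is placed after the jump exists so the counters reflect only traffic that actually entered the chain.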
6>.Common iptables parameters
Basic match conditions:
Provided by iptables/netfilter itself; no extension module needs to be loaded. Each of them can be negated by putting "!" in front of the option ("! -s 10.0.0.0/8").
-s:
Equivalent to "--source": match the packet's source IP address against the given address or network (CIDR or netmask form).
-d:
Equivalent to "--destination": match the packet's destination address against the given address or network; "0.0.0.0/0" matches every address.
-p:
Equivalent to "--protocol": match the protocol. Supported values are tcp, udp, udplite, icmp, icmpv6, esp, ah, sctp, mh or the special keyword "all"; "all" is the default when -p is omitted.
-i:
Equivalent to "--in-interface": the interface the packet arrived on. Only packets that have an ingress interface can match, so it is valid only in the PREROUTING, INPUT and FORWARD chains. A trailing "+" acts as a wildcard ("eth+").
-o:
Equivalent to "--out-interface": the interface the packet will leave through; valid only in the FORWARD, OUTPUT and POSTROUTING chains.
-j:
Equivalent to "--jump". Strictly this is not a match but the action taken when the rule matches: a verdict such as ACCEPT, DROP or REJECT, or the name of a user-defined chain to jump into. A rule without -j matches and only updates its counters.
Extended match conditions:
Implemented by extension modules, which must be loaded before the options they provide are understood.
Implicit extensions:
Loaded automatically because they extend a protocol: specifying "-p tcp" (or udp, icmp, ...) implicitly loads the match of the same name, so "-m tcp" need not be written.
tcp:
"--source-port, --sport port[:port]":
Match the source port, or a port range such as "1024:65535".
"--destination-port, --dport port[:port]":
Match the destination port, or a port range.
"--tcp-flags mask comp":
Examine the flags listed in mask and require exactly the flags listed in comp to be set. For example "--tcp-flags SYN,ACK,FIN,RST SYN" inspects SYN, ACK, FIN and RST and matches only when SYN is 1 and the other three are 0, i.e. the first packet of a TCP handshake; "--syn" is shorthand for exactly this combination. "ALL" and "NONE" are accepted in either position, so "--tcp-flags ALL NONE" matches null-scan packets and "--tcp-flags ALL ALL" matches packets with every flag set.
udp:
"--source-port, --sport port[:port]" and "--destination-port, --dport port[:port]":
Same meaning as for tcp; UDP has no flags to match.
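An added example, not code from the original post: a default-deny host firewall that uses the basic matches (-s, -p, -i, -j) and the implicit tcp/udp matches (--dport, --tcp-flags) described above, generated in iptables-restore format so that the whole filter table is replaced in one atomic operation. It goes beyond the section in two ways: every new TCP packet is routed through a scan-filter chain built on the exact "--tcp-flags SYN,ACK,FIN,RST SYN" example above, and the ruleset is parsed with "iptables-restore --test" before it is committed. ADMIN_NET, the chain name YZJ_SCAN, the service list and the log prefixes are assumptions; run it as root with IPT_APPLY=1 to load the ruleset, or without to print it for review.

```shell
#!/bin/sh
# Added example (not from the original post). Emits a default-deny filter
# table in iptables-restore format; ADMIN_NET, YZJ_SCAN, the example services
# and the log prefixes are assumed values.

ADMIN_NET="${ADMIN_NET:-10.0.0.0/8}"   # where administrative SSH may come from

# build_ruleset ADMIN_NET SERVICE...   SERVICE is proto:port, e.g. tcp:80 udp:514
build_ruleset() {
    admin_net="$1"; shift
    # Validate every argument before printing anything, so a bad one never
    # yields a partial ruleset that a later "iptables-restore" could load.
    for svc in "$@"; do
        case "$svc" in
            tcp:*|udp:*) ;;
            *) echo "build_ruleset: unsupported service '$svc'" >&2; return 1 ;;
        esac
        case "${svc#*:}" in
            ''|*[!0-9:]*) echo "build_ruleset: bad port in '$svc'" >&2; return 1 ;;
        esac
    done
# Lines starting with '#' are ignored by iptables-restore, but only at column 0.
cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:YZJ_SCAN - [0:0]
# tracked traffic first: this rule will carry almost every packet
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -i lo -j ACCEPT
# every new TCP packet must survive the scan filter before any ACCEPT below
-A INPUT -p tcp -m conntrack --ctstate NEW -j YZJ_SCAN
# mask SYN,ACK,FIN,RST / comp SYN: a pure SYN returns to INPUT, anything else is logged and dropped
-A YZJ_SCAN -p tcp --tcp-flags SYN,ACK,FIN,RST SYN -j RETURN
-A YZJ_SCAN -m limit --limit 10/minute -j LOG --log-prefix "IPT-SCAN: "
-A YZJ_SCAN -j DROP
-A INPUT -p tcp --dport 22 -s ${admin_net} -m conntrack --ctstate NEW -j ACCEPT
EOF
    for svc in "$@"; do
        proto="${svc%%:*}"; port="${svc#*:}"
        if [ "$proto" = tcp ]; then
            echo "-A INPUT -p tcp --dport ${port} -m conntrack --ctstate NEW -j ACCEPT"
        else
            echo "-A INPUT -p udp --dport ${port} -j ACCEPT"
        fi
    done
cat <<EOF
-A INPUT -p icmp --icmp-type echo-request -m limit --limit 5/second -j ACCEPT
-A INPUT -m limit --limit 10/minute -j LOG --log-prefix "IPT-INPUT-REJ: "
-A INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
EOF
}

# Parse with --test first; load for real only if the whole file is accepted.
apply_ruleset() {
    [ "$(id -u)" = 0 ] || { echo "apply_ruleset: must run as root" >&2; return 1; }
    tmp=$(mktemp) || return 1
    if build_ruleset "$@" > "$tmp" && iptables-restore --test < "$tmp"; then
        iptables-restore < "$tmp"; rc=$?
    else
        rc=1
    fi
    rm -f "$tmp"
    return $rc
}

if [ "${IPT_APPLY:-0}" = 1 ]; then
    apply_ruleset "$ADMIN_NET" tcp:80 tcp:443
else
    build_ruleset "$ADMIN_NET" tcp:80 tcp:443   # dry run: print the ruleset for review
fi
```

Loading the table with iptables-restore means the DROP policy and the ACCEPT rules change together, so there is no moment at which SSH is refused, which is exactly the window that "iptables -P INPUT DROP" followed by a series of "-A INPUT ... -j ACCEPT" commands opens. The conntrack rule sits first because it matches nearly every packet; the scan chain sits before the service rules so that a NEW packet that is not a clean SYN never reaches an ACCEPT.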
7>.
II. Basic query operations with iptables
1>.View the rules in the filter table
[root@hdp101.yinzhengjie.org.cn ~]# systemctl status firewalld
● firewalld.service - firewalld - dynamic firewall daemon
Loaded: loaded (/usr/lib/systemd/system/firewalld.service; disabled; vendor preset: enabled)
Active: inactive (dead)
Docs: man:firewalld(1)
Feb 11 18:00:37 hdp101.yinzhengjie.org.cn systemd[1]: Starting firewalld - dynamic firewall daemon...
Feb 11 18:00:37 hdp101.yinzhengjie.org.cn systemd[1]: Started firewalld - dynamic firewall daemon.
Feb 11 18:01:04 hdp101.yinzhengjie.org.cn systemd[1]: Stopping firewalld - dynamic firewall daemon...
Feb 11 18:01:04 hdp101.yinzhengjie.org.cn systemd[1]: Stopped firewalld - dynamic firewall daemon.
[root@hdp101.yinzhengjie.org.cn ~]#
[root@hdp101.yinzhengjie.org.cn ~]# systemctl start firewalld #start firewalld temporarily so that there are rules to look at
[root@hdp101.yinzhengjie.org.cn ~]#
[root@hdp101.yinzhengjie.org.cn ~]# systemctl status firewalld
● firewalld.service - firewalld - dynamic firewall daemon
Loaded: loaded (/usr/lib/systemd/system/firewalld.service; disabled; vendor preset: enabled)
Active: active (running) since Tue 2020-02-11 18:01:18 CST; 1s ago
Docs: man:firewalld(1)
Main PID: 18613 (firewalld)
CGroup: /system.slice/firewalld.service
└─18613 /usr/bin/python2 -Es /usr/sbin/firewalld --nofork --nopid
Feb 11 18:01:17 hdp101.yinzhengjie.org.cn systemd[1]: Starting firewalld - dynamic firewall daemon...
Feb 11 18:01:18 hdp101.yinzhengjie.org.cn systemd[1]: Started firewalld - dynamic firewall daemon.
[root@hdp101.yinzhengjie.org.cn ~]# iptables -t filter -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED
ACCEPT all -- anywhere anywhere
INPUT_direct all -- anywhere anywhere
INPUT_ZONES_SOURCE all -- anywhere anywhere
INPUT_ZONES all -- anywhere anywhere
DROP all -- anywhere anywhere ctstate INVALID
REJECT all -- anywhere anywhere reject-with icmp-host-prohibited
Chain FORWARD (policy ACCEPT)
target prot opt source destination
ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED
ACCEPT all -- anywhere anywhere
FORWARD_direct all -- anywhere anywhere
FORWARD_IN_ZONES_SOURCE all -- anywhere anywhere
FORWARD_IN_ZONES all -- anywhere anywhere
FORWARD_OUT_ZONES_SOURCE all -- anywhere anywhere
FORWARD_OUT_ZONES all -- anywhere anywhere
DROP all -- anywhere anywhere ctstate INVALID
REJECT all -- anywhere anywhere reject-with icmp-host-prohibited
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
ACCEPT all -- anywhere anywhere
OUTPUT_direct all -- anywhere anywhere
Chain FORWARD_IN_ZONES (1 references)
target prot opt source destination
FWDI_public all -- anywhere anywhere [goto]
Chain FORWARD_IN_ZONES_SOURCE (1 references)
target prot opt source destination
Chain FORWARD_OUT_ZONES (1 references)
target prot opt source destination
FWDO_public all -- anywhere anywhere [goto]
Chain FORWARD_OUT_ZONES_SOURCE (1 references)
target prot opt source destination
Chain FORWARD_direct (1 references)
target prot opt source destination
Chain FWDI_public (1 references)
target prot opt source destination
FWDI_public_log all -- anywhere anywhere
FWDI_public_deny all -- anywhere anywhere
FWDI_public_allow all -- anywhere anywhere
ACCEPT icmp -- anywhere anywhere
Chain FWDI_public_allow (1 references)
target prot opt source destination
Chain FWDI_public_deny (1 references)
target prot opt source destination
Chain FWDI_public_log (1 references)
target prot opt source destination
Chain FWDO_public (1 references)
target prot opt source destination
FWDO_public_log all -- anywhere anywhere
FWDO_public_deny all -- anywhere anywhere
FWDO_public_allow all -- anywhere anywhere
Chain FWDO_public_allow (1 references)
target prot opt source destination
Chain FWDO_public_deny (1 references)
target prot opt source destination
Chain FWDO_public_log (1 references)
target prot opt source destination
Chain INPUT_ZONES (1 references)
target prot opt source destination
IN_public all -- anywhere anywhere [goto]
Chain INPUT_ZONES_SOURCE (1 references)
target prot opt source destination
Chain INPUT_direct (1 references)
target prot opt source destination
Chain IN_public (1 references)
target prot opt source destination
IN_public_log all -- anywhere anywhere
IN_public_deny all -- anywhere anywhere
IN_public_allow all -- anywhere anywhere
ACCEPT icmp -- anywhere anywhere
Chain IN_public_allow (1 references)
target prot opt source destination
ACCEPT tcp -- anywhere anywhere tcp dpt:ssh ctstate NEW,UNTRACKED
Chain IN_public_deny (1 references)
target prot opt source destination
Chain IN_public_log (1 references)
target prot opt source destination
Chain OUTPUT_direct (1 references)
target prot opt source destination
[root@hdp101.yinzhengjie.org.cn ~]# iptables -t filter -L #list the rules in the filter table (here firewalld's chains); names are resolved, so addresses show as "anywhere" and port 22 as "ssh", and "[goto]" marks rules that use -g instead of -j
[root@hdp101.yinzhengjie.org.cn ~]# iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED
ACCEPT all -- anywhere anywhere
INPUT_direct all -- anywhere anywhere
INPUT_ZONES_SOURCE all -- anywhere anywhere
INPUT_ZONES all -- anywhere anywhere
DROP all -- anywhere anywhere ctstate INVALID
REJECT all -- anywhere anywhere reject-with icmp-host-prohibited
Chain FORWARD (policy ACCEPT)
target prot opt source destination
ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED
ACCEPT all -- anywhere anywhere
FORWARD_direct all -- anywhere anywhere
FORWARD_IN_ZONES_SOURCE all -- anywhere anywhere
FORWARD_IN_ZONES all -- anywhere anywhere
FORWARD_OUT_ZONES_SOURCE all -- anywhere anywhere
FORWARD_OUT_ZONES all -- anywhere anywhere
DROP all -- anywhere anywhere ctstate INVALID
REJECT all -- anywhere anywhere reject-with icmp-host-prohibited
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
ACCEPT all -- anywhere anywhere
OUTPUT_direct all -- anywhere anywhere
Chain FORWARD_IN_ZONES (1 references)
target prot opt source destination
FWDI_public all -- anywhere anywhere [goto]
Chain FORWARD_IN_ZONES_SOURCE (1 references)
target prot opt source destination
Chain FORWARD_OUT_ZONES (1 references)
target prot opt source destination
FWDO_public all -- anywhere anywhere [goto]
Chain FORWARD_OUT_ZONES_SOURCE (1 references)
target prot opt source destination
Chain FORWARD_direct (1 references)
target prot opt source destination
Chain FWDI_public (1 references)
target prot opt source destination
FWDI_public_log all -- anywhere anywhere
FWDI_public_deny all -- anywhere anywhere
FWDI_public_allow all -- anywhere anywhere
ACCEPT icmp -- anywhere anywhere
Chain FWDI_public_allow (1 references)
target prot opt source destination
Chain FWDI_public_deny (1 references)
target prot opt source destination
Chain FWDI_public_log (1 references)
target prot opt source destination
Chain FWDO_public (1 references)
target prot opt source destination
FWDO_public_log all -- anywhere anywhere
FWDO_public_deny all -- anywhere anywhere
FWDO_public_allow all -- anywhere anywhere
Chain FWDO_public_allow (1 references)
target prot opt source destination
Chain FWDO_public_deny (1 references)
target prot opt source destination
Chain FWDO_public_log (1 references)
target prot opt source destination
Chain INPUT_ZONES (1 references)
target prot opt source destination
IN_public all -- anywhere anywhere [goto]
Chain INPUT_ZONES_SOURCE (1 references)
target prot opt source destination
Chain INPUT_direct (1 references)
target prot opt source destination
Chain IN_public (1 references)
target prot opt source destination
IN_public_log all -- anywhere anywhere
IN_public_deny all -- anywhere anywhere
IN_public_allow all -- anywhere anywhere
ACCEPT icmp -- anywhere anywhere
Chain IN_public_allow (1 references)
target prot opt source destination
ACCEPT tcp -- anywhere anywhere tcp dpt:ssh ctstate NEW,UNTRACKED
Chain IN_public_deny (1 references)
target prot opt source destination
Chain IN_public_log (1 references)
target prot opt source destination
Chain OUTPUT_direct (1 references)
target prot opt source destination
[root@hdp101.yinzhengjie.org.cn ~]# iptables -L #"-t" can be omitted because filter is the default table. Plain -L hides the in/out interface columns, so INPUT rule 2 reads "ACCEPT all anywhere anywhere" although it is really the loopback rule (-i lo), as the -v listing further down shows
[root@hdp101.yinzhengjie.org.cn ~]# iptables -L -n
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
INPUT_direct all -- 0.0.0.0/0 0.0.0.0/0
INPUT_ZONES_SOURCE all -- 0.0.0.0/0 0.0.0.0/0
INPUT_ZONES all -- 0.0.0.0/0 0.0.0.0/0
DROP all -- 0.0.0.0/0 0.0.0.0/0 ctstate INVALID
REJECT all -- 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited
Chain FORWARD (policy ACCEPT)
target prot opt source destination
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
FORWARD_direct all -- 0.0.0.0/0 0.0.0.0/0
FORWARD_IN_ZONES_SOURCE all -- 0.0.0.0/0 0.0.0.0/0
FORWARD_IN_ZONES all -- 0.0.0.0/0 0.0.0.0/0
FORWARD_OUT_ZONES_SOURCE all -- 0.0.0.0/0 0.0.0.0/0
FORWARD_OUT_ZONES all -- 0.0.0.0/0 0.0.0.0/0
DROP all -- 0.0.0.0/0 0.0.0.0/0 ctstate INVALID
REJECT all -- 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
OUTPUT_direct all -- 0.0.0.0/0 0.0.0.0/0
Chain FORWARD_IN_ZONES (1 references)
target prot opt source destination
FWDI_public all -- 0.0.0.0/0 0.0.0.0/0 [goto]
Chain FORWARD_IN_ZONES_SOURCE (1 references)
target prot opt source destination
Chain FORWARD_OUT_ZONES (1 references)
target prot opt source destination
FWDO_public all -- 0.0.0.0/0 0.0.0.0/0 [goto]
Chain FORWARD_OUT_ZONES_SOURCE (1 references)
target prot opt source destination
Chain FORWARD_direct (1 references)
target prot opt source destination
Chain FWDI_public (1 references)
target prot opt source destination
FWDI_public_log all -- 0.0.0.0/0 0.0.0.0/0
FWDI_public_deny all -- 0.0.0.0/0 0.0.0.0/0
FWDI_public_allow all -- 0.0.0.0/0 0.0.0.0/0
ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0
Chain FWDI_public_allow (1 references)
target prot opt source destination
Chain FWDI_public_deny (1 references)
target prot opt source destination
Chain FWDI_public_log (1 references)
target prot opt source destination
Chain FWDO_public (1 references)
target prot opt source destination
FWDO_public_log all -- 0.0.0.0/0 0.0.0.0/0
FWDO_public_deny all -- 0.0.0.0/0 0.0.0.0/0
FWDO_public_allow all -- 0.0.0.0/0 0.0.0.0/0
Chain FWDO_public_allow (1 references)
target prot opt source destination
Chain FWDO_public_deny (1 references)
target prot opt source destination
Chain FWDO_public_log (1 references)
target prot opt source destination
Chain INPUT_ZONES (1 references)
target prot opt source destination
IN_public all -- 0.0.0.0/0 0.0.0.0/0 [goto]
Chain INPUT_ZONES_SOURCE (1 references)
target prot opt source destination
Chain INPUT_direct (1 references)
target prot opt source destination
Chain IN_public (1 references)
target prot opt source destination
IN_public_log all -- 0.0.0.0/0 0.0.0.0/0
IN_public_deny all -- 0.0.0.0/0 0.0.0.0/0
IN_public_allow all -- 0.0.0.0/0 0.0.0.0/0
ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0
Chain IN_public_allow (1 references)
target prot opt source destination
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:22 ctstate NEW,UNTRACKED
Chain IN_public_deny (1 references)
target prot opt source destination
Chain IN_public_log (1 references)
target prot opt source destination
Chain OUTPUT_direct (1 references)
target prot opt source destination
[root@hdp101.yinzhengjie.org.cn ~]# iptables -L -n #print addresses and ports numerically ("0.0.0.0/0", "dpt:22") instead of resolving them; use -n whenever DNS may be slow or unreachable
[root@hdp101.yinzhengjie.org.cn ~]# iptables -nL --line-numbers
Chain INPUT (policy ACCEPT)
num target prot opt source destination
1 ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
2 ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
3 INPUT_direct all -- 0.0.0.0/0 0.0.0.0/0
4 INPUT_ZONES_SOURCE all -- 0.0.0.0/0 0.0.0.0/0
5 INPUT_ZONES all -- 0.0.0.0/0 0.0.0.0/0
6 DROP all -- 0.0.0.0/0 0.0.0.0/0 ctstate INVALID
7 REJECT all -- 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited
Chain FORWARD (policy ACCEPT)
num target prot opt source destination
1 ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
2 ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
3 FORWARD_direct all -- 0.0.0.0/0 0.0.0.0/0
4 FORWARD_IN_ZONES_SOURCE all -- 0.0.0.0/0 0.0.0.0/0
5 FORWARD_IN_ZONES all -- 0.0.0.0/0 0.0.0.0/0
6 FORWARD_OUT_ZONES_SOURCE all -- 0.0.0.0/0 0.0.0.0/0
7 FORWARD_OUT_ZONES all -- 0.0.0.0/0 0.0.0.0/0
8 DROP all -- 0.0.0.0/0 0.0.0.0/0 ctstate INVALID
9 REJECT all -- 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited
Chain OUTPUT (policy ACCEPT)
num target prot opt source destination
1 ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
2 OUTPUT_direct all -- 0.0.0.0/0 0.0.0.0/0
Chain FORWARD_IN_ZONES (1 references)
num target prot opt source destination
1 FWDI_public all -- 0.0.0.0/0 0.0.0.0/0 [goto]
Chain FORWARD_IN_ZONES_SOURCE (1 references)
num target prot opt source destination
Chain FORWARD_OUT_ZONES (1 references)
num target prot opt source destination
1 FWDO_public all -- 0.0.0.0/0 0.0.0.0/0 [goto]
Chain FORWARD_OUT_ZONES_SOURCE (1 references)
num target prot opt source destination
Chain FORWARD_direct (1 references)
num target prot opt source destination
Chain FWDI_public (1 references)
num target prot opt source destination
1 FWDI_public_log all -- 0.0.0.0/0 0.0.0.0/0
2 FWDI_public_deny all -- 0.0.0.0/0 0.0.0.0/0
3 FWDI_public_allow all -- 0.0.0.0/0 0.0.0.0/0
4 ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0
Chain FWDI_public_allow (1 references)
num target prot opt source destination
Chain FWDI_public_deny (1 references)
num target prot opt source destination
Chain FWDI_public_log (1 references)
num target prot opt source destination
Chain FWDO_public (1 references)
num target prot opt source destination
1 FWDO_public_log all -- 0.0.0.0/0 0.0.0.0/0
2 FWDO_public_deny all -- 0.0.0.0/0 0.0.0.0/0
3 FWDO_public_allow all -- 0.0.0.0/0 0.0.0.0/0
Chain FWDO_public_allow (1 references)
num target prot opt source destination
Chain FWDO_public_deny (1 references)
num target prot opt source destination
Chain FWDO_public_log (1 references)
num target prot opt source destination
Chain INPUT_ZONES (1 references)
num target prot opt source destination
1 IN_public all -- 0.0.0.0/0 0.0.0.0/0 [goto]
Chain INPUT_ZONES_SOURCE (1 references)
num target prot opt source destination
Chain INPUT_direct (1 references)
num target prot opt source destination
Chain IN_public (1 references)
num target prot opt source destination
1 IN_public_log all -- 0.0.0.0/0 0.0.0.0/0
2 IN_public_deny all -- 0.0.0.0/0 0.0.0.0/0
3 IN_public_allow all -- 0.0.0.0/0 0.0.0.0/0
4 ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0
Chain IN_public_allow (1 references)
num target prot opt source destination
1 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:22 ctstate NEW,UNTRACKED
Chain IN_public_deny (1 references)
num target prot opt source destination
Chain IN_public_log (1 references)
num target prot opt source destination
Chain OUTPUT_direct (1 references)
num target prot opt source destination
[root@hdp101.yinzhengjie.org.cn ~]# iptables -nL --line-numbers #show rule numbers; these are the positions used with -I, -D, -R and -Z
[root@hdp101.yinzhengjie.org.cn ~]# iptables -nL --line-numbers -v
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
num pkts bytes target prot opt in out source destination
1 30990 4292K ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
2 598 31815 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
3 1 92 INPUT_direct all -- * * 0.0.0.0/0 0.0.0.0/0
4 1 92 INPUT_ZONES_SOURCE all -- * * 0.0.0.0/0 0.0.0.0/0
5 1 92 INPUT_ZONES all -- * * 0.0.0.0/0 0.0.0.0/0
6 0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate INVALID
7 0 0 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
num pkts bytes target prot opt in out source destination
1 0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
2 0 0 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
3 0 0 FORWARD_direct all -- * * 0.0.0.0/0 0.0.0.0/0
4 0 0 FORWARD_IN_ZONES_SOURCE all -- * * 0.0.0.0/0 0.0.0.0/0
5 0 0 FORWARD_IN_ZONES all -- * * 0.0.0.0/0 0.0.0.0/0
6 0 0 FORWARD_OUT_ZONES_SOURCE all -- * * 0.0.0.0/0 0.0.0.0/0
7 0 0 FORWARD_OUT_ZONES all -- * * 0.0.0.0/0 0.0.0.0/0
8 0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate INVALID
9 0 0 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited
Chain OUTPUT (policy ACCEPT 436 packets, 182K bytes)
num pkts bytes target prot opt in out source destination
1 31049 4288K ACCEPT all -- * lo 0.0.0.0/0 0.0.0.0/0
2 436 182K OUTPUT_direct all -- * * 0.0.0.0/0 0.0.0.0/0
Chain FORWARD_IN_ZONES (1 references)
num pkts bytes target prot opt in out source destination
1 0 0 FWDI_public all -- + * 0.0.0.0/0 0.0.0.0/0 [goto]
Chain FORWARD_IN_ZONES_SOURCE (1 references)
num pkts bytes target prot opt in out source destination
Chain FORWARD_OUT_ZONES (1 references)
num pkts bytes target prot opt in out source destination
1 0 0 FWDO_public all -- * + 0.0.0.0/0 0.0.0.0/0 [goto]
Chain FORWARD_OUT_ZONES_SOURCE (1 references)
num pkts bytes target prot opt in out source destination
Chain FORWARD_direct (1 references)
num pkts bytes target prot opt in out source destination
Chain FWDI_public (1 references)
num pkts bytes target prot opt in out source destination
1 0 0 FWDI_public_log all -- * * 0.0.0.0/0 0.0.0.0/0
2 0 0 FWDI_public_deny all -- * * 0.0.0.0/0 0.0.0.0/0
3 0 0 FWDI_public_allow all -- * * 0.0.0.0/0 0.0.0.0/0
4 0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0
Chain FWDI_public_allow (1 references)
num pkts bytes target prot opt in out source destination
Chain FWDI_public_deny (1 references)
num pkts bytes target prot opt in out source destination
Chain FWDI_public_log (1 references)
num pkts bytes target prot opt in out source destination
Chain FWDO_public (1 references)
num pkts bytes target prot opt in out source destination
1 0 0 FWDO_public_log all -- * * 0.0.0.0/0 0.0.0.0/0
2 0 0 FWDO_public_deny all -- * * 0.0.0.0/0 0.0.0.0/0
3 0 0 FWDO_public_allow all -- * * 0.0.0.0/0 0.0.0.0/0
Chain FWDO_public_allow (1 references)
num pkts bytes target prot opt in out source destination
Chain FWDO_public_deny (1 references)
num pkts bytes target prot opt in out source destination
Chain FWDO_public_log (1 references)
num pkts bytes target prot opt in out source destination
Chain INPUT_ZONES (1 references)
num pkts bytes target prot opt in out source destination
1 1 92 IN_public all -- + * 0.0.0.0/0 0.0.0.0/0 [goto]
Chain INPUT_ZONES_SOURCE (1 references)
num pkts bytes target prot opt in out source destination
Chain INPUT_direct (1 references)
num pkts bytes target prot opt in out source destination
Chain IN_public (1 references)
num pkts bytes target prot opt in out source destination
1 1 92 IN_public_log all -- * * 0.0.0.0/0 0.0.0.0/0
2 1 92 IN_public_deny all -- * * 0.0.0.0/0 0.0.0.0/0
3 1 92 IN_public_allow all -- * * 0.0.0.0/0 0.0.0.0/0
4 0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0
Chain IN_public_allow (1 references)
num pkts bytes target prot opt in out source destination
1 1 92 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:22 ctstate NEW,UNTRACKED
Chain IN_public_deny (1 references)
num pkts bytes target prot opt in out source destination
Chain IN_public_log (1 references)
num pkts bytes target prot opt in out source destination
Chain OUTPUT_direct (1 references)
num pkts bytes target prot opt in out source destination
[root@hdp101.yinzhengjie.org.cn ~]# iptables -nL --line-numbers -v #verbose: adds the pkts/bytes counters and the in/out interface columns (INPUT rule 2 is "-i lo"; the IN_public and FWDI_public jumps use "+" as an any-interface wildcard). Counters are the quickest way to tell whether a rule ever matches
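An added example, not from the original post, for reading the counters that -v adds: three small filters over the output of "iptables -nvL --line-numbers" that report the rules which have never matched, the rule that carries the most traffic, and the number of packets refused so far (DROP/REJECT rules plus packets that fell through to a DROP policy, which have no rule line of their own). SAMPLE is constructed from the INPUT listing above, with the REJECT counter changed to 14 packets so that a refused probe appears; the helper also converts the K/M/G abbreviations iptables prints when -x is not given.

```shell
#!/bin/sh
# Added example (not from the original post). The functions read
# "iptables -nvL --line-numbers" output on stdin. SAMPLE is constructed from
# the listing above; its REJECT counter (14 packets) is made up.

SAMPLE='Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1    30990 4292K ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
2      598 31815 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
3        1    92 INPUT_direct  all  --  *      *       0.0.0.0/0            0.0.0.0/0
4        1    92 INPUT_ZONES_SOURCE  all  --  *      *       0.0.0.0/0            0.0.0.0/0
5        1    92 INPUT_ZONES  all  --  *      *       0.0.0.0/0            0.0.0.0/0
6        0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate INVALID
7       14   840 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited

Chain IN_public_allow (1 references)
num   pkts bytes target     prot opt in     out     source               destination
1        1    92 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:22 ctstate NEW,UNTRACKED
'

# awk prologue shared by the three filters: tracks the current chain, sums the
# packets that hit a DROP policy, skips header and blank lines, and converts
# abbreviated counters (iptables uses decimal K/M/G) back to numbers.
AWK_COMMON='
function num(s,  u, n) {
    u = substr(s, length(s), 1); n = substr(s, 1, length(s) - 1)
    if (u == "K") return n * 1000
    if (u == "M") return n * 1000000
    if (u == "G") return n * 1000000000
    return s + 0
}
/^Chain / { chain = $2; if ($4 == "DROP") policy_pkts += num($5); next }
/^num /   { next }
NF == 0   { next }
'

# Rules that have never matched: one "CHAIN NUM TARGET" line each.
never_matched() {
    awk "$AWK_COMMON"'
    num($2) == 0 { print chain, $1, $4 }'
}

# The rule that has matched the most packets: "CHAIN NUM PKTS TARGET".
hottest_rule() {
    awk "$AWK_COMMON"'
    BEGIN { max = -1 }
    { p = num($2); if (p > max) { max = p; best = chain " " $1 " " $2 " " $4 } }
    END { if (best != "") print best }'
}

# Packets refused so far: DROP/REJECT rules plus packets that fell through to a DROP policy.
denied_packets() {
    awk "$AWK_COMMON"'
    $4 == "DROP" || $4 == "REJECT" { denied += num($2) }
    END { print denied + policy_pkts + 0 }'
}

printf '%s' "$SAMPLE" | never_matched
printf '%s' "$SAMPLE" | hottest_rule
printf '%s' "$SAMPLE" | denied_packets
```

On a live host use "iptables -nvxL --line-numbers | never_matched" (the -x makes the conversion unnecessary). A zero counter is not by itself a reason to delete a rule: the "ctstate INVALID" DROP above is at 0 because nothing malformed has arrived yet. A DROP/REJECT total that grows between two runs, or after an "iptables -Z", is the cheapest probe detector a host has.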
[root@hdp101.yinzhengjie.org.cn ~]# iptables -nL --line-numbers -vv
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
num pkts bytes target prot opt in out source destination
1 31442 4349K ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
2 599 31891 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
3 1 92 INPUT_direct all -- * * 0.0.0.0/0 0.0.0.0/0
4 1 92 INPUT_ZONES_SOURCE all -- * * 0.0.0.0/0 0.0.0.0/0
5 1 92 INPUT_ZONES all -- * * 0.0.0.0/0 0.0.0.0/0
6 0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate INVALID
7 0 0 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
num pkts bytes target prot opt in out source destination
1 0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
2 0 0 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
3 0 0 FORWARD_direct all -- * * 0.0.0.0/0 0.0.0.0/0
4 0 0 FORWARD_IN_ZONES_SOURCE all -- * * 0.0.0.0/0 0.0.0.0/0
5 0 0 FORWARD_IN_ZONES all -- * * 0.0.0.0/0 0.0.0.0/0
6 0 0 FORWARD_OUT_ZONES_SOURCE all -- * * 0.0.0.0/0 0.0.0.0/0
7 0 0 FORWARD_OUT_ZONES all -- * * 0.0.0.0/0 0.0.0.0/0
8 0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate INVALID
9 0 0 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited
Chain OUTPUT (policy ACCEPT 449 packets, 190K bytes)
num pkts bytes target prot opt in out source destination
1 31483 4345K ACCEPT all -- * lo 0.0.0.0/0 0.0.0.0/0
2 449 190K OUTPUT_direct all -- * * 0.0.0.0/0 0.0.0.0/0
Chain FORWARD_IN_ZONES (1 references)
num pkts bytes target prot opt in out source destination
1 0 0 FWDI_public all -- + * 0.0.0.0/0 0.0.0.0/0 [goto]
Chain FORWARD_IN_ZONES_SOURCE (1 references)
num pkts bytes target prot opt in out source destination
Chain FORWARD_OUT_ZONES (1 references)
num pkts bytes target prot opt in out source destination
1 0 0 FWDO_public all -- * + 0.0.0.0/0 0.0.0.0/0 [goto]
Chain FORWARD_OUT_ZONES_SOURCE (1 references)
num pkts bytes target prot opt in out source destination
Chain FORWARD_direct (1 references)
num pkts bytes target prot opt in out source destination
Chain FWDI_public (1 references)
num pkts bytes target prot opt in out source destination
1 0 0 FWDI_public_log all -- * * 0.0.0.0/0 0.0.0.0/0
2 0 0 FWDI_public_deny all -- * * 0.0.0.0/0 0.0.0.0/0
3 0 0 FWDI_public_allow all -- * * 0.0.0.0/0 0.0.0.0/0
4 0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0
Chain FWDI_public_allow (1 references)
num pkts bytes target prot opt in out source destination
Chain FWDI_public_deny (1 references)
num pkts bytes target prot opt in out source destination
Chain FWDI_public_log (1 references)
num pkts bytes target prot opt in out source destination
Chain FWDO_public (1 references)
num pkts bytes target prot opt in out source destination
1 0 0 FWDO_public_log all -- * * 0.0.0.0/0 0.0.0.0/0
2 0 0 FWDO_public_deny all -- * * 0.0.0.0/0 0.0.0.0/0
3 0 0 FWDO_public_allow all -- * * 0.0.0.0/0 0.0.0.0/0
Chain FWDO_public_allow (1 references)
num pkts bytes target prot opt in out source destination
Chain FWDO_public_deny (1 references)
num pkts bytes target prot opt in out source destination
Chain FWDO_public_log (1 references)
num pkts bytes target prot opt in out source destination
Chain INPUT_ZONES (1 references)
num pkts bytes target prot opt in out source destination
1 1 92 IN_public all -- + * 0.0.0.0/0 0.0.0.0/0 [goto]
Chain INPUT_ZONES_SOURCE (1 references)
num pkts bytes target prot opt in out source destination
Chain INPUT_direct (1 references)
num pkts bytes target prot opt in out source destination
Chain IN_public (1 references)
num pkts bytes target prot opt in out source destination
1 1 92 IN_public_log all -- * * 0.0.0.0/0 0.0.0.0/0
2 1 92 IN_public_deny all -- * * 0.0.0.0/0 0.0.0.0/0
3 1 92 IN_public_allow all -- * * 0.0.0.0/0 0.0.0.0/0
4 0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0
Chain IN_public_allow (1 references)
num pkts bytes target prot opt in out source destination
1 1 92 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:22 ctstate NEW,UNTRACKED
Chain IN_public_deny (1 references)
num pkts bytes target prot opt in out source destination
Chain IN_public_log (1 references)
num pkts bytes target prot opt in out source destination
Chain OUTPUT_direct (1 references)
num pkts bytes target prot opt in out source destination
libiptc vlibxtables.so.10. 13584 bytes.
Table `filter'
Hooks: pre/in/fwd/out/post = ffffffff/0/650/dd0/ffffffff
Underflows: pre/in/fwd/out/post = ffffffff/5b8/d38/f00/ffffffff
Entry 0 (0):
SRC IP: 0.0.0.0/0.0.0.0
DST IP: 0.0.0.0/0.0.0.0
Interface: `'/................to `'/................
Protocol: 0
Flags: 00
Invflags: 00
Counters: 31442 packets, 4349425 bytes
Cache: 00000000
Match name: `conntrack'
Target name: `' [40]
verdict=NF_ACCEPT
Entry 1 (352):
SRC IP: 0.0.0.0/0.0.0.0
DST IP: 0.0.0.0/0.0.0.0
Interface: `lo'/XXX.............to `'/................
Protocol: 0
Flags: 00
Invflags: 00
Counters: 599 packets, 31891 bytes
Cache: 00000000
Target name: `' [40]
verdict=NF_ACCEPT
Entry 2 (504):
SRC IP: 0.0.0.0/0.0.0.0
DST IP: 0.0.0.0/0.0.0.0
Interface: `'/................to `'/................
Protocol: 0
Flags: 00
Invflags: 00
Counters: 1 packets, 92 bytes
Cache: 00000000
Target name: `' [40]
verdict=10608
Entry 3 (656):
SRC IP: 0.0.0.0/0.0.0.0
DST IP: 0.0.0.0/0.0.0.0
Interface: `'/................to `'/................
Protocol: 0
Flags: 00
Invflags: 00
Counters: 1 packets, 92 bytes
Cache: 00000000
Target name: `' [40]
verdict=10280
Entry 4 (808):
SRC IP: 0.0.0.0/0.0.0.0
DST IP: 0.0.0.0/0.0.0.0
Interface: `'/................to `'/................
Protocol: 0
Flags: 00
Invflags: 00
Counters: 1 packets, 92 bytes
Cache: 00000000
Target name: `' [40]
verdict=9800
Entry 5 (960):
SRC IP: 0.0.0.0/0.0.0.0
DST IP: 0.0.0.0/0.0.0.0
Interface: `'/................to `'/................
Protocol: 0
Flags: 00
Invflags: 00
Counters: 0 packets, 0 bytes
Cache: 00000000
Match name: `conntrack'
Target name: `' [40]
verdict=NF_DROP
Entry 6 (1312):
SRC IP: 0.0.0.0/0.0.0.0
DST IP: 0.0.0.0/0.0.0.0
Interface: `'/................to `'/................
Protocol: 0
Flags: 00
Invflags: 00
Counters: 0 packets, 0 bytes
Cache: 00000000
Target name: `REJECT' [40]
Entry 7 (1464):
SRC IP: 0.0.0.0/0.0.0.0
DST IP: 0.0.0.0/0.0.0.0
Interface: `'/................to `'/................
Protocol: 0
Flags: 00
Invflags: 00
Counters: 0 packets, 0 bytes
Cache: 00000000
Target name: `' [40]
verdict=NF_ACCEPT
Entry 8 (1616):
SRC IP: 0.0.0.0/0.0.0.0
DST IP: 0.0.0.0/0.0.0.0
Interface: `'/................to `'/................
Protocol: 0
Flags: 00
Invflags: 00
Counters: 0 packets, 0 bytes
Cache: 00000000
Match name: `conntrack'
Target name: `' [40]
verdict=NF_ACCEPT
Entry 9 (1968):
SRC IP: 0.0.0.0/0.0.0.0
DST IP: 0.0.0.0/0.0.0.0
Interface: `lo'/XXX.............to `'/................
Protocol: 0
Flags: 00
Invflags: 00
Counters: 0 packets, 0 bytes
Cache: 00000000
Target name: `' [40]
verdict=NF_ACCEPT
Entry 10 (2120):
SRC IP: 0.0.0.0/0.0.0.0
DST IP: 0.0.0.0/0.0.0.0
Interface: `'/................to `'/................
Protocol: 0
Flags: 00
Invflags: 00
Counters: 0 packets, 0 bytes
Cache: 00000000
Target name: `' [40]
verdict=5784
Entry 11 (2272):
SRC IP: 0.0.0.0/0.0.0.0
DST IP: 0.0.0.0/0.0.0.0
Interface: `'/................to `'/................
Protocol: 0
Flags: 00
Invflags: 00
Counters: 0 packets, 0 bytes
Cache: 00000000
Target name: `' [40]
verdict=4648
Entry 12 (2424):
SRC IP: 0.0.0.0/0.0.0.0
DST IP: 0.0.0.0/0.0.0.0
Interface: `'/................to `'/................
Protocol: 0
Flags: 00
Invflags: 00
Counters: 0 packets, 0 bytes
Cache: 00000000
Target name: `' [40]
verdict=4168
Entry 13 (2576):
SRC IP: 0.0.0.0/0.0.0.0
DST IP: 0.0.0.0/0.0.0.0
Interface: `'/................to `'/................
Protocol: 0
Flags: 00
Invflags: 00
Counters: 0 packets, 0 bytes
Cache: 00000000
Target name: `' [40]
verdict=5456
Entry 14 (2728):
SRC IP: 0.0.0.0/0.0.0.0
DST IP: 0.0.0.0/0.0.0.0
Interface: `'/................to `'/................
Protocol: 0
Flags: 00
Invflags: 00
Counters: 0 packets, 0 bytes
Cache: 00000000
Target name: `' [40]
verdict=4976
Entry 15 (2880):
SRC IP: 0.0.0.0/0.0.0.0
DST IP: 0.0.0.0/0.0.0.0
Interface: `'/................to `'/................
Protocol: 0
Flags: 00
Invflags: 00
Counters: 0 packets, 0 bytes
Cache: 00000000
Match name: `conntrack'
Target name: `' [40]
verdict=NF_DROP
Entry 16 (3232):
SRC IP: 0.0.0.0/0.0.0.0
DST IP: 0.0.0.0/0.0.0.0
Interface: `'/................to `'/................
Protocol: 0
Flags: 00
Invflags: 00
Counters: 0 packets, 0 bytes
Cache: 00000000
Target name: `REJECT' [40]
Entry 17 (3384):
SRC IP: 0.0.0.0/0.0.0.0
DST IP: 0.0.0.0/0.0.0.0
Interface: `'/................to `'/................
Protocol: 0
Flags: 00
Invflags: 00
Counters: 0 packets, 0 bytes
Cache: 00000000
Target name: `' [40]
verdict=NF_ACCEPT
Entry 18 (3536):
SRC IP: 0.0.0.0/0.0.0.0
DST IP: 0.0.0.0/0.0.0.0
Interface: `'/................to `lo'/XXX.............
Protocol: 0
Flags: 00
Invflags: 00
Counters: 31483 packets, 4344956 bytes
Cache: 00000000
Target name: `' [40]
verdict=NF_ACCEPT
Entry 19 (3688):
SRC IP: 0.0.0.0/0.0.0.0
DST IP: 0.0.0.0/0.0.0.0
Interface: `'/................to `'/................
Protocol: 0
Flags: 00
Invflags: 00
Counters: 449 packets, 190168 bytes
Cache: 00000000
Target name: `' [40]
verdict=13256
Entry 20 (3840):
SRC IP: 0.0.0.0/0.0.0.0
DST IP: 0.0.0.0/0.0.0.0
Interface: `'/................to `'/................
Protocol: 0
Flags: 00
Invflags: 00
Counters: 449 packets, 190168 bytes
Cache: 00000000
Target name: `' [40]
verdict=NF_ACCEPT
Entry 21 (3992):
SRC IP: 0.0.0.0/0.0.0.0
DST IP: 0.0.0.0/0.0.0.0
Interface: `'/................to `'/................
Protocol: 0
Flags: 00
Invflags: 00
Counters: 0 packets, 0 bytes
Cache: 00000000
Target name: `ERROR' [64]
error=`FORWARD_IN_ZONES'
Entry 22 (4168):
SRC IP: 0.0.0.0/0.0.0.0
DST IP: 0.0.0.0/0.0.0.0
Interface: `+'/................to `'/................
Protocol: 0
Flags: 02
Invflags: 00
Counters: 0 packets, 0 bytes
Cache: 00000000
Target name: `' [40]
verdict=6112
Entry 23 (4320):
SRC IP: 0.0.0.0/0.0.0.0
DST IP: 0.0.0.0/0.0.0.0
Interface: `'/................to `'/................
Protocol: 0
Flags: 00
Invflags: 00
Counters: 0 packets, 0 bytes
Cache: 00000000
Target name: `' [40]
verdict=RETURN
Entry 24 (4472):
SRC IP: 0.0.0.0/0.0.0.0
DST IP: 0.0.0.0/0.0.0.0
Interface: `'/................to `'/................
Protocol: 0
Flags: 00
Invflags: 00
Counters: 0 packets, 0 bytes
Cache: 00000000
Target name: `ERROR' [64]
error=`FORWARD_IN_ZONES_SOURCE'
Entry 25 (4648):
SRC IP: 0.0.0.0/0.0.0.0
DST IP: 0.0.0.0/0.0.0.0
Interface: `'/................to `'/................
Protocol: 0
Flags: 00
Invflags: 00
Counters: 0 packets, 0 bytes
Cache: 00000000
Target name: `' [40]
verdict=RETURN
Entry 26 (4800):
SRC IP: 0.0.0.0/0.0.0.0
DST IP: 0.0.0.0/0.0.0.0
Interface: `'/................to `'/................
Protocol: 0
Flags: 00
Invflags: 00
Counters: 0 packets, 0 bytes
Cache: 00000000
Target name: `ERROR' [64]
error=`FORWARD_OUT_ZONES'
Entry 27 (4976):
SRC IP: 0.0.0.0/0.0.0.0
DST IP: 0.0.0.0/0.0.0.0
Interface: `'/................to `+'/................
Protocol: 0
Flags: 02
Invflags: 00
Counters: 0 packets, 0 bytes
Cache: 00000000
Target name: `' [40]
verdict=8032
Entry 28 (5128):
SRC IP: 0.0.0.0/0.0.0.0
DST IP: 0.0.0.0/0.0.0.0
Interface: `'/................to `'/................
Protocol: 0
Flags: 00
Invflags: 00
Counters: 0 packets, 0 bytes
Cache: 00000000
Target name: `' [40]
verdict=RETURN
Entry 29 (5280):
SRC IP: 0.0.0.0/0.0.0.0
DST IP: 0.0.0.0/0.0.0.0
Interface: `'/................to `'/................
Protocol: 0
Flags: 00
Invflags: 00
Counters: 0 packets, 0 bytes
Cache: 00000000
Target name: `ERROR' [64]
error=`FORWARD_OUT_ZONES_SOURCE'
Entry 30 (5456):
SRC IP: 0.0.0.0/0.0.0.0
DST IP: 0.0.0.0/0.0.0.0
Interface: `'/................to `'/................
Protocol: 0
Flags: 00
Invflags: 00
Counters: 0 packets, 0 bytes
Cache: 00000000
Target name: `' [40]
verdict=RETURN
Entry 31 (5608):
SRC IP: 0.0.0.0/0.0.0.0
DST IP: 0.0.0.0/0.0.0.0
Interface: `'/................to `'/................
Protocol: 0
Flags: 00
Invflags: 00
Counters: 0 packets, 0 bytes
Cache: 00000000
Target name: `ERROR' [64]
error=`FORWARD_direct'
Entry 32 (5784):
SRC IP: 0.0.0.0/0.0.0.0
DST IP: 0.0.0.0/0.0.0.0
Interface: `'/................to `'/................
Protocol: 0
Flags: 00
Invflags: 00
Counters: 0 packets, 0 bytes
Cache: 00000000
Target name: `' [40]
verdict=RETURN
Entry 33 (5936):
SRC IP: 0.0.0.0/0.0.0.0
DST IP: 0.0.0.0/0.0.0.0
Interface: `'/................to `'/................
Protocol: 0
Flags: 00
Invflags: 00
Counters: 0 packets, 0 bytes
Cache: 00000000
Target name: `ERROR' [64]
error=`FWDI_public'
Entry 34 (6112):
SRC IP: 0.0.0.0/0.0.0.0
DST IP: 0.0.0.0/0.0.0.0
Interface: `'/................to `'/................
Protocol: 0
Flags: 00
Invflags: 00
Counters: 0 packets, 0 bytes
Cache: 00000000
Target name: `' [40]
verdict=7704
Entry 35 (6264):
SRC IP: 0.0.0.0/0.0.0.0
DST IP: 0.0.0.0/0.0.0.0
Interface: `'/................to `'/................
Protocol: 0
Flags: 00
Invflags: 00
Counters: 0 packets, 0 bytes
Cache: 00000000
Target name: `' [40]
verdict=7376
Entry 36 (6416):
SRC IP: 0.0.0.0/0.0.0.0
DST IP: 0.0.0.0/0.0.0.0
Interface: `'/................to `'/................
Protocol: 0
Flags: 00
Invflags: 00
Counters: 0 packets, 0 bytes
Cache: 00000000
Target name: `' [40]
verdict=7048
Entry 37 (6568):
SRC IP: 0.0.0.0/0.0.0.0
DST IP: 0.0.0.0/0.0.0.0
Interface: `'/................to `'/................
Protocol: 1
Flags: 00
Invflags: 00
Counters: 0 packets, 0 bytes
Cache: 00000000
Target name: `' [40]
verdict=NF_ACCEPT
Entry 38 (6720):
SRC IP: 0.0.0.0/0.0.0.0
DST IP: 0.0.0.0/0.0.0.0
Interface: `'/................to `'/................
Protocol: 0
Flags: 00
Invflags: 00
Counters: 0 packets, 0 bytes
Cache: 00000000
Target name: `' [40]
verdict=RETURN
Entry 39 (6872):
SRC IP: 0.0.0.0/0.0.0.0
DST IP: 0.0.0.0/0.0.0.0
Interface: `'/................to `'/................
Protocol: 0
Flags: 00
Invflags: 00
Counters: 0 packets, 0 bytes
Cache: 00000000
Target name: `ERROR' [64]
error=`FWDI_public_allow'
Entry 40 (7048):
SRC IP: 0.0.0.0/0.0.0.0
DST IP: 0.0.0.0/0.0.0.0
Interface: `'/................to `'/................
Protocol: 0
Flags: 00
Invflags: 00
Counters: 0 packets, 0 bytes
Cache: 00000000
Target name: `' [40]
verdict=RETURN
Entry 41 (7200):
SRC IP: 0.0.0.0/0.0.0.0
DST IP: 0.0.0.0/0.0.0.0
Interface: `'/................to `'/................
Protocol: 0
Flags: 00
Invflags: 00
Counters: 0 packets, 0 bytes
Cache: 00000000
Target name: `ERROR' [64]
error=`FWDI_public_deny'
Entry 42 (7376):
SRC IP: 0.0.0.0/0.0.0.0
DST IP: 0.0.0.0/0.0.0.0
Interface: `'/................to `'/................
Protocol: 0
Flags: 00
Invflags: 00
Counters: 0 packets, 0 bytes
Cache: 00000000
Target name: `' [40]
verdict=RETURN
Entry 43 (7528):
SRC IP: 0.0.0.0/0.0.0.0
DST IP: 0.0.0.0/0.0.0.0
Interface: `'/................to `'/................
Protocol: 0
Flags: 00
Invflags: 00
Counters: 0 packets, 0 bytes
Cache: 00000000
Target name: `ERROR' [64]
error=`FWDI_public_log'
Entry 44 (7704):
SRC IP: 0.0.0.0/0.0.0.0
DST IP: 0.0.0.0/0.0.0.0
Interface: `'/................to `'/................
Protocol: 0
Flags: 00
Invflags: 00
Counters: 0 packets, 0 bytes
Cache: 00000000
Target name: `' [40]
verdict=RETURN
Entry 45 (7856):
SRC IP: 0.0.0.0/0.0.0.0
DST IP: 0.0.0.0/0.0.0.0
Interface: `'/................to `'/................
Protocol: 0
Flags: 00
Invflags: 00
Counters: 0 packets, 0 bytes
Cache: 00000000
Target name: `ERROR' [64]
error=`FWDO_public'
Entry 46 (8032):
SRC IP: 0.0.0.0/0.0.0.0
DST IP: 0.0.0.0/0.0.0.0
Interface: `'/................to `'/................
Protocol: 0
Flags: 00
Invflags: 00
Counters: 0 packets, 0 bytes
Cache: 00000000
Target name: `' [40]
verdict=9472
Entry 47 (8184):
SRC IP: 0.0.0.0/0.0.0.0
DST IP: 0.0.0.0/0.0.0.0
Interface: `'/................to `'/................
Protocol: 0
Flags: 00
Invflags: 00
Counters: 0 packets, 0 bytes
Cache: 00000000
Target name: `' [40]
verdict=9144
Entry 48 (8336):
SRC IP: 0.0.0.0/0.0.0.0
DST IP: 0.0.0.0/0.0.0.0
Interface: `'/................to `'/................
Protocol: 0
Flags: 00
Invflags: 00
Counters: 0 packets, 0 bytes
Cache: 00000000
Target name: `' [40]
verdict=8816
Entry 49 (8488):
SRC IP: 0.0.0.0/0.0.0.0
DST IP: 0.0.0.0/0.0.0.0
Interface: `'/................to `'/................
Protocol: 0
Flags: 00
Invflags: 00
Counters: 0 packets, 0 bytes
Cache: 00000000
Target name: `' [40]
verdict=RETURN
Entry 50 (8640):
SRC IP: 0.0.0.0/0.0.0.0
DST IP: 0.0.0.0/0.0.0.0
Interface: `'/................to `'/................
Protocol: 0
Flags: 00
Invflags: 00
Counters: 0 packets, 0 bytes
Cache: 00000000
Target name: `ERROR' [64]
error=`FWDO_public_allow'
Entry 51 (8816):
SRC IP: 0.0.0.0/0.0.0.0
DST IP: 0.0.0.0/0.0.0.0
Interface: `'/................to `'/................
Protocol: 0
Flags: 00
Invflags: 00
Counters: 0 packets, 0 bytes
Cache: 00000000
Target name: `' [40]
verdict=RETURN
Entry 52 (8968):
SRC IP: 0.0.0.0/0.0.0.0
DST IP: 0.0.0.0/0.0.0.0
Interface: `'/................to `'/................
Protocol: 0
Flags: 00
Invflags: 00
Counters: 0 packets, 0 bytes
Cache: 00000000
Target name: `ERROR' [64]
error=`FWDO_public_deny'
Entry 53 (9144):
SRC IP: 0.0.0.0/0.0.0.0
DST IP: 0.0.0.0/0.0.0.0
Interface: `'/................to `'/................
Protocol: 0
Flags: 00
Invflags: 00
Counters: 0 packets, 0 bytes
Cache: 00000000
Target name: `' [40]
verdict=RETURN
Entry 54 (9296):
SRC IP: 0.0.0.0/0.0.0.0
DST IP: 0.0.0.0/0.0.0.0
Interface: `'/................to `'/................
Protocol: 0
Flags: 00
Invflags: 00
Counters: 0 packets, 0 bytes
Cache: 00000000
Target name: `ERROR' [64]
error=`FWDO_public_log'
Entry 55 (9472):
SRC IP: 0.0.0.0/0.0.0.0
DST IP: 0.0.0.0/0.0.0.0
Interface: `'/................to `'/................
Protocol: 0
Flags: 00
Invflags: 00
Counters: 0 packets, 0 bytes
Cache: 00000000
Target name: `' [40]
verdict=RETURN
Entry 56 (9624):
SRC IP: 0.0.0.0/0.0.0.0
DST IP: 0.0.0.0/0.0.0.0
Interface: `'/................to `'/................
Protocol: 0
Flags: 00
Invflags: 00
Counters: 0 packets, 0 bytes
Cache: 00000000
Target name: `ERROR' [64]
error=`INPUT_ZONES'
Entry 57 (9800):
SRC IP: 0.0.0.0/0.0.0.0
DST IP: 0.0.0.0/0.0.0.0
Interface: `+'/................to `'/................
Protocol: 0
Flags: 02
Invflags: 00
Counters: 1 packets, 92 bytes
Cache: 00000000
Target name: `' [40]
verdict=10936
Entry 58 (9952):
SRC IP: 0.0.0.0/0.0.0.0
DST IP: 0.0.0.0/0.0.0.0
Interface: `'/................to `'/................
Protocol: 0
Flags: 00
Invflags: 00
Counters: 0 packets, 0 bytes
Cache: 00000000
Target name: `' [40]
verdict=RETURN
Entry 59 (10104):
SRC IP: 0.0.0.0/0.0.0.0
DST IP: 0.0.0.0/0.0.0.0
Interface: `'/................to `'/................
Protocol: 0
Flags: 00
Invflags: 00
Counters: 0 packets, 0 bytes
Cache: 00000000
Target name: `ERROR' [64]
error=`INPUT_ZONES_SOURCE'
Entry 60 (10280):
SRC IP: 0.0.0.0/0.0.0.0
DST IP: 0.0.0.0/0.0.0.0
Interface: `'/................to `'/................
Protocol: 0
Flags: 00
Invflags: 00
Counters: 1 packets, 92 bytes
Cache: 00000000
Target name: `' [40]
verdict=RETURN
Entry 61 (10432):
SRC IP: 0.0.0.0/0.0.0.0
DST IP: 0.0.0.0/0.0.0.0
Interface: `'/................to `'/................
Protocol: 0
Flags: 00
Invflags: 00
Counters: 0 packets, 0 bytes
Cache: 00000000
Target name: `ERROR' [64]
error=`INPUT_direct'
Entry 62 (10608):
SRC IP: 0.0.0.0/0.0.0.0
DST IP: 0.0.0.0/0.0.0.0
Interface: `'/................to `'/................
Protocol: 0
Flags: 00
Invflags: 00
Counters: 1 packets, 92 bytes
Cache: 00000000
Target name: `' [40]
verdict=RETURN
Entry 63 (10760):
SRC IP: 0.0.0.0/0.0.0.0
DST IP: 0.0.0.0/0.0.0.0
Interface: `'/................to `'/................
Protocol: 0
Flags: 00
Invflags: 00
Counters: 0 packets, 0 bytes
Cache: 00000000
Target name: `ERROR' [64]
error=`IN_public'
Entry 64 (10936):
SRC IP: 0.0.0.0/0.0.0.0
DST IP: 0.0.0.0/0.0.0.0
Interface: `'/................to `'/................
Protocol: 0
Flags: 00
Invflags: 00
Counters: 1 packets, 92 bytes
Cache: 00000000
Target name: `' [40]
verdict=12928
Entry 65 (11088):
SRC IP: 0.0.0.0/0.0.0.0
DST IP: 0.0.0.0/0.0.0.0
Interface: `'/................to `'/................
Protocol: 0
Flags: 00
Invflags: 00
Counters: 1 packets, 92 bytes
Cache: 00000000
Target name: `' [40]
verdict=12600
Entry 66 (11240):
SRC IP: 0.0.0.0/0.0.0.0
DST IP: 0.0.0.0/0.0.0.0
Interface: `'/................to `'/................
Protocol: 0
Flags: 00
Invflags: 00
Counters: 1 packets, 92 bytes
Cache: 00000000
Target name: `' [40]
verdict=11872
Entry 67 (11392):
SRC IP: 0.0.0.0/0.0.0.0
DST IP: 0.0.0.0/0.0.0.0
Interface: `'/................to `'/................
Protocol: 1
Flags: 00
Invflags: 00
Counters: 0 packets, 0 bytes
Cache: 00000000
Target name: `' [40]
verdict=NF_ACCEPT
Entry 68 (11544):
SRC IP: 0.0.0.0/0.0.0.0
DST IP: 0.0.0.0/0.0.0.0
Interface: `'/................to `'/................
Protocol: 0
Flags: 00
Invflags: 00
Counters: 0 packets, 0 bytes
Cache: 00000000
Target name: `' [40]
verdict=RETURN
Entry 69 (11696):
SRC IP: 0.0.0.0/0.0.0.0
DST IP: 0.0.0.0/0.0.0.0
Interface: `'/................to `'/................
Protocol: 0
Flags: 00
Invflags: 00
Counters: 0 packets, 0 bytes
Cache: 00000000
Target name: `ERROR' [64]
error=`IN_public_allow'
Entry 70 (11872):
SRC IP: 0.0.0.0/0.0.0.0
DST IP: 0.0.0.0/0.0.0.0
Interface: `'/................to `'/................
Protocol: 6
Flags: 00
Invflags: 00
Counters: 1 packets, 92 bytes
Cache: 00000000
Match name: `tcp'
Match name: `conntrack'
Target name: `' [40]
verdict=NF_ACCEPT
Entry 71 (12272):
SRC IP: 0.0.0.0/0.0.0.0
DST IP: 0.0.0.0/0.0.0.0
Interface: `'/................to `'/................
Protocol: 0
Flags: 00
Invflags: 00
Counters: 0 packets, 0 bytes
Cache: 00000000
Target name: `' [40]
verdict=RETURN
Entry 72 (12424):
SRC IP: 0.0.0.0/0.0.0.0
DST IP: 0.0.0.0/0.0.0.0
Interface: `'/................to `'/................
Protocol: 0
Flags: 00
Invflags: 00
Counters: 0 packets, 0 bytes
Cache: 00000000
Target name: `ERROR' [64]
error=`IN_public_deny'
Entry 73 (12600):
SRC IP: 0.0.0.0/0.0.0.0
DST IP: 0.0.0.0/0.0.0.0
Interface: `'/................to `'/................
Protocol: 0
Flags: 00
Invflags: 00
Counters: 1 packets, 92 bytes
Cache: 00000000
Target name: `' [40]
verdict=RETURN
Entry 74 (12752):
SRC IP: 0.0.0.0/0.0.0.0
DST IP: 0.0.0.0/0.0.0.0
Interface: `'/................to `'/................
Protocol: 0
Flags: 00
Invflags: 00
Counters: 0 packets, 0 bytes
Cache: 00000000
Target name: `ERROR' [64]
error=`IN_public_log'
Entry 75 (12928):
SRC IP: 0.0.0.0/0.0.0.0
DST IP: 0.0.0.0/0.0.0.0
Interface: `'/................to `'/................
Protocol: 0
Flags: 00
Invflags: 00
Counters: 1 packets, 92 bytes
Cache: 00000000
Target name: `' [40]
verdict=RETURN
Entry 76 (13080):
SRC IP: 0.0.0.0/0.0.0.0
DST IP: 0.0.0.0/0.0.0.0
Interface: `'/................to `'/................
Protocol: 0
Flags: 00
Invflags: 00
Counters: 0 packets, 0 bytes
Cache: 00000000
Target name: `ERROR' [64]
error=`OUTPUT_direct'
Entry 77 (13256):
SRC IP: 0.0.0.0/0.0.0.0
DST IP: 0.0.0.0/0.0.0.0
Interface: `'/................to `'/................
Protocol: 0
Flags: 00
Invflags: 00
Counters: 449 packets, 190168 bytes
Cache: 00000000
Target name: `' [40]
verdict=RETURN
Entry 78 (13408):
SRC IP: 0.0.0.0/0.0.0.0
DST IP: 0.0.0.0/0.0.0.0
Interface: `'/................to `'/................
Protocol: 0
Flags: 00
Invflags: 00
Counters: 0 packets, 0 bytes
Cache: 00000000
Target name: `ERROR' [64]
error=`ERROR'
[root@hdp101.yinzhengjie.org.cn ~]#
[root@hdp101.yinzhengjie.org.cn ~]#
[root@hdp101.yinzhengjie.org.cn ~]# iptables -nL --line-numbers -vv #the information shown is more detailed
[root@hdp101.yinzhengjie.org.cn ~]# iptables -vnL --line-numbers
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
num pkts bytes target prot opt in out source destination
1 34735 4806K ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
2 668 35479 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
3 1 92 INPUT_direct all -- * * 0.0.0.0/0 0.0.0.0/0
4 1 92 INPUT_ZONES_SOURCE all -- * * 0.0.0.0/0 0.0.0.0/0
5 1 92 INPUT_ZONES all -- * * 0.0.0.0/0 0.0.0.0/0
6 0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate INVALID
7 0 0 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
num pkts bytes target prot opt in out source destination
1 0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
2 0 0 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
3 0 0 FORWARD_direct all -- * * 0.0.0.0/0 0.0.0.0/0
4 0 0 FORWARD_IN_ZONES_SOURCE all -- * * 0.0.0.0/0 0.0.0.0/0
5 0 0 FORWARD_IN_ZONES all -- * * 0.0.0.0/0 0.0.0.0/0
6 0 0 FORWARD_OUT_ZONES_SOURCE all -- * * 0.0.0.0/0 0.0.0.0/0
7 0 0 FORWARD_OUT_ZONES all -- * * 0.0.0.0/0 0.0.0.0/0
8 0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate INVALID
9 0 0 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited
Chain OUTPUT (policy ACCEPT 687 packets, 324K bytes)
num pkts bytes target prot opt in out source destination
1 34559 4785K ACCEPT all -- * lo 0.0.0.0/0 0.0.0.0/0
2 687 324K OUTPUT_direct all -- * * 0.0.0.0/0 0.0.0.0/0
Chain FORWARD_IN_ZONES (1 references)
num pkts bytes target prot opt in out source destination
1 0 0 FWDI_public all -- + * 0.0.0.0/0 0.0.0.0/0 [goto]
Chain FORWARD_IN_ZONES_SOURCE (1 references)
num pkts bytes target prot opt in out source destination
Chain FORWARD_OUT_ZONES (1 references)
num pkts bytes target prot opt in out source destination
1 0 0 FWDO_public all -- * + 0.0.0.0/0 0.0.0.0/0 [goto]
Chain FORWARD_OUT_ZONES_SOURCE (1 references)
num pkts bytes target prot opt in out source destination
Chain FORWARD_direct (1 references)
num pkts bytes target prot opt in out source destination
Chain FWDI_public (1 references)
num pkts bytes target prot opt in out source destination
1 0 0 FWDI_public_log all -- * * 0.0.0.0/0 0.0.0.0/0
2 0 0 FWDI_public_deny all -- * * 0.0.0.0/0 0.0.0.0/0
3 0 0 FWDI_public_allow all -- * * 0.0.0.0/0 0.0.0.0/0
4 0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0
Chain FWDI_public_allow (1 references)
num pkts bytes target prot opt in out source destination
Chain FWDI_public_deny (1 references)
num pkts bytes target prot opt in out source destination
Chain FWDI_public_log (1 references)
num pkts bytes target prot opt in out source destination
Chain FWDO_public (1 references)
num pkts bytes target prot opt in out source destination
1 0 0 FWDO_public_log all -- * * 0.0.0.0/0 0.0.0.0/0
2 0 0 FWDO_public_deny all -- * * 0.0.0.0/0 0.0.0.0/0
3 0 0 FWDO_public_allow all -- * * 0.0.0.0/0 0.0.0.0/0
Chain FWDO_public_allow (1 references)
num pkts bytes target prot opt in out source destination
Chain FWDO_public_deny (1 references)
num pkts bytes target prot opt in out source destination
Chain FWDO_public_log (1 references)
num pkts bytes target prot opt in out source destination
Chain INPUT_ZONES (1 references)
num pkts bytes target prot opt in out source destination
1 1 92 IN_public all -- + * 0.0.0.0/0 0.0.0.0/0 [goto]
Chain INPUT_ZONES_SOURCE (1 references)
num pkts bytes target prot opt in out source destination
Chain INPUT_direct (1 references)
num pkts bytes target prot opt in out source destination
Chain IN_public (1 references)
num pkts bytes target prot opt in out source destination
1 1 92 IN_public_log all -- * * 0.0.0.0/0 0.0.0.0/0
2 1 92 IN_public_deny all -- * * 0.0.0.0/0 0.0.0.0/0
3 1 92 IN_public_allow all -- * * 0.0.0.0/0 0.0.0.0/0
4 0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0
Chain IN_public_allow (1 references)
num pkts bytes target prot opt in out source destination
1 1 92 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:22 ctstate NEW,UNTRACKED
Chain IN_public_deny (1 references)
num pkts bytes target prot opt in out source destination
Chain IN_public_log (1 references)
num pkts bytes target prot opt in out source destination
Chain OUTPUT_direct (1 references)
num pkts bytes target prot opt in out source destination
[root@hdp101.yinzhengjie.org.cn ~]#
[root@hdp101.yinzhengjie.org.cn ~]#
[root@hdp101.yinzhengjie.org.cn ~]# iptables -vnL --line-numbers #short options can be combined, long options cannot; note that the short options must come before the command (COMMANDS) "L", otherwise an error is reported
[root@hdp101.yinzhengjie.org.cn ~]# iptables -vnL INPUT --line-numbers
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
num pkts bytes target prot opt in out source destination
1 37538 5177K ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
2 711 37739 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
3 1 92 INPUT_direct all -- * * 0.0.0.0/0 0.0.0.0/0
4 1 92 INPUT_ZONES_SOURCE all -- * * 0.0.0.0/0 0.0.0.0/0
5 1 92 INPUT_ZONES all -- * * 0.0.0.0/0 0.0.0.0/0
6 0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate INVALID
7 0 0 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited
[root@hdp101.yinzhengjie.org.cn ~]#
[root@hdp101.yinzhengjie.org.cn ~]#
[root@hdp101.yinzhengjie.org.cn ~]# iptables -vnL INPUT --line-numbers #view only the rules of the INPUT chain
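As an added example (not code from the original post), a Python parser for the `iptables -vnL --line-numbers` listing format shown above, with a few checks worth running over such a listing: which rules have never matched a packet, whether the chain ends in an explicit catch-all DROP/REJECT so that the ACCEPT policy is never reached, and whether any ACCEPT rule is unconditional. The sample text is a constructed copy of the INPUT and IN_public_allow chains above; the function names are my own.

```python
"""Parser and small audit for the `iptables -vnL --line-numbers` listing format shown above."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

@dataclass
class Rule:
    num: int
    pkts: int
    bytes: int
    target: str
    prot: str
    opt: str
    in_if: str
    out_if: str
    source: str
    destination: str
    extra: str  # match extensions / target options, e.g. "ctstate INVALID" or "[goto]"

@dataclass
class Chain:
    name: str
    policy: Optional[str]      # built-in chains print "(policy ACCEPT ...)"
    references: Optional[int]  # user-defined chains print "(N references)" instead
    rules: List[Rule] = field(default_factory=list)

_CHAIN_RE = re.compile(
    r"^Chain (?P<name>\S+) \((?:policy (?P<policy>\S+)(?: \d+ packets, \d+ bytes)?"
    r"|(?P<refs>\d+) references)\)$")
_SUFFIX = {"K": 1_000, "M": 1_000_000, "G": 1_000_000_000}

def parse_count(token: str) -> int:
    """-v abbreviates large counters with a K/M/G suffix (multiples of 1000)."""
    if token[-1] in _SUFFIX:
        return int(token[:-1]) * _SUFFIX[token[-1]]
    return int(token)

def parse_listing(text: str) -> Dict[str, Chain]:
    """Rule lines must carry the 10 fixed -vnL --line-numbers columns, then optional match text."""
    chains: Dict[str, Chain] = {}
    current: Optional[Chain] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = _CHAIN_RE.match(line)
        if m:
            current = Chain(m["name"], m["policy"], int(m["refs"]) if m["refs"] else None)
            chains[current.name] = current
            continue
        if current is None or line.startswith("num"):
            continue  # column header (or text before the first chain)
        f = line.split(None, 10)
        if len(f) < 10:
            continue  # not a rule line in the expected format
        current.rules.append(Rule(int(f[0]), parse_count(f[1]), parse_count(f[2]),
                                  f[3], f[4], f[5], f[6], f[7], f[8], f[9],
                                  f[10] if len(f) > 10 else ""))
    return chains

def never_matched(chain: Chain) -> List[int]:
    """Rule numbers whose packet counter is still zero: worth reviewing, not blind deletion."""
    return [r.num for r in chain.rules if r.pkts == 0]

def ends_with_explicit_deny(chain: Chain) -> bool:
    """True when the last rule is a catch-all DROP/REJECT, so the ACCEPT policy is never reached."""
    if not chain.rules:
        return False
    r = chain.rules[-1]
    catch_all = (r.prot == "all" and r.in_if == "*" and r.out_if == "*"
                 and r.source == "0.0.0.0/0" and r.destination == "0.0.0.0/0")
    no_match = r.extra == "" or r.extra.startswith("reject-with")  # reject-with is a target option
    return r.target in ("DROP", "REJECT") and catch_all and no_match

def broad_accepts(chain: Chain) -> List[Rule]:
    """ACCEPT rules for any source, interface and protocol with no further match (ctstate, dpt, ...)."""
    return [r for r in chain.rules
            if r.target == "ACCEPT" and r.prot == "all" and r.in_if == "*"
            and r.source == "0.0.0.0/0" and r.extra == ""]

# Constructed sample: the INPUT and IN_public_allow chains copied from the listings above.
SAMPLE = """\
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1    37538 5177K ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
2      711 37739 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
3        1    92 INPUT_direct  all  --  *      *       0.0.0.0/0            0.0.0.0/0
4        1    92 INPUT_ZONES_SOURCE  all  --  *      *       0.0.0.0/0            0.0.0.0/0
5        1    92 INPUT_ZONES  all  --  *      *       0.0.0.0/0            0.0.0.0/0
6        0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate INVALID
7        0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited
Chain IN_public_allow (1 references)
num   pkts bytes target     prot opt in     out     source               destination
1        1    92 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:22 ctstate NEW,UNTRACKED
"""

if __name__ == "__main__":  # stand-alone run: one summary line per chain
    for n, c in parse_listing(SAMPLE).items():
        print(n, c.policy, never_matched(c), ends_with_explicit_deny(c), [r.num for r in broad_accepts(c)])
```

Feed it the real listing with `parse_listing(subprocess.check_output(["iptables", "-vnL", "--line-numbers"], text=True))`; chains that are referenced but never receive a packet show up with every rule in `never_matched`.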
2>. Viewing the rules in the mangle table
[root@hdp101.yinzhengjie.org.cn ~]# iptables -t mangle -L
Chain PREROUTING (policy ACCEPT)
target prot opt source destination
PREROUTING_direct all -- anywhere anywhere
PREROUTING_ZONES_SOURCE all -- anywhere anywhere
PREROUTING_ZONES all -- anywhere anywhere
Chain INPUT (policy ACCEPT)
target prot opt source destination
INPUT_direct all -- anywhere anywhere
Chain FORWARD (policy ACCEPT)
target prot opt source destination
FORWARD_direct all -- anywhere anywhere
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
OUTPUT_direct all -- anywhere anywhere
Chain POSTROUTING (policy ACCEPT)
target prot opt source destination
POSTROUTING_direct all -- anywhere anywhere
Chain FORWARD_direct (1 references)
target prot opt source destination
Chain INPUT_direct (1 references)
target prot opt source destination
Chain OUTPUT_direct (1 references)
target prot opt source destination
Chain POSTROUTING_direct (1 references)
target prot opt source destination
Chain PREROUTING_ZONES (1 references)
target prot opt source destination
PRE_public all -- anywhere anywhere [goto]
Chain PREROUTING_ZONES_SOURCE (1 references)
target prot opt source destination
Chain PREROUTING_direct (1 references)
target prot opt source destination
Chain PRE_public (1 references)
target prot opt source destination
PRE_public_log all -- anywhere anywhere
PRE_public_deny all -- anywhere anywhere
PRE_public_allow all -- anywhere anywhere
Chain PRE_public_allow (1 references)
target prot opt source destination
Chain PRE_public_deny (1 references)
target prot opt source destination
Chain PRE_public_log (1 references)
target prot opt source destination
[root@hdp101.yinzhengjie.org.cn ~]#
[root@hdp101.yinzhengjie.org.cn ~]#
[root@hdp101.yinzhengjie.org.cn ~]# iptables -t mangle -L
[root@hdp101.yinzhengjie.org.cn ~]# iptables -t mangle -vnL --line-numbers
Chain PREROUTING (policy ACCEPT 40397 packets, 5497K bytes)
num pkts bytes target prot opt in out source destination
1 40397 5497K PREROUTING_direct all -- * * 0.0.0.0/0 0.0.0.0/0
2 40397 5497K PREROUTING_ZONES_SOURCE all -- * * 0.0.0.0/0 0.0.0.0/0
3 40397 5497K PREROUTING_ZONES all -- * * 0.0.0.0/0 0.0.0.0/0
Chain INPUT (policy ACCEPT 40397 packets, 5497K bytes)
num pkts bytes target prot opt in out source destination
1 40397 5497K INPUT_direct all -- * * 0.0.0.0/0 0.0.0.0/0
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
num pkts bytes target prot opt in out source destination
1 0 0 FORWARD_direct all -- * * 0.0.0.0/0 0.0.0.0/0
Chain OUTPUT (policy ACCEPT 40198 packets, 5779K bytes)
num pkts bytes target prot opt in out source destination
1 40198 5779K OUTPUT_direct all -- * * 0.0.0.0/0 0.0.0.0/0
Chain POSTROUTING (policy ACCEPT 40198 packets, 5779K bytes)
num pkts bytes target prot opt in out source destination
1 40198 5779K POSTROUTING_direct all -- * * 0.0.0.0/0 0.0.0.0/0
Chain FORWARD_direct (1 references)
num pkts bytes target prot opt in out source destination
Chain INPUT_direct (1 references)
num pkts bytes target prot opt in out source destination
Chain OUTPUT_direct (1 references)
num pkts bytes target prot opt in out source destination
Chain POSTROUTING_direct (1 references)
num pkts bytes target prot opt in out source destination
Chain PREROUTING_ZONES (1 references)
num pkts bytes target prot opt in out source destination
1 40397 5497K PRE_public all -- + * 0.0.0.0/0 0.0.0.0/0 [goto]
Chain PREROUTING_ZONES_SOURCE (1 references)
num pkts bytes target prot opt in out source destination
Chain PREROUTING_direct (1 references)
num pkts bytes target prot opt in out source destination
Chain PRE_public (1 references)
num pkts bytes target prot opt in out source destination
1 40397 5497K PRE_public_log all -- * * 0.0.0.0/0 0.0.0.0/0
2 40397 5497K PRE_public_deny all -- * * 0.0.0.0/0 0.0.0.0/0
3 40397 5497K PRE_public_allow all -- * * 0.0.0.0/0 0.0.0.0/0
Chain PRE_public_allow (1 references)
num pkts bytes target prot opt in out source destination
Chain PRE_public_deny (1 references)
num pkts bytes target prot opt in out source destination
Chain PRE_public_log (1 references)
num pkts bytes target prot opt in out source destination
[root@hdp101.yinzhengjie.org.cn ~]#
[root@hdp101.yinzhengjie.org.cn ~]# iptables -t mangle -vnL --line-numbers
[root@hdp101.yinzhengjie.org.cn ~]# iptables -t mangle -vnL PREROUTING --line-numbers
Chain PREROUTING (policy ACCEPT 41276 packets, 5653K bytes)
num pkts bytes target prot opt in out source destination
1 41276 5653K PREROUTING_direct all -- * * 0.0.0.0/0 0.0.0.0/0
2 41276 5653K PREROUTING_ZONES_SOURCE all -- * * 0.0.0.0/0 0.0.0.0/0
3 41276 5653K PREROUTING_ZONES all -- * * 0.0.0.0/0 0.0.0.0/0
[root@hdp101.yinzhengjie.org.cn ~]#
[root@hdp101.yinzhengjie.org.cn ~]#
[root@hdp101.yinzhengjie.org.cn ~]# iptables -t mangle -vnL PREROUTING --line-numbers
3>. Viewing the rules in the nat table
[root@hdp101.yinzhengjie.org.cn ~]# iptables -t nat -L
Chain PREROUTING (policy ACCEPT)
target prot opt source destination
PREROUTING_direct all -- anywhere anywhere
PREROUTING_ZONES_SOURCE all -- anywhere anywhere
PREROUTING_ZONES all -- anywhere anywhere
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
OUTPUT_direct all -- anywhere anywhere
Chain POSTROUTING (policy ACCEPT)
target prot opt source destination
POSTROUTING_direct all -- anywhere anywhere
POSTROUTING_ZONES_SOURCE all -- anywhere anywhere
POSTROUTING_ZONES all -- anywhere anywhere
Chain OUTPUT_direct (1 references)
target prot opt source destination
Chain POSTROUTING_ZONES (1 references)
target prot opt source destination
POST_public all -- anywhere anywhere [goto]
Chain POSTROUTING_ZONES_SOURCE (1 references)
target prot opt source destination
Chain POSTROUTING_direct (1 references)
target prot opt source destination
Chain POST_public (1 references)
target prot opt source destination
POST_public_log all -- anywhere anywhere
POST_public_deny all -- anywhere anywhere
POST_public_allow all -- anywhere anywhere
Chain POST_public_allow (1 references)
target prot opt source destination
Chain POST_public_deny (1 references)
target prot opt source destination
Chain POST_public_log (1 references)
target prot opt source destination
Chain PREROUTING_ZONES (1 references)
target prot opt source destination
PRE_public all -- anywhere anywhere [goto]
Chain PREROUTING_ZONES_SOURCE (1 references)
target prot opt source destination
Chain PREROUTING_direct (1 references)
target prot opt source destination
Chain PRE_public (1 references)
target prot opt source destination
PRE_public_log all -- anywhere anywhere
PRE_public_deny all -- anywhere anywhere
PRE_public_allow all -- anywhere anywhere
Chain PRE_public_allow (1 references)
target prot opt source destination
Chain PRE_public_deny (1 references)
target prot opt source destination
Chain PRE_public_log (1 references)
target prot opt source destination
[root@hdp101.yinzhengjie.org.cn ~]#
[root@hdp101.yinzhengjie.org.cn ~]#
[root@hdp101.yinzhengjie.org.cn ~]# iptables -t nat -vnL --line-numbers
Chain PREROUTING (policy ACCEPT 1 packets, 92 bytes)
num pkts bytes target prot opt in out source destination
1 1 92 PREROUTING_direct all -- * * 0.0.0.0/0 0.0.0.0/0
2 1 92 PREROUTING_ZONES_SOURCE all -- * * 0.0.0.0/0 0.0.0.0/0
3 1 92 PREROUTING_ZONES all -- * * 0.0.0.0/0 0.0.0.0/0
Chain INPUT (policy ACCEPT 1 packets, 92 bytes)
num pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 834 packets, 44111 bytes)
num pkts bytes target prot opt in out source destination
1 834 44111 OUTPUT_direct all -- * * 0.0.0.0/0 0.0.0.0/0
Chain POSTROUTING (policy ACCEPT 834 packets, 44111 bytes)
num pkts bytes target prot opt in out source destination
1 834 44111 POSTROUTING_direct all -- * * 0.0.0.0/0 0.0.0.0/0
2 834 44111 POSTROUTING_ZONES_SOURCE all -- * * 0.0.0.0/0 0.0.0.0/0
3 834 44111 POSTROUTING_ZONES all -- * * 0.0.0.0/0 0.0.0.0/0
Chain OUTPUT_direct (1 references)
num pkts bytes target prot opt in out source destination
Chain POSTROUTING_ZONES (1 references)
num pkts bytes target prot opt in out source destination
1 834 44111 POST_public all -- * + 0.0.0.0/0 0.0.0.0/0 [goto]
Chain POSTROUTING_ZONES_SOURCE (1 references)
num pkts bytes target prot opt in out source destination
Chain POSTROUTING_direct (1 references)
num pkts bytes target prot opt in out source destination
Chain POST_public (1 references)
num pkts bytes target prot opt in out source destination
1 834 44111 POST_public_log all -- * * 0.0.0.0/0 0.0.0.0/0
2 834 44111 POST_public_deny all -- * * 0.0.0.0/0 0.0.0.0/0
3 834 44111 POST_public_allow all -- * * 0.0.0.0/0 0.0.0.0/0
Chain POST_public_allow (1 references)
num pkts bytes target prot opt in out source destination
Chain POST_public_deny (1 references)
num pkts bytes target prot opt in out source destination
Chain POST_public_log (1 references)
num pkts bytes target prot opt in out source destination
Chain PREROUTING_ZONES (1 references)
num pkts bytes target prot opt in out source destination
1 1 92 PRE_public all -- + * 0.0.0.0/0 0.0.0.0/0 [goto]
Chain PREROUTING_ZONES_SOURCE (1 references)
num pkts bytes target prot opt in out source destination
Chain PREROUTING_direct (1 references)
num pkts bytes target prot opt in out source destination
Chain PRE_public (1 references)
num pkts bytes target prot opt in out source destination
1 1 92 PRE_public_log all -- * * 0.0.0.0/0 0.0.0.0/0
2 1 92 PRE_public_deny all -- * * 0.0.0.0/0 0.0.0.0/0
3 1 92 PRE_public_allow all -- * * 0.0.0.0/0 0.0.0.0/0
Chain PRE_public_allow (1 references)
num pkts bytes target prot opt in out source destination
Chain PRE_public_deny (1 references)
num pkts bytes target prot opt in out source destination
Chain PRE_public_log (1 references)
num pkts bytes target prot opt in out source destination
[root@hdp101.yinzhengjie.org.cn ~]#
[root@hdp101.yinzhengjie.org.cn ~]#
[root@hdp101.yinzhengjie.org.cn ~]# iptables -t nat -vnL PREROUTING --line-numbers
Chain PREROUTING (policy ACCEPT 1 packets, 92 bytes)
num pkts bytes target prot opt in out source destination
1 1 92 PREROUTING_direct all -- * * 0.0.0.0/0 0.0.0.0/0
2 1 92 PREROUTING_ZONES_SOURCE all -- * * 0.0.0.0/0 0.0.0.0/0
3 1 92 PREROUTING_ZONES all -- * * 0.0.0.0/0 0.0.0.0/0
[root@hdp101.yinzhengjie.org.cn ~]#
[root@hdp101.yinzhengjie.org.cn ~]#
4>. View the rules in the raw table
[root@hdp101.yinzhengjie.org.cn ~]# iptables -t raw -L
Chain PREROUTING (policy ACCEPT)
target prot opt source destination
PREROUTING_direct all -- anywhere anywhere
PREROUTING_ZONES_SOURCE all -- anywhere anywhere
PREROUTING_ZONES all -- anywhere anywhere
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
OUTPUT_direct all -- anywhere anywhere
Chain OUTPUT_direct (1 references)
target prot opt source destination
Chain PREROUTING_ZONES (1 references)
target prot opt source destination
PRE_public all -- anywhere anywhere [goto]
Chain PREROUTING_ZONES_SOURCE (1 references)
target prot opt source destination
Chain PREROUTING_direct (1 references)
target prot opt source destination
Chain PRE_public (1 references)
target prot opt source destination
PRE_public_log all -- anywhere anywhere
PRE_public_deny all -- anywhere anywhere
PRE_public_allow all -- anywhere anywhere
Chain PRE_public_allow (1 references)
target prot opt source destination
Chain PRE_public_deny (1 references)
target prot opt source destination
Chain PRE_public_log (1 references)
target prot opt source destination
[root@hdp101.yinzhengjie.org.cn ~]#
[root@hdp101.yinzhengjie.org.cn ~]#
[root@hdp101.yinzhengjie.org.cn ~]# iptables -t raw -vnL --line-numbers
Chain PREROUTING (policy ACCEPT 43083 packets, 5881K bytes)
num pkts bytes target prot opt in out source destination
1 43083 5881K PREROUTING_direct all -- * * 0.0.0.0/0 0.0.0.0/0
2 43083 5881K PREROUTING_ZONES_SOURCE all -- * * 0.0.0.0/0 0.0.0.0/0
3 43083 5881K PREROUTING_ZONES all -- * * 0.0.0.0/0 0.0.0.0/0
Chain OUTPUT (policy ACCEPT 42826 packets, 6174K bytes)
num pkts bytes target prot opt in out source destination
1 42826 6174K OUTPUT_direct all -- * * 0.0.0.0/0 0.0.0.0/0
Chain OUTPUT_direct (1 references)
num pkts bytes target prot opt in out source destination
Chain PREROUTING_ZONES (1 references)
num pkts bytes target prot opt in out source destination
1 43083 5881K PRE_public all -- + * 0.0.0.0/0 0.0.0.0/0 [goto]
Chain PREROUTING_ZONES_SOURCE (1 references)
num pkts bytes target prot opt in out source destination
Chain PREROUTING_direct (1 references)
num pkts bytes target prot opt in out source destination
Chain PRE_public (1 references)
num pkts bytes target prot opt in out source destination
1 43083 5881K PRE_public_log all -- * * 0.0.0.0/0 0.0.0.0/0
2 43083 5881K PRE_public_deny all -- * * 0.0.0.0/0 0.0.0.0/0
3 43083 5881K PRE_public_allow all -- * * 0.0.0.0/0 0.0.0.0/0
Chain PRE_public_allow (1 references)
num pkts bytes target prot opt in out source destination
Chain PRE_public_deny (1 references)
num pkts bytes target prot opt in out source destination
Chain PRE_public_log (1 references)
num pkts bytes target prot opt in out source destination
[root@hdp101.yinzhengjie.org.cn ~]#
[root@hdp101.yinzhengjie.org.cn ~]#
[root@hdp101.yinzhengjie.org.cn ~]# iptables -t raw -vnL PREROUTING --line-numbers
Chain PREROUTING (policy ACCEPT 43471 packets, 5932K bytes)
num pkts bytes target prot opt in out source destination
1 43471 5932K PREROUTING_direct all -- * * 0.0.0.0/0 0.0.0.0/0
2 43471 5932K PREROUTING_ZONES_SOURCE all -- * * 0.0.0.0/0 0.0.0.0/0
3 43471 5932K PREROUTING_ZONES all -- * * 0.0.0.0/0 0.0.0.0/0
[root@hdp101.yinzhengjie.org.cn ~]#
5>. View the rules in the security table
[root@hdp101.yinzhengjie.org.cn ~]# iptables -t security -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
INPUT_direct all -- anywhere anywhere
Chain FORWARD (policy ACCEPT)
target prot opt source destination
FORWARD_direct all -- anywhere anywhere
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
OUTPUT_direct all -- anywhere anywhere
Chain FORWARD_direct (1 references)
target prot opt source destination
Chain INPUT_direct (1 references)
target prot opt source destination
Chain OUTPUT_direct (1 references)
target prot opt source destination
[root@hdp101.yinzhengjie.org.cn ~]#
[root@hdp101.yinzhengjie.org.cn ~]#
[root@hdp101.yinzhengjie.org.cn ~]# iptables -t security -vnL --line-numbers
Chain INPUT (policy ACCEPT 44201 packets, 6030K bytes)
num pkts bytes target prot opt in out source destination
1 44201 6030K INPUT_direct all -- * * 0.0.0.0/0 0.0.0.0/0
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
num pkts bytes target prot opt in out source destination
1 0 0 FORWARD_direct all -- * * 0.0.0.0/0 0.0.0.0/0
Chain OUTPUT (policy ACCEPT 43906 packets, 6326K bytes)
num pkts bytes target prot opt in out source destination
1 43906 6326K OUTPUT_direct all -- * * 0.0.0.0/0 0.0.0.0/0
Chain FORWARD_direct (1 references)
num pkts bytes target prot opt in out source destination
Chain INPUT_direct (1 references)
num pkts bytes target prot opt in out source destination
Chain OUTPUT_direct (1 references)
num pkts bytes target prot opt in out source destination
[root@hdp101.yinzhengjie.org.cn ~]#
[root@hdp101.yinzhengjie.org.cn ~]#
[root@hdp101.yinzhengjie.org.cn ~]# iptables -t security -vnL FORWARD --line-numbers
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
num pkts bytes target prot opt in out source destination
1 0 0 FORWARD_direct all -- * * 0.0.0.0/0 0.0.0.0/0
[root@hdp101.yinzhengjie.org.cn ~]#
[root@hdp101.yinzhengjie.org.cn ~]#
3. Chain management operations with iptables
1>. Create a custom chain
[root@hdp101.yinzhengjie.org.cn ~]#
[root@hdp101.yinzhengjie.org.cn ~]# systemctl stop firewalld
[root@hdp101.yinzhengjie.org.cn ~]#
[root@hdp101.yinzhengjie.org.cn ~]# iptables -vnL --line-numbers
Chain INPUT (policy ACCEPT 3493 packets, 475K bytes)
num pkts bytes target prot opt in out source destination
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
num pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 3466 packets, 475K bytes)
num pkts bytes target prot opt in out source destination
[root@hdp101.yinzhengjie.org.cn ~]#
[root@hdp101.yinzhengjie.org.cn ~]#
[root@hdp101.yinzhengjie.org.cn ~]# iptables -N in_myweb_rules
[root@hdp101.yinzhengjie.org.cn ~]#
[root@hdp101.yinzhengjie.org.cn ~]# iptables -vnL --line-numbers
Chain INPUT (policy ACCEPT 35 packets, 4480 bytes)
num pkts bytes target prot opt in out source destination
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
num pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 32 packets, 4620 bytes)
num pkts bytes target prot opt in out source destination
Chain in_myweb_rules (0 references)
num pkts bytes target prot opt in out source destination
[root@hdp101.yinzhengjie.org.cn ~]#
[root@hdp101.yinzhengjie.org.cn ~]#
2>. Delete a custom chain (only user-defined chains can be deleted, and two further conditions must hold: the chain's reference count is 0 and the chain contains no rules. Built-in chains cannot be deleted)
[root@hdp101.yinzhengjie.org.cn ~]# iptables -vnL --line-numbers
Chain INPUT (policy ACCEPT 71 packets, 8948 bytes)
num pkts bytes target prot opt in out source destination
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
num pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 66 packets, 9864 bytes)
num pkts bytes target prot opt in out source destination
Chain in_myweb_rules (0 references)
num pkts bytes target prot opt in out source destination
[root@hdp101.yinzhengjie.org.cn ~]#
[root@hdp101.yinzhengjie.org.cn ~]# iptables -X in_myweb_rules
[root@hdp101.yinzhengjie.org.cn ~]#
[root@hdp101.yinzhengjie.org.cn ~]# iptables -vnL --line-numbers
Chain INPUT (policy ACCEPT 36 packets, 4520 bytes)
num pkts bytes target prot opt in out source destination
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
num pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 33 packets, 4660 bytes)
num pkts bytes target prot opt in out source destination
[root@hdp101.yinzhengjie.org.cn ~]#
[root@hdp101.yinzhengjie.org.cn ~]#
3>. Set the default policy
[root@hdp101.yinzhengjie.org.cn ~]# iptables -vnL --line-numbers
Chain INPUT (policy ACCEPT 10434 packets, 1479K bytes)
num pkts bytes target prot opt in out source destination
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
num pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 10449 packets, 1480K bytes)
num pkts bytes target prot opt in out source destination
[root@hdp101.yinzhengjie.org.cn ~]#
[root@hdp101.yinzhengjie.org.cn ~]# iptables -P FORWARD DROP
[root@hdp101.yinzhengjie.org.cn ~]#
[root@hdp101.yinzhengjie.org.cn ~]# iptables -vnL --line-numbers
Chain INPUT (policy ACCEPT 24 packets, 2604 bytes)
num pkts bytes target prot opt in out source destination
Chain FORWARD (policy DROP 0 packets, 0 bytes)
num pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 21 packets, 2744 bytes)
num pkts bytes target prot opt in out source destination
[root@hdp101.yinzhengjie.org.cn ~]#
[root@hdp101.yinzhengjie.org.cn ~]#
[root@hdp101.yinzhengjie.org.cn ~]# iptables -P FORWARD DROP # set the default policy of the FORWARD chain in the filter table to DROP
4>. Rename a custom chain
[root@hdp101.yinzhengjie.org.cn ~]# iptables -vnL --line-numbers
Chain INPUT (policy ACCEPT 108 packets, 11956 bytes)
num pkts bytes target prot opt in out source destination
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
num pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 102 packets, 12688 bytes)
num pkts bytes target prot opt in out source destination
[root@hdp101.yinzhengjie.org.cn ~]#
[root@hdp101.yinzhengjie.org.cn ~]# iptables -N in_myweb
[root@hdp101.yinzhengjie.org.cn ~]#
[root@hdp101.yinzhengjie.org.cn ~]# iptables -vnL --line-numbers
Chain INPUT (policy ACCEPT 40 packets, 4680 bytes)
num pkts bytes target prot opt in out source destination
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
num pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 37 packets, 4820 bytes)
num pkts bytes target prot opt in out source destination
Chain in_myweb (0 references)
num pkts bytes target prot opt in out source destination
[root@hdp101.yinzhengjie.org.cn ~]#
[root@hdp101.yinzhengjie.org.cn ~]#
[root@hdp101.yinzhengjie.org.cn ~]# iptables -E in_myweb in_myweb_rules
[root@hdp101.yinzhengjie.org.cn ~]#
[root@hdp101.yinzhengjie.org.cn ~]# iptables -vnL --line-numbers
Chain INPUT (policy ACCEPT 40 packets, 4978 bytes)
num pkts bytes target prot opt in out source destination
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
num pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 38 packets, 5202 bytes)
num pkts bytes target prot opt in out source destination
Chain in_myweb_rules (0 references)
num pkts bytes target prot opt in out source destination
[root@hdp101.yinzhengjie.org.cn ~]#
[root@hdp101.yinzhengjie.org.cn ~]#
4. Rule management operations on chains with iptables
1>. Zero the rule counters
[root@hdp101.yinzhengjie.org.cn ~]# iptables -vnL --line-numbers
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
num pkts bytes target prot opt in out source destination
1 64 7232 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
2 0 0 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
3 0 0 INPUT_direct all -- * * 0.0.0.0/0 0.0.0.0/0
4 0 0 INPUT_ZONES_SOURCE all -- * * 0.0.0.0/0 0.0.0.0/0
5 0 0 INPUT_ZONES all -- * * 0.0.0.0/0 0.0.0.0/0
6 0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate INVALID
7 0 0 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
num pkts bytes target prot opt in out source destination
1 0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
2 0 0 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
3 0 0 FORWARD_direct all -- * * 0.0.0.0/0 0.0.0.0/0
4 0 0 FORWARD_IN_ZONES_SOURCE all -- * * 0.0.0.0/0 0.0.0.0/0
5 0 0 FORWARD_IN_ZONES all -- * * 0.0.0.0/0 0.0.0.0/0
6 0 0 FORWARD_OUT_ZONES_SOURCE all -- * * 0.0.0.0/0 0.0.0.0/0
7 0 0 FORWARD_OUT_ZONES all -- * * 0.0.0.0/0 0.0.0.0/0
8 0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate INVALID
9 0 0 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited
Chain OUTPUT (policy ACCEPT 11 packets, 8048 bytes)
num pkts bytes target prot opt in out source destination
1 48 6228 ACCEPT all -- * lo 0.0.0.0/0 0.0.0.0/0
2 11 8048 OUTPUT_direct all -- * * 0.0.0.0/0 0.0.0.0/0
Chain FORWARD_IN_ZONES (1 references)
num pkts bytes target prot opt in out source destination
1 0 0 FWDI_public all -- + * 0.0.0.0/0 0.0.0.0/0 [goto]
Chain FORWARD_IN_ZONES_SOURCE (1 references)
num pkts bytes target prot opt in out source destination
Chain FORWARD_OUT_ZONES (1 references)
num pkts bytes target prot opt in out source destination
1 0 0 FWDO_public all -- * + 0.0.0.0/0 0.0.0.0/0 [goto]
Chain FORWARD_OUT_ZONES_SOURCE (1 references)
num pkts bytes target prot opt in out source destination
Chain FORWARD_direct (1 references)
num pkts bytes target prot opt in out source destination
Chain FWDI_public (1 references)
num pkts bytes target prot opt in out source destination
1 0 0 FWDI_public_log all -- * * 0.0.0.0/0 0.0.0.0/0
2 0 0 FWDI_public_deny all -- * * 0.0.0.0/0 0.0.0.0/0
3 0 0 FWDI_public_allow all -- * * 0.0.0.0/0 0.0.0.0/0
4 0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0
Chain FWDI_public_allow (1 references)
num pkts bytes target prot opt in out source destination
Chain FWDI_public_deny (1 references)
num pkts bytes target prot opt in out source destination
Chain FWDI_public_log (1 references)
num pkts bytes target prot opt in out source destination
Chain FWDO_public (1 references)
num pkts bytes target prot opt in out source destination
1 0 0 FWDO_public_log all -- * * 0.0.0.0/0 0.0.0.0/0
2 0 0 FWDO_public_deny all -- * * 0.0.0.0/0 0.0.0.0/0
3 0 0 FWDO_public_allow all -- * * 0.0.0.0/0 0.0.0.0/0
Chain FWDO_public_allow (1 references)
num pkts bytes target prot opt in out source destination
Chain FWDO_public_deny (1 references)
num pkts bytes target prot opt in out source destination
Chain FWDO_public_log (1 references)
num pkts bytes target prot opt in out source destination
Chain INPUT_ZONES (1 references)
num pkts bytes target prot opt in out source destination
1 0 0 IN_public all -- + * 0.0.0.0/0 0.0.0.0/0 [goto]
Chain INPUT_ZONES_SOURCE (1 references)
num pkts bytes target prot opt in out source destination
Chain INPUT_direct (1 references)
num pkts bytes target prot opt in out source destination
Chain IN_public (1 references)
num pkts bytes target prot opt in out source destination
1 0 0 IN_public_log all -- * * 0.0.0.0/0 0.0.0.0/0
2 0 0 IN_public_deny all -- * * 0.0.0.0/0 0.0.0.0/0
3 0 0 IN_public_allow all -- * * 0.0.0.0/0 0.0.0.0/0
4 0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0
Chain IN_public_allow (1 references)
num pkts bytes target prot opt in out source destination
1 0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:22 ctstate NEW,UNTRACKED
Chain IN_public_deny (1 references)
num pkts bytes target prot opt in out source destination
Chain IN_public_log (1 references)
num pkts bytes target prot opt in out source destination
Chain OUTPUT_direct (1 references)
num pkts bytes target prot opt in out source destination
[root@hdp101.yinzhengjie.org.cn ~]#
[root@hdp101.yinzhengjie.org.cn ~]# iptables -Z
[root@hdp101.yinzhengjie.org.cn ~]#
[root@hdp101.yinzhengjie.org.cn ~]# iptables -vnL --line-numbers
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
num pkts bytes target prot opt in out source destination
1 41 4772 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
2 0 0 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
3 0 0 INPUT_direct all -- * * 0.0.0.0/0 0.0.0.0/0
4 0 0 INPUT_ZONES_SOURCE all -- * * 0.0.0.0/0 0.0.0.0/0
5 0 0 INPUT_ZONES all -- * * 0.0.0.0/0 0.0.0.0/0
6 0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate INVALID
7 0 0 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
num pkts bytes target prot opt in out source destination
1 0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
2 0 0 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
3 0 0 FORWARD_direct all -- * * 0.0.0.0/0 0.0.0.0/0
4 0 0 FORWARD_IN_ZONES_SOURCE all -- * * 0.0.0.0/0 0.0.0.0/0
5 0 0 FORWARD_IN_ZONES all -- * * 0.0.0.0/0 0.0.0.0/0
6 0 0 FORWARD_OUT_ZONES_SOURCE all -- * * 0.0.0.0/0 0.0.0.0/0
7 0 0 FORWARD_OUT_ZONES all -- * * 0.0.0.0/0 0.0.0.0/0
8 0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate INVALID
9 0 0 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited
Chain OUTPUT (policy ACCEPT 6 packets, 728 bytes)
num pkts bytes target prot opt in out source destination
1 32 4152 ACCEPT all -- * lo 0.0.0.0/0 0.0.0.0/0
2 6 728 OUTPUT_direct all -- * * 0.0.0.0/0 0.0.0.0/0
Chain FORWARD_IN_ZONES (1 references)
num pkts bytes target prot opt in out source destination
1 0 0 FWDI_public all -- + * 0.0.0.0/0 0.0.0.0/0 [goto]
Chain FORWARD_IN_ZONES_SOURCE (1 references)
num pkts bytes target prot opt in out source destination
Chain FORWARD_OUT_ZONES (1 references)
num pkts bytes target prot opt in out source destination
1 0 0 FWDO_public all -- * + 0.0.0.0/0 0.0.0.0/0 [goto]
Chain FORWARD_OUT_ZONES_SOURCE (1 references)
num pkts bytes target prot opt in out source destination
Chain FORWARD_direct (1 references)
num pkts bytes target prot opt in out source destination
Chain FWDI_public (1 references)
num pkts bytes target prot opt in out source destination
1 0 0 FWDI_public_log all -- * * 0.0.0.0/0 0.0.0.0/0
2 0 0 FWDI_public_deny all -- * * 0.0.0.0/0 0.0.0.0/0
3 0 0 FWDI_public_allow all -- * * 0.0.0.0/0 0.0.0.0/0
4 0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0
Chain FWDI_public_allow (1 references)
num pkts bytes target prot opt in out source destination
Chain FWDI_public_deny (1 references)
num pkts bytes target prot opt in out source destination
Chain FWDI_public_log (1 references)
num pkts bytes target prot opt in out source destination
Chain FWDO_public (1 references)
num pkts bytes target prot opt in out source destination
1 0 0 FWDO_public_log all -- * * 0.0.0.0/0 0.0.0.0/0
2 0 0 FWDO_public_deny all -- * * 0.0.0.0/0 0.0.0.0/0
3 0 0 FWDO_public_allow all -- * * 0.0.0.0/0 0.0.0.0/0
Chain FWDO_public_allow (1 references)
num pkts bytes target prot opt in out source destination
Chain FWDO_public_deny (1 references)
num pkts bytes target prot opt in out source destination
Chain FWDO_public_log (1 references)
num pkts bytes target prot opt in out source destination
Chain INPUT_ZONES (1 references)
num pkts bytes target prot opt in out source destination
1 0 0 IN_public all -- + * 0.0.0.0/0 0.0.0.0/0 [goto]
Chain INPUT_ZONES_SOURCE (1 references)
num pkts bytes target prot opt in out source destination
Chain INPUT_direct (1 references)
num pkts bytes target prot opt in out source destination
Chain IN_public (1 references)
num pkts bytes target prot opt in out source destination
1 0 0 IN_public_log all -- * * 0.0.0.0/0 0.0.0.0/0
2 0 0 IN_public_deny all -- * * 0.0.0.0/0 0.0.0.0/0
3 0 0 IN_public_allow all -- * * 0.0.0.0/0 0.0.0.0/0
4 0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0
Chain IN_public_allow (1 references)
num pkts bytes target prot opt in out source destination
1 0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:22 ctstate NEW,UNTRACKED
Chain IN_public_deny (1 references)
num pkts bytes target prot opt in out source destination
Chain IN_public_log (1 references)
num pkts bytes target prot opt in out source destination
Chain OUTPUT_direct (1 references)
num pkts bytes target prot opt in out source destination
[root@hdp101.yinzhengjie.org.cn ~]#
[root@hdp101.yinzhengjie.org.cn ~]#
[root@hdp101.yinzhengjie.org.cn ~]# iptables -Z # zero the counters of every rule in every chain of the filter table
[root@hdp101.yinzhengjie.org.cn ~]# iptables -vnL INPUT --line-numbers
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
num pkts bytes target prot opt in out source destination
1 3957 565K ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
2 70 3664 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
3 0 0 INPUT_direct all -- * * 0.0.0.0/0 0.0.0.0/0
4 0 0 INPUT_ZONES_SOURCE all -- * * 0.0.0.0/0 0.0.0.0/0
5 0 0 INPUT_ZONES all -- * * 0.0.0.0/0 0.0.0.0/0
6 0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate INVALID
7 0 0 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited
[root@hdp101.yinzhengjie.org.cn ~]#
[root@hdp101.yinzhengjie.org.cn ~]#
[root@hdp101.yinzhengjie.org.cn ~]# iptables -Z INPUT
[root@hdp101.yinzhengjie.org.cn ~]#
[root@hdp101.yinzhengjie.org.cn ~]# iptables -vnL INPUT --line-numbers
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
num pkts bytes target prot opt in out source destination
1 52 6894 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
2 0 0 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
3 0 0 INPUT_direct all -- * * 0.0.0.0/0 0.0.0.0/0
4 0 0 INPUT_ZONES_SOURCE all -- * * 0.0.0.0/0 0.0.0.0/0
5 0 0 INPUT_ZONES all -- * * 0.0.0.0/0 0.0.0.0/0
6 0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate INVALID
7 0 0 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited
[root@hdp101.yinzhengjie.org.cn ~]#
[root@hdp101.yinzhengjie.org.cn ~]#
[root@hdp101.yinzhengjie.org.cn ~]# iptables -Z INPUT # zero only the counters of the rules in the INPUT chain of the filter table
[root@hdp101.yinzhengjie.org.cn ~]#
[root@hdp101.yinzhengjie.org.cn ~]# iptables -vnL INPUT --line-numbers
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
num pkts bytes target prot opt in out source destination
1 1457 210K ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
2 24 1248 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
3 0 0 INPUT_direct all -- * * 0.0.0.0/0 0.0.0.0/0
4 0 0 INPUT_ZONES_SOURCE all -- * * 0.0.0.0/0 0.0.0.0/0
5 0 0 INPUT_ZONES all -- * * 0.0.0.0/0 0.0.0.0/0
6 0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate INVALID
7 0 0 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited
[root@hdp101.yinzhengjie.org.cn ~]#
[root@hdp101.yinzhengjie.org.cn ~]# iptables -Z INPUT 2
[root@hdp101.yinzhengjie.org.cn ~]#
[root@hdp101.yinzhengjie.org.cn ~]# iptables -vnL INPUT --line-numbers
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
num pkts bytes target prot opt in out source destination
1 1606 230K ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
2 0 0 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
3 0 0 INPUT_direct all -- * * 0.0.0.0/0 0.0.0.0/0
4 0 0 INPUT_ZONES_SOURCE all -- * * 0.0.0.0/0 0.0.0.0/0
5 0 0 INPUT_ZONES all -- * * 0.0.0.0/0 0.0.0.0/0
6 0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate INVALID
7 0 0 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited
[root@hdp101.yinzhengjie.org.cn ~]#
[root@hdp101.yinzhengjie.org.cn ~]#
[root@hdp101.yinzhengjie.org.cn ~]# iptables -Z INPUT 2 # zero only the counters of rule 2 in the INPUT chain of the filter table
2>. Flush rules
[root@hdp101.yinzhengjie.org.cn ~]# iptables -vnL --line-numbers
Chain INPUT (policy ACCEPT 2227 packets, 282K bytes)
num pkts bytes target prot opt in out source destination
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
num pkts bytes target prot opt in out source destination
1 0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
2 0 0 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
3 0 0 FORWARD_direct all -- * * 0.0.0.0/0 0.0.0.0/0
4 0 0 FORWARD_IN_ZONES_SOURCE all -- * * 0.0.0.0/0 0.0.0.0/0
5 0 0 FORWARD_IN_ZONES all -- * * 0.0.0.0/0 0.0.0.0/0
6 0 0 FORWARD_OUT_ZONES_SOURCE all -- * * 0.0.0.0/0 0.0.0.0/0
7 0 0 FORWARD_OUT_ZONES all -- * * 0.0.0.0/0 0.0.0.0/0
8 0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate INVALID
9 0 0 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited
Chain OUTPUT (policy ACCEPT 71 packets, 15232 bytes)
num pkts bytes target prot opt in out source destination
1 14208 1983K ACCEPT all -- * lo 0.0.0.0/0 0.0.0.0/0
2 337 71020 OUTPUT_direct all -- * * 0.0.0.0/0 0.0.0.0/0
Chain FORWARD_IN_ZONES (1 references)
num pkts bytes target prot opt in out source destination
1 0 0 FWDI_public all -- + * 0.0.0.0/0 0.0.0.0/0 [goto]
Chain FORWARD_IN_ZONES_SOURCE (1 references)
num pkts bytes target prot opt in out source destination
Chain FORWARD_OUT_ZONES (1 references)
num pkts bytes target prot opt in out source destination
1 0 0 FWDO_public all -- * + 0.0.0.0/0 0.0.0.0/0 [goto]
Chain FORWARD_OUT_ZONES_SOURCE (1 references)
num pkts bytes target prot opt in out source destination
Chain FORWARD_direct (1 references)
num pkts bytes target prot opt in out source destination
Chain FWDI_public (1 references)
num pkts bytes target prot opt in out source destination
1 0 0 FWDI_public_log all -- * * 0.0.0.0/0 0.0.0.0/0
2 0 0 FWDI_public_deny all -- * * 0.0.0.0/0 0.0.0.0/0
3 0 0 FWDI_public_allow all -- * * 0.0.0.0/0 0.0.0.0/0
4 0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0
Chain FWDI_public_allow (1 references)
num pkts bytes target prot opt in out source destination
Chain FWDI_public_deny (1 references)
num pkts bytes target prot opt in out source destination
Chain FWDI_public_log (1 references)
num pkts bytes target prot opt in out source destination
Chain FWDO_public (1 references)
num pkts bytes target prot opt in out source destination
1 0 0 FWDO_public_log all -- * * 0.0.0.0/0 0.0.0.0/0
2 0 0 FWDO_public_deny all -- * * 0.0.0.0/0 0.0.0.0/0
3 0 0 FWDO_public_allow all -- * * 0.0.0.0/0 0.0.0.0/0
Chain FWDO_public_allow (1 references)
num pkts bytes target prot opt in out source destination
Chain FWDO_public_deny (1 references)
num pkts bytes target prot opt in out source destination
Chain FWDO_public_log (1 references)
num pkts bytes target prot opt in out source destination
Chain INPUT_ZONES (0 references)
num pkts bytes target prot opt in out source destination
1 0 0 IN_public all -- + * 0.0.0.0/0 0.0.0.0/0 [goto]
Chain INPUT_ZONES_SOURCE (0 references)
num pkts bytes target prot opt in out source destination
Chain INPUT_direct (0 references)
num pkts bytes target prot opt in out source destination
Chain IN_public (1 references)
num pkts bytes target prot opt in out source destination
1 0 0 IN_public_log all -- * * 0.0.0.0/0 0.0.0.0/0
2 0 0 IN_public_deny all -- * * 0.0.0.0/0 0.0.0.0/0
3 0 0 IN_public_allow all -- * * 0.0.0.0/0 0.0.0.0/0
4 0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0
Chain IN_public_allow (1 references)
num pkts bytes target prot opt in out source destination
1 0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:22 ctstate NEW,UNTRACKED
Chain IN_public_deny (1 references)
num pkts bytes target prot opt in out source destination
Chain IN_public_log (1 references)
num pkts bytes target prot opt in out source destination
Chain OUTPUT_direct (1 references)
num pkts bytes target prot opt in out source destination
[root@hdp101.yinzhengjie.org.cn ~]#
[root@hdp101.yinzhengjie.org.cn ~]# iptables -F
[root@hdp101.yinzhengjie.org.cn ~]#
[root@hdp101.yinzhengjie.org.cn ~]# iptables -vnL --line-numbers
Chain INPUT (policy ACCEPT 22 packets, 2524 bytes)
num pkts bytes target prot opt in out source destination
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
num pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 19 packets, 2632 bytes)
num pkts bytes target prot opt in out source destination
Chain FORWARD_IN_ZONES (0 references)
num pkts bytes target prot opt in out source destination
Chain FORWARD_IN_ZONES_SOURCE (0 references)
num pkts bytes target prot opt in out source destination
Chain FORWARD_OUT_ZONES (0 references)
num pkts bytes target prot opt in out source destination
Chain FORWARD_OUT_ZONES_SOURCE (0 references)
num pkts bytes target prot opt in out source destination
Chain FORWARD_direct (0 references)
num pkts bytes target prot opt in out source destination
Chain FWDI_public (0 references)
num pkts bytes target prot opt in out source destination
Chain FWDI_public_allow (0 references)
num pkts bytes target prot opt in out source destination
Chain FWDI_public_deny (0 references)
num pkts bytes target prot opt in out source destination
Chain FWDI_public_log (0 references)
num pkts bytes target prot opt in out source destination
Chain FWDO_public (0 references)
num pkts bytes target prot opt in out source destination
Chain FWDO_public_allow (0 references)
num pkts bytes target prot opt in out source destination
Chain FWDO_public_deny (0 references)
num pkts bytes target prot opt in out source destination
Chain FWDO_public_log (0 references)
num pkts bytes target prot opt in out source destination
Chain INPUT_ZONES (0 references)
num pkts bytes target prot opt in out source destination
Chain INPUT_ZONES_SOURCE (0 references)
num pkts bytes target prot opt in out source destination
Chain INPUT_direct (0 references)
num pkts bytes target prot opt in out source destination
Chain IN_public (0 references)
num pkts bytes target prot opt in out source destination
Chain IN_public_allow (0 references)
num pkts bytes target prot opt in out source destination
Chain IN_public_deny (0 references)
num pkts bytes target prot opt in out source destination
Chain IN_public_log (0 references)
num pkts bytes target prot opt in out source destination
Chain OUTPUT_direct (0 references)
num pkts bytes target prot opt in out source destination
[root@hdp101.yinzhengjie.org.cn ~]#
[root@hdp101.yinzhengjie.org.cn ~]# iptables -F #Flush every rule from every chain of the filter table
[root@hdp101.yinzhengjie.org.cn ~]# iptables -vnL INPUT --line-numbers
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
num pkts bytes target prot opt in out source destination
1 7512 1049K ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
2 105 5484 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
3 0 0 INPUT_direct all -- * * 0.0.0.0/0 0.0.0.0/0
4 0 0 INPUT_ZONES_SOURCE all -- * * 0.0.0.0/0 0.0.0.0/0
5 0 0 INPUT_ZONES all -- * * 0.0.0.0/0 0.0.0.0/0
6 0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate INVALID
7 0 0 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited
[root@hdp101.yinzhengjie.org.cn ~]#
[root@hdp101.yinzhengjie.org.cn ~]# iptables -F INPUT
[root@hdp101.yinzhengjie.org.cn ~]#
[root@hdp101.yinzhengjie.org.cn ~]# iptables -vnL INPUT --line-numbers
Chain INPUT (policy ACCEPT 92 packets, 6596 bytes)
num pkts bytes target prot opt in out source destination
[root@hdp101.yinzhengjie.org.cn ~]#
[root@hdp101.yinzhengjie.org.cn ~]#
[root@hdp101.yinzhengjie.org.cn ~]# iptables -F INPUT #Flush every rule from the INPUT chain of the filter table
3>.Deleting a rule
[root@hdp101.yinzhengjie.org.cn ~]# iptables -vnL FORWARD --line-numbers
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
num pkts bytes target prot opt in out source destination
1 0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
2 0 0 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
3 0 0 FORWARD_direct all -- * * 0.0.0.0/0 0.0.0.0/0
4 0 0 FORWARD_IN_ZONES_SOURCE all -- * * 0.0.0.0/0 0.0.0.0/0
5 0 0 FORWARD_IN_ZONES all -- * * 0.0.0.0/0 0.0.0.0/0
6 0 0 FORWARD_OUT_ZONES_SOURCE all -- * * 0.0.0.0/0 0.0.0.0/0
7 0 0 FORWARD_OUT_ZONES all -- * * 0.0.0.0/0 0.0.0.0/0
8 0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate INVALID
9 0 0 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited
[root@hdp101.yinzhengjie.org.cn ~]#
[root@hdp101.yinzhengjie.org.cn ~]# iptables -D FORWARD 9
[root@hdp101.yinzhengjie.org.cn ~]#
[root@hdp101.yinzhengjie.org.cn ~]# iptables -vnL FORWARD --line-numbers
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
num pkts bytes target prot opt in out source destination
1 0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
2 0 0 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
3 0 0 FORWARD_direct all -- * * 0.0.0.0/0 0.0.0.0/0
4 0 0 FORWARD_IN_ZONES_SOURCE all -- * * 0.0.0.0/0 0.0.0.0/0
5 0 0 FORWARD_IN_ZONES all -- * * 0.0.0.0/0 0.0.0.0/0
6 0 0 FORWARD_OUT_ZONES_SOURCE all -- * * 0.0.0.0/0 0.0.0.0/0
7 0 0 FORWARD_OUT_ZONES all -- * * 0.0.0.0/0 0.0.0.0/0
8 0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate INVALID
[root@hdp101.yinzhengjie.org.cn ~]#
[root@hdp101.yinzhengjie.org.cn ~]#
[root@hdp101.yinzhengjie.org.cn ~]# iptables -D FORWARD 9 #Delete rule number 9 from the FORWARD chain of the filter table
4>.Adding rules by appending
[root@hdp101.yinzhengjie.org.cn ~]# iptables -vnL --line-numbers
Chain INPUT (policy ACCEPT 978 packets, 158K bytes)
num pkts bytes target prot opt in out source destination
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
num pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 962 packets, 159K bytes)
num pkts bytes target prot opt in out source destination
[root@hdp101.yinzhengjie.org.cn ~]#
[root@hdp101.yinzhengjie.org.cn ~]# hostname -i
172.200.1.101
[root@hdp101.yinzhengjie.org.cn ~]#
[root@hdp101.yinzhengjie.org.cn ~]# iptables -t filter -A INPUT -s 172.200.0.0/21 -d 172.200.1.101 -p tcp -j ACCEPT
[root@hdp101.yinzhengjie.org.cn ~]#
[root@hdp101.yinzhengjie.org.cn ~]# iptables -vnL --line-numbers
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
num pkts bytes target prot opt in out source destination
1 58 6888 ACCEPT tcp -- * * 172.200.0.0/21 172.200.1.101
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
num pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 54 packets, 7164 bytes)
num pkts bytes target prot opt in out source destination
[root@hdp101.yinzhengjie.org.cn ~]#
[root@hdp101.yinzhengjie.org.cn ~]#
[root@hdp101.yinzhengjie.org.cn ~]# iptables -t filter -A INPUT -s 172.200.0.0/21 -d 172.200.1.101 -p tcp -j ACCEPT #Append a rule to the INPUT chain of the filter table: all TCP traffic from source 172.200.0.0/21 to destination 172.200.1.101 is allowed (ACCEPT)
[root@hdp101.yinzhengjie.org.cn ~]#
[root@hdp101.yinzhengjie.org.cn ~]# iptables -vnL --line-numbers
Chain INPUT (policy ACCEPT 7 packets, 552 bytes)
num pkts bytes target prot opt in out source destination
1 4107 535K ACCEPT tcp -- * * 172.200.0.0/21 172.200.1.101
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
num pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 4066 packets, 537K bytes)
num pkts bytes target prot opt in out source destination
[root@hdp101.yinzhengjie.org.cn ~]#
[root@hdp101.yinzhengjie.org.cn ~]# hostname -i
172.200.1.101
[root@hdp101.yinzhengjie.org.cn ~]#
[root@hdp101.yinzhengjie.org.cn ~]# iptables -t filter -A OUTPUT -s 172.200.1.101 -d 172.200.0.0/21 -p tcp -j ACCEPT
[root@hdp101.yinzhengjie.org.cn ~]#
[root@hdp101.yinzhengjie.org.cn ~]# iptables -vnL --line-numbers
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
num pkts bytes target prot opt in out source destination
1 4890 678K ACCEPT tcp -- * * 172.200.0.0/21 172.200.1.101
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
num pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
num pkts bytes target prot opt in out source destination
1 132 16938 ACCEPT tcp -- * * 172.200.1.101 172.200.0.0/21
[root@hdp101.yinzhengjie.org.cn ~]#
[root@hdp101.yinzhengjie.org.cn ~]#
[root@hdp101.yinzhengjie.org.cn ~]# iptables -t filter -A OUTPUT -s 172.200.1.101 -d 172.200.0.0/21 -p tcp -j ACCEPT #Append a rule to the OUTPUT chain of the filter table: all TCP traffic from source 172.200.1.101 to destination 172.200.0.0/21 is allowed (ACCEPT)
[root@hdp101.yinzhengjie.org.cn ~]# iptables -vnL
Chain INPUT (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
45325 6269K ACCEPT tcp -- * * 172.200.0.0/21 172.200.1.101
Chain FORWARD (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
40437 5867K ACCEPT tcp -- * * 172.200.1.101 172.200.0.0/21
[root@hdp101.yinzhengjie.org.cn ~]#
[root@hdp101.yinzhengjie.org.cn ~]# hostname -i
172.200.1.101
[root@hdp101.yinzhengjie.org.cn ~]#
[root@hdp101.yinzhengjie.org.cn ~]# iptables -A INPUT -d 172.200.1.101 -p icmp -j ACCEPT
[root@hdp101.yinzhengjie.org.cn ~]#
[root@hdp101.yinzhengjie.org.cn ~]# iptables -vnL
Chain INPUT (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
52599 6957K ACCEPT tcp -- * * 172.200.0.0/21 172.200.1.101
3 252 ACCEPT icmp -- * * 0.0.0.0/0 172.200.1.101
Chain FORWARD (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy DROP 3 packets, 252 bytes)
pkts bytes target prot opt in out source destination
51595 8407K ACCEPT tcp -- * * 172.200.1.101 172.200.0.0/21
[root@hdp101.yinzhengjie.org.cn ~]#
[root@hdp101.yinzhengjie.org.cn ~]#
[root@hdp101.yinzhengjie.org.cn ~]# iptables -A INPUT -d 172.200.1.101 -p icmp -j ACCEPT #Add a rule to the INPUT chain of the filter table: all ICMP traffic destined for this host's address 172.200.1.101 is allowed (ACCEPT)
[root@hdp101.yinzhengjie.org.cn ~]# tcpdump -i bond0 -nn icmp
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on bond0, link-type EN10MB (Ethernet), capture size 262144 bytes
21:11:26.214130 IP 172.200.1.102 > 172.200.1.101: ICMP echo request, id 5881, seq 64, length 64
21:11:27.214353 IP 172.200.1.102 > 172.200.1.101: ICMP echo request, id 5881, seq 65, length 64
21:11:28.214509 IP 172.200.1.102 > 172.200.1.101: ICMP echo request, id 5881, seq 66, length 64
21:11:29.213624 IP 172.200.1.102 > 172.200.1.101: ICMP echo request, id 5881, seq 67, length 64
21:11:30.213814 IP 172.200.1.102 > 172.200.1.101: ICMP echo request, id 5881, seq 68, length 64
21:11:31.214005 IP 172.200.1.102 > 172.200.1.101: ICMP echo request, id 5881, seq 69, length 64
21:11:32.213895 IP 172.200.1.102 > 172.200.1.101: ICMP echo request, id 5881, seq 70, length 64
21:11:33.214398 IP 172.200.1.102 > 172.200.1.101: ICMP echo request, id 5881, seq 71, length 64
21:11:34.213683 IP 172.200.1.102 > 172.200.1.101: ICMP echo request, id 5881, seq 72, length 64
21:11:35.214754 IP 172.200.1.102 > 172.200.1.101: ICMP echo request, id 5881, seq 73, length 64
21:11:36.214345 IP 172.200.1.102 > 172.200.1.101: ICMP echo request, id 5881, seq 74, length 64
21:11:37.214123 IP 172.200.1.102 > 172.200.1.101: ICMP echo request, id 5881, seq 75, length 64
21:11:38.214719 IP 172.200.1.102 > 172.200.1.101: ICMP echo request, id 5881, seq 76, length 64
21:11:39.213834 IP 172.200.1.102 > 172.200.1.101: ICMP echo request, id 5881, seq 77, length 64
21:11:40.214129 IP 172.200.1.102 > 172.200.1.101: ICMP echo request, id 5881, seq 78, length 64
21:11:41.214279 IP 172.200.1.102 > 172.200.1.101: ICMP echo request, id 5881, seq 79, length 64
21:11:42.214275 IP 172.200.1.102 > 172.200.1.101: ICMP echo request, id 5881, seq 80, length 64
21:11:43.214430 IP 172.200.1.102 > 172.200.1.101: ICMP echo request, id 5881, seq 81, length 64
21:11:44.214727 IP 172.200.1.102 > 172.200.1.101: ICMP echo request, id 5881, seq 82, length 64
21:11:45.216510 IP 172.200.1.102 > 172.200.1.101: ICMP echo request, id 5881, seq 83, length 64
21:11:46.216987 IP 172.200.1.102 > 172.200.1.101: ICMP echo request, id 5881, seq 84, length 64
21:11:47.216764 IP 172.200.1.102 > 172.200.1.101: ICMP echo request, id 5881, seq 85, length 64
21:11:48.217472 IP 172.200.1.102 > 172.200.1.101: ICMP echo request, id 5881, seq 86, length 64
21:11:49.217079 IP 172.200.1.102 > 172.200.1.101: ICMP echo request, id 5881, seq 87, length 64
21:11:50.216659 IP 172.200.1.102 > 172.200.1.101: ICMP echo request, id 5881, seq 88, length 64
21:11:51.217251 IP 172.200.1.102 > 172.200.1.101: ICMP echo request, id 5881, seq 89, length 64
21:11:52.217264 IP 172.200.1.102 > 172.200.1.101: ICMP echo request, id 5881, seq 90, length 64
21:11:53.217378 IP 172.200.1.102 > 172.200.1.101: ICMP echo request, id 5881, seq 91, length 64
21:11:54.216939 IP 172.200.1.102 > 172.200.1.101: ICMP echo request, id 5881, seq 92, length 64
21:11:55.216957 IP 172.200.1.102 > 172.200.1.101: ICMP echo request, id 5881, seq 93, length 64
21:11:56.217391 IP 172.200.1.102 > 172.200.1.101: ICMP echo request, id 5881, seq 94, length 64
21:11:57.217054 IP 172.200.1.102 > 172.200.1.101: ICMP echo request, id 5881, seq 95, length 64
21:11:58.217050 IP 172.200.1.102 > 172.200.1.101: ICMP echo request, id 5881, seq 96, length 64
^C
33 packets captured
33 packets received by filter
0 packets dropped by kernel
[root@hdp101.yinzhengjie.org.cn ~]#
[root@hdp101.yinzhengjie.org.cn ~]# tcpdump -i bond0 -nn icmp #With only the rule above added, pinging 172.200.1.101 from 172.200.1.102 does not get through (see the capture above: echo requests arrive, but no replies leave)
[root@hdp101.yinzhengjie.org.cn ~]# iptables -vnL
Chain INPUT (policy DROP 1 packets, 76 bytes)
pkts bytes target prot opt in out source destination
56892 7571K ACCEPT tcp -- * * 172.200.0.0/21 172.200.1.101
217 18228 ACCEPT icmp -- * * 0.0.0.0/0 172.200.1.101
Chain FORWARD (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy DROP 227 packets, 19024 bytes)
pkts bytes target prot opt in out source destination
55870 9021K ACCEPT tcp -- * * 172.200.1.101 172.200.0.0/21
[root@hdp101.yinzhengjie.org.cn ~]#
[root@hdp101.yinzhengjie.org.cn ~]# iptables -A OUTPUT -s 172.200.1.101 -p icmp -j ACCEPT
[root@hdp101.yinzhengjie.org.cn ~]#
[root@hdp101.yinzhengjie.org.cn ~]# iptables -vnL
Chain INPUT (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
58615 7791K ACCEPT tcp -- * * 172.200.0.0/21 172.200.1.101
299 25116 ACCEPT icmp -- * * 0.0.0.0/0 172.200.1.101
Chain FORWARD (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
57536 9242K ACCEPT tcp -- * * 172.200.1.101 172.200.0.0/21
10 840 ACCEPT icmp -- * * 172.200.1.101 0.0.0.0/0
[root@hdp101.yinzhengjie.org.cn ~]#
[root@hdp101.yinzhengjie.org.cn ~]#
[root@hdp101.yinzhengjie.org.cn ~]# iptables -A OUTPUT -s 172.200.1.101 -p icmp -j ACCEPT #在filter表中的OUTPUT链中添加一条规则,源地址是172.200.1.101的ICMP协议都允许(ACCEPT)
[root@hdp101.yinzhengjie.org.cn ~]# tcpdump -i bond0 -nn icmp
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on bond0, link-type EN10MB (Ethernet), capture size 262144 bytes
21:17:05.259185 IP 172.200.1.102 > 172.200.1.101: ICMP echo request, id 5881, seq 403, length 64
21:17:05.259210 IP 172.200.1.101 > 172.200.1.102: ICMP echo reply, id 5881, seq 403, length 64
21:17:06.260314 IP 172.200.1.102 > 172.200.1.101: ICMP echo request, id 5881, seq 404, length 64
21:17:06.260345 IP 172.200.1.101 > 172.200.1.102: ICMP echo reply, id 5881, seq 404, length 64
21:17:07.260832 IP 172.200.1.102 > 172.200.1.101: ICMP echo request, id 5881, seq 405, length 64
21:17:07.260875 IP 172.200.1.101 > 172.200.1.102: ICMP echo reply, id 5881, seq 405, length 64
21:17:08.262111 IP 172.200.1.102 > 172.200.1.101: ICMP echo request, id 5881, seq 406, length 64
21:17:08.262252 IP 172.200.1.101 > 172.200.1.102: ICMP echo reply, id 5881, seq 406, length 64
21:17:09.263647 IP 172.200.1.102 > 172.200.1.101: ICMP echo request, id 5881, seq 407, length 64
21:17:09.263677 IP 172.200.1.101 > 172.200.1.102: ICMP echo reply, id 5881, seq 407, length 64
21:17:10.263923 IP 172.200.1.102 > 172.200.1.101: ICMP echo request, id 5881, seq 408, length 64
21:17:10.263943 IP 172.200.1.101 > 172.200.1.102: ICMP echo reply, id 5881, seq 408, length 64
21:17:11.264841 IP 172.200.1.102 > 172.200.1.101: ICMP echo request, id 5881, seq 409, length 64
21:17:11.264881 IP 172.200.1.101 > 172.200.1.102: ICMP echo reply, id 5881, seq 409, length 64
21:17:12.265289 IP 172.200.1.102 > 172.200.1.101: ICMP echo request, id 5881, seq 410, length 64
21:17:12.265311 IP 172.200.1.101 > 172.200.1.102: ICMP echo reply, id 5881, seq 410, length 64
21:17:13.265793 IP 172.200.1.102 > 172.200.1.101: ICMP echo request, id 5881, seq 411, length 64
21:17:13.265813 IP 172.200.1.101 > 172.200.1.102: ICMP echo reply, id 5881, seq 411, length 64
21:17:14.266599 IP 172.200.1.102 > 172.200.1.101: ICMP echo request, id 5881, seq 412, length 64
21:17:14.266624 IP 172.200.1.101 > 172.200.1.102: ICMP echo reply, id 5881, seq 412, length 64
21:17:15.266876 IP 172.200.1.102 > 172.200.1.101: ICMP echo request, id 5881, seq 413, length 64
21:17:15.266898 IP 172.200.1.101 > 172.200.1.102: ICMP echo reply, id 5881, seq 413, length 64
21:17:16.268890 IP 172.200.1.102 > 172.200.1.101: ICMP echo request, id 5881, seq 414, length 64
21:17:16.268924 IP 172.200.1.101 > 172.200.1.102: ICMP echo reply, id 5881, seq 414, length 64
21:17:17.270586 IP 172.200.1.102 > 172.200.1.101: ICMP echo request, id 5881, seq 415, length 64
21:17:17.270618 IP 172.200.1.101 > 172.200.1.102: ICMP echo reply, id 5881, seq 415, length 64
21:17:18.271096 IP 172.200.1.102 > 172.200.1.101: ICMP echo request, id 5881, seq 416, length 64
21:17:18.271132 IP 172.200.1.101 > 172.200.1.102: ICMP echo reply, id 5881, seq 416, length 64
21:17:19.271688 IP 172.200.1.102 > 172.200.1.101: ICMP echo request, id 5881, seq 417, length 64
21:17:19.271722 IP 172.200.1.101 > 172.200.1.102: ICMP echo reply, id 5881, seq 417, length 64
21:17:20.271945 IP 172.200.1.102 > 172.200.1.101: ICMP echo request, id 5881, seq 418, length 64
21:17:20.272018 IP 172.200.1.101 > 172.200.1.102: ICMP echo reply, id 5881, seq 418, length 64
21:17:21.272795 IP 172.200.1.102 > 172.200.1.101: ICMP echo request, id 5881, seq 419, length 64
21:17:21.272827 IP 172.200.1.101 > 172.200.1.102: ICMP echo reply, id 5881, seq 419, length 64
21:17:22.272480 IP 172.200.1.102 > 172.200.1.101: ICMP echo request, id 5881, seq 420, length 64
21:17:22.272512 IP 172.200.1.101 > 172.200.1.102: ICMP echo reply, id 5881, seq 420, length 64
21:17:23.272638 IP 172.200.1.102 > 172.200.1.101: ICMP echo request, id 5881, seq 421, length 64
21:17:23.272672 IP 172.200.1.101 > 172.200.1.102: ICMP echo reply, id 5881, seq 421, length 64
21:17:24.273863 IP 172.200.1.102 > 172.200.1.101: ICMP echo request, id 5881, seq 422, length 64
21:17:24.273894 IP 172.200.1.101 > 172.200.1.102: ICMP echo reply, id 5881, seq 422, length 64
^C
40 packets captured
40 packets received by filter
0 packets dropped by kernel
[root@hdp101.yinzhengjie.org.cn ~]#
[root@hdp101.yinzhengjie.org.cn ~]# tcpdump -i bond0 -nn icmp #After adding both rules above, pinging 172.200.1.101 from 172.200.1.102 succeeds (see the capture above: every echo request now gets an echo reply)
5>.Setting the default policy
[root@hdp101.yinzhengjie.org.cn ~]# iptables -vnL --line-numbers
Chain INPUT (policy ACCEPT 6 packets, 472 bytes)
num pkts bytes target prot opt in out source destination
1 8535 1169K ACCEPT tcp -- * * 172.200.0.0/21 172.200.1.101
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
num pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 6 packets, 472 bytes)
num pkts bytes target prot opt in out source destination
1 3780 509K ACCEPT tcp -- * * 172.200.1.101 172.200.0.0/21
[root@hdp101.yinzhengjie.org.cn ~]#
[root@hdp101.yinzhengjie.org.cn ~]# iptables -P INPUT DROP
[root@hdp101.yinzhengjie.org.cn ~]#
[root@hdp101.yinzhengjie.org.cn ~]# iptables -vnL --line-numbers
Chain INPUT (policy DROP 0 packets, 0 bytes)
num pkts bytes target prot opt in out source destination
1 9678 1315K ACCEPT tcp -- * * 172.200.0.0/21 172.200.1.101
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
num pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
num pkts bytes target prot opt in out source destination
1 4892 655K ACCEPT tcp -- * * 172.200.1.101 172.200.0.0/21
[root@hdp101.yinzhengjie.org.cn ~]#
[root@hdp101.yinzhengjie.org.cn ~]#
[root@hdp101.yinzhengjie.org.cn ~]# iptables -P INPUT DROP #Set the default policy of the INPUT chain in the filter table to DROP
[root@hdp101.yinzhengjie.org.cn ~]# iptables -vnL --line-numbers
Chain INPUT (policy DROP 3 packets, 240 bytes)
num pkts bytes target prot opt in out source destination
1 10556 1463K ACCEPT tcp -- * * 172.200.0.0/21 172.200.1.101
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
num pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 3 packets, 240 bytes)
num pkts bytes target prot opt in out source destination
1 5770 804K ACCEPT tcp -- * * 172.200.1.101 172.200.0.0/21
[root@hdp101.yinzhengjie.org.cn ~]#
[root@hdp101.yinzhengjie.org.cn ~]# iptables -P FORWARD DROP
[root@hdp101.yinzhengjie.org.cn ~]#
[root@hdp101.yinzhengjie.org.cn ~]# iptables -vnL --line-numbers
Chain INPUT (policy DROP 0 packets, 0 bytes)
num pkts bytes target prot opt in out source destination
1 10751 1487K ACCEPT tcp -- * * 172.200.0.0/21 172.200.1.101
Chain FORWARD (policy DROP 0 packets, 0 bytes)
num pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
num pkts bytes target prot opt in out source destination
1 5955 829K ACCEPT tcp -- * * 172.200.1.101 172.200.0.0/21
[root@hdp101.yinzhengjie.org.cn ~]#
[root@hdp101.yinzhengjie.org.cn ~]#
[root@hdp101.yinzhengjie.org.cn ~]# iptables -P FORWARD DROP #Set the default policy of the FORWARD chain in the filter table to DROP
[root@hdp101.yinzhengjie.org.cn ~]# iptables -vnL --line-numbers
Chain INPUT (policy DROP 3 packets, 236 bytes)
num pkts bytes target prot opt in out source destination
1 11517 1592K ACCEPT tcp -- * * 172.200.0.0/21 172.200.1.101
Chain FORWARD (policy DROP 0 packets, 0 bytes)
num pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 3 packets, 236 bytes)
num pkts bytes target prot opt in out source destination
1 6720 934K ACCEPT tcp -- * * 172.200.1.101 172.200.0.0/21
[root@hdp101.yinzhengjie.org.cn ~]#
[root@hdp101.yinzhengjie.org.cn ~]# iptables -P OUTPUT DROP
[root@hdp101.yinzhengjie.org.cn ~]#
[root@hdp101.yinzhengjie.org.cn ~]# iptables -vnL --line-numbers
Chain INPUT (policy DROP 0 packets, 0 bytes)
num pkts bytes target prot opt in out source destination
1 11833 1627K ACCEPT tcp -- * * 172.200.0.0/21 172.200.1.101
Chain FORWARD (policy DROP 0 packets, 0 bytes)
num pkts bytes target prot opt in out source destination
Chain OUTPUT (policy DROP 0 packets, 0 bytes)
num pkts bytes target prot opt in out source destination
1 7024 971K ACCEPT tcp -- * * 172.200.1.101 172.200.0.0/21
[root@hdp101.yinzhengjie.org.cn ~]#
[root@hdp101.yinzhengjie.org.cn ~]# iptables -P OUTPUT DROP #Set the default policy of the OUTPUT chain in the filter table to DROP
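The three operations shown in sections 3 to 5 (delete by number with -D, append with -A, default policy with -P) and the ping experiment in section 4 can be replayed without root by modelling the filter table offline. The following Python is an added example written for this page; it is not code from the original post or from the iptables project. It parses the `iptables -vnL --line-numbers` listing format shown above and applies first-match evaluation chain by chain. `LISTING` is a constructed copy of the table as it stood after the INPUT ICMP rule was appended with all three policies at DROP; the names `Packet`, `parse_listing`, `verdict`, `append_rule`, `delete_rule`, `set_policy` and `ping_verdicts` are my own.

```python
"""Offline model of the filter table as printed by `iptables -vnL --line-numbers`.

Added example, not code from the original post. Only proto, src, dst and `dpt:N`
are modelled (in/out interfaces are ignored; they are `*` in every rule above);
any other match extension (e.g. ctstate) raises instead of mis-predicting.
"""
import ipaddress
import re
from dataclasses import dataclass

CHAIN_RE = re.compile(r"^Chain (\S+) \((?:policy (\S+)|\d+ references)")

# Constructed listing: the state right after `iptables -A INPUT -d 172.200.1.101 -p icmp -j ACCEPT`.
LISTING = """\
Chain INPUT (policy DROP 0 packets, 0 bytes)
num pkts bytes target prot opt in out source destination
1 52599 6957K ACCEPT tcp -- * * 172.200.0.0/21 172.200.1.101
2 3 252 ACCEPT icmp -- * * 0.0.0.0/0 172.200.1.101
Chain FORWARD (policy DROP 0 packets, 0 bytes)
num pkts bytes target prot opt in out source destination
Chain OUTPUT (policy DROP 3 packets, 252 bytes)
num pkts bytes target prot opt in out source destination
1 51595 8407K ACCEPT tcp -- * * 172.200.1.101 172.200.0.0/21
"""


@dataclass
class Packet:
    src: str
    dst: str
    proto: str      # "tcp", "udp" or "icmp"
    dport: int = 0  # only consulted by rules carrying `dpt:N`


def parse_listing(text):
    """Return {chain: {"policy": "ACCEPT"/"DROP" (None for user chains), "rules": [...]}}."""
    chains, current = {}, None
    for line in text.splitlines():
        m = CHAIN_RE.match(line)
        if m:
            current = {"policy": m.group(2), "rules": []}
            chains[m.group(1)] = current
            continue
        f = line.split()
        if current is None or len(f) < 10 or not f[0].isdigit():
            continue  # column header, prompt or blank line
        # columns: num pkts bytes target prot opt in out source destination [extras]
        current["rules"].append({"target": f[3], "proto": f[4], "src": f[8],
                                 "dst": f[9], "extra": " ".join(f[10:])})
    return chains


def _matches(rule, pkt):
    if rule["proto"] not in ("all", pkt.proto):
        return False
    for key, addr in (("src", pkt.src), ("dst", pkt.dst)):
        if ipaddress.ip_address(addr) not in ipaddress.ip_network(rule[key], strict=False):
            return False
    if rule["extra"]:
        m = re.fullmatch(r"(?:tcp|udp) dpt:(\d+)", rule["extra"])
        if not m:
            raise ValueError(f"match extension not modelled: {rule['extra']!r}")
        return pkt.dport == int(m.group(1))
    return True


def verdict(chains, chain, pkt):
    """First matching rule wins; a user chain returns None (RETURN) when nothing matched."""
    for rule in chains[chain]["rules"]:
        if not _matches(rule, pkt):
            continue
        if rule["target"] in ("ACCEPT", "DROP", "REJECT"):
            return rule["target"]
        if rule["target"] in chains:  # jump into a user-defined chain
            sub = verdict(chains, rule["target"], pkt)
            if sub is not None:
                return sub
    return chains[chain]["policy"]


def append_rule(chains, chain, target, proto="all", src="0.0.0.0/0", dst="0.0.0.0/0"):
    """Model `iptables -A CHAIN -s SRC -d DST -p PROTO -j TARGET`."""
    chains[chain]["rules"].append({"target": target, "proto": proto,
                                   "src": src, "dst": dst, "extra": ""})


def delete_rule(chains, chain, num):
    """Model `iptables -D CHAIN NUM`; every rule after it moves up one number."""
    del chains[chain]["rules"][num - 1]


def set_policy(chains, chain, policy):
    """Model `iptables -P CHAIN POLICY` on a built-in chain."""
    chains[chain]["policy"] = policy


def ping_verdicts(chains, client, host):
    """(INPUT verdict for the echo request, OUTPUT verdict for the echo reply)."""
    return (verdict(chains, "INPUT", Packet(client, host, "icmp")),
            verdict(chains, "OUTPUT", Packet(host, client, "icmp")))


if __name__ == "__main__":
    fw = parse_listing(LISTING)
    print(ping_verdicts(fw, "172.200.1.102", "172.200.1.101"))  # ('ACCEPT', 'DROP')
    append_rule(fw, "OUTPUT", "ACCEPT", proto="icmp", src="172.200.1.101")
    print(ping_verdicts(fw, "172.200.1.102", "172.200.1.101"))  # ('ACCEPT', 'ACCEPT')
```

The two tuples explain the first tcpdump capture: INPUT accepts the echo request, but the echo reply falls through to the OUTPUT chain's DROP policy, so only requests appear on the wire until the OUTPUT ICMP rule exists. `delete_rule` mirrors the renumbering that makes `iptables -D CHAIN NUM` order-sensitive: when removing several rules by number, delete the highest numbers first. Before flipping a policy to DROP, run `verdict` for the traffic you administer the host through (here, TCP from 172.200.0.0/21 to 172.200.1.101) to confirm an ACCEPT rule still covers it.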
6>.
7>.