FILTER表:
[root@server01 ~]
# iptables -t filter -nvL ##查看filter表,主要用于过滤包
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt
in
out
source
destination
116 8692 ACCEPT all -- * * 0.0.0.0
/0
0.0.0.0
/0
state RELATED,ESTABLISHED
0 0 ACCEPT icmp -- * * 0.0.0.0
/0
0.0.0.0
/0
0 0 ACCEPT all -- lo * 0.0.0.0
/0
0.0.0.0
/0
0 0 ACCEPT tcp -- * * 0.0.0.0
/0
0.0.0.0
/0
state NEW tcp dpt:22
4 478 REJECT all -- * * 0.0.0.0
/0
0.0.0.0
/0
reject-with icmp-host-prohibited
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt
in
out
source
destination
0 0 REJECT all -- * * 0.0.0.0
/0
0.0.0.0
/0
reject-with icmp-host-prohibited
Chain OUTPUT (policy ACCEPT 68 packets, 9944 bytes)
pkts bytes target prot opt
in
out
source
destination
[root@server01 ~]
# iptables -Z ##清零计数器
[root@server01 ~]
# iptables -nvL --line-numbers ##显示行号
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
num pkts bytes target prot opt
in
out
source
destination
1 6 432 ACCEPT all -- * * 0.0.0.0
/0
0.0.0.0
/0
state RELATED,ESTABLISHED
2 0 0 ACCEPT icmp -- * * 0.0.0.0
/0
0.0.0.0
/0
......
[root@server01 ~]
# iptables -F ##清空规则(只删除规则,不改变各链的默认策略;若默认策略已是DROP,清空后会丢失远程连接)
[root@server01 ~]
# iptables -nvL ##查看iptables规则
Chain INPUT (policy ACCEPT 6 packets, 432 bytes)
pkts bytes target prot opt
in
out
source
destination
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt
in
out
source
destination
Chain OUTPUT (policy ACCEPT 4 packets, 448 bytes)
pkts bytes target prot opt
in
out
source
destination
[root@server01 ~]
# service iptables save ##保存规则到/etc/sysconfig/iptables(不保存则重启服务或系统后丢失)
iptables: Saving firewall rules to
/etc/sysconfig/iptables
:[ 确定 ]
##三种动作:DROP(丢弃,不回应)、REJECT(拒绝并回应)、ACCEPT(放行);上面输出中各链的默认策略(policy)是ACCEPT。
[root@server01 ~]
# iptables -A INPUT -s 192.168.111.1 -p tcp --sport 1234 -d 192.168.137.100 --dport 80 -j DROP ##-A 追加到链尾(最后匹配)
[root@server01 ~]
# iptables -I INPUT -s 192.168.111.2 -p tcp --sport 1234 -d 192.168.137.100 --dport 80 -j DROP ##-I 插入到链首(默认位置1,最先匹配)
[root@server01 ~]
# iptables -nvL
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt
in
out
source
destination
0 0 DROP tcp -- * * 192.168.111.2 192.168.137.100 tcp spt:1234 dpt:80
......
0 0 DROP tcp -- * * 192.168.111.1 192.168.137.100 tcp spt:1234 dpt:80
[root@server01 ~]
# iptables -D INPUT 1 ##按序号删除INPUT链第1条规则(序号以 --line-numbers 的输出为准,删除后其余规则序号前移)
[root@server01 ~]
# iptables -nvL --line-numbers
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
num pkts bytes target prot opt
in
out
source
destination
1 353 28859 ACCEPT all -- * * 0.0.0.0
/0
0.0.0.0
/0
state RELATED,ESTABLISHED
......
[root@server01 ~]
# iptables -I INPUT -s 100.100.100.0/24 -i ens33 -j ACCEPT
[root@server01 ~]
# iptables -nvL --line-numbers
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
num pkts bytes target prot opt
in
out
source
destination
1 0 0 ACCEPT all -- ens33 * 100.100.100.0
/24
0.0.0.0
/0
.......
[root@server01 ~]
# iptables -D INPUT -s 100.100.100.0/24 -i ens33 -j ACCEPT
[root@server01 ~]
# iptables -nvL --line-numbers
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
num pkts bytes target prot opt
in
out
source
destination
1 626 50787 ACCEPT all -- * * 0.0.0.0
/0
0.0.0.0
/0
state RELATED,ESTABLISHED
......
[root@server01 ~]
# iptables-save > 1.ipt ##将规则重定向到文件中,备份用
[root@server01 ~]
# iptables-restore < 1.ipt ##恢复规则
[root@server01 ~]
# service iptables restart ##重启iptables服务
Redirecting to
/bin/systemctl
restart iptables.service
在虚拟机网络模式为NAT的情况下,也可以实现物理机和虚机的单向访问:
iptables -I INPUT -p icmp --icmp-type 0 -j DROP // 丢弃进入的echo-reply(type 0),虚机发出的ping收不到应答,因此只有物理机可以ping通虚机
iptables -I INPUT -p icmp --icmp-type 8 -j DROP // 丢弃进入的echo-request(type 8),虚机不应答物理机的ping,因此只有虚机可以ping通物理机
iptables -P INPUT DROP 将filter表INPUT链的默认策略改成DROP(不要随意更改:若链中没有先放行RELATED,ESTABLISHED和管理端口(如22)的规则,执行后会立即失去远程管理能力)
本文转自Grodd51CTO博客,原文链接:http://blog.51cto.com/juispan/1946913,如需转载请自行联系原作者