2025-01-30 Update From: SLTechnology News&Howtos (shulou), Network Security
Shulou(Shulou.com)06/01 Report--
Recently, I have been working on the configuration of a VPN middleware. While configuring iptables, when a user wants to delete the EIP (that is, release the current connection), the relevant iptables commands report an error:
iptables: Bad rule (does a matching rule exist in that chain?)
I wondered how this problem could happen; following the official documentation also produced the error. Here is my solution for the iptables delete command.
Solution
1. Delete by line number
If deleting by line number were always an option, this article would not exist. Of course, if you know the line number before deleting, you can use this command:
iptables -t $table -D POSTROUTING 2
-t: followed by the table to operate on. There are four tables. Note that the default table may not be the one you need; see the official documentation for details.
-D: delete
POSTROUTING: the chain used for source address translation (SNAT); put your own chain here.
The line number follows the chain name.
To list the rules with their line numbers:
iptables -t $table -L -n --line-numbers
2. Delete by matching rule
This is the exact-match deletion used in the official documentation. You cannot just supply a filter: you have to give every detail of the rule, exactly as you did when you added it, except that -A becomes -D. Whether an exact-match deletion succeeds depends on all the match fields the user supplies, and the target field, being exactly the same as what is stored in the kernel, down to the byte. If even one byte does not match, the rule is ambiguous and the deletion fails.
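An added example (not from the original article) combining methods 1 and 2: when an exact-match -D fails, look up the rule's line number in the listing and delete by number. The nat table, the POSTROUTING chain, the source 10.8.0.0/24 and the listing itself are constructed assumptions; the script only prints the delete commands.

```shell
#!/bin/sh
# Added example: resolve rules to line numbers instead of relying on exact-match -D.

# Constructed sample of `iptables -t nat -L POSTROUTING -n --line-numbers` output.
sample_listing() {
cat <<'EOF'
Chain POSTROUTING (policy ACCEPT)
num  target     prot opt source               destination
1    MASQUERADE  all  --  10.8.0.0/24          0.0.0.0/0
2    SNAT       all  --  10.9.0.0/24          0.0.0.0/0            to:203.0.113.10
3    MASQUERADE  all  --  10.8.0.0/24          0.0.0.0/0
EOF
}

# Print the numbers of rules whose source column equals $1, highest first.
# Highest first matters: deleting rule N renumbers every rule below it.
rule_numbers_for_source() {
    awk -v src="$1" '$1 ~ /^[0-9]+$/ && $5 == src { print $1 }' | sort -rn
}

# Print (do not run) the delete commands for table $1, chain $2, source $3.
delete_commands() {
    rule_numbers_for_source "$3" | while read -r n; do
        printf 'iptables -t %s -D %s %s\n' "$1" "$2" "$n"
    done
}

# Dry run against the sample; on a live host replace sample_listing with
#   iptables -t nat -L POSTROUTING -n --line-numbers
sample_listing | delete_commands nat POSTROUTING 10.8.0.0/24
```

Review the printed commands before running them as root; the column positions assume a listing produced without -v.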
3. Delete the whole table and chain
This is too extreme. Use it carefully.
iptables -t $table -F
4. Use python-iptables
Originally, I wrote this interface in Python, so I naturally thought of using python-iptables to delete rules. That way you don't have to make an exact match. The problem is that it can't be used in the blocking state, but you can start a separate script to run it.
The official documentation of python-iptables
import iptc

# Sample value; set this to the network address of the rules to delete.
network_segment = "10.8.0.0"

table = iptc.Table(iptc.Table.NAT)
table.autocommit = False  # autocommit is possible; here we commit manually
chain = iptc.Chain(table, "POSTROUTING")
for rule in chain.rules:
    # Compare with ==; python-iptables reports the source as address/netmask
    if rule.src == f"{network_segment}/255.255.255.0":
        chain.delete_rule(rule)
table.commit()
table.autocommit = True
Original address: https://www.linuxprobe.com/iptables-post-table.html