2025-01-15 Update From: SLTechnology News&Howtos > Network Security
Shulou (Shulou.com) 06/01 Report
[root@www ~]# iptables [-t nat] -P [INPUT,OUTPUT,FORWARD] [ACCEPT,DROP]
Options and parameters:
-P: define the default policy (Policy) of a chain. Note that this P is uppercase!
ACCEPT: the packet is accepted
DROP: the packet is discarded silently; the client is not told why it was dropped.
[root@www ~]# iptables [-AI chain] [-io interface] [-p protocol] \
> [-s source IP/network] [-d destination IP/network] -j [ACCEPT|DROP|REJECT|LOG]
Options and parameters:
-AI chain: append (-A) or insert (-I) a rule into a chain
-A: append a new rule after the existing rules. For example, if four rules already exist,
-A adds the fifth one.
-I: insert a rule. If no position is given, the rule is inserted as the first rule.
For example, if four rules already exist and you use -I, the new rule becomes rule one and the original four become rules two to five.
chain: INPUT, OUTPUT, FORWARD, etc. Which chain is used is tied to -i/-o; see below.
-io interface: the network interface on which the packet arrives or leaves
-i: the interface the packet arrives on, such as eth0, lo, etc. Used with the INPUT chain
-o: the interface the packet leaves on. Used with the OUTPUT chain
-p protocol: the packet protocol this rule applies to
The main protocols are tcp, udp, icmp and all.
-s source IP/network: the packet source this rule matches. You can give a single IP or a whole network, for example:
IP: 192.168.0.100
Network: 192.168.0.0/24, 192.168.0.0/255.255.255.0
To negate the match, put ! in front, for example:
-s ! 192.168.100.0/24 means packets from 192.168.100.0/24 are excluded, i.e. the rule applies to every other source.
-d destination IP/network: same as -s, but refers to the destination IP or network.
-j: followed by the action; the main actions are ACCEPT, DROP, REJECT and LOG
[root@www ~]# iptables [-AI chain] [-io interface] [-p tcp,udp] \
> [-s source IP/network] [--sport port range] \
> [-d destination IP/network] [--dport port range] -j [ACCEPT|DROP|REJECT]
[root@www ~]# iptables -A INPUT [-m state] [--state state]
Options and parameters:
-m: iptables extension modules; the most common are:
state: connection state module
mac: network card hardware (MAC) address module
--state: the connection state of the packet, mainly:
INVALID: invalid packet, e.g. one whose data is corrupted
ESTABLISHED: a connection that has already been successfully established
NEW: a packet that wants to establish a new connection
RELATED: the most commonly used! The packet is related to a connection our host has already initiated.
# flush all rules of the filter table
iptables -F
# delete all user-defined ("custom") chains
iptables -X
# reset the packet and byte counters of all chains to zero
iptables -Z
# set the default policy for the three chains of the filter table
iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT
iptables -P FORWARD ACCEPT
# basic rules
# accept everything that comes in on the lo interface (loopback traffic)
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -m state --state INVALID -j DROP
iptables -A INPUT -m mac --mac-source 94:de:80:89:41:93 -j DROP
iptables -A INPUT -p icmp -j ACCEPT
# custom rules
# for the INPUT chain of the filter table: tcp (ssh) and udp packets from 192.168.200.158 arriving on
# interface eth0 with destination port 22 are discarded
iptables -A INPUT -p tcp -s 192.168.200.158 -i eth0 --dport 22 -j DROP
iptables -A INPUT -p udp -s 192.168.200.158 -i eth0 --dport 22 -j DROP
# for the INPUT chain of the filter table: tcp packets with source port 1024 to 65000 from 192.168.200.158
# arriving on eth0 with destination port 21 are discarded. Note: -p must come before --sport.
iptables -A INPUT -p tcp --sport 1024:65000 -s 192.168.200.158 -i eth0 --dport 21 -j DROP
# note --syn: matches only packets that actively open a connection (SYN set, ACK and RST clear)
iptables -A INPUT -p tcp --sport 1024:65000 -i eth0 --dport 22 --syn -j DROP
iptables -A INPUT -s 192.168.200.156 -i eth0 -j DROP
# for the INPUT chain: packets from 192.168.200.0/24 arriving on the host's eth0 interface are accepted
iptables -A INPUT -s 192.168.200.0/24 -i eth0 -j ACCEPT
# icmp
icmp_type="0 3 4 8 11 12 14 16 18"
for typeicmp in $icmp_type
do
  iptables -A INPUT -p icmp --icmp-type $typeicmp -s 192.168.200.156 -j ACCEPT
  iptables -A INPUT -p icmp --icmp-type $typeicmp -s 192.168.200.158 -j ACCEPT
done
iptables -A INPUT -s 192.168.200.157 -j ACCEPT   # enables 192.168.200.157 to ping 192.168.200.157
iptables -A INPUT -s 127.0.0.1 -j ACCEPT         # enables 192.168.200.157 to ping 127.0.0.1 (localhost)
service iptables save
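As an added example (not part of the original page), a small Python model of how the INPUT chain above is evaluated: first matching rule wins, and an unmatched packet falls through to the -P policy. It shows why the -A/-I distinction matters: the same 192.168.200.0/24 ACCEPT rule appended after the DROP rules leaves the SSH drop for 192.168.200.158 in force, while inserting it at position 1 lets that traffic through. The rule set is a subset of the script (mac and icmp rules omitted) and the packets are constructed for illustration.

```python
import ipaddress

def rule(target, src=None, iface=None, proto=None, dport=None, sport=None, state=None):
    """One INPUT rule; None means the option was omitted (matches anything)."""
    return dict(target=target, src=src, iface=iface, proto=proto,
                dport=dport, sport=sport, state=state)

def append(chain, r):          # iptables -A: add after the existing rules
    chain.append(r)
def insert(chain, r, pos=1):   # iptables -I [pos]: default is the first position
    chain.insert(pos - 1, r)

def matches(r, pkt):
    """Every option given in the rule must match the packet (logical AND)."""
    if r["src"] and ipaddress.ip_address(pkt["src"]) not in ipaddress.ip_network(r["src"]):
        return False
    for key in ("iface", "proto", "dport"):
        if r[key] is not None and r[key] != pkt.get(key):
            return False
    if r["sport"] and not r["sport"][0] <= pkt.get("sport", 0) <= r["sport"][1]:
        return False           # --sport low:high is an inclusive range
    if r["state"] and pkt.get("state") not in r["state"]:
        return False
    return True

def verdict(chain, pkt, policy="DROP"):
    """First matching rule decides; with no match the chain policy (-P) applies."""
    for r in chain:
        if matches(r, pkt):
            return r["target"]
    return policy

def build_chain(subnet_rule_first=False):
    """Constructed subset of the script above: lo, state, ssh/ftp drops, subnet accept."""
    chain = []
    append(chain, rule("ACCEPT", iface="lo"))
    append(chain, rule("ACCEPT", state={"RELATED", "ESTABLISHED"}))
    append(chain, rule("DROP", state={"INVALID"}))
    append(chain, rule("DROP", src="192.168.200.158", iface="eth0", proto="tcp", dport=22))
    append(chain, rule("DROP", src="192.168.200.158", iface="eth0", proto="tcp", dport=21, sport=(1024, 65000)))
    subnet = rule("ACCEPT", src="192.168.200.0/24", iface="eth0")
    if subnet_rule_first:
        insert(chain, subnet)  # -I INPUT ...: lands ahead of the DROP rules
    else:
        append(chain, subnet)  # -A INPUT ...: evaluated only after the DROP rules
    return chain

# constructed sample packet: a new SSH connection attempt from 192.168.200.158 via eth0
SSH_FROM_158 = dict(src="192.168.200.158", iface="eth0", proto="tcp", dport=22, sport=40000, state="NEW")
```

Compare verdict(build_chain(), SSH_FROM_158) with verdict(build_chain(subnet_rule_first=True), SSH_FROM_158) to see the order effect.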