The iptables filter table explained in detail

2025-01-16 update. From: SLTechnology News&Howtos, Shulou (Shulou.com), 06/02 report


iptables trips up a lot of people, so this article walks through how to use it.

1. iptables format

1.1 iptables help

Check the usage of iptables with iptables --help:

[root@note1 ~]# iptables --help
iptables v1.4.21

Usage: iptables -[ACD] chain rule-specification [options]
       iptables -I chain [rulenum] rule-specification [options]
       iptables -R chain rulenum rule-specification [options]
       iptables -D chain rulenum [options]
       iptables -[LS] [chain [rulenum]] [options]
       iptables -[FZ] [chain] [options]
       iptables -[NX] chain
       iptables -E old-chain-name new-chain-name
       iptables -P chain target [options]
       iptables -h (print this help information)

1.2 iptables format

iptables [-t table] COMMAND chain [-m matchname [per-match-options]] -j targetname [per-target-options]

An iptables command consists of: table + command + chain + matching conditions + action.

2. iptables tables

iptables has four tables and five chains. Each table implements a different function, each table has its own set of chains, and a chain represents the point in the packet path at which the rules are applied.

The four tables are:

filter: packet filtering, the firewall proper
nat: source or destination address translation
mangle: unpacking a packet, modifying it and re-encapsulating it
raw: turning off the connection tracking that the nat table enables

The five chains are: PREROUTING, INPUT, FORWARD, OUTPUT, POSTROUTING.

Chains supported by different tables:

filter: INPUT, FORWARD, OUTPUT
nat: PREROUTING, INPUT, OUTPUT, POSTROUTING
mangle: PREROUTING, INPUT, FORWARD, OUTPUT, POSTROUTING
raw: OUTPUT, PREROUTING

Considerations when adding rules:

Which function the rule implements determines which table it goes in; which path the packet takes determines which chain it goes in.

Within a chain, the order of the rules is the order in which they are checked, which implies some rules of thumb for writing them:

For rules of the same kind (access to the same application), put the one with the narrowest match on top; for rules of different kinds (access to different applications), put the one that matches the most frequent traffic on top; merge several rules that can be expressed as a single rule; set a default policy.

If -t is not given to say which table to operate on, iptables operates on the filter table.

3. iptables commands

iptables commands fall into three categories: viewing, chain management and rule management.

3.1 Viewing iptables rules

-t: the table to view

-n: numeric output; do not reverse-resolve IP addresses into hostnames or ports into service names

-v: verbose output, including the packet and byte counters of each rule, the network interfaces involved, and so on

-L: list the rules of the current table

-S: print the rule definitions in command form

--line-numbers: show the rule numbers

# view the rules with iptables
[root@note1 ~]# iptables -vnL --line-numbers
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1      467 29128 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:22
2        0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 41 packets, 4276 bytes)
num   pkts bytes target     prot opt in     out     source               destination
[root@note1 ~]#
[root@note1 ~]# iptables -vnL INPUT --line-numbers
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1      502 31476 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:22
2        0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80
[root@note1 ~]#
# use the -S option to view the rule definitions
[root@note1 ~]# iptables -S
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT

3.2 Chain management

3.2.1 -N: create a new chain

-N: new, define a new custom rule chain

iptables -N test

3.2.2 -X: delete a chain

-X: delete, delete a custom rule chain

Note: only empty custom chains with a reference count of 0 (not referenced by any rule) can be deleted.

iptables -X test

3.2.3 -E: rename a chain

-E: rename a custom chain; a custom chain whose reference count is not 0 can be neither renamed nor deleted

iptables -N testrn
iptables -E testrn testrename

3.2.4 -P: default policy

-P: policy, set the default policy of a chain; for chains in the filter table the default policies listed by the article are:

ACCEPT: accept
DROP: discard silently
REJECT: reject

Use this with caution: when I tested it I had not added a rule to allow ssh first, so after I changed the default policy of the filter INPUT chain to DROP I could no longer connect to the virtual machine through Xshell and had to go into VMware to allow ssh.

iptables -P INPUT DROP

After adding the allow rule, we can reconnect to the host with Xshell.

iptables -A INPUT -p tcp --dport 22 -j ACCEPT
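The lockout above is avoidable if the rule list is checked the same way the chain evaluates it before any catch-all rule or policy change is made. The function below is an added example, not code from the original article: it reads text in the format of `iptables -S INPUT`, supplied here as constructed samples rather than output captured from note1, and reports whether an inbound TCP/22 packet would reach an ACCEPT before any unrestricted REJECT or DROP. On a live host it would be fed with the real `iptables -S INPUT` output.

```shell
# Constructed samples in `iptables -S INPUT` format (hypothetical, not captured from note1).
# SAFE_RULES allows ssh before the catch-all reject, as the article does;
# UNSAFE_RULES has the same two rules in the wrong order, which is the lockout case.
SAFE_RULES='-P INPUT ACCEPT
-A INPUT -d 176.16.128.1/32 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -d 176.16.128.1/32 -j REJECT --reject-with icmp-port-unreachable'

UNSAFE_RULES='-P INPUT ACCEPT
-A INPUT -d 176.16.128.1/32 -j REJECT --reject-with icmp-port-unreachable
-A INPUT -d 176.16.128.1/32 -p tcp -m tcp --dport 22 -j ACCEPT'

# ssh_reachable RULES
# Walks the -A INPUT rules in chain order (first match wins) and prints "safe"
# when a TCP/22 ACCEPT is reached before any unrestricted REJECT/DROP, otherwise
# "lockout". Exit status 0 = safe, 1 = lockout. A rule counts as a catch-all
# when it names no protocol, port or source address (an assumption of this check).
ssh_reachable() {
    printf '%s\n' "$1" | awk '
        /^-A INPUT / {
            ssh_ok = ($0 ~ /-p tcp/ && $0 ~ /--dport 22( |$)/ && $0 ~ /-j ACCEPT/)
            catch  = ($0 !~ /-p / && $0 !~ /--dport / && $0 !~ /-s / && $0 ~ /-j (REJECT|DROP)/)
            if (ssh_ok) { verdict = "safe";    exit }
            if (catch)  { verdict = "lockout"; exit }
        }
        END {
            if (verdict == "") verdict = "lockout"   # no ssh ACCEPT rule at all
            print verdict
            exit (verdict == "safe" ? 0 : 1)
        }'
}

# On a real host (root required): ssh_reachable "$(iptables -S INPUT)" || echo "fix the rule order first"
echo "safe sample:   $(ssh_reachable "$SAFE_RULES")"
echo "unsafe sample: $(ssh_reachable "$UNSAFE_RULES")"
```

Run the check after every `-A` or `-I` on INPUT and before `-P INPUT DROP`; a "lockout" verdict means the ssh ACCEPT must be inserted with `-I` ahead of the rejecting rule first.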

The following commands set up an effective default policy with an explicit final reject rule:

# allow ssh on the INPUT and OUTPUT chains first
iptables -A INPUT -d 176.16.128.1 -p tcp --dport 22 -j ACCEPT
iptables -A OUTPUT -s 176.16.128.1 -p tcp --sport 22 -j ACCEPT
# default reject rules: new rules must be inserted before them, everything except the rules above is rejected
iptables -A INPUT -d 176.16.128.1 -j REJECT
iptables -A OUTPUT -s 176.16.128.1 -j REJECT
# the default policy of the chains themselves stays ACCEPT
iptables -P INPUT ACCEPT
iptables -P OUTPUT ACCEPT

3.3 Rule management

3.3.1 -A: append rules

-A: append, append a rule after the existing rules of the chain

# add a rule on node note1 that rejects port 80
[root@note1 local]# iptables -A INPUT -p tcp --dport 80 -j REJECT
# the appended rule lands at position 2
[root@note1 local]# iptables -vnL --line-numbers
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1     4208  225K ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:22
2        2   120 REJECT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80 reject-with icmp-port-unreachable
# access port 80 of note1 from the master host
[root@master ~]# curl note1:80
curl: (7) Failed connect to note1:80; Connection refused
[root@master ~]#

3.3.2 -R: replace a rule

-R: replace, replace the rule at the given position on the given chain

# use -R to change the rule that rejects port 80 into one that accepts it
[root@note1 local]# iptables -R INPUT 2 -p tcp --dport 80 -j ACCEPT
# view iptables
[root@note1 local]# iptables -vnL --line-numbers
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1     4881  271K ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:22
2        0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80
# access port 80 from the master node: the web page content is returned
[root@master ~]# curl note1:80
I'm Note1
[root@master ~]#

3.3.3 -I: insert a rule

-I: insert, insert a rule at the given position; when the position is omitted the rule becomes the first one

# use iptables -I to insert a rule without specifying a position
[root@note1 ~]# iptables -I INPUT -p tcp --dport 3306 -j ACCEPT
# the newly added rule is the first one
[root@note1 ~]# iptables -nL INPUT --line-numbers
Chain INPUT (policy ACCEPT)
num  target     prot opt source               destination
1    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:3306
2    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:22
3    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:80
[root@note1 ~]#
# use iptables -I to insert a rule at position 2
[root@note1 ~]# iptables -I INPUT 2 -p tcp --dport 443 -j ACCEPT
[root@note1 ~]# iptables -nL INPUT --line-numbers
Chain INPUT (policy ACCEPT)
num  target     prot opt source               destination
1    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:3306
2    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:443
3    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:22
4    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:80
[root@note1 ~]#

3.3.4 -D: delete a rule

-D: delete, delete a rule either by its number or by specifying the rule itself

3.3.4.1 By rule number
[root@note1 ~]# iptables -nL INPUT --line-numbers
Chain INPUT (policy ACCEPT)
num  target     prot opt source               destination
1    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:3306
2    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:443
3    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:22
4    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:80
[root@note1 ~]# iptables -D INPUT 2
[root@note1 ~]# iptables -nL INPUT --line-numbers
Chain INPUT (policy ACCEPT)
num  target     prot opt source               destination
1    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:3306
2    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:22
3    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:80
[root@note1 ~]#

3.3.4.2 By the rule itself
[root@note1 ~]# iptables -nL INPUT --line-numbers
Chain INPUT (policy ACCEPT)
num  target     prot opt source               destination
1    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:3306
2    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:22
3    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:80
[root@note1 ~]# iptables -D INPUT -p tcp --dport 3306 -j ACCEPT
[root@note1 ~]# iptables -nL INPUT --line-numbers
Chain INPUT (policy ACCEPT)
num  target     prot opt source               destination
1    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:22
2    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:80
[root@note1 ~]#

3.3.5 -Z: zero the counters

Each rule of iptables has two counters:

(1) pkts: the number of packets the rule has matched
(2) bytes: the total size of all packets the rule has matched

[root@note1 ~]# iptables -vnL INPUT --line-numbers
Chain INPUT (policy ACCEPT 11 packets, 774 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1     1028 63752 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:22
2        0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80
[root@note1 ~]# iptables -Z INPUT
[root@note1 ~]# iptables -vnL INPUT --line-numbers
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1        6   364 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:22
2        0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80
[root@note1 ~]#

3.3.6 -F: flush a rule chain
[root@note1 ~]# iptables -vnL INPUT --line-numbers
Chain INPUT (policy ACCEPT 5 packets, 180 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1       46  2728 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:22
2        0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80
[root@note1 ~]# iptables -F INPUT
[root@note1 ~]# iptables -vnL INPUT --line-numbers
Chain INPUT (policy ACCEPT 6 packets, 364 bytes)
num   pkts bytes target     prot opt in     out     source               destination
[root@note1 ~]#

4. iptables matching conditions

4.1 Basic matching conditions

These are provided by iptables/netfilter itself and need no extension module to be loaded.

[!] -s, --source address[/mask][,...]: check whether the packet's source IP address matches the address or range given here
[!] -d, --destination address[/mask][,...]: check whether the packet's destination IP address matches the address or range given here; all addresses: 0.0.0.0/0
[!] -p, --protocol protocol: tcp, udp, udplite, icmp, icmpv6, esp, ah, sctp, mh or "all"; the most commonly used are tcp, udp and icmp
[!] -i, --in-interface name: the interface the packet arrives on; only meaningful for incoming packets, so usable only in the PREROUTING, INPUT and FORWARD chains
[!] -o, --out-interface name: the interface the packet leaves through; only meaningful for outgoing packets, so usable only in the FORWARD, OUTPUT and POSTROUTING chains

The exclamation mark in [!] negates the condition.

4.2 Extended matching conditions

4.2.1 Implicit extensions

Implicit extension: the extension module does not need to be named explicitly, because it extends a protocol: once -p names the protocol, the module to use is implied, and there is no need to name it again with -m.

4.2.1.1 tcp

[!] --source-port, --sport port[:port]: match the packet's source port; may be a port range
[!] --destination-port, --dport port[:port]: match the packet's destination port; may be a port range
[!] --tcp-flags mask comp: mask is the comma-separated list of flags to examine, e.g. SYN,ACK,FIN,RST; comp is the subset of them that must be set, e.g. SYN. "--tcp-flags SYN,ACK,FIN,RST SYN" means the four flags SYN, ACK, FIN and RST are examined, SYN must be 1 and the other three must be 0.
[!] --syn: matches the first packet of the three-way handshake; equivalent to "--tcp-flags SYN,ACK,FIN,RST SYN"

The exclamation mark in [!] negates the condition.
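The mask/comp semantics of --tcp-flags are easy to misread, so the function below spells them out. It is an added example, not code from the article: it evaluates one "--tcp-flags MASK COMP" condition against the flags actually set in a TCP segment, exactly as the text describes (every flag in the mask must be set if it appears in comp and clear if it does not; flags outside the mask are ignored). The ALL and NONE keywords are the ones iptables(8) accepts for the two lists; the flag sets passed in are constructed inputs.

```shell
# tcp_flags_match MASK COMP FLAGS
# MASK and COMP are the two comma-separated lists given to --tcp-flags; FLAGS is the
# comma-separated set of flags present in the segment ("" for a segment with none).
# Prints "match" or "no match" and exits 0 or 1 accordingly.
# Added example; ALL expands to FIN,SYN,RST,PSH,ACK,URG and NONE to the empty set, as in iptables(8).
tcp_flags_match() {
    mask=$1; comp=$2; flags=$3
    [ "$mask" = ALL ] && mask="FIN,SYN,RST,PSH,ACK,URG"
    [ "$comp" = NONE ] && comp=""
    awk -v mask="$mask" -v comp="$comp" -v flags="$flags" '
    BEGIN {
        n = split(mask, m, ",")
        c = split(comp, want_list, ",")
        f = split(flags, have_list, ",")
        for (i = 1; i <= c; i++) want[want_list[i]] = 1
        for (i = 1; i <= f; i++) have[have_list[i]] = 1
        ok = 1
        for (i = 1; i <= n; i++) {
            # a masked flag must be present exactly when comp lists it
            expected = (m[i] in want)
            actual   = (m[i] in have)
            if (expected != actual) ok = 0
        }
        print (ok ? "match" : "no match")
        exit (ok ? 0 : 1)
    }'
}

# The condition behind --syn, applied to three constructed segments:
# a bare SYN (new connection), SYN+ACK (second handshake step), and SYN+PSH (PSH is outside the mask).
for segment in "SYN" "SYN,ACK" "SYN,PSH"; do
    printf '%-8s -> %s\n' "$segment" "$(tcp_flags_match "SYN,ACK,FIN,RST" "SYN" "$segment")"
done
# "--tcp-flags ALL NONE" matches a segment with no flags set at all
printf '%-8s -> %s\n' "(none)" "$(tcp_flags_match "ALL" "NONE" "")"
```

The SYN,PSH case is the one worth remembering: because PSH is not in the mask it is simply not examined, so the segment still counts as a connection request.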

4.2.1.2 udp

[!] --source-port, --sport port[:port]: match the packet's source port; may be a port range
[!] --destination-port, --dport port[:port]: match the packet's destination port; may be a port range

The exclamation mark in [!] negates the condition.

4.2.1.3 icmp

[!] --icmp-type {type[/code]|typename}

The exclamation mark in [!] negates the condition.

ICMP types:

Type 8: echo request, echo-request (ping request)

Type 0: echo reply, echo-reply (ping reply)

We let INPUT accept packets with icmp-type 0 and OUTPUT accept packets with icmp-type 8, with the default rule set to reject, so that we can ping other hosts but other hosts cannot ping us.

# the default reject rule is about to be added, so allow ssh first
[root@note1 ~]# iptables -A INPUT -d 176.16.128.1 -p tcp --dport 22 -j ACCEPT
[root@note1 ~]# iptables -A OUTPUT -s 176.16.128.1 -p tcp --sport 22 -j ACCEPT
# add the default reject rules
[root@note1 ~]# iptables -A INPUT -d 176.16.128.1 -j REJECT
[root@note1 ~]# iptables -A OUTPUT -s 176.16.128.1 -j REJECT
[root@note1 ~]# iptables -nL
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     tcp  --  0.0.0.0/0            176.16.128.1         tcp dpt:22
REJECT     all  --  0.0.0.0/0            176.16.128.1         reject-with icmp-port-unreachable

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     tcp  --  176.16.128.1         0.0.0.0/0            tcp spt:22
REJECT     all  --  176.16.128.1         0.0.0.0/0            reject-with icmp-port-unreachable
# now try ping: the request cannot be sent, because ping is not allowed in iptables
[root@note1 ~]# ping 176.16.128.8
PING 176.16.128.8 (176.16.128.8) 56(84) bytes of data.
ping: sendmsg: Operation not permitted
^C
--- 176.16.128.8 ping statistics ---
3 packets transmitted, 0 received, 100% packet loss, time 1999ms
# add a rule to the OUTPUT chain that allows ping requests to be sent
[root@note1 ~]# iptables -I OUTPUT 2 -s 176.16.128.1 -p icmp --icmp-type 8 -j ACCEPT
# try ping again: the request goes out, but there is no reply
[root@note1 ~]# ping 176.16.128.8
PING 176.16.128.8 (176.16.128.8) 56(84) bytes of data.
# capturing with tcpdump shows that the ping request does get a reply; it is the INPUT chain that does not let it in
[root@note1 ~]# tcpdump -i eno16777736 icmp
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eno16777736, link-type EN10MB (Ethernet), capture size 262144 bytes
20:45:00.605683 IP note1 > master: ICMP echo request, id 4276, seq 64, length 64
… IP master > note1: ICMP echo reply, id 4276, seq 64, length 64
20:45:01.606935 IP note1 > master: ICMP echo request, id 4276, seq 65, length 64
… IP master > note1: ICMP echo reply, id 4276, seq 65, length 64
^C
8 packets captured
8 packets received by filter
0 packets dropped by kernel
[root@note1 ~]#
# allow the reply to the ping request in the INPUT chain
[root@note1 ~]# iptables -I INPUT 2 -d 176.16.128.1 -p icmp --icmp-type 0 -j ACCEPT
# now we can ping other hosts
[root@note1 ~]# ping 176.16.128.8
PING 176.16.128.8 (176.16.128.8) 56(84) bytes of data.
64 bytes from 176.16.128.8: icmp_seq=228 ttl=64 time=0.687 ms
64 bytes from 176.16.128.8: icmp_seq=229 ttl=64 time=0.432 ms
^C
--- 176.16.128.8 ping statistics ---
231 packets transmitted, 4 received, 98% packet loss, time 230101ms
rtt min/avg/max/mdev = 0.432/0.804/1.443/0.382 ms
[root@note1 ~]#

To let other hosts ping us as well, append to the INPUT chain a rule accepting icmp-type 8 and to the OUTPUT chain a rule accepting icmp-type 0; then ping works in both directions.

4.2.2 Explicit extensions

Explicit extension: the -m option must be used to name the extension module to invoke.

Use man iptables-extensions to see the usage of the explicit extensions.

4.2.2.1 multiport

Defines a multi-port matching condition, as discrete ports or contiguous ranges, up to 15 ports.

[!] --source-ports, --sports port[,port|,port:port]...: specify multiple source ports
[!] --destination-ports, --dports port[,port|,port:port]...: specify multiple destination ports

The exclamation mark in [!] negates the condition.

We said earlier that several rules which can be expressed as one rule should be merged; this is not only more concise but also makes packet processing more efficient.

# use iptables to allow ports 21, 22, 23, 80, 139, 443, 445 and 3306
iptables -A INPUT -p tcp -m multiport --dports 21,22,23,80,139,443,445,3306 -j ACCEPT

4.2.2.2 iprange

Specifies multiple IP addresses as a contiguous address range.

[!] --src-range from[-to]: source address range
[!] --dst-range from[-to]: destination address range

The exclamation mark in [!] negates the condition.

Allow only hosts in the IP range 176.16.128.5-176.16.128.10 to reach the host (here: to ping it).

[root@note1 init.d]# iptables -I INPUT 2 -p icmp --icmp-type 8 -m iprange --src-range 176.16.128.5-176.16.128.10 -j ACCEPT
[root@note1 init.d]# iptables -I OUTPUT 2 -p icmp --icmp-type 0 -s 176.16.128.1 -j ACCEPT
# ping the host from 176.16.128.2: no reply
[root@note2 ~]# ping 176.16.128.1
PING 176.16.128.1 (176.16.128.1) 56(84) bytes of data.
^C
--- 176.16.128.1 ping statistics ---
11 packets transmitted, 0 received, 100% packet loss, time 10076ms
[root@note2 ~]#
# ping the host from 176.16.128.8, which is inside the range: replies are received
[root@master ~]# ping 176.16.128.1
PING 176.16.128.1 (176.16.128.1) 56(84) bytes of data.
64 bytes from 176.16.128.1: icmp_seq=1 ttl=64 time=0.539 ms
64 bytes from 176.16.128.1: icmp_seq=2 ttl=64 time=0.922 ms
^C
--- 176.16.128.1 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1020ms
rtt min/avg/max/mdev = 0.539/0.730/0.922/0.193 ms
[root@master ~]#

4.2.2.3 time

Matches on the time of day or the date range at which the packet arrives.

--timestart hh:mm[:ss]
--timestop hh:mm[:ss]
[!] --weekdays day[,day...]
[!] --monthdays day[,day...]
--datestart YYYY[-MM[-DD[Thh[:mm[:ss]]]]]
--datestop YYYY[-MM[-DD[Thh[:mm[:ss]]]]]
--kerneltz: use the kernel's configured time zone instead of the default UTC

The exclamation mark in [!] negates the condition.

Time of day is usually combined with the day of the week, or with the day of the month; dates are rarely used.

# INPUT chain: hosts in the office range 176.16.128.5-176.16.128.10 may use the telnet service from 9:00 to 17:00, Monday to Friday
iptables -I INPUT 2 -d 176.16.128.1 -p tcp --dport 23 -m iprange --src-range 176.16.128.5-176.16.128.10 -m time --timestart 9:00:00 --timestop 17:00:00 --weekdays 1,2,3,4,5 --kerneltz -j ACCEPT
# OUTPUT chain: allow the telnet service's replies
iptables -I OUTPUT 2 -s 176.16.128.1 -p tcp --sport 23 -j ACCEPT

4.2.2.4 string

This module matches a given string in the packet payload using a pattern-matching algorithm.

--algo {bm|kmp}: matching algorithm
[!] --string pattern: the string to look for
[!] --hex-string pattern: the string to look for, in hexadecimal encoding
--from offset: position in the packet at which to start checking
--to offset: position in the packet at which to stop checking

The exclamation mark in [!] negates the condition.

This only takes effect on plaintext (unencrypted) protocol data.

# reject outgoing packets whose payload contains the string "gay"
iptables -I OUTPUT -m string --algo bm --string "gay" -j REJECT

4.2.2.5 connlimit

Limits the number of parallel connections from each client address to the server.

--connlimit-upto n: match when the number of existing connections is less than or equal to n
--connlimit-above n: match when the number of existing connections is greater than n

Which one to use depends on the default rule: when the default rule is reject, use upto, so that connections up to the limit are allowed and anything above the limit falls through to the default rule.

# allow at most 2 ssh connections per client
iptables -I INPUT -p tcp -d 176.16.128.1 --dport 22 -m connlimit --connlimit-upto 2 -j ACCEPT

4.2.2.6 limit

This module uses a token bucket to limit the rate of requests.

--limit rate[/second|/minute|/hour|/day]: the sustained rate per second, minute, hour or day
--limit-burst number: the maximum initial burst, i.e. the peak (bucket size)

To limit the rate at which a local tcp service accepts new connection requests, combine --syn with -m limit.
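To make the interaction of --limit and --limit-burst concrete, the function below simulates an idealised token bucket over a constructed sequence of packet arrival times. It is an added example, not code from the article, and it is a simplification: xt_limit counts its credits in kernel jiffies, so its rounding differs slightly from this whole-token model.

```shell
# limit_simulate RATE_PER_MINUTE BURST "T1 T2 ..."
# Idealised token bucket for "-m limit --limit RATE/minute --limit-burst BURST".
# The bucket starts full with BURST tokens and refills at RATE tokens per minute;
# a packet arriving at second T (timestamps must be non-decreasing) is ACCEPTed
# by the limit rule if a whole token is available; otherwise the rule does not
# match and, in the article's layout, the packet reaches the default REJECT rule.
# Tokens are kept in sixtieths so that the arithmetic stays integer.
# Added example, not the article's code.
limit_simulate() {
    rate=$1; burst=$2; times=$3
    printf '%s\n' "$times" | tr ' ' '\n' | awk -v rate="$rate" -v burst="$burst" '
    BEGIN { cap = burst * 60; tokens = cap; last = 0; out = "" }
    NF {
        t = $1 + 0
        tokens += (t - last) * rate        # rate/60 tokens per second, in sixtieths
        if (tokens > cap) tokens = cap     # the bucket never holds more than the burst
        last = t
        if (tokens >= 60) { tokens -= 60; v = "ACCEPT" } else { v = "REJECT" }
        out = out (out == "" ? "" : " ") v
    }
    END { print out }'
}

# Eight echo requests at t = 0,0,0,0,1,3,6,30 s against --limit 20/minute --limit-burst 3:
# the burst of three passes, the fourth and fifth are refused, and from then on one
# packet every 3 s fits the sustained rate (20/minute).
echo "$(limit_simulate 20 3 "0 0 0 0 1 3 6 30")"
```

The practical reading: --limit-burst decides how many packets get through immediately after a quiet period, and --limit decides how quickly that allowance comes back.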

# limit ping requests to the host to 20 per minute, with a burst of 3
[root@note1 sysconfig]# iptables -I INPUT 2 -p icmp --icmp-type 8 -m limit --limit 20/minute --limit-burst 3 -j ACCEPT
[root@note1 sysconfig]# iptables -I OUTPUT 2 -p icmp --icmp-type 0 -j ACCEPT
[root@note1 sysconfig]# iptables -vnL
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
  893 57538 ACCEPT     tcp  --  *      *       0.0.0.0/0            176.16.128.1         tcp dpt:22 #conn src/32 <= 2
(the rest of this listing, and the text that followed it, is missing from the source page)

Save: iptables-save > /PATH/TO/SOME_RULE_FILE

Reload: iptables-restore < /PATH/FROM/SOME_RULE_FILE

-n, --noflush: do not flush the existing rules before loading

-t, --test: only parse and build the rule set, do not commit it

CentOS 6

Save the rules:

service iptables save

Saves the rules to the file /etc/sysconfig/iptables, overwriting it.

Reload the rules:

service iptables restart

Reloads the rules from /etc/sysconfig/iptables by default.

Configuration file: /etc/sysconfig/iptables-config

CentOS 7

(1) a custom unit file for iptables-restore

(2) the firewalld service

(3) a custom script

7. Rule optimization

Use custom chains to manage application-specific rules, so that rules are managed in modules.
Give priority to packets in the ESTABLISHED state (both directions of an existing connection).
Among rules serving different kinds of function, put the ones that match the most frequent traffic first.
Among rules serving the same kind of function, put the stricter matching conditions first.
Set the default policy as a whitelist mechanism.

Doing this with iptables -P is not recommended.

It is recommended to define the default policy as the last rule of the chain instead.
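The five optimisation points above describe a rule set without showing one, so here is an added example (not code from the article) that generates one in iptables-restore(8) format and checks it before loading. It assumes a single host address and a list of service ports as inputs; the custom chain name SERVICES, the connlimit of 2 on ssh and the port list 21,80,443 are choices made for the example. Per the article's recommendation the chain policy stays ACCEPT and the last INPUT rule is an explicit REJECT. The conntrack match is used for the ESTABLISHED state.

```shell
# build_whitelist_ruleset HOST_IP "PORT,PORT,..."
# Emits an iptables-restore(8) file for the filter table laid out as the
# optimisation advice suggests: ESTABLISHED/RELATED traffic first (the bulk of
# the packets), loopback, ssh before anything that could reject it, application
# ports in a custom chain, and an explicit final REJECT as the effective default
# policy while the chain policy itself stays ACCEPT.
# Added example; HOST_IP, the port list and the chain name SERVICES are inputs or choices of this example.
build_whitelist_ruleset() {
    host=$1; ports=$2
    cat <<EOF
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:SERVICES - [0:0]
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -d $host -p tcp --dport 22 --syn -m connlimit --connlimit-upto 2 -j ACCEPT
-A INPUT -d $host -p tcp --syn -j SERVICES
-A SERVICES -p tcp -m multiport --dports $ports -j ACCEPT
-A INPUT -d $host -j REJECT --reject-with icmp-port-unreachable
COMMIT
EOF
}

# ruleset_sanity RULESET
# The checks a reviewer applies before loading the file: the stateful rule is
# the first INPUT rule, the ssh ACCEPT precedes the catch-all REJECT/DROP, and
# the table ends with COMMIT. Prints "ok" or the first problem found; exit 0/1.
ruleset_sanity() {
    printf '%s\n' "$1" | awk '
        /^-A INPUT / {
            n++
            if (n == 1 && $0 !~ /ESTABLISHED/) fail = "first INPUT rule is not the stateful ACCEPT"
            if ($0 ~ /--dport 22( |$)/ && $0 ~ /-j ACCEPT/) ssh = n
            if ($0 !~ /-p / && $0 ~ /-j (REJECT|DROP)/) deny = n
        }
        /^COMMIT$/ { committed = 1 }
        END {
            if (fail == "" && !committed) fail = "missing COMMIT"
            if (fail == "" && (!ssh || !deny || ssh > deny)) fail = "ssh ACCEPT does not precede the catch-all deny"
            print (fail == "" ? "ok" : fail)
            exit (fail == "" ? 0 : 1)
        }'
}

# Generate, check, and only then hand the file to iptables-restore --test (a dry
# run that needs root, so it is left as the final manual step).
ruleset=$(build_whitelist_ruleset 176.16.128.1 21,80,443)
echo "$ruleset"
echo "sanity: $(ruleset_sanity "$ruleset")"
# printf '%s\n' "$ruleset" | iptables-restore --test
```

Keeping the chain policy at ACCEPT with an explicit final REJECT, as the article recommends, also means that an `iptables -F INPUT` during maintenance leaves the host reachable (it fails open to the ACCEPT policy) instead of locking the administrator out as a DROP policy would; the trade-off is that a flushed chain filters nothing until the file is restored.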
