iptables [-t table] -I chain [rulenum] rule-specification
rule-specification = [matches…] [target]
match = -m matchname [per-match-options]
target = -j targetname [per-target-options]
使用-j
或者--jump
指定目标。目标可以是用户定义的链,也可以是一个特殊的内置目标ACCEPT、DROP、QUEUE、RETURN,或者是目标扩展,如REJECT和LOG。
iptables [-t table] [-L] [-nv]
-t
:table,如 nat 或 filter,若省略则默认为 filter 表
-L
:列出当前table的规则
-n
:不进行 IP 与 HOSTNAME 的反查
-v
:列出更多的信息,包括封包总位数、网络接口等
## 删除已有规则
iptables [-t table] -F [chain];
iptables [-t table] --flush [chain];
iptables [-t table] -X [chain];
iptables [-t table] --delete-chain [chain];
## -X 和 -F 的区别
#-F是清空选定的链。如果没有给定链,则为表中的所有链(内置链和自定义链)。
#-F是清空链中的规则而不是删除链。注意“清空链”的表述,不要误解“删除链”。
#-X是删除指定的链(用户定义的链)。如果没有给定链,将尝试删除表中的每个非内置链。
#-X是-N的反操作,即 --delete-chain 是 --new-chain 的反操作,仅限于用户定义的链。
#-X删除链要确保链没被引用,否则iptables: Too many links.
#-X删除链要确保链内没有规则,否则iptables: Directory not empty.
## Set the default policy of the built-in chains
# The policy is the verdict applied to a packet that reaches the end of a
# built-in chain without matching any rule (user-defined chains have no policy).
# -P and --policy are the same option; both spellings are shown, so each chain
# is set twice here. With ACCEPT as the policy, anything that no rule explicitly
# drops is let through.
for chain in INPUT FORWARD OUTPUT; do
    iptables -P "$chain" ACCEPT
done
for chain in INPUT FORWARD OUTPUT; do
    iptables --policy "$chain" ACCEPT
done
## Drop packets arriving from 192.168.10.18
# Rules are evaluated top to bottom and -A/--append adds at the END of the chain,
# so a DROP appended after an earlier rule that already accepts this traffic
# never fires; use -I to put a blacklist entry ahead of the accept rules.
iptables --append INPUT --source 192.168.10.18 --jump DROP
## Blacklist
# Same thing with the table named explicitly; filter is the default table anyway.
iptables --table filter --append INPUT --source 192.168.75.129 --jump DROP
## Drop TCP packets from 192.168.10.18
# Only TCP is dropped; UDP/ICMP from the same host is still subject to the
# remaining rules.
iptables --append INPUT --protocol tcp --source 192.168.10.18 --jump DROP
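## Open port 22
# "-m conntrack --ctstate NEW" matches only the packets that open a connection;
# the rest of an accepted connection is expected to be admitted by a
# RELATED,ESTABLISHED rule (as in the full ruleset further down this page).
# The older "-m state --state NEW" spelling used here before is kept by
# iptables as a compatibility alias; conntrack is the current module and is
# what the rest of this page uses, so the two forms are now consistent.
iptables -A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
## Allow port 22 only from a given network
# This is a restriction only if the unrestricted rule above is NOT also loaded:
# with both appended, the earlier rule already accepts port 22 from anywhere
# and this one is never reached.
iptables -A INPUT -p tcp -s 192.168.100.0/24 --dport 22 -m conntrack --ctstate NEW -j ACCEPT
## Use multiport to fold several ports into one rule
# --dports takes a comma-separated list; ranges such as 10:20 are accepted too.
iptables -A INPUT -p tcp -m multiport --dports 22,80,443 -m conntrack --ctstate NEW -j ACCEPT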
## Let external hosts ping this host
# echo-request in, echo-reply out. Where a RELATED,ESTABLISHED rule exists on
# OUTPUT the reply line is redundant, but it is harmless and self-explanatory.
iptables --append INPUT --protocol icmp --icmp-type echo-request --jump ACCEPT
iptables --append OUTPUT --protocol icmp --icmp-type echo-reply --jump ACCEPT
## Let this host ping external hosts
iptables --append OUTPUT --protocol icmp --icmp-type echo-request --jump ACCEPT
iptables --append INPUT --protocol icmp --icmp-type echo-reply --jump ACCEPT
## Allow loopback (127.0.0.1) traffic on a server
# Match on the interface (lo), not on the 127.0.0.0/8 address: many local
# services depend on loopback, and matching the address alone would also accept
# packets claiming a 127.x source that arrive on a real interface.
iptables --append INPUT --in-interface lo --jump ACCEPT
iptables --append OUTPUT --out-interface lo --jump ACCEPT
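## Send all traffic arriving on port 422 to port 22
# DNAT in nat/PREROUTING rewrites the destination before the routing decision.
# It only sees packets arriving from other hosts; locally generated traffic
# would need the same rule in nat/OUTPUT. Only the first packet of a connection
# is evaluated here; conntrack then applies the mapping to the rest of it.
iptables -t nat -A PREROUTING -p tcp -d 192.168.102.37 --dport 422 -j DNAT --to-destination 192.168.102.37:22
# Forwarding to another host: the FORWARD chain must also accept the traffic and
# net.ipv4.ip_forward must be enabled, otherwise the rewritten packet is dropped.
iptables -t nat --append PREROUTING --protocol tcp --dport 8002 --jump DNAT --to-destination 192.168.1.107:80
## DNAT / SNAT / MASQUERADE
# Target names are case-sensitive and spelled in upper case (DNAT, SNAT,
# MASQUERADE, like ACCEPT/DROP); the lower-case spellings used here before
# fail to load the target extension, so none of these rules could be added.
iptables -t nat -A PREROUTING -p tcp -d 192.168.75.128 --dport 22 -s 192.168.75.129 -j DNAT --to-destination 192.168.75.131:22
# SNAT with a fixed source address; valid in POSTROUTING, after routing.
iptables -t nat -A POSTROUTING -p tcp -d 192.168.75.131 -s 192.168.75.129 --dport 22 -j SNAT --to-source 192.168.75.128
# MASQUERADE is SNAT to whatever address the outgoing interface currently has,
# meant for dynamic addresses. It matches exactly the same traffic as the SNAT
# rule above, so appended after it this rule is never reached: the two are
# alternatives, load one or the other.
iptables -t nat -A POSTROUTING -p tcp -d 192.168.75.131 -s 192.168.75.129 --dport 22 -j MASQUERADE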
# List the current rules (filter table) with a position number per rule
iptables --list --line-numbers
# Append a rule at the end of INPUT
iptables --append INPUT --protocol tcp --dport 12345 --jump ACCEPT
# Insert a rule into INPUT at position 7 (it becomes rule 7; the old rule 7
# and everything after it move down one place)
iptables --insert INPUT 7 --protocol tcp --dport 12345 --jump ACCEPT
# Delete whatever rule currently sits at position 13 in INPUT
# Positions shift every time a rule is inserted or deleted, so re-list right
# before deleting by number; deleting by full rule specification
# (-D INPUT <the rule as added>) cannot remove the wrong rule.
iptables --delete INPUT 13
# A complete INPUT ruleset. Rules are evaluated in order; the last one drops
# whatever nothing above accepted (an explicit final DROP rather than -P INPUT DROP).
# Loopback.
iptables --append INPUT --in-interface lo --jump ACCEPT
# Replies and follow-up packets of connections conntrack already knows.
iptables --append INPUT --match conntrack --ctstate RELATED,ESTABLISHED --jump ACCEPT
# Anti-spoofing: a 127.0.0.0/8 source is only legitimate on lo.
iptables --append INPUT --source 127.0.0.0/8 ! --in-interface lo --jump DROP
# ICMP by type number: 0 echo-reply, 3 destination-unreachable,
# 11 time-exceeded, 12 parameter-problem. Type 8 (echo-request) is not
# accepted anywhere in this set, so the host does not answer ping.
# NOTE(review): conntrack classifies echo-replies and ICMP error messages as
# RELATED (when they belong to a tracked flow) or INVALID, not NEW, so these
# four rules probably never match and the RELATED,ESTABLISHED rule above is
# what actually admits such packets — confirm before relying on them.
iptables --append INPUT --protocol icmp --match icmp --icmp-type 0 --match conntrack --ctstate NEW --jump ACCEPT
iptables --append INPUT --protocol icmp --match icmp --icmp-type 3 --match conntrack --ctstate NEW --jump ACCEPT
iptables --append INPUT --protocol icmp --match icmp --icmp-type 11 --match conntrack --ctstate NEW --jump ACCEPT
iptables --append INPUT --protocol icmp --match icmp --icmp-type 12 --match conntrack --ctstate NEW --jump ACCEPT
# Per-host rules for two public DNS resolvers. Replies to this host's own
# queries are already covered by RELATED,ESTABLISHED, so the ACCEPT below only
# matters for connections that 8.8.8.8 itself initiates.
iptables --append INPUT --source 114.114.114.114/32 --jump DROP
iptables --append INPUT --source 8.8.8.8/32 --jump ACCEPT
# New TCP connections to individual ports.
iptables --append INPUT --protocol tcp --match tcp --dport 443 --match conntrack --ctstate NEW --jump ACCEPT
iptables --append INPUT --protocol tcp --match tcp --dport 12227 --match conntrack --ctstate NEW --jump ACCEPT
# NOTE(review): 10:65535 accepts new TCP connections to almost every port.
# That makes the two single-port rules above redundant and leaves the final
# DROP protecting only TCP ports 1-9, UDP and other protocols — confirm this
# range is intended before reusing the set.
iptables --append INPUT --protocol tcp --match multiport --dports 10:65535 --match conntrack --ctstate NEW --jump ACCEPT
# Default deny for everything not accepted above. Any rule appended later
# lands after this line and is never reached; insert with -I instead.
iptables --append INPUT --jump DROP
##
# Accept everything this host is asked to forward, from any source. -I with no
# position inserts at the top of FORWARD, ahead of any existing restriction, so
# this makes the host an unfiltered router for whatever it routes (container
# traffic included). 0.0.0.0/0 is the same as giving no --source at all.
iptables --insert FORWARD --source 0.0.0.0/0 --jump ACCEPT
# Accept input arriving on the Docker bridge (container -> host).
iptables --append INPUT --in-interface docker0 --jump ACCEPT
## Debug iptables by inserting a LOG rule
# LOG is a non-terminating target: it writes the packet header to the kernel
# log (dmesg / journalctl -k) and evaluation continues with the next rule, so
# inserting it at position 4 shows which packets reach that point in FORWARD.
# --log-level 7 is debug. An unrated LOG rule on a busy chain can flood the
# log; "-m limit" is the usual guard if the rule is left in place.
iptables --insert FORWARD 4 --jump LOG --log-prefix "RULE4:" --log-level 7
## Delete the rule at position 4
# This removes whatever currently sits at position 4. If the chain changed in
# between, deleting by specification
# (-D FORWARD -j LOG --log-prefix "RULE4:" --log-level 7) is the safer form.
iptables --delete FORWARD 4
## Verify the rule is gone
iptables --list --verbose --numeric --line-numbers | grep FORWARD -A30
## LOG rule for the nat table
## insert the rule at position 3
iptables --table nat --insert POSTROUTING 3 --jump LOG --log-prefix "NAT3:" --log-level 7
## verify the LOG rule was created
iptables --table nat --list --numeric --verbose --line-numbers
## delete the rule at position 3
iptables --table nat --delete POSTROUTING 3
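## PREROUTING vs POSTROUTING
# SNAT (rewrite the source) is only valid in nat/POSTROUTING (and INPUT),
# after routing; DNAT (rewrite the destination) only in nat/PREROUTING (and
# OUTPUT), before routing. The address is given with --to-source /
# --to-destination; a bare address after the target name is not an accepted
# option. The two lines as previously written had the chains swapped and
# omitted the option, so neither could be loaded.
# LAN hosts leave with the public address 61.129.66.5:
iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -j SNAT --to-source 61.129.66.5
# Traffic arriving for 202.96.129.5 is handed to the internal host 192.168.1.2:
iptables -t nat -A PREROUTING -d 202.96.129.5 -j DNAT --to-destination 192.168.1.2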
ref
- https://ipset.netfilter.org/iptables.man.html
- https://linux.die.net/man/8/iptables
- https://man7.org/linux/man-pages/man8/iptables.8.html
- https://man7.org/linux/man-pages/man8/iptables-extensions.8.html
- https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/4/html/reference_guide/ch-iptables
- https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/6/html/security_guide/sect-Security_Guide-IPTables
- https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/security_guide/sec-using_firewalls
- https://www.frozentux.net/iptables-tutorial/chunkyhtml/index.html