Using iptables commands
1. Basic chain operations
(1) Clearing rules
1) Flush the rules of every chain in the default table (filter)
# iptables -F
2) Delete the user-defined chains in the default table (filter); a chain must be empty and unreferenced before -X can remove it, so run -F first
# iptables -X
3) Zero the packet and byte counters of the chains (add a chain name to zero only that chain)
# iptables -Z
All three act on the filter table unless -t <table> is given; the nat, mangle and raw tables keep their rules.
(2) Setting the default policy of a chain
1) Allow everything, then prohibit specific traffic
Initialize with the following commands
# iptables -P INPUT ACCEPT
# iptables -P OUTPUT ACCEPT
# iptables -P FORWARD ACCEPT
2) Prohibit everything, then allow specific traffic
Initialize with the following commands
# iptables -P INPUT DROP
# iptables -P OUTPUT DROP
# iptables -P FORWARD DROP
The policy takes effect immediately and applies to every packet that matches no rule in the chain. On a host administered over SSH, add the rules that accept the management session (and established connections) before setting INPUT and OUTPUT to DROP, or run the commands from the console; otherwise the session is cut the moment the policy changes.
(3) Listing all rules in a table or chain
# iptables -L -n
-n prints addresses and ports numerically instead of resolving them; add -v for counters and interfaces, --line-numbers to number the rules for a later -D or -I, and -t <table> for a table other than filter.
(4) Adding rules to a chain. The following rules open the loopback and eth0 network interfaces in both directions
# iptables -A INPUT -i lo -j ACCEPT
# iptables -A OUTPUT -o lo -j ACCEPT
# iptables -A INPUT -i eth0 -j ACCEPT
# iptables -A OUTPUT -o eth0 -j ACCEPT
# iptables -A FORWARD -i eth0 -j ACCEPT
# iptables -A FORWARD -o eth0 -j ACCEPT
-A appends the rule at the end of the chain; -I inserts it at the top (or at a given position). Rules are evaluated in order and the first match decides, so an unconditional ACCEPT on eth0 such as the ones above makes every later, more specific rule for that interface unreachable.
(5) Using a user-defined chain
# iptables -N custom
# iptables -A custom -s 0/0 -d 0/0 -p icmp -j DROP
# iptables -A INPUT -s 0/0 -d 0/0 -j custom
-N creates the chain, the second command fills it (here: drop all ICMP from any source to any destination; -s 0/0 -d 0/0 is the default and may be omitted), and the third sends INPUT traffic through it. A packet that matches nothing in the user chain returns to the calling chain at the rule after the jump; user chains have no policy of their own.
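The script below is an added example and not part of the original page. It builds the "prohibit first, then allow" filter table of subsection (2) as an iptables-restore ruleset, so the DROP policy and the rules that keep an SSH administrator connected are loaded in one atomic commit; it wires in the loopback rule of (4) and the custom chain of (5), and lints the ruleset for the classic lockout before loading it. The management network 192.168.0.0/24, the interface name eth0 and the function names gen_filter_rules, check_no_lockout and apply_rules are assumptions made for the illustration.

```shell
#!/bin/sh
# Added example, not part of the original page: build the "prohibit first, then
# allow" filter table as an iptables-restore ruleset, lint it for the classic
# SSH lockout, and only then load it atomically.
# Assumed values (illustrative, adjust to the host):
MGMT_NET="${MGMT_NET:-192.168.0.0/24}"   # network the administrators SSH in from
WAN_IF="${WAN_IF:-eth0}"                  # interface carrying untrusted traffic

# Emit the ruleset. ":CHAIN POLICY" lines declare the default policies, -A lines
# are appended in the order given, and iptables-restore commits the whole table
# in one step, so INPUT is never DROP while the SSH rule is still missing.
gen_filter_rules() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:custom - [0:0]
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -i $WAN_IF -p tcp -s $MGMT_NET --dport 22 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A custom -p icmp -j DROP
-A INPUT -j custom
COMMIT
EOF
}

# Lockout lint for a ruleset string: when the INPUT policy is DROP, an ACCEPT for
# TCP port 22 must exist and must come before the first DROP/REJECT rule in
# INPUT. Returns 0 when the ruleset is safe to load over SSH, 1 otherwise.
check_no_lockout() {
    ruleset="$1"
    policy=$(printf '%s\n' "$ruleset" | awk '$1 == ":INPUT" { print $2 }')
    [ "$policy" = "DROP" ] || return 0
    ssh_line=$(printf '%s\n' "$ruleset" | grep -n -E -- '^-A INPUT .*--dport 22 .*-j ACCEPT' | head -n 1 | cut -d: -f1)
    [ -n "$ssh_line" ] || return 1
    first_drop=$(printf '%s\n' "$ruleset" | grep -n -E -- '^-A INPUT .*-j (DROP|REJECT)' | head -n 1 | cut -d: -f1)
    [ -z "$first_drop" ] && return 0
    [ "$ssh_line" -lt "$first_drop" ]
}

# Lint, syntax-check with iptables-restore --test, then load. Needs root:
#   ./fw.sh --apply
apply_rules() {
    rules=$(gen_filter_rules)
    check_no_lockout "$rules" || { echo "refusing to load: SSH would be locked out" >&2; return 1; }
    printf '%s\n' "$rules" | iptables-restore --test || return 1
    printf '%s\n' "$rules" | iptables-restore
}

if [ "${1:-}" = "--apply" ]; then
    apply_rules
else
    gen_filter_rules      # dry run: print the ruleset that would be loaded
fi
```

Without arguments the script only prints the ruleset, which is the form to keep under version control and compare with `iptables-save`; `--apply` loads it. The same lint catches the interactive mistake too: an `iptables -A INPUT -i eth0 -j DROP` placed above the SSH rule fails the check.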
2. Basic rule matches (the target action is omitted from these examples)
(1) Protocol matches
1) Match the specified protocol
# iptables -A INPUT -p tcp
2) Match every protocol except the specified one
# iptables -A INPUT ! -p tcp
(2) Address matches
1) Match a single host
# iptables -A INPUT -s 192.168.0.1
2) Match a network
# iptables -A INPUT -s 192.168.0.0/24
3) Match every address except the specified host
# iptables -A INPUT ! -s 192.168.0.1
4) Match every address outside the specified network
# iptables -A INPUT ! -s 192.168.0.0/24
-d selects the destination address in the same way. The "!" goes before the option; the older form "-s ! address" is deprecated.
(3) Network interface matches
1) Match a single interface
# iptables -A INPUT -i eth0
# iptables -A FORWARD -o eth0
2) Match all interfaces of the same type (a trailing "+" is a wildcard, so ppp+ covers ppp0, ppp1, ...)
# iptables -A FORWARD -o ppp+
-i (incoming interface) is valid in the INPUT, FORWARD and PREROUTING chains; -o (outgoing interface) in FORWARD, OUTPUT and POSTROUTING.
(4) Port matches (only meaningful together with a protocol that has ports, such as -p tcp or -p udp)
1) Match a single port; a service name from /etc/services may be used instead of the number
# iptables -A INPUT -p tcp --sport www
# iptables -A INPUT -p tcp --sport 80
# iptables -A INPUT -p udp --sport 53
# iptables -A INPUT -p udp --dport 53
2) Match every port except the specified one
# iptables -A INPUT -p tcp ! --dport 22
3) Match a port range (inclusive)
# iptables -A INPUT -p tcp --sport 22:80
4) Match an ICMP type (ICMP has no ports; type 8 is echo-request, and the name echo-request is accepted as well)
# iptables -A INPUT -p icmp --icmp-type 8
(5) IP fragment match. -f matches the second and later fragments of a fragmented datagram; those fragments carry no transport header, so port matches can never apply to them
# iptables -A FORWARD -p tcp -s 192.168.0.0/24 -d 192.168.2.100 --dport 80 -j ACCEPT
# iptables -A FORWARD -f -s 192.168.0.0/24 -d 192.168.2.100 -j ACCEPT
The first rule matches the unfragmented packet or the first fragment, which is the only one carrying the TCP header; the second lets the remaining fragments of the same datagram through. On a kernel with connection tracking loaded, fragments are reassembled before the filter table sees them, so -f rarely matches there.
3. Extended match rules (the target action is omitted from these examples)
(1) multiport match extension (up to 15 ports per rule; a range a:b counts as two)
1) Match several source ports
# iptables -A INPUT -p tcp -m multiport --source-ports 22,53,80,110
2) Match several destination ports
# iptables -A INPUT -p tcp -m multiport --destination-ports 22,53,80,110
3) Match several ports as either source or destination
# iptables -A INPUT -p tcp -m multiport --ports 22,53,80,110
--sports and --dports are the short forms; the list must not contain spaces.
(2) tcp match extension
With --tcp-flags a rule is matched on the flags of a TCP segment. The first argument is the comma-separated list of flags to examine (the mask); the second is the list of flags that must be set within that mask, and every other examined flag must be clear. Flag names are SYN, ACK, FIN, RST, URG and PSH, plus ALL and NONE.
# iptables -A INPUT -p tcp --tcp-flags SYN,FIN,ACK SYN
Examines SYN, FIN and ACK and matches only when SYN is set and FIN and ACK are clear, that is, the first packet of a connection.
# iptables -A INPUT -p tcp --syn
--syn is shorthand for --tcp-flags SYN,RST,ACK,FIN SYN, which also excludes segments with RST set; "! --syn" matches everything except connection requests.
# iptables -A INPUT -p tcp --tcp-flags ALL SYN,ACK
Examines all flags (SYN, ACK, FIN, RST, URG, PSH) and matches only when exactly SYN and ACK are set, the second packet of the handshake.
(3) limit match extension (a token bucket: the rule matches while tokens remain and stops matching when they run out)
1) Number of packets allowed per unit of time
# iptables -A INPUT -m limit --limit 300/hour
Allows on average 300 matches per hour (units: /second, /minute, /hour, /day, or their initials s, m, h, d; the default is 3/hour).
2) Burst, the size of the bucket and so the number of packets that may match back to back (default 5)
# iptables -A INPUT -m limit --limit-burst 10
Up to 10 packets match immediately; after that the rule matches at the --limit rate only. The match by itself discards nothing: a packet that exceeds the limit simply fails to match this rule and goes on to the following rules, so a rule that drops the excess (or the chain policy) must come after it.
3) Rate and burst together
# iptables -A INPUT -p icmp -m limit --limit 3/minute --limit-burst 3
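The following is an added example and not from the original page. It puts the three extensions of this section into one rule set, going beyond the page's own lines in two ways: the --tcp-flags rules drop flag combinations that no legitimate stack sends (the NULL, XMAS, SYN+FIN and SYN+RST patterns port scanners use), and the limit rule is paired with the DROP rule that actually discards the excess. A small shell model of the token bucket then shows what --limit 3/minute --limit-burst 3 does to a burst of pings. The port list 22,80,443 and the function names ext_rules and limit_sim are assumptions made for the illustration.

```shell
#!/bin/sh
# Added example, not part of the original page: the multiport, tcp-flags and
# limit extensions used together, plus a model of the token bucket behind
# --limit/--limit-burst. Assumed value (illustrative): the service ports.
SERVICE_PORTS="${SERVICE_PORTS:-22,80,443}"

# Rules in iptables-restore syntax (prefix each with "iptables" to run them one
# at a time). Order matters: the scan filters first, then the service ports,
# then the ICMP rate limit followed by the DROP that removes what exceeds it.
ext_rules() {
    cat <<EOF
-A INPUT -p tcp --tcp-flags ALL NONE -j DROP
-A INPUT -p tcp --tcp-flags ALL ALL -j DROP
-A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
-A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
-A INPUT -p tcp -m multiport --dports $SERVICE_PORTS -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -p icmp --icmp-type 8 -m limit --limit 3/minute --limit-burst 3 -j ACCEPT
-A INPUT -p icmp --icmp-type 8 -j DROP
EOF
}

# Simplified token-bucket model of "-m limit --limit RATE/minute --limit-burst
# BURST" (the kernel's xt_limit refills fractionally; whole tokens are enough to
# see the behaviour). The bucket starts full with BURST tokens and gains one
# token every 60/RATE seconds, never exceeding BURST; a packet matches only if
# it can take a token.
# Usage: limit_sim RATE BURST t1 t2 ...   (arrival times in seconds, ascending)
# Prints one letter per packet: M = matched (hits the ACCEPT rule above),
# N = not matched (falls through to the DROP rule below it).
limit_sim() {
    rate=$1; burst=$2; shift 2
    interval=$((60 / rate))        # seconds per token; assumes RATE divides 60
    tokens=$burst; last=0; out=""
    for t in "$@"; do
        refill=$(( (t - last) / interval ))
        if [ "$refill" -gt 0 ]; then
            tokens=$((tokens + refill))
            if [ "$tokens" -gt "$burst" ]; then tokens=$burst; fi
            last=$((last + refill * interval))
        fi
        if [ "$tokens" -gt 0 ]; then
            tokens=$((tokens - 1)); out="${out}M"
        else
            out="${out}N"
        fi
    done
    printf '%s' "$out"
}

ext_rules
echo "six pings at t=0, then one every 20 s: $(limit_sim 3 3 0 0 0 0 0 0 20 40 60)"
```

The simulation prints MMMNNNMMM: the first three pings of the flood take the three burst tokens, the next three fail the limit match and reach the DROP rule, and once the flood stops the bucket hands out one token per 20 seconds, so a normal ping every 20 seconds keeps matching. Drop the second ICMP rule and the "N" packets would instead reach the chain policy, which is why the page's note that the limit match discards nothing by itself matters.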