Netfilter / iptables

For more detailed documentation, please see http://linux.dalouis.com/doc/iptables/

iptables -t filter -L INPUT -nv
View the rules of the INPUT chain of the filter table (numeric addresses and ports, with packet and byte counters).

iptables -N userchain
Add a user-defined chain.

iptables -X userchain
Delete a user-defined chain (it must be empty and no longer referenced by any rule).

iptables -t filter -F
Delete (flush) the rules of all chains of the filter table.

iptables -t filter -D INPUT 5
Delete rule number 5 of the INPUT chain.

iptables -t filter -Z
Clear the packet and byte counters of the filter table.

iptables -t filter -P INPUT ACCEPT   (or DROP)
Set the default policy of the chain.

iptables -t filter -A INPUT ! -p tcp ! -s 192.168.0.2 -d 192.168.0.1 ! -i eth0 ! -o eth1 --sport 123 --dport 234 -j DROP
Append a rule to the INPUT chain of the filter table: packets whose protocol is not TCP, whose source IP address is not 192.168.0.2, whose destination IP address is 192.168.0.1, whose source port is 123 and destination port is 234, and which neither enter on eth0 nor leave on eth1, are dropped. Note that this rule does not load as written: --sport and --dport need a positive -p tcp or -p udp to select the port match, and -o is only valid in the OUTPUT, FORWARD and POSTROUTING chains, not in INPUT.

iptables -t filter -I INPUT 5 -m mac --mac-source xx:xx:xx:xx:xx:xx -m limit --limit 10/minute -j LOG --log-level 6 --log-prefix "MAC matching:"
Insert a rule at position 5 of the INPUT chain of the filter table: packets whose source MAC address is xx:xx:xx:xx:xx:xx are logged at most 10 per minute, at log level 6 (info), with the log prefix "MAC matching:".

iptables -t filter -R INPUT 5 -p udp -m multiport --sports 12,123,1234,12345 -m multiport --dports 21,321,4321,54321 -j REJECT --reject-with icmp-port-unreachable
Replace rule 5 of the INPUT chain of the filter table with the following rule: UDP packets whose source port is one of 12, 123, 1234, 12345 and whose destination port is one of 21, 321, 4321, 54321 are rejected with an ICMP port-unreachable error. --reject-with is an option of the REJECT target, so -j REJECT must precede it; each -m multiport instance accepts only one of --sports, --dports or --ports, hence two instances.

iptables -t nat -A POSTROUTING -o ${ppp_if} -j MASQUERADE
iptables -t nat -A POSTROUTING -o ${wan_if} -j SNAT --to ${nat_ip}
Enable NAT for the LAN: MASQUERADE on the PPPoE interface (suited to a dynamically assigned address), SNAT to the fixed address ${nat_ip} on the WAN interface.

iptables -t nat -A PREROUTING -d ${ip_addr} -p tcp --dport 80 -i ${ppp_if} -j DNAT --to ${dmz_web_ip}:80
Port mapping: TCP connections arriving on ${ppp_if} for ${ip_addr} port 80 are redirected to port 80 of the DMZ web server ${dmz_web_ip}.
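The commands above, assembled into a single ruleset for iptables-restore so they load atomically instead of one rule at a time (an added example, not from the original page; interface names, addresses and the MAC address are placeholders). It goes slightly beyond the page by adding a loopback accept and a conntrack rule for established traffic, since a DROP policy without them also drops the replies to the host's own connections.

```shell
#!/bin/sh
# Added example, not from the original page: the page's rules assembled into
# one iptables-restore ruleset so they load atomically. All names below are
# placeholders (TEST-NET-3 address, locally administered MAC).
PPP_IF="${PPP_IF:-ppp0}"                     # PPPoE uplink, dynamic address
WAN_IF="${WAN_IF:-eth1}"                     # uplink with a static address
NAT_IP="${NAT_IP:-203.0.113.10}"             # static address used by SNAT
DMZ_WEB_IP="${DMZ_WEB_IP:-192.168.0.10}"     # DMZ web server for the DNAT
ADMIN_MAC="${ADMIN_MAC:-02:00:00:00:00:01}"  # MAC to log at 10/minute

# build_ruleset prints iptables-restore input. Within a chain order matters:
# loopback and established traffic first, then logging, then the DROP policy.
build_ruleset() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:userchain - [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m mac --mac-source $ADMIN_MAC -m limit --limit 10/minute -j LOG --log-level 6 --log-prefix "MAC matching:"
-A INPUT -p udp -m multiport --sports 12,123,1234,12345 -m multiport --dports 21,321,4321,54321 -j REJECT --reject-with icmp-port-unreachable
-A INPUT -m limit --limit 10/minute -j LOG --log-level 6 --log-prefix "INPUT drop:"
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i $PPP_IF -d $DMZ_WEB_IP -p tcp --dport 80 -j ACCEPT
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -i $PPP_IF -p tcp --dport 80 -j DNAT --to-destination $DMZ_WEB_IP:80
-A POSTROUTING -o $PPP_IF -j MASQUERADE
-A POSTROUTING -o $WAN_IF -j SNAT --to-source $NAT_IP
COMMIT
EOF
}

# count_rules returns the number of -A rule lines, a quick sanity check
# before the text is handed to iptables-restore.
count_rules() { build_ruleset | grep -c '^-A '; }

# Load only on request (needs root and iptables):  APPLY=1 sh firewall.sh
if [ "${APPLY:-0}" = "1" ]; then
    build_ruleset | iptables-restore
fi
```

Run it without APPLY to inspect the generated text, and review it with `iptables-restore --test` before loading it for real.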