(1) Start iptables at boot
# sysv-rc-conf --level 2345 iptables on
(2) Basic iptables commands
1. List the current iptables policies and rules
# iptables -L -n
-n: show addresses and ports numerically (no DNS or service-name lookups)
# iptables -L -v
-v: verbose output (packet and byte counters, interfaces)
2. Allow packets that belong to established or related connections
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
3. Open port 22 (the default SSH port): tell iptables to accept incoming TCP packets whose destination port is 22
iptables -A INPUT -p tcp -i eth0 --dport ssh -j ACCEPT
Note: the name ssh resolves to port 22; any service name listed in /etc/services can be used this way.
4. Set a policy. A policy is also a kind of rule: when none of the rules in a chain match, the chain's "policy" is applied.
Chains: INPUT, PREROUTING, FORWARD, POSTROUTING, OUTPUT
The default policy of a chain is ACCEPT.
Tables: filter (default), nat, mangle.
# iptables -P INPUT DROP
# iptables -P OUTPUT ACCEPT
# iptables -P FORWARD DROP
----------------------------------------------------
root@patrick:~# iptables -L -n
Chain INPUT (policy DROP)
target prot opt source destination
ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:22
Chain FORWARD (policy DROP)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp spt:22
----------------------------------------------------
5. Enable packet forwarding
Forward FTP requests from the intranet to a host on the external network (destination NAT on port 21).
iptables -t nat -A PREROUTING -p tcp --dport 21 -j DNAT --to-dest 10.25.1.7:21
Check the result:
# iptables -L -t nat
For packets to actually be forwarded, a kernel parameter must also be changed.
# cat /proc/sys/net/ipv4/ip_forward
0
Packet forwarding is disabled by default (0), so it has to be enabled: set net.ipv4.ip_forward = 1 in /etc/sysctl.conf, then run sysctl -p.
(3) Saving iptables rules
step 1) Save the current iptables rules to a file.
# iptables-save > /etc/iptables.up.rules
step 2) Restore the iptables rules at boot. Do this by adding the following line to the end of the file /etc/network/interfaces.
pre-up iptables-restore < /etc/iptables.up.rules
(4) Disable the firewall
iptables -F
Ubuntu has no command like service iptables stop, so this is the only way to disable iptables (the firewall). Note that -F only removes the rules; the chain policies from (2).4 remain, so with INPUT set to DROP, flushing blocks all incoming traffic until the policy is reset to ACCEPT.
Before using it, make sure the rules have been backed up to a file.
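The two lock-out risks above, setting INPUT to DROP in (2).4 before the SSH and ESTABLISHED rules exist, and flushing in (4) while the DROP policy is still in place, can be guarded by a small script. This is an added example, not code from the original post; it assumes SSH on port 22 and parses the `iptables -L -n` listing format shown above (the sample listing is constructed).

```shell
#!/bin/sh
# Added example, not from the original post: check the `iptables -L -n` listing
# before setting INPUT to DROP, and flush without locking yourself out.
# Assumes SSH on port 22 and the listing format shown in the post.
SSH_PORT="${SSH_PORT:-22}"

# Constructed sample in that format, with the ESTABLISHED,RELATED rule from
# step 2 present; lets the checks run without root.
SAMPLE_LISTING='Chain INPUT (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:22
Chain FORWARD (policy DROP)
target     prot opt source               destination
Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination'

# Print only the INPUT chain of a listing read from stdin.
input_chain() {
    awk '/^Chain /{keep = ($2 == "INPUT")} keep'
}
# 0 if INPUT has an ACCEPT rule for tcp dpt:$SSH_PORT, 1 otherwise.
has_ssh_accept() {
    printf '%s\n' "$1" | input_chain | grep -qw "^ACCEPT .*tcp dpt:${SSH_PORT}"
}
# 0 if INPUT accepts ESTABLISHED/RELATED traffic (replies to our own sessions).
has_established_accept() {
    printf '%s\n' "$1" | input_chain | grep -q '^ACCEPT .*ESTABLISHED'
}
# 0 when both rules exist, so a DROP policy will not cut the current SSH session.
safe_to_drop() {
    has_ssh_accept "$1" && has_established_accept "$1"
}

# Set the INPUT policy to DROP only after the check passes (needs root).
apply_drop_policy() {
    listing="$(iptables -L -n)"
    safe_to_drop "$listing" || { echo "refusing: no SSH/ESTABLISHED ACCEPT rule in INPUT" >&2; return 1; }
    iptables -P INPUT DROP
}

# Flush safely: back up, reset policies to ACCEPT (since -F keeps them), then -F.
safe_flush() {
    iptables-save > /etc/iptables.up.rules.bak &&
    iptables -P INPUT ACCEPT && iptables -P FORWARD ACCEPT && iptables -P OUTPUT ACCEPT &&
    iptables -F
}
```

Run `apply_drop_policy` in place of the bare `iptables -P INPUT DROP`, and `safe_flush` in place of `iptables -F`; the checks themselves only need the listing text.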
Reposted from: http://blog.sina.com.cn/s/blog_7a9af9b10101cj6s.html