1. History of Iptables
In the 2.0 kernel, the firewall operation tool is called ipfwadm.
In the 2.2 kernel, the firewall operation tool is called ipchains.
In the 2.4 kernel and later, the firewall operation tool is called iptables.
ipfwadm and ipchains are relatively old and have become historical versions. This chapter mainly introduces iptables.
2. Detailed explanation of Iptables operation command parameters
-A APPEND, append a rule (put it at the end of the chain)
  E.g.: iptables -A INPUT -j ACCEPT
  Allow all packets to the local IP to pass through

-I INSERT, insert a rule
  E.g.: iptables -I INPUT -j DROP
  Insert a rule into the INPUT chain of the filter table (inserted as the first item)

-D DELETE, delete a rule
  E.g.: iptables -D INPUT 3 (match by number)
  Remove the third rule in the filter table INPUT chain (whatever its contents)

-R REPLACE, replace a rule
  E.g.: iptables -R INPUT 9 -j ACCEPT
  Replace the content of the original rule number 9 with "-j ACCEPT"

-P POLICY, set the default rule for a chain
  E.g.: iptables -P INPUT DROP
  Set the default policy of the filter table INPUT chain to DROP

-F FLUSH, clear the rules
  E.g.: iptables -F
  Clear all rules in the filter table

-p protocol, match the communication protocol
  E.g.: iptables -A INPUT -p tcp
  Check whether the protocol type of the packet matches

-s src, match the source address
  E.g.: iptables -I INPUT -s 172.16.0.201 -j DROP
  Matches the source IP of the packet. It can be a single host or a network; when matching a network, give the mask as a numeric prefix length. In the example, access from the IP 172.16.0.201 is blocked and all of its packets are discarded.

--tcp-flags, match TCP flags
  E.g.: iptables -A INPUT -p tcp --tcp-flags SYN,FIN,ACK SYN
  TCP flags that can be used in the parameters include SYN (synchronize), ACK (acknowledge), FIN (finish), RST (reset), URG (urgent) and PSH (push); the keywords ALL and NONE can also be used. The first list is the set of flags to examine and the second is the set that must be set, so the example matches packets in which, of SYN, FIN and ACK, only SYN is set.

--icmp-type, match the ICMP type
  E.g.: iptables -A INPUT -p icmp --icmp-type 8
  The ICMP type can be given by name or by number. In the example the ICMP type is 8 (echo request).

-m limit --limit, match the average packet rate
  E.g.: iptables -A INPUT -m limit --limit 3/sec
  Matches the average rate of packets over a period of time. In the example the rule matches packets only up to an average of 3 per second; packets arriving faster than that do not match this rule.
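The parameters above combined into a small host firewall, as an added example (not from the original page). The script only prints the iptables commands so the ruleset can be reviewed before it is applied; the blocked address is the page's sample 172.16.0.201 and the SSH port is an assumption.

```shell
#!/bin/sh
# Added example: builds a deny-by-default INPUT ruleset from the parameters
# explained above. It PRINTS the commands instead of running them, so it needs
# no root and can be inspected first (pipe into sh as root to apply).
BLOCKED_SRC="172.16.0.201"   # constructed sample address, taken from the -s example
ADMIN_PORT=22                # assumption: the service we want reachable

build_rules() {
    # -F clears the filter table, then -P denies everything not allowed below.
    echo "iptables -F"
    echo "iptables -P INPUT DROP"
    echo "iptables -P FORWARD DROP"
    echo "iptables -P OUTPUT ACCEPT"
    # Loopback and replies to connections this host opened itself.
    echo "iptables -A INPUT -i lo -j ACCEPT"
    echo "iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT"
    # -I puts the block at the top of the chain, before any ACCEPT.
    echo "iptables -I INPUT -s $BLOCKED_SRC -j DROP"
    # --tcp-flags: a new connection must have, of SYN/FIN/ACK, only SYN set;
    # anything else (e.g. SYN+FIN probes) is dropped before reaching the ACCEPT.
    echo "iptables -A INPUT -p tcp ! --tcp-flags SYN,FIN,ACK SYN -m state --state NEW -j DROP"
    echo "iptables -A INPUT -p tcp --dport $ADMIN_PORT --tcp-flags SYN,FIN,ACK SYN -j ACCEPT"
    # --icmp-type 8 (echo request) is accepted only up to 3 per second (-m limit);
    # the following rule drops whatever exceeds that rate.
    echo "iptables -A INPUT -p icmp --icmp-type 8 -m limit --limit 3/sec -j ACCEPT"
    echo "iptables -A INPUT -p icmp --icmp-type 8 -j DROP"
}

# Helper for self-checking: how many -A/-I rules would be written to a chain.
count_rules_for_chain() {
    build_rules | grep -c -- "-[AI] $1 "
}

build_rules
```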
Configuration file location: /etc/sysconfig/iptables

iptables management service commands:
  Start: service iptables start
  Stop: service iptables stop
  Restart: service iptables restart