filter table:
[root@server01 ~]# iptables -t filter -nvL   ## list the filter table, which is the table used for packet filtering (-t filter is the default)
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
  116  8692 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:22
    4   478 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT 68 packets, 9944 bytes)
 pkts bytes target     prot opt in     out     source               destination
[root@server01 ~]# iptables -Z   ## zero the packet and byte counters
[root@server01 ~]# iptables -nvL --line-numbers   ## show rule numbers (needed for deleting or inserting by position)
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1        6   432 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
2        0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0
......
[root@server01 ~]# iptables -F   ## flush all rules from every chain of the table; the chain policies are left unchanged
[root@server01 ~]# iptables -nvL   ## list the rules again: the chains are now empty and only the policies remain
Chain INPUT (policy ACCEPT 6 packets, 432 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 4 packets, 448 bytes)
 pkts bytes target     prot opt in     out     source               destination
[root@server01 ~]# service iptables save   ## save the running rules; note that saving right after -F persists the empty ruleset
iptables: Saving firewall rules to /etc/sysconfig/iptables: [ OK ]
## Three targets: DROP (discard silently), REJECT (discard and send an ICMP error, here icmp-host-prohibited) and ACCEPT. The default chain policy is ACCEPT.
## Rules are matched top-down and the first match wins, so where a rule is placed matters.
[root@server01 ~]# iptables -A INPUT -s 192.168.111.1 -p tcp --sport 1234 -d 192.168.137.100 --dport 80 -j DROP   ## -A appends at the bottom of the chain
[root@server01 ~]# iptables -I INPUT -s 192.168.111.2 -p tcp --sport 1234 -d 192.168.137.100 --dport 80 -j DROP   ## -I inserts at the top (position 1)
[root@server01 ~]# iptables -nvL
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DROP       tcp  --  *      *       192.168.111.2        192.168.137.100      tcp spt:1234 dpt:80
......
    0     0 DROP       tcp  --  *      *       192.168.111.1        192.168.137.100      tcp spt:1234 dpt:80
[root@server01 ~]# iptables -D INPUT 1   ## delete rule number 1 of the INPUT chain
[root@server01 ~]# iptables -nvL --line-numbers
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1      353 28859 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
......
[root@server01 ~]# iptables -I INPUT -s 100.100.100.0/24 -i ens33 -j ACCEPT   ## accept everything from 100.100.100.0/24 arriving on ens33
[root@server01 ~]# iptables -nvL --line-numbers
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1        0     0 ACCEPT     all  --  ens33  *       100.100.100.0/24     0.0.0.0/0
.......
[root@server01 ~]# iptables -D INPUT -s 100.100.100.0/24 -i ens33 -j ACCEPT   ## a rule can also be deleted by repeating its exact specification instead of its number
[root@server01 ~]# iptables -nvL --line-numbers
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1      626 50787 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
......
[root@server01 ~]# iptables-save > 1.ipt   ## dump the running rules to a file, as a backup
[root@server01 ~]# iptables-restore < 1.ipt   ## load the rules back from the file
[root@server01 ~]# service iptables restart   ## restart the iptables service, which reloads /etc/sysconfig/iptables
Redirecting to /bin/systemctl restart iptables.service
With the virtual machine's network in NAT mode, one-way reachability between the physical host and the VM can also be enforced on the VM with ICMP type filters (type 8 is echo request, type 0 is echo reply):
iptables -I INPUT -p icmp --icmp-type 0 -j DROP // the VM discards incoming echo replies, so only the physical host can ping the VM
iptables -I INPUT -p icmp --icmp-type 8 -j DROP // the VM discards incoming echo requests, so only the VM can ping the physical host
iptables -P INPUT DROP changes the default policy of the filter table's INPUT chain to DROP. Do not change it casually: unless the chain already holds ACCEPT rules for your management traffic (at least the RELATED,ESTABLISHED rule and one for SSH) placed before any catch-all REJECT, the host becomes unmanageable over the network.
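The lockout risk of `iptables -P INPUT DROP` comes from applying the policy change and the allow rules as separate commands. The script below is an added example, not code from the original post: it writes the whole filter table in iptables-save format (the format produced by `iptables-save > 1.ipt` above) and loads it with `iptables-restore`, which commits the policy and the rules in one step, after first checking that the SSH allow rule exists and sits before the catch-all REJECT. It also keeps a rollback timer so that a mistake that cuts the SSH session undoes itself. The management interface `ens33`, the network `100.100.100.0/24` and the backup path `/root/iptables.rollback` are assumed values for illustration.

```shell
#!/bin/sh
# Added example, not from the original post: build a lockout-safe filter
# ruleset in iptables-restore format and apply it atomically with rollback.
# Assumed (hypothetical) management interface and network; override via env.
MGMT_IF="${MGMT_IF:-ens33}"
MGMT_NET="${MGMT_NET:-100.100.100.0/24}"
ROLLBACK_FILE="${ROLLBACK_FILE:-/root/iptables.rollback}"

# Emit a complete filter table. The INPUT policy is DROP, but because
# iptables-restore loads the table in a single commit, the ACCEPT rules for
# established traffic, loopback and SSH take effect at the same instant, so
# there is no window in which the DROP policy is in force without them.
build_ruleset() {
cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p icmp --icmp-type 8 -j ACCEPT
-A INPUT -i $MGMT_IF -s $MGMT_NET -p tcp -m state --state NEW --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
EOF
}

# Sanity check before touching the kernel: the rule admitting the management
# SSH session must exist and must come before the catch-all REJECT, since the
# first matching rule wins. Returns 0 when the ruleset is safe to apply.
check_ruleset() {
    ruleset="$1"
    accept_line=$(printf '%s\n' "$ruleset" | grep -n -- '--dport 22 -j ACCEPT' | head -n 1 | cut -d: -f1)
    reject_line=$(printf '%s\n' "$ruleset" | grep -n -- '-A INPUT -j REJECT' | head -n 1 | cut -d: -f1)
    [ -n "$accept_line" ] && [ -n "$reject_line" ] && [ "$accept_line" -lt "$reject_line" ]
}

# Apply with a rollback timer: if the operator does not confirm within 60 s
# (for example because the new rules cut the SSH session), the previously
# running ruleset saved with iptables-save is restored automatically.
apply_with_rollback() {
    ruleset=$(build_ruleset)
    check_ruleset "$ruleset" || { echo "refusing to apply: SSH allow rule missing or shadowed" >&2; return 1; }
    iptables-save > "$ROLLBACK_FILE" || return 1
    ( sleep 60 && iptables-restore < "$ROLLBACK_FILE" ) &
    timer=$!
    printf '%s\n' "$ruleset" | iptables-restore || { kill "$timer" 2>/dev/null; return 1; }
    echo "Applied. Press Enter within 60 s to keep the new rules; otherwise they roll back."
    read -r _ && kill "$timer" 2>/dev/null && echo "Rules kept; run 'service iptables save' to persist them."
}
```

Run `apply_with_rollback` as root from the SSH session you want to keep; if the session survives, press Enter and then persist with `service iptables save`. The `--icmp-type 8` ACCEPT line is where the one-way ping behaviour described above is decided: as written, peers can ping this host, and replacing it with a DROP of type 0 would instead stop this host's own pings from being answered.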
Original link: https://www.f2er.com/centos/376804.html