FILTER table:
[root@server01 ~]# iptables -t filter -nvL   ## view the filter table, which is used mainly for packet filtering
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
  116  8692 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:22
    4   478 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT 68 packets, 9944 bytes)
 pkts bytes target     prot opt in     out     source               destination
[root@server01 ~]# iptables -Z   ## zero the packet and byte counters
[root@server01 ~]# iptables -nvL --line-numbers   ## show rule numbers
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1        6   432 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
2        0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0
......
[root@server01 ~]# iptables -F   ## flush all rules
[root@server01 ~]# iptables -nvL   ## view the iptables rules
Chain INPUT (policy ACCEPT 6 packets, 432 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 4 packets, 448 bytes)
 pkts bytes target     prot opt in     out     source               destination
[root@server01 ~]# service iptables save   ## save the rules
iptables: Saving firewall rules to /etc/sysconfig/iptables:[ 确定 ]

## Three targets: DROP, REJECT and ACCEPT; the default policy of each chain is ACCEPT.
[root@server01 ~]# iptables -A INPUT -s 192.168.111.1 -p tcp --sport 1234 -d 192.168.137.100 --dport 80 -j DROP   ## append at the bottom of the chain
[root@server01 ~]# iptables -I INPUT -s 192.168.111.2 -p tcp --sport 1234 -d 192.168.137.100 --dport 80 -j DROP   ## insert at the top of the chain
[root@server01 ~]# iptables -nvL
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DROP       tcp  --  *      *       192.168.111.2        192.168.137.100      tcp spt:1234 dpt:80
......
    0     0 DROP       tcp  --  *      *       192.168.111.1        192.168.137.100      tcp spt:1234 dpt:80
[root@server01 ~]# iptables -D INPUT 1   ## delete rule 1 of the INPUT chain
[root@server01 ~]# iptables -nvL --line-numbers
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1      353 28859 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
......
[root@server01 ~]# iptables -I INPUT -s 100.100.100.0/24 -i ens33 -j ACCEPT
[root@server01 ~]# iptables -nvL --line-numbers
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1        0     0 ACCEPT     all  --  ens33  *       100.100.100.0/24     0.0.0.0/0
.......
[root@server01 ~]# iptables -D INPUT -s 100.100.100.0/24 -i ens33 -j ACCEPT
[root@server01 ~]# iptables -nvL --line-numbers
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1      626 50787 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
......
[root@server01 ~]# iptables-save > 1.ipt   ## redirect the rules to a file, for backup
[root@server01 ~]# iptables-restore < 1.ipt   ## restore the rules from the file
[root@server01 ~]# service iptables restart   ## restart the iptables service
Redirecting to /bin/systemctl restart iptables.service
When the virtual machine's network mode is NAT, one-way access between the physical host and the VM can also be enforced (rules run on the VM):
iptables -I INPUT -p icmp --icmp-type 0 -j DROP // drop incoming echo replies: only the physical host can ping the VM
iptables -I INPUT -p icmp --icmp-type 8 -j DROP // drop incoming echo requests: only the VM can ping the physical host
iptables -P INPUT DROP   change the default policy of the filter table's INPUT chain to DROP (do not change this casually: it can leave the host unmanageable)
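As an added example (not part of the original notes), here is one way to switch INPUT to a DROP policy without the lock-out the note above warns about: write the whole filter table, including the RELATED,ESTABLISHED and SSH rules from the first listing, as an iptables-save style file and load it with iptables-restore, which commits the table in one atomic step instead of a sequence of separate iptables calls. The management subnet default, SSH port 22 and the `--test` dry run are assumptions of this example.

```shell
#!/bin/sh
# Added example, not code from the original notes. Builds the filter table
# as an iptables-restore file so that the DROP policy and the rules that keep
# management traffic alive land in ONE atomic commit.

# Print the rule set in iptables-save format. $1 is the management subnet
# (constructed example value) allowed to open new SSH sessions.
build_filter_rules() {
    mgmt_net="${1:-192.168.137.0/24}"
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -s ${mgmt_net} -p tcp -m state --state NEW --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
EOF
}

# Sanity check before loading: with policy DROP, the table must still accept
# established sessions and new SSH, otherwise the current session dies.
# Returns 0 when both rules are present, 1 otherwise.
check_management_access() {
    rules="$(build_filter_rules "$1")"
    printf '%s\n' "$rules" | grep -q -- '--state RELATED,ESTABLISHED -j ACCEPT' || return 1
    printf '%s\n' "$rules" | grep -q -- '--dport 22 -j ACCEPT' || return 1
    return 0
}

# Parse first with --test (nothing is applied), then commit atomically.
# Note: once the policy is DROP, a later "iptables -F" removes the ACCEPT
# rules but keeps the policy, which is exactly the lock-out scenario.
apply_filter_rules() {
    check_management_access "$1" || { echo "refusing: no management rule" >&2; return 1; }
    build_filter_rules "$1" | iptables-restore --test || return 1
    build_filter_rules "$1" | iptables-restore
}
```

Run `apply_filter_rules 10.0.0.0/24` as root on the host; `build_filter_rules` alone can be used to review the file before loading it.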