tables:
==================
1) a table is a group of rules that processes packets in a specific way
2) the default table is the "filter" table; each of these "tables" has "chains" attached to it
|
|+filter table: the default table; decides whether a packet should be allowed to reach its destination.
|
|+mangle table: alters packet headers in various ways, such as changing TTL values.
|
|+nat table: routes packets to different hosts on NAT (Network Address Translation) networks by changing the source and destination addresses of a packet.
|
|+raw table: lets you work with packets before the kernel starts tracking their connection state.
chains:
=============
1) chains let you "inspect traffic at various points",
such as when packets have just arrived on the network interface
or just before they are handed over to a process.
2) you add rules to a chain to match specific packets,
such as TCP packets going to port 80, and associate each rule with a target.
A target decides the fate of a packet, such as "allowing" or "rejecting" it.
|
|+PREROUTING chain: rules in this chain apply to packets as they have just arrived; present in the nat, mangle and raw tables.
|
|+INPUT chain: rules in this chain apply to packets just before they are handed to a "local" process.
|
|+OUTPUT chain: rules in this chain apply to packets just "after they have been produced" by a process; present in the raw, mangle, nat and filter tables.
|
|+FORWARD chain: rules in this chain apply to any packets that are routed through the current host; present in the "mangle" and "filter" tables.
|
|+POSTROUTING chain: rules in this chain apply to packets as they are about to "leave the network interface"; present in the nat and mangle tables.
targets:
==============
A target decides the fate of a packet, such as "allowing" or "rejecting" it.
|
|+ACCEPT: iptables accepts the packet.
|
|+DROP: iptables discards the packet silently; the sender gets no reply.
|
|+REJECT: iptables "rejects" the packet and sends an error response back to the sender.
|
Example: add rules
==================
1) block the source IP 59.45.175.62:
~# iptables -A INPUT -s 59.45.175.62 -j REJECT
2) to block all IPs ranging from 59.145.175.0 to 59.145.175.255, give the range in CIDR notation:
~# iptables -A INPUT -s 59.45.175.0/24 -j REJECT
3) to block outgoing traffic to an IP, use the OUTPUT chain and the -d flag to specify the destination IP:
~# iptables -A OUTPUT -d 31.13.78.35 -j DROP
Delete rules
==============
1) suppose you have blocked the IP range 221.194.47.0/24 by mistake; remove it with -D, which deletes the rule matching the given specification:
~# iptables -D INPUT -s 221.194.47.0/24 -j REJECT
2) delete a rule by its line number in the chain:
~# iptables -D INPUT 2
3) remove all rules in a particular chain; deleting them one by one is not practical, so use -F ("flush"):
~# iptables -F INPUT
Insert/replace rules
======================
1) you have already blocked a range of IPs such as 59.45.175.0/24,
but need to let one IP in that range through; you must insert a rule in front of the blocking rule,
since iptables "evaluates" the rules of a chain "one by one" and the first match decides:
~# iptables -I INPUT 1 -s 59.45.175.10 -j ACCEPT
2) replace the existing rule at position 1 with:
~# iptables -R INPUT 1 -s 59.45.175.10 -j ACCEPT
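As an added illustration (not part of these notes or of iptables itself), the following Python simulates first-match evaluation of a single chain with the -A/-I/-D/-R/-F operations from the Add, Delete and Insert/replace sections; it assumes a chain policy of ACCEPT and shows why the ACCEPT rule for 59.45.175.10 must be inserted at position 1 rather than appended after the /24 REJECT rule.

```python
import ipaddress

POLICY = "ACCEPT"  # assumed chain policy: the verdict when no rule matches


def _net(spec):
    # iptables masks host bits itself (-s 59.45.175.62/24 is legal), so strict=False
    return ipaddress.ip_network(spec, strict=False)


class Chain:
    def __init__(self):
        self.rules = []  # ordered (source network, target) pairs, top to bottom

    def append(self, src, target):               # iptables -A CHAIN -s src -j target
        self.rules.append((_net(src), target))

    def insert(self, position, src, target):     # iptables -I CHAIN position -s src -j target
        self.rules.insert(position - 1, (_net(src), target))

    def replace(self, position, src, target):    # iptables -R CHAIN position -s src -j target
        self.rules[position - 1] = (_net(src), target)

    def delete(self, src=None, target=None, position=None):  # iptables -D (by spec or number)
        if position is not None:
            del self.rules[position - 1]
        else:
            self.rules.remove((_net(src), target))

    def flush(self):                             # iptables -F CHAIN
        self.rules.clear()

    def verdict(self, src_ip):
        """Walk the chain top to bottom; the first matching rule decides."""
        addr = ipaddress.ip_address(src_ip)
        for net, target in self.rules:
            if addr in net:
                return target
        return POLICY


def demo():
    chain = Chain()
    chain.append("59.45.175.0/24", "REJECT")     # block the whole range
    chain.append("59.45.175.10", "ACCEPT")       # appended below it: never reached
    appended = chain.verdict("59.45.175.10")
    chain.delete("59.45.175.10", "ACCEPT")
    chain.insert(1, "59.45.175.10", "ACCEPT")    # -I INPUT 1: evaluated first
    inserted = chain.verdict("59.45.175.10")
    return appended, inserted, chain.verdict("59.45.175.62"), chain.verdict("8.8.8.8")


if __name__ == "__main__":
    print(demo())  # ('REJECT', 'ACCEPT', 'REJECT', 'ACCEPT')
```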
Protocols and modules
=====================
1) block all incoming TCP traffic; specify the protocol with "-p" (other values include "udp" and "icmp"):
~# iptables -A INPUT -p tcp -j DROP
2) save and restore the rule set:
~# iptables-save
~# iptables-restore