• iptables


    http://linux.vbird.org/linux_server/0250simple_firewall.php#netfilter

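    iptables uses a packet-filtering mechanism: it analyzes each packet's header data and, according to the rules defined against that header data, decides whether the packet may enter the host or is dropped.

    While practicing on the server just now I blocked myself; a reminder to everyone to use another classmate's IP for practice, haha.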

    $iptables [-t tables] [-L] [-nv]

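    -t: followed by a table, e.g. nat or filter; if this option is omitted, the default filter table is used

    -L: list the rules of the current table

    -n: do not perform reverse lookups between IP and HOSTNAME

    -v: list more information, including the total byte count of the packets that matched the rule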

    tty:[0] jobs:[0] cwd:[/opt/app/]
    14:50 [root@a]$ iptables -L -n
    Chain INPUT (policy ACCEPT)
    target     prot opt source               destination         
    DROP       all  --  10.103.55.165        0.0.0.0/0           
    
    Chain FORWARD (policy ACCEPT)
    target     prot opt source               destination         
    
    Chain OUTPUT (policy ACCEPT)
    target     prot opt source               destination  
    15:08 [root@a]$ iptables -h
    iptables v1.3.5
    
    Usage: iptables -[AD] chain rule-specification [options]
           iptables -[RI] chain rulenum rule-specification [options]
           iptables -D chain rulenum [options]
           iptables -[LFZ] [chain] [options]
           iptables -[NX] chain
           iptables -E old-chain-name new-chain-name
           iptables -P chain target [options]
           iptables -h (print this help information)
    
    Commands:
    Either long or short options are allowed.
      --append  -A chain        Append to chain
      --delete  -D chain        Delete matching rule from chain
      --delete  -D chain rulenum
                    Delete rule rulenum (1 = first) from chain
      --insert  -I chain [rulenum]
                    Insert in chain as rulenum (default 1=first)
      --replace -R chain rulenum
                    Replace rule rulenum (1 = first) in chain
      --list    -L [chain]        List the rules in a chain or all chains
      --flush   -F [chain]        Delete all rules in  chain or all chains
      --zero    -Z [chain]        Zero counters in chain or all chains
      --new     -N chain        Create a new user-defined chain
      --delete-chain
                -X [chain]        Delete a user-defined chain
      --policy  -P chain target
                    Change policy on chain to target
      --rename-chain
                -E old-chain new-chain
                    Change chain name, (moving any references)
    Options:
      --proto    -p [!] proto    protocol: by number or name, eg. `tcp'
      --source    -s [!] address[/mask]
                    source specification
      --destination -d [!] address[/mask]
                    destination specification
      --in-interface -i [!] input name[+]
                    network interface name ([+] for wildcard)
      --jump    -j target
                    target for rule (may load target extension)
      --goto      -g chain
                                  jump to chain with no return
      --match    -m match
                    extended match (may load extension)
      --numeric    -n        numeric output of addresses and ports
      --out-interface -o [!] output name[+]
                    network interface name ([+] for wildcard)
      --table    -t table    table to manipulate (default: `filter')
      --verbose    -v        verbose mode
      --line-numbers        print line numbers when listing
      --exact    -x        expand numbers (display exact values)
    [!] --fragment    -f        match second or further fragments only
      --modprobe=<command>        try to insert modules using this command
      --set-counters PKTS BYTES    set the counter during insert/append
    [!] --version    -V        print package version.


    Next, add a new rule

    15:10 [root@a]$ iptables -A INPUT -s 16.16.136.66 -j DROP

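    Since what I entered was my own IP address, after pressing Enter I could no longer keep working on the server... I could only ask a classmate to help delete the configuration on the server

    Take a look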

    15:12 [root@a]$ iptables -L -n
    Chain INPUT (policy ACCEPT)
    target     prot opt source               destination         
    DROP       all  --  16.16.56.166        0.0.0.0/0           
    DROP       all  --  16.16.136.66         0.0.0.0/0           
    
    Chain FORWARD (policy ACCEPT)
    target     prot opt source               destination         
    
    Chain OUTPUT (policy ACCEPT)
    target     prot opt source               destination  

    Delete the rule that was just created

    15:12 [root@a]$ iptables -D INPUT 2
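
The lock-out described above can be caught before the rule is appended, and the rule number for `-D INPUT <num>` can be read from a `--line-numbers` listing instead of being counted by hand. The following is an added example, not part of the original post: the function names are hypothetical, the sample listing is constructed from the output shown above, and the guard compares exact addresses only (not CIDR ranges) using the `SSH_CONNECTION` variable that OpenSSH sets for a session.

```shell
#!/bin/sh
# Added example (not from the original post).
IPTABLES="${IPTABLES:-iptables}"   # overridable, so the logic can be tried without root

# Print the client address of the current SSH session.
# SSH_CONNECTION is "client_ip client_port server_ip server_port".
ssh_client_ip() {
    printf '%s\n' "${SSH_CONNECTION%% *}"
}

# Append a DROP rule for source $1, unless $1 is the address this
# SSH session comes from (the mistake made in the post).
safe_drop() {
    src=$1
    me=$(ssh_client_ip)
    if [ -n "$me" ] && [ "$src" = "$me" ]; then
        echo "refusing: $src is the source address of this SSH session" >&2
        return 1
    fi
    $IPTABLES -A INPUT -s "$src" -j DROP
}

# Read `iptables -L INPUT -n --line-numbers` output on stdin and print the
# number of the first DROP rule whose source is $1.
# Columns with --line-numbers: num target prot opt source destination
drop_rule_number() {
    awk -v src="$1" '$2 == "DROP" && $5 == src { print $1; exit }'
}

# Constructed sample: the listing from the post as shown with --line-numbers.
SAMPLE_LISTING='Chain INPUT (policy ACCEPT)
num  target     prot opt source               destination
1    DROP       all  --  16.16.56.166         0.0.0.0/0
2    DROP       all  --  16.16.136.66         0.0.0.0/0'

# Typical use on a live host (requires root):
#   safe_drop 16.16.56.166
#   n=$(iptables -L INPUT -n --line-numbers | drop_rule_number 16.16.56.166)
#   [ -n "$n" ] && iptables -D INPUT "$n"
```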
  • Original article: https://www.cnblogs.com/iwangzheng/p/3956316.html