王筝的博客
ruby学习

http://linux.vbird.org/linux_server/0250simple_firewall.php#netfilter

iptables 是利用封包过滤机制, 分析封包的表头资料,根据表头资料定义的规则来决定是否可以进入主机或者被丢弃.刚才在服务器上练习的时候把自己给屏蔽了,提醒大家拿其他同学的ip做练习,哈哈.

$iptables [-t tables] [-L] [-nv]

-t: 后面接table,  例如nat 或者filter,如果省略此项目,则使用预设的filter

-L:列出目前的table的规则

-n: 不进行IP与HOSTNAME的反查

-v: 列出更多的信息,包括通过该规则的封包总位元数等

tty:[0] jobs:[0] cwd:[/opt/app]
14:50 [root@a]$ iptables -L -n
Chain INPUT (policy ACCEPT)
target prot opt source destination
DROP all — 10.103.55.165 0.0.0.0/0

Chain FORWARD (policy ACCEPT)
target prot opt source destination

Chain OUTPUT (policy ACCEPT)
target prot opt source destination

————————————————

15:08 [root@a]$ iptables -h
iptables v1.3.5

Usage: iptables -[AD] chain rule-specification [options]
iptables -[RI] chain rulenum rule-specification [options]
iptables -D chain rulenum [options]
iptables -[LFZ] [chain] [options]
iptables -[NX] chain
iptables -E old-chain-name new-chain-name
iptables -P chain target [options]
iptables -h (print this help information)

Commands:
Either long or short options are allowed.
–append -A chain Append to chain
–delete -D chain Delete matching rule from chain
–delete -D chain rulenum
Delete rule rulenum (1 = first) from chain
–insert -I chain [rulenum]
Insert in chain as rulenum (default 1=first)
–replace -R chain rulenum
Replace rule rulenum (1 = first) in chain
–list -L [chain] List the rules in a chain or all chains
–flush -F [chain] Delete all rules in chain or all chains
–zero -Z [chain] Zero counters in chain or all chains
–new -N chain Create a new user-defined chain
–delete-chain
-X [chain] Delete a user-defined chain
–policy -P chain target
Change policy on chain to target
–rename-chain
-E old-chain new-chain
Change chain name, (moving any references)
Options:
–proto -p [!] proto protocol: by number or name, eg. `tcp’
–source -s [!] address[/mask]
source specification
–destination -d [!] address[/mask]
destination specification
–in-interface -i [!] input name[+]
network interface name ([+] for wildcard)
–jump -j target
target for rule (may load target extension)
–goto -g chain
jump to chain with no return
–match -m match
extended match (may load extension)
–numeric -n numeric output of addresses and ports
–out-interface -o [!] output name[+]
network interface name ([+] for wildcard)
–table -t table table to manipulate (default: `filter’)
–verbose -v verbose mode
–line-numbers print line numbers when listing
–exact -x expand numbers (display exact values)
[!] –fragment -f match second or further fragments only
–modprobe=<command> try to insert modules using this command
–set-counters PKTS BYTES set the counter during insert/append
[!] –version -V print package version.

接下来新建一条

15:10 [root@a]$ iptables -A INPUT -s 16.16.136.66 -j DROP

由于写的是自己的ip地址,回车后已不能继续在服务器上继续操作…只能找同学帮忙删了服务器上的配置

接下来查看一下

15:12 [root@a]$ iptables -L -n
Chain INPUT (policy ACCEPT)
target prot opt source destination
DROP all — 10.166.55.11 0.0.0.0/0
DROP all — 12.16.136.66 0.0.0.0/0

Chain FORWARD (policy ACCEPT)
target prot opt source destination

Chain OUTPUT (policy ACCEPT)
target prot opt source destination

删除刚才新建的那条

15:12 [root@a]$ iptables -D INPUT 2