分类: LINUX
2010-03-09 15:40:58
iptables -L 查看防火墙规则。不用 -t 指定表时，查看的是默认的 filter 表，因此显示 INPUT、FORWARD、OUTPUT 三个链。排查时建议固定加上 -n（不做反向 DNS 解析，输出更快、更不易误读）和 -v（显示匹配的网卡和包/字节计数器）。
[root@station1 ~]# iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
[root@station1 ~]#
如果想查看某个表，则用 -t 指定表名（filter、nat、mangle 等）。下面 nat 表的 PREROUTING、POSTROUTING、OUTPUT 三条链默认策略同样都是 ACCEPT。
[root@station1 ~]# iptables -t nat -L
Chain PREROUTING (policy ACCEPT)
target prot opt source destination
Chain POSTROUTING (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
[root@station1 ~]#
让规则编号显示：iptables -t filter -L --line-numbers。编号可用于之后按序号删除、插入或替换规则（-D/-I/-R 链名 序号）；注意删除规则后，其后规则的序号会前移，操作前应重新查看。
[root@station1 ~]# iptables -t filter -L --line-numbers
Chain INPUT (policy ACCEPT)
num target prot opt source destination
Chain FORWARD (policy ACCEPT)
num target prot opt source destination
Chain OUTPUT (policy ACCEPT)
num target prot opt source destination
1 DROP all -- anywhere anywhere
让源地址、目的地址和端口以数字形式显示：-n。不加 -n 时 iptables 会对每个地址做反向 DNS 查询、对端口查 /etc/services，DNS 不通或很慢时 -L 会长时间卡住，而且显示出的主机名容易让人误读规则，因此排查时请固定使用 -L -n。
[root@station1 ~]# iptables -t filter -L --line-numbers -n
Chain INPUT (policy ACCEPT)
num target prot opt source destination
Chain FORWARD (policy ACCEPT)
num target prot opt source destination
Chain OUTPUT (policy ACCEPT)
num target prot opt source destination
1 DROP all --
设置链的默认策略：-P。注意：在远程（SSH）会话里把 INPUT 默认策略改成 DROP 之前，必须先放行已建立的连接和自己的管理端口（例如先执行 iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT，再放行 22 端口），否则会立刻把自己锁在外面。若本机开启了 ip_forward，FORWARD 链的默认策略也应一并考虑。另外，用 iptables 命令做的修改只在内存中，重启即失效，需要 service iptables save（或 iptables-save 导出）才能持久化。
[root@station1 ~]# iptables -t filter -P INPUT DROP
[root@station1 ~]# iptables -t filter -L --line-numbers -n
Chain INPUT (policy DROP)
num target prot opt source destination
Chain FORWARD (policy ACCEPT)
num target prot opt source destination
Chain OUTPUT (policy ACCEPT)
num target prot opt source destination
1 DROP all --
假设本机上有一个 web 服务器，我们不想让任何人访问，该怎么办？下面的规则只匹配目的地址为 192.168.0.61 的 TCP 80 端口流量；如果本机还有其他地址，或者也想拦住 127.0.0.1 上的访问，应去掉 -d 限制。另外此时 INPUT 的默认策略已经是 DROP，这条 DROP 规则实际上是多余的，只有在默认策略为 ACCEPT 时才真正起作用。-j DROP 会让客户端一直等到超时，若希望客户端立即收到拒绝，可改用 -j REJECT。
[root@station1 ~]# iptables -t filter -A INPUT -d 192.168.0.61 -p tcp --dport 80 -j DROP
[root@station1 ~]# iptables -t filter -L --line-numbers -n
Chain INPUT (policy DROP)
num target prot opt source destination
1 DROP tcp --
Chain FORWARD (policy ACCEPT)
num target prot opt source destination
Chain OUTPUT (policy ACCEPT)
num target prot opt source destination
为了保险起见，我们把出口方向也关闭。产生下面 OUTPUT 链中那条规则的命令原文没有贴出；从输出看，它是一条源地址为 192.168.0.61 的 tcp 规则，推测是匹配 web 服务器回包的 --sport 80。注意：这条 OUTPUT 规则只影响本机发出的响应，请求仍会到达内核并被处理，它是对 INPUT 规则的补充而不是替代。
[root@station1 ~]# iptables -t filter -L --line-numbers -n
Chain INPUT (policy DROP)
num target prot opt source destination
1 DROP tcp --
Chain FORWARD (policy ACCEPT)
num target prot opt source destination
Chain OUTPUT (policy ACCEPT)
num target prot opt source destination
1 DROP tcp -- 192.168.0.61
不允许本主机 ping 某个主机：在 OUTPUT 链丢弃本机发往 192.168.0.65 的 ICMP echo-request（--icmp-type 8）。注意下面的输出里 INPUT 默认策略又变回了 ACCEPT，而且之前的规则都不见了，说明中间执行过清空规则和恢复策略的操作（原文未贴出）。
[root@station1 ~]# iptables -t filter -A OUTPUT -s 192.168.0.61 -d 192.168.0.65 -p icmp --icmp-type 8 -j DROP
[root@station1 ~]# iptables -t filter -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
DROP icmp -- station61.example.com station65.example.com icmp echo-request
不允许某个主机 ping 本机：在 INPUT 链丢弃来自 192.168.0.65 的 echo-request。对比上面两次查看可以看到，不加 -n 时 ICMP 类型显示为 echo-request，加 -n 后显示为数字 icmp type 8。
[root@station1 ~]# iptables -t filter -A INPUT -s 192.168.0.65 -d 192.168.0.61 -p icmp --icmp-type 8 -j DROP
[root@station1 ~]# iptables -t filter -L -n
Chain INPUT (policy ACCEPT)
target prot opt source destination
DROP icmp -- 192.168.0.65 192.168.0.61 icmp type 8
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
DROP icmp -- 192.168.0.61 192.168.0.65 icmp type 8
别人可以 ping 本机，但本机不响应：在 OUTPUT 链丢弃发往 192.168.0.65 的 echo-reply（--icmp-type 0）。从对方看，效果和上一条一样都是超时；区别在于请求仍然进入本机并由内核处理，只是回应被丢掉。如果目的是减少处理开销或攻击面，应在 INPUT 端丢弃请求，而不是在 OUTPUT 端丢弃回应。
[root@station1 ~]# iptables -t filter -A OUTPUT -s 192.168.0.61 -d 192.168.0.65 -p icmp --icmp-type 0 -j DROP
[root@station1 ~]# iptables -t filter -L -n
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
DROP icmp -- 192.168.0.61 192.168.0.65 icmp type 0