Summary of how to view, add, delete and modify Linux firewall (iptables) rules
<p><span><strong>1. Viewing</strong></span></p>
<p>
iptables -nvL --line-number</p>
<p>
-L lists all rules of the current table; by default this is the filter table. To list the nat table, add the -t nat parameter (table names are lowercase).<br>
-n does not reverse-resolve IP addresses to host names, which makes the listing much faster.<br>
-v prints detailed information, including the number of packets and total bytes that have matched each rule and the network interfaces involved.<br>
--line-number shows the sequence number of each rule; this parameter is needed when deleting or modifying rules by number.</p>
<p>
<span><strong>2. Adding</strong></span></p>
<p>
There are two parameters for adding a rule: -A and -I. -A appends the rule to the end of the chain; -I inserts it at a given position, and when no position is given it inserts at the head of the chain.</p>
<p>
Current rules:</p>
<div class="jb51code">
<pre><code class="bash"># iptables -nL --line-number
Chain INPUT (policy ACCEPT)
num  target  prot opt source        destination
1    DROP    all  --  192.168.1.1   0.0.0.0/0
2    DROP    all  --  192.168.1.2   0.0.0.0/0
3    DROP    all  --  192.168.1.4   0.0.0.0/0
</code></pre>
</div>
<p>
Append a rule to the end of the chain:</p>
<div class="jb51code">
<pre><code class="bash"># iptables -A INPUT -s 192.168.1.5 -j DROP
</code></pre>
</div>
<p>
Now insert a rule as the third line; the rule number is written directly after the chain name:</p>
<div class="jb51code">
<pre><code class="bash"># iptables -I INPUT 3 -s 192.168.1.3 -j DROP
</code></pre>
</div>
<p>
View the result:</p>
<div class="jb51code">
<pre><code class="bash"># iptables -nL --line-number
Chain INPUT (policy ACCEPT)
num  target  prot opt source        destination
1    DROP    all  --  192.168.1.1   0.0.0.0/0
2    DROP    all  --  192.168.1.2   0.0.0.0/0
3    DROP    all  --  192.168.1.3   0.0.0.0/0
4    DROP    all  --  192.168.1.4   0.0.0.0/0
5    DROP    all  --  192.168.1.5   0.0.0.0/0
</code></pre>
</div>
<p>
As you can see, 192.168.1.3 has been inserted as the third rule, and the former third rule, 192.168.1.4, has become the fourth.</p>
<p>
<span><strong>3. Deleting</strong></span></p>
<p>
Deletion uses the -D parameter.</p>
<p>
Delete the rule added earlier (iptables -A INPUT -s 192.168.1.5 -j DROP):</p>
<div class="jb51code">
<pre><code class="bash"># iptables -D INPUT -s 192.168.1.5 -j DROP
</code></pre>
</div>
<p>
Sometimes the rule to be deleted is long, and writing it out again in full is both slow and error-prone. In that case, first use --line-number to find the rule's number, then delete it by number. Rule numbers shift whenever a rule is inserted or removed, so list the chain again immediately before deleting by number.</p>
<div class="jb51code">
<pre><code class="bash"># iptables -nv --line-number
iptables v1.4.7: no command specified
Try `iptables -h' or 'iptables --help' for more information.
# iptables -nL --line-number
Chain INPUT (policy ACCEPT)
num  target  prot opt source        destination
1    DROP    all  --  192.168.1.1   0.0.0.0/0
2    DROP    all  --  192.168.1.2   0.0.0.0/0
3    DROP    all  --  192.168.1.3   0.0.0.0/0
</code></pre>
</div>
<p>
Delete the second rule:</p>
<div class="jb51code">
<pre><code class="bash"># iptables -D INPUT 2
</code></pre>
</div>
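<p>
Deleting by number is only safe if the number is read from a fresh listing and, when several rules are removed, they are removed from the highest number down. The following shell functions, added here as an example and not part of the original article, parse the plain listing produced by iptables -nL --line-number (or the wider -nvL layout) and turn it into delete commands. The listings embedded in the script are constructed samples; no iptables command is executed, and the function names are the example's own.</p>

```shell
#!/bin/sh
# Added example, not part of the original post. It assumes only the plain
# listing format of `iptables -nL --line-number` / `iptables -nvL --line-number`
# shown in the article; the two sample listings below are constructed for the
# demo and no iptables command is executed.

# Print the numbers (highest first) of the rules in CHAIN whose source column
# equals SRC. The listing is read on stdin, so the function works on a saved
# copy as well as on live output:
#   iptables -nL --line-number | rule_nums_for_source INPUT 192.168.1.5
# The column holding the source is taken from the header line, so the function
# copes with both the -nL layout and the wider -nvL layout (pkts, bytes, in, out).
rule_nums_for_source() {
    chain=$1
    src=$2
    awk -v chain="$chain" -v src="$src" '
        /^Chain / { cur = $2; next }               # "Chain INPUT (policy ACCEPT)"
        $1 == "num" {                              # header: locate the "source" column
            for (i = 1; i <= NF; i++) if ($i == "source") sc = i
            next
        }
        cur == chain && sc && $sc == src { print $1 }
    ' | sort -rn
}

# Emit one "iptables -D CHAIN N" command per matching rule, highest number
# first. Rule numbers shift after every deletion, so deleting from the bottom
# up keeps every remaining number valid; deleting 2 and then 3 of a chain would
# actually remove rules 2 and 4 of the original listing.
delete_cmds_for_source() {
    rule_nums_for_source "$1" "$2" | while read -r n; do
        echo "iptables -D $1 $n"
    done
}

# Constructed sample output of `iptables -nL --line-number`.
SAMPLE='Chain INPUT (policy ACCEPT)
num  target  prot opt source        destination
1    DROP    all  --  192.168.1.1   0.0.0.0/0
2    DROP    all  --  192.168.1.2   0.0.0.0/0
3    DROP    all  --  192.168.1.3   0.0.0.0/0
4    DROP    all  --  192.168.1.3   0.0.0.0/0

Chain FORWARD (policy ACCEPT)
num  target  prot opt source        destination
1    DROP    all  --  192.168.1.3   0.0.0.0/0
'

# Constructed sample output of `iptables -nvL --line-number` (extra columns).
SAMPLE_V='Chain INPUT (policy ACCEPT 10 packets, 800 bytes)
num   pkts bytes target  prot opt in   out  source        destination
1        0     0 DROP    all  --  *    *    192.168.1.1   0.0.0.0/0
2        3   180 DROP    all  --  *    *    192.168.1.3   0.0.0.0/0
'

# Demo: print the delete commands without running them. On a real host the
# output can be reviewed first and then piped into sh to apply it.
printf '%s' "$SAMPLE" | delete_cmds_for_source INPUT 192.168.1.3
```

<p>
For the INPUT chain of the first sample the demo prints iptables -D INPUT 4 followed by iptables -D INPUT 3; the FORWARD chain is untouched because the chain name is matched as well as the source, and a source that appears nowhere produces no commands at all.</p>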
<p>
<span><strong>4. Modifying</strong></span></p>
<p>
Modification uses the -R parameter.</p>
<p>
First look at the current rules:</p>
<div class="jb51code">
<pre><code class="bash"># iptables -nL --line-number
Chain INPUT (policy ACCEPT)
num  target  prot opt source        destination
1    DROP    all  --  192.168.1.1   0.0.0.0/0
2    DROP    all  --  192.168.1.2   0.0.0.0/0
3    DROP    all  --  192.168.1.5   0.0.0.0/0
</code></pre>
</div>
<p>
Change the third rule to ACCEPT:</p>
<div class="jb51code">
<pre><code class="bash"># iptables -R INPUT 3 -j ACCEPT
</code></pre>
</div>
<p>
View again:</p>
<div class="jb51code">
<pre><code class="bash"># iptables -nL --line-number
Chain INPUT (policy ACCEPT)
num  target  prot opt source        destination
1    DROP    all  --  192.168.1.1   0.0.0.0/0
2    DROP    all  --  192.168.1.2   0.0.0.0/0
3    ACCEPT  all  --  0.0.0.0/0     0.0.0.0/0
</code></pre>
</div>
<p>
The target of the third rule has been changed to ACCEPT. Note that -R replaces the whole rule, not just its target: the listing above shows the source is now 0.0.0.0/0, because the replacement was given without -s 192.168.1.5, so rule 3 now accepts traffic from any source. To keep the original match, repeat it in the replacement, for example iptables -R INPUT 3 -s 192.168.1.5 -j ACCEPT.</p>
<p>
<span><strong>5. Making the rules persistent</strong></span></p>
<p>
Rules changed with the iptables command live only in kernel memory and are lost on reboot. On RHEL/CentOS systems that use the iptables init script, the following saves them to /etc/sysconfig/iptables and reloads them:</p>
<p>
service iptables save</p>
<p>
service iptables restart</p>
<p>
This concludes the operations for viewing, adding, deleting and modifying Linux firewall iptables rules described in this article.</p>
<p>
Original article: http://blog.csdn.net/whatday/article/details/50721777</p>