Service control (CentOS 6 style SysV init script):

bash> service iptables status    # show status (the currently loaded rules)
bash> service iptables save      # save the running rules to /etc/sysconfig/iptables
bash> service iptables stop      # stop (flushes the rules)
bash> service iptables start     # start (loads the rules from the config file)
bash> service iptables restart   # restart
Configuration file:

bash> vim /etc/sysconfig/iptables
Web server: open port 80.

bash> iptables -A INPUT -p tcp --dport 80 -j ACCEPT

Note that -A appends to the end of the chain. If the chain already ends with a catch-all REJECT or DROP rule (as in the common configuration below), a rule appended after it is never reached; use -I INPUT <position> to insert it before the final reject rule instead.
Mail server: open a group of ports (POP3 and SMTP).

bash> iptables -A INPUT -m state --state NEW -m multiport -p tcp --dports 110,25 -j ACCEPT
FTP server: open port 21 (control channel) and port 20 (active-mode data channel).

bash> iptables -A INPUT -m state --state NEW -m multiport -p tcp --dports 21,20 -j ACCEPT

Caveat: this only covers active mode. Passive-mode data connections arrive on high random ports, so the ip_conntrack_ftp / nf_conntrack_ftp connection-tracking helper must be loaded so that they match the ESTABLISHED,RELATED rule instead of being rejected.
DNS server: open port 53.

bash> iptables -A INPUT -p tcp --dport 53 -j ACCEPT

Caveat: the rule above covers TCP only. DNS queries are normally sent over UDP, so a matching rule with -p udp --dport 53 is needed as well, otherwise ordinary lookups will be rejected.
Allow ICMP packets through, i.e. allow ping:

-A OUTPUT -p icmp -j ACCEPT    # needed if the OUTPUT policy is DROP
-A INPUT -p icmp -j ACCEPT     # needed if the INPUT policy is DROP
Forward port 8080 on this host to another host. This host's IP is 192.168.1.12; the target host and port are 192.168.1.13:8088. The rules are as follows:

iptables -t nat -A PREROUTING -p tcp -m tcp --dport 8080 -j DNAT --to-destination 192.168.1.13:8088
iptables -t nat -A POSTROUTING -p tcp -m tcp --dport 8088 -j SNAT --to-source 192.168.1.12
echo 1 > /proc/sys/net/ipv4/ip_forward

The DNAT rule rewrites the destination of incoming connections to port 8080; the SNAT rule rewrites the source of the forwarded packets to this host's address so that the target's replies return through this host (the target therefore sees 192.168.1.12 rather than the real client IP; add -d 192.168.1.13 to the SNAT rule so it does not also rewrite unrelated traffic to port 8088). Writing to /proc/sys/net/ipv4/ip_forward enables IP forwarding until the next reboot only; set net.ipv4.ip_forward = 1 in /etc/sysctl.conf to make it persistent.

The FORWARD chain must also accept this traffic. If the FORWARD chain ends with a REJECT rule (as in the common configuration below), add an ACCEPT for the post-DNAT destination 192.168.1.13:8088 before it.

Common configuration:
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -s 192.168.10.0/24 -j ACCEPT
-A INPUT -m iprange --src-range 192.168.10.100-192.168.10.200 -j ACCEPT
-A INPUT -m state --state NEW -m multiport -p tcp --dports 22,80,8080,10050 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT

Notes on this file: an address range cannot be written as 192.168.10.[100-200]; iptables rejects that syntax, the iprange match shown above is the correct form (here it is redundant anyway, since the /24 rule before it already accepts those hosts). Every table in /etc/sysconfig/iptables must end with COMMIT, otherwise iptables-restore refuses the file. Because the INPUT policy is ACCEPT and filtering relies on the final REJECT rule, flushing the chain (iptables -F) leaves the host completely open; a DROP policy would instead lock out remote access on a flush, so pick the behaviour you want to fail into.
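The port-forwarding rules and the common configuration above are easiest to maintain as one generated ruleset that is checked and then loaded atomically with iptables-restore. The script below is an added example, not code from the original page: it generates both the nat and filter tables in /etc/sysconfig/iptables format, runs two static checks that would have caught the errors discussed above (a missing COMMIT and the invalid [100-200] range syntax), and only then applies and saves the rules. All addresses, ports and the admin range are assumed sample values.

```shell
#!/bin/sh
# Added example (not from the original page): generate, validate, apply and
# save a CentOS 6 style iptables ruleset. Addresses and ports are assumptions.

ADMIN_NET="192.168.10.0/24"
ADMIN_RANGE="192.168.10.100-192.168.10.200"   # needs -m iprange, not [100-200]
TCP_PORTS="22,80,8080,10050"
LOCAL_IP="192.168.1.12"        # this host
FWD_PORT="8080"                # port on this host that is forwarded
TARGET_IP="192.168.1.13"       # where the forwarded traffic goes
TARGET_PORT="8088"

# Emit the ruleset in iptables-restore format (same format as the config file).
gen_rules() {
cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# forward $LOCAL_IP:$FWD_PORT to $TARGET_IP:$TARGET_PORT
-A PREROUTING -d $LOCAL_IP -p tcp -m tcp --dport $FWD_PORT -j DNAT --to-destination $TARGET_IP:$TARGET_PORT
# rewrite the source so replies come back via this host (client IP is hidden from the target)
-A POSTROUTING -d $TARGET_IP -p tcp -m tcp --dport $TARGET_PORT -j SNAT --to-source $LOCAL_IP
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -s $ADMIN_NET -j ACCEPT
-A INPUT -m iprange --src-range $ADMIN_RANGE -j ACCEPT
-A INPUT -m state --state NEW -m multiport -p tcp --dports $TCP_PORTS -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
# FORWARD sees the post-DNAT destination, so match the target, not port $FWD_PORT
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -d $TARGET_IP -p tcp -m tcp --dport $TARGET_PORT -m state --state NEW -j ACCEPT
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
EOF
}

# Static checks on a ruleset read from stdin: every table must be closed by
# COMMIT, and a glob-style address range like 192.168.10.[100-200] is not
# iptables syntax. Exit status 0 means the ruleset passed.
validate_rules() {
  awk '
    BEGIN            { bad = 0; table = "" }
    /^\*/            { if (table != "") { print "missing COMMIT for *" table > "/dev/stderr"; bad = 1 }
                       table = substr($1, 2) }
    /^COMMIT$/       { table = "" }
    /^-[AI] / && /-s [0-9.]*\[/ {
                       print "invalid range syntax (use -m iprange): " $0 > "/dev/stderr"; bad = 1 }
    END              { if (table != "") { print "missing COMMIT for *" table > "/dev/stderr"; bad = 1 }
                       exit bad }
  '
}

# Load atomically (iptables-restore replaces each table all-or-nothing),
# enable forwarding persistently, then save so the rules survive a reboot.
# Needs root; never run by the test harness.
apply_rules() {
  tmp=$(mktemp) || return 1
  gen_rules > "$tmp"
  validate_rules < "$tmp" || { rm -f "$tmp"; return 1; }
  iptables-restore < "$tmp" || { rm -f "$tmp"; return 1; }
  rm -f "$tmp"
  sysctl -w net.ipv4.ip_forward=1
  grep -q '^net.ipv4.ip_forward *= *1' /etc/sysctl.conf \
    || echo 'net.ipv4.ip_forward = 1' >> /etc/sysctl.conf
  service iptables save
}

case "${1:-show}" in
  show)  gen_rules ;;
  check) gen_rules | validate_rules && echo "ruleset OK" ;;
  apply) apply_rules ;;
esac
```

Run `sh fw.sh check` first; `sh fw.sh apply` (as root) loads the rules, turns on forwarding and writes /etc/sysconfig/iptables through `service iptables save`. Using iptables-restore instead of a series of `iptables -A` commands also avoids the ordering trap where a new ACCEPT is appended behind the final REJECT.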
Common problem: starting or saving the rules fails because the configuration file does not exist

Symptom:

bash> service iptables save
iptables: Nothing to save.
bash> service iptables start
iptables: No config file.

Cause: "Nothing to save" is printed by the init script when no iptables table is loaded in the kernel (there is no /proc/net/ip_tables_names yet), which is the case on a fresh system where no iptables command has ever been run; "No config file" means /etc/sysconfig/iptables is missing.

Fix: run any iptables command so that the ip_tables module gets loaded. Setting the default OUTPUT policy to ACCEPT (its default value, so nothing changes) is enough:

bash> iptables -P OUTPUT ACCEPT

Then save again, which creates the configuration file:

bash> service iptables save
iptables: Saving firewall rules to /etc/sysconfig/iptables:[ OK ]

and start the firewall:

bash> service iptables start
iptables: Applying firewall rules: [ OK ]