Home>Article>Operation and Maintenance> Software firewall iptables under Linux - view and clear rules, define default policy
A firewall is a way for users to restrict access to certain IPs or users to their hosts. Firewalls are divided into two categories: hardware firewalls and software firewalls. Software firewalls are mainly used to filter data packets, while hardware firewalls are mainly used to protect against malicious attacks and filter data packets, such as DDOS attacks. Here, we will explain the software firewall under Linux-iptables.
iptables and firewalld
Under centOS6, the default software firewall is iptables, and in centos7, it is firewalld. What is the connection between them? In fact, firewalld is a newly packaged software on the original iptables.
When learning iptables, it is recommended to close firewalld first and enable iptables
yum install iptables-services systemctl stop firewalld systemctl start iptables
iptables tables and chains
iptables Different tables represent different functions. There are 4 tables by default
filter (filter) nat (address translation) mangle raw
Under different tables, there are their own rule chains:
Rule viewing and clearing of iptables
Rule View
Usage example: iptables [-t tables] -L [-nv] Options and parameters:# 查看filter表的规则 # iptables -nvL Chain INPUT (policy ACCEPT 0 packets, 0 bytes) pkts bytes target prot opt in out source destination 67 4444 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED 0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 0 0 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0 0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:22 2 286 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited Chain FORWARD (policy ACCEPT 0 packets, 0 bytes) pkts bytes target prot opt in out source destination 0 0 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited Chain OUTPUT (policy ACCEPT 38 packets, 4664 bytes) pkts bytes target prot opt in out source destination # 查看nat表的规则 iptables -t nat -L -nvThe meaning of the rule options under the chain is as follows:
Clear the rules of iptables
After centOS7 is installed by default, the system already has many iptables rules. Here we will teach you how to clear these rules. Usage example: iptables [-t tables] [-FXZ] Options and parameters:# iptables -F # iptables -X # iptables -Z
View specific rules
Use iptables-save to view specific rules Usage: iptables-save [-t tables ]# iptables-save -t filter # Generated by iptables-save v1.4.21 on Sat Nov 14 21:51:56 2020 *filter :INPUT ACCEPT [0:0] :FORWARD ACCEPT [0:0] :OUTPUT ACCEPT [56:7196] -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT -A INPUT -p icmp -j ACCEPT -A INPUT -i lo -j ACCEPT -A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT -A INPUT -j REJECT --reject-with icmp-host-prohibited -A FORWARD -j REJECT --reject-with icmp-host-prohibited # Completed on Sat Nov 14 21:51:56 2020
Define the default strategy
After we clear the rules, only the default strategy is left. What is the default policy is that when any of our rules are not met, the default rule is used. The default policies are ACCEPT (accept packets) and DROP (drop packets) Usage: iptables [-t tables] -P [INPUT|OUTPUT|FORWARD……] [ACCEPT|DROP] Now, we try to change the default INPUT chain of the filter to DROP, OUTPUT and FORWARD chain to ACCETPiptables -t filter -P INPUT DROP # 注意,该命令敲完后,你的终端就可能会断开连接了 iptables -P OUTPUT ACCEPT iptables -P FORWARD ACCEPTRelated recommendations: "
linux course"
The above is the detailed content of Software firewall iptables under Linux - view and clear rules, define default policy. For more information, please follow other related articles on the PHP Chinese website!