iptables detailed Chinese manual, sentence by sentence (translated)

  
SYNOPSIS

iptables -[ADC] chain rule-specification [options]
    -A appends, -D deletes, -C checks a rule (the original glosses -C as "modify"; in iptables -C has only ever been a check, never a modification).
iptables -[RI] chain rulenum rule-specification [options]
    -R replaces, -I inserts the rule at the given rule number.
iptables -D chain rulenum [options]
    Deletes the rule with the given number.
iptables -[LFZ] [chain] [options]
    -L lists, -F flushes, -Z zeroes the counters of the chain (all chains if none is named).
iptables -[NX] chain
    -N creates, -X deletes a user-defined chain.
iptables -P chain target [options]
    Sets the default policy (target) of the chain.
iptables -E old-chain-name new-chain-name
    Renames the chain old-chain-name to new-chain-name.

DESCRIPTION

iptables is used to set up, maintain and inspect the IP packet filter rules of the Linux kernel. Several different tables may be defined. Each table contains a number of built-in chains and may also contain user-defined chains. Each chain is a list of rules that can match a set of packets: each rule specifies what to do with a packet that matches. This is called a "target", and the target may also be a jump to a user-defined chain in the same table.

TARGETS

A firewall rule specifies criteria for a packet and a target. If the packet does not match, the next rule in the chain is examined; if it does match, the next rule to be examined is specified by the value of the target, which can be the name of a user-defined chain or one of the special values ACCEPT, DROP, QUEUE or RETURN. ACCEPT means to let the packet through. DROP means to drop the packet on the floor. QUEUE means to pass the packet to user space (if the kernel supports it). RETURN means to stop traversing this chain and resume at the next rule in the previous (calling) chain. If the end of a built-in chain is reached, or a rule in a built-in chain with target RETURN is matched, the target specified by the chain policy determines the fate of the packet.

TABLES

There are currently three tables (which tables are present at any time depends on the kernel configuration options and on which modules are loaded). This describes the iptables of the kernel 2.4 era; later kernels also provide the raw and security tables, which are not covered here.

-t, --table table
    This option specifies the packet matching table which the command should operate on. If the kernel is configured with automatic module loading, an attempt is made to load the appropriate module for that table if it is not already loaded. The tables are as follows:

    filter: the default table. It contains the built-in chains INPUT (for packets coming into the box itself), FORWARD (for packets being routed through the box), and OUTPUT (for locally generated packets).

    nat: this table is consulted when a packet that creates a new connection is encountered. It consists of three built-in chains: PREROUTING (for altering packets as soon as they come in), OUTPUT (for altering locally generated packets before routing), and POSTROUTING (for altering packets as they are about to go out).

    mangle: this table is used for specialized packet alteration. In the version described here it has two built-in chains: PREROUTING (for altering incoming packets before routing) and OUTPUT (for altering locally generated packets before routing). From kernel 2.4.18 onward the mangle table also has INPUT, FORWARD and POSTROUTING chains.

OPTIONS

The options recognized by iptables can be divided into several different groups.

COMMANDS

These options specify the specific action to perform. Only one of them can be specified on the command line unless otherwise stated below. For the long versions of the command and option names, you need to use only enough letters to ensure that iptables can differentiate it from all other options.

-A, --append
    Append one or more rules to the end of the selected chain. When the source and/or destination names resolve to more than one address, a rule is added for each possible address combination.

-D, --delete
    Delete one or more rules from the selected chain. There are two versions of this command: the rule can be specified as a number in the chain (starting at 1 for the first rule) or as a rule to match.

-R, --replace
    Replace a rule in the selected chain. If the source and/or destination names resolve to multiple addresses, the command fails. Rules are numbered starting at 1.

-I, --insert
    Insert one or more rules in the selected chain at the given rule number. So, if the rule number is 1, the rule or rules are inserted at the head of the chain. This is also the default if no rule number is specified.

-L, --list
    List all rules in the selected chain. If no chain is selected, all chains are listed. It is legal to specify the -Z (zero) option as well, in which case the chain(s) are atomically listed and zeroed. The exact output is affected by the other arguments given.

-F, --flush
    Flush the selected chain. This is equivalent to deleting all the rules one by one.

-Z, --zero
    Zero the packet and byte counters in all chains. It is legal to specify the -L (list) option as well, to see the counters immediately before they are cleared (see above).

-N, --new-chain
    Create a new user-defined chain by the given name. There must be no target of that name already.

-X, --delete-chain
    Delete the specified user-defined chain. There must be no references to the chain. If there are, you must delete or replace the referring rules before the chain can be deleted. If no argument is given, it attempts to delete every non-built-in chain in the table.

-P, --policy
    Set the policy for the chain to the given target. See the section TARGETS for the legal targets. Only non-user-defined chains can have policies, and neither built-in nor user-defined chains can be policy targets.

-E, --rename-chain
    Rename the specified chain to the user-supplied name. This is cosmetic and has no effect on the structure of the table.

-h
    Help. Give a (currently very brief) description of the command syntax.

PARAMETERS

The following parameters make up a rule specification (as used in the add, delete, insert, replace and append commands).

-p, --protocol [!] protocol
    The protocol of the rule or of the packet to check. The specified protocol can be one of tcp, udp, icmp or all, or it can be a numeric value representing one of these or a different protocol. A protocol name from /etc/protocols is also allowed. A "!" argument before the protocol inverts the test. The number zero is equivalent to all. Protocol all matches all protocols and is taken as the default when this option is omitted. all may not be used in combination with the check command (the original says the opposite; the iptables manual forbids it).

-s, --source [!] address[/mask]
    Source specification. address can be a hostname, a network name, or a plain IP address. The mask can be either a network mask or a plain number specifying the number of 1 bits at the left side of the network mask; thus a mask of 24 is equivalent to 255.255.255.0. A "!" argument before the address specification inverts the sense of the address. The flag --src is a convenient alias for this option.

-d, --destination [!] address[/mask]
    Destination specification. See the description of the -s (source) flag for a detailed description of the syntax. The flag --dst is an alias for this option.

-j, --jump target
    This specifies the target of the rule, i.e. what to do if the packet matches it. The target can be a user-defined chain (other than the one this rule is in), one of the special built-in targets which decide the fate of the packet immediately, or an extension (see EXTENSIONS below). If this option is omitted in a rule, then matching the rule has no effect on the packet's fate, but the counters on the rule are still incremented.
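The commands and parameters described above, put together as an added example that is not part of the original manual: a small default-deny host firewall script that exercises the chain policy (-P), a user-defined chain entered with -j and left with RETURN, "!" address negation, insertion by rule number (-I), and the flush-before-delete order that -X requires, plus a helper that turns a /N prefix into the netmask the -s description refers to. The LAN 192.168.1.0/24, TCP port 22 and the chain name admin-in are assumptions chosen for illustration; -i lo (interface match) and --dport (tcp match extension) are real iptables options that this excerpt does not describe. With DRY_RUN=1 the script prints the iptables commands instead of executing them, so the ruleset can be reviewed without root and without touching the kernel.

```shell
#!/bin/sh
# Added example, not from the original manual page. Builds a small
# default-deny host firewall with the commands (-P, -N, -A, -I, -F, -X, -L)
# and parameters (-p, -s, "!", -j, RETURN) described in the text above.
# Hypothetical values chosen for illustration: the admin LAN is
# 192.168.1.0/24, SSH listens on TCP/22, "admin-in" is our own chain name.
# "-i lo" (interface match) and "--dport" (tcp match extension) are real
# iptables options that the excerpt does not describe.
# With DRY_RUN=1 set, commands are printed instead of executed.

run() {
    if [ -n "${DRY_RUN:-}" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Convert a /N prefix length into the dotted netmask it stands for, i.e.
# N leading 1 bits, as in "-s address/mask" above: 24 -> 255.255.255.0.
prefix_to_netmask() {
    bits=$1
    [ "$bits" -ge 0 ] && [ "$bits" -le 32 ] || return 1
    mask=""
    i=0
    while [ "$i" -lt 4 ]; do
        if [ "$bits" -ge 8 ]; then
            octet=255
        elif [ "$bits" -le 0 ]; then
            octet=0
        else
            octet=$(( 256 - (1 << (8 - bits)) ))
        fi
        mask="${mask}${mask:+.}${octet}"
        bits=$(( bits - 8 ))
        i=$(( i + 1 ))
    done
    printf '%s\n' "$mask"
}

build_ruleset() {
    # -N creates a user-defined chain; -A appends rules to its end, in order.
    # "!" inverts the -s match. The explicit DROP keeps its own counters, so
    # "iptables -L admin-in -v -n" shows how often it fired.
    run iptables -N admin-in
    run iptables -A admin-in -p tcp -s 192.168.1.0/24 --dport 22 -j ACCEPT
    run iptables -A admin-in -p tcp ! -s 192.168.1.0/24 --dport 22 -j DROP
    # RETURN resumes in the calling chain at the rule after the jump. Falling
    # off the end of a user-defined chain behaves the same, so this rule only
    # documents the intent.
    run iptables -A admin-in -j RETURN

    # Built-in INPUT chain: loopback first, then hand TCP to admin-in (-j to a
    # user-defined chain). Whatever returns unmatched falls to the policy.
    run iptables -A INPUT -i lo -j ACCEPT
    run iptables -A INPUT -p tcp -j admin-in
    # -I with rule number 1 puts this rule at the head of the chain, so it is
    # evaluated before the two rules appended above.
    run iptables -I INPUT 1 -p icmp -s 192.168.1.0/24 -j ACCEPT

    # -P sets the chain policy: the target applied when a packet reaches the
    # end of a built-in chain (or hits RETURN there) without a verdict.
    # Policies are set last so an SSH session applying this is not cut off
    # while the ACCEPT rules are still missing. -t filter is the default.
    run iptables -t filter -P INPUT DROP
    run iptables -t filter -P FORWARD DROP
    run iptables -t filter -P OUTPUT ACCEPT
}

teardown_ruleset() {
    # Open the policies first: flushing a chain whose policy is DROP would
    # cut off a remote session. -X only succeeds once no rule references the
    # chain, which is why INPUT is flushed before admin-in is deleted.
    run iptables -P INPUT ACCEPT
    run iptables -P FORWARD ACCEPT
    run iptables -F INPUT
    run iptables -F admin-in
    run iptables -X admin-in
}

show_ruleset() {
    # -L with -n (no DNS lookups), -v (counters) and --line-numbers gives the
    # rule numbers that -D and -I by number refer to.
    run iptables -L INPUT -n -v --line-numbers
    run iptables -L admin-in -n -v --line-numbers
}

# Usage: sh firewall.sh print | apply | show | teardown   (apply needs root)
case "${1:-}" in
    print)    DRY_RUN=1 build_ruleset ;;
    apply)    build_ruleset ;;
    show)     show_ruleset ;;
    teardown) teardown_ruleset ;;
esac
```

Review the output of `sh firewall.sh print` before running `apply` as root, and try `apply` from a console rather than over SSH the first time: with no ESTABLISHED-state rule, only the admin LAN keeps SSH access once the INPUT policy is DROP. `teardown` reverses the setup in the order the -X restriction demands.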