Firewall policy rules are matched from top to bottom, so the stricter, higher-priority rules must be placed first. The commonly used iptables parameters and their functions are shown in the figure below:




[root@linuxprobe /]# iptables -L | wc -l  ## count the lines
[root@linuxprobe /]# iptables -L | head  ## show the first ten lines
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
ACCEPT     all  --  anywhere             anywhere
INPUT_direct  all  --  anywhere             anywhere
INPUT_ZONES_SOURCE  all  --  anywhere             anywhere
INPUT_ZONES  all  --  anywhere             anywhere
ACCEPT     icmp --  anywhere             anywhere
REJECT     all  --  anywhere             anywhere             reject-with icmp-host-prohibited

[root@linuxprobe /]# iptables -L | tail
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:ssh ctstate NEW

Chain IN_public_deny (1 references)
target     prot opt source               destination

Chain IN_public_log (1 references)
target     prot opt source               destination

Chain OUTPUT_direct (1 references)
target     prot opt source               destination



[root@linuxprobe /]# iptables -F  ## flush the existing firewall rule chains
[root@linuxprobe /]# iptables -L | wc -l  ## count the lines
[root@linuxprobe /]# iptables -L | head  ## show the first ten lines
Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD_IN_ZONES (0 references)
[root@linuxprobe /]# iptables -L | tail
target     prot opt source               destination

Chain IN_public_deny (0 references)
target     prot opt source               destination

Chain IN_public_log (0 references)
target     prot opt source               destination

Chain OUTPUT_direct (0 references)
target     prot opt source               destination



[root@linuxprobe /]# iptables -L | head  ## before the change the policy is ACCEPT
Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD_IN_ZONES (0 references)
[root@linuxprobe /]# iptables -P INPUT DROP  ## set the default policy of the INPUT chain to drop; -P sets the default policy
[root@linuxprobe ~]# iptables -L | head  ## check
Chain INPUT (policy DROP)
target     prot opt source               destination         

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         

Chain FORWARD_IN_ZONES (0 references)


Also, the default action of a rule chain can only be DROP, not REJECT.



[root@linuxprobe ~]# iptables -L | head  ## view the firewall rule chains before the change
Chain INPUT (policy DROP)
target     prot opt source               destination         

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         

Chain FORWARD_IN_ZONES (0 references)
[root@linuxprobe ~]# ifconfig | head  ## check the local IP
eno16777728: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet  netmask  broadcast
        inet6 fe80::20c:29ff:feab:7b00  prefixlen 64  scopeid 0x20<link>
        ether 00:0c:29:ab:7b:00  txqueuelen 1000  (Ethernet)
        RX packets 845  bytes 79101 (77.2 KiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 576  bytes 81095 (79.1 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
[root@linuxprobe ~]# ping -c 4  ## test connectivity
PING ( 56(84) bytes of data.

--- ping statistics ---
4 packets transmitted, 0 received, 100% packet loss, time 2999ms

[root@linuxprobe ~]# iptables -I INPUT -p icmp -j ACCEPT  ## allow ICMP traffic in; -I inserts the new rule at the head of the chain, -p matches the protocol (TCP, UDP, ICMP, etc.), -j??
[root@linuxprobe ~]# ping -c 4  ## test connectivity
PING ( 56(84) bytes of data.
64 bytes from icmp_seq=1 ttl=64 time=0.075 ms
64 bytes from icmp_seq=2 ttl=64 time=0.041 ms
64 bytes from icmp_seq=3 ttl=64 time=0.040 ms
64 bytes from icmp_seq=4 ttl=64 time=0.037 ms

--- ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 2999ms
rtt min/avg/max/mdev = 0.037/0.048/0.075/0.016 ms
[root@linuxprobe ~]# iptables -L | head  ## view the firewall rule chains after the change
Chain INPUT (policy DROP)
target     prot opt source               destination         
ACCEPT     icmp --  anywhere             anywhere            

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         



a. TCP is a connection-oriented, reliable, byte-stream-based transport-layer protocol defined in IETF RFC 793. In the simplified OSI model of computer networks it performs the functions assigned to layer 4, the transport layer. In the Internet protocol suite, the TCP layer is an intermediate layer above the IP layer and below the application layer. Application layers on different hosts often need a reliable, pipe-like connection, but the IP layer does not provide such a stream mechanism; it provides only unreliable packet switching.

b. UDP is short for User Datagram Protocol. It is a connectionless transport-layer protocol in the OSI reference model that provides a simple, unreliable, transaction-oriented message delivery service; IETF RFC 768 is the formal specification of UDP. The protocol number of UDP in IP packets is 17.






[root@linuxprobe ~]# iptables -L | head
Chain INPUT (policy DROP)
target     prot opt source               destination         
ACCEPT     icmp --  anywhere             anywhere            

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         

[root@linuxprobe ~]# iptables -D INPUT 1  ## delete rule 1 of the INPUT chain
[root@linuxprobe ~]# iptables -L | head  ## check: the rule marked in red has been deleted
Chain INPUT (policy DROP)
target     prot opt source               destination         

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         

Chain FORWARD_IN_ZONES (0 references)
[root@linuxprobe ~]# iptables -P INPUT ACCEPT  ## -P sets the default policy; set it back to ACCEPT
[root@linuxprobe ~]# iptables -L | head  ## check
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         

Chain FORWARD_IN_ZONES (0 references)




[root@linuxprobe ~]# ifconfig | head  ## check the current IP
eno16777728: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet  netmask  broadcast
        inet6 fe80::20c:29ff:feab:7b00  prefixlen 64  scopeid 0x20<link>
        ether 00:0c:29:ab:7b:00  txqueuelen 1000  (Ethernet)
        RX packets 878  bytes 81887 (79.9 KiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 598  bytes 82993 (81.0 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
[root@linuxprobe ~]# ifconfig | head  ## log in to another VM and check its IP
ens160: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet  netmask  broadcast
        inet6 fe80::d7fe:9dfc:42ec:c255  prefixlen 64  scopeid 0x20<link>
        ether 00:0c:29:ef:86:f2  txqueuelen 1000  (Ethernet)
        RX packets 6387  bytes 689901 (673.7 KiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 5564  bytes 625924 (611.2 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
[root@linuxprobe ~]# ssh  ## remote connection: succeeds
root@'s password:
Last login: Fri Oct 30 14:31:33 2020
[root@linuxprobe ~]# ifconfig | head  ## log in to another VM and check its IP
ens160: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet netmask broadcast
inet6 fe80::54f8:bbf7:7760:3745 prefixlen 64 scopeid 0x20<link>
ether 00:0c:29:8d:79:f8 txqueuelen 1000 (Ethernet)
RX packets 98 bytes 15531 (15.1 KiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 94 bytes 14709 (14.3 KiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0

lo: flags=73<UP,LOOPBACK,RUNNING> mtu 65536
[root@linuxprobe ~]# ssh  ## remote connection: succeeds
root@'s password:
Last login: Fri Oct 30 15:06:39 2020 from


[root@linuxprobe ~]# iptables -L | head  ## check
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         

Chain FORWARD_IN_ZONES (0 references)
[root@linuxprobe ~]# iptables -I INPUT -s -p tcp --dport 22 -j ACCEPT  
[root@linuxprobe ~]# ifconfig | head  ## log in to another host and check its IP
ens160: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet  netmask  broadcast
        inet6 fe80::d7fe:9dfc:42ec:c255  prefixlen 64  scopeid 0x20<link>
        ether 00:0c:29:ef:86:f2  txqueuelen 1000  (Ethernet)
        RX packets 164  bytes 21581 (21.0 KiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 137  bytes 18893 (18.4 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
[root@linuxprobe ~]# ssh  ## test the remote connection: fails
ssh: connect to host port 22: Connection refused
[root@linuxprobe ~]# ifconfig | head  ## log in to another host and check its IP
ens160: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet  netmask  broadcast
        inet6 fe80::54f8:bbf7:7760:3745  prefixlen 64  scopeid 0x20<link>
        ether 00:0c:29:8d:79:f8  txqueuelen 1000  (Ethernet)
        RX packets 372  bytes 48040 (46.9 KiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 229  bytes 33472 (32.6 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
[root@linuxprobe ~]# ssh  ## test the remote connection: fails
ssh: connect to host port 22: Connection refused



[root@linuxprobe ~]# iptables -L | head  ## view the current firewall rule chains
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
ACCEPT     tcp  --      anywhere             tcp dpt:ssh
REJECT     tcp  --  anywhere             anywhere             tcp dpt:ssh reject-with icmp-port-unreachable

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         
[root@linuxprobe ~]# iptables -D INPUT 1  ## delete the first rule
[root@linuxprobe ~]# iptables -L | head   ## check
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
REJECT     tcp  --  anywhere             anywhere             tcp dpt:ssh reject-with icmp-port-unreachable

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         

[root@linuxprobe ~]# iptables -D INPUT 1  ## delete the first rule
[root@linuxprobe ~]# iptables -L | head  ## check: both rules have been deleted
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         

Chain FORWARD_IN_ZONES (0 references)



[root@linuxprobe ~]# iptables -L | head  ## view the current rule chains
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         

Chain FORWARD_IN_ZONES (0 references)
[root@linuxprobe ~]# iptables -I INPUT -s -p tcp --dport 22 -j ACCEPT  ## allow the trusted subnet
[root@linuxprobe ~]# iptables -L | head  ## check
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
ACCEPT     tcp  --       anywhere             tcp dpt:ssh

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         

[root@linuxprobe ~]# iptables -A INPUT -p tcp --dport 22 -j REJECT  ## reject SSH traffic from all other hosts
[root@linuxprobe ~]# iptables -L | head  ## check
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
ACCEPT     tcp  --       anywhere             tcp dpt:ssh
REJECT     tcp  --  anywhere             anywhere             tcp dpt:ssh reject-with icmp-port-unreachable

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         



[root@linuxprobe ~]# ifconfig | head  ## log in to another host and check its IP
ens160: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet  netmask  broadcast
        inet6 fe80::d7fe:9dfc:42ec:c255  prefixlen 64  scopeid 0x20<link>
        ether 00:0c:29:ef:86:f2  txqueuelen 1000  (Ethernet)
        RX packets 230  bytes 27797 (27.1 KiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 179  bytes 23712 (23.1 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
[root@linuxprobe ~]# ssh  ## test the remote connection: succeeds
root@'s password:
Last login: Fri Oct 30 15:09:27 2020 from
[root@linuxprobe ~]# ifconfig | head  ## log in to another host and check its IP
ens160: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet  netmask  broadcast
        inet6 fe80::54f8:bbf7:7760:3745  prefixlen 64  scopeid 0x20<link>
        ether 00:0c:29:8d:79:f8  txqueuelen 1000  (Ethernet)
        RX packets 438  bytes 54337 (53.0 KiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 260  bytes 37486 (36.6 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
[root@linuxprobe ~]# ssh  ## test the remote connection: succeeds
root@'s password:
Last login: Fri Oct 30 15:36:17 2020 from



[root@linuxprobe ~]# iptables -L | head  ## view the current rule chains
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
ACCEPT     tcp  --       anywhere             tcp dpt:ssh
REJECT     tcp  --  anywhere             anywhere             tcp dpt:ssh reject-with icmp-port-unreachable

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         
[root@linuxprobe ~]# iptables -D INPUT 1  ## delete the first rule
[root@linuxprobe ~]# iptables -D INPUT 1  ## delete the first rule again (the former second rule)
[root@linuxprobe ~]# iptables -L | head   ## view the rule chains
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         

Chain FORWARD_IN_ZONES (0 references)



[root@linuxprobe ~]# iptables -L | head  ## view the rule chains
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         

Chain FORWARD_IN_ZONES (0 references)
[root@linuxprobe ~]# iptables -I INPUT -p tcp --dport 12345 -j REJECT ## reject TCP to port 12345
[root@linuxprobe ~]# iptables -L | head  ## check
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
REJECT     tcp  --  anywhere             anywhere             tcp dpt:italk reject-with icmp-port-unreachable

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         

[root@linuxprobe ~]# iptables -I INPUT -p udp --dport 12345 -j REJECT  ## reject UDP to port 12345
[root@linuxprobe ~]# iptables -L | head  ## check
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
REJECT     udp  --  anywhere             anywhere             udp dpt:italk reject-with icmp-port-unreachable
REJECT     tcp  --  anywhere             anywhere             tcp dpt:italk reject-with icmp-port-unreachable

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination    



[root@linuxprobe ~]# iptables -L | head  ## check
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
REJECT     udp  --  anywhere             anywhere             udp dpt:italk reject-with icmp-port-unreachable
REJECT     tcp  --  anywhere             anywhere             tcp dpt:italk reject-with icmp-port-unreachable

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         
[root@linuxprobe ~]# iptables -D INPUT 1  ## delete the first rule
[root@linuxprobe ~]# iptables -L | head  ## check
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
REJECT     tcp  --  anywhere             anywhere             tcp dpt:italk reject-with icmp-port-unreachable

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         

[root@linuxprobe ~]# iptables -D INPUT 1  ## delete the first rule
[root@linuxprobe ~]# iptables -L | head  ## check
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         

Chain FORWARD_IN_ZONES (0 references)



[root@linuxprobe ~]# iptables -L | head  ## view the rule chains
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         

Chain FORWARD_IN_ZONES (0 references)
[root@linuxprobe ~]# iptables -I INPUT -p tcp -s --dport 80 -j REJECT  ## add to the INPUT chain a rule rejecting host 192.168.10.5 from reaching local port 80 (web service)
[root@linuxprobe ~]# iptables -L | head  ## check
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
REJECT     tcp  --         anywhere             tcp dpt:http reject-with icmp-port-unreachable

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         

[root@linuxprobe ~]# iptables -D INPUT 1  ## delete the rule
[root@linuxprobe ~]# iptables -L | head  ## check
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         

Chain FORWARD_IN_ZONES (0 references)



[root@linuxprobe ~]# iptables -L | head  ## view the rule chains
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         

Chain FORWARD_IN_ZONES (0 references)
[root@linuxprobe ~]# iptables -I INPUT -p tcp --dport 1000:1024 -j REJECT  ## reject TCP to ports 1000-1024
[root@linuxprobe ~]# iptables -L | head ## check
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
REJECT     tcp  --  anywhere             anywhere             tcp dpts:cadlock2:1024 reject-with icmp-port-unreachable

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         

[root@linuxprobe ~]# iptables -I INPUT -p udp --dport 1000:1024 -j REJECT  ## reject UDP to ports 1000-1024
[root@linuxprobe ~]# iptables -L | head  ## check
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
REJECT     udp  --  anywhere             anywhere             udp dpts:cadlock2:1024 reject-with icmp-port-unreachable
REJECT     tcp  --  anywhere             anywhere             tcp dpts:cadlock2:1024 reject-with icmp-port-unreachable

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         



[root@linuxprobe ~]# service iptables save
iptables: Saving firewall rules to /etc/sysconfig/iptables:[  OK  ]
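The top-to-bottom first-match rule stated at the start of the page, and the rule set that `service iptables save` writes out at the end, as one added example that is not from the original tutorial: the policy built step by step above is written as an iptables-restore ruleset, and a small awk routine simulates how iptables walks the INPUT chain and stops at the first match, so you can see that appending (-A) the subnet ACCEPT below the broad REJECT instead of inserting (-I) it above locks the trusted subnet out. The subnet 192.168.10.0/24 and the host addresses are constructed placeholders.

```shell
#!/bin/sh
# Added example, not from the original tutorial: the INPUT policy the page
# builds step by step, as one iptables-restore ruleset (the format that
# "service iptables save" writes to /etc/sysconfig/iptables), plus an awk
# simulation of first-match evaluation. Addresses are constructed placeholders.

# Correct order: the narrow ACCEPT for the trusted subnet sits ABOVE the broad
# REJECT for port 22; anything unmatched falls through to the policy DROP.
GOOD_RULES='*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -s 192.168.10.0/24 -p tcp --dport 22 -j ACCEPT
-A INPUT -p tcp --dport 22 -j REJECT --reject-with icmp-port-unreachable
-A INPUT -p tcp --dport 1000:1024 -j REJECT --reject-with icmp-port-unreachable
-A INPUT -p udp --dport 1000:1024 -j REJECT --reject-with icmp-port-unreachable
COMMIT'

# Wrong order: what appending (-A) the ACCEPT after the REJECT produces. The
# broad REJECT now shadows it, so the trusted subnet is locked out as well.
BAD_RULES=$(printf '%s\n' "$GOOD_RULES" | awk '
    /--dport 22 -j ACCEPT/ { held = $0; next }
    { print }
    /--dport 22 -j REJECT/ { print held }')

# verdict RULESET CHAIN PROTO SRC DPORT: print the target of the first rule in
# CHAIN that matches a NEW packet, or the chain policy when no rule matches.
verdict() {
    printf '%s\n' "$1" | awk -v chain="$2" -v proto="$3" -v src="$4" -v dport="$5" '
    function ip2n(s,  a) { split(s, a, "."); return ((a[1]*256 + a[2])*256 + a[3])*256 + a[4] }
    # compare network prefixes by shifting both addresses right by (32 - prefix
    # length); integer division keeps this POSIX awk (and() is gawk only)
    function in_cidr(ip, cidr,  p, n, sh) {
        n = split(cidr, p, "/"); sh = 2 ^ (32 - (n == 2 ? p[2] : 32))
        return int(ip2n(ip) / sh) == int(ip2n(p[1]) / sh)
    }
    $1 == (":" chain) { policy = $2; next }
    done || $1 != "-A" || $2 != chain { next }
    {
        s = ""; p = ""; lo = 0; hi = 65535; j = ""; skip = 0
        for (i = 3; i <= NF; i++) {
            if ($i == "-s") s = $(++i)
            else if ($i == "-p") p = $(++i)
            else if ($i == "-j") j = $(++i)
            else if ($i == "--dport") { n = split($(++i), r, ":"); lo = r[1]; hi = (n == 2) ? r[2] : r[1] }
            else if ($i == "--ctstate") skip = 1   # conntrack state is not modelled; never matches a NEW flow
        }
        if (skip || (p != "" && p != proto)) next
        if (s != "" && !in_cidr(src, s)) next
        if ((p == "tcp" || p == "udp") && (dport + 0 < lo + 0 || dport + 0 > hi + 0)) next
        print j; done = 1
    }
    END { if (!done) print policy }'
}

for pkt in "tcp 192.168.10.5 22" "tcp 10.0.0.7 22" "udp 10.0.0.7 1010" "tcp 10.0.0.7 80"; do
    set -- $pkt
    printf '%-4s from %-14s to port %-5s good order: %-6s  bad order: %s\n' "$1" "$2" "$3" \
        "$(verdict "$GOOD_RULES" INPUT "$1" "$2" "$3")" "$(verdict "$BAD_RULES" INPUT "$1" "$2" "$3")"
done
```

The simulation only models new connections, so the conntrack rule never fires in it; to load the ruleset for real, run `printf '%s\n' "$GOOD_RULES" | iptables-restore` as root.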


