
Linux iptables firewall

2017-03-28 00:00 369 views

1. Show the firewall rules that are currently configured:

iptables -L -n --line-numbers

2. Delete a firewall rule:

iptables -D INPUT number

Here number is the rule entry number shown by the previous command; INPUT can be replaced with OUTPUT or FORWARD to address the corresponding built-in chain.

3. Save and reload the firewall rules:

sudo netfilter-persistent save
sudo netfilter-persistent reload

The save command makes the configured firewall rules permanent, so they are not lost after a reboot.


Table Chains

The iptables rules are broken down into groups called chains. Each table contains default chains that are built into the table.

You can also create your own chains on each table to hold additional rules.

The built-in chains in the filter table are FORWARD, INPUT, and OUTPUT.

If a packet is coming to the host, then it needs to be evaluated by the rules in the INPUT chain.

If the packet is generated by the host itself and going out, then it needs to be evaluated by the rules in the OUTPUT chain.

The FORWARD chain is used for packets that have entered the host but are destined for some other host.

Chain policy

Each chain in the filter table has a policy. A policy is the default action taken.

The policies you can use for packets are DROP, REJECT, and ACCEPT.

The ACCEPT policy accepts the traffic and allows it to pass through the firewall. The DROP policy discards a packet without notifying the sender. The REJECT policy also discards the packet, but it sends an ICMP packet back to the sender to inform it of the rejection.

From a security perspective, you should deny all traffic by default and open the host to only the traffic to which you have explicitly granted access.

DROP for the INPUT and OUTPUT chains means incoming and outgoing traffic are not allowed unless you explicitly add rules to allow the traffic.

Adding a firewall rule:

$ iptables -A INPUT -i eth0 -p tcp --dport 80 -d 192.168.1.2 -j ACCEPT

Let's break this command into pieces so we can understand everything about it.

The -A flag means we are appending a new rule. By default, all new rules are added to the filter table unless you specify another table.

The -i flag specifies which device the traffic will use to enter the host. If you do not specify a device then iptables assumes the rule applies to all incoming network traffic from all devices.

The -p flag specifies the protocol of the packets you are filtering, which is TCP in our case.

The --dport flag tells iptables to select only packets destined for port 80.

The -d selects only those packets destined for the specified IP address, 192.168.1.2. If you do not specify a destination IP address, then iptables would apply this rule to all incoming traffic on eth0 regardless of IP address.

The last flag in the rule, -j, specifies the action to take (the jump target); here we accept the packets with the ACCEPT target.

The above rule allows incoming HTTP traffic, which is on port 80. We can add another rule to allow HTTPS traffic, which is on port 443:

$ iptables -A INPUT -i eth0 -p tcp --dport 443 -d 192.168.1.2 -j ACCEPT
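The default-deny advice above and the two ACCEPT rules, combined into one complete ruleset, as an added example that is not from the original post or the referenced article. It prints a ruleset in iptables-restore format; the interface eth0, host address 192.168.1.2 and the conntrack rules that admit reply traffic are assumptions here, and the path /etc/iptables/rules.v4 in the usage note is the one netfilter-persistent reads on Debian-style systems (also an assumption).

```shell
#!/bin/sh
# gen_rules IFACE HOST_IP PORT... prints an iptables-restore ruleset that
# sets every filter chain to DROP and then admits only the listed TCP ports
# on IFACE for HOST_IP (constructed example values below, not live config).
gen_rules() {
    iface=$1
    host=$2
    shift 2
    printf '%s\n' '*filter'
    # Default policies: deny everything that no explicit rule allows.
    printf '%s\n' ':INPUT DROP [0:0]' ':FORWARD DROP [0:0]' ':OUTPUT DROP [0:0]'
    # Loopback traffic is needed by most local services.
    printf '%s\n' '-A INPUT -i lo -j ACCEPT' '-A OUTPUT -o lo -j ACCEPT'
    # Replies to already-accepted connections. Without the OUTPUT line the
    # OUTPUT DROP policy would discard the web server's own HTTP responses.
    printf '%s\n' '-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
    printf '%s\n' '-A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
    # One ACCEPT per service port, appended (-A) so it sits after the rules above.
    for port in "$@"; do
        printf '%s\n' "-A INPUT -i $iface -p tcp --dport $port -d $host -m conntrack --ctstate NEW -j ACCEPT"
    done
    printf '%s\n' 'COMMIT'
}

# Constructed example: HTTP and HTTPS to 192.168.1.2 on eth0.
gen_rules eth0 192.168.1.2 80 443
```

To apply and persist it: `gen_rules eth0 192.168.1.2 80 443 > /etc/iptables/rules.v4`, then `iptables-restore < /etc/iptables/rules.v4` followed by `sudo netfilter-persistent save` as shown in step 3.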


Iptables Rules Order

When you use the -A flag to add a rule, it is appended to the end of the current rules in a chain.

You can also add rules using the -I flag, which inserts rules at the top of the chain, ahead of the current rules.

The sequence of the rules matters. The rules are checked in the order they appear in the chain, and the first matching rule decides.

With the -I flag you can also insert a rule into a chain at a given line number, so we can specify exactly where our rule is placed.

Look at the following rules to understand why rule ordering matters:

$ iptables -I INPUT 1 -i eth0 -p tcp -j ACCEPT

$ iptables -I INPUT 2 -i eth0 -p tcp --dport 80 -j DROP

Because rule 1 accepts all TCP traffic arriving on eth0, rule 2 is never reached and traffic to port 80 is still accepted; the DROP would only take effect if it were placed before the ACCEPT rule.

Reference: https://likegeeks.com/linux-iptables-firewall-examples/