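  • iptables in Detail (8): iptables Custom Chains

    Why custom chains exist: they let you sort rules into categorized chains.

    A target can be either an "action" or a "custom chain".

    1. Create a custom chain.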

    root@ubuntu:~# iptables -t filter -N IN_WEB
    # Result
    root@ubuntu:~# iptables -nvL
    Chain INPUT (policy ACCEPT 23 packets, 1448 bytes)
     pkts bytes target     prot opt in     out     source               destination
    
    Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
     pkts bytes target     prot opt in     out     source               destination
    
    Chain OUTPUT (policy ACCEPT 16 packets, 1212 bytes)
     pkts bytes target     prot opt in     out     source               destination
    
    Chain IN_WEB (0 references)
     pkts bytes target     prot opt in     out     source               destination

     

    2. Reference the custom chain.

    root@ubuntu:~# iptables -t filter -I INPUT -p tcp --dport 80 -j IN_WEB
    # Result
    root@ubuntu:~# iptables -nvL
    Chain INPUT (policy ACCEPT 11 packets, 770 bytes)
     pkts bytes target     prot opt in     out     source               destination
        0     0 IN_WEB     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80
    
    Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
     pkts bytes target     prot opt in     out     source               destination
    
    Chain OUTPUT (policy ACCEPT 4 packets, 480 bytes)
     pkts bytes target     prot opt in     out     source               destination
    
    Chain IN_WEB (1 references)
     pkts bytes target     prot opt in     out     source               destination

      

    3. Rename the custom chain.

    root@ubuntu:~# iptables -E IN_WEB WEB
    
    root@ubuntu:~# iptables -nvL
    Chain INPUT (policy ACCEPT 53 packets, 3639 bytes)
     pkts bytes target     prot opt in     out     source               destination         
        0     0 WEB        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80
    
    Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
     pkts bytes target     prot opt in     out     source               destination         
    
    Chain OUTPUT (policy ACCEPT 36 packets, 2840 bytes)
     pkts bytes target     prot opt in     out     source               destination         
    
    Chain WEB (1 references)
     pkts bytes target     prot opt in     out     source               destination   
    

      

    4. Delete the custom chain.

    root@ubuntu:~# iptables -X WEB
    iptables: Too many links.
    # The chain is referenced, so it cannot be deleted
    root@ubuntu:~# iptables --line -nvL
    Chain INPUT (policy ACCEPT 366 packets, 32141 bytes)
    num   pkts bytes target     prot opt in     out     source               destination
    1        0     0 WEB        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80
    
    Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
    num   pkts bytes target     prot opt in     out     source               destination
    
    Chain OUTPUT (policy ACCEPT 137 packets, 11248 bytes)
    num   pkts bytes target     prot opt in     out     source               destination
    
    Chain WEB (1 references)
    num   pkts bytes target     prot opt in     out     source               destination
    
    # Delete the rule that references the custom chain
    root@ubuntu:~# iptables -D INPUT 1
    root@ubuntu:~#
    root@ubuntu:~# iptables -nvL
    Chain INPUT (policy ACCEPT 70 packets, 4797 bytes)
     pkts bytes target     prot opt in     out     source               destination
    
    Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
     pkts bytes target     prot opt in     out     source               destination
    
    Chain OUTPUT (policy ACCEPT 35 packets, 2848 bytes)
     pkts bytes target     prot opt in     out     source               destination
    
    Chain WEB (0 references)
     pkts bytes target     prot opt in     out     source               destination

    # The chain can now be deleted normally
    root@ubuntu:~# iptables -X WEB
    root@ubuntu:~#
    root@ubuntu:~# iptables -nvL
    Chain INPUT (policy ACCEPT 33 packets, 2104 bytes)
     pkts bytes target     prot opt in     out     source               destination
    
    Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
     pkts bytes target     prot opt in     out     source               destination
    
    Chain OUTPUT (policy ACCEPT 23 packets, 1860 bytes)
     pkts bytes target     prot opt in     out     source               destination

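    Conditions for deleting a custom chain:

    1. The custom chain contains no rules.

    2. The custom chain is not referenced by any other chain.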
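
The two deletion conditions above, turned into a check, as an added example that is not part of the original post: the hypothetical function `plan_chain_delete` reads a saved `iptables --line -nvL` listing and prints the commands that must run before `-X` can succeed. The sample listing is constructed, and `-F` (flush a chain's rules) is a standard iptables option that the post itself does not use.

```shell
#!/bin/sh
# Added example: plan the teardown of a custom chain from a saved
# `iptables --line -nvL` listing. It only prints commands; it runs none.

# plan_chain_delete CHAIN < listing
# Exit status: 0 = plan printed, 1 = chain not found in the listing.
plan_chain_delete() {
    awk -v want="$1" '
        $1 == "Chain" { cur = $2; if (cur == want) found = 1; next }
        $1 !~ /^[0-9]+$/ { next }               # column headers and blank lines
        cur == want { own++; next }             # rule inside the chain itself
        $4 == want { refs[++n] = cur " " $1 }   # rule elsewhere that jumps to it
        END {
            if (!found) exit 1
            # Highest rule number first, so an earlier delete does not
            # renumber the rules that are still to be removed.
            for (i = n; i >= 1; i--) print "iptables -D " refs[i]
            if (own) print "iptables -F " want   # condition 1: chain must be empty
            print "iptables -X " want            # only now does -X succeed
        }
    '
}

# Constructed sample listing: WEB holds one rule and INPUT jumps to it twice.
SAMPLE_LISTING='Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1        0     0 WEB        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80
2        0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:22
3        0     0 WEB        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:443

Chain WEB (2 references)
num   pkts bytes target     prot opt in     out     source               destination
1        0     0 REJECT     all  --  *      *       192.0.2.10           0.0.0.0/0            reject-with icmp-port-unreachable'

printf '%s\n' "$SAMPLE_LISTING" | plan_chain_delete WEB
```

Review the printed plan before running it: once the jump rules are removed, traffic no longer passes through the rules that were in the custom chain.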

  • Original article: https://www.cnblogs.com/chenxiaomeng/p/12374518.html