#启动防火墙
service iptables start
#停止防火墙
service iptables stop
#重启防火墙
service iptables restart
#查询防火墙运行等状态信息
service iptables status
#永久关闭防火墙
chkconfig iptables off
#永久关闭防火墙之后要启用
chkconfig iptables on
#保存对防火墙的设置
serivce iptables save
二、往防火墙添加规则
1)、直接编辑/etc/sysconfig/iptables
2)、通过命令进行添加
开放8080端口
#入栈规则
iptables -A INPUT -p tcp --dport 8080 -j ACCEPT
#出栈规则
iptables -A OUTPUT -p tcp --sport 8080 -j ACCEPT
禁止某个IP访问
iptables -A INPUT -p tcp -s 192.168.1.2 -j DROP
删除规则
iptables -D INPUT 2 #删除INPUT链编号为2的规则
参数讲解:
-A 添加一条规则
-p 指定协议,我们常用的tcp 协议,当然也有udp,例如53端口的DNS
--dport 进入端口,当数据从外部进入服务器为目标端口
--sport 出入端口,数据从服务器出去,则为数据源端口使用
-j 就是指定是 ACCEPT 接收,或者 DROP 不接收
-s 指定来源IP等(如192.168.1.2)
具体看iptables --help
Usage: iptables -[ACD] chain rule-specification [options]
iptables -I chain [rulenum] rule-specification [options]
iptables -R chain rulenum rule-specification [options]
iptables -D chain rulenum [options]
iptables -[LS] [chain [rulenum]] [options]
iptables -[FZ] [chain] [options]
iptables -[NX] chain
iptables -E old-chain-name new-chain-name
iptables -P chain target [options]
iptables -h (print this help information)
Commands:
Either long or short options are allowed.
--append -A chain Append to chain
--check -C chain Check for the existence of a rule
--delete -D chain Delete matching rule from chain
--delete -D chain rulenum Delete rule rulenum (1 = first) from chain
--insert -I chain [rulenum] Insert in chain as rulenum (default 1=first)
--replace -R chain rulenum Replace rule rulenum (1 = first) in chain
--list -L [chain [rulenum]] List the rules in a chain or all chains
--list-rules -S [chain [rulenum]] Print the rules in a chain or all chains
--flush -F [chain] Delete all rules in chain or all chains
--zero -Z [chain [rulenum]] Zero counters in chain or all chains
--new -N chain Create a new user-defined chain
--delete -chain -X [chain] Delete a user-defined chain
--policy -P chain target Change policy on chain to target
--rename-chain
-E old-chain new-chain Change chain name, (moving any references)
Options:
[!] --proto -p proto protocol: by number or name, eg. `tcp'
[!] --source -s address[/mask][...] source specification
[!] --destination -d address[/mask][...] destination specification
[!] --in-interface -i input name[+] network interface name ([+] for wildcard)
--jump -j target target for rule (may load target extension)
--goto -g chain jump to chain with no return
--match -m match extended match (may load extension)
--numeric -n numeric output of addresses and ports
[!] --out-interface -o output name[+] network interface name ([+] for wildcard)
--table -t table table to manipulate (default: `filter')
--verbose -v verbose mode
--line-numbers print line numbers when listing
--exact -x expand numbers (display exact values)
[!] --fragment -f match second or further fragments only
--modprobe=<command> try to insert modules using this command
--set-counters PKTS BYTES set the counter during insert/append
[!] --version -V print package version.