基本的操作可以參考鳥哥的文章
http://linux.vbird.org/linux_server/0250simple_firewall.php
列出某一個 Table 的 Rule
root@ubuntu:~$ iptables -t nat -L -n Chain PREROUTING (policy ACCEPT) target prot opt source destination Chain INPUT (policy ACCEPT) target prot opt source destination Chain OUTPUT (policy ACCEPT) target prot opt source destination Chain POSTROUTING (policy ACCEPT) target prot opt source destination MASQUERADE tcp -- 192.168.228.0/22 !192.168.228.0/22 masq ports: 1024-65535 MASQUERADE udp -- 192.168.228.0/22 !192.168.228.0/22 masq ports: 1024-65535 MASQUERADE all -- 192.168.228.0/22 !192.168.228.0/22 SNAT all -- 0.0.0.0/0 0.0.0.0/0 source IP range 192.168.229.1-192.168.231.254 destination IP range 172.18.203.1-172.18.203.250 to:172.18.203.254 MASQUERADE all -- 0.0.0.0/0 0.0.0.0/0 PHYSDEV match --physdev-in eth1 MASQUERADE all -- 0.0.0.0/0 0.0.0.0/0 PHYSDEV match --physdev-in eth2 MASQUERADE all -- 0.0.0.0/0 0.0.0.0/0 PHYSDEV match --physdev-in eth3 MASQUERADE all -- 0.0.0.0/0 0.0.0.0/0 PHYSDEV match --physdev-in tap0 MASQUERADE all -- 0.0.0.0/0 0.0.0.0/0 PHYSDEV match --physdev-in tap1 MASQUERADE all -- 0.0.0.0/0 0.0.0.0/0 PHYSDEV match --physdev-in tap2 MASQUERADE all -- 0.0.0.0/0 0.0.0.0/0 PHYSDEV match --physdev-in tap3 MASQUERADE all -- 0.0.0.0/0 0.0.0.0/0 PHYSDEV match --physdev-in tap4 MASQUERADE all -- 0.0.0.0/0 0.0.0.0/0 PHYSDEV match --physdev-in tap5 MASQUERADE all -- 0.0.0.0/0 0.0.0.0/0 PHYSDEV match --physdev-in tap6 MASQUERADE all -- 0.0.0.0/0 0.0.0.0/0 PHYSDEV match --physdev-in tap7 MASQUERADE all -- 0.0.0.0/0 0.0.0.0/0 PHYSDEV match --physdev-in tap8 MASQUERADE all -- 0.0.0.0/0 0.0.0.0/0 PHYSDEV match --physdev-in tap9 MASQUERADE all -- 0.0.0.0/0 0.0.0.0/0 PHYSDEV match --physdev-in vnet0 MASQUERADE all -- 0.0.0.0/0 0.0.0.0/0 PHYSDEV match --physdev-in vnet1
列出某一個 Table 的 Rule 並且加上編號, 這個編號在刪除 rule 時會用到
root@ubuntu:~$ iptables -t nat -nL --line-numbers Chain PREROUTING (policy ACCEPT) num target prot opt source destination Chain INPUT (policy ACCEPT) num target prot opt source destination Chain OUTPUT (policy ACCEPT) num target prot opt source destination Chain POSTROUTING (policy ACCEPT) num target prot opt source destination 1 MASQUERADE tcp -- 192.168.228.0/22 !192.168.228.0/22 masq ports: 1024-65535 2 MASQUERADE udp -- 192.168.228.0/22 !192.168.228.0/22 masq ports: 1024-65535 3 MASQUERADE all -- 192.168.228.0/22 !192.168.228.0/22 4 SNAT all -- 0.0.0.0/0 0.0.0.0/0 source IP range 192.168.229.1-192.168.231.254 destina tion IP range 172.18.203.1-172.18.203.250 to:172.18.203.254 5 MASQUERADE all -- 0.0.0.0/0 0.0.0.0/0 PHYSDEV match --physdev-in eth1 6 MASQUERADE all -- 0.0.0.0/0 0.0.0.0/0 PHYSDEV match --physdev-in eth2 7 MASQUERADE all -- 0.0.0.0/0 0.0.0.0/0 PHYSDEV match --physdev-in eth3 8 MASQUERADE all -- 0.0.0.0/0 0.0.0.0/0 PHYSDEV match --physdev-in tap0 9 MASQUERADE all -- 0.0.0.0/0 0.0.0.0/0 PHYSDEV match --physdev-in tap1 10 MASQUERADE all -- 0.0.0.0/0 0.0.0.0/0 PHYSDEV match --physdev-in tap2 11 MASQUERADE all -- 0.0.0.0/0 0.0.0.0/0 PHYSDEV match --physdev-in tap3 12 MASQUERADE all -- 0.0.0.0/0 0.0.0.0/0 PHYSDEV match --physdev-in tap4 13 MASQUERADE all -- 0.0.0.0/0 0.0.0.0/0 PHYSDEV match --physdev-in tap5 14 MASQUERADE all -- 0.0.0.0/0 0.0.0.0/0 PHYSDEV match --physdev-in tap6 15 MASQUERADE all -- 0.0.0.0/0 0.0.0.0/0 PHYSDEV match --physdev-in tap7 16 MASQUERADE all -- 0.0.0.0/0 0.0.0.0/0 PHYSDEV match --physdev-in tap8 17 MASQUERADE all -- 0.0.0.0/0 0.0.0.0/0 PHYSDEV match --physdev-in tap9 18 MASQUERADE all -- 0.0.0.0/0 0.0.0.0/0 PHYSDEV match --physdev-in vnet0 19 MASQUERADE all -- 0.0.0.0/0 0.0.0.0/0 PHYSDEV match --physdev-in vnet1
列出某一個 table 的 rule 指令
root@ubuntu:~$ iptables-save -t nat # Generated by iptables-save v1.4.12 on Mon Feb 18 14:43:37 2013 *nat :PREROUTING ACCEPT [17013:1897631] :INPUT ACCEPT [12931:1479517] :OUTPUT ACCEPT [7294:518260] :POSTROUTING ACCEPT [7677:530072] -A POSTROUTING -s 192.168.228.0/22 ! -d 192.168.228.0/22 -o eth2 -p tcp -j MASQUERADE --to-ports 1024-65535 -A POSTROUTING -s 192.168.228.0/22 ! -d 192.168.228.0/22 -o eth2 -p udp -j MASQUERADE --to-ports 1024-65535 -A POSTROUTING -s 192.168.228.0/22 ! -d 192.168.228.0/22 -o eth2 -j MASQUERADE -A POSTROUTING -m iprange --src-range 192.168.229.1-192.168.231.254 --dst-range 172.18.203.1-172.18.203.250 -j SNAT --to-source 172.18.203.254 -A POSTROUTING -o eth0 -m physdev --physdev-in eth1 -j MASQUERADE -A POSTROUTING -o eth0 -m physdev --physdev-in eth2 -j MASQUERADE -A POSTROUTING -o eth0 -m physdev --physdev-in eth3 -j MASQUERADE -A POSTROUTING -o eth0 -m physdev --physdev-in tap0 -j MASQUERADE -A POSTROUTING -o eth0 -m physdev --physdev-in tap1 -j MASQUERADE -A POSTROUTING -o eth0 -m physdev --physdev-in tap2 -j MASQUERADE -A POSTROUTING -o eth0 -m physdev --physdev-in tap3 -j MASQUERADE -A POSTROUTING -o eth0 -m physdev --physdev-in tap4 -j MASQUERADE -A POSTROUTING -o eth0 -m physdev --physdev-in tap5 -j MASQUERADE -A POSTROUTING -o eth0 -m physdev --physdev-in tap6 -j MASQUERADE -A POSTROUTING -o eth0 -m physdev --physdev-in tap7 -j MASQUERADE -A POSTROUTING -o eth0 -m physdev --physdev-in tap8 -j MASQUERADE -A POSTROUTING -o eth0 -m physdev --physdev-in tap9 -j MASQUERADE -A POSTROUTING -o eth0 -m physdev --physdev-in vnet0 -j MASQUERADE -A POSTROUTING -o eth0 -m physdev --physdev-in vnet1 -j MASQUERADE COMMIT # Completed on Mon Feb 18 14:43:37 2013
刪除某個 chain 的第 n 條 rule
root@ubuntu:~$ iptables -t nat -D POSTROUTING 4
沒有留言:
張貼留言