20 Iptables Examples for System Administrators



Display Firewall Status

Type the following command as root:

# iptables -L -n -v


Sample outputs:

Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination


The above output indicates that the firewall is not active: every chain is empty and its default policy is ACCEPT. The following sample shows an active firewall:

# iptables -L -n -v


Sample outputs:

Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
56 3706 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0
1 58 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:22
30 3398 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT 78 packets, 15600 bytes)
pkts bytes target prot opt in out source destination


  • -L : List rules.
  • -v : Display detailed information. This option makes the list command show the interface name, the rule options, and the TOS masks. The packet and byte counters are also listed, with the suffix 'K', 'M' or 'G' for 1000, 1,000,000 and 1,000,000,000 multipliers respectively.
  • -n : Display IP address and port in numeric format. Do not use DNS to resolve names. This will speed up listing.

To inspect the firewall rules with line numbers, enter:

iptables -n -L -v --line-numbers


To display INPUT or OUTPUT chain rules, enter:

iptables -L INPUT -n -v
iptables -L OUTPUT -n -v --line-numbers


Stop / Start / Restart the Firewall

If you are using CentOS / RHEL / Fedora Linux, enter:

service iptables stop
service iptables start
service iptables restart


You can use the iptables command itself to stop the firewall and delete all rules:

iptables -F
iptables -X
iptables -t nat -F
iptables -t nat -X
iptables -t mangle -F
iptables -t mangle -X
iptables -P INPUT ACCEPT
iptables -P OUTPUT ACCEPT
iptables -P FORWARD ACCEPT


Where:

  • -F : Delete (flush) all the rules.
  • -X : Delete all user-defined chains.
  • -t table_name : Select the table (nat or mangle here) whose rules are flushed and whose chains are deleted; without -t the filter table is used.
  • -P : Set the default policy of a built-in chain (such as DROP, REJECT, or ACCEPT).

 

Delete Firewall Rules

To display line numbers along with the other information for existing rules, enter:

# iptables -L INPUT -n --line-numbers
# iptables -L OUTPUT -n --line-numbers
# iptables -L OUTPUT -n --line-numbers | less
# iptables -L OUTPUT -n --line-numbers | grep 202.54.1.1

You will get the list of rules, each with its number on the left. Use that number to delete the rule. For example, to delete rule number 4 from the INPUT chain, enter:

iptables -D INPUT 4
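
The list-then-grep-then-delete step above can be automated; the following POSIX sh helper is an added example and is not part of the original article. It assumes only the `iptables -L <chain> -n --line-numbers` output format shown on this page, uses the address 202.54.1.1 from the page, and handles the pitfall that rule numbers shift downwards after every `-D`, so multiple matches must be deleted from the highest number down; the listing embedded in the script is constructed sample output.

```shell
#!/bin/sh
# Added example, not part of the original article.
# Delete every rule in a chain whose source/destination field equals an address,
# the way the article does by hand with "iptables -L INPUT -n --line-numbers",
# "grep 202.54.1.1" and "iptables -D INPUT <num>".
# Pitfall: after "-D INPUT 2" the rules below it renumber (old 5 becomes 4),
# so when several rules match, delete from the highest number downwards.

# matching_rule_numbers PATTERN
#   Reads "iptables -L <chain> -n --line-numbers" output on stdin and prints the
#   numbers of rules having a field exactly equal to PATTERN, highest first.
#   Exact field comparison avoids "202.54.1.1" also hitting "202.54.1.10".
matching_rule_numbers() {
    awk -v pat="$1" '
        $1 ~ /^[0-9]+$/ {                 # skip the "Chain" and "num" header lines
            for (i = 2; i <= NF; i++)
                if ($i == pat) { print $1; break }
        }' | sort -rn
}

# delete_matching CHAIN PATTERN
#   Lists CHAIN and issues one "iptables -D CHAIN <num>" per match, highest first.
#   DRY_RUN=1 prints the commands instead of executing them (root is needed otherwise).
delete_matching() {
    chain=$1
    iptables -L "$chain" -n --line-numbers | matching_rule_numbers "$2" |
        while read -r num; do
            if [ "${DRY_RUN:-0}" = 1 ]; then
                echo "iptables -D $chain $num"
            else
                iptables -D "$chain" "$num"
            fi
        done
}

# Constructed sample listing in the format "iptables -L INPUT -n --line-numbers"
# prints; 202.54.1.1 is the address the article greps for.
SAMPLE_LISTING='Chain INPUT (policy ACCEPT)
num  target     prot opt source               destination
1    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
2    DROP       all  --  202.54.1.1           0.0.0.0/0
3    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:22
4    DROP       tcp  --  202.54.1.10          0.0.0.0/0            tcp dpt:80
5    DROP       tcp  --  202.54.1.1           0.0.0.0/0            tcp dpt:80
6    REJECT     all  --  0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited'

# Offline demonstration: rule 4 (202.54.1.10) must not match; prints "5" then "2".
printf '%s\n' "$SAMPLE_LISTING" | matching_rule_numbers 202.54.1.1
```

On a live system, `DRY_RUN=1 delete_matching INPUT 202.54.1.1` shows the exact `iptables -D` commands that would run, in the order that keeps the numbers valid.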


 

Insert Firewall Rules


iptables -L INPUT -n --line-numbers

