1. Viewing
iptables -nvL --line-number

-L lists all rules of the current table. The default is the filter table; to view the nat table, add -t nat (table names are lowercase).
-n does not reverse-resolve IP addresses and ports to names, which makes the listing much faster.
-v verbose output, including the packet and byte counters for each rule and the network interfaces it matches on.
--line-number shows each rule's number in its chain; you need it when deleting or modifying rules by position.

2. Adding
There are two ways to add a rule: -A and -I. -A appends the rule to the end of the chain; -I inserts it at a given position, and with no position it goes to the top (position 1). Position matters: a chain is evaluated top to bottom and the first rule that matches with a terminating target (ACCEPT, DROP, REJECT) decides the packet's fate, so appending and inserting the same rule can produce different behaviour.

Current rules:

# iptables -nL --line-number
Chain INPUT (policy ACCEPT)
num  target     prot opt source               destination
1    DROP       all  --  192.168.1.1          0.0.0.0/0
2    DROP       all  --  192.168.1.2          0.0.0.0/0
3    DROP       all  --  192.168.1.4          0.0.0.0/0

Append a rule to the end of the chain:

# iptables -A INPUT -s 192.168.1.5 -j DROP

Then insert a rule at position 3; the position is written directly after the chain name:

# iptables -I INPUT 3 -s 192.168.1.3 -j DROP

Check the result:

# iptables -nL --line-number
Chain INPUT (policy ACCEPT)
num  target     prot opt source               destination
1    DROP       all  --  192.168.1.1          0.0.0.0/0
2    DROP       all  --  192.168.1.2          0.0.0.0/0
3    DROP       all  --  192.168.1.3          0.0.0.0/0
4    DROP       all  --  192.168.1.4          0.0.0.0/0
5    DROP       all  --  192.168.1.5          0.0.0.0/0

The rule for 192.168.1.3 was inserted as rule 3, and the previous rule 3 (192.168.1.4) moved down to position 4; the appended rule for 192.168.1.5 is last.

3. Deleting
Deletion uses -D.

Delete the rule added earlier (iptables -A INPUT -s 192.168.1.5 -j DROP) by giving its specification again:

# iptables -D INPUT -s 192.168.1.5 -j DROP

Sometimes the rule to delete is long, and retyping the whole specification is slow and error-prone. Instead, list the chain with --line-number, find the rule's number, and delete by number. Two caveats: take the listing immediately before deleting, and when deleting several rules by number, work from the highest number downward, because every deletion renumbers the rules below it. Also note that deleting by specification, as above, removes only the first rule that matches the specification exactly; if the same rule was added twice, run the command twice. Newer iptables versions (1.4.11 and later) also have -C, which checks whether a rule exists without changing anything.

# iptables -nv --line-number
iptables v1.4.7: no command specified
Try `iptables -h' or 'iptables --help' for more information.
# iptables -nL --line-number
Chain INPUT (policy ACCEPT)
num  target     prot opt source               destination
1    DROP       all  --  192.168.1.1          0.0.0.0/0
2    DROP       all  --  192.168.1.2          0.0.0.0/0
3    DROP       all  --  192.168.1.3          0.0.0.0/0

(The first attempt fails because -L was left out: -n, -v and --line-number are only options, and iptables needs a command such as -L.)

Delete rule 2:

# iptables -D INPUT 2

4. Modifying
Modification uses -R, which replaces the rule at a given position.

First look at the current rules:

# iptables -nL --line-number
Chain INPUT (policy ACCEPT)
num  target     prot opt source               destination
1    DROP       all  --  192.168.1.1          0.0.0.0/0
2    DROP       all  --  192.168.1.2          0.0.0.0/0
3    DROP       all  --  192.168.1.5          0.0.0.0/0

Change rule 3 to ACCEPT (note that this command, as written, gives only a target and no match):

# iptables -R INPUT 3 -j ACCEPT

Check again:

# iptables -nL --line-number
Chain INPUT (policy ACCEPT)
num  target     prot opt source               destination
1    DROP       all  --  192.168.1.1          0.0.0.0/0
2    DROP       all  --  192.168.1.2          0.0.0.0/0
3    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0

Rule 3's target is now ACCEPT, but look at the source column: it changed from 192.168.1.5 to 0.0.0.0/0. -R replaces the entire rule at that position with the specification you give, not just the target, so -R INPUT 3 -j ACCEPT turned a rule for one host into a rule that accepts traffic from any source, and any rules placed below it will never be reached by packets it matches. To change only the target and keep the match, repeat the match in the replacement: iptables -R INPUT 3 -s 192.168.1.5 -j ACCEPT. Always re-list the chain after -R, -I and -D by number to confirm that the rule you meant to change is the one that changed.

Finally, rules added with the iptables command live only in the kernel's running ruleset and are lost on reboot. Save them with iptables-save (on the RHEL/CentOS 6 generation of systems that ship iptables 1.4.7, service iptables save writes them to /etc/sysconfig/iptables), or they will be gone after the next restart.
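The following script is an added example, not part of the original post, that ties together the two pitfalls from sections 3 and 4: it parses an iptables -nL --line-number listing, looks rule numbers up by source address, and generates -D commands in descending order (so numbers do not shift under you) and an -R command that re-states the rule's match instead of replacing it with a bare target. The listing is constructed sample text rather than output from a live host, the helper names rule_numbers, delete_cmds and replace_cmd are the example's own, and the script prints the commands instead of executing them, so it runs without root or netfilter.

```shell
#!/bin/sh
# Added example: generate safe iptables -D / -R commands from a
# `iptables -nL --line-number` listing. Constructed sample listing below
# (not captured from a real host); two rules for 192.168.1.2 in INPUT
# show why deletions must run highest-number-first.
LISTING='Chain INPUT (policy ACCEPT)
num  target     prot opt source               destination
1    DROP       all  --  192.168.1.1          0.0.0.0/0
2    DROP       all  --  192.168.1.2          0.0.0.0/0
3    DROP       all  --  192.168.1.5          0.0.0.0/0
4    DROP       all  --  192.168.1.2          0.0.0.0/0

Chain FORWARD (policy ACCEPT)
num  target     prot opt source               destination
1    DROP       all  --  192.168.1.2          0.0.0.0/0'

# rule_numbers CHAIN SOURCE
# Prints the numbers of rules in CHAIN whose source column equals SOURCE,
# highest first. Columns in -nL output: num target prot opt source destination.
rule_numbers() {
    printf '%s\n' "$LISTING" | awk -v chain="$1" -v src="$2" '
        /^Chain / { cur = $2; next }      # track which chain we are in
        /^num /   { next }                # skip the column header
        cur == chain && $5 == src { print $1 }
    ' | sort -rn
}

# delete_cmds CHAIN SOURCE
# One "iptables -D CHAIN N" per matching rule, highest N first, so that
# each deletion does not renumber a rule still waiting to be deleted.
delete_cmds() {
    rule_numbers "$1" "$2" | awk -v chain="$1" '{ print "iptables -D " chain " " $1 }'
}

# replace_cmd CHAIN N TARGET
# Builds "iptables -R CHAIN N <match> -j TARGET", copying the source,
# destination and protocol from the listing. A bare "-R CHAIN N -j TARGET"
# would drop the match and widen the rule to any source (0.0.0.0/0).
replace_cmd() {
    printf '%s\n' "$LISTING" | awk -v chain="$1" -v n="$2" -v target="$3" '
        /^Chain / { cur = $2; next }
        /^num /   { next }
        cur == chain && $1 == n {
            spec = "-s " $5
            if ($6 != "0.0.0.0/0") spec = spec " -d " $6
            if ($3 != "all")       spec = spec " -p " $3
            printf "iptables -R %s %s %s -j %s\n", chain, n, spec, target
        }
    '
}

# Stand-alone run: print the commands an operator would review, then execute.
delete_cmds INPUT 192.168.1.2
replace_cmd INPUT 3 ACCEPT
```

The -nL listing only shows protocol, source and destination; port, state and interface matches are not fully visible there, so for rules with extra matches regenerate the replacement from iptables -S CHAIN (the rule-specification form) rather than from -L output, and list the chain again after running the generated commands.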