
[linux] CentOS iptables processing logic and the -I and -A parameters explained

Posted on 12/7/2015 4:16:36 PM

When I first came into contact with iptables, I was confused by the -I and -A parameters: -I inserts one or more rules, and -A appends a rule.
Both of them add a rule, so what is the difference between the two?
Experiment:
I took two machines: one sends ping packets, the other is the one being pinged.
On both machines, iptables -nvL INPUT shows that the INPUT chain is empty.
Then, on the machine being pinged, add iptables -A INPUT -p icmp --icmp-type 8 -s 0/0 -j DROP.
Then check with iptables -nvL INPUT, which shows the following:
Chain INPUT (policy ACCEPT 592 packets, 55783 bytes)
pkts bytes target     prot opt in     out     source               destination
    8   672 DROP       icmp --  *      *       0.0.0.0/0            0.0.0.0/0           icmp type 8
At this point, the replies shown on the machine that sends the ping packets stop.
Now, on the machine being pinged, add iptables -A INPUT -p icmp --icmp-type 8 -s 0/0 -j ACCEPT.
Then check with iptables -nvL INPUT, which shows the following:
Chain INPUT (policy ACCEPT 678 packets, 62701 bytes)
pkts bytes target     prot opt in     out     source               destination
   21  1764 DROP       icmp --  *      *       0.0.0.0/0            0.0.0.0/0           icmp type 8
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0           icmp type 8
The listing shows that a rule has been added, but the machine that sends the ping packets still shows no replies, proving that the newly appended rule cannot let the ping packets through.
Now, on the machine being pinged, add iptables -I INPUT -p icmp --icmp-type 8 -s 0/0 -j ACCEPT.
Then check with iptables -nvL INPUT, which shows the following:
Chain INPUT (policy ACCEPT 770 packets, 70223 bytes)
pkts bytes target     prot opt in     out     source               destination
    2   168 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0           icmp type 8
   31  2604 DROP       icmp --  *      *       0.0.0.0/0            0.0.0.0/0           icmp type 8
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0           icmp type 8
The listing shows that a new rule has been added, and the machine that sends the ping packets receives replies again, proving that the newly inserted rule lets the ping packets through.
The only difference between the two ACCEPT rules is their position: -A appended the rule after the DROP rule, while -I inserted it before the DROP rule.
iptables matches rules from the top down and the first matching rule decides the verdict, so an allow rule only takes effect if it sits above the drop rule that would otherwise match the same packet.
In short: iptables is evaluated from top to bottom, -A appends to the end of the chain, and -I inserts at the front (rule position 1 unless a position number is given).
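As an added illustration written for this page (not part of the original post and not iptables code), here is a small Python model of how a chain is walked: rules are checked top to bottom, the first match decides, and the chain policy applies when nothing matches. The Rule and Chain classes and the reduced set of match fields are assumptions of the model; run_experiment replays the three steps above, and insert accepts an explicit position like iptables -I INPUT 2.

```python
from dataclasses import dataclass, field
from typing import List, Optional
@dataclass
class Rule:
    target: str                      # verdict: "ACCEPT" or "DROP"
    proto: str = "all"               # "icmp", "tcp", ... or "all"
    icmp_type: Optional[int] = None  # --icmp-type, 8 = echo request
    pkts: int = 0                    # per-rule hit counter, like the pkts column

@dataclass
class Chain:
    policy: str = "ACCEPT"           # chain policy, used when no rule matches
    rules: List[Rule] = field(default_factory=list)

    def append(self, rule: Rule) -> None:
        # iptables -A: the rule goes at the end of the chain
        self.rules.append(rule)

    def insert(self, rule: Rule, rulenum: int = 1) -> None:
        # iptables -I [rulenum]: position 1 (the top) unless a number is given
        self.rules.insert(rulenum - 1, rule)

    def verdict(self, proto: str, icmp_type: Optional[int] = None) -> str:
        # Walk top to bottom; the first rule whose matches fit the packet decides.
        for r in self.rules:
            if r.proto not in ("all", proto):
                continue
            if r.icmp_type is not None and r.icmp_type != icmp_type:
                continue
            r.pkts += 1
            return r.target
        return self.policy           # nothing matched: the chain policy applies

    def listing(self) -> List[str]:
        # Rough equivalent of the rows printed by iptables -nvL (constructed format)
        return [f"{r.pkts:>5} {r.target:<7} {r.proto}"
                + (f" icmp type {r.icmp_type}" if r.icmp_type is not None else "")
                for r in self.rules]

def run_experiment() -> List[str]:
    """Replay the three steps of the post; return the verdict after each step."""
    chain = Chain()
    verdicts = []
    chain.append(Rule("DROP", "icmp", 8))    # -A INPUT -p icmp --icmp-type 8 -j DROP
    verdicts.append(chain.verdict("icmp", 8))
    chain.append(Rule("ACCEPT", "icmp", 8))  # -A ... -j ACCEPT lands below DROP
    verdicts.append(chain.verdict("icmp", 8))
    chain.insert(Rule("ACCEPT", "icmp", 8))  # -I ... -j ACCEPT lands above DROP
    verdicts.append(chain.verdict("icmp", 8))
    return verdicts                          # ['DROP', 'DROP', 'ACCEPT']
```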