iptables DROP policy

 Default policy is DROP on both the INPUT and OUTPUT chains; the rules below then allow only SSH (TCP/22) in either direction. Note that the two `--sport 22` rules include state NEW, so they accept brand-new connections simply because their source port is 22; for the reply direction only RELATED,ESTABLISHED is required, and keeping NEW on the `--dport 22` rules alone is the stricter form.

-A INPUT -p tcp -m tcp --dport 22 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --sport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 22 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -p tcp -m tcp --sport 22 -m state --state NEW,ESTABLISHED -j ACCEPT

Table traversal order for a packet: raw > mangle > nat > filter

[root@n3 ~]# ip ru add from 172.16.16.2 lookup 9800 pref 9800    (the rule priority can be given as "pref" or "prio")
[root@n3 ~]# ip rule show
0: from all lookup local
9800: from 172.16.16.2 lookup 9800
32766: from all lookup main
32767: from all lookup default

https://www.jianshu.com/p/5c70b536816b

原文地址:https://www.cnblogs.com/eiguleo/p/11406696.html