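The difference between the -A and -I options in iptables

When adding rules with iptables, I saw that both -A and -I add a rule, which is easy to confuse at first, so I tried them out specifically. This is where they differ.

Let's go straight to the experiment.

We have the following four rules: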

iptables -A INPUT -s 1.1.0.0/24 -j ACCEPT
iptables -A INPUT -s 2.2.0.0/24 -j DROP
iptables -A INPUT -s 3.3.0.0/24 -j ACCEPT
iptables -A INPUT -s 4.4.0.0/24 -j DROP

Result after running them:

[root@k8s-node2 ~]# iptables -L --line-number
Chain INPUT (policy ACCEPT)
num  target     prot opt source               destination         
1    KUBE-FIREWALL  all  --  anywhere             anywhere            
2    KUBE-SERVICES  all  --  anywhere             anywhere             ctstate NEW /* kubernetes service portals */
3    KUBE-EXTERNAL-SERVICES  all  --  anywhere             anywhere             ctstate NEW /* kubernetes externally-visible service portals */
4    ACCEPT     all  --  1.1.0.0/24           anywhere            
5    DROP       all  --  2.2.0.0/24           anywhere            
6    ACCEPT     all  --  3.3.0.0/24           anywhere            
7    DROP       all  --  4.4.0.0/24           anywhere

Delete rules 4, 5, 6 and 7 above, then add the same rules with -I:

iptables -I INPUT -s 1.1.0.0/24 -j ACCEPT
iptables -I INPUT -s 2.2.0.0/24 -j DROP
iptables -I INPUT -s 3.3.0.0/24 -j ACCEPT
iptables -I INPUT -s 4.4.0.0/24 -j DROP

Result after running them:

[root@k8s-node2 ~]# iptables -L --line-number
Chain INPUT (policy ACCEPT)
num  target     prot opt source               destination         
1    DROP       all  --  4.4.0.0/24           anywhere            
2    ACCEPT     all  --  3.3.0.0/24           anywhere            
3    DROP       all  --  2.2.0.0/24           anywhere            
4    ACCEPT     all  --  1.1.0.0/24           anywhere            
5    KUBE-FIREWALL  all  --  anywhere             anywhere            
6    KUBE-SERVICES  all  --  anywhere             anywhere             ctstate NEW /* kubernetes service portals */
7    KUBE-EXTERNAL-SERVICES  all  --  anywhere             anywhere             ctstate NEW /* kubernetes externally-visible service portals */

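The result is clear: -A appends each rule to the end of the chain, while -I inserts each rule at the head of the chain, so the rules added with -I end up in reverse order and ahead of the existing KUBE-* rules. Because iptables walks a chain from top to bottom and stops at the first matching ACCEPT or DROP, this position decides which rule actually takes effect.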
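The following is an added example, not part of the original post: a small shell model of one chain that shows why the position chosen by -A or -I changes the verdict when two rules cover the same source. It does not call iptables; the functions `rule_add`, `verdict` and `demo`, the trailing `1.1.0.0/24` DROP rule and the address `1.1.0.7` are constructed for illustration, and only /24 sources are modelled.

```shell
#!/bin/sh
# Toy model of a single iptables chain (added illustration; it does not call
# iptables). One rule per line: "<first three octets of a /24 source> <TARGET>".
CHAIN=""

# rule_add -A "<rule>"      append at the end of the chain
# rule_add -I "<rule>"      insert as rule 1 (what -I does without a number)
# rule_add -I <n> "<rule>"  insert so that the new rule becomes rule n
rule_add() {
    mode=$1; shift
    pos=1
    if [ "$mode" = "-I" ] && [ $# -eq 2 ]; then pos=$1; shift; fi
    rule=$1
    if [ -z "$CHAIN" ]; then
        CHAIN=$rule
    elif [ "$mode" = "-A" ]; then
        CHAIN=$(printf '%s\n%s' "$CHAIN" "$rule")
    else
        # Print the new rule before old line n; n = last+1 lands at the end.
        # (Real iptables rejects a larger n; this model simply appends.)
        CHAIN=$(printf '%s\n' "$CHAIN" | awk -v n="$pos" -v r="$rule" \
            'NR == n { print r } { print } END { if (n > NR) print r }')
    fi
}

# verdict <ip>: walk the chain top to bottom; the first matching rule decides.
# No match falls through to the chain policy (ACCEPT, as in the page's output).
verdict() {
    prefix=${1%.*}
    printf '%s\n' "$CHAIN" | awk -v p="$prefix" \
        '$1 == p { print $2; found = 1; exit } END { if (!found) print "ACCEPT" }'
}

# Constructed scenario: the page's four rules, then a later attempt to block
# 1.1.0.0/24, first with -A and then with -I.
demo() {
    CHAIN=""
    rule_add -A "1.1.0 ACCEPT"; rule_add -A "2.2.0 DROP"
    rule_add -A "3.3.0 ACCEPT"; rule_add -A "4.4.0 DROP"
    rule_add -A "1.1.0 DROP"    # lands below the ACCEPT, so it is shadowed
    echo "after -A: 1.1.0.7 -> $(verdict 1.1.0.7)"
    rule_add -I "1.1.0 DROP"    # becomes rule 1 and now decides
    echo "after -I: 1.1.0.7 -> $(verdict 1.1.0.7)"
    printf '%s\n' "$CHAIN" | awk '{ print NR, $0 }'
}
demo
```

On a real host, `iptables -L --line-number` as used above shows where a rule landed, and `-I INPUT <n>` places it at a chosen position instead of the top.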
