For a detailed description of the iptables connection states, see http://os.51cto.com/art/201108/285209.htm

I often see rules like this one on server firewalls:
2 106K 8294K ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
so I figured it was time to properly work out what iptables is doing. Here is a walk-through.
I. First, iptables tracks four connection states:
NEW, ESTABLISHED, RELATED, INVALID.
NEW: a host connects to a target host; this is the first packet the target sees from a connection that wants to be established.
ESTABLISHED: the host is already talking to the target; the criterion is simply that the target has replied to the first packet, after which the connection is in this state.
RELATED: the host is already talking to the target, and the target opens a new connection associated with the existing one, as ftp does for its data channel.
INVALID: a packet that cannot be associated with any connection, for example a corrupted packet.
II. Next, what the rules above actually do.
You will find this rule:
2 106K 8294K ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
and very often this one alongside it:
3 0 0 REJECT all -- 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited # other hosts whose packets are not RELATED get a host-prohibited reply
They are added with:
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -j REJECT --reject-with icmp-host-prohibited
What the second rule really means: load the state module and let through every packet whose state is RELATED or ESTABLISHED; in other words, allow all connections that are already established. Together with the REJECT rule below, the visible effect is that this host can ping other hosts, but other hosts cannot ping this host, because only the responses to traffic this host itself sent out are accepted. This is the universal one-liner: allow in everything that answers what we sent out. Specific rules then follow it.
What the third rule really means: it builds on the second. Everything the second rule does not match is rejected, and a host-prohibited message is returned to the sender. Note that any rule placed after the third rule can never take effect; only the rules placed before it are ever reached.
III. Talk is cheap, so let's run an experiment.
1. Adding only iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT has no effect at all on its own (the INPUT policy is ACCEPT, so packets the rule does not match are accepted anyway):
[root@iZuf62ds2bbsfbvox5ivxdZ ~]# iptables -t filter -nvL --line-number
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
num pkts bytes target prot opt in out source destination
1 14 892 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:1212
2 106K 8294K ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
2. Adding both rules, with the firewall rules as listed below, produces the situation where this host can ping other hosts but other hosts cannot ping it:
[root@iZuf62ds2bbsfbvox5ivxdZ ~]# iptables -t filter -nvL --line-number
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
num pkts bytes target prot opt in out source destination
1 14 892 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:1212
2 106K 8294K ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
3 0 0 REJECT all -- 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited # other hosts whose packets are not RELATED get a host-prohibited reply
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
num pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 37 packets, 10438 bytes)
num pkts bytes target prot opt in out source destination
Result:
[root@iZuf62ds2bbsfbvox5ivxdZ ~]# ping 123.56.16.77
PING 123.56.16.77 (123.56.16.77) 56(84) bytes of data.
64 bytes from 123.56.16.77: icmp_seq=1 ttl=55 time=24.7 ms
64 bytes from 123.56.16.77: icmp_seq=2 ttl=55 time=24.6 ms
64 bytes from 123.56.16.77: icmp_seq=3 ttl=55 time=24.7 ms
64 bytes from 123.56.16.77: icmp_seq=4 ttl=55 time=24.7 ms
64 bytes from 123.56.16.77: icmp_seq=5 ttl=55 time=24.6 ms
64 bytes from 123.56.16.77: icmp_seq=6 ttl=55 time=24.7 ms
64 bytes from 123.56.16.77: icmp_seq=7 ttl=55 time=24.6 ms
64 bytes from 123.56.16.77: icmp_seq=8 ttl=55 time=24.6 ms
64 bytes from 123.56.16.77: icmp_seq=9 ttl=55 time=24.7 ms
64 bytes from 123.56.16.77: icmp_seq=10 ttl=55 time=24.7 ms
64 bytes from 123.56.16.77: icmp_seq=11 ttl=55 time=24.7 ms
64 bytes from 123.56.16.77: icmp_seq=12 ttl=55 time=24.7 ms
^C
--- 123.56.16.77 ping statistics ---
13 packets transmitted, 12 received, 7% packet loss, time 12039ms
rtt min/avg/max/mdev = 24.660/24.720/24.788/0.149 ms
[root@iZuf62ds2bbsfbvox5ivxdZ ~]# exit
logout
Connection to 101.132.109.227 closed.
Welcome to aliyun Elastic Compute Service!
[root@xz-server1 ~]# ping 101.132.109.227
PING 101.132.109.227 (101.132.109.227) 56(84) bytes of data.
From 101.132.109.227 icmp_seq=1 Destination Host Prohibited
From 101.132.109.227 icmp_seq=2 Destination Host Prohibited
From 101.132.109.227 icmp_seq=3 Destination Host Prohibited
From 101.132.109.227 icmp_seq=4 Destination Host Prohibited
From 101.132.109.227 icmp_seq=5 Destination Host Prohibited
From 101.132.109.227 icmp_seq=6 Destination Host Prohibited
From 101.132.109.227 icmp_seq=7 Destination Host Prohibited
From 101.132.109.227 icmp_seq=8 Destination Host Prohibited
From 101.132.109.227 icmp_seq=9 Destination Host Prohibited
From 101.132.109.227 icmp_seq=10 Destination Host Prohibited
From 101.132.109.227 icmp_seq=11 Destination Host Prohibited
From 101.132.109.227 icmp_seq=12 Destination Host Prohibited
From 101.132.109.227 icmp_seq=13 Destination Host Prohibited
From 101.132.109.227 icmp_seq=14 Destination Host Prohibited
^C
--- 101.132.109.227 ping statistics ---
14 packets transmitted, 0 received, +14 errors, 100% packet loss, time 13480ms
Conclusion: the following two rules must be used together (when the filter table INPUT chain policy is ACCEPT). Ping packets from other hosts are then rejected outright and a host-prohibited message is returned to the sender.
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -j REJECT --reject-with icmp-host-prohibited
One more point needs explaining: when the filter table INPUT chain default policy is DROP, a packet that hits the rule iptables -A INPUT -j REJECT --reject-with icmp-host-prohibited still gets a host-prohibited reply. A packet that matches no rule at all gets no reply whatsoever; it is simply dropped.
Change the INPUT default policy:
iptables -P INPUT DROP
[root@iZuf62ds2bbsfbvox5ivxdZ ~]# service iptables status
Table: filter
Chain INPUT (policy DROP)
num target prot opt source destination
1 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:1212
2 ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
3 REJECT all -- 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited
Chain FORWARD (policy ACCEPT)
num target prot opt source destination
Chain OUTPUT (policy ACCEPT)
num target prot opt source destination
Table: nat
Chain PREROUTING (policy ACCEPT)
num target prot opt source destination
Chain POSTROUTING (policy ACCEPT)
num target prot opt source destination
1 MASQUERADE all -- 192.168.0.0/16 0.0.0.0/0
Chain OUTPUT (policy ACCEPT)
num target prot opt source destination
[root@xz-server1 ~]# ping 101.132.109.227
PING 101.132.109.227 (101.132.109.227) 56(84) bytes of data.
From 101.132.109.227 icmp_seq=1 Destination Host Prohibited
From 101.132.109.227 icmp_seq=2 Destination Host Prohibited
From 101.132.109.227 icmp_seq=3 Destination Host Prohibited
From 101.132.109.227 icmp_seq=4 Destination Host Prohibited
From 101.132.109.227 icmp_seq=5 Destination Host Prohibited
From 101.132.109.227 icmp_seq=6 Destination Host Prohibited
From 101.132.109.227 icmp_seq=7 Destination Host Prohibited
From 101.132.109.227 icmp_seq=8 Destination Host Prohibited
From 101.132.109.227 icmp_seq=9 Destination Host Prohibited
From 101.132.109.227 icmp_seq=10 Destination Host Prohibited
From 101.132.109.227 icmp_seq=11 Destination Host Prohibited
From 101.132.109.227 icmp_seq=12 Destination Host Prohibited
From 101.132.109.227 icmp_seq=13 Destination Host Prohibited
^C
--- 101.132.109.227 ping statistics ---
13 packets transmitted, 0 received, +13 errors, 100% packet loss, time 12441ms
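The behaviour described in sections I to III (how a packet is classified NEW, ESTABLISHED, RELATED or INVALID; why the state rule alone changes nothing under policy ACCEPT; why the catch-all REJECT shadows every rule after it; and how policy DROP differs from REJECT) can be replayed without a live firewall. The following is an added example, not code from the article: a small Python model of conntrack's state classification plus first-match evaluation of the INPUT chain. The three rules and the two addresses 101.132.109.227 and 123.56.16.77 are taken from the article's listings; the packets, the echo id, and the third host's address 203.0.113.9 are constructed for the demonstration.

```python
# Added example (not the article's code): toy model of netfilter conntrack
# states and first-match evaluation of the filter table's INPUT chain.
from dataclasses import dataclass

SERVER = "101.132.109.227"   # host whose INPUT chain is modelled (from the article)
REMOTE = "123.56.16.77"      # host the server pings in the article
OTHER = "203.0.113.9"        # constructed address of an unrelated host


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str            # "tcp" or "icmp"
    sport: int = 0        # tcp source port; for icmp the echo id is used for both ports
    dport: int = 0        # tcp destination port
    icmp_type: str = ""   # "echo-request" or "echo-reply"


class Conntrack:
    """Flow table keyed by the original-direction tuple. NEW: no reply seen yet;
    ESTABLISHED: traffic seen in both directions; RELATED: matches an expectation
    a protocol helper registered (ftp-data); INVALID: belongs to no flow, e.g. an
    echo-reply answering a request we never sent."""

    def __init__(self):
        self.flows = {}        # original tuple -> True once a reply was seen
        self.expected = set()  # tuples a helper registered (unused in the replay)

    @staticmethod
    def tuple_of(p):
        return (p.src, p.dst, p.proto, p.sport, p.dport)

    @staticmethod
    def reverse(t):
        src, dst, proto, sport, dport = t
        return (dst, src, proto, dport, sport)

    def state(self, p):
        t = self.tuple_of(p)
        if t in self.flows:                      # same direction as the opener
            return "ESTABLISHED" if self.flows[t] else "NEW"
        if self.reverse(t) in self.flows:        # answer to a tracked flow
            self.flows[self.reverse(t)] = True
            return "ESTABLISHED"
        if t in self.expected:
            return "RELATED"
        if p.proto == "icmp" and p.icmp_type == "echo-reply":
            return "INVALID"                     # reply to nothing we sent
        return "NEW"

    def confirm(self, p):
        """Create the flow entry for a packet the host sent or accepted."""
        self.flows.setdefault(self.tuple_of(p), False)


@dataclass(frozen=True)
class Rule:
    target: str               # ACCEPT, DROP or REJECT
    states: tuple = ()        # -m state --state ...; empty means any state
    proto: str = ""           # -p tcp; empty means all protocols
    dport: int = 0            # --dport; 0 means any port
    reject_with: str = ""     # --reject-with (REJECT only)

    def matches(self, p, state):
        return ((not self.states or state in self.states)
                and (not self.proto or p.proto == self.proto)
                and (not self.dport or p.dport == self.dport))


class InputChain:
    """First matching rule decides; if nothing matches, the chain policy applies."""

    def __init__(self, policy, rules):
        self.policy, self.rules, self.ct = policy, list(rules), Conntrack()

    def send(self, p):        # OUTPUT chain is policy ACCEPT in the article
        self.ct.confirm(p)

    def receive(self, p):
        """Return (number of the rule that matched, or 0 for policy; state; verdict)."""
        state = self.ct.state(p)
        for num, r in enumerate(self.rules, 1):
            if r.matches(p, state):
                if r.target == "ACCEPT" and state in ("NEW", "RELATED"):
                    self.ct.confirm(p)
                return num, state, (f"REJECT {r.reject_with}" if r.target == "REJECT" else r.target)
        if self.policy == "ACCEPT" and state in ("NEW", "RELATED"):
            self.ct.confirm(p)
        return 0, state, self.policy


# The three rules from the article's listing, in listing order.
RULE_1212 = Rule("ACCEPT", states=("NEW",), proto="tcp", dport=1212)
RULE_STATE = Rule("ACCEPT", states=("ESTABLISHED", "RELATED"))
RULE_REJECT = Rule("REJECT", reject_with="icmp-host-prohibited")


def echo(src, dst, kind, ident=1):
    return Packet(src, dst, "icmp", ident, ident, kind)


def experiment(policy, rules):
    """Replay the article's experiment: the server pings REMOTE, then OTHER pings
    the server. Returns the verdicts on the two inbound packets."""
    chain = InputChain(policy, rules)
    chain.send(echo(SERVER, REMOTE, "echo-request"))            # our ping goes out
    reply = chain.receive(echo(REMOTE, SERVER, "echo-reply"))   # its answer comes back
    probe = chain.receive(echo(OTHER, SERVER, "echo-request"))  # someone pings us
    return reply, probe


def ordering_matters():
    """The dpt:1212 rule only works when it sits before the catch-all REJECT."""
    syn = Packet(OTHER, SERVER, "tcp", 40000, 1212)
    before = InputChain("ACCEPT", [RULE_1212, RULE_STATE, RULE_REJECT]).receive(syn)
    after = InputChain("ACCEPT", [RULE_STATE, RULE_REJECT, RULE_1212]).receive(syn)
    return before, after


if __name__ == "__main__":
    print("state rule only, policy ACCEPT:", experiment("ACCEPT", [RULE_STATE]))
    print("both rules, policy ACCEPT:", experiment("ACCEPT", [RULE_STATE, RULE_REJECT]))
    print("both rules, policy DROP:", experiment("DROP", [RULE_STATE, RULE_REJECT]))
    print("state rule only, policy DROP:", experiment("DROP", [RULE_STATE]))
    print("dpt:1212 rule before / after REJECT:", ordering_matters())
```

Each verdict is a triple (rule number, conntrack state, action). Running the script shows the echo-reply to our own ping classified ESTABLISHED and accepted by the state rule in every configuration, while the inbound echo-request from the third host is NEW: it falls through to the policy (accepted) with the state rule alone, is rejected with icmp-host-prohibited as soon as the REJECT rule is present regardless of policy, and is silently dropped only when policy DROP applies with no REJECT rule. The last line shows the dpt:1212 rule accepting the connection when it precedes the REJECT and never being reached when it follows it.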
Article title: Understanding the iptables -m option and its rules - 創(chuàng)新互聯(lián)
Article URL: http://www.chinadenli.net/article18/djdddp.html