91超碰碰碰碰久久久久久综合_超碰av人澡人澡人澡人澡人掠_国产黄大片在线观看画质优化_txt小说免费全本

溫馨提示×

溫馨提示×

您好,登錄后才能下訂單哦!

密碼登錄×
登錄注冊×
其他方式登錄
點擊 登錄注冊 即表示同意《億速云用戶服務條款》

關于iptables -m選項以及規則的理解

發布時間:2020-03-04 14:44:56 來源:網絡 閱讀:40896 作者:ziwenzhou 欄目:建站服務器

關于iptables的詳細狀態可以查看http://os.51cto.com/art/201108/285209.htm

時常在服務器的防火墻上看到有這些規則,
2 106K 8294K ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED,我覺得有必要搞下這個iptables了
下面就來談談iptables
一.首先iptables有四種狀態
NEW,ESTABLISHED,RELATED,INVALID。
NEW狀態:主機連接目標主機,在目標主機上看到的第一個想要連接的包
ESTABLISHED狀態:主機已與目標主機進行通信,判斷標準只要目標主機回應了第一個包,就進入該狀態。
RELATED狀態:主機已與目標主機進行通信,目標主機發起新的鏈接方式,例如ftp
INVALID狀態:無效的封包,例如數據破損的封包狀態

二.其次再來談談上述規則的作用
你會發現有這條
2 106K 8294K ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
經常又會看見這條規則
3 0 0 REJECT all -- 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited #其他主機不滿足RELATED的情況,會給它返回host-prohibited

添加方式:iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -j REJECT --reject-with icmp-host-prohibited
第二條規則的含義其實是:調用狀態模塊,匹配當狀態為RELATED和ESTABLISHED的所有數據包通過,換句話說就是允許所有已經建立的連接,表現為本機可以ping其他主機,但是其他主機無法ping本機,只接受自己發出去的響應包,這是萬能的一句話,允許所有自己發出去的包進來。后面跟具體規則
第三條規則的含義其實是:依據第二條來的,所有不滿足第二條規則的,都會被拒絕,而且會給主機返回一個host-prohibited的消息。需要注意的則是,所有位于第三條規則之下的規則都無法生效,位于該規則之上的都會生效

三.口說無憑,下面我們來做個實驗看看
只添加iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT,完全沒有任何作用
[root@iZuf62ds2bbsfbvox5ivxdZ ~]# iptables -t filter -nvL --line-number
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
num pkts bytes target prot opt in out source destination
1 14 892 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:1212
2 106K 8294K ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED

2.添加兩條規則,防火墻規則如圖,會產生自己能ping其他主機,但是其他主機ping不通自己的情況
[root@iZuf62ds2bbsfbvox5ivxdZ ~]# iptables -t filter -nvL --line-number
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
num pkts bytes target prot opt in out source destination
1 14 892 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:1212
2 106K 8294K ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
3 0 0 REJECT all -- 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited #其他主機不滿足RELATED的情況,會給它返回host-prohibited

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
num pkts bytes target prot opt in out source destination

Chain OUTPUT (policy ACCEPT 37 packets, 10438 bytes)
num pkts bytes target prot opt in out source destination
效果圖:
[root@iZuf62ds2bbsfbvox5ivxdZ ~]# ping 123.56.16.77
PING 123.56.16.77 (123.56.16.77) 56(84) bytes of data.
64 bytes from 123.56.16.77: icmp_seq=1 ttl=55 time=24.7 ms
64 bytes from 123.56.16.77: icmp_seq=2 ttl=55 time=24.6 ms
64 bytes from 123.56.16.77: icmp_seq=3 ttl=55 time=24.7 ms
64 bytes from 123.56.16.77: icmp_seq=4 ttl=55 time=24.7 ms
64 bytes from 123.56.16.77: icmp_seq=5 ttl=55 time=24.6 ms
64 bytes from 123.56.16.77: icmp_seq=6 ttl=55 time=24.7 ms
64 bytes from 123.56.16.77: icmp_seq=7 ttl=55 time=24.6 ms
64 bytes from 123.56.16.77: icmp_seq=8 ttl=55 time=24.6 ms
64 bytes from 123.56.16.77: icmp_seq=9 ttl=55 time=24.7 ms
64 bytes from 123.56.16.77: icmp_seq=10 ttl=55 time=24.7 ms
64 bytes from 123.56.16.77: icmp_seq=11 ttl=55 time=24.7 ms
64 bytes from 123.56.16.77: icmp_seq=12 ttl=55 time=24.7 ms
^C
--- 123.56.16.77 ping statistics ---
13 packets transmitted, 12 received, 7% packet loss, time 12039ms
rtt min/avg/max/mdev = 24.660/24.720/24.788/0.149 ms
[root@iZuf62ds2bbsfbvox5ivxdZ ~]# exit
logout
Connection to 101.132.109.227 closed.

Welcome to aliyun Elastic Compute Service!

[root@xz-server1 ~]# ping 101.132.109.227
PING 101.132.109.227 (101.132.109.227) 56(84) bytes of data.
From 101.132.109.227 icmp_seq=1 Destination Host Prohibited
From 101.132.109.227 icmp_seq=2 Destination Host Prohibited
From 101.132.109.227 icmp_seq=3 Destination Host Prohibited
From 101.132.109.227 icmp_seq=4 Destination Host Prohibited
From 101.132.109.227 icmp_seq=5 Destination Host Prohibited
From 101.132.109.227 icmp_seq=6 Destination Host Prohibited
From 101.132.109.227 icmp_seq=7 Destination Host Prohibited
From 101.132.109.227 icmp_seq=8 Destination Host Prohibited
From 101.132.109.227 icmp_seq=9 Destination Host Prohibited
From 101.132.109.227 icmp_seq=10 Destination Host Prohibited
From 101.132.109.227 icmp_seq=11 Destination Host Prohibited
From 101.132.109.227 icmp_seq=12 Destination Host Prohibited
From 101.132.109.227 icmp_seq=13 Destination Host Prohibited
From 101.132.109.227 icmp_seq=14 Destination Host Prohibited
^C
--- 101.132.109.227 ping statistics ---
14 packets transmitted, 0 received, +14 errors, 100% packet loss, time 13480ms
結論:下面兩條規則必須連用(filter表INPUT鏈規則是ACCEPT的時候),其他主機ping包過來的時候直接拒絕,并且返回給它host-prohibited信息。
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -j REJECT --reject-with icmp-host-prohibited

那么下面還需要說明一點的是,當filter表INPUT鏈默認規則是DROP的時候,命中iptables -A INPUT -j REJECT --reject-with icmp-host-prohibited該規則,依舊會返回host-prohibited信息。沒有命中規則的,不會返回任何信息,直接被drop掉
修改INPUT默認規則:
iptables -P INPUT DROP
[root@iZuf62ds2bbsfbvox5ivxdZ ~]# service iptables status
Table: filter
Chain INPUT (policy DROP)
num target prot opt source destination
1 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:1212
2 ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
3 REJECT all -- 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited

Chain FORWARD (policy ACCEPT)
num target prot opt source destination

Chain OUTPUT (policy ACCEPT)
num target prot opt source destination

Table: nat
Chain PREROUTING (policy ACCEPT)
num target prot opt source destination

Chain POSTROUTING (policy ACCEPT)
num target prot opt source destination
1 MASQUERADE all -- 192.168.0.0/16 0.0.0.0/0

Chain OUTPUT (policy ACCEPT)
num target prot opt source destination

[root@xz-server1 ~]# ping 101.132.109.227
PING 101.132.109.227 (101.132.109.227) 56(84) bytes of data.
From 101.132.109.227 icmp_seq=1 Destination Host Prohibited
From 101.132.109.227 icmp_seq=2 Destination Host Prohibited
From 101.132.109.227 icmp_seq=3 Destination Host Prohibited
From 101.132.109.227 icmp_seq=4 Destination Host Prohibited
From 101.132.109.227 icmp_seq=5 Destination Host Prohibited
From 101.132.109.227 icmp_seq=6 Destination Host Prohibited
From 101.132.109.227 icmp_seq=7 Destination Host Prohibited
From 101.132.109.227 icmp_seq=8 Destination Host Prohibited
From 101.132.109.227 icmp_seq=9 Destination Host Prohibited
From 101.132.109.227 icmp_seq=10 Destination Host Prohibited
From 101.132.109.227 icmp_seq=11 Destination Host Prohibited
From 101.132.109.227 icmp_seq=12 Destination Host Prohibited
From 101.132.109.227 icmp_seq=13 Destination Host Prohibited
^C
--- 101.132.109.227 ping statistics ---
13 packets transmitted, 0 received, +13 errors, 100% packet loss, time 12441ms

向AI問一下細節

免責聲明:本站發布的內容(圖片、視頻和文字)以原創、轉載和分享為主,文章觀點不代表本網站立場,如果涉及侵權請聯系站長郵箱:is@yisu.com進行舉報,并提供相關證據,一經查實,將立刻刪除涉嫌侵權內容。

AI

从江县| 沈阳市| 达尔| 永定县| 长顺县| 太仆寺旗| 杭锦后旗| 巴里| 河西区| 临泽县| 炉霍县| 枣庄市| 武邑县| 大足县| 兴和县| 兴宁市| 巴林左旗| 乃东县| 阜宁县| 竹北市| 高州市| 资兴市| 教育| 孝义市| 卢氏县| 垫江县| 宣威市| 陇川县| 鹤壁市| 益阳市| 登封市| 汝州市| 富裕县| 行唐县| 宕昌县| 西安市| 延川县| 兖州市| 定远县| 屏东市| 竹山县|