I'm just reading up on iptables, finally. I'm a bit confused, because the INPUT chain of the filter table (as installed, Fedora 17) looks like this:
target prot opt source destination
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT icmp -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT udp -- anywhere 224.0.0.251 state NEW udp dpt:mdns
REJECT all -- anywhere anywhere reject-with icmp-host-prohibited
From what I've been reading, the third rule should accept anything, but it doesn't (I have to disable iptables to allow access to sshd or an https server). All other chains in all other tables are policy ACCEPT with no rules, except filter FORWARD, which rejects everything.
So what exactly does ACCEPT do?
iptables -v -L
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
36625 38M ACCEPT all -- any any anywhere anywhere state RELATED,ESTABLISHED
0 0 ACCEPT icmp -- any any anywhere anywhere
1 60 ACCEPT all -- lo any anywhere anywhere
0 0 ACCEPT udp -- any any anywhere 224.0.0.251 state NEW udp dpt:mdns
534 73926 REJECT all -- any any anywhere anywhere reject-with icmp-host-prohibited
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 REJECT all -- any any anywhere anywhere reject-with icmp-host-prohibited
Chain OUTPUT (policy ACCEPT 31484 packets, 3973K bytes)
pkts bytes target prot opt in out source destination
So this tells me that the third rule really only applies to the loopback interface? [yes]
The ACCEPT target is a terminating target that allows the packet to get through Netfilter. REJECT is a terminating target that effectively forbids the packet from passing and causes an ICMP response to be sent to the originator of the packet. If you list the table with the 'iptables -v -L' command, the third rule in your example most likely looks like this:
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
639 304K ACCEPT all -- any any anywhere anywhere state RELATED,ESTABLISHED
0 0 ACCEPT icmp -- any any anywhere anywhere
101 7798 ACCEPT all -- lo any anywhere anywhere
The in column holds the interface the rule matches on. For the third rule it is the lo interface, so that rule allows any traffic on the loopback interface, which is correct; otherwise you would not be able to reach any local service hosted on the machine over TCP or UDP at the localhost address.
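To make the point about the in column checkable, here is an added shell example; it is not from the original post and not part of the iptables project. It parses `iptables -v -L` output, reports the input interface of a given rule, and flags ACCEPT rules that genuinely match everything (all protocols, any input interface, any source and destination, and no further match). The listing it reads is a constructed sample modelled on the output above, with an extra catch-all rule added at position 5 to show what a real accept-everything rule looks like; the column order (pkts bytes target prot opt in out source destination) is the one `iptables -v -L` prints, and rules are numbered the way `iptables -L --line-numbers` numbers them. On a live system, pipe `sudo iptables -v -L INPUT` into the functions instead of the sample.

```shell
#!/bin/sh
# Constructed sample of `iptables -v -L INPUT` output. The counters are made
# up and rule 5 was added deliberately: it is what an accept-everything rule
# looks like, unlike rule 3, which is limited to the lo interface.
SAMPLE_OUTPUT='Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
36625   38M ACCEPT     all  --  any    any     anywhere             anywhere             state RELATED,ESTABLISHED
    0     0 ACCEPT     icmp --  any    any     anywhere             anywhere
    1    60 ACCEPT     all  --  lo     any     anywhere             anywhere
    0     0 ACCEPT     udp  --  any    any     anywhere             224.0.0.251          state NEW udp dpt:mdns
   12   720 ACCEPT     all  --  any    any     anywhere             anywhere
  534 73926 REJECT     all  --  any    any     anywhere             anywhere             reject-with icmp-host-prohibited'

# iface_of_rule N: read `iptables -v -L` output on stdin and print the
# "in" column (field 6) of rule N, counting from 1 within the chain.
iface_of_rule() {
    awk -v want="$1" '
        /^Chain /        { n = 0; next }   # chain header: restart rule numbering
        /^ *pkts +bytes/ { next }          # column header line
        NF == 0          { next }
        { n++; if (n == want) print $6 }
    '
}

# unrestricted_accepts: read `iptables -v -L` output on stdin and print the
# number of every ACCEPT rule with prot=all, in=any, source=anywhere,
# destination=anywhere and no extra match after the destination column.
# Those are the rules that really do accept all inbound traffic.
unrestricted_accepts() {
    awk '
        /^Chain /        { n = 0; next }
        /^ *pkts +bytes/ { next }
        NF == 0          { next }
        {
            n++
            if ($3 == "ACCEPT" && $4 == "all" && $6 == "any" &&
                $8 == "anywhere" && $9 == "anywhere" && NF == 9)
                print n
        }
    '
}

# Stand-alone run against the constructed sample.
printf 'rule 3 input interface: %s\n' "$(printf '%s\n' "$SAMPLE_OUTPUT" | iface_of_rule 3)"
printf 'accept-everything rules: %s\n' "$(printf '%s\n' "$SAMPLE_OUTPUT" | unrestricted_accepts)"
```

Without `-v`, `iptables -L` hides the in and out columns, which is why rule 3 and rule 5 print identically as `ACCEPT all -- anywhere anywhere`; `iptables -S INPUT` is the other unambiguous view, since it prints each rule as the spec that created it (`-A INPUT -i lo -j ACCEPT` for rule 3).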