What is the definition of addrtype in iptables?

Que*_*low 11 iptables

I'm keen on using addrtype together with -src in one of my filter chains, like this, to drop some bogon IPs:

-A INPUT -p tcp --dport 80 -m addrtype --src-type UNICAST ! -s 127.0.0.0/8 -j WEB

The man page says the following:

addrtype
This module matches packets based on their address type. Address types are used within the kernel networking stack and categorize addresses into various groups. The exact definition of that group depends on the specific layer three protocol.

The following address types are possible:

  • UNSPEC an unspecified address (i.e. 0.0.0.0)
  • UNICAST an unicast address
  • LOCAL a local address
  • BROADCAST a broadcast address
  • ANYCAST an anycast packet
  • MULTICAST a multicast address
  • BLACKHOLE a blackhole address
  • UNREACHABLE an unreachable address
  • PROHIBIT a prohibited address
  • THROW FIXME
  • NAT FIXME
  • XRESOLVE FIXME

It isn't clear what the exact definition is, and it says that it depends on the specific layer 3 protocol. Here is what I think:

  • unicast (!broadcast, !multicast, !anycast)
  • local (127.0.0.0/8)
  • broadcast (*.*.*.255)
  • anycast (*.*.*.*)
  • multicast (224.0.0.0/4)

Does anyone have clarity on what this means and how it is implemented by iptables (e.g. how does it know where BLACKHOLE actually is)?

cuo*_*glm 4

I think it depends on what you tell the kernel is a blackhole address type.

From the xt_addrtype.h file in the iptables source you can see:

/* rtn_type enum values from rtnetlink.h, but shifted */
enum {
    XT_ADDRTYPE_UNSPEC = 1 << 0,
    XT_ADDRTYPE_UNICAST = 1 << 1,   /* 1 << RTN_UNICAST */
    XT_ADDRTYPE_LOCAL  = 1 << 2,    /* 1 << RTN_LOCAL, etc */
    XT_ADDRTYPE_BROADCAST = 1 << 3,
    XT_ADDRTYPE_ANYCAST = 1 << 4,
    XT_ADDRTYPE_MULTICAST = 1 << 5,
    XT_ADDRTYPE_BLACKHOLE = 1 << 6,
    XT_ADDRTYPE_UNREACHABLE = 1 << 7,
    XT_ADDRTYPE_PROHIBIT = 1 << 8,
    XT_ADDRTYPE_THROW = 1 << 9,
    XT_ADDRTYPE_NAT = 1 << 10,
    XT_ADDRTYPE_XRESOLVE = 1 << 11,
};

In rtnetlink.h you will see the same definition:

enum {
    RTN_UNSPEC,
    RTN_UNICAST,        /* Gateway or direct route  */
    RTN_LOCAL,          /* Accept locally       */
    RTN_BROADCAST,      /* Accept locally as broadcast,
                           send as broadcast */
    RTN_ANYCAST,        /* Accept locally as broadcast,
                           but send as unicast */
    RTN_MULTICAST,      /* Multicast route      */
    RTN_BLACKHOLE,      /* Drop             */
    RTN_UNREACHABLE,    /* Destination is unreachable   */
    RTN_PROHIBIT,       /* Administratively prohibited  */
    RTN_THROW,          /* Not in this table        */
    RTN_NAT,            /* Translate this address   */
    RTN_XRESOLVE,       /* Use external resolver    */
    __RTN_MAX
};

You can see that iptables uses the same address type definitions as the kernel tcp network stack.

Then from man ip:

Route types:

      unicast - the route entry describes real paths to the destinations covered by the route prefix.

      unreachable - these destinations are unreachable. Packets are discarded and the ICMP message host unreachable is generated. The local senders get an EHOSTUNREACH error.

      blackhole - these destinations are unreachable. Packets are discarded silently. The local senders get an EINVAL error.

      prohibit - these destinations are unreachable. Packets are discarded and the ICMP message communication administratively prohibited is generated. The local senders get an EACCES error.

      local - the destinations are assigned to this host. The packets are looped back and delivered locally.

      broadcast - the destinations are broadcast addresses. The packets are sent as link broadcasts.

      throw - a special control route used together with policy rules. If such a route is selected, lookup in this table is terminated pretending that no route was found. Without policy routing it is equivalent to the absence of the route in the routing table. The packets are dropped and the ICMP message net unreachable is generated. The local senders get an ENETUNREACH error.

      nat - a special NAT route. Destinations covered by the prefix are considered to be dummy (or external) addresses which require translation to real (or internal) ones before forwarding. The addresses to translate to are selected with the attribute via. Warning: Route NAT is no longer supported in Linux 2.6.

      anycast - not implemented the destinations are anycast addresses assigned to this host. They are mainly equivalent to local with one difference: such addresses are invalid when used as the source address of any packet.

      multicast - a special type used for multicast routing. It is not present in normal routing tables.

So when you define a route to a network with the ip command and mark it as a blackhole route, the kernel now treats that network's addresses as the blackhole type:

ip route add blackhole X.X.X.X/24
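How the match learns that an address is BLACKHOLE, as an added example that is not part of the answer above or of the iptables/kernel sources: for IPv4 the kernel side of xt_addrtype asks the routing code for the rtn_type of the address and tests the corresponding 1 << rtn_type bit against the --src-type/--dst-type mask. The C program below performs the analogous lookup from userspace with an RTM_GETROUTE netlink request (the same query ip route get sends), maps the returned rtm_type back to the xt_addrtype bit, and evaluates the question's --src-type UNICAST mask against it. The function names (route_type_of, parse_route_reply, addrtype_matches, parse_sample_blackhole_reply) are mine, and the sample reply inside the program is constructed, not captured from a kernel.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <arpa/inet.h>
#include <sys/socket.h>
#include <linux/netlink.h>
#include <linux/rtnetlink.h>

/* xt_addrtype's mask bit for an rtn_type: XT_ADDRTYPE_LOCAL == 1 << RTN_LOCAL, and so on. */
unsigned int addrtype_bit(int rtn_type) { return 1u << rtn_type; }

/* Human-readable name, in rtnetlink.h enum order (the order the addrtype man page lists). */
const char *rtn_name(int rtn_type) {
    static const char *names[] = {
        "UNSPEC", "UNICAST", "LOCAL", "BROADCAST", "ANYCAST", "MULTICAST",
        "BLACKHOLE", "UNREACHABLE", "PROHIBIT", "THROW", "NAT", "XRESOLVE" };
    if (rtn_type < 0 || rtn_type >= (int)(sizeof names / sizeof names[0])) return "?";
    return names[rtn_type];
}

/* Emulates "-m addrtype [!] --src-type <mask>" once the address's rtn_type is known. */
int addrtype_matches(int rtn_type, unsigned int mask, int invert) {
    int hit = (addrtype_bit(rtn_type) & mask) != 0;
    return invert ? !hit : hit;
}

/* Walks an RTM_GETROUTE reply: returns rtm_type, or a negative errno taken from an
 * NLMSG_ERROR (e.g. -ENETUNREACH when no route covers the address at all). */
int parse_route_reply(void *buf, size_t len) {
    struct nlmsghdr *nh;
    for (nh = buf; NLMSG_OK(nh, len); nh = NLMSG_NEXT(nh, len)) {
        if (nh->nlmsg_type == NLMSG_ERROR)
            return ((struct nlmsgerr *)NLMSG_DATA(nh))->error;
        if (nh->nlmsg_type == RTM_NEWROUTE)
            return ((struct rtmsg *)NLMSG_DATA(nh))->rtm_type;
    }
    return -EINVAL;
}

/* Asks the kernel which route type covers a dotted-quad IPv4 address.
 * Returns rtm_type (an RTN_* value) or a negative errno. */
int route_type_of(const char *ipv4) {
    struct {
        struct nlmsghdr nh;
        struct rtmsg rtm;
        struct rtattr rta;   /* RTA_DST attribute header */
        struct in_addr dst;  /* RTA_DST payload */
    } req;
    char buf[4096];
    ssize_t n;
    int rc, fd;

    memset(&req, 0, sizeof req);
    if (inet_pton(AF_INET, ipv4, &req.dst) != 1) return -EINVAL;
    req.nh.nlmsg_len = NLMSG_LENGTH(sizeof req.rtm) + RTA_LENGTH(sizeof req.dst);
    req.nh.nlmsg_type = RTM_GETROUTE;
    req.nh.nlmsg_flags = NLM_F_REQUEST;
    req.nh.nlmsg_seq = 1;
    req.rtm.rtm_family = AF_INET;
    req.rtm.rtm_dst_len = 32;          /* host route query, as "ip route get" does */
    req.rta.rta_type = RTA_DST;
    req.rta.rta_len = RTA_LENGTH(sizeof req.dst);

    fd = socket(AF_NETLINK, SOCK_RAW, NETLINK_ROUTE);
    if (fd < 0) return -errno;
    if (send(fd, &req, req.nh.nlmsg_len, 0) < 0) { rc = -errno; close(fd); return rc; }
    n = recv(fd, buf, sizeof buf, 0);
    rc = n < 0 ? -errno : parse_route_reply(buf, (size_t)n);
    close(fd);
    return rc;
}

/* Constructed sample (not captured from a kernel): an RTM_NEWROUTE reply whose
 * rtm_type is RTN_BLACKHOLE, i.e. what the kernel answers for an address covered by
 * a route added with "ip route add blackhole ...". */
int parse_sample_blackhole_reply(void) {
    struct { struct nlmsghdr nh; struct rtmsg rtm; } reply;
    memset(&reply, 0, sizeof reply);
    reply.nh.nlmsg_len = NLMSG_LENGTH(sizeof reply.rtm);
    reply.nh.nlmsg_type = RTM_NEWROUTE;
    reply.rtm.rtm_family = AF_INET;
    reply.rtm.rtm_type = RTN_BLACKHOLE;
    return parse_route_reply(&reply, sizeof reply);
}

int main(int argc, char **argv) {
    /* Same mask as the rule in the question: --src-type UNICAST == XT_ADDRTYPE_UNICAST. */
    unsigned int mask = addrtype_bit(RTN_UNICAST);
    for (int i = 1; i < argc; i++) {
        int t = route_type_of(argv[i]);
        if (t < 0) { printf("%s: lookup failed: %s\n", argv[i], strerror(-t)); continue; }
        printf("%s: %s (XT_ADDRTYPE bit 1 << %d) %s --src-type UNICAST\n", argv[i],
               rtn_name(t), t, addrtype_matches(t, mask, 0) ? "matches" : "does not match");
    }
    return 0;
}
```

Build with gcc -o addrtype addrtype.c. Running ./addrtype 127.0.0.1 normally reports LOCAL; after ip route add blackhole 192.0.2.0/24 (192.0.2.0/24 is the TEST-NET-1 documentation range, used here only as a constructed example), ./addrtype 192.0.2.1 reports BLACKHOLE, which is exactly what the last step of the answer makes visible to the match. Two caveats: RTM_GETROUTE resolves through policy-routing rules, whereas the in-kernel match does a plain FIB lookup (inet_dev_addr_type()), so an address reachable only via a rule-selected table can be classified differently by the two; and xt_addrtype has a separate IPv6 path, so treat the program as an IPv4 illustration.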