• iptables4张表5条链


    4张表:filter nat mangle raw

    filter:协议过滤;

    nat:地址转换,端口映射等;

    mangle:协议修改 TTL等;

    raw:This  table  is  used mainly for configuring exemptions from connection tracking in combination with the NOTRACK  target.
            It registers at the netfilter hooks with higher priority and is thus called before ip_conntrack, or any other IP  tables.
            It  provides  the following built-in chains: PREROUTING (for packets arriving via  any  network  interface)  OUTPUT  (for packets generated by local processes)

    5条链:PREROUTING INPUT OUTPUT FORWARD POSTROUTING

    PREROUTING:数据包进入路由表之前

    INPUT:通过路由表后目的地为本机

    FORWARDING:通过路由表后,目的地不为本机

    OUTPUT:由本机产生,向外转发

    POSTROUTIONG:发送到网卡接口之前。

    数据包访问控制:ACCEPT DROP REJECT

    数据包改写:SNAT DNAT

    信息记录:LOG

          COMMAND:
    -A, --append chain rule-specification Append one or more rules to the end of the selected chain. When the source and/or destination names resolve to more than one address, a rule will be added for each possible address combination. -D, --delete chain rule-specification -D, --delete chain rulenum Delete one or more rules from the selected chain. There are two versions of this command: the rule can be specified as a number in the chain (starting at 1 for the first rule) or a rule to match. -I, --insert chain [rulenum] rule-specification Insert one or more rules in the selected chain as the given rule number. So, if the rule number is 1, the rule or rules are inserted at the head of the chain. This is also the default if no rule number is specified. -R, --replace chain rulenum rule-specification Replace a rule in the selected chain. If the source and/or destination names resolve to multiple addresses, the command will fail. Rules are numbered starting at 1. -L, --list [chain] List all rules in the selected chain. If no chain is selected, all chains are listed. Like every other iptables command, it applies to the specified table (filter is the default), so NAT rules get listed by iptables -t nat -n -L Please note that it is often used with the -n option, in order to avoid long reverse DNS lookups. It is legal to specify the -Z (zero) option as well, in which case the chain(s) will be atomically listed and zeroed. The exact output is affected by the other arguments given. The exact rules are suppressed until you use iptables -L -v -S, --list-rules [chain] Print all rules in the selected chain. If no chain is selected, all chains are printed like iptables-save. Like every other iptables command, it applies to the specified table (filter is the default). -F, --flush [chain] Flush the selected chain (all the chains in the table if none is given). This is equivalent to deleting all the rules one by one. -Z, --zero [chain [rulenum]] Zero the packet and byte counters in all chains, or only the given chain, or only the given rule in a chain. It is legal to specify the -L, --list (list) option as well, to see the counters immediately before they are cleared. (See above.) -N, --new-chain chain Create a new user-defined chain by the given name. There must be no target of that name already. -X, --delete-chain [chain] Delete the optional user-defined chain specified. There must be no references to the chain. If there are, you must delete or replace the referring rules before the chain can be deleted. The chain must be empty, i.e. not contain any rules. If no argument is given, it will attempt to delete every non-builtin chain in the table. -P, --policy chain target Set the policy for the chain to the given target. See the section TARGETS for the legal targets. Only built-in (non-user-defined) chains can have policies, and neither built-in nor user-defined chains can be policy targets. -E, --rename-chain old-chain new-chain Rename the user specified chain to the user supplied name. This is cosmetic, and has no effect on the structure of the table.

      

    PARAMETERS
           The following parameters make up a rule specification (as used in the add, delete, insert, replace and append commands).
    
           [!] -p, --protocol protocol
                  The protocol of the rule or of the packet to check.  The specified protocol can be one of tcp, udp, udplite, icmp, esp, ah, sctp or all, or it  can  be  a  numeric
                  value,  representing  one  of these protocols or a different one.  A protocol name from /etc/protocols is also allowed.  A "!" argument before the protocol inverts
                  the test.  The number zero is equivalent to all.  Protocol all will match with all protocols and is taken as default when this option is omitted.
    
           [!] -s, --source address[/mask][,...]
                  Source specification. Address can be either a network name, a hostname, a network IP address (with /mask), or a plain IP address. Hostnames will be  resolved  once
                  only,  before  the rule is submitted to the kernel.  Please note that specifying any name to be resolved with a remote query such as DNS is a really bad idea.  The
                  mask can be either a network mask or a plain number, specifying the number of 1’s at the left side of the network mask.  Thus,  a  mask  of  24  is  equivalent  to
                  255.255.255.0.   A  "!" argument before the address specification inverts the sense of the address. The flag --src is an alias for this option.  Multiple addresses
                  can be specified, but this will expand to multiple rules (when adding with -A), or will cause multiple rules to be deleted (with -D).
    
           [!] -d, --destination address[/mask][,...]
                  Destination specification.  See the description of the -s (source) flag for a detailed description of the syntax.  The flag --dst is an alias for this option.
    
           -j, --jump target
                  This specifies the target of the rule; i.e., what to do if the packet matches it.  The target can be a user-defined chain (other than the one this rule is in), one
                  of  the  special builtin targets which decide the fate of the packet immediately, or an extension (see EXTENSIONS below).  If this option is omitted in a rule (and
                  -g is not used), then matching the rule will have no effect on the packet’s fate, but the counters on the rule will be incremented.
    
           -g, --goto chain
                  This specifies that the processing should continue in a user specified chain. Unlike the --jump option return will  not  continue  processing  in  this  chain  but
                  instead in the chain that called us via --jump.
    
           [!] -i, --in-interface name
                  Name  of  an  interface via which a packet was received (only for packets entering the INPUT, FORWARD and PREROUTING chains).  When the "!" argument is used before
                  the interface name, the sense is inverted.  If the interface name ends in a "+", then any interface which begins with this name will  match.   If  this  option  is
                  omitted, any interface name will match.
    
           [!] -o, --out-interface name
                  Name  of  an  interface  via  which  a packet is going to be sent (for packets entering the FORWARD, OUTPUT and POSTROUTING chains).  When the "!" argument is used
                  before the interface name, the sense is inverted.  If the interface name ends in a "+", then any interface which begins with this name will match.  If this  option
                  is omitted, any interface name will match.
    
           [!] -f, --fragment
                  This  means that the rule only refers to second and further fragments of fragmented packets.  Since there is no way to tell the source or destination ports of such
                  a packet (or ICMP type), such a packet will not match any rules which specify them.  When the "!" argument precedes the "-f" flag, the rule will  only  match  head
                  fragments, or unfragmented packets.
    
           -c, --set-counters packets bytes
                  This enables the administrator to initialize the packet and byte counters of a rule (during INSERT, APPEND, REPLACE operations).
    
    分类 功能 作用链
    SNAT 源地址转换

    出口

    POSTROUTING

    DNAT 目标地址转换

    入口

    PREROUTING

    Limit模块
    作用:限速,控制流量
    如:iptables -A INPUT-m limit --limit 4/hour
    --limit-burst(初始的缓存区的大小)默认值为5

    connlimit模块
    作用:用于现在每一个客户端IP的并发连接数。
    参数:--connlimit-above n #限制并发个数
    例:iptables -I INPUT -p tcp --syn --dport 80 -m connlimit --connlimit-above 100 -j REJECT

    参考:

    http://www.imooc.com/video/7604/0

    http://blog.itpub.net/312079/viewspace-245368/

    http://linux.chinaunix.net/techdoc/net/2007/06/02/959143.shtml

  • 相关阅读:
    博客园创业点子摘录
    DNN性能优化方案系列(2)Page State Persistence
    以页面模块(模块定义)为添加单位的DNN控制窗格(ControlPanel)
    在SQL Server中安全的创建,使用,和删除一个临时表
    IDataErrorInfo and Business rule validation
    转:通过避免下列 10 个常见 ASP.NET 缺陷使网站平稳运行
    iis6启动HTTP压缩的方法
    TcpSocket编程与Event编写学习的好例子
    转:IIS aspnet HTTP 压缩 与Ajax
    070508_设置上次考试_考生管理_成绩批量录入
  • 原文地址:https://www.cnblogs.com/voipman/p/5091862.html
Copyright © 2020-2023  润新知