
平臺(tái) 論壇博客文庫(kù)

› 論壇 › 操作系統(tǒng) › Linux系統(tǒng)管理 › iptables無(wú)法過(guò)濾

最近訪問(wèn)板塊

查看: 3111 | 回復(fù): 6

[系統(tǒng)安全] iptables無(wú)法過(guò)濾 [復(fù)制鏈接]

阿鸞44

白手起家

論壇徽章:: 0

電梯直達(dá)

1樓 [收藏(0)] [報(bào)告]

發(fā)表于 2014-10-23 17:17 |只看該作者 |倒序?yàn)g覽

以下規(guī)則是openWrt（也是linux）默認(rèn)規(guī)則，

配置大概是這樣：這是一個(gè)寬帶路由器（NAT設(shè)備），WAN網(wǎng)口使用DHCP獲取ip，LAN口也作為DHCP服務(wù)器。配置了SNAT（MASQUERADE）。正常情況下，通過(guò)WAN口上行的數(shù)據(jù)的源ip被改成路由器WAN口ip，下行數(shù)據(jù)通過(guò)connect track自動(dòng)把目的地址替換成內(nèi)網(wǎng)IP。

那么，問(wèn)題來(lái)了，(假設(shè)內(nèi)網(wǎng)某主機(jī)ip是192.168.1.128，測(cè)試過(guò)程中這臺(tái)主機(jī)不間斷高速下載)
現(xiàn)象是：
1、通過(guò)SNAT上網(wǎng)正常
2、通過(guò) iptables -I FORWARD -d 192.168.1.128 -j DROP 想達(dá)到禁止下載，不生效，電腦正常下載
3、針對(duì)2的現(xiàn)象作調(diào)試：通過(guò)iptables -L FORWARD -nv查看統(tǒng)計(jì)，發(fā)現(xiàn)filter表FORWARD鏈無(wú)明顯的大流量通過(guò)
4、針對(duì)2的現(xiàn)象作調(diào)試，通過(guò)iptables -t mangle -L FORWARD -nv查看統(tǒng)計(jì)，發(fā)現(xiàn)mangle表FORWARD有明顯流量通過(guò)，目測(cè)接近下載速度。
5、通過(guò) iptables -I FORWARD -s 192.168.1.128 -j DROP，生效，電腦不能下載（因?yàn)檫B接是雙向的）

個(gè)人理解：根據(jù)iptables處理順序，在FORWARD中，先執(zhí)行mangle表、再執(zhí)行filter表，除非mangle處理結(jié)果為DROP，否則數(shù)據(jù)將無(wú)條件經(jīng)過(guò)filter

問(wèn)：為什么下載時(shí)數(shù)據(jù)不經(jīng)過(guò)FORWARD鏈的filter表？

以下是iptables 規(guī)則

root@OpenWrt:~#iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
delegate_input all -- anywhere anywhere
Chain FORWARD (policy DROP)
target prot opt source destination
DROP all -- anywhere PC201409180946.lan
p2pblock udp -- anywhere anywhere udp spts:1024:65535 dpts:1024:65535
p2pblock tcp -- anywhere anywhere tcp spts:1024:65535 dpts:1024:65535
delegate_forward all -- anywhere anywhere
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
DROP all -- 192.168.1.90 anywhere
delegate_output all -- anywhere anywhere
Chain BCP38 (3 references)
target prot opt source destination
RETURN udp -- anywhere anywhere udp spts:bootps:bootpc dpts:bootps:bootpc
REJECT all -- anywhere anywhere match-set bcp38-ipv4 dst reject-with icmp-net-unreachable
DROP all -- anywhere anywhere match-set bcp38-ipv4 src
Chain MINIUPNPD (1 references)
target prot opt source destination
ACCEPT tcp -- anywhere 192.168.1.22 tcp dpt:10946
ACCEPT udp -- anywhere 192.168.1.22 udp dpt:10489
ACCEPT tcp -- anywhere PC201409180946.lan tcp dpt:10946
ACCEPT udp -- anywhere PC201409180946.lan udp dpt:10489
Chain delegate_forward (1 references)
target prot opt source destination
forwarding_rule all -- anywhere anywhere /* user chain for forwarding */
ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED
ACCEPT all -- anywhere 192.168.1.22 /* ddrop */
zone_lan_forward all -- anywhere anywhere
zone_wan_forward all -- anywhere anywhere
reject all -- anywhere anywhere
Chain delegate_input (1 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere
input_rule all -- anywhere anywhere /* user chain for input */
ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED
syn_flood tcp -- anywhere anywhere tcp flags:FIN,SYN,RST,ACK/SYN
zone_lan_input all -- anywhere anywhere
zone_wan_input all -- anywhere anywhere
Chain delegate_output (1 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere
output_rule all -- anywhere anywhere /* user chain for output */
ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED
zone_lan_output all -- anywhere anywhere
zone_wan_output all -- anywhere anywhere
Chain forwarding_lan_rule (1 references)
target prot opt source destination
Chain forwarding_rule (1 references)
target prot opt source destination
BCP38 all -- anywhere anywhere
Chain forwarding_wan_rule (1 references)
target prot opt source destination
Chain input_lan_rule (1 references)
target prot opt source destination
Chain input_rule (1 references)
target prot opt source destination
BCP38 all -- anywhere anywhere
Chain input_wan_rule (1 references)
target prot opt source destination
Chain luci_splash_filter (1 references)
target prot opt source destination
REJECT tcp -- anywhere anywhere reject-with tcp-reset
REJECT all -- anywhere anywhere reject-with icmp-net-prohibited
Chain luci_splash_forwarding (0 references)
target prot opt source destination
RETURN all -- anywhere lvps176-28-11-93.dedicated.hosteurope.de
luci_splash_filter all -- anywhere anywhere
Chain output_lan_rule (1 references)
target prot opt source destination
Chain output_rule (1 references)
target prot opt source destination
BCP38 all -- anywhere anywhere
Chain output_wan_rule (1 references)
target prot opt source destination
Chain p2pblock (2 references)
target prot opt source destination
LOG all -- anywhere anywhere -m ipp2p --apple limit: avg 1/min burst 5 LOG level warning prefix "P2PBLOCK-seen-apple:"
all -- anywhere anywhere -m ipp2p --apple recent: SET name: P2PBLOCK side: dest mask: 255.255.255.255
LOG all -- anywhere anywhere -m ipp2p --winmx limit: avg 1/min burst 5 LOG level warning prefix "P2PBLOCK-seen-winmx:"
all -- anywhere anywhere -m ipp2p --winmx recent: SET name: P2PBLOCK side: dest mask: 255.255.255.255
LOG all -- anywhere anywhere -m ipp2p --soul limit: avg 1/min burst 5 LOG level warning prefix "P2PBLOCK-seen-soul:"
all -- anywhere anywhere -m ipp2p --soul recent: SET name: P2PBLOCK side: dest mask: 255.255.255.255
LOG all -- anywhere anywhere -m ipp2p --ares limit: avg 1/min burst 5 LOG level warning prefix "P2PBLOCK-seen-ares:"
all -- anywhere anywhere -m ipp2p --ares recent: SET name: P2PBLOCK side: dest mask: 255.255.255.255
LOG all -- anywhere anywhere -m ipp2p --bit limit: avg 1/min burst 5 LOG level warning prefix "P2PBLOCK-seen-bit:"
all -- anywhere anywhere -m ipp2p --bit recent: SET name: P2PBLOCK side: dest mask: 255.255.255.255
LOG all -- anywhere anywhere -m ipp2p --gnu limit: avg 1/min burst 5 LOG level warning prefix "P2PBLOCK-seen-gnu:"
all -- anywhere anywhere -m ipp2p --gnu recent: SET name: P2PBLOCK side: dest mask: 255.255.255.255
LOG all -- anywhere anywhere -m ipp2p --kazaa limit: avg 1/min burst 5 LOG level warning prefix "P2PBLOCK-seen-kazaa:"
all -- anywhere anywhere -m ipp2p --kazaa recent: SET name: P2PBLOCK side: dest mask: 255.255.255.255
LOG all -- anywhere anywhere -m ipp2p --dc limit: avg 1/min burst 5 LOG level warning prefix "P2PBLOCK-seen-dc:"
all -- anywhere anywhere -m ipp2p --dc recent: SET name: P2PBLOCK side: dest mask: 255.255.255.255
LOG all -- anywhere anywhere -m ipp2p --edk limit: avg 1/min burst 5 LOG level warning prefix "P2PBLOCK-seen-edk:"
all -- anywhere anywhere -m ipp2p --edk recent: SET name: P2PBLOCK side: dest mask: 255.255.255.255
LOG all -- anywhere anywhere recent: CHECK seconds: 60 hit_count: 3 name: P2PBLOCK side: dest mask: 255.255.255.255 limit: avg 1/min burst 5 LOG level warning prefix "P2PBLOCK-DROP:"
DROP all -- anywhere anywhere recent: CHECK seconds: 60 hit_count: 3 name: P2PBLOCK side: dest mask: 255.255.255.255
Chain reject (3 references)
target prot opt source destination
REJECT tcp -- anywhere anywhere reject-with tcp-reset
REJECT all -- anywhere anywhere reject-with icmp-port-unreachable
Chain syn_flood (1 references)
target prot opt source destination
RETURN tcp -- anywhere anywhere tcp flags:FIN,SYN,RST,ACK/SYN limit: avg 25/sec burst 50
DROP all -- anywhere anywhere
Chain zone_lan_dest_ACCEPT (2 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere
Chain zone_lan_forward (1 references)
target prot opt source destination
forwarding_lan_rule all -- anywhere anywhere /* user chain for forwarding */
zone_wan_dest_ACCEPT all -- anywhere anywhere /* forwarding lan -> wan */
ACCEPT all -- anywhere anywhere ctstate DNAT /* Accept port forwards */
zone_lan_dest_ACCEPT all -- anywhere anywhere
Chain zone_lan_input (1 references)
target prot opt source destination
input_lan_rule all -- anywhere anywhere /* user chain for input */
ACCEPT all -- anywhere anywhere ctstate DNAT /* Accept port redirections */
zone_lan_src_ACCEPT all -- anywhere anywhere
Chain zone_lan_output (1 references)
target prot opt source destination
output_lan_rule all -- anywhere anywhere /* user chain for output */
zone_lan_dest_ACCEPT all -- anywhere anywhere
Chain zone_lan_src_ACCEPT (1 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere
Chain zone_wan_dest_ACCEPT (2 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere
Chain zone_wan_dest_REJECT (1 references)
target prot opt source destination
reject all -- anywhere anywhere
Chain zone_wan_forward (1 references)
target prot opt source destination
MINIUPNPD all -- anywhere anywhere
forwarding_wan_rule all -- anywhere anywhere /* user chain for forwarding */
ACCEPT all -- anywhere anywhere ctstate DNAT /* Accept port forwards */
zone_wan_dest_REJECT all -- anywhere anywhere
Chain zone_wan_input (1 references)
target prot opt source destination
input_wan_rule all -- anywhere anywhere /* user chain for input */
ACCEPT udp -- anywhere anywhere udp dpt:bootpc /* Allow-DHCP-Renew */
ACCEPT icmp -- anywhere anywhere icmp echo-request /* Allow-Ping */
ACCEPT all -- anywhere anywhere ctstate DNAT /* Accept port redirections */
zone_wan_src_REJECT all -- anywhere anywhere
Chain zone_wan_output (1 references)
target prot opt source destination
output_wan_rule all -- anywhere anywhere /* user chain for output */
zone_wan_dest_ACCEPT all -- anywhere anywhere
Chain zone_wan_src_REJECT (1 references)
target prot opt source destination
reject all -- anywhere anywhere
root@OpenWrt:~#
root@OpenWrt:~#
root@OpenWrt:~#
root@OpenWrt:~#
root@OpenWrt:~#
root@OpenWrt:~#
root@OpenWrt:~#
root@OpenWrt:~#
root@OpenWrt:~#
root@OpenWrt:~#
root@OpenWrt:~#
root@OpenWrt:~#
root@OpenWrt:~#
root@OpenWrt:~#
root@OpenWrt:~#
root@OpenWrt:~#
root@OpenWrt:~#
root@OpenWrt:~#
root@OpenWrt:~#
root@OpenWrt:~#
root@OpenWrt:~#
root@OpenWrt:~#
root@OpenWrt:~#
root@OpenWrt:~#
root@OpenWrt:~#
root@OpenWrt:~#
root@OpenWrt:~#
root@OpenWrt:~#iptables -t mangle -L
Chain PREROUTING (policy ACCEPT)
target prot opt source destination
luci_splash_mark_out all -- anywhere anywhere
mwan3_hook all -- anywhere anywhere
fwmark all -- anywhere anywhere
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain FORWARD (policy ACCEPT)
target prot opt source destination
mssfix all -- anywhere anywhere
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
mwan3_hook all -- anywhere anywhere
mwan3_output_hook all -- anywhere anywhere
Chain POSTROUTING (policy ACCEPT)
target prot opt source destination
luci_splash_mark_in all -- anywhere anywhere
Chain fwmark (1 references)
target prot opt source destination
Chain luci_splash_mark_in (1 references)
target prot opt source destination
Chain luci_splash_mark_out (1 references)
target prot opt source destination
Chain mssfix (1 references)
target prot opt source destination
TCPMSS tcp -- anywhere anywhere tcp flags:SYN,RST/SYN /* wan (mtu_fix) */ TCPMSS clamp to PMTU
Chain mwan3_connected (2 references)
target prot opt source destination
MARK all -- anywhere 127.0.0.0/8 MARK or 0xff00
MARK all -- anywhere base-address.mcast.net/3 MARK or 0xff00
MARK all -- anywhere 10.20.12.0/24 MARK or 0xff00
MARK all -- anywhere 192.168.1.0/24 MARK or 0xff00
Chain mwan3_hook (2 references)
target prot opt source destination
CONNMARK all -- anywhere anywhere CONNMARK restore mask 0xff00
mwan3_ifaces all -- anywhere anywhere mark match 0x0/0xff00
mwan3_connected all -- anywhere anywhere mark match 0x0/0xff00
mwan3_rules all -- anywhere anywhere mark match 0x0/0xff00
CONNMARK all -- anywhere anywhere CONNMARK save mask 0xff00
mwan3_connected all -- anywhere anywhere mark match ! 0xff00/0xff00
Chain mwan3_iface_wan (1 references)
target prot opt source destination
MARK all -- 10.20.12.0/24 anywhere mark match 0x0/0xff00 /* default */ MARK or 0xff00
MARK all -- anywhere anywhere mark match 0x0/0xff00 /* wan */ MARK xset 0x100/0xff00
Chain mwan3_ifaces (1 references)
target prot opt source destination
mwan3_iface_wan all -- anywhere anywhere mark match 0x0/0xff00
Chain mwan3_output_hook (1 references)
target prot opt source destination
mwan3_track_wan icmp -- anywhere anywhere icmp echo-request length 32
Chain mwan3_policy_balanced (1 references)
target prot opt source destination
MARK all -- anywhere anywhere mark match 0x0/0xff00 /* wan 3 3 */ MARK xset 0x100/0xff00
Chain mwan3_policy_wan2_only (0 references)
target prot opt source destination
MARK all -- anywhere anywhere mark match 0x0/0xff00 /* unreachable */ MARK xset 0xfe00/0xff00
Chain mwan3_policy_wan2_wan (1 references)
target prot opt source destination
MARK all -- anywhere anywhere mark match 0x0/0xff00 /* wan 3 3 */ MARK xset 0x100/0xff00
Chain mwan3_policy_wan_only (0 references)
target prot opt source destination
MARK all -- anywhere anywhere mark match 0x0/0xff00 /* wan 3 3 */ MARK xset 0x100/0xff00
Chain mwan3_policy_wan_wan2 (1 references)
target prot opt source destination
MARK all -- anywhere anywhere mark match 0x0/0xff00 /* wan 3 3 */ MARK xset 0x100/0xff00
Chain mwan3_rules (1 references)
target prot opt source destination
mwan3_policy_wan_wan2 tcp -- 0.0.0.0/0.0.0.1 anywhere multiport sports 0:65535 multiport dports https mark match 0x0/0xff00 /* sticky_even */
mwan3_policy_wan2_wan tcp -- 0.0.0.1/0.0.0.1 anywhere multiport sports 0:65535 multiport dports https mark match 0x0/0xff00 /* sticky_odd */
mwan3_policy_balanced all -- anywhere anywhere mark match 0x0/0xff00 /* default_rule */
Chain mwan3_track_wan (1 references)
target prot opt source destination
MARK all -- anywhere resolver2.opendns.com MARK or 0xff00
MARK all -- anywhere resolver1.opendns.com MARK or 0xff00
MARK all -- anywhere google-public-dns-a.google.com MARK or 0xff00
MARK all -- anywhere google-public-dns-b.google.com MARK or 0xff00
Chain qos_Default (0 references)
target prot opt source destination
CONNMARK all -- anywhere anywhere CONNMARK restore mask 0xf
qos_Default_ct all -- anywhere anywhere mark match 0x0/0xf
MARK udp -- anywhere anywhere mark match 0x0/0xf0 length 0:500 MARK xset 0x22/0xff
MARK icmp -- anywhere anywhere MARK xset 0x11/0xff
MARK tcp -- anywhere anywhere mark match 0x0/0xf0 tcp spts:1024:65535 dpts:1024:65535 MARK xset 0x44/0xff
MARK udp -- anywhere anywhere mark match 0x0/0xf0 udp spts:1024:65535 dpts:1024:65535 MARK xset 0x44/0xff
CONNMARK all -- anywhere anywhere CONNMARK save mask 0xf0
Chain qos_Default_ct (1 references)
target prot opt source destination
MARK tcp -- anywhere anywhere mark match 0x0/0xf tcp multiport ports ssh,domain /* ssh, dns */ MARK xset 0x11/0xff
MARK udp -- anywhere anywhere mark match 0x0/0xf udp multiport ports ssh,domain /* ssh, dns */ MARK xset 0x11/0xff
MARK tcp -- anywhere anywhere mark match 0x0/0xf tcp multiport ports ftp-data,ftp,smtp,www,pop3,https,imaps,pop3s /* ftp, smtp, http(s), imap */ MARK xset 0x33/0xff
MARK tcp -- anywhere anywhere mark match 0x0/0xf tcp multiport ports 5190 /* AOL, iChat, ICQ */ MARK xset 0x22/0xff
MARK udp -- anywhere anywhere mark match 0x0/0xf udp multiport ports 5190 /* AOL, iChat, ICQ */ MARK xset 0x22/0xff
CONNMARK all -- anywhere anywhere CONNMARK save mask 0xff
MARK tcp -- anywhere anywhere mark match 0x0/0xf tcp multiport ports ssh,domain /* ssh, dns */ MARK xset 0x11/0xff
MARK udp -- anywhere anywhere mark match 0x0/0xf udp multiport ports ssh,domain /* ssh, dns */ MARK xset 0x11/0xff
MARK tcp -- anywhere anywhere mark match 0x0/0xf tcp multiport ports ftp-data,ftp,smtp,www,pop3,https,imaps,pop3s /* ftp, smtp, http(s), imap */ MARK xset 0x33/0xff
MARK tcp -- anywhere anywhere mark match 0x0/0xf tcp multiport ports 5190 /* AOL, iChat, ICQ */ MARK xset 0x22/0xff
MARK udp -- anywhere anywhere mark match 0x0/0xf udp multiport ports 5190 /* AOL, iChat, ICQ */ MARK xset 0x22/0xff
root@OpenWrt:~#
root@OpenWrt:~#
root@OpenWrt:~#
root@OpenWrt:~#
root@OpenWrt:~#
root@OpenWrt:~#
root@OpenWrt:~#
root@OpenWrt:~#
root@OpenWrt:~#
root@OpenWrt:~#iptables -t nat -L
Chain PREROUTING (policy ACCEPT)
target prot opt source destination
DNAT all -- anywhere 10.20.12.13 to:192.168.1.22
DNAT tcp -- anywhere 10.20.12.13 tcp dpt:8022 to:192.168.1.130:22
delegate_prerouting all -- anywhere anywhere
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Chain POSTROUTING (policy ACCEPT)
target prot opt source destination
delegate_postrouting all -- anywhere anywhere
Chain MINIUPNPD (1 references)
target prot opt source destination
DNAT tcp -- anywhere anywhere tcp dpt:10946 to:192.168.1.22:10946
DNAT udp -- anywhere anywhere udp dpt:10946 to:192.168.1.22:10489
DNAT tcp -- anywhere anywhere tcp dpt:17083 to:192.168.1.128:10946
DNAT udp -- anywhere anywhere udp dpt:17083 to:192.168.1.128:10489
Chain delegate_postrouting (1 references)
target prot opt source destination
postrouting_rule all -- anywhere anywhere /* user chain for postrouting */
zone_lan_postrouting all -- anywhere anywhere
zone_wan_postrouting all -- anywhere anywhere
Chain delegate_prerouting (1 references)
target prot opt source destination
prerouting_rule all -- anywhere anywhere /* user chain for prerouting */
zone_lan_prerouting all -- anywhere anywhere
zone_wan_prerouting all -- anywhere anywhere
Chain luci_splash_leases (1 references)
target prot opt source destination
REDIRECT udp -- anywhere anywhere udp dpt:domain redir ports 53
REDIRECT tcp -- anywhere anywhere tcp dpt:www redir ports 8082
Chain luci_splash_prerouting (0 references)
target prot opt source destination
RETURN all -- anywhere lvps176-28-11-93.dedicated.hosteurope.de
luci_splash_leases all -- anywhere anywhere
Chain postrouting_lan_rule (1 references)
target prot opt source destination
Chain postrouting_rule (1 references)
target prot opt source destination
Chain postrouting_wan_rule (1 references)
target prot opt source destination
Chain prerouting_lan_rule (1 references)
target prot opt source destination
Chain prerouting_rule (1 references)
target prot opt source destination
Chain prerouting_wan_rule (1 references)
target prot opt source destination
Chain zone_lan_postrouting (1 references)
target prot opt source destination
postrouting_lan_rule all -- anywhere anywhere /* user chain for postrouting */
Chain zone_lan_prerouting (1 references)
target prot opt source destination
prerouting_lan_rule all -- anywhere anywhere /* user chain for prerouting */
Chain zone_wan_postrouting (1 references)
target prot opt source destination
postrouting_wan_rule all -- anywhere anywhere /* user chain for postrouting */
MASQUERADE all -- anywhere anywhere
Chain zone_wan_prerouting (1 references)
target prot opt source destination
MINIUPNPD all -- anywhere anywhere
prerouting_wan_rule all -- anywhere anywhere /* user chain for prerouting */
root@OpenWrt:~#

復(fù)制代碼

文庫(kù)|博客

Apache官方強(qiáng)心劑：開(kāi)源不受出口管理?xiàng)l例約束！
Linux基礎(chǔ)命令---lynx瀏覽器
Dell R740服務(wù)器設(shè)置磁盤直通,不做RAID虛擬磁盤陣列
Linux基礎(chǔ)命令---elinks文本瀏覽器
Linux基礎(chǔ)命令---wget下載工具

pheyx

白手起家

論壇徽章:: 0

2樓 [報(bào)告]

發(fā)表于 2014-10-23 20:52 |只看該作者

可能和那幾條miniupnpd的規(guī)則有關(guān)

實(shí)戰(zhàn)分享：從技術(shù)角度談機(jī)器學(xué)習(xí)入門| 【大話IT】RadonDB低門檻向MySQL集群下戰(zhàn)書(shū) | ChinaUnix打賞功能已上線！ | 新一代分布式關(guān)系型數(shù)據(jù)庫(kù)RadonDB知多少？

yestreenstars

富甲一方

論壇徽章:: 32

程序設(shè)計(jì)版塊每日發(fā)帖之星
日期:2015-06-16 22:20:00

3樓 [報(bào)告]

發(fā)表于 2014-10-24 13:43 |只看該作者

好復(fù)雜的iptables，看起來(lái)好費(fèi)勁~{:3_201:}

阿鸞44

白手起家

論壇徽章:: 0

4樓 [報(bào)告]

發(fā)表于 2014-10-24 16:25 |只看該作者

回復(fù) 2# pheyx

謝謝你的回答！MINIUPNPD那些規(guī)則是我自己不知怎么配進(jìn)去的，重啟后沒(méi)了，但上面的一樣存在

阿鸞44

白手起家

論壇徽章:: 0

5樓 [報(bào)告]

發(fā)表于 2014-10-24 16:30 |只看該作者

回復(fù) 3# yestreenstars

可以這么看：其實(shí)就是3個(gè)表：filter（默認(rèn)）、mangle、nat，我以大量換行分開(kāi)了，然后是5個(gè)基本鏈，PREROUTING、INPUT、FORWARD、OUTPUT、POSTROUTING，后面亂七八糟的是自定義鏈，自定義鏈通過(guò)上面5條基本鏈跳轉(zhuǎn)過(guò)去，比如說(shuō)：INPUT的某條規(guī)則的target是MINIUPNPD，那么就跳到MINIUPNPD鏈執(zhí)行規(guī)則，像函數(shù)調(diào)用一樣

阿鸞44

白手起家

論壇徽章:: 0

6樓 [報(bào)告]

發(fā)表于 2014-10-27 18:35 |只看該作者

回復(fù) 3# yestreenstars

問(wèn)題已解決，如果有興趣可以看我的博客。

http://blog.chinaunix.net/uid-29690780-id-4578554.html

yestreenstars

富甲一方

論壇徽章:: 32

7樓 [報(bào)告]

發(fā)表于 2014-10-28 08:59 |只看該作者

回復(fù) 6# 阿鸞44

好的~{:3_193:}

返回列表

Chinaunix › 論壇 › 操作系統(tǒng) › Linux系統(tǒng)管理 › iptables無(wú)法過(guò)濾

亚洲av成人无遮挡网站在线观看,少妇性bbb搡bbb爽爽爽,亚洲av日韩精品久久久久久,兔费看少妇性l交大片免费,无码少妇一区二区三区

[系統(tǒng)安全] iptables無(wú)法過(guò)濾 [復(fù)制鏈接]