As we can see from this, it is the default iptables on Fedora 20:
$ iptables -L INPUT --line-number
Chain INPUT (policy ACCEPT)
num target prot opt source destination
1 ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED
2 ACCEPT all -- anywhere anywhere
3 INPUT_direct all -- anywhere anywhere
4 INPUT_ZONES_SOURCE all -- anywhere anywhere
5 INPUT_ZONES all -- anywhere anywhere
6 ACCEPT icmp -- anywhere anywhere
7 REJECT all -- anywhere anywhere reject-with icmp-host-prohibited
For rule 2, why does it accept all destinations?

Answer 1

We can see:
# iptables -S INPUT
-P INPUT ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -j INPUT_direct
-A INPUT -j INPUT_ZONES_SOURCE
-A INPUT -j INPUT_ZONES
-A INPUT -p icmp -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
"-A INPUT -i lo -j ACCEPT" is the point: iptables -L leaves out the lo information.
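As an added illustration (not part of the question or the answer above), the script below parses rule-syntax output in the shape of `iptables -S INPUT` and prints the interface column that the plain `iptables -L` listing hides. The rule listing is embedded as a constructed string copied from the answer's output, so it runs offline without touching a real firewall; a practitioner would replace it with the live output of `iptables -S INPUT`.

```shell
#!/bin/sh
# Constructed input: the `iptables -S INPUT` listing from the answer above.
# On a real host this would be: RULES=$(iptables -S INPUT)
RULES='-P INPUT ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -j INPUT_direct
-A INPUT -j INPUT_ZONES_SOURCE
-A INPUT -j INPUT_ZONES
-A INPUT -p icmp -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited'

# list_rules: print "num in-iface target" for every -A rule, numbered the way
# --line-number does. "*" marks a rule with no input-interface match, which is
# also what `iptables -L -v` prints in its "in" column.
list_rules() {
    printf '%s\n' "$RULES" | awk '
        /^-A / {
            n++; iface = "*"; target = "?"
            for (i = 1; i <= NF; i++) {
                if ($i == "-i" || $i == "--in-interface") iface = $(i + 1)
                if ($i == "-j") target = $(i + 1)
            }
            print n, iface, target
        }'
}

# rule_iface N: the input interface the N-th rule is restricted to ("*" if none).
rule_iface() {
    list_rules | awk -v n="$1" '$1 == n { print $2 }'
}

# rule_count: number of -A rules in the chain.
rule_count() {
    list_rules | awk 'END { print NR }'
}

# Stand-alone run: rule 2 shows up as "2 lo ACCEPT", i.e. loopback only,
# even though `iptables -L` without -v displays it as "ACCEPT all anywhere anywhere".
list_rules
```

Comparing this output with the `iptables -L --line-number` listing in the question makes the discrepancy visible: rule 2 is restricted to `lo`, so it is not an accept-everything hole. The same check is worth running on any chain before concluding from a bare `-L` listing that a rule is over-permissive; `iptables -L -v` or `iptables -S` shows the interface match directly.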