Why does my router reject packets forwarded to itself?


The first rule in the FORWARD chain is interesting to me. If the policy is DROP, why is this rule necessary?

root@tomato:/tmp/home/root# iptables -L --line-numbers
Chain INPUT (policy DROP)
num  target     prot opt source               destination
1    REJECT     tcp  --  anywhere             tomato               multiport dports www,https,ssh reject-with tcp-reset
2    REJECT     tcp  --  anywhere             tomato-lan1          multiport dports www,https,ssh reject-with tcp-reset
3    DROP       all  --  anywhere             anywhere             state INVALID
4    ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
5    shlimit    tcp  --  anywhere             anywhere             tcp dpt:ssh state NEW
6    ACCEPT     all  --  anywhere             anywhere
7    ACCEPT     all  --  anywhere             anywhere
8    ACCEPT     all  --  anywhere             anywhere

Chain FORWARD (policy DROP)
num  target     prot opt source               destination
1    REJECT     tcp  --  anywhere             tomato               multiport dports www,https,ssh reject-with tcp-reset
2    REJECT     tcp  --  anywhere             tomato-lan1          multiport dports www,https,ssh reject-with tcp-reset
3    ACCEPT     all  --  anywhere             anywhere
4    ACCEPT     all  --  anywhere             anywhere
5    DROP       all  --  anywhere             anywhere             state INVALID
6    ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
7    DROP       all  --  anywhere             anywhere
8    DROP       all  --  anywhere             anywhere
9    wanin      all  --  anywhere             anywhere
10   wanout     all  --  anywhere             anywhere
11   ACCEPT     all  --  anywhere             anywhere
12   ACCEPT     all  --  anywhere             anywhere

Chain OUTPUT (policy ACCEPT)
num  target     prot opt source               destination

Chain shlimit (1 references)
num  target     prot opt source               destination
1               all  --  anywhere             anywhere             recent: SET name: shlimit side: source
2    DROP       all  --  anywhere             anywhere             recent: UPDATE seconds: 60 hit_count: 4 name: shlimit side: source

Chain wanin (1 references)
num  target     prot opt source               destination
1    ACCEPT     tcp  --  anywhere             oldtimer             tcp dpt:3300

Chain wanout (1 references)
num  target     prot opt source               destination

Answer 1

1) The rules were generated automatically by some program working from a higher-level description. Don't assume a rule is "necessary" just because it appears there.

2) Even when a rule is not strictly necessary, including it to explicitly state that something is not allowed is good practice.

3) That said, the rule may actually be needed, namely if some other rule would accept the packet before the end of the table is reached and the default DROP policy applied.

In particular, rules 11 and 12 in the FORWARD chain look identical and appear to accept everything (so they probably have attributes that aren't listed; try -S instead of -L). If that is really so, it is the same as a default policy of ACCEPT, so you must explicitly drop everything you want dropped.
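The point of the answer (first matching rule wins, the chain policy only applies when nothing matches, and `iptables -L` hides interface matches) can be seen in a small model of chain evaluation. This is an added example, not code from the question or the answer; the interface names `br0`/`vlan2` and the assumption that the "ACCEPT all anywhere anywhere" rules carry hidden `-i`/`-o` matches are constructed for illustration.

```python
"""Added example (not from the original question or answer): a minimal model of
iptables first-match chain evaluation, used to show why an explicit REJECT
near the top of FORWARD matters even though the chain policy is DROP.

All interface names and the hidden -i/-o matches on the ACCEPT rules are
assumptions; `iptables -L` does not print interface matches (use `-S`).
"""
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass
class Packet:
    proto: str            # "tcp", "udp", ...
    dst: str              # destination host/address
    dport: Optional[int]  # destination port, None for non-TCP/UDP
    in_if: str            # ingress interface
    out_if: str           # egress interface
    state: str            # conntrack state: NEW, ESTABLISHED, RELATED, INVALID


@dataclass
class Rule:
    target: str
    proto: str = "all"
    dst: Optional[str] = None
    dports: Tuple[int, ...] = ()
    in_if: Optional[str] = None   # hidden by `iptables -L`
    out_if: Optional[str] = None  # hidden by `iptables -L`
    states: Tuple[str, ...] = ()

    def matches(self, pkt: Packet) -> bool:
        """Every specified match must hold; unspecified fields match anything."""
        if self.proto != "all" and self.proto != pkt.proto:
            return False
        if self.dst is not None and self.dst != pkt.dst:
            return False
        if self.dports and pkt.dport not in self.dports:
            return False
        if self.in_if is not None and self.in_if != pkt.in_if:
            return False
        if self.out_if is not None and self.out_if != pkt.out_if:
            return False
        if self.states and pkt.state not in self.states:
            return False
        return True


def evaluate(chain, policy: str, pkt: Packet):
    """Walk the chain top to bottom; the first matching rule decides.

    Returns (verdict, 1-based rule number) or (policy, None) when no rule
    matched, which is the only case in which the chain policy applies.
    """
    for num, rule in enumerate(chain, start=1):
        if rule.matches(pkt):
            return rule.target, num
    return policy, None


ROUTER = "tomato"  # the router's own hostname as printed on the page

# Constructed, abridged model of the page's FORWARD chain. The -i/-o matches
# are assumptions standing in for attributes that `-L` would not show.
FORWARD = [
    Rule("REJECT", proto="tcp", dst=ROUTER, dports=(80, 443, 22)),  # like rule 1
    Rule("ACCEPT", in_if="br0", out_if="br0"),                      # assumed LAN->LAN accept
    Rule("DROP", states=("INVALID",)),                              # like rule 5
    Rule("ACCEPT", states=("RELATED", "ESTABLISHED")),              # like rule 6
    Rule("ACCEPT", in_if="br0", out_if="vlan2"),                    # assumed LAN->WAN accept
]


def compare_with_and_without_first_rule(pkt: Packet):
    """Show the verdict for `pkt` with the REJECT rule present and removed."""
    with_rule = evaluate(FORWARD, "DROP", pkt)
    without_rule = evaluate(FORWARD[1:], "DROP", pkt)
    return with_rule, without_rule


if __name__ == "__main__":
    # Constructed packet: a LAN host trying to reach the router's web UI.
    lan_to_router = Packet("tcp", ROUTER, 80, "br0", "br0", "NEW")
    print(compare_with_and_without_first_rule(lan_to_router))
    # Constructed packet: unsolicited WAN connection; no rule matches, policy applies.
    wan_new = Packet("tcp", "192.168.1.10", 3389, "vlan2", "br0", "NEW")
    print(evaluate(FORWARD, "DROP", wan_new))
```

With the REJECT rule present, the LAN-to-router packet is rejected at rule 1; remove it and the same packet is accepted by the broad LAN-to-LAN rule, so the DROP policy never runs. Only the unsolicited WAN packet falls through to the policy, which is why the answer recommends `-S` to see what the "ACCEPT all anywhere anywhere" lines really match.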
