FORWARD 链中的第一条规则对我来说很有趣。如果政策要放弃,为什么这是一条必要的规则?
root@tomato:/tmp/home/root# iptables -L --line-numbers
Chain INPUT (policy DROP)
num target prot opt source destination
1 REJECT tcp -- anywhere tomato multiport dports www,https,ssh reject-with tcp-reset
2 REJECT tcp -- anywhere tomato-lan1 multiport dports www,https,ssh reject-with tcp-reset
3 DROP all -- anywhere anywhere state INVALID
4 ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
5 shlimit tcp -- anywhere anywhere tcp dpt:ssh state NEW
6 ACCEPT all -- anywhere anywhere
7 ACCEPT all -- anywhere anywhere
8 ACCEPT all -- anywhere anywhere
Chain FORWARD (policy DROP)
num target prot opt source destination
1 REJECT tcp -- anywhere tomato multiport dports www,https,ssh reject-with tcp-reset
2 REJECT tcp -- anywhere tomato-lan1 multiport dports www,https,ssh reject-with tcp-reset
3 ACCEPT all -- anywhere anywhere
4 ACCEPT all -- anywhere anywhere
5 DROP all -- anywhere anywhere state INVALID
6 ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
7 DROP all -- anywhere anywhere
8 DROP all -- anywhere anywhere
9 wanin all -- anywhere anywhere
10 wanout all -- anywhere anywhere
11 ACCEPT all -- anywhere anywhere
12 ACCEPT all -- anywhere anywhere
Chain OUTPUT (policy ACCEPT)
num target prot opt source destination
Chain shlimit (1 references)
num target prot opt source destination
1 all -- anywhere anywhere recent: SET name: shlimit side: source
2 DROP all -- anywhere anywhere recent: UPDATE seconds: 60 hit_count: 4 name: shlimit side: source
Chain wanin (1 references)
num target prot opt source destination
1 ACCEPT tcp -- anywhere oldtimer tcp dpt:3300
Chain wanout (1 references)
num target prot opt source destination
答案1
1)规则是由一些采用更高级别描述的程序自动生成的。不要仅仅因为规则出现在那里就假设它是“必要的”。
2) 即使规则不是绝对必要的,包含它、明确声明某些内容是不允许的也是一种很好的做法。
3) 也就是说,实际上可能需要包含此规则,即如果在到达表末尾之前有其他规则会接受数据包并且应用默认 DROP 策略。
特别是,FORWARD 链中的规则 11 和 12 看起来相同,并且似乎接受所有内容(因此它们可能具有未列出的属性;尝试-S代替-L),如果确实如此,则与默认策略相同接受,所以你必须明确地放弃所有你想放弃的东西。