Why are packets rejected even though an earlier rule accepts all packets?

Lately I've just been reading up on iptables. I'm a bit confused, because the INPUT chain of the filter table (as installed, Fedora 17) looks like this:

target     prot opt source               destination         
ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
ACCEPT     icmp --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere            
ACCEPT     udp  --  anywhere             224.0.0.251          state NEW udp dpt:mdns
REJECT     all  --  anywhere             anywhere             reject-with icmp-host-prohibited

From what I've read, the third rule should simply accept anything, but that isn't the case (I had to disable iptables to allow access to sshd or an https server). All the other chains in all the other tables are policy ACCEPT with no rules, except filter FORWARD, which rejects everything.

So what exactly does ACCEPT do?

iptables -v -L

Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
36625   38M ACCEPT     all  --  any    any     anywhere             anywhere             state RELATED,ESTABLISHED
    0     0 ACCEPT     icmp --  any    any     anywhere             anywhere            
    1    60 ACCEPT     all  --  lo     any     anywhere             anywhere            
    0     0 ACCEPT     udp  --  any    any     anywhere             224.0.0.251          state NEW udp dpt:mdns
  534 73926 REJECT     all  --  any    any     anywhere             anywhere             reject-with icmp-host-prohibited

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 REJECT     all  --  any    any     anywhere             anywhere             reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT 31484 packets, 3973K bytes)
 pkts bytes target     prot opt in     out     source               destination

So this means to me that the third rule actually only applies to the loopback interface? [yes]

Answer 1

The ACCEPT target is a terminating target that allows the packet to pass through NetFilter. REJECT is a terminating target that effectively forbids the packet from passing and causes an ICMP response to be sent back to the packet's originator. If you list the table with the "iptables -v -L" command, the third rule in your example will most likely look like this:

Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
  639  304K ACCEPT     all  --  any    any     anywhere             anywhere             state RELATED,ESTABLISHED
    0     0 ACCEPT     icmp --  any    any     anywhere             anywhere            
  101  7798 ACCEPT     all  --  lo     any     anywhere             anywhere            

The in column holds the interface the rule matches on. For the third rule it is the lo interface, so that rule allows any traffic on the loopback interface, which is correct, since otherwise you wouldn't be able to reach any local TCP or UDP service through the localhost address.
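The answer above explains the mechanism; the following is an added example, not code from the original question or answer and not iptables itself. It parses the INPUT chain exactly as "iptables -v -L" printed it in the question (embedded as a constructed sample) and walks a hypothetical packet through the rules top to bottom, the way netfilter evaluates a chain: the first rule whose match clauses all apply decides the verdict, and the chain policy applies only if nothing matched. The packet descriptions and the eth0 interface name are assumptions for illustration; port names are compared as the service names iptables prints without -n.

```python
"""Simulate first-match evaluation of an iptables INPUT chain listing.

Added example for illustration only: this is not iptables and is not part
of the original post. It reads the "iptables -v -L" text shown in the
question and walks a packet through it so the effect of the `in` column
(interface restriction) becomes visible.
"""
import re

# Constructed sample: the INPUT chain as "iptables -v -L" printed it in the
# question. Counters are parsed past and otherwise ignored.
LISTING = """\
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
36625   38M ACCEPT     all  --  any    any     anywhere             anywhere             state RELATED,ESTABLISHED
    0     0 ACCEPT     icmp --  any    any     anywhere             anywhere
    1    60 ACCEPT     all  --  lo     any     anywhere             anywhere
    0     0 ACCEPT     udp  --  any    any     anywhere             224.0.0.251          state NEW udp dpt:mdns
  534 73926 REJECT     all  --  any    any     anywhere             anywhere             reject-with icmp-host-prohibited
"""


def parse_chain(listing):
    """Return (policy, rules) for one chain of "iptables -v -L" output.

    Each rule is a dict holding the columns the simulation needs; state and
    dport come from the trailing match options when present."""
    lines = listing.strip().splitlines()
    policy = re.search(r"\(policy (\w+)", lines[0]).group(1)
    rules = []
    for line in lines[2:]:          # skip the chain header and column header
        f = line.split()
        # columns: pkts bytes target prot opt in out source destination [matches...]
        rule = {
            "target": f[2], "prot": f[3], "in": f[5], "out": f[6],
            "src": f[7], "dst": f[8], "state": None, "dport": None,
        }
        extra = f[9:]
        for i, tok in enumerate(extra):
            if tok == "state":
                rule["state"] = set(extra[i + 1].split(","))
            if tok.startswith("dpt:"):
                rule["dport"] = tok[len("dpt:"):]
        rules.append(rule)
    return policy, rules


def matches(rule, pkt):
    """True when every match clause present in the rule applies to the packet."""
    if rule["prot"] != "all" and rule["prot"] != pkt.get("prot"):
        return False
    if rule["in"] != "any" and rule["in"] != pkt.get("in"):
        return False
    if rule["dst"] != "anywhere" and rule["dst"] != pkt.get("dst"):
        return False
    if rule["state"] is not None and pkt.get("state") not in rule["state"]:
        return False
    if rule["dport"] is not None and rule["dport"] != pkt.get("dport"):
        return False
    return True


def verdict(listing, pkt):
    """Walk the chain in order; the first matching (terminating) rule wins.

    Returns (rule_number, target); rule_number 0 means the chain policy."""
    policy, rules = parse_chain(listing)
    for n, rule in enumerate(rules, 1):
        if matches(rule, pkt):
            return n, rule["target"]
    return 0, policy


if __name__ == "__main__":
    # Assumed packets: a new SSH connection arriving on eth0 vs. on lo,
    # and a reply packet of an already established connection.
    samples = {
        "NEW ssh via eth0":        {"prot": "tcp", "in": "eth0", "dst": "192.0.2.10", "state": "NEW", "dport": "ssh"},
        "NEW ssh via lo":          {"prot": "tcp", "in": "lo", "dst": "127.0.0.1", "state": "NEW", "dport": "ssh"},
        "ESTABLISHED tcp via eth0": {"prot": "tcp", "in": "eth0", "dst": "192.0.2.10", "state": "ESTABLISHED"},
    }
    for name, pkt in samples.items():
        print(name, "->", verdict(LISTING, pkt))
```

Run stand-alone it reports rule 5 (REJECT) for the new SSH packet arriving on eth0 and rule 3 (ACCEPT) for the identical packet on lo, which is the asymmetry the question observed. Because evaluation stops at the first match, an accept rule for sshd or https on this rule-set has to be inserted above the REJECT, for example with "iptables -I INPUT 5 -p tcp -m state --state NEW --dport 22 -j ACCEPT"; "iptables -v -L --line-numbers" shows the positions to insert at.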
