我热衷于在我的过滤器链之一中结合addrtype使用,像这样删除一些 bogon ip:-src
-A INPUT -p tcp --dport 80 -m addrtype --src-type UNICAST ! -s 127.0.0.0/8 -j WEB
手册页显示以下内容
地址类型
该模块根据数据包的地址类型来匹配数据包。地址类型在内核网络堆栈中使用,并将地址分为不同的组。该组的确切定义取决于特定的第三层协议。可能有以下地址类型:
- UNSPEC 未指定的地址(即 0.0.0.0)
- UNICAST 单播地址
- LOCAL 本地地址
- BROADCAST 广播地址
- ANYCAST 任播数据包
- MULTICAST 多播地址
- BLACKHOLE 黑洞地址
- UNREACHABLE 无法到达的地址
- PROHIBIT 禁止地址
- 抛出修复我
- NAT 修复
- 解决方案
目前尚不清楚确切的定义是什么,并表示这取决于特定的第 3 层协议。我是这样认为的:
- 单播(!广播、!组播、!ANYCAST)
- 当地的 (
127.0.0.0/8) - 播送 (
*.*.*.255) - 任播 (
*.*.*.*) - 组播 (
224.0.0.0/4)
有谁清楚这意味着什么以及 iptables 是如何实现的(例如,它如何知道黑洞到底在哪里)?
答案1
我认为这取决于你让内核知道哪个是黑洞地址类型。
从xt_addrtype.h在iptables源码中查看文件,可以看到:
/* rtn_type enum values from rtnetlink.h, but shifted */
enum {
XT_ADDRTYPE_UNSPEC = 1 << 0,
XT_ADDRTYPE_UNICAST = 1 << 1, /* 1 << RTN_UNICAST */
XT_ADDRTYPE_LOCAL = 1 << 2, /* 1 << RTN_LOCAL, etc */
XT_ADDRTYPE_BROADCAST = 1 << 3,
XT_ADDRTYPE_ANYCAST = 1 << 4,
XT_ADDRTYPE_MULTICAST = 1 << 5,
XT_ADDRTYPE_BLACKHOLE = 1 << 6,
XT_ADDRTYPE_UNREACHABLE = 1 << 7,
XT_ADDRTYPE_PROHIBIT = 1 << 8,
XT_ADDRTYPE_THROW = 1 << 9,
XT_ADDRTYPE_NAT = 1 << 10,
XT_ADDRTYPE_XRESOLVE = 1 << 11,
};
在 中rtnetlink.h,您将看到相同的定义:
enum {
RTN_UNSPEC,
RTN_UNICAST, /* Gateway or direct route */
RTN_LOCAL, /* Accept locally */
RTN_BROADCAST, /* Accept locally as broadcast,
send as broadcast */
RTN_ANYCAST, /* Accept locally as broadcast,
but send as unicast */
RTN_MULTICAST, /* Multicast route */
RTN_BLACKHOLE, /* Drop */
RTN_UNREACHABLE, /* Destination is unreachable */
RTN_PROHIBIT, /* Administratively prohibited */
RTN_THROW, /* Not in this table */
RTN_NAT, /* Translate this address */
RTN_XRESOLVE, /* Use external resolver */
__RTN_MAX
};
您可以看到iptables与内核 tcp 网络堆栈使用相同的地址类型定义。
然后从man ip:
Route types:
unicast - the route entry describes real paths to the destinations covered by the route prefix.
unreachable - these destinations are unreachable. Packets are discarded and the ICMP message host unreachable is generated.
The local senders get an EHOSTUNREACH error.
blackhole - these destinations are unreachable. Packets are discarded silently. The local senders get an EINVAL error.
prohibit - these destinations are unreachable. Packets are discarded and the ICMP message communication administratively
prohibited is generated. The local senders get an EACCES error.
local - the destinations are assigned to this host. The packets are looped back and delivered locally.
broadcast - the destinations are broadcast addresses. The packets are sent as link broadcasts.
throw - a special control route used together with policy rules. If such a route is selected, lookup in this table is termi‐
nated pretending that no route was found. Without policy routing it is equivalent to the absence of the route in the routing
table. The packets are dropped and the ICMP message net unreachable is generated. The local senders get an ENETUNREACH
error.
nat - a special NAT route. Destinations covered by the prefix are considered to be dummy (or external) addresses which
require translation to real (or internal) ones before forwarding. The addresses to translate to are selected with the
attribute Warning: Route NAT is no longer supported in Linux 2.6.
via.
anycast - not implemented the destinations are anycast addresses assigned to this host. They are mainly equivalent to local
with one difference: such addresses are invalid when used as the source address of any packet.
multicast - a special type used for multicast routing. It is not present in normal routing tables.
因此,当您通过命令定义到网络的路由ip并将其标记为黑洞路由时,内核现在将此网络地址设为黑洞类型:
ip route add blackhole X.X.X.X/24