iptables -A FORWARD -s 192.168.20.7 -d 10.10.48.3 -p tcp --dport 25 -o eth1 -j ACCEPT
iptables -A FORWARD -s 10.10.48.3 -d 192.168.20.7 -p tcp --sport 25 -i eth1 -j ACCEPT
在调整我组织的防火墙时,我发现这两行让我感到困惑。该接口连接到 10.10.xx 网络,因此...分别放置和 已隐含的和ifeth1是否有意义?-o eth1-i eth1-d 10.10.48.3-s 10.10.48.3
答案1
根据手册页,iptables我也倾向于同意您的评估。
[!] -i, --in-interface name
Name of an interface via which a packet was received (only for
packets entering the INPUT, FORWARD and PREROUTING chains). When
the "!" argument is used before the interface name, the sense is
inverted. If the interface name ends in a "+", then any
interface which begins with this name will match. If this option
is omitted, any interface name will match.
[!] -o, --out-interface name
Name of an interface via which a packet is going to be sent (for
packets entering the FORWARD, OUTPUT and POSTROUTING chains). When
the "!" argument is used before the interface name, the sense is
inverted. If the interface name ends in a "+", then any interface
which begins with this name will match. If this option is omitted,
any interface name will match.
这些描述中的最后一句话确实是唯一值得关注的点。如果盒子上还有其他接口,则此规则可以允许流量使用它,并省略-o或-i选项。这一切都假设路由等的设置允许这种情况发生。