I want to block ICMP and restrict SSH and HTTPD traffic to eth0. My original iptables looks like this:
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 443 -j ACCEPT
# Start Custom Rules
-A INPUT -p tcp --dport 6000 -j ACCEPT -m comment --comment "New application"
# End Custom Rules
-A INPUT -j DROP
-A FORWARD -j DROP
COMMIT
*mangle
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -p tcp --sport 22 -j MARK --set-mark 0x2
-A POSTROUTING -p tcp --sport 443 -j MARK --set-mark 0x2
COMMIT
I changed the rule from "ACCEPT" to "DROP" to drop ICMP traffic:
-A INPUT -p icmp -j DROP (this works fine)
Then I modified the SSH rule
-I INPUT 3 -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
to include -i eth0 to limit SSH connections to eth0 only.
But it does not block SSH connections on the other interfaces.
I have changed the iptables to the following, but it is accepting SSH connections on all interfaces:
Chain INPUT (policy DROP)
target prot opt source destination
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT all -- anywhere anywhere
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:ssh
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:https
ACCEPT tcp -- anywhere anywhere tcp dpt:6000 /*New Application */
DROP all -- anywhere anywhere
DROP icmp -- anywhere anywhere
Chain FORWARD (policy DROP)
target prot opt source destination
DROP all -- anywhere anywhere
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
[root@CentoOS]# iptables -S
-P INPUT DROP
-P FORWARD DROP
-P OUTPUT ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -i eth0 -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 443 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 6000 -m comment --comment "New Application" -j ACCEPT
-A INPUT -j DROP
-A INPUT -p icmp -j DROP
-A FORWARD -j DROP
Can someone tell me what is wrong with the rules, and how to restrict the traffic to eth0? I am new to iptables, so any help would be appreciated.
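As an added example that is not part of the original post, the following Python script replays the poster's `iptables -S` listing the way the INPUT chain evaluates it: top to bottom, first matching terminal rule wins, chain policy otherwise. The rule text is copied verbatim from the listing above; the packets (`incoming(...)` calls), the helper names and the restriction to the matches the listing actually uses (`-i`, `-p`, `--dport`, `-m state --state`) are assumptions of this example. It shows which rule number decides each case, and flags the `-p icmp -j DROP` rule that sits after the unconditional `-j DROP` and can never fire.

```python
"""Simulate first-match evaluation of an iptables chain (added example).

RULES_S is the poster's ``iptables -S`` output copied verbatim; the packets
fed to incoming() are constructed. Only -i, -p, --dport and --state are
modelled; any other option raises so nothing is silently ignored.
"""
import shlex

TERMINAL = {"ACCEPT", "DROP", "REJECT"}          # targets that end evaluation
CRITERIA = ("iface", "proto", "dport", "states")  # match criteria modelled here

RULES_S = """\
-P INPUT DROP
-P FORWARD DROP
-P OUTPUT ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -i eth0 -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 443 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 6000 -m comment --comment "New Application" -j ACCEPT
-A INPUT -j DROP
-A INPUT -p icmp -j DROP
-A FORWARD -j DROP
"""

def parse_rules(text):
    """Return (policies, rules); each rule is a dict of criteria plus chain/target."""
    policies, rules = {}, []
    for line in text.splitlines():
        toks = shlex.split(line)          # shlex keeps the quoted comment as one token
        if not toks:
            continue
        if toks[0] == "-P":               # chain policy: used when no rule matches
            policies[toks[1]] = toks[2]
            continue
        if toks[0] != "-A":
            continue
        rule = dict(dict.fromkeys(CRITERIA), chain=toks[1], target=None)
        i = 2
        while i < len(toks):
            tok, arg = toks[i], (toks[i + 1] if i + 1 < len(toks) else None)
            if tok == "-i":
                rule["iface"] = arg
            elif tok == "-p":
                rule["proto"] = arg
            elif tok == "--dport":
                rule["dport"] = int(arg)
            elif tok == "--state":
                rule["states"] = set(arg.split(","))
            elif tok == "-j":
                rule["target"] = arg
            elif tok not in ("-m", "--comment"):  # module loader / comment text: no criterion
                raise ValueError("unsupported option %s in: %s" % (tok, line))
            i += 2                        # every option handled above takes one argument
        rules.append(rule)
    return policies, rules

def matches(rule, pkt):
    """A rule matches when every criterion it specifies agrees with the packet."""
    return all(rule[k] is None or
               (pkt["state"] in rule[k] if k == "states" else rule[k] == pkt.get(k))
               for k in CRITERIA)

def verdict(policies, rules, chain, pkt):
    """Walk the chain top to bottom; the first matching terminal rule decides.

    Returns (target, rule number as --line-numbers shows it) or (policy, None).
    """
    chain_rules = [r for r in rules if r["chain"] == chain]
    for n, rule in enumerate(chain_rules, 1):
        if rule["target"] in TERMINAL and matches(rule, pkt):
            return rule["target"], n
    return policies[chain], None

def unreachable_rules(rules, chain):
    """Rule numbers that can never fire: everything after a terminal rule with no criteria."""
    chain_rules = [r for r in rules if r["chain"] == chain]
    for n, rule in enumerate(chain_rules, 1):
        if rule["target"] in TERMINAL and all(rule[k] is None for k in CRITERIA):
            return list(range(n + 1, len(chain_rules) + 1))
    return []

POLICIES, RULES = parse_rules(RULES_S)

def incoming(iface, proto, dport=None, state="NEW"):
    """Verdict for one constructed packet arriving on the INPUT chain."""
    pkt = {"iface": iface, "proto": proto, "dport": dport, "state": state}
    return verdict(POLICIES, RULES, "INPUT", pkt)

if __name__ == "__main__":
    cases = [("new SSH on eth0", ("eth0", "tcp", 22)),
             ("new SSH on eth1", ("eth1", "tcp", 22)),
             ("SSH session already open on eth1", ("eth1", "tcp", 22, "ESTABLISHED")),
             ("new HTTPS on eth1", ("eth1", "tcp", 443)),
             ("ping on eth0", ("eth0", "icmp"))]
    for label, args in cases:
        print("%-34s -> %s (rule %s)" % ((label,) + incoming(*args)))
    print("unreachable INPUT rules:", unreachable_rules(RULES, "INPUT"))
```

Two practical caveats the simulation makes visible. First, a session that was already open before the rules were reloaded keeps matching the `RELATED,ESTABLISHED` rule in position 1, so testing with an existing SSH session on another interface will look like the `-i eth0` restriction is not working; test with a fresh connection. Second, `iptables -L` without `-v` does not print the in/out interface columns at all, so that listing cannot show whether `-i eth0` is present on a rule; use `iptables -L -v -n --line-numbers` or `iptables -S` instead. The HTTPS rule in position 4 still carries no `-i`, so it accepts new connections on every interface.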