Linux

iptables 阻止網路範圍

  • May 1, 2015

我正在嘗試通過REJECT網路進行網路連接iptables(8),無論出於何種原因,它都沒有這樣做:

# cat /etc/redhat-release 
Red Hat Enterprise Linux Server release 6.6 (Santiago)
# uname -a
Linux X 2.6.32-504.16.2.el6.x86_64 #1 SMP Tue Mar 10 17:01:00 EDT 2015 x86_64 x86_64 x86_64 GNU/Linux
# rpm -q iptables
iptables-1.4.7-14.el6.x86_64
# service iptables restart
iptables: Setting chains to policy ACCEPT: filter          [  OK  ]
iptables: Flushing firewall rules:                         [  OK  ]
iptables: Unloading modules:                               [  OK  ]
iptables: Applying firewall rules:                         [  OK  ]
iptables: Loading additional modules: nf_conntrack_ftp     [  OK  ]
# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED 
ACCEPT     icmp --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere            
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:ssh 
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:http 
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:ftp 
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:nfs 
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:https 
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:memcache 
ACCEPT     udp  --  anywhere             anywhere            state NEW udp dpt:memcache 
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:5666 
ACCEPT     udp  --  anywhere             anywhere            state NEW udp dpt:snmp 
REJECT     all  --  anywhere             anywhere            reject-with icmp-host-prohibited 

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         
REJECT     all  --  anywhere             anywhere            reject-with icmp-host-prohibited 

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         
# iptables -A INPUT -s 172.16.0.0/16 -j REJECT
# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED 
ACCEPT     icmp --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere            
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:ssh 
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:http 
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:ftp 
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:nfs 
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:https 
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:memcache 
ACCEPT     udp  --  anywhere             anywhere            state NEW udp dpt:memcache 
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:5666 
ACCEPT     udp  --  anywhere             anywhere            state NEW udp dpt:snmp 
REJECT     all  --  anywhere             anywhere            reject-with icmp-host-prohibited 
REJECT     all  --  172.16.0.0/16        anywhere            reject-with icmp-port-unreachable 

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         
REJECT     all  --  anywhere             anywhere            reject-with icmp-host-prohibited 

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         
# 

我究竟做錯了什麼?

IPtables 從上到下在列表中應用規則。如果拒絕之前有允許規則,則允許規則優先。

要阻止網路範圍,需要將其添加到 IPTables 規則的開頭。

iptables -I INPUT 1 -s 172.16.0.0/16 -j REJECT

將為網路 172.16.0.0/16 插入拒絕規則作為 IPtables 中的第一行。

IPTABLES的好方法。

引用自:https://serverfault.com/questions/687004