Linux

iptables: blocking a network range
I am trying to REJECT network connections from a network with iptables(8), and for whatever reason it is not doing so:

    # cat /etc/redhat-release
    Red Hat Enterprise Linux Server release 6.6 (Santiago)
    # uname -a
    Linux X 2.6.32-504.16.2.el6.x86_64 #1 SMP Tue Mar 10 17:01:00 EDT 2015 x86_64 x86_64 x86_64 GNU/Linux
    # rpm -q iptables
    iptables-1.4.7-14.el6.x86_64
    # service iptables restart
    iptables: Setting chains to policy ACCEPT: filter          [  OK  ]
    iptables: Flushing firewall rules:                         [  OK  ]
    iptables: Unloading modules:                               [  OK  ]
    iptables: Applying firewall rules:                         [  OK  ]
    iptables: Loading additional modules: nf_conntrack_ftp     [  OK  ]
    # iptables -L
    Chain INPUT (policy ACCEPT)
    target     prot opt source               destination
    ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
    ACCEPT     icmp --  anywhere             anywhere
    ACCEPT     all  --  anywhere             anywhere
    ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:ssh
    ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:http
    ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:ftp
    ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:nfs
    ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:https
    ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:memcache
    ACCEPT     udp  --  anywhere             anywhere            state NEW udp dpt:memcache
    ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:5666
    ACCEPT     udp  --  anywhere             anywhere            state NEW udp dpt:snmp
    REJECT     all  --  anywhere             anywhere            reject-with icmp-host-prohibited

    Chain FORWARD (policy ACCEPT)
    target     prot opt source               destination
    REJECT     all  --  anywhere             anywhere            reject-with icmp-host-prohibited

    Chain OUTPUT (policy ACCEPT)
    target     prot opt source               destination
    # iptables -A INPUT -s 172.16.0.0/16 -j REJECT
    # iptables -L
    Chain INPUT (policy ACCEPT)
    target     prot opt source               destination
    ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
    ACCEPT     icmp --  anywhere             anywhere
    ACCEPT     all  --  anywhere             anywhere
    ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:ssh
    ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:http
    ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:ftp
    ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:nfs
    ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:https
    ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:memcache
    ACCEPT     udp  --  anywhere             anywhere            state NEW udp dpt:memcache
    ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:5666
    ACCEPT     udp  --  anywhere             anywhere            state NEW udp dpt:snmp
    REJECT     all  --  anywhere             anywhere            reject-with icmp-host-prohibited
    REJECT     all  --  172.16.0.0/16        anywhere            reject-with icmp-port-unreachable

    Chain FORWARD (policy ACCEPT)
    target     prot opt source               destination
    REJECT     all  --  anywhere             anywhere            reject-with icmp-host-prohibited

    Chain OUTPUT (policy ACCEPT)
    target     prot opt source               destination
    #
What exactly am I doing wrong?
iptables applies the rules in the list from top to bottom. If there is an allow rule before the reject, the allow rule takes precedence.

To block a network range, you need to add it at the beginning of the iptables rules.

    iptables -I INPUT 1 -s 172.16.0.0/16 -j REJECT

will insert a reject rule for the network 172.16.0.0/16 as the first line in iptables.

A good approach to iptables.
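To make the first-match behaviour described in the answer concrete, here is an added Python model of how a chain is evaluated; it is not code from the question or the answer and it is not iptables itself. It assumes a constructed, shortened copy of the INPUT chain above (the first five rules only, with `dpt:ssh` taken as port 22) and a constructed incoming packet, and it compares the appended rule (`-A`, as in the question) with the inserted one (`-I INPUT 1`, as in the answer).

```python
"""Simulated iptables first-match evaluation (added illustration, not iptables).

The chain is a constructed, shortened model of the INPUT chain in the
question; packet and network values are constructed sample data.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

ANY = ipaddress.ip_network("0.0.0.0/0")


@dataclass
class Rule:
    target: str                                  # ACCEPT or REJECT
    proto: str = "all"                           # all, tcp, udp, icmp
    src: ipaddress.IPv4Network = ANY             # -s <network>
    state: Optional[str] = None                  # e.g. "NEW" or "RELATED,ESTABLISHED"
    dport: Optional[int] = None                  # --dport

    def matches(self, pkt: dict) -> bool:
        """Every specified match must hold, as in iptables rule matching."""
        if self.proto != "all" and pkt["proto"] != self.proto:
            return False
        if ipaddress.ip_address(pkt["src"]) not in self.src:
            return False
        if self.state is not None and pkt["state"] not in self.state.split(","):
            return False
        if self.dport is not None and pkt.get("dport") != self.dport:
            return False
        return True


@dataclass
class Chain:
    policy: str = "ACCEPT"
    rules: List[Rule] = field(default_factory=list)

    def append(self, rule: Rule) -> None:
        """iptables -A CHAIN: add the rule at the end."""
        self.rules.append(rule)

    def insert(self, rule: Rule, pos: int = 1) -> None:
        """iptables -I CHAIN [pos]: add the rule at a 1-based position."""
        self.rules.insert(pos - 1, rule)

    def verdict(self, pkt: dict) -> Tuple[str, Optional[int]]:
        """First matching rule decides; otherwise the chain policy applies.
        Returns (target, 1-based rule number or None for policy)."""
        for number, rule in enumerate(self.rules, start=1):
            if rule.matches(pkt):
                return rule.target, number
        return self.policy, None


def base_input_chain() -> Chain:
    """Constructed model of the first rules in the question's INPUT chain."""
    chain = Chain()
    chain.append(Rule("ACCEPT", state="RELATED,ESTABLISHED"))
    chain.append(Rule("ACCEPT", proto="icmp"))
    chain.append(Rule("ACCEPT"))                  # the broad "ACCEPT all anywhere anywhere" rule
    chain.append(Rule("ACCEPT", proto="tcp", state="NEW", dport=22))
    chain.append(Rule("REJECT"))                  # the trailing catch-all REJECT
    return chain


BLOCKED = ipaddress.ip_network("172.16.0.0/16")
# Constructed sample packet: a new SSH connection from inside the blocked range.
NEW_SSH_FROM_BLOCKED = {"proto": "tcp", "src": "172.16.5.9", "state": "NEW", "dport": 22}
# Constructed sample packet: the same connection from an unrelated source.
NEW_SSH_FROM_OTHER = {"proto": "tcp", "src": "10.0.0.5", "state": "NEW", "dport": 22}


def appended_verdict() -> Tuple[str, Optional[int]]:
    """What the question did: -A INPUT -s 172.16.0.0/16 -j REJECT."""
    chain = base_input_chain()
    chain.append(Rule("REJECT", src=BLOCKED))
    return chain.verdict(NEW_SSH_FROM_BLOCKED)      # ("ACCEPT", 3): rule 3 wins first


def inserted_verdict() -> Tuple[str, Optional[int]]:
    """What the answer recommends: -I INPUT 1 -s 172.16.0.0/16 -j REJECT."""
    chain = base_input_chain()
    chain.insert(Rule("REJECT", src=BLOCKED), 1)
    return chain.verdict(NEW_SSH_FROM_BLOCKED)      # ("REJECT", 1)


def other_source_verdict() -> Tuple[str, Optional[int]]:
    """Inserting at position 1 does not affect traffic outside the range."""
    chain = base_input_chain()
    chain.insert(Rule("REJECT", src=BLOCKED), 1)
    return chain.verdict(NEW_SSH_FROM_OTHER)        # ("ACCEPT", 4)


if __name__ == "__main__":
    print("appended :", appended_verdict())
    print("inserted :", inserted_verdict())
    print("other src:", other_source_verdict())
```

On a real host the equivalent check is `iptables -L INPUT -n -v --line-numbers`: `--line-numbers` shows the position each rule actually occupies, `-v` shows the per-rule packet counters (the appended REJECT stays at zero while the broad ACCEPT above it counts up) and the interface match, which a plain `iptables -L` does not display for rules such as the third `ACCEPT all anywhere anywhere` entry.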