Linux ѧϰʹÓà iptables

ÔÚÕýʽ½éÉÜ iptables
µÄʹÓÃ
֮ǰ£¬ÎÒÃÇÏÈÀ´¿´Ò»ÏÂºÍ iptables

Ïà¹ØµÄһЩ»ù±¾¸ÅÄî¡£ÎÒÃÇÏÂÃ潫»áƵ·±Ê¹ÓÃ
µ½
ËüÃÇ¡£
Æ¥Å䣨match£©£º·ûºÏÖ¸¶¨µÄÌõ¼þ£¬±ÈÈçÖ¸¶¨µÄ IP µØÖ·ºÍ¶Ë¿Ú¡£
¶ªÆú£¨drop£©£ºµ±Ò»¸ö°üµ½´ïʱ£¬¼òµ¥µØ¶ªÆú£¬²»×öÆäËüÈκδ¦Àí¡£
½ÓÊÜ£¨accept£©£ººÍ¶ªÆúÏà·´£¬½ÓÊÜÕâ¸ö°ü£¬ÈÃÕâ¸ö°üͨ¹ý¡£
¾Ü¾ø£¨reject£©£ººÍ¶ªÆúÏàËÆ£¬µ«Ëü»¹»áÏò·¢ËÍÕâ¸ö°üµÄÔ´Ö÷»ú·¢ËÍ´íÎóÏûÏ¢¡£Õâ¸ö´íÎóÏûÏ¢¿ÉÒÔÖ¸¶¨£¬Ò²¿ÉÒÔ×Ô¶¯²úÉú¡£
Ä¿±ê£¨target£©£ºÖ¸¶¨µÄ¶¯×÷£¬ËµÃ÷ÈçºÎ´¦ÀíÒ»¸ö°ü£¬±ÈÈ磺¶ªÆú£¬½ÓÊÜ£¬»ò¾Ü¾ø¡£
Ìøת£¨jump£©£ººÍÄ¿±êÀàËÆ£¬²»¹ýËüÖ¸¶¨µÄ²»ÊÇÒ»¸ö¾ßÌåµÄ¶¯×÷£¬¶øÊÇÁíÒ»¸öÁ´£¬±íʾҪÌøתµ½ÄǸöÁ´ÉÏ¡£
¹æÔò£¨rule£©£ºÒ»¸ö»ò¶à¸öÆ¥Åä¼°Æä¶ÔÓ¦µÄÄ¿±ê¡£
Á´£¨chain£©£ºÃ¿ÌõÁ´¶¼°üº¬ÓÐһϵÁеĹæÔò£¬ÕâЩ¹æÔò»á±»ÒÀ´ÎÓ¦Óõ½Ã¿¸ö±éÀú¸ÃÁ´µÄÊý¾Ý°üÉÏ¡£Ã¿¸öÁ´¶¼Óи÷×ÔרÃŵÄÓÃ;£¬
ÕâÒ»µãÎÒÃÇÏÂÃæ»áÏêϸÌÖÂÛ¡£
±í £¨table£©£ºÃ¿¸ö±í°üº¬ÓÐÈô¸É¸ö²»Í¬µÄÁ´£¬±ÈÈç filter ±íĬÈÏ°üº¬ÓÐ INPUT£¬FORWARD£¬OUTPUT
Èý¸öÁ´¡£iptables
ÓÐËĸö±í£¬·Ö±ðÊÇ£ºraw£¬nat£¬mangleºÍfilter£¬Ã¿¸ö±í¶¼ÓÐ×Ô¼º×¨ÃŵÄÓô¦£¬±ÈÈç×î³£ÓÃfilter±í¾ÍÊÇרÃÅÓÃÀ´×ö°ü¹ýÂ˵ģ¬¶ø
nat ±íÊÇרÃÅÓÃÀ´×öNATµÄ¡£
²ßÂÔ£¨police£©£ºÎÒÃÇÔÚÕâÀïÌáµ½µÄ²ßÂÔÊÇÖ¸£¬¶ÔÓÚ iptables ÖÐijÌõÁ´£¬µ±ËùÓйæÔò¶¼Æ¥Åä²»³É¹¦Ê±ÆäĬÈϵĴ¦Àí¶¯×÷¡£
Á¬½Ó¸ú×Ù£¨connection
track£©£ºÓÖ³ÆΪ¶¯Ì¬¹ýÂË£¬¿ÉÒÔ¸ù¾ÝÖ¸¶¨Á¬½ÓµÄ״̬½øÐÐһЩÊʵ±µÄ¹ýÂË£¬ÊÇÒ»¸öºÜÇ¿´óµÄ¹¦ÄÜ£¬µ«Í¬Ê±Ò²±È½ÏÏûºÄÄÚ´æ×ÊÔ´¡£
iptables ½éÉÜ
iptables µÄ±íºÍÁ´£º
ÏÖÔÚ£¬ÈÃÎÒÃÇ¿´¿´µ±Ò»¸öÊý¾Ý°üµ½´ïʱËüÊÇÔõôÒÀ´Î´©¹ý¸÷¸öÁ´ºÍ±íµÄ¡£»ù±¾²½ÖèÈçÏ£º
1. Êý¾Ý°üµ½´ïÍøÂç½Ó¿Ú£¬±ÈÈç eth0¡£
2. ½øÈë raw ±íµÄ PREROUTING Á´£¬Õâ¸öÁ´µÄ×÷ÓÃÊǸÏÔÚÁ¬½Ó¸ú×Ù֮ǰ´¦ÀíÊý¾Ý°ü¡£
3. Èç¹û½øÐÐÁËÁ¬½Ó¸ú×Ù£¬ÔÚ´Ë´¦Àí¡£
4. ½øÈë mangle ±íµÄ PREROUTING Á´£¬ÔÚ´Ë¿ÉÒÔÐÞ¸ÄÊý¾Ý°ü£¬±ÈÈç TOS µÈ¡£
5. ½øÈë nat ±íµÄ PREROUTING Á´£¬¿ÉÒÔÔÚ´Ë×öDNAT£¬µ«²»Òª×ö¹ýÂË¡£
6. ¾ö¶¨Â·ÓÉ£¬¿´Êǽ»¸ø±¾µØÖ÷»ú»¹ÊÇת·¢¸øÆäËüÖ÷»ú¡£
µ½ÁËÕâÀïÎÒÃǾ͵÷ÖÁ½ÖÖ²»Í¬µÄÇé¿ö½øÐÐÌÖÂÛÁË£¬Ò»ÖÖÇé¿ö¾ÍÊÇÊý¾Ý°üҪת·¢¸øÆäËüÖ÷»ú£¬ÕâʱºòËü»áÒÀ´Î¾­¹ý£º
7. ½øÈë mangle ±íµÄ FORWARD
Á´£¬ÕâÀïÒ²±È½ÏÌØÊ⣬ÕâÊÇÔÚµÚÒ»´Î·Óɾö¶¨Ö®ºó£¬ÔÚ½øÐÐ×îºóµÄ·Óɾö¶¨Ö®Ç°£¬ÎÒÃÇÈÔÈ»¿ÉÒÔ¶ÔÊý¾Ý°ü½øÐÐijЩÐ޸ġ£
8. ½øÈë filter ±íµÄ FORWARD
Á´£¬ÔÚÕ