iptables blocking a network range

I am trying to REJECT connections from the following address range using iptables(8), but for some reason it does not work:

# cat /etc/redhat-release 
Red Hat Enterprise Linux Server release 6.6 (Santiago)
# uname -a
Linux X 2.6.32-504.16.2.el6.x86_64 #1 SMP Tue Mar 10 17:01:00 EDT 2015 x86_64 x86_64 x86_64 GNU/Linux
# rpm -q iptables
iptables-1.4.7-14.el6.x86_64
# service iptables restart
iptables: Setting chains to policy ACCEPT: filter          [  OK  ]
iptables: Flushing firewall rules:                         [  OK  ]
iptables: Unloading modules:                               [  OK  ]
iptables: Applying firewall rules:                         [  OK  ]
iptables: Loading additional modules: nf_conntrack_ftp     [  OK  ]
# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED 
ACCEPT     icmp --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere            
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:ssh 
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:http 
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:ftp 
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:nfs 
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:https 
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:memcache 
ACCEPT     udp  --  anywhere             anywhere            state NEW udp dpt:memcache 
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:5666 
ACCEPT     udp  --  anywhere             anywhere            state NEW udp dpt:snmp 
REJECT     all  --  anywhere             anywhere            reject-with icmp-host-prohibited 

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         
REJECT     all  --  anywhere             anywhere            reject-with icmp-host-prohibited 

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         
# iptables -A INPUT -s 172.16.0.0/16 -j REJECT
# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED 
ACCEPT     icmp --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere            
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:ssh 
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:http 
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:ftp 
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:nfs 
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:https 
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:memcache 
ACCEPT     udp  --  anywhere             anywhere            state NEW udp dpt:memcache 
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:5666 
ACCEPT     udp  --  anywhere             anywhere            state NEW udp dpt:snmp 
REJECT     all  --  anywhere             anywhere            reject-with icmp-host-prohibited 
REJECT     all  --  172.16.0.0/16        anywhere            reject-with icmp-port-unreachable 

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         
REJECT     all  --  anywhere             anywhere            reject-with icmp-host-prohibited 

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         
# 

What am I doing wrong?

Answer 1

iptables applies rules from top to bottom in the list. If accept rules come before a reject rule, the accept rules take precedence.

To block a network range, the rule has to be added at the top of the iptables rules.

iptables -I INPUT 1 -s 172.16.0.0/16 -j REJECT

This inserts a reject rule for the network 172.16.0.0/16 as the first line of the INPUT chain.

A good HOWTO for iptables.
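To make the first-match behaviour concrete, here is an added example (not part of the question or the answer) that models a reduced version of the INPUT chain from the question as a Python list and compares what `iptables -A INPUT` versus `iptables -I INPUT 1` does to a constructed packet from 172.16.0.0/16. It assumes the third rule ("ACCEPT all anywhere anywhere") really matches every packet, because `iptables -L` does not show interface matches.

```python
import ipaddress

# INPUT chain reconstructed from the question's `iptables -L` output
# (simplified: several service rules dropped; -L hides interface matches).
# Rule tuple: (target, proto, source_cidr, conntrack_states, dport)
ANY = "0.0.0.0/0"
CHAIN = [
    ("ACCEPT", "all",  ANY, {"RELATED", "ESTABLISHED"}, None),
    ("ACCEPT", "icmp", ANY, None, None),
    ("ACCEPT", "all",  ANY, None, None),          # assumed: accepts everything
    ("ACCEPT", "tcp",  ANY, {"NEW"}, 22),
    ("ACCEPT", "tcp",  ANY, {"NEW"}, 80),
    ("REJECT", "all",  ANY, None, None),          # reject-with icmp-host-prohibited
]
REJECT_NET = ("REJECT", "all", "172.16.0.0/16", None, None)

def rule_matches(rule, pkt):
    _, proto, src, states, dport = rule
    return ((proto == "all" or proto == pkt["proto"])
            and ipaddress.ip_address(pkt["src"]) in ipaddress.ip_network(src)
            and (states is None or pkt["state"] in states)
            and (dport is None or pkt.get("dport") == dport))

def evaluate(chain, pkt, policy="ACCEPT"):
    """Walk the chain top to bottom; the first matching rule decides.
    Returns (1-based rule number, verdict), or (None, policy) if nothing matches."""
    for num, rule in enumerate(chain, start=1):
        if rule_matches(rule, pkt):
            return num, rule[0]
    return None, policy

def append_rule(chain, rule):          # iptables -A INPUT ...
    return chain + [rule]

def insert_rule(chain, pos, rule):     # iptables -I INPUT <pos> ...
    return chain[:pos - 1] + [rule] + chain[pos - 1:]

def compare(pkt):
    """Verdict for pkt with the 172.16.0.0/16 REJECT appended vs. inserted first."""
    return {
        "appended": evaluate(append_rule(CHAIN, REJECT_NET), pkt),
        "inserted": evaluate(insert_rule(CHAIN, 1, REJECT_NET), pkt),
    }

if __name__ == "__main__":
    # Constructed sample packet: new SSH connection from inside the blocked range.
    pkt = {"proto": "tcp", "src": "172.16.5.9", "state": "NEW", "dport": 22}
    for how, (num, verdict) in compare(pkt).items():
        print(f"{how:8s}: rule {num} -> {verdict}")
```

Because `iptables -L` omits the interface column, the third rule may in reality be the usual loopback-only accept; `iptables -L -v -n --line-numbers` shows the interfaces, the per-rule counters and the rule numbers that `-I` expects.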
