The first rule in the FORWARD chain is interesting to me. If the policy is to drop, why is this a necessary rule?
root@tomato:/tmp/home/root# iptables -L --line-numbers
Chain INPUT (policy DROP)
num target prot opt source destination
1 REJECT tcp -- anywhere tomato multiport dports www,https,ssh reject-with tcp-reset
2 REJECT tcp -- anywhere tomato-lan1 multiport dports www,https,ssh reject-with tcp-reset
3 DROP all -- anywhere anywhere state INVALID
4 ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
5 shlimit tcp -- anywhere anywhere tcp dpt:ssh state NEW
6 ACCEPT all -- anywhere anywhere
7 ACCEPT all -- anywhere anywhere
8 ACCEPT all -- anywhere anywhere
Chain FORWARD (policy DROP)
num target prot opt source destination
1 REJECT tcp -- anywhere tomato multiport dports www,https,ssh reject-with tcp-reset
2 REJECT tcp -- anywhere tomato-lan1 multiport dports www,https,ssh reject-with tcp-reset
3 ACCEPT all -- anywhere anywhere
4 ACCEPT all -- anywhere anywhere
5 DROP all -- anywhere anywhere state INVALID
6 ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
7 DROP all -- anywhere anywhere
8 DROP all -- anywhere anywhere
9 wanin all -- anywhere anywhere
10 wanout all -- anywhere anywhere
11 ACCEPT all -- anywhere anywhere
12 ACCEPT all -- anywhere anywhere
Chain OUTPUT (policy ACCEPT)
num target prot opt source destination
Chain shlimit (1 references)
num target prot opt source destination
1 all -- anywhere anywhere recent: SET name: shlimit side: source
2 DROP all -- anywhere anywhere recent: UPDATE seconds: 60 hit_count: 4 name: shlimit side: source
Chain wanin (1 references)
num target prot opt source destination
1 ACCEPT tcp -- anywhere oldtimer tcp dpt:3300
Chain wanout (1 references)
num target prot opt source destination
Answer 1
1) The rules are generated automatically by a program working from some higher-level description. Don't assume a rule is "necessary" just because it is there.
2) Even when a rule is not strictly necessary, including it, and so stating explicitly that something is not allowed, is good practice.
3) That said, it may actually be necessary to include this rule, i.e. if some other rule would accept the packet before it reaches the end of the table and the default DROP policy is applied.
In particular, rules 11 and 12 in the FORWARD chain look identical and appear to accept everything (so they probably have attributes that are not listed; try -S instead of -L), and if that is really the case, it is the same as a default policy of ACCEPT, so you have to explicitly drop everything you want dropped.
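An added example, not part of the question or the answer above, that carries out the check the answer recommends: it parses `iptables -S` output, reports rules that carry no match at all (and so fire on every packet and make the chain's policy unreachable), lists the rules they shadow, and lists rules whose only matches are `-i`/`-o`, which plain `iptables -L` (without `-v`) prints as `all -- anywhere anywhere`. The sample listing is constructed to resemble the FORWARD chain above and is not taken from the router; the function names are my own.

```python
import shlex
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Constructed sample of `iptables -S FORWARD` output (an assumption, not the
# router's real listing): rule 7 matches everything, which is the situation the
# answer warns about, and rule 8 can never be reached.
SAMPLE_RULES = """\
-P FORWARD DROP
-A FORWARD -d 192.0.2.1/32 -p tcp -m multiport --dports 80,443,22 -j REJECT --reject-with tcp-reset
-A FORWARD -i br0 -o br0 -j ACCEPT
-A FORWARD -m state --state INVALID -j DROP
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i vlan2 -j wanin
-A FORWARD -i br0 -j wanout
-A FORWARD -j ACCEPT
-A FORWARD -i br0 -o vlan2 -j ACCEPT
"""

TERMINATING_TARGETS = {"ACCEPT", "DROP", "REJECT"}


@dataclass
class Rule:
    number: int      # 1-based position, as `iptables -L --line-numbers` shows it
    chain: str
    target: str
    constraints: List[str] = field(default_factory=list)  # "-i br0", "--state INVALID", ...

    def is_catch_all(self) -> bool:
        """A rule with no match at all fires on every packet that reaches it."""
        return not self.constraints


def parse_iptables_save(text: str) -> Tuple[Dict[str, str], Dict[str, List[Rule]]]:
    """Parse `iptables -S` lines into chain policies and per-chain rule lists."""
    policies: Dict[str, str] = {}
    chains: Dict[str, List[Rule]] = {}
    for line in text.splitlines():
        tokens = shlex.split(line)
        if not tokens:
            continue
        if tokens[0] == "-P":                 # "-P CHAIN POLICY"
            policies[tokens[1]] = tokens[2]
            continue
        if tokens[0] != "-A":                 # "-N chain" etc. carry no matches
            continue
        chain = tokens[1]
        jump = tokens.index("-j") if "-j" in tokens else len(tokens)
        target = tokens[jump + 1] if jump < len(tokens) else "<none>"
        constraints: List[str] = []
        i = 2
        while i < jump:
            tok = tokens[i]
            if tok == "-m":                   # loading a match module restricts nothing by itself;
                i += 2                        # the --options that follow it are the real constraints
                continue
            if tok == "!":                    # negated match, e.g. "! -i br0"
                constraints.append(" ".join(tokens[i:i + 3]))
                i += 3
                continue
            if i + 1 < jump and not tokens[i + 1].startswith("-"):
                constraints.append(f"{tok} {tokens[i + 1]}")
                i += 2
            else:
                constraints.append(tok)       # flag without a value, e.g. --set
                i += 1
        rules = chains.setdefault(chain, [])
        rules.append(Rule(len(rules) + 1, chain, target, constraints))
    return policies, chains


def audit_chain(policies: Dict[str, str], chains: Dict[str, List[Rule]], chain: str) -> dict:
    """Find the first catch-all terminating rule, the rules it shadows, and the
    policy that actually takes effect for packets reaching that point."""
    rules = chains.get(chain, [])
    policy = policies.get(chain, "<no policy>")
    for idx, rule in enumerate(rules):
        if rule.is_catch_all() and rule.target in TERMINATING_TARGETS:
            return {
                "catch_all": rule.number,
                "unreachable": [r.number for r in rules[idx + 1:]],
                "effective_policy": rule.target,   # the declared policy is never consulted
                "declared_policy": policy,
            }
    return {"catch_all": None, "unreachable": [], "effective_policy": policy,
            "declared_policy": policy}


def looks_unconstrained_under_L(rules: List[Rule]) -> List[int]:
    """Rules whose only matches are interfaces: plain `iptables -L` omits -i/-o,
    so these print as `all -- anywhere anywhere` and are indistinguishable from a
    true catch-all until you look at `-S` (or `-L -v`)."""
    return [r.number for r in rules
            if all(c.startswith(("-i ", "-o ")) for c in r.constraints)]


if __name__ == "__main__":
    policies, chains = parse_iptables_save(SAMPLE_RULES)
    report = audit_chain(policies, chains, "FORWARD")
    print("FORWARD audit:", report)
    print("rules that -L would show as 'all -- anywhere anywhere':",
          looks_unconstrained_under_L(chains["FORWARD"]))
```

On the sample, the audit reports rule 7 as a catch-all ACCEPT, rule 8 as unreachable, and the effective policy as ACCEPT despite the declared DROP; rules 2, 5, 6, 7 and 8 all print identically under plain `-L`, which is exactly why the answer suggests `-S` before concluding that a rule accepts everything.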