我正在嘗試REJECT透過網路連接iptables(8),但出於某種原因它沒有這樣做:
# cat /etc/redhat-release
Red Hat Enterprise Linux Server release 6.6 (Santiago)
# uname -a
Linux X 2.6.32-504.16.2.el6.x86_64 #1 SMP Tue Mar 10 17:01:00 EDT 2015 x86_64 x86_64 x86_64 GNU/Linux
# rpm -q iptables
iptables-1.4.7-14.el6.x86_64
# service iptables restart
iptables: Setting chains to policy ACCEPT: filter [ OK ]
iptables: Flushing firewall rules: [ OK ]
iptables: Unloading modules: [ OK ]
iptables: Applying firewall rules: [ OK ]
iptables: Loading additional modules: nf_conntrack_ftp [ OK ]
# iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT icmp -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:ssh
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:http
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:ftp
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:nfs
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:https
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:memcache
ACCEPT udp -- anywhere anywhere state NEW udp dpt:memcache
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:5666
ACCEPT udp -- anywhere anywhere state NEW udp dpt:snmp
REJECT all -- anywhere anywhere reject-with icmp-host-prohibited
Chain FORWARD (policy ACCEPT)
target prot opt source destination
REJECT all -- anywhere anywhere reject-with icmp-host-prohibited
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
# iptables -A INPUT -s 172.16.0.0/16 -j REJECT
# iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT icmp -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:ssh
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:http
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:ftp
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:nfs
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:https
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:memcache
ACCEPT udp -- anywhere anywhere state NEW udp dpt:memcache
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:5666
ACCEPT udp -- anywhere anywhere state NEW udp dpt:snmp
REJECT all -- anywhere anywhere reject-with icmp-host-prohibited
REJECT all -- 172.16.0.0/16 anywhere reject-with icmp-port-unreachable
Chain FORWARD (policy ACCEPT)
target prot opt source destination
REJECT all -- anywhere anywhere reject-with icmp-host-prohibited
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
#
我究竟做錯了什麼?
答案1
IPtables 在清單中從上到下套用規則。如果拒絕之前有允許規則,則允許規則優先。
若要封鎖網路範圍,需要將其新增至 IPTables 規則的開頭。
iptables -I INPUT 1 -s 172.16.0.0/16 -j REJECT
將插入網路 172.16.0.0/16 的拒絕規則作為 IPtables 中的第一行。
一個好的如何對於IPTables。