New to iptables: what are ICMP and MASQUERADE?
Source: Internet  Published: 2015-09-02
# $EXT_IF (external interface) and the real ICMP type list are set earlier in
# the original script; the posted fragment only shows placeholder values.
ALLOWED_ICMP="x x x/x x xx xx xx xx xx"
# Chain for ICMP arriving on the external interface: accept the listed types only
iptables -N icmpfilter
for TYPE in $ALLOWED_ICMP; do
    iptables -A icmpfilter -i $EXT_IF -p icmp \
        --icmp-type $TYPE -j ACCEPT
done
# ------------------------------------------------------------------------------- #
# Stateful filter: keep packets of existing connections, accept NEW connections
# only when they do not arrive on the external interface, drop everything else
iptables -N block
iptables -A block -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A block -m state --state NEW ! -i $EXT_IF -j ACCEPT
iptables -A block -j DROP
# -------------------------------------------------------------------------------- #
# Hook the user-defined chains into the built-in INPUT and FORWARD chains
# (the "services" chain is referenced here but defined elsewhere in the script)
iptables -A INPUT -j icmpfilter
iptables -A INPUT -j services
iptables -A INPUT -j block
iptables -A FORWARD -j icmpfilter
iptables -A FORWARD -j block
# --------------------------------------------------------------------------------- #
# NAT: rewrite the source address of traffic leaving through the external interface
echo "Masquerading internal network..."
iptables -t nat -A POSTROUTING -o $EXT_IF -j MASQUERADE
Could someone explain what each of these sections means?
========= Handling ICMP packets =========
1. Define the ICMP packet types that are allowed through
2. Add a new chain
3. Add each defined ICMP packet type to the iptables rules
========= Defining a new chain ==========
1. Add a new chain
2. Add a rule to the new chain that allows TCP packets whose state is ESTABLISHED or RELATED
3. (not too clear about $EXT_IF)
4. All other packets are not allowed through
========= Adding the custom chains to netfilter =========
========= Defining masquerading =========
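As an added example (not part of the question or the answer above), the following shell script models the INPUT path that the posted rules build, so each verdict can be traced without root or a live iptables. It assumes eth0 as $EXT_IF and an allowlist of ICMP types 0, 3, 8 and 11; both are constructed values, since the post only shows placeholders.

```shell
#!/bin/sh
# Offline model of the INPUT path the posted rules build:
# INPUT -> icmpfilter -> services -> block. No iptables or root needed.

EXT_IF="eth0"              # assumed external interface
ALLOWED_ICMP="0 3 8 11"    # assumed allowlist: echo-reply, dest-unreachable, echo-request, time-exceeded

# in_list NEEDLE "LIST": succeed if NEEDLE is one of the words in LIST
in_list() {
    for w in $2; do [ "$w" = "$1" ] && return 0; done
    return 1
}

# icmpfilter: ACCEPT allowed ICMP types arriving on EXT_IF. A user chain with
# no matching terminal rule RETURNs to its caller, so nothing is dropped here.
icmpfilter() {  # $1=iface $2=proto $3=icmp-type
    if [ "$2" = icmp ] && [ "$1" = "$EXT_IF" ] && in_list "$3" "$ALLOWED_ICMP"; then
        echo ACCEPT
    else
        echo RETURN
    fi
}

# services: referenced by the script but not populated in the fragment, so it RETURNs
services() { echo RETURN; }

# block: keep packets of known connections, allow NEW connections only from
# interfaces other than EXT_IF, and DROP everything else (always terminal)
block() {  # $1=iface $2=conntrack state
    case "$2" in ESTABLISHED|RELATED) echo ACCEPT; return ;; esac
    if [ "$2" = NEW ] && [ "$1" != "$EXT_IF" ]; then echo ACCEPT; return; fi
    echo DROP
}

# input_verdict IFACE PROTO ICMP_TYPE STATE: walk the chains in the order the
# script appends them to INPUT and print the first terminal verdict
input_verdict() {
    v=$(icmpfilter "$1" "$2" "$3")
    if [ "$v" != RETURN ]; then echo "$v"; return; fi
    v=$(services)
    if [ "$v" != RETURN ]; then echo "$v"; return; fi
    block "$1" "$4"   # always terminal, so INPUT's default policy is never consulted
}

input_verdict eth0 icmp 8  NEW          # echo request from outside -> ACCEPT
input_verdict eth0 icmp 13 NEW          # timestamp request, not allowed -> DROP
input_verdict eth1 tcp  -  NEW          # new connection from the LAN -> ACCEPT
input_verdict eth0 tcp  -  ESTABLISHED  # reply to our own traffic -> ACCEPT
input_verdict eth0 tcp  -  NEW          # unsolicited from outside -> DROP
```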