Some basic questions about iptables on a router
Source: Internet   Published: 2016-12-14
The rules I have set up are as follows:
# iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
DROP udp -- anywhere anywhere udp dpt:tftp
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT udp -- anywhere anywhere udp dpt:500
ACCEPT esp -- anywhere anywhere
ACCEPT ah -- anywhere anywhere
ACCEPT !esp -- anywhere anywhere MARK match 0x10000000/0x10000000
ACCEPT !ah -- anywhere anywhere MARK match 0x10000000/0x10000000
ACCEPT tcp -- anywhere anywhere tcp dpt:30005
LOG tcp -- anywhere anywhere tcp flags:FIN,SYN,RST,ACK/SYN limit: avg 6/hour burst 5 LOG level alert prefix `Intrusion -> '
DROP all -- anywhere anywhere
Chain FORWARD (policy ACCEPT)
target prot opt source destination
TCPMSS tcp -- anywhere anywhere tcp flags:SYN,RST/SYN TCPMSS clamp to PMTU
TCPMSS tcp -- anywhere anywhere tcp flags:SYN,RST/SYN TCPMSS clamp to PMTU
TCPMSS tcp -- anywhere anywhere tcp flags:SYN,RST/SYN TCPMSS clamp to PMTU
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT !esp -- anywhere anywhere MARK match 0x10000000/0x10000000
ACCEPT !ah -- anywhere anywhere MARK match 0x10000000/0x10000000
LOG tcp -- anywhere anywhere tcp flags:FIN,SYN,RST,ACK/SYN limit: avg 6/hour burst 5 LOG level alert prefix `Intrusion -> '
DROP all -- anywhere anywhere
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
DROP all -- anywhere 239.255.255.250
Note: the router uses a PPPoE connection.
Question 1: what does alert prefix `Intrusion -> ' mean?
Question 2: with these settings, can my router be pinged from the Internet? Why?
Question 3: can the router be managed over SNMP from the Internet? Why?
There may be more questions later; thanks in advance.
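An added example, not from the original post or any reply: a small first-match simulator of the INPUT chain listed above, run over constructed sample packets, to trace where an Internet-side ping (question 2) or an SNMP request (question 3) would land. It assumes the fwmark 0x10000000 is not set on WAN traffic and ignores the LOG rule's rate limit.

```python
from dataclasses import dataclass

@dataclass
class Packet:  # constructed sample packet as the WAN-side INPUT chain sees it
    proto: str              # "tcp", "udp", "icmp", "esp" or "ah"
    dport: int = 0          # destination port for tcp/udp
    state: str = "NEW"      # conntrack state: NEW, ESTABLISHED or RELATED
    syn: bool = False       # True for a pure SYN (new TCP connection attempt)
    mark: int = 0           # fwmark; the post never shows where 0x10000000 is set

# INPUT chain from the `iptables -L` listing, same order: (target, predicate).
# "!esp" means any protocol except esp; the LOG rule's limit match is ignored.
INPUT_CHAIN = [
    ("DROP",   lambda p: p.proto == "udp" and p.dport == 69),              # tftp
    ("ACCEPT", lambda p: p.state in ("RELATED", "ESTABLISHED")),
    ("ACCEPT", lambda p: p.proto == "udp" and p.dport == 500),             # IKE
    ("ACCEPT", lambda p: p.proto == "esp"),
    ("ACCEPT", lambda p: p.proto == "ah"),
    ("ACCEPT", lambda p: p.proto != "esp" and (p.mark & 0x10000000) != 0),
    ("ACCEPT", lambda p: p.proto != "ah" and (p.mark & 0x10000000) != 0),
    ("ACCEPT", lambda p: p.proto == "tcp" and p.dport == 30005),
    ("LOG",    lambda p: p.proto == "tcp" and p.syn),    # "Intrusion -> " prefix
    ("DROP",   lambda p: True),
]
CHAIN_POLICY = "ACCEPT"  # only used if nothing matches; the final DROP always does

def evaluate(pkt, chain=INPUT_CHAIN, policy=CHAIN_POLICY):
    """First-match walk. LOG is non-terminating: note it and keep going.
    Returns (verdict, logged)."""
    logged = False
    for target, match in chain:
        if not match(pkt):
            continue
        if target == "LOG":
            logged = True
            continue
        return target, logged
    return policy, logged

def wan_ping():          # question 2: ICMP echo request fresh from the Internet
    return evaluate(Packet(proto="icmp"))
def wan_snmp():          # question 3: SNMP request on UDP 161 from the Internet
    return evaluate(Packet(proto="udp", dport=161))
def wan_tcp_syn(port):   # SYN to any port but 30005: logged with the prefix, then dropped
    return evaluate(Packet(proto="tcp", dport=port, syn=True))
def reply_to_own_ping(): # reply to a ping the router sent: ESTABLISHED, accepted
    return evaluate(Packet(proto="icmp", state="ESTABLISHED"))
```

The LOG target only writes a kernel log line carrying the `Intrusion -> ` prefix; the verdict for such a SYN comes from the DROP rule that follows it.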
|
For SNMP, disable the relevant port such as 161; for ping, disable the ICMP protocol by adding an access list with permit icmp or deny icmp.
OP can just look up how to set that up.
|
Probably some rules that use Intrusion -> as the prefix.
Whether ping works, just try it. SNMP is an application-layer protocol; if the router's TCP packets get through, SNMP management should be fine.
|
If you are new to iptables, install a front end; it is faster than reading the scripts directly.
The efficiency of scripts only pays off for people at a certain level.
When I build VC projects on Windows now I also try to use msbuild instead of spending time opening the huge VS2010, but a beginner doing that would only reduce their efficiency.