A few small things about iptables

Understanding the server firewall is a lesson anyone running servers has to take.

In my view, how secure a Linux host's firewall is comes down mostly to how well iptables is configured.

So, on to the topic: configuring iptables. (The environment is CentOS 5.5.)

The basic iptables concepts to understand: TARGET, CHAINS (user-defined and built-in chains), TABLE.

1. TABLE

Described (in the iptables man page) as follows:
Iptables is used to set up, maintain, and inspect the tables of IP packet filter rules in the Linux kernel. Several different tables may be defined. Each table contains a number of built-in chains and may also contain user-defined chains.

2. CHAINS

Described as follows:
Each chain is a list of rules which can match a set of packets. Each rule specifies what to do with a packet that matches.
This is called a 'target', which may be a jump to a user-defined chain in the same table.

A chain contains rules; a rule is used to match packets, and at the same time the rule specifies what to do with a packet once it matches. That is the so-called target: if the match succeeds, the packet is handed over to the target.

3. TARGETS

Described as follows:
A firewall rule specifies criteria for a packet, and a target. (This part can be skipped.)
If the packet does not match, the next rule in the chain is examined;
if it does match, then the next rule is specified by the value of the target, which can be the name of a user-defined chain or one of the special values ACCEPT, DROP, QUEUE, or RETURN. (Read this sentence carefully.)

If the match succeeds, the packet is handed to the next rule, and which rule that is is decided by the target. So what does the target specify? The target can be a user-defined chain, or one of ACCEPT, DROP, QUEUE and RETURN.

Next, let's look at what these four words mean.

ACCEPT means to let the packet through.
DROP means to drop the packet on the floor.
QUEUE means to pass the packet to userspace. (How the packet can be received by a userspace process differs by the particular queue handler. 2.4.x and 2.6.x kernels up to 2.6.13 include the ip_queue queue handler. Kernels 2.6.14 and later additionally include the nfnetlink_queue queue handler. Packets with a target of QUEUE will be sent to queue number '0' in this case. Please also see the NFQUEUE target as described later in this man page.) (Ignored here!!!)
RETURN means stop traversing this chain and resume at the next rule in the previous (calling) chain. If the end of a built-in chain is reached or a rule in a built-in chain with target RETURN is matched, the target specified by the chain policy determines the fate of the packet.

The other three need no explanation.

With the basic concepts cleared up, let's start writing the script.

The comments should be detailed enough. One reminder: a LOGNDROP chain is defined above, and 3 rules are added to that chain.

Appendix: modify the syslog.conf configuration file.

Then run tail -f /var/log/iptables.log to watch the denied packets; the source IP of each one can be seen there.
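As an added example (my own script, not the one the post omits), here is a minimal filter-table setup that funnels everything unmatched in INPUT into a user-defined LOGNDROP chain and ends with a DROP policy as the safety net. Which three rules the post's chain held is not shown, so the chain layout, the SSH port and the syslog.conf line in the comments are assumptions; with IPT=echo the script prints the commands instead of applying them.

```shell
#!/bin/sh
# Added example, not the script the post omits. Dry run with IPT=echo to print the
# commands instead of applying them (the default applies them with iptables as root).
IPT="${IPT:-iptables}"
SSH_PORT="${SSH_PORT:-22}"   # assumed admin port; change it before applying

# Start from a clean filter table: flush every chain, then delete user-defined ones.
reset_filter() {
    $IPT -F
    $IPT -X
}

# User-defined chain (assumed layout): one rate-limited LOG rule per protocol so a
# flood cannot fill the disk, then an unconditional DROP. Level 4 (warning) lets
# syslog route these kernel log lines to their own file.
logndrop_chain() {
    $IPT -N LOGNDROP
    $IPT -A LOGNDROP -p tcp  -m limit --limit 5/min -j LOG --log-prefix "Denied TCP: "  --log-level 4
    $IPT -A LOGNDROP -p udp  -m limit --limit 5/min -j LOG --log-prefix "Denied UDP: "  --log-level 4
    $IPT -A LOGNDROP -p icmp -m limit --limit 5/min -j LOG --log-prefix "Denied ICMP: " --log-level 4
    $IPT -A LOGNDROP -j DROP
}

# Built-in INPUT chain: loopback, replies to our own connections and SSH are
# accepted; anything else jumps to LOGNDROP. The DROP policy decides the fate of a
# packet that reaches the end of INPUT (the RETURN case from the man page).
input_rules() {
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A INPUT -p tcp --dport "$SSH_PORT" -m state --state NEW -j ACCEPT
    $IPT -A INPUT -j LOGNDROP
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT ACCEPT
}

# Order matters: LOGNDROP must exist before INPUT can jump to it.
apply_firewall() {
    reset_filter
    logndrop_chain
    input_rules
}
# Assumed syslog.conf line routing the LOG output to the post's file:
#   kern.warning    /var/log/iptables.log
if [ "${1:-}" = "apply" ]; then
    apply_firewall
fi
```

Run `IPT=echo sh fw.sh apply` first to review the rule list, then `sh fw.sh apply` as root once the SSH port is right.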

These are all trivial iptables details; there is a lot more to iptables, so keep learning.

References:
http://wiki.ubuntu.org.cn/IptablesHowTo#More_detailed_Logging_.E5.85.B3.E4.BA.8E.E6.97.A5.E5.BF.97.E8.AE.B0.E5.BD.95.E7.9A.84.E6.9B.B4.E5.A4.9A.E7.BB.86.E8.8A.82
Basic Iptables How to for Ubuntu Server Edition (Ubuntu Server Edition iptables basic setup guide)
http://wiki.centos.org/HowTos/Network/IPTables