【iptables】yum -y install iptables
# yum -y install iptables iptables-services
# rpm -qa | grep iptables
iptables-1.4.21-35.el7.x86_64
iptables-services-1.4.21-35.el7.x86_64
# yum info iptables
已加载插件:fastestmirror
Loading mirror speeds from cached hostfile
* base: mirrors.163.com
* epel: mirrors.qlu.edu.cn
* extras: mirrors.163.com
* updates: mirrors.163.com
已安装的软件包
名称 :iptables
架构 :x86_64
版本 :1.4.21
发布 :35.el7
大小 :1.5 M
源 :installed
来自源:anaconda
简介 : Tools for managing Linux kernel packet filtering capabilities
网址 :http://www.netfilter.org/
协议 : GPLv2
描述 : The iptables utility controls the network packet filtering code in the
: Linux kernel. If you need to set up firewalls and/or IP masquerading,
: you should install this package.
可安装的软件包
名称 :iptables
架构 :i686
版本 :1.4.21
发布 :35.el7
大小 :424 k
源 :base/7/x86_64
简介 : Tools for managing Linux kernel packet filtering capabilities
网址 :http://www.netfilter.org/
协议 : GPLv2
描述 : The iptables utility controls the network packet filtering code in the
: Linux kernel. If you need to set up firewalls and/or IP masquerading,
: you should install this package.
# yum info iptables-services
已加载插件:fastestmirror
Loading mirror speeds from cached hostfile
* base: mirrors.163.com
* epel: mirrors.qlu.edu.cn
* extras: mirrors.163.com
* updates: mirrors.163.com
已安装的软件包
名称 :iptables-services
架构 :x86_64
版本 :1.4.21
发布 :35.el7
大小 :23 k
源 :installed
来自源:base
简介 : iptables and ip6tables services for iptables
网址 :http://www.netfilter.org/
协议 : GPLv2
描述 : iptables services for IPv4 and IPv6
:
: This package provides the services iptables and ip6tables that have been split
: out of the base package since they are not active by default anymore.
# rpm -ql iptables | grep bin
/usr/bin/iptables-xml
/usr/sbin/ip6tables
/usr/sbin/ip6tables-restore
/usr/sbin/ip6tables-save
/usr/sbin/iptables
/usr/sbin/iptables-restore
/usr/sbin/iptables-save
/usr/sbin/xtables-multi
# rpm -ql iptables | grep config
/etc/sysconfig/ip6tables-config
/etc/sysconfig/iptables-config
# rpm -ql iptables-services
/etc/sysconfig/ip6tables
/etc/sysconfig/iptables
/usr/lib/systemd/system/ip6tables.service
/usr/lib/systemd/system/iptables.service
/usr/libexec/initscripts/legacy-actions/ip6tables
/usr/libexec/initscripts/legacy-actions/ip6tables/panic
/usr/libexec/initscripts/legacy-actions/ip6tables/save
/usr/libexec/initscripts/legacy-actions/iptables
/usr/libexec/initscripts/legacy-actions/iptables/panic
/usr/libexec/initscripts/legacy-actions/iptables/save
/usr/libexec/iptables
/usr/libexec/iptables/ip6tables.init
/usr/libexec/iptables/iptables.init
# systemctl status iptables
iptables.service - IPv4 firewall with iptables
Loaded: loaded (/usr/lib/systemd/system/iptables.service; disabled; vendor preset: disabled)
Active: inactive (dead)
# cat /usr/lib/systemd/system/iptables.service
--------------------------------------------------------------------
[Unit]
Description=IPv4 firewall with iptables
Before=network-pre.target
Wants=network-pre.target
Before=ip6tables.service
After=syslog.target
AssertPathExists=/etc/sysconfig/iptables
[Service]
Type=oneshot
RemainAfterExit=yes
ExecStart=/usr/libexec/iptables/iptables.init start
ExecReload=/usr/libexec/iptables/iptables.init reload
ExecStop=/usr/libexec/iptables/iptables.init stop
Environment=BOOTUP=serial
Environment=CONSOLETYPE=serial
StandardOutput=syslog
StandardError=syslog
[Install]
WantedBy=basic.target
--------------------------------------------------------------------
Pay attention to the following 2 files:
iptables configuration file: /etc/sysconfig/iptables
# sample configuration for iptables service
# you can edit this manually or use system-config-firewall
# please do not ask us to add additional ports/services to this default configuration
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
/etc/sysconfig/iptables is the file in which the iptables firewall rules are configured. The rules defined here are loaded by the iptables service when it starts. A detailed reading of this configuration file:

- Comments: lines starting with # are comments. The iptables service does not execute them; they only explain and guide the configuration.
- Table and default chains:
  - *filter: selects the filter table, whose built-in chains (INPUT, FORWARD and OUTPUT) are given the default policy ACCEPT on the lines that follow. Unless another rule says otherwise, a packet that reaches the end of a chain is therefore accepted.
- Chain definitions:
  - :INPUT ACCEPT [0:0]: sets the default policy of the INPUT chain to accept all packets; the packet and byte counters ([0:0]) start at zero.
  - :FORWARD ACCEPT [0:0]: sets the default policy of the FORWARD chain to accept all forwarded packets.
  - :OUTPUT ACCEPT [0:0]: sets the default policy of the OUTPUT chain to accept all packets sent by this host.
- Specific rules:
  - -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT: accepts packets that belong to an already established connection (for example after the TCP handshake) or are related to one.
  - -A INPUT -p icmp -j ACCEPT: accepts all ICMP (Internet Control Message Protocol) packets, which are commonly used for network diagnostics.
  - -A INPUT -i lo -j ACCEPT: accepts all packets arriving on the local loopback interface (lo), which local inter-process communication requires.
  - -A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT: accepts new TCP connection attempts to destination port 22 (the port normally used by the SSH service).
  - -A INPUT -j REJECT --reject-with icmp-host-prohibited: rejects every other packet that none of the rules above matched, sending the sender an ICMP "host prohibited" message.
  - -A FORWARD -j REJECT --reject-with icmp-host-prohibited: rejects every forwarded packet that matched no accept rule, also with an ICMP message.
- Committing the chains:
  - COMMIT: commits the rule set. In iptables every table block must end with COMMIT so that all of its rules are applied.

This configuration file provides a basic iptables rule set: it allows the necessary network communication while blocking every inbound connection that is not explicitly permitted. It is a relatively safe default that suits most standard environments. Administrators can edit the file as needed, adding or changing rules to meet specific security requirements.
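To make the point of the last paragraph checkable rather than taken on trust, here is an added shell example (not part of the original post or of the iptables-services package) that reads a rules file in this iptables-save format and reports, for each chain of the filter table, its policy and whether its last rule is an unconditional REJECT or DROP. The function names audit_filter_chains and chain_effective_policy and the sample rule set DEFAULT_RULES are this example's own; the sample is a constructed copy of the file shown above.

```shell
#!/bin/sh
# Added example (not from the original post): audit a rules file in the
# iptables-save format used by /etc/sysconfig/iptables. For each chain of the
# *filter table it reports the default policy and whether the chain ends in an
# unconditional REJECT/DROP. A chain with policy ACCEPT and no such terminating
# rule accepts everything that matched nothing above it.

# Constructed copy of the default /etc/sysconfig/iptables shipped by iptables-services.
DEFAULT_RULES='*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT'

# audit_filter_chains < rules-file
# Prints one line per chain: "<chain> <policy> <terminator>", where terminator
# is REJECT/DROP when the LAST rule of the chain is an unconditional one with
# that target, and "none" otherwise.
audit_filter_chains() {
    awk '
        /^\*/             { table = substr($1, 2); next }   # "*filter" selects a table
        /^COMMIT/         { table = ""; next }
        table != "filter" { next }
        /^:/ {                                               # ":INPUT ACCEPT [0:0]"
            chain = substr($1, 2); policy[chain] = $2; order[++n] = chain; next
        }
        $1 == "-A" {                                         # "-A CHAIN <matches> -j TARGET"
            chain = $2; target = ""; conditional = 0
            for (i = 3; i <= NF; i++) {
                if ($i == "-j") { target = $(i + 1); i++; continue }
                # any match option restricts the rule; the reject-with argument does not
                if ($i ~ /^-(p|s|d|i|o|m)$/ || $i ~ /^--(sport|dport|state|ctstate)$/) conditional = 1
            }
            if (!conditional && (target == "REJECT" || target == "DROP")) term[chain] = target
            else term[chain] = "none"
        }
        END {
            for (k = 1; k <= n; k++) {
                c = order[k]
                printf "%s %s %s\n", c, policy[c], ((c in term) ? term[c] : "none")
            }
        }
    '
}

# chain_effective_policy CHAIN < rules-file
# Fate of a packet that matches none of the chain's conditional rules: the
# terminator target if there is one, otherwise the chain policy.
chain_effective_policy() {
    audit_filter_chains | awk -v c="$1" '$1 == c { v = ($3 == "none") ? $2 : $3; print v }'
}

# Stand-alone run: audit the constructed default rule set.
printf '%s\n' "$DEFAULT_RULES" | audit_filter_chains
```

Run it against the live file with audit_filter_chains < /etc/sysconfig/iptables. A chain reported as ACCEPT with terminator none (OUTPUT here) accepts whatever matches no rule; that is intended for OUTPUT, but the same result for INPUT or FORWARD would mean the final REJECT was lost, for example while a port was being opened by hand.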
iptables service management shell script: /usr/libexec/iptables/iptables.init
#!/bin/bash
#
# iptables Start iptables firewall
#
# chkconfig: 2345 08 92
# description: Starts, stops and saves iptables firewall
#
# config: /etc/sysconfig/iptables
# config: /etc/sysconfig/iptables-config
#
### BEGIN INIT INFO
# Provides: iptables
# Required-Start:
# Required-Stop:
# Default-Start: 2 3 4 5
# Default-Stop: 0 1 6
# Short-Description: start and stop iptables firewall
# Description: Start, stop and save iptables firewall
### END INIT INFO
# Source function library.
. /etc/init.d/functions
IPTABLES=iptables
IPTABLES_DATA=/etc/sysconfig/$IPTABLES
IPTABLES_FALLBACK_DATA=${IPTABLES_DATA}.fallback
IPTABLES_CONFIG=/etc/sysconfig/${IPTABLES}-config
IPV=${IPTABLES%tables} # ip for ipv4 | ip6 for ipv6
[ "$IPV" = "ip" ] && _IPV="ipv4" || _IPV="ipv6"
PROC_IPTABLES_NAMES=/proc/net/${IPV}_tables_names
VAR_SUBSYS_IPTABLES=/var/lock/subsys/$IPTABLES
RESTORECON=$(which restorecon 2>/dev/null)
[ ! -x "$RESTORECON" ] && RESTORECON=/bin/true
# only usable for root
if [ $EUID != 0 ]; then
echo -n $"${IPTABLES}: Only usable by root."; warning; echo
exit 4
fi
if [ ! -x /sbin/$IPTABLES ]; then
echo -n $"${IPTABLES}: /sbin/$IPTABLES does not exist."; warning; echo
exit 5
fi
# Default firewall configuration:
IPTABLES_MODULES=""
IPTABLES_SAVE_ON_STOP="no"
IPTABLES_SAVE_ON_RESTART="no"
IPTABLES_SAVE_COUNTER="no"
IPTABLES_STATUS_NUMERIC="yes"
IPTABLES_STATUS_VERBOSE="no"
IPTABLES_STATUS_LINENUMBERS="yes"
IPTABLES_SYSCTL_LOAD_LIST=""
IPTABLES_RESTORE_WAIT=600
IPTABLES_RESTORE_WAIT_INTERVAL=1000000
# Load firewall configuration.
[ -f "$IPTABLES_CONFIG" ] && . "$IPTABLES_CONFIG"
# Get active tables
NF_TABLES=$(cat "$PROC_IPTABLES_NAMES" 2>/dev/null)
# Prepare commands for wait options
IPTABLES_CMD="$IPTABLES"
IPTABLES_RESTORE_CMD="$IPTABLES-restore"
if [ $IPTABLES_RESTORE_WAIT -ne 0 ]; then
OPT="--wait ${IPTABLES_RESTORE_WAIT}"
if [ $IPTABLES_RESTORE_WAIT_INTERVAL -lt 1000000 ]; then
OPT+=" --wait-interval ${IPTABLES_RESTORE_WAIT_INTERVAL}"
fi
IPTABLES_CMD+=" $OPT"
IPTABLES_RESTORE_CMD+=" $OPT"
fi
flush_n_delete() {
local ret=0
# Flush firewall rules and delete chains.
[ ! -e "$PROC_IPTABLES_NAMES" ] && return 0
# Check if firewall is configured (has tables)
[ -z "$NF_TABLES" ] && return 1
echo -n $"${IPTABLES}: Flushing firewall rules: "
# For all tables
for i in $NF_TABLES; do
# Flush firewall rules.
$IPTABLES_CMD -t $i -F;
let ret+=$?;
# Delete firewall chains.
$IPTABLES_CMD -t $i -X;
let ret+=$?;
# Set counter to zero.
$IPTABLES_CMD -t $i -Z;
let ret+=$?;
done
[ $ret -eq 0 ] && success || failure
echo
return $ret
}
set_policy() {
local ret=0
# Set policy for configured tables.
policy=$1
# Check if iptable module is loaded
[ ! -e "$PROC_IPTABLES_NAMES" ] && return 0
# Check if firewall is configured (has tables)
tables=$(cat "$PROC_IPTABLES_NAMES" 2>/dev/null)
[ -z "$tables" ] && return 1
echo -n $"${IPTABLES}: Setting chains to policy $policy: "
for i in $tables; do
echo -n "$i "
case "$i" in
raw)
$IPTABLES_CMD -t raw -P PREROUTING $policy \
&& $IPTABLES_CMD -t raw -P OUTPUT $policy \
|| let ret+=1
;;
filter)
$IPTABLES_CMD -t filter -P INPUT $policy \
&& $IPTABLES_CMD -t filter -P OUTPUT $policy \
&& $IPTABLES_CMD -t filter -P FORWARD $policy \
|| let ret+=1
;;
nat)
$IPTABLES_CMD -t nat -P PREROUTING $policy \
&& $IPTABLES_CMD -t nat -P POSTROUTING $policy \
&& $IPTABLES_CMD -t nat -P OUTPUT $policy \
|| let ret+=1
;;
mangle)
$IPTABLES_CMD -t mangle -P PREROUTING $policy \
&& $IPTABLES_CMD -t mangle -P POSTROUTING $policy \
&& $IPTABLES_CMD -t mangle -P INPUT $policy \
&& $IPTABLES_CMD -t mangle -P OUTPUT $policy \
&& $IPTABLES_CMD -t mangle -P FORWARD $policy \
|| let ret+=1
;;
security)
# Ignore the security table
;;
*)
let ret+=1
;;
esac
done
[ $ret -eq 0 ] && success || failure
echo
return $ret
}
load_sysctl() {
local ret=0
# load matched sysctl values
if [ -n "$IPTABLES_SYSCTL_LOAD_LIST" ]; then
echo -n $"Loading sysctl settings: "
for item in $IPTABLES_SYSCTL_LOAD_LIST; do
fgrep -hs $item /etc/sysctl.d/* | sysctl -p - >/dev/null
let ret+=$?;
done
[ $ret -eq 0 ] && success || failure
echo
fi
return $ret
}
start() {
local ret=0
# Do not start if there is no config file.
if [ ! -f "$IPTABLES_DATA" ]; then
echo -n $"${IPTABLES}: No config file."; warning; echo
return 6
fi
# check if ipv6 module load is deactivated
if [ "${_IPV}" = "ipv6" ] \
&& grep -qIsE "^install[[:space:]]+${_IPV}[[:space:]]+/bin/(true|false)" /etc/modprobe.conf /etc/modprobe.d/* ; then
echo $"${IPTABLES}: ${_IPV} is disabled."
return 150
fi
echo -n $"${IPTABLES}: Applying firewall rules: "
OPT=
[ "x$IPTABLES_SAVE_COUNTER" = "xyes" ] && OPT="-c"
$IPTABLES_RESTORE_CMD $OPT $IPTABLES_DATA
if [ $? -eq 0 ]; then
success; echo
else
failure; echo;
if [ -f "$IPTABLES_FALLBACK_DATA" ]; then
echo -n $"${IPTABLES}: Applying firewall fallback rules: "
$IPTABLES_RESTORE_CMD $OPT $IPTABLES_FALLBACK_DATA
if [ $? -eq 0 ]; then
success; echo
else
failure; echo; return 1
fi
else
return 1
fi
fi
# Load additional modules (helpers)
if [ -n "$IPTABLES_MODULES" ]; then
echo -n $"${IPTABLES}: Loading additional modules: "
for mod in $IPTABLES_MODULES; do
echo -n "$mod "
modprobe $mod > /dev/null 2>&1
let ret+=$?;
done
[ $ret -eq 0 ] && success || failure
echo
fi
# Load sysctl settings
load_sysctl
touch $VAR_SUBSYS_IPTABLES
return $ret
}
stop() {
local ret=0
# Do not stop if iptables module is not loaded.
[ ! -e "$PROC_IPTABLES_NAMES" ] && return 0
# Set default chain policy to ACCEPT, in order to not break shutdown
# on systems where the default policy is DROP and root device is
# network-based (i.e.: iSCSI, NFS)
set_policy ACCEPT
let ret+=$?
# And then, flush the rules and delete chains
flush_n_delete
let ret+=$?
rm -f $VAR_SUBSYS_IPTABLES
return $ret
}
save() {
local ret=0
# Check if iptable module is loaded
if [ ! -e "$PROC_IPTABLES_NAMES" ]; then
echo -n $"${IPTABLES}: Nothing to save."; warning; echo
return 0
fi
# Check if firewall is configured (has tables)
if [ -z "$NF_TABLES" ]; then
echo -n $"${IPTABLES}: Nothing to save."; warning; echo
return 6
fi
echo -n $"${IPTABLES}: Saving firewall rules to $IPTABLES_DATA: "
OPT=
[ "x$IPTABLES_SAVE_COUNTER" = "xyes" ] && OPT="-c"
TMP_FILE=$(/bin/mktemp -q $IPTABLES_DATA.XXXXXX) \
&& chmod 600 "$TMP_FILE" \
&& $IPTABLES-save $OPT > $TMP_FILE 2>/dev/null \
&& size=$(stat -c '%s' $TMP_FILE) && [ $size -gt 0 ] \
|| ret=1
if [ $ret -eq 0 ]; then
if [ -e $IPTABLES_DATA ]; then
cp -f $IPTABLES_DATA $IPTABLES_DATA.save \
&& chmod 600 $IPTABLES_DATA.save \
&& $RESTORECON $IPTABLES_DATA.save \
|| ret=1
fi
if [ $ret -eq 0 ]; then
mv -f $TMP_FILE $IPTABLES_DATA \
&& chmod 600 $IPTABLES_DATA \
&& $RESTORECON $IPTABLES_DATA \
|| ret=1
fi
fi
rm -f $TMP_FILE
[ $ret -eq 0 ] && success || failure
echo
return $ret
}
status() {
if [ ! -f "$VAR_SUBSYS_IPTABLES" ] && [ -z "$NF_TABLES" ]; then
echo $"${IPTABLES}: Firewall is not running."
return 3
fi
# Do not print status if lockfile is missing and iptables modules are not
# loaded.
# Check if iptable modules are loaded
if [ ! -e "$PROC_IPTABLES_NAMES" ]; then
echo $"${IPTABLES}: Firewall modules are not loaded."
return 3
fi
# Check if firewall is configured (has tables)
if [ -z "$NF_TABLES" ]; then
echo $"${IPTABLES}: Firewall is not configured. "
return 3
fi
NUM=
[ "x$IPTABLES_STATUS_NUMERIC" = "xyes" ] && NUM="-n"
VERBOSE=
[ "x$IPTABLES_STATUS_VERBOSE" = "xyes" ] && VERBOSE="--verbose"
COUNT=
[ "x$IPTABLES_STATUS_LINENUMBERS" = "xyes" ] && COUNT="--line-numbers"
for table in $NF_TABLES; do
echo $"Table: $table"
$IPTABLES -t $table --list $NUM $VERBOSE $COUNT && echo
done
return 0
}
reload() {
local ret=0
# Do not reload if there is no config file.
if [ ! -f "$IPTABLES_DATA" ]; then
echo -n $"${IPTABLES}: No config file."; warning; echo
return 6
fi
# check if ipv6 module load is deactivated
if [ "${_IPV}" = "ipv6" ] \
&& grep -qIsE "^install[[:space:]]+${_IPV}[[:space:]]+/bin/(true|false)" /etc/modprobe.conf /etc/modprobe.d/* ; then
echo $"${IPTABLES}: ${_IPV} is disabled."
return 150
fi
echo -n $"${IPTABLES}: Trying to reload firewall rules: "
OPT=
[ "x$IPTABLES_SAVE_COUNTER" = "xyes" ] && OPT="-c"
$IPTABLES_RESTORE_CMD $OPT $IPTABLES_DATA
if [ $? -eq 0 ]; then
success; echo
else
failure; echo; echo "Firewall rules are not changed."; return 1
fi
# Load additional modules (helpers)
if [ -n "$IPTABLES_MODULES" ]; then
echo -n $"${IPTABLES}: Loading additional modules: "
for mod in $IPTABLES_MODULES; do
echo -n "$mod "
modprobe $mod > /dev/null 2>&1
let ret+=$?;
done
[ $ret -eq 0 ] && success || failure
echo
fi
# Load sysctl settings
load_sysctl
return $ret
}
restart() {
[ "x$IPTABLES_SAVE_ON_RESTART" = "xyes" ] && save
stop
start
}
case "$1" in
start)
[ -f "$VAR_SUBSYS_IPTABLES" ] && exit 0
start
RETVAL=$?
;;
stop)
[ "x$IPTABLES_SAVE_ON_STOP" = "xyes" ] && save
stop
RETVAL=$?
;;
restart|force-reload)
restart
RETVAL=$?
;;
reload)
[ -e "$VAR_SUBSYS_IPTABLES" ] && reload
RETVAL=$?
;;
condrestart|try-restart)
[ ! -e "$VAR_SUBSYS_IPTABLES" ] && exit 0
restart
RETVAL=$?
;;
status)
status
RETVAL=$?
;;
panic)
set_policy DROP
RETVAL=$?
;;
save)
save
RETVAL=$?
;;
*)
echo $"Usage: ${IPTABLES} {start|stop|reload|restart|condrestart|status|panic|save}"
RETVAL=2
;;
esac
exit $RETVAL
This script is the init script that manages the iptables service. It defines the service's start, stop, restart, reload (re-read the configuration), save (write out the current rules) and status operations.
The script follows the Linux init-script conventions and can be used on distributions whose init system is System V init or Upstart.
A detailed reading of the script's main parts:

- Header: declares the interpreter (#!/bin/bash) and descriptive information such as the chkconfig parameters, a description and the configuration file paths. The block between ### BEGIN INIT INFO and ### END INIT INFO provides the service's metadata.
- Variable definitions: the variables related to iptables, such as the iptables command, the configuration file paths, the IP version (ipv4 or ipv6) and the lock file path.
- Function definitions:
  - flush_n_delete: flushes the iptables rules and deletes the chains.
  - set_policy: sets the default policy of the iptables chains.
  - load_sysctl: loads the specified sysctl settings.
  - start: starts the iptables service by applying the firewall rules.
  - stop: stops the iptables service and flushes the rules.
  - save: saves the current iptables rules to the configuration file.
  - status: shows the iptables status.
  - reload: reloads the iptables configuration.
  - restart: restarts the iptables service.
  - condrestart and try-restart: conditional restart, which restarts the service only when it is currently running (the lock file /var/lock/subsys/iptables exists).
- Permission check: the script checks that it is run as root; if not, it prints an error message and exits.
- Main logic: depending on the first argument ($1) the script performs a different operation. The argument can be start, stop, restart, reload, condrestart, status, panic or save, each mapping to one operation.
- Exit status: each operation returns a status code (RETVAL), which is used at the end of the script as its exit status and is passed to the system.
- Helper functions (sourced from /etc/init.d/functions):
  - success and failure: print the success or failure marker of an operation.
  - warning: prints a warning marker.

This script is the core of iptables service management; through it the system administrator can conveniently manage the host's firewall rules.
Its design lets the iptables service integrate easily into the system's service-management framework, enabling automated management.
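The save() function above shows a pattern worth keeping in any rule-persistence script of your own: the new rules go to a temporary file created next to the destination with mode 600, an empty result is refused, the previous file is preserved as a .save copy, and only then does mv replace the old file, so no reader ever sees a half-written rules file. The following is an added example, not code from the original post or from the iptables-services package, that isolates that pattern in a function taking the producer command as an argument; fake_iptables_save and broken_producer are constructed stand-ins for iptables-save so the example runs without root or a netfilter kernel, and atomic_save is this example's own name.

```shell
#!/bin/sh
# Added example (not from the original post): the save-file discipline of the
# save() function in iptables.init, isolated so it can be exercised with any
# producer command.

# Constructed stand-in for "iptables-save"; a real deployment passes
# iptables-save itself as the producer.
fake_iptables_save() {
    printf '%s\n' '*filter' ':INPUT ACCEPT [0:0]' \
        '-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT' \
        '-A INPUT -j REJECT --reject-with icmp-host-prohibited' 'COMMIT'
}

# Constructed producer that fails without output, to exercise the guard.
broken_producer() { return 1; }

# atomic_save DEST PRODUCER [ARGS...]
# Returns 0 on success. On any failure it returns 1 and leaves DEST untouched.
atomic_save() {
    dest=$1; shift
    # temp file in the same directory so the final mv is a rename, not a copy
    tmp=$(mktemp "$dest.XXXXXX") || return 1
    chmod 600 "$tmp" || { rm -f "$tmp"; return 1; }   # rules are root-only data
    if ! "$@" > "$tmp" 2>/dev/null || [ ! -s "$tmp" ]; then
        rm -f "$tmp"; return 1      # failed or empty output must never replace the rules
    fi
    if [ -e "$dest" ]; then
        cp -f "$dest" "$dest.save" && chmod 600 "$dest.save" || { rm -f "$tmp"; return 1; }
    fi
    mv -f "$tmp" "$dest" && chmod 600 "$dest"
}

# Stand-alone run in a scratch directory: one good save, one backed-up save,
# one refused save.
demo_dir=$(mktemp -d)
atomic_save "$demo_dir/iptables" fake_iptables_save && echo "saved"
atomic_save "$demo_dir/iptables" fake_iptables_save && echo "saved again, backup kept"
atomic_save "$demo_dir/iptables" broken_producer || echo "refused: empty output"
rm -rf "$demo_dir"
```

On a real host the call would be atomic_save /etc/sysconfig/iptables iptables-save, followed by restorecon on SELinux systems exactly as the script does; the script's IPTABLES_FALLBACK_DATA mechanism is the matching safeguard on the restore side.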
# systemctl start iptables
# systemctl status iptables
iptables.service - IPv4 firewall with iptables
Loaded: loaded (/usr/lib/systemd/system/iptables.service; disabled; vendor preset: disabled)
Active: active (exited) since 六 2024-03-30 21:02:35 CST; 1s ago
Process: 1693 ExecStart=/usr/libexec/iptables/iptables.init start (code=exited, status=0/SUCCESS)
Main PID: 1693 (code=exited, status=0/SUCCESS)
3月 30 21:02:35 localhost.localdomain systemd[1]: Starting IPv4 firewall with iptables...
3月 30 21:02:35 localhost.localdomain iptables.init[1693]: iptables: Applying firewall rules: [ 确定 ]
3月 30 21:02:35 localhost.localdomain systemd[1]: Started IPv4 firewall with iptables.
# iptables -nvL --line
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
num pkts bytes target prot opt in out source destination
1 87 6108 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
2 0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0
3 0 0 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
4 0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:22
5 0 0 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
num pkts bytes target prot opt in out source destination
1 0 0 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited
Chain OUTPUT (policy ACCEPT 48 packets, 4440 bytes)
num pkts bytes target prot opt in out source destination
The meaning of the fields shown for each rule:
- pkts: number of packets the rule has matched
- bytes: total size of the packets the rule has matched
- target: the rule's target, usually its "action", i.e. what is done once the rule matches
- prot: the protocol the rule applies to, i.e. whether the rule is restricted to certain protocols
- opt: the rule's options
- in: the interface (network card) the packet arrives on, i.e. where it comes from
- out: the interface (network card) the packet leaves through, i.e. where it goes
- source: the source address the rule matches; an IP address or a network range
- destination: the destination address the rule matches; an IP address or a network range
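The columns described above can be parsed rather than read by eye. This added shell example (not from the original post) splits the output of iptables -nvL --line-numbers into per-rule records and answers two questions that the telnet tests further down confirm by hand: which TCP destination ports an ACCEPT rule in INPUT opens, and how many packets a given rule has matched. LISTING is a constructed copy of the output shown above; the function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the original post): parse "iptables -nvL --line-numbers"
# output into records so the listing can be queried.

# Constructed copy of the listing shown above.
LISTING='Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1       87  6108 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
2        0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0
3        0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
4        0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:22
5        0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1        0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT 48 packets, 4440 bytes)
num   pkts bytes target     prot opt in     out     source               destination'

# listing_records < listing
# One record per rule, fields separated by "|":
# chain|num|pkts|bytes|target|prot|in|out|source|destination|extra
# ("opt" is dropped; "extra" holds match details such as "state NEW tcp dpt:22").
listing_records() {
    awk '
        /^Chain / { chain = $2; next }       # "Chain INPUT (policy ACCEPT ...)"
        /^num /   { next }                   # column header
        NF == 0   { next }                   # blank line between chains
        {
            extra = ""
            for (i = 11; i <= NF; i++) extra = extra (i > 11 ? " " : "") $i
            printf "%s|%s|%s|%s|%s|%s|%s|%s|%s|%s|%s\n", \
                chain, $1, $2, $3, $4, $5, $7, $8, $9, $10, extra
        }'
}

# chain_policy CHAIN < listing : the default policy printed in the chain header.
chain_policy() {
    awk -v c="$1" '$1 == "Chain" && $2 == c { print $4 }'
}

# accepted_tcp_ports CHAIN < listing : TCP destination ports opened by ACCEPT
# rules in CHAIN, taken from the "dpt:N" token of the extra field.
accepted_tcp_ports() {
    listing_records | awk -F'|' -v c="$1" '
        $1 == c && $5 == "ACCEPT" && $6 == "tcp" {
            if (match($11, /dpt:[0-9]+/)) print substr($11, RSTART + 4, RLENGTH - 4)
        }'
}

# rule_pkts CHAIN NUM < listing : packet counter of rule NUM, i.e. how often it matched.
rule_pkts() {
    listing_records | awk -F'|' -v c="$1" -v n="$2" '$1 == c && $2 == n { print $3 }'
}

# Stand-alone run on the constructed listing.
printf '%s\n' "$LISTING" | listing_records
printf 'INPUT policy: %s\n' "$(printf '%s\n' "$LISTING" | chain_policy INPUT)"
printf 'TCP ports accepted in INPUT: %s\n' "$(printf '%s\n' "$LISTING" | accepted_tcp_ports INPUT)"
```

On a live host feed it the real listing: iptables -nvL --line-numbers | accepted_tcp_ports INPUT. Counters that stay at 0 after a test connection tell you the packet never reached that rule, which is the first thing to check when a port appears open in the file but is refused on the wire.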
# telnet 192.168.0.104 22
Trying 192.168.0.104...
Connected to 192.168.0.104.
Escape character is '^]'.
SSH-2.0-OpenSSH_7.4
Protocol mismatch.
Connection closed by foreign host.
# echo > /dev/tcp/192.168.0.104/22
# echo > /dev/tcp/192.168.0.104/80
-bash: connect: 没有到主机的路由
-bash: /dev/tcp/192.168.0.104/80: 没有到主机的路由
# telnet 192.168.0.104 80
Trying 192.168.0.104...
telnet: connect to address 192.168.0.104: No route to host