
NetFilter/iptables Firewall Setup (Final Part)

2007-02-23 12:39:42 Source: WEB开发网

Now that the firewall is configured, we need to think about how to monitor it so that problems are noticed. I have already mentioned that logging is one way, but iptables can also report the hit counters of all the rules at once:

iptables -L -v
iptables -t nat -L -v

The first command gives a verbose listing of the rules in every chain of the (default) filter table, showing each rule's match criteria together with the number of packets and bytes it has matched. The second command gives the same for the NAT table. Here is sample output for the filter table:

Chain INPUT (policy DROP 2707 packets, 1083K bytes)
 pkts bytes target prot opt in   out source         destination
    0     0 DROP   tcp  --  any  any anywhere       anywhere     tcp dpt:irc
    0     0 DROP   udp  --  any  any anywhere       anywhere     udp dpt:irc
    0     0 DROP   tcp  --  any  any anywhere       anywhere     tcp dpt:irc-serv
    0     0 DROP   udp  --  any  any anywhere       anywhere     udp dpt:irc-serv
    0     0 DROP   tcp  --  any  any anywhere       anywhere     tcp dpt:ircs
    0     0 DROP   udp  --  any  any anywhere       anywhere     udp dpt:ircs
    0     0 REJECT all  --  eth1 any 10.67.232.0/24 anywhere     reject-with icmp-net-prohibited
    0     0 REJECT all  --  eth1 any 10.220.231.236 anywhere     reject-with icmp-host-prohibited
 2169  524K ACCEPT all  --  lo   any anywhere       anywhere
 226K   38M ACCEPT all  --  eth0 any 192.168.1.0/24 anywhere
 224K   26M ACCEPT all  --  eth1 any anywhere       anywhere     state RELATED,ESTABLISHED
    0     0 ACCEPT icmp --  any  any anywhere       anywhere     icmp echo-reply
    0     0 ACCEPT icmp --  any  any anywhere       anywhere     icmp destination-unreachable
    0     0 ACCEPT icmp --  any  any anywhere       anywhere     icmp time-exceeded
14647  640K ACCEPT icmp --  any  any anywhere       anywhere     icmp echo-request limit: avg 1/sec burst 5
    9   432 ACCEPT tcp  --  eth1 any anywhere       10.0.0.1     tcp dpt:2202
 4350 1459K DROP   udp  --  eth1 any anywhere       anywhere     udp spt:bootps
 3576 1103K LOG    all  --  eth1 any anywhere       anywhere     LOG level warning prefix `INPUT  '
  950 47785 REJECT tcp  --  any  any anywhere       anywhere     reject-with tcp-reset

Chain FORWARD (policy DROP 7 packets, 1400 bytes)
 pkts bytes target prot opt in   out source         destination
1302K  681M ACCEPT all  --  eth1 eth0 anywhere      anywhere     state RELATED,ESTABLISHED
1229K  253M ACCEPT all  --  eth0 eth1 anywhere      anywhere
  411 21920 ACCEPT tcp  --  eth1 any anywhere       anywhere     state NEW,RELATED,ESTABLISHED tcp dpt:smtp
    1    48 ACCEPT tcp  --  eth1 any anywhere       anywhere     state NEW,RELATED,ESTABLISHED tcp dpt:pop3
  681 39308 ACCEPT tcp  --  eth1 any anywhere       anywhere     state NEW,RELATED,ESTABLISHED tcp dpt:http
    0     0 LOG    all  --  any  any anywhere       anywhere     LOG level warning prefix `FORWARD '

Chain OUTPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target prot opt in   out source         destination
 2169  524K ACCEPT all  --  any  lo   anywhere      anywhere
 246K   23M ACCEPT all  --  any  eth0 anywhere      192.168.1.0/24
 220K   43M ACCEPT all  --  any  eth1 anywhere      anywhere
    0     0 LOG    all  --  any  eth1 anywhere      anywhere     LOG level warning prefix `OUTPUT '
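As an added example (not from the original article), here is a small POSIX shell script that reads the output of iptables -L -v and reports which DROP/REJECT/LOG rules and which chain policies have non-zero counters, which is what you would actually check when monitoring the firewall this way. The listing it parses is constructed from the sample above, and the function names rule_hits and policy_counts are my own.

```shell
#!/bin/sh
# Added example (not from the original article): report which DROP/REJECT/LOG
# rules and which chain policies are actually matching traffic, from `iptables -L -v`
# output. Both functions read the listing on stdin:  iptables -L -v -n | rule_hits "DROP REJECT LOG"

# awk helper shared by both functions: iptables abbreviates large counters
# with K/M/G suffixes (base 1000); expand them back to plain integers.
AWK_EXPAND='
function expand(v, n) {
    n = v + 0                        # awk keeps the leading digits of "226K"
    if (v ~ /K$/) n *= 1000
    else if (v ~ /M$/) n *= 1000000
    else if (v ~ /G$/) n *= 1000000000
    return n
}'

# Print "CHAIN TARGET packets" for every rule whose target is in the
# space-separated list $1 and whose packet counter is non-zero.
rule_hits() {
    awk -v targets="$1" "$AWK_EXPAND"'
        BEGIN { n = split(targets, t, " "); for (i = 1; i <= n; i++) want[t[i]] = 1 }
        /^Chain / { chain = $2; next }     # remember which chain we are in
        $1 == "pkts" { next }              # skip the column header line
        ($3 in want) && expand($1) > 0 { print chain, $3, expand($1) }
    '
}

# Print "CHAIN POLICY packets": traffic that matched no rule and hit the default policy.
policy_counts() {
    awk "$AWK_EXPAND"'
        /^Chain / && $3 == "(policy" { print $2, $4, expand($5) }
    '
}

# Constructed sample condensed from the listing above (real output has one rule
# per line; the breaks in the article are from web-page wrapping).
SAMPLE_LISTING='Chain INPUT (policy DROP 2707 packets, 1083K bytes)
 pkts bytes target prot opt in   out source         destination
    0     0 DROP   tcp  --  any  any anywhere       anywhere     tcp dpt:irc
 226K   38M ACCEPT all  --  eth0 any 192.168.1.0/24 anywhere
 4350 1459K DROP   udp  --  eth1 any anywhere       anywhere     udp spt:bootps
 3576 1103K LOG    all  --  eth1 any anywhere       anywhere     LOG level warning prefix "INPUT  "
  950 47785 REJECT tcp  --  any  any anywhere       anywhere     reject-with tcp-reset
Chain FORWARD (policy DROP 7 packets, 1400 bytes)
 pkts bytes target prot opt in   out source         destination
  681 39308 ACCEPT tcp  --  eth1 any anywhere       anywhere     state NEW,RELATED,ESTABLISHED tcp dpt:http
    0     0 LOG    all  --  any  any anywhere       anywhere     LOG level warning prefix "FORWARD "'

printf '%s\n' "$SAMPLE_LISTING" | rule_hits "DROP REJECT LOG"
printf '%s\n' "$SAMPLE_LISTING" | policy_counts
```

Run it periodically and compare against the previous run: a DROP or REJECT counter that suddenly grows, or a non-zero count on a DROP policy in OUTPUT, points at traffic that deserves a look in the log.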

Here is sample output for the NAT table:
