udp扩展（-m udp；使用 -p udp 时会自动加载同名扩展，下面规则中显式写出只是为了清晰）
匹配源端口--sport
匹配目标端口--dport
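# Reject inbound NetBIOS name service (137/udp) and datagram service (138/udp).
# The protocol option is "-p udp" (the original had the typo "dup", which
# iptables rejects as an unknown protocol). "-m udp" is loaded implicitly by
# "-p udp"; it is kept here only for explicitness.
# REJECT answers with an ICMP port-unreachable; use DROP instead if you would
# rather not reveal that a filter is in place.
iptables -t filter -A INPUT -p udp -m udp --dport 137 -j REJECT
iptables -t filter -A INPUT -p udp -m udp --dport 138 -j REJECT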
端口范围
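# Port range: "--dport low:high" is inclusive, so this matches 136 and 137.
# Protocol must be "-p udp" (the original "dup" is a typo iptables rejects).
iptables -t filter -A INPUT -p udp -m udp --dport 136:137 -j REJECT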
icmp扩展
ping 走的是 ICMP 协议：发出的是 echo-request（type 8, code 0），对端回应的是 echo-reply（type 0）
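# Three equivalent ways of rejecting inbound ICMP echo-request (what "ping"
# sends). The protocol is selected with "-p icmp" (the original "ip icmp" is
# not valid syntax) and the target is REJECT (not "REJEST").
# "-I INPUT" inserts at the head of the chain, so these take precedence over
# any ACCEPT rule that was appended earlier. Type 8 / code 0 == echo-request.
iptables -t filter -I INPUT -p icmp -m icmp --icmp-type 8/0 -j REJECT
iptables -t filter -I INPUT -p icmp -m icmp --icmp-type 8 -j REJECT
iptables -t filter -I INPUT -p icmp -m icmp --icmp-type "echo-request" -j REJECT
# Note: only type 8 is matched, so the host can still ping out; the replies it
# receives are type 0 and are not affected by these rules.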
state扩展
状态–连接追踪:
NEW--新建连接第一个报文
ESTABLISHED 已建立连接
RELATED 关联连接：由已有连接派生出的新连接，如 FTP 的数据连接由控制连接派生（需要加载 nf_conntrack_ftp 等连接跟踪辅助模块才能被识别为 RELATED）
INVALID 无法被识别、不属于任何已知连接的报文（通常应直接丢弃）
UNTRACKED 报文未被连接跟踪（例如在 raw 表中被 NOTRACK 标记的报文）
禁止新的连接的建立：下面这条规则只放行已建立/关联的连接，它本身并不会拒绝 NEW；必须配合 INPUT 链的默认策略 DROP（iptables -t filter -P INPUT DROP）或在其后追加一条 -m state --state NEW -j DROP，否则新连接仍会被默认策略 ACCEPT 放行
# Accept only packets that belong to, or are related to, a connection that
# conntrack is already tracking. Inserted at position 1 so it is evaluated
# before any other INPUT rule.
# On its own this rule does not block anything: with the default INPUT policy
# of ACCEPT, NEW connections are still admitted. To refuse new connections,
# pair it with a default-deny policy or a trailing "--state NEW -j DROP" rule,
# and add this rule first when working over SSH so the session survives.
# "-m state" is the legacy match; "-m conntrack --ctstate RELATED,ESTABLISHED"
# is the modern equivalent.
iptables -I INPUT 1 -t filter -m state --state ESTABLISHED,RELATED -j ACCEPT
自定义链
除了 iptables 提供的 INPUT、PREROUTING、FORWARD、POSTROUTING、OUTPUT 这些内置链之外，我们还可以自定义链。报文不会自动经过自定义链，它必须被某条内置链（或其他链）中的规则用 -j 引用才会生效——下面 -nvxL 输出中的 "references" 计数就是引用次数
[root@localhost ~]# iptables -t filter -N INWEB
[root@localhost ~]# iptables -t filter -nvxL | grep INWEB
Chain INWEB (0 references)
[root@localhost ~]# iptables -t filter -nvxL INWEB
Chain INWEB (0 references)
pkts bytes target prot opt in out source destination
添加规则
[root@localhost ~]# iptables -t filter -I INWEB -s 192.168.2.2 -d 192.168.1.3 -j ACCEPT
[root@localhost ~]# iptables -t filter -nvxL INWEB
Chain INWEB (0 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- * * 192.168.2.2 192.168.1.3
引用（注意：下面命令中的 -d 92.168.1.3 少打了一个 1，与 INWEB 链内规则的目的地址 192.168.1.3 不一致；照此输入后，发往 192.168.1.3 的报文根本不会跳入 INWEB，链内的 ACCEPT 永远不会命中。正确写法应为 -d 192.168.1.3）
[root@localhost ~]# iptables -t filter -A INPUT -s 192.168.2.2 -d 92.168.1.3 -j INWEB
[root@localhost ~]# iptables -t filter -nvxL INWEB
Chain INWEB (1 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- * * 192.168.2.2 192.168.1.3
删除自定义链：-X 要求该链的引用计数为 0 且链内没有任何规则，下面的两个报错分别对应这两种情况（"Too many links" 表示仍被引用，"Directory not empty" 表示链内还有规则），需先删掉引用它的规则和链内规则
[root@localhost ~]# iptables -t filter -X INWEB
iptables: Too many links.
[root@localhost ~]# iptables -t filter -A INPUT -s 192.168.2.2 -d 92.168.1.3 -j INWEB^C
[root@localhost ~]# iptables -t filter -nvxL INPUT
Chain INPUT (policy ACCEPT 58 packets, 4048 bytes)
pkts bytes target prot opt in out source destination
0 0 INWEB all -- * * 192.168.2.2 92.168.1.3
[root@localhost ~]# iptables -t filter -D INPUT 1
[root@localhost ~]# iptables -t filter -X INWEB
iptables: Directory not empty.
[root@localhost ~]# iptables -t filter -D INWEB 1
[root@localhost ~]# iptables -t filter -X INWEB
参考:
扩展模块udp和icmp