本文主要是介绍iptables and ebtables,希望对大家解决编程问题提供一定的参考价值,需要的开发者们随着小编来一起学习吧!
iptables和ebtables都是linux上常用的防火墙,前者主要负责网络层的数据包过滤,后者则负责数据链路层的包过滤。对于两者的语法,可以参考博文 http://blog.csdn.net/windxxf/article/details/815973
http://itoedr.blog.163.com/blog/static/1202842972012101022023796/
下面是本人总结的相关防火墙策略
iptables
1) Allow all packets input from eth1
2) Allow all packets output to eth0
3) Transmit packets from eth1 to eth0
4) Defend SYN Flood
5) Forbid new access request from eth0
6) Accept tcp traffic from 01:02:03:04:05:06
7) Deny pings from outside
8) Allow the source ip 202.106.12.130 to connect theSSH service port:
9) Drop all request of icmp echo request from eth1
10) Replace the source address and port to one of194.236.50.155~194.236.50.160 and one of 1024~32000 for all tcp traffic frometh0
11) Allow 192.168.1.34 pretend to access outsidenetwork’s 25 port from eth0
12) Transmit all traffic send to 15.45.23.67 to arange of LAN: 192.168.1.2~192.168.1.10.
1. iptables -A INPUT -i eth1 -j ACCEPT
2. iptables -A OUTPUT -i eth0 -j ACCEPT
3. iptables -A FORWARD -i eth1 -o eth0 -j ACCEPT
4. iptables -A INPUT -p tcp --syn -m limit --limit1/s -j ACCEPT
5. iptables -A INPUT -i eth0 -m state --state NEW -jDROP
6. iptables -A INPUT -p tcp -m mac --mac-source01:02:03:04:05:06 -j ACCEPT
7. iptables -A INPUT -p icmp --icmp-type 8 -j DROP
8. iptables -A INPUT -p tcp -s 202.106.12.130--dport 22 -j ACCEPT
9. iptables -A INPUT -p icmp --icmp-type echo-request-i eth1 -j DROP
10. iptables -t nat -A POSTROUTING -p tcp -o eth0 -jSNAT --to-source 194.236.50.155-194.236.50.160:1024-32000
11. iptables -A INPUT -s 192.168.1.34 -i eth0--dport 25 -j ACCEPT
12. iptables -t nat -A PREROUTING -d 15.45.23.67 -jDNAT --to-destination 192.168.1.2-19.168.1.10
ebtables1)Forward the packets with source MAC00:11:22:33:44:55
2) Change the iptables rule to ebtables: iptables -AFORWARD -s 172.16.1.4 -m mac --mac-source ! 00:11:22:33:44:55 -j DROP
3) Drop all traffic with matching MAC-IP sourceaddress pairs: 00:11:22:33:44:55->192.168.1.300:66:77:88:00:11->192.168.1.4
4) Make all frames destined to 00:11:22:33:44:55that arrived on interface eth0 be transferred to 54:44:33:22:11:00 instead
5) br0 is 0.0.0.0, eth0 is 172.16.1.1, br0 has eth0,make the IP packets must be routed enter the IP routing code through the eth0device, not through the br0 device
6) Make all IP traffic that entered through eth0with the second mark value; and let later rules have the chance of seeing theframe/packet
7) Using arpreply for arp requests and letting thearp request populate the arp cache
8) send all to be forwarded packets to userspaceprograms listening on netlink group number 5 before dropping the packets
1. ebtables -A FORWARD -s 00:11:22:33:44:55 -jACCEPT
2. ebtables -A FORWARD -p ipv4 --ip-src 172.16.1.4-s!00:11:22:33:44:55 -j DROP
3. ebtables -N MACHINE-MC-IP-PAIR
ebtables -AFORWARD -p ipv4 --among-dst00:11:22:33:44:55=172.16.1.4,00:11:33:44:22:55=172.16.1.5 -j MACHINE-MC-IP-PAIR
4. ebtables -t nat -A PREROUTING -d00:11:22:33:44:55 -i eth0 -j DNAT --to-destination 54:44:33:22:11:00
5. ebtables -t broute -A BROUTING -p ipv4 -i eth0--ip-dst 172.16.1.1 -j DROP
6. ebtables -t broute -A BROUTING -i eth0 -p ipv4 -jREDIRECT --redirect-target DROP
7. ebtables -t nat -A PREROUTING -p arp --arp-opcodeRequest -j ARPREPLY --arpreply-mac 10:11:12:13:14:15
8. ebtables -A FORWARD --ulog-nlgroup 5 -j DROP
这篇关于iptables and ebtables的文章就介绍到这儿,希望我们推荐的文章对编程师们有所帮助!
