防火墙的配置
丢弃来自192.168.10.36的所有数据包（-A 表示在链尾追加规则）
[root@chenxi ~]# iptables -A INPUT -s 192.168.10.36 -j DROP
查看默认表的规则，带行号显示（--line-numbers）
[root@chenxi ~]# iptables -vnL --line-numbers Chain INPUT (policy ACCEPT 271 packets, 20573 bytes) num pkts bytes target prot opt in out source destination 1 37 3108 DROP all -- * * 192.168.10.36 0.0.0.0/0 Chain FORWARD (policy ACCEPT 0 packets, 0 bytes) num pkts bytes target prot opt in out source destination Chain OUTPUT (policy ACCEPT 48 packets, 4440 bytes) num pkts bytes target prot opt in out source destination
允许来自192.168.10.36的所有数据包（规则按顺序匹配：下面的列表中 ACCEPT 位于第1条、DROP 位于第2条，ACCEPT 必须排在 DROP 之前才会生效）
[root@chenxi ~]# iptables -vnL --line-numbers Chain INPUT (policy ACCEPT 44 packets, 3358 bytes) num pkts bytes target prot opt in out source destinatio 1 8 672 ACCEPT all -- * * 192.168.10.36 0.0.0.0/0 2 37 3108 DROP all -- * * 192.168.10.36 0.0.0.0/0 Chain FORWARD (policy ACCEPT 0 packets, 0 bytes) num pkts bytes target prot opt in out source destinatio Chain OUTPUT (policy ACCEPT 16 packets, 2256 bytes) num pkts bytes target prot opt in out source destination
查看nat表里的链
[root@chenxi ~]# iptables -vnL --line-numbers -t nat Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes) num pkts bytes target prot opt in out source destinatio n Chain INPUT (policy ACCEPT 0 packets, 0 bytes) num pkts bytes target prot opt in out source destinatio n Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes) num pkts bytes target prot opt in out source destinatio n Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes) num pkts bytes target prot opt in out source destinatio n [root@chenxi ~]# iptables -vnL --line-numbers -t nat Chain PREROUTING (policy ACCEPT 3 packets, 240 bytes) num pkts bytes target prot opt in out source destination Chain INPUT (policy ACCEPT 2 packets, 162 bytes) num pkts bytes target prot opt in out source destination Chain OUTPUT (policy ACCEPT 1 packets, 716 bytes) num pkts bytes target prot opt in out source destination Chain POSTROUTING (policy ACCEPT 1 packets, 716 bytes) num pkts bytes target prot opt in out source destination
查看规则
[root@chenxi ~]# iptables -nL Chain INPUT (policy ACCEPT) target prot opt source destination ACCEPT all -- 192.168.10.36 0.0.0.0/0 DROP all -- 192.168.10.36 0.0.0.0/0 Chain FORWARD (policy ACCEPT) target prot opt source destination Chain OUTPUT (policy ACCEPT) target prot opt source destination
删除第1条规则
[root@chenxi ~]# iptables -D INPUT 1 [root@chenxi ~]# iptables -nL Chain INPUT (policy ACCEPT) target prot opt source destination DROP all -- 192.168.10.36 0.0.0.0/0 Chain FORWARD (policy ACCEPT) target prot opt source destination Chain OUTPUT (policy ACCEPT) target prot opt source destination
添加允许192.168.10.1主机的报文出入本机的规则（-s 指定源地址，-d 指定目标地址）
[root@chenxi ~]# iptables -A INPUT -s 192.168.10.1 -j ACCEPT [root@chenxi ~]# iptables -A OUTPUT -d 192.168.10.1 -j ACCEPT [root@chenxi ~]# iptables -nL Chain INPUT (policy ACCEPT) target prot opt source destination DROP all -- 192.168.10.36 0.0.0.0/0 ACCEPT all -- 192.168.10.1 0.0.0.0/0 Chain FORWARD (policy ACCEPT) target prot opt source destination Chain OUTPUT (policy ACCEPT) target prot opt source destination ACCEPT all -- 0.0.0.0/0 192.168.10.1
修改链的默认策略为 DROP（-P；未用 -t 指定表时默认操作 filter 表）
[root@chenxi ~]# iptables -P INPUT DROP [root@chenxi ~]# iptables -P OUTPUT DROP [root@chenxi ~]# iptables -nL Chain INPUT (policy DROP) target prot opt source destination DROP all -- 192.168.10.36 0.0.0.0/0 ACCEPT all -- 192.168.10.1 0.0.0.0/0 Chain FORWARD (policy ACCEPT) target prot opt source destination Chain OUTPUT (policy DROP) target prot opt source destination ACCEPT all -- 0.0.0.0/0 192.168.10.1
在192.168.10.36主机用ping命令测试
[root@mail bin]# ping 192.168.10.40 PING 192.168.10.40 (192.168.10.40) 56(84) bytes of data.
在192.168.10.40主机上添加允许192.168.10.36的数据包进来的规则（此时 tcpdump 只能看到 echo request 而没有 reply，因为 OUTPUT 链默认策略为 DROP，回包被丢弃）
[root@chenxi ~]# iptables -A INPUT -s 192.168.10.36 -j ACCEPT [root@chenxi ~]# tcpdump -i ens33 -nn icmp tcpdump: verbose output suppressed, use -v or -vv for full protocol decode listening on ens33, link-type EN10MB (Ethernet), capture size 262144 bytes 08:39:08.910676 IP 192.168.10.36 > 192.168.10.40: ICMP echo request, id 40976, seq 149, length 6408:39:09.910752 IP 192.168.10.36 > 192.168.10.40: ICMP echo request, id 40976, seq 150, length 6408:39:10.922666 IP 192.168.10.36 > 192.168.10.40: ICMP echo request, id 40976, seq 151, length 6408:39:11.940137 IP 192.168.10.36 > 192.168.10.40: ICMP echo request, id 40976, seq 152, length 64
在192.168.10.40主机上添加允许目标地址为192.168.10.36的数据包出去的规则（之后 tcpdump 才能看到 echo reply）
[root@chenxi ~]# iptables -A OUTPUT -d 192.168.10.36 -j ACCEPT [root@chenxi ~]# iptables -nL Chain INPUT (policy DROP) target prot opt source destination ACCEPT all -- 192.168.10.1 0.0.0.0/0 ACCEPT all -- 192.168.10.36 0.0.0.0/0 Chain FORWARD (policy ACCEPT) target prot opt source destination Chain OUTPUT (policy DROP) target prot opt source destination ACCEPT all -- 0.0.0.0/0 192.168.10.1 ACCEPT all -- 0.0.0.0/0 192.168.10.36 08:40:53.800793 IP 192.168.10.36 > 192.168.10.40: ICMP echo request, id 40976, seq 253, length 64 08:40:53.801135 IP 192.168.10.40 > 192.168.10.36: ICMP echo reply, id 40976, seq 253, length 64
添加允许192.168.10.36以icmp协议ping通192.168.10.40主机的规则（-p 限定协议）
[root@chenxi ~]# iptables -A INPUT -s 192.168.10.36 -p icmp -j ACCEPT 进主机的规则 [root@mail bin]# ping 192.168.10.40 PING 192.168.10.40 (192.168.10.40) 56(84) bytes of data. [root@chenxi ~]# tcpdump -i ens33 -nn icmp tcpdump: verbose output suppressed, use -v or -vv for full protocol decode listening on ens33, link-type EN10MB (Ethernet), capture size 262144 bytes 08:55:23.850949 IP 192.168.10.36 > 192.168.10.40: ICMP echo request, id 41488, seq 6, length 64 08:55:24.851240 IP 192.168.10.36 > 192.168.10.40: ICMP echo request, id 41488, seq 7, length 64 08:55:25.851304 IP 192.168.10.36 > 192.168.10.40: ICMP echo request, id 41488, seq 8, length 64 08:55:26.855839 IP 192.168.10.36 > 192.168.10.40: ICMP echo request, id 41488, seq 9, length 64 08:55:27.853459 IP 192.168.10.36 > 192.168.10.40: ICMP echo request, id 41488, seq 10, length 64 08:55:28.854609 IP 192.168.10.36 > 192.168.10.40: ICMP echo request, id 41488, seq 11, length 64 08:55:29.857906 IP 192.168.10.36 > 192.168.10.40: ICMP echo request, id 41488, seq 12, length 64 08:55:30.856784 IP 192.168.10.36 > 192.168.10.40: ICMP echo request, id 41488, seq 13, length 64 08:55:31.858473 IP 192.168.10.36 > 192.168.10.40: ICMP echo request, id 41488, seq 14, length 64 08:55:32.857969 IP 192.168.10.36 > 192.168.10.40: ICMP echo request, id 41488, seq 15, length 64 08:55:33.859005 IP 192.168.10.36 > 192.168.10.40: ICMP echo request, id 41488, seq 16, length 64 08:55:34.914116 IP 192.168.10.36 > 192.168.10.40: ICMP echo request, id 41488, seq 17, length 64 08:55:35.916034 IP 192.168.10.36 > 192.168.10.40: ICMP echo request, id 41488, seq 18, length 64 08:55:36.916717 IP 192.168.10.36 > 192.168.10.40: ICMP echo request, id 41488, seq 19, length 64 08:55:37.940721 IP 192.168.10.36 > 192.168.10.40: ICMP echo request, id 41488, seq 20, length 64 08:55:38.935520 IP 192.168.10.36 > 192.168.10.40: ICMP echo request, id 41488, seq 21, length 64 08:55:39.935601 IP 192.168.10.36 > 192.168.10.40: ICMP echo request, id 4148 
[root@chenxi ~]# iptables -A OUTPUT -d 192.168.10.36 -p icmp -j ACCEPT 出主机的规则 [root@chenxi ~]# iptables -nL Chain INPUT (policy DROP) target prot opt source destination ACCEPT all -- 192.168.10.1 0.0.0.0/0 ACCEPT icmp -- 192.168.10.36 0.0.0.0/0 Chain FORWARD (policy ACCEPT) target prot opt source destination Chain OUTPUT (policy DROP) target prot opt source destination ACCEPT all -- 0.0.0.0/0 192.168.10.1 ACCEPT icmp -- 0.0.0.0/0 192.168.10.36 8, seq 22, length 64 08:55:39.935702 IP 192.168.10.40 > 192.168.10.36: ICMP echo reply, id 41488, seq 22, length 64 08:55:40.936550 IP 192.168.10.36 > 192.168.10.40: ICMP echo request, id 41488, seq 23, length 64 08:55:40.936628 IP 192.168.10.40 > 192.168.10.36: ICMP echo reply, id 41488, seq 23, length 64 08:55:41.938630 IP 192.168.10.36 > 192.168.10.40: ICMP echo request, id 41488, seq 24, length 64 08:55:41.938690 IP 192.168.10.40 > 192.168.10.36: ICMP echo reply, id 41488, seq 24, length 64 08:55:42.939814 IP 192.168.10.36 > 192.168.10.40: ICMP echo request, id 41488, seq 25, length 64 08:55:42.939889 IP 192.168.10.40 > 192.168.10.36: ICMP echo reply, id 41488, seq 25, length 64 08:55:43.941753 IP 192.168.10.36 > 192.168.10.40: ICMP echo request, id 41488, seq 26, length 64 08:55:43.941831 IP 192.168.10.40 > 192.168.10.36: ICMP echo reply, id 41488, seq 26, length 64 08:55:44.975164 IP 192.168.10.36 > 192.168.10.40: ICMP echo request, id 41488, seq 27, length 64 08:55:44.975228 IP 192.168.10.40 > 192.168.10.36: ICMP echo reply, id 41488, seq 27, length 64 [root@mail bin]# ping 192.168.10.40 PING 192.168.10.40 (192.168.10.40) 56(84) bytes of data. 64 bytes from 192.168.10.40: icmp_seq=22 ttl=64 time=0.493 ms 64 bytes from 192.168.10.40: icmp_seq=23 ttl=64 time=1.09 ms 64 bytes from 192.168.10.40: icmp_seq=24 ttl=64 time=0.336 ms 64 bytes from 192.168.10.40: icmp_seq=25 ttl=64 time=1.36 ms 64 bytes from 192.168.10.40: icmp_seq=26 ttl=64 time=0.430 ms 64 bytes from 192.168.10.40: icmp_seq=27 ttl=64 time=0.243 ms
在192.168.10.40主机上添加允许192.168.10.36访问本机22端口的规则（INPUT 链放行 --dport 22 的进入包，OUTPUT 链放行 --sport 22 的返回包，两条都需要，因为两条链的默认策略都是 DROP）
[root@mail bin]# ssh 192.168.10.40 ssh: connect to host 192.168.10.40 port 22: Connection timed out [root@chenxi ~]# iptables -A INPUT -s 192.168.10.36 -p tcp --dport 22 -j ACCEPT 进来数据包 [root@chenxi ~]# iptables -A OUTPUT -d 192.168.10.36 -p tcp --sport 22 -j ACCEPT 返回数据包 [root@chenxi ~]# iptables -nL Chain INPUT (policy DROP) target prot opt source destination ACCEPT all -- 192.168.10.1 0.0.0.0/0 ACCEPT icmp -- 192.168.10.36 0.0.0.0/0 ACCEPT tcp -- 192.168.10.36 0.0.0.0/0 tcp dpt:22 Chain FORWARD (policy ACCEPT) target prot opt source destination Chain OUTPUT (policy DROP) target prot opt source destination ACCEPT all -- 0.0.0.0/0 192.168.10.1 ACCEPT icmp -- 0.0.0.0/0 192.168.10.36 ACCEPT tcp -- 0.0.0.0/0 192.168.10.36 tcp spt:22 [root@mail bin]# ssh 192.168.10.40 The authenticity of host '192.168.10.40 (192.168.10.40)' can't be established. RSA key fingerprint is c9:1c:63:b4:a2:a5:c4:cf:5a:a2:46:19:81:63:d2:f5. Are you sure you want to continue connecting (yes/no)? yes Warning: Permanently added '192.168.10.40' (RSA) to the list of known hosts. root@192.168.10.40's password: Last login: Tue Mar 19 08:37:05 2019 from 192.168.10.1 [root@chenxi ~]#
拒绝源地址为192.168.10.36主机的tcp第一次握手连接（--syn 匹配 SYN 包；-I INPUT 2 将规则插到第2条，排在放行22端口的规则之前所以先被命中；REJECT 会回送 icmp-port-unreachable，因此客户端看到 Connection refused，而上面的 DROP 只会让连接超时）
[root@chenxi ~]# iptables -I INPUT 2 -s 192.168.10.36 -p tcp --syn -j REJECT [root@chenxi ~]# iptables -nL Chain INPUT (policy DROP) target prot opt source destination ACCEPT all -- 192.168.10.1 0.0.0.0/0 REJECT tcp -- 192.168.10.36 0.0.0.0/0 tcp flags:0x17/0x02 reject-with icmp-port-unreachable ACCEPT icmp -- 192.168.10.36 0.0.0.0/0 ACCEPT tcp -- 192.168.10.36 0.0.0.0/0 tcp dpt:22 Chain FORWARD (policy ACCEPT) target prot opt source destination Chain OUTPUT (policy DROP) target prot opt source destination ACCEPT all -- 0.0.0.0/0 192.168.10.1 ACCEPT icmp -- 0.0.0.0/0 192.168.10.36 ACCEPT tcp -- 0.0.0.0/0 192.168.10.36 tcp spt:22 [root@mail ~]# ssh 192.168.10.40 ssh: connect to host 192.168.10.40 port 22: Connection refused [root@mail ~]# ssh 192.168.10.40 ssh: connect to host 192.168.10.40 port 22: Connection refused [root@mail bin]# ssh 192.168.10.40 The authenticity of host '192.168.10.40 (192.168.10.40)' can't be established. RSA key fingerprint is c9:1c:63:b4:a2:a5:c4:cf:5a:a2:46:19:81:63:d2:f5. Are you sure you want to continue connecting (yes/no)? yes Warning: Permanently added '192.168.10.40' (RSA) to the list of known hosts. 
root@192.168.10.40's password: Last login: Tue Mar 19 08:37:05 2019 from 192.168.10.1 [root@chenxi ~]# ls anaconda-ks.cfg [root@chenxi ~]# ip a 1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000 link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00 inet 127.0.0.1/8 scope host lo valid_lft forever preferred_lft forever inet6 ::1/128 scope host valid_lft forever preferred_lft forever 2: ens33: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000 link/ether 00:0c:29:40:c2:01 brd ff:ff:ff:ff:ff:ff inet 192.168.10.40/24 brd 192.168.10.255 scope global noprefixroute ens33 valid_lft forever preferred_lft forever inet6 fe80::6e0:d902:bf99:5840/64 scope link noprefixroute valid_lft forever preferred_lft forever 3: ens37: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000 link/ether 00:0c:29:40:c2:0b brd ff:ff:ff:ff:ff:ff inet 192.168.10.133/24 brd 192.168.10.255 scope global noprefixroute dynamic ens37 valid_lft 1453sec preferred_lft 1453sec inet6 fe80::24a2:2585:2b12:e5ab/64 scope link noprefixroute valid_lft forever preferred_lft forever
用“允许192.168.10.36访问本机22端口的TCP第一次握手”规则替换掉“拒绝所有来自192.168.10.36的TCP第一次握手”规则（-R 按编号替换）
[root@chenxi ~]# iptables -R INPUT 2 -s 192.168.10.36 -p tcp --dport 22 --syn -j ACCEPT -R 替换 [root@chenxi ~]# iptables -nL Chain INPUT (policy DROP) target prot opt source destination ACCEPT all -- 192.168.10.1 0.0.0.0/0 ACCEPT tcp -- 192.168.10.36 0.0.0.0/0 tcp dpt:22 flags:0x17/0x02 ACCEPT icmp -- 192.168.10.36 0.0.0.0/0 ACCEPT tcp -- 192.168.10.36 0.0.0.0/0 tcp dpt:22 Chain FORWARD (policy ACCEPT) target prot opt source destination Chain OUTPUT (policy DROP) target prot opt source destination ACCEPT all -- 0.0.0.0/0 192.168.10.1 ACCEPT icmp -- 0.0.0.0/0 192.168.10.36 ACCEPT tcp -- 0.0.0.0/0 192.168.10.36 tcp spt:22 [root@mail ~]# ssh 192.168.10.40 root@192.168.10.40's password: Last login: Tue Mar 19 09:23:21 2019 from 192.168.10.36 [root@chenxi ~]#
自定义链
[root@chenxi ~]# iptables -N chenxi 创建链 [root@chenxi ~]# iptables -nvL Chain INPUT (policy DROP 0 packets, 0 bytes) pkts bytes target prot opt in out source destination 12738 768K ACCEPT all -- * * 192.168.10.1 0.0.0.0/0 Chain FORWARD (policy ACCEPT 0 packets, 0 bytes) pkts bytes target prot opt in out source destination Chain OUTPUT (policy DROP 0 packets, 0 bytes) pkts bytes target prot opt in out source destination 17882 3969K ACCEPT all -- * * 0.0.0.0/0 192.168.10.1 Chain chenxi (0 references) pkts bytes target prot opt in out source destination [root@chenxi ~]# iptables -X chenxi 删除自定义链 [root@chenxi ~]# iptables -nvL Chain INPUT (policy DROP 0 packets, 0 bytes) pkts bytes target prot opt in out source destination 12776 771K ACCEPT all -- * * 192.168.10.1 0.0.0.0/0 Chain FORWARD (policy ACCEPT 0 packets, 0 bytes) pkts bytes target prot opt in out source destination Chain OUTPUT (policy DROP 0 packets, 0 bytes) pkts bytes target prot opt in out source destination 17897 3971K ACCEPT all -- * * 0.0.0.0/0 192.168.10.1 [root@chenxi ~]# iptables -N chenxi [root@chenxi ~]# iptables -A chenxi -p tcp --tcp-flags ALL ALL -j REJECT TCP状态连接标志位全为1拒绝掉 [root@chenxi ~]# iptables -A chenxi -p tcp --tcp-flags ALL NONE -j REJECT TCP状态连接全为0 拒绝掉 [root@chenxi ~]# iptables -nvL Chain INPUT (policy DROP 0 packets, 0 bytes) pkts bytes target prot opt in out source destination 13181 801K ACCEPT all -- * * 192.168.10.1 0.0.0.0/0 Chain FORWARD (policy ACCEPT 0 packets, 0 bytes) pkts bytes target prot opt in out source destination Chain OUTPUT (policy DROP 0 packets, 0 bytes) pkts bytes target prot opt in out source destination 18067 3989K ACCEPT all -- * * 0.0.0.0/0 192.168.10.1 Chain chenxi (0 references) pkts bytes target prot opt in out source destination 0 0 REJECT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x3F/0x3F reject-with icmp-port-unreachable 0 0 REJECT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x3F/0x00 reject-with icmp-port-unreachable
关联自定义链（在内置链中以 -j 跳转到自定义链，引用后该链的 references 计数变为1）
[root@chenxi ~]# iptables -A INPUT -s 192.168.10.36 -j chenxi 把所有来源地址为192.168.10.36的数据包都丢到chenxi这个链里 [root@chenxi ~]# iptables -nvL Chain INPUT (policy DROP 0 packets, 0 bytes) pkts bytes target prot opt in out source destination 13333 812K ACCEPT all -- * * 192.168.10.1 0.0.0.0/0 0 0 chenxi all -- * * 192.168.10.36 0.0.0.0/0 Chain FORWARD (policy ACCEPT 0 packets, 0 bytes) pkts bytes target prot opt in out source destination Chain OUTPUT (policy DROP 0 packets, 0 bytes) pkts bytes target prot opt in out source destination 18124 3995K ACCEPT all -- * * 0.0.0.0/0 192.168.10.1 Chain chenxi (1 references) pkts bytes target prot opt in out source destination 0 0 REJECT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x3F/0x3F reject-with icmp-port-unreachable 0 0 REJECT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x3F/0x00 reject-with icmp-port-unreachable
删除已关联的自定义链（顺序：先删除引用该链的规则，再逐条删除链内规则直到提示 Index of deletion too big，最后用 -X 删除空链）
[root@chenxi ~]# iptables -nL Chain INPUT (policy DROP) target prot opt source destination ACCEPT all -- 192.168.10.1 0.0.0.0/0 chenxi all -- 192.168.10.36 0.0.0.0/0 CHENXI all -- 0.0.0.0/0 0.0.0.0/0 Chain FORWARD (policy ACCEPT) target prot opt source destination Chain OUTPUT (policy DROP) target prot opt source destination ACCEPT all -- 0.0.0.0/0 192.168.10.1 cx all -- 0.0.0.0/0 0.0.0.0/0 Chain CHENXI (1 references) target prot opt source destination ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:80 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:443 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:53 ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:53 Chain chenxi (1 references) target prot opt source destination REJECT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp flags:0x3F/0x3F reject-with icmp-port-unreachable REJECT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp flags:0x3F/0x00 reject-with icmp-port-unreachable Chain cx (1 references) target prot opt source destination ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp spt:80 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp spt:443 ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp spt:53 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp spt:53 [root@chenxi ~]# iptables -D INPUT 3 [root@chenxi ~]# iptables -D CHENXI 1 [root@chenxi ~]# iptables -D CHENXI 1 [root@chenxi ~]# iptables -D CHENXI 1 [root@chenxi ~]# iptables -D CHENXI 1 [root@chenxi ~]# iptables -D CHENXI 1 iptables: Index of deletion too big. [root@chenxi ~]# iptables -D CHENXI 1 iptables: Index of deletion too big. [root@chenxi ~]# iptables -X CHENXI [root@chenxi ~]# iptables -D OUTPUT 2 [root@chenxi ~]# iptables -D cx 1 [root@chenxi ~]# iptables -D cx 1 [root@chenxi ~]# iptables -D cx 1 [root@chenxi ~]# iptables -D cx 1 [root@chenxi ~]# iptables -D cx 1 iptables: Index of deletion too big. [root@chenxi ~]# iptables -D cx 1 iptables: Index of deletion too big. 
[root@chenxi ~]# iptables -nL Chain INPUT (policy DROP) target prot opt source destination ACCEPT all -- 192.168.10.1 0.0.0.0/0 chenxi all -- 192.168.10.36 0.0.0.0/0 Chain FORWARD (policy ACCEPT) target prot opt source destination Chain OUTPUT (policy DROP) target prot opt source destination ACCEPT all -- 0.0.0.0/0 192.168.10.1 Chain chenxi (1 references) target prot opt source destination REJECT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp flags:0x3F/0x3F reject-with icmp-port-unreachable REJECT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp flags:0x3F/0x00 reject-with icmp-port-unreachable Chain cx (0 references) target prot opt source destination
草都可以从石头缝隙中长出来，更何况你呢