Iptables瞎乱记

来自三线的随记
Admin讨论 | 贡献2019年12月14日 (六) 18:02的版本
(差异) ←上一版本 | 最后版本 (差异) | 下一版本→ (差异)

chains

4个默认表

  1. nat
  2. filter
  3. mangle
  4. raw


REJECT

--reject-with tcp-reset

--reject-with icmp-host-prohibited

DROP


destination changed相关

 DNAT
       This target is only valid in the nat table, in the PREROUTING and OUTPUT chains, and user-defined chains which are only called from those chains.  It specifies
       that  the  destination  address of the packet should be modified (and all future packets in this connection will also be mangled), and rules should cease being
       examined.  It takes the following options:

       --to-destination [ipaddr[-ipaddr]][:port[-port]]
              which can specify a single new destination IP address, an inclusive range of IP addresses. Optionally a port range, if the rule also  specifies  one  of
              the  following  protocols: tcp, udp, dccp or sctp.  If no port range is specified, then the destination port will never be modified. If no IP address is
              specified then only the destination port will be modified.  In Kernels up to 2.6.10 you can add several --to-destination options. For those kernels,  if
              you specify more than one destination address, either via an address range or multiple --to-destination options, a simple round-robin (one after another
              in cycle) load balancing takes place between these addresses.  Later Kernels (>= 2.6.11-rc1) don't have the ability to NAT to multiple ranges anymore.
REDIRECT
       This target is only valid in the nat table, in the PREROUTING and OUTPUT chains, and user-defined chains which are only called from those chains.  It redirects
       the packet to the machine itself by changing the destination IP to the primary address of the incoming interface (locally-generated packets are mapped  to  the
       localhost address, 127.0.0.1 for IPv4 and ::1 for IPv6).

       --to-ports port[-port]
              This  specifies  a  destination port or range of ports to use: without this, the destination port is never altered.  This is only valid if the rule also
              specifies one of the following protocols: tcp, udp, dccp or sctp.