iptables学习笔记

iptables

包过滤防火墙 iptables firewalld

- 网络层
    - 地址    {目的地址 源地址}
    - 协议    {ip icmp arp rarp}
- 传输层
    - 协议    {tcp udp}
    - 端口    {目的端口 源端口}

-代理服务器防火墙{ 应用防火墙 }

- 常用的软件防火墙有两种
    linux下: squid
    Windows: ISA { Internet security acceleration }
- 网络层
    - 地址    {目的地址 源地址}
    - 协议    {ip icmp arp rarp}
- 传输层
    - 协议    {tcp udp}
    - 端口    {目的端口 源端口}
- 应用层
    账号    内容    域名    url

链表chain

nat
    POSTROUTING    //路由判断之后的nat    SNAT    内网-->外网
    PREROUTING      //路由判断之前的nat    DNAT    外网-->内网

filter
    INPUT //针对主机自身服务进行过滤
    OUTPUT //过滤始发地是本机的策略
    FORWARD //过滤经过本主机的流量
mangle
    POSTROUTING
    PREROUTING
    INPUT
    OUTPUT
    FORWARD

语法

iptables -t 类型 指令 chain名称 选项 参数

    类型
    -t nat
       filter
       mangle
       
    指令
    -A --append 追加到 chain 末尾(不需要编号)
    -I --insert 插入 chain 后边加编号
    -D --delete 删除 chain 后边加编号
    -R --replace 替换 chain 后边加编号
    -F --flush //清空链规则
    -N --new //自定义新链
    -X //删除自定义的空链
    -P --policy //设置链的默认策略(初始默认策略为 ACCEPT,即允许所有)
    
    来源
    -s --source 地址/子网/网段
                地址 192.168.2.100
                子网 192.168.2.32/27
                网段 192.168.2.0/24
    -i ens33 //进口网卡名称
    
    目标
    -d --destination 地址/子网/网段
                        地址 192.168.2.100
                        子网 192.168.2.32/27
                        网段 192.168.2.0/24
    -o ens33 //出口网卡名称
    
    协议
    -p tcp/udp/icmp
        tcp
            --dport 3389
            --sport 3389
        udp
            --dport 8080
            --sport 8080
        icmp
            --icmp-type echo-request
            --icmp-type echo-reply
    -j SNAT/DNAT/MASQUERADE/ACCEPT/REJECT/DROP/REDIRECT/MARK
        MASQUERADE 伪装用来应对像PPPoE这种地址总是变化的情况

    常用模块
    -m mac/iprange/string/time/multiport
        mac
            [!] --mac-source XX:XX:XX:XX:XX:XX
        iprange
            [!] --src-range ip[-ip]    Match source IP in the specified range
            [!] --dst-range ip[-ip]    Match destination IP in the specified range
        string
            --algo kmp                   Algorithm //算法
            --icase                      Ignore case (default: 0)
            [!] --string string          Match a string in a packet
        time
            --datestart time     Start and stop time, to be given in ISO 8601 //绝对时间
            --datestop time      (YYYY[-MM[-DD[Thh[:mm[:ss]]]]]) //绝对时间
            --timestart time     Start and stop daytime (hh:mm[:ss]) //周期时间
            --timestop time      (between 00:00:00 and 23:59:59) //周期时间
        [!] --monthdays value    List of days on which to match, separated by comma
                                (Possible days: 1 to 31; defaults to all)
        [!] --weekdays value     List of weekdays on which to match, sep. by comma
                                (Possible days: Mon,Tue,Wed,Thu,Fri,Sat,Sun or 1 to 7
                                Defaults to all weekdays.)
        multiport
        [!] --source-ports port[,port:port,port...]
        --sports ...
			            match source port(s)
        [!] --destination-ports port[,port:port,port...]
        --dports ...
			            match destination port(s)
        [!] --ports port[,port:port,port]
			            match both source and destination port(s)
  • 查看Linux路由表
[root@localhost ~]# route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         172.169.255.254 0.0.0.0         UG    100    0        0 ens33
172.169.0.0     0.0.0.0         255.255.0.0     U     100    0        0 ens33
  • 安装iptables-services
[root@localhost ~]# rpm -qa |grep iptables
iptables-1.4.21-35.el7.x86_64
[root@localhost ~]# yum -y install iptables-services
[root@localhost ~]# service iptables start
Redirecting to /bin/systemctl start iptables.service
[root@localhost ~]# systemctl disable firewalld 
Removed symlink /etc/systemd/system/multi-user.target.wants/firewalld.service.
Removed symlink /etc/systemd/system/dbus-org.fedoraproject.FirewallD1.service.
  • 查看iptables策略
[root@localhost ~]# iptables -t nat  -L -n
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination         

Chain INPUT (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination         
[root@localhost ~]# iptables -t filter  -L -n
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0           
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:22
REJECT     all  --  0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         
REJECT     all  --  0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         
[root@localhost ~]# iptables -t mangle  -L -n
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination         

Chain INPUT (policy ACCEPT)
target     prot opt source               destination         

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination         
[root@localhost ~]# 
  • 查看核心转发功能是否打开
[root@localhost ~]# cat /proc/sys/net/ipv4/ip_forward
0
[root@localhost ~]# cat /etc/sysctl.d/99-sysctl.conf 
# sysctl settings are defined through files in
# /usr/lib/sysctl.d/, /run/sysctl.d/, and /etc/sysctl.d/.
#
# Vendors settings live in /usr/lib/sysctl.d/.
# To override a whole file, create a new file with the same in
# /etc/sysctl.d/ and put new settings there. To override
# only specific settings, add a file with a lexically later
# name in /etc/sysctl.d/ and put new settings there.
#
# For more information, see sysctl.conf(5) and sysctl.d(5).
net.ipv4.ip_forward = 1
[root@localhost ~]# sysctl -p
net.ipv4.ip_forward = 1
[root@localhost ~]# cat /proc/sys/net/ipv4/ip_forward
1
[root@localhost ~]# 
  • 查看nat信息
[root@localhost ~]# iptables -t nat -L POSTROUTING -v
Chain POSTROUTING (policy ACCEPT 16 packets, 2677 bytes)
 pkts bytes target     prot opt in     out     source               destination 
  • 根据序号删除一条规则,默认是filter规则列表
[root@localhost ~]# iptables -L FORWARD -n --line-number
Chain FORWARD (policy ACCEPT)
num  target     prot opt source               destination         
1    DROP       all  --  0.0.0.0/0            0.0.0.0/0            source IP range 192.168.2.8-192.168.2.13
2    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
3    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           
4    FORWARD_direct  all  --  0.0.0.0/0            0.0.0.0/0           
5    FORWARD_IN_ZONES_SOURCE  all  --  0.0.0.0/0            0.0.0.0/0           
6    FORWARD_IN_ZONES  all  --  0.0.0.0/0            0.0.0.0/0           
7    FORWARD_OUT_ZONES_SOURCE  all  --  0.0.0.0/0            0.0.0.0/0           
8    FORWARD_OUT_ZONES  all  --  0.0.0.0/0            0.0.0.0/0           
9    DROP       all  --  0.0.0.0/0            0.0.0.0/0            ctstate INVALID
10   REJECT     all  --  0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited
11   DROP       tcp  --  192.168.29.129       0.0.0.0/0            tcp dpt:80
[root@localhost ~]# iptables -D FORWARD 1
[root@localhost ~]# iptables -L FORWARD -n --line-number
Chain FORWARD (policy ACCEPT)
num  target     prot opt source               destination         
1    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
2    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           
3    FORWARD_direct  all  --  0.0.0.0/0            0.0.0.0/0           
4    FORWARD_IN_ZONES_SOURCE  all  --  0.0.0.0/0            0.0.0.0/0           
5    FORWARD_IN_ZONES  all  --  0.0.0.0/0            0.0.0.0/0           
6    FORWARD_OUT_ZONES_SOURCE  all  --  0.0.0.0/0            0.0.0.0/0           
7    FORWARD_OUT_ZONES  all  --  0.0.0.0/0            0.0.0.0/0           
8    DROP       all  --  0.0.0.0/0            0.0.0.0/0            ctstate INVALID
9    REJECT     all  --  0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited
10   DROP       tcp  --  192.168.29.129       0.0.0.0/0            tcp dpt:80
[root@localhost ~]# 
  • 添加一条nat规则
[root@localhost ~]# ip addr
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
2: ens33: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether 00:0c:29:e0:a4:fe brd ff:ff:ff:ff:ff:ff
    inet 172.169.10.2/16 brd 172.169.255.255 scope global noprefixroute ens33
       valid_lft forever preferred_lft forever
    inet6 fe80::af06:1875:6b81:99b/64 scope link noprefixroute 
       valid_lft forever preferred_lft forever
3: ens36: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether 00:0c:29:e0:a4:08 brd ff:ff:ff:ff:ff:ff
    inet 192.168.29.128/24 brd 192.168.29.255 scope global noprefixroute dynamic ens36
       valid_lft 1620sec preferred_lft 1620sec
    inet6 fe80::126:9a10:e289:eb01/64 scope link noprefixroute 
       valid_lft forever preferred_lft forever
[root@localhost ~]# iptables -t nat -A POSTROUTING -s 192.168.29.0/24 ! -d 192.168.29.0/24 -j SNAT --to-source 172.169.10.2
[root@localhost ~]# iptables -t nat -L POSTROUTING 5 -n -v --line
5        0     0 SNAT       all  --  *      *       192.168.29.0/24     !192.168.29.0/24      to:172.169.10.2
[root@localhost ~]# ping -I 192.168.29.128 172.169.10.3
PING 172.169.10.3 (172.169.10.3) from 192.168.29.128 : 56(84) bytes of data.
64 bytes from 172.169.10.3: icmp_seq=1 ttl=64 time=0.716 ms
64 bytes from 172.169.10.3: icmp_seq=2 ttl=64 time=0.328 ms
64 bytes from 172.169.10.3: icmp_seq=3 ttl=64 time=0.334 ms
64 bytes from 172.169.10.3: icmp_seq=4 ttl=64 time=0.368 ms
^C
--- 172.169.10.3 ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3000ms
rtt min/avg/max/mdev = 0.328/0.436/0.716/0.163 ms
[root@localhost ~]# 

  • 根据序号删除nat规则列表
[root@localhost ~]# iptables -t nat -L -n --line-number
Chain PREROUTING (policy ACCEPT)
num  target     prot opt source               destination         

Chain INPUT (policy ACCEPT)
num  target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
num  target     prot opt source               destination         

Chain POSTROUTING (policy ACCEPT)
num  target     prot opt source               destination         
1    SNAT       all  --  172.169.0.0/16      !172.169.0.0/16       to:172.172.10.1
[root@localhost ~]# iptables -t nat -D POSTROUTING 1
[root@localhost ~]# iptables -t nat -L -n --line-number
Chain PREROUTING (policy ACCEPT)
num  target     prot opt source               destination         

Chain INPUT (policy ACCEPT)
num  target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
num  target     prot opt source               destination         

Chain POSTROUTING (policy ACCEPT)
num  target     prot opt source               destination         
[root@localhost ~]# 
  • 根据序号替换nat规则列表
[root@localhost ~]# iptables -t nat -L -n --line-number
Chain PREROUTING (policy ACCEPT)
num  target     prot opt source               destination         

Chain INPUT (policy ACCEPT)
num  target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
num  target     prot opt source               destination         

Chain POSTROUTING (policy ACCEPT)
num  target     prot opt source               destination         
1    SNAT       all  --  172.169.0.0/16      !172.169.0.0/16       to:172.172.10.1
[root@localhost ~]# iptables -t nat -R POSTROUTING 1 -s 192.168.29.0/24 ! -d 192.168.29.0/24 -j SNAT --to-source 172.169.10.2
[root@localhost ~]# iptables -t nat -L -n --line-number
Chain PREROUTING (policy ACCEPT)
num  target     prot opt source               destination         

Chain INPUT (policy ACCEPT)
num  target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
num  target     prot opt source               destination         

Chain POSTROUTING (policy ACCEPT)
num  target     prot opt source               destination         
[root@localhost ~]# 
  • 需要将外网192.168.29.129访问本地IP(192.168.29.128)的3389端口转换为访问192.168.29.1的3389端口

[root@localhost ~]# iptables -t nat -A PREROUTING -s 192.168.29.129 -d 192.168.29.128 -i ens36 -p tcp --dport 3389 -j DNAT --to-destination 192.168.29.1:3389
[root@localhost ~]# iptables -t nat -L PREROUTING 4 -n -v --line
4        0     0 DNAT       tcp  --  ens36  *       192.168.29.129       192.168.29.128       tcp dpt:3389 to:192.168.29.1:3389
[root@localhost ~]# iptables -t nat -A POSTROUTING -o ens36 -s 192.168.29.129 -d 192.168.29.1 -p tcp --dport 3389 -j SNAT --to-source 192.168.29.128
[root@localhost ~]# iptables -t nat -L POSTROUTING 4 -n -v --line
4        0     0 SNAT       tcp  --  *      ens36   192.168.29.129       192.168.29.1         tcp dpt:3389 to:192.168.29.128
[root@localhost ~]# telnet 192.168.29.128 3389
Trying 192.168.29.128...
Connected to 192.168.29.128.
Escape character is '^]'.
  • 保存iptables列表
[root@localhost ~]# service iptables save
iptables: Saving firewall rules to /etc/sysconfig/iptables:[  OK  ]
[root@localhost ~]# iptables-save 
# Generated by iptables-save v1.4.21 on Tue Jul 12 14:34:41 2022
*filter
:INPUT ACCEPT [1661:119024]
:FORWARD ACCEPT [29:1701]
:OUTPUT ACCEPT [1284:132141]
COMMIT
# Completed on Tue Jul 12 14:34:41 2022
# Generated by iptables-save v1.4.21 on Tue Jul 12 14:34:41 2022
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -s 192.168.29.129/32 -d 192.168.29.128/32 -i ens36 -p tcp -m tcp --dport 3389 -j DNAT --to-destination 192.168.29.1:3389
-A POSTROUTING -s 192.168.29.129/32 -d 192.168.29.1/32 -o ens36 -p tcp -m tcp --dport 3389 -j SNAT --to-source 192.168.29.128
COMMIT
# Completed on Tue Jul 12 14:34:41 2022
[root@localhost ~]# 

-清空防火墙规则(不指定 -t 时只清空 filter 表;-F 只删除规则,不会改变链的默认策略)

[root@localhost ~]# iptables -F
[root@localhost ~]# iptables -L -n -v
Chain INPUT (policy ACCEPT 20 packets, 1168 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy ACCEPT 11 packets, 900 bytes)
 pkts bytes target     prot opt in     out     source               destination         
[root@localhost ~]# 
  • 开通本机的80端口
[root@localhost ~]# iptables -t filter -I INPUT -p tcp --dport 80 -j ACCEPT
[root@localhost ~]# iptables -t filter -L INPUT 1 -n -v --line
1        0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80
[root@localhost ~]# 
  • 不允许本机往外ping
[root@localhost ~]# iptables -t filter -I OUTPUT -p icmp --icmp-type echo-request -j DROP
[root@localhost ~]# iptables -t filter -L OUTPUT 1 -n -v --line
1        0     0 DROP       icmp --  *      *       0.0.0.0/0            0.0.0.0/0            icmptype 8
[root@localhost ~]# ping 192.168.10.1
PING 192.168.10.1 (192.168.10.1) 56(84) bytes of data.
ping: sendmsg: Operation not permitted
ping: sendmsg: Operation not permitted
--- 192.168.10.1 ping statistics ---
2 packets transmitted, 0 received, 100% packet loss, time 999ms

[root@localhost ~]# 

-本机禁ping

[root@localhost ~]# iptables -t filter -I INPUT -p icmp --icmp-type echo-request -j REJECT --reject-with icmp-host-unreachable
[root@localhost ~]# iptables -t filter -L INPUT 1 -n -v
    0     0 REJECT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0            icmptype 8 reject-with icmp-host-unreachable
[root@localhost ~]# ping 192.168.29.128
PING 192.168.29.128 (192.168.29.128) 56(84) bytes of data.
From 192.168.29.128 icmp_seq=1 Destination Host Unreachable
From 192.168.29.128 icmp_seq=2 Destination Host Unreachable
--- 192.168.29.128 ping statistics ---
2 packets transmitted, 0 received, +2 errors, 100% packet loss, time 1001ms

[root@localhost ~]# 

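-禁止29.129经过本机访问80端口(注意:-A 把规则追加到链尾,若前面已有匹配所有流量的 ACCEPT/REJECT 规则,这条规则不会被命中,此时应改用 -I 插入到这些规则之前;下面 -L FORWARD 1 显示的是链中第 1 条规则,不是刚追加的这条)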

[root@localhost ~]# iptables -t filter -A FORWARD -s 192.168.29.129 -p tcp --dport 80 -j DROP
[root@localhost ~]# iptables -t filter -L FORWARD 1 -n -v
    0     0 DROP       all  --  *      ens33   0.0.0.0/0            0.0.0.0/0            source IP range 192.168.2.8-192.168.2.13
[root@localhost ~]# 

-禁止指定mac访问本机22端口

[root@localhost ~]# iptables -t filter -I INPUT -m mac --mac-source 00:0c:29:2a:be:73 -d 172.169.10.2 -p tcp --dport 22 -j REJECT
[root@localhost ~]# iptables -t filter -L INPUT 1 -n -v
    0     0 REJECT     tcp  --  *      *       0.0.0.0/0            172.169.10.2         MAC 00:0C:29:2A:BE:73 tcp dpt:22 reject-with icmp-port-unreachable
[root@localhost ~]# 

-禁止一段IP经过本主机

[root@localhost ~]# iptables -t filter -I FORWARD -m iprange --src-range 192.168.2.8-192.168.2.13 -o ens33 -j DROP
[root@localhost ~]# iptables -t filter -L FORWARD 1 -n -v
    0     0 DROP       all  --  *      ens33   0.0.0.0/0            0.0.0.0/0            source IP range 192.168.2.8-192.168.2.13
[root@localhost ~]# 

  • 禁止本机访问指定/某些网站(string 模块按数据包中的明文内容匹配,加密载荷中的字符串匹配不到)
[root@localhost ~]# ping www.baidu.com
PING www.a.shifen.com (110.242.68.3) 56(84) bytes of data.
64 bytes from 110.242.68.3 (110.242.68.3): icmp_seq=1 ttl=128 time=11.5 ms
--- www.a.shifen.com ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 11.545/11.545/11.545/0.000 ms
[root@localhost ~]# iptables -t filter -I OUTPUT -s 192.168.0.0/16 -o ens33 -m string --string baidu --algo kmp -j DROP
[root@localhost ~]# iptables -t filter -L OUTPUT 1 -n -v
    0     0 DROP       all  --  *      ens33   192.168.0.0/16       0.0.0.0/0            STRING match  "baidu" ALGO name kmp TO 65535
[root@localhost ~]# ping www.baidu.com
ping: www.baidu.com: Name or service not known
[root@localhost ~]# 
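  • 每天固定8点到18点(北京时间)禁止源地址段上网;规则中的时间按 UTC 填写,加 8 小时即北京时间(00:00–10:00 UTC 对应北京时间 08:00–18:00)。注意 OUTPUT 链只匹配本机发出的流量,若要限制经本机转发的网段,规则应放在 FORWARD 链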

      [root@localhost ~]# iptables -I OUTPUT -s 192.168.10.0/24 -m  time  --timestart 00:00 --timestop 10:00 -j DROP
      [root@localhost ~]# iptables -t filter -L OUTPUT 1 -n -v
          0     0 DROP       all  --  *      *       192.168.10.0/24      0.0.0.0/0            TIME from 00:00:00 to 10:00:00 UTC
      [root@localhost ~]# 
    
  • 每周二、周四固定8点到18点(北京时间)禁止源地址段上网;规则中的时间按 UTC 填写,加 8 小时即北京时间

      [root@localhost ~]# iptables -I OUTPUT -s 192.168.10.0/24 -m  time  --timestart 00:00 --timestop 10:00 --weekdays 2,4 -j DROP
      [root@localhost ~]# iptables -t filter -L OUTPUT 1 -n -v
          0     0 DROP       all  --  *      *       192.168.10.0/24      0.0.0.0/0            TIME from 00:00:00 to 10:00:00 on Tue,Thu UTC
      [root@localhost ~]# 
    
  • 按固定日期时间段匹配;规则中的日期时间按 UTC 填写,加 8 小时即北京时间

      [root@localhost ~]# iptables -I OUTPUT -s 192.168.10.0/24 -m  time  --datestart 2022-7-21T00:00:00 --datestop 2022-7-22T10:00:00 -j DROP
      [root@localhost ~]# iptables -t filter -L OUTPUT 1 -n -v
          0     0 DROP       all  --  *      *       192.168.10.0/24      0.0.0.0/0            TIME starting from 2022-07-21 00:00:00 until date 2022-07-22 10:00:00 UTC
      [root@localhost ~]# 
    
  • 丢弃目的端口号:23,24,25以及135,136,137,138,139。在另外的主机上不能访问其中的任何一个端口。

      [root@localhost ~]# iptables -I INPUT -p tcp -m multiport --dports 23:25,135:139 -j DROP
      [root@localhost ~]# iptables -t filter -L INPUT 3 -n -v
          0     0 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            multiport dports 23:25,135:139
      [root@localhost ~]# 
    
  • 屏蔽2222和12306不连续的两个端口

      [root@localhost ~]# iptables -I INPUT -p tcp -m multiport  --dport 2222,12306 -j DROP
      [root@localhost ~]# iptables -t filter -L INPUT -n -v
      Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
      pkts bytes target     prot opt in     out     source               destination         
          0     0 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            multiport dports 2222,12306
      [root@localhost ~]# 
    
  • 放开80和8080不连续的两个端口

      [root@localhost ~]# iptables -I INPUT -p tcp -m multiport  --dport 80,8080 -j ACCEPT
      [root@localhost ~]# iptables -t filter -L INPUT 1 -n -v
          0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            multiport dports 80,8080
      [root@localhost ~]# 
    