Enterprise iptables configuration cases
1) Case 1: a restrictive host firewall (default-deny INPUT)
Start from an empty ruleset; saving and restarting makes the service load that empty state:
[root@localhost Desktop]# iptables -F
[root@localhost Desktop]# iptables -X
[root@localhost Desktop]# iptables -Z
[root@localhost Desktop]# /etc/init.d/iptables save
[root@localhost Desktop]# /etc/init.d/iptables restart
[root@localhost Desktop]# iptables -nL
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Add the ACCEPT rule for the management path before changing the policy, so a remote SSH session survives the switch to DROP:
[root@localhost Desktop]# iptables -A INPUT -p tcp --dport 22 -s 192.168.4.0/24 -j ACCEPT   # allow SSH from the office subnet
[root@localhost Desktop]# iptables -A INPUT -i lo -j ACCEPT   # allow traffic arriving on the loopback interface
[root@localhost Desktop]# iptables -A OUTPUT -o lo -j ACCEPT   # allow traffic leaving on the loopback interface
Set the default policies:
[root@localhost Desktop]# iptables -P INPUT DROP
[root@localhost Desktop]# iptables -P OUTPUT ACCEPT
[root@localhost Desktop]# iptables -P FORWARD DROP
Open the trusted subnets so legitimate internal traffic gets in (-p all: every protocol and port from these ranges):
[root@localhost Desktop]# iptables -A INPUT -s 192.168.1.0/24 -p all -j ACCEPT
[root@localhost Desktop]# iptables -A INPUT -s 192.168.2.0/24 -p all -j ACCEPT
[root@localhost Desktop]# iptables -A INPUT -s 192.168.3.0/24 -p all -j ACCEPT
Allow the business service ports from anywhere (HTTP is accepted unconditionally):
[root@localhost Desktop]# iptables -A INPUT -p tcp --dport 80 -j ACCEPT
[root@localhost Desktop]# iptables -A INPUT -p icmp --icmp-type 8 -j ACCEPT   # add this if outside hosts should be able to ping the server
Allow packets of established connections and packets related to them (RELATED matters mainly for FTP data connections and ICMP error messages). Without the INPUT rule, replies to the host's own outbound connections (yum, DNS lookups) are dropped by the INPUT policy:
[root@localhost Desktop]# iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
[root@localhost Desktop]# iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
Scan to see which ports are listening. A scan of 127.0.0.1 passes through the loopback ACCEPT rule, so it lists every listening service rather than what the firewall exposes; to see what an outsider sees, scan the host's real address from another machine:
[root@localhost Desktop]# nmap 127.0.0.1 -p 1-65535
Starting Nmap 5.51 ( http://nmap.org ) at 2016-07-06 23:54 CST
Nmap scan report for localhost (127.0.0.1)
Host is up (0.0000090s latency).
Not shown: 65531 closed ports
PORT STATE SERVICE
22/tcp open ssh
25/tcp open smtp
80/tcp open http
631/tcp open ipp
Nmap done: 1 IP address (1 host up) scanned in 0.86 seconds
[root@localhost Desktop]# /etc/init.d/iptables save
iptables: Saving firewall rules to /etc/sysconfig/iptables: [ OK ]   # writes the running rules to the config file
[root@localhost Desktop]# cat /etc/sysconfig/iptables
# Generated by iptables-save v1.4.7 on Thu Jul 7 00:04:19 2016
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -s 192.168.4.0/24 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -s 192.168.1.0/24 -j ACCEPT
-A INPUT -s 192.168.2.0/24 -j ACCEPT
-A INPUT -s 192.168.3.0/24 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
COMMIT
# Completed on Thu Jul 7 00:04:19 2016
From a host outside the trusted subnets, a scan of this machine shows only port 80 open (22, 25 and 631 are dropped and appear as filtered), and the host answers ping. The file above is also the match order: iptables stops at the first matching rule, and a packet that matches nothing falls through to the chain policy. Moving the ESTABLISHED,RELATED rule to the top of INPUT gives the same result with less work per packet, since most packets belong to existing connections.
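Added example, not part of the original notes: the case-1 policy as a script that builds one iptables-restore file and loads it atomically, with a timed rollback so a wrong rule cannot lock the administrator out of a remote SSH session. Appending rules one by one, as above, leaves a window between `-P INPUT DROP` and the later ACCEPT lines in which services such as HTTP are unreachable, and a mistyped rule stays in force. The script uses `-m conntrack --ctstate`, the current name for the `-m state` match used above, and puts the conntrack rule first. The subnets are the ones from the notes; the rollback file path, the 60-second window and the LOG rule are assumptions of this example.

```shell
#!/bin/bash
# Added example (not from the original notes): the case-1 host firewall as one
# iptables-restore ruleset, applied atomically with a rollback timer.
# Assumptions: office subnet 192.168.4.0/24 for SSH, trusted 192.168.1-3.0/24,
# public HTTP on 80. Applying requires root and iptables-restore.

OFFICE_NET="192.168.4.0/24"
TRUSTED_NETS="192.168.1.0/24 192.168.2.0/24 192.168.3.0/24"

# Emit the ruleset on stdout. The conntrack rule comes first so replies to the
# host's own outbound connections are accepted before anything else is tested;
# packets conntrack cannot classify are dropped before they can match a rule.
build_ruleset() {
    local net
    printf '%s\n' \
        '*filter' \
        ':INPUT DROP [0:0]' \
        ':FORWARD DROP [0:0]' \
        ':OUTPUT ACCEPT [0:0]' \
        '-A INPUT -i lo -j ACCEPT' \
        '-A INPUT -m conntrack --ctstate INVALID -j DROP' \
        '-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT' \
        "-A INPUT -s $OFFICE_NET -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT"
    for net in $TRUSTED_NETS; do
        printf '%s\n' "-A INPUT -s $net -j ACCEPT"
    done
    printf '%s\n' \
        '-A INPUT -p tcp --dport 80 -m conntrack --ctstate NEW -j ACCEPT' \
        '-A INPUT -p icmp --icmp-type echo-request -j ACCEPT' \
        '-A INPUT -m limit --limit 5/min -j LOG --log-prefix "INPUT-DROP: "' \
        'COMMIT'
}

# Load the new set in one step (iptables-restore replaces the whole table, so
# there is no moment with a DROP policy and no ACCEPT rules), and schedule a
# restore of the previous rules in 60 s unless confirm_ruleset is run.
apply_ruleset() {
    iptables-save > /tmp/iptables.rollback
    build_ruleset | iptables-restore || return 1
    ( sleep 60 && iptables-restore < /tmp/iptables.rollback ) &
    echo $! > /tmp/iptables.rollback.pid
    echo "new rules loaded; run confirm_ruleset within 60 s or they roll back"
}

# Cancel the rollback and persist the rules where the init script reads them.
confirm_ruleset() {
    kill "$(cat /tmp/iptables.rollback.pid)" 2>/dev/null
    rm -f /tmp/iptables.rollback.pid
    build_ruleset > /etc/sysconfig/iptables
}
```

Run apply_ruleset from the SSH session you want to keep; if the session is still alive, run confirm_ruleset within 60 seconds, otherwise the previous rules come back on their own. Then verify from a machine outside 192.168.1.0/24 to 192.168.4.0/24 with nmap against the host's real address on ports 22, 25, 80 and 631: only 80 should report open, the others filtered.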
2) Case 2: internal hosts sharing one public address (SNAT rules)
On machine A, 10.0.0.6 (eth0 on vmnet2): the "external" web server, not shown in the diagram
[root@localhost Desktop]# yum -y install httpd
[root@localhost Desktop]# /etc/init.d/httpd restart
[root@localhost Desktop]# echo 1111 > /var/www/html/index.html
[root@localhost Desktop]# curl localhost
1111
[root@localhost Desktop]# /etc/init.d/iptables stop   # lab shortcut: no host firewall on A, so only the gateway's rules influence the test
On machine B (the gateway): external address 10.0.0.19 (eth0 on vmnet2) with default gateway 10.0.0.254; internal address 192.168.1.19 (eth1 on vmnet1) with no gateway
[root@localhost Desktop]# ifconfig
eth0 Link encap:Ethernet HWaddr 00:0C:29:90:BC:2C
inet addr:10.0.0.19 Bcast:10.0.255.255 Mask:255.255.0.0
eth1 Link encap:Ethernet HWaddr 00:0C:29:90:BC:36
inet addr:192.168.1.19 Bcast:192.168.1.255 Mask:255.255.255.0
[root@localhost Desktop]# route -n
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
192.168.1.0 0.0.0.0 255.255.255.0 U 0 0 0 eth1
10.0.0.0 0.0.0.0 255.255.0.0 U 0 0 0 eth0
169.254.0.0 0.0.0.0 255.255.0.0 U 1002 0 0 eth0
169.254.0.0 0.0.0.0 255.255.0.0 U 1003 0 0 eth1
0.0.0.0 10.0.0.254 0.0.0.0 UG 0 0 0 eth0
Enable IP forwarding persistently, then load the setting:
[root@localhost Desktop]# vim /etc/sysctl.conf
net.ipv4.ip_forward = 1
:wq
[root@localhost Desktop]# sysctl -p
Clear any existing rules:
[root@localhost Desktop]# iptables -F
[root@localhost Desktop]# iptables -Z
[root@localhost Desktop]# iptables -X
[root@localhost Desktop]# /etc/init.d/iptables save
[root@localhost Desktop]# /etc/init.d/iptables restart
[root@localhost Desktop]# iptables -nL
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Note: if the INPUT and FORWARD policies are not ACCEPT, set them to ACCEPT for this lab. Forwarded packets traverse the FORWARD chain, so a DROP policy there with no rules would silently block the translated traffic. In production keep FORWARD at DROP and add explicit rules for the flows the gateway is meant to carry; with an ACCEPT policy B routes anything between the two networks:
[root@localhost Desktop]# iptables -P INPUT ACCEPT
[root@localhost Desktop]# iptables -P FORWARD ACCEPT
[root@localhost Desktop]# iptables -nL
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Load the netfilter modules. ip_conntrack, ip_conntrack_ftp, ip_nat_ftp and ipt_state are legacy alias names that resolve to nf_conntrack, nf_conntrack_ftp, nf_nat_ftp and xt_state on this kernel, which is why `lsmod | egrep ^ip` does not list them; `lsmod | egrep '^(ip|nf|xt)'` shows the whole set:
[root@localhost Desktop]# modprobe ip_tables
[root@localhost Desktop]# modprobe iptable_filter
[root@localhost Desktop]# modprobe iptable_nat
[root@localhost Desktop]# modprobe ip_conntrack
[root@localhost Desktop]# modprobe ip_conntrack_ftp
[root@localhost Desktop]# modprobe ip_nat_ftp
[root@localhost Desktop]# modprobe ipt_state
[root@localhost Desktop]# lsmod |egrep ^ip
iptable_nat 6158 0
iptable_filter 2793 0
ip_tables 17831 2 iptable_nat,iptable_filter
ip6t_REJECT 4628 2
ip6table_filter 2889 1
ip6_tables 18732 1 ip6table_filter
ipv6 317340 143 ip6t_REJECT,nf_conntrack_ipv6,nf_defrag_ipv6
On machine C, 192.168.1.17 (eth0 on vmnet1), with default gateway 192.168.1.19:
[root@localhost Desktop]# ifconfig |head -2
eth0 Link encap:Ethernet HWaddr 00:0C:29:AD:DF:B3
inet addr:192.168.1.17 Bcast:192.168.1.255 Mask:255.255.255.0
[root@localhost Desktop]# route -n
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
192.168.1.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0
169.254.0.0 0.0.0.0 255.255.0.0 U 1002 0 0 eth0
0.0.0.0 192.168.1.19 0.0.0.0 UG 0 0 0 eth0
[root@localhost Desktop]# /etc/init.d/iptables stop   # lab shortcut: no host firewall on C
Quick check at this point:
Machine B (the gateway) can ping the internal machine and the external web server, and can fetch the external web page:
[root@localhost Desktop]# ping 192.168.1.17
PING 192.168.1.17 (192.168.1.17) 56(84) bytes of data.
64 bytes from 192.168.1.17: icmp_seq=1 ttl=64 time=1.89 ms
64 bytes from 192.168.1.17: icmp_seq=2 ttl=64 time=0.297 ms
[root@localhost Desktop]# ping 10.0.0.6
PING 10.0.0.6 (10.0.0.6) 56(84) bytes of data.
64 bytes from 10.0.0.6: icmp_seq=1 ttl=64 time=1.16 ms
64 bytes from 10.0.0.6: icmp_seq=2 ttl=64 time=0.485 ms
[root@localhost Desktop]# curl http://10.0.0.6
1111
Machine C (internal host 192.168.1.17) can ping both of B's addresses, but cannot ping the external web server or fetch its page:
[root@localhost Desktop]# ping 192.168.1.19
PING 192.168.1.19 (192.168.1.19) 56(84) bytes of data.
64 bytes from 192.168.1.19: icmp_seq=1 ttl=64 time=0.492 ms
64 bytes from 192.168.1.19: icmp_seq=2 ttl=64 time=0.450 ms
[root@localhost Desktop]# ping 10.0.0.19
PING 10.0.0.19 (10.0.0.19) 56(84) bytes of data.
64 bytes from 10.0.0.19: icmp_seq=1 ttl=64 time=0.072 ms
64 bytes from 10.0.0.19: icmp_seq=2 ttl=64 time=0.047 ms
[root@localhost Desktop]# ping 10.0.0.6
PING 10.0.0.6 (10.0.0.6) 56(84) bytes of data.
(no replies: B forwards the request to A with source 192.168.1.17, and A has no route that sends the reply back through B)
[root@localhost Desktop]# curl http://10.0.0.6
(hangs; the external web service is unreachable for the same reason)
Configure the SNAT rule on B so internal hosts share its public address:
[root@localhost Desktop]# iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -o eth0 -j SNAT --to-source 10.0.0.19
# -o eth0: packets leaving through eth0, the gateway's external interface; --to-source is B's public address
Note: when the gateway's public address is dynamic, use MASQUERADE instead; it substitutes whatever address the outgoing interface currently has. Use one of the two rules, not both (the first matching rule in POSTROUTING wins):
[root@localhost Desktop]# iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -o eth0 -j MASQUERADE
[root@localhost Desktop]# /etc/init.d/iptables save
Machine C (internal host 192.168.1.17) can now ping both of B's addresses and the external web server, and can fetch the page. The TTL of 63 on the replies from 10.0.0.6 shows the extra hop through B:
[root@localhost Desktop]# ping 192.168.1.19
PING 192.168.1.19 (192.168.1.19) 56(84) bytes of data.
64 bytes from 192.168.1.19: icmp_seq=1 ttl=64 time=1.89 ms
64 bytes from 192.168.1.19: icmp_seq=2 ttl=64 time=0.297 ms
[root@localhost Desktop]# ping 10.0.0.19
PING 10.0.0.19 (10.0.0.19) 56(84) bytes of data.
64 bytes from 10.0.0.19: icmp_seq=1 ttl=64 time=0.583 ms
64 bytes from 10.0.0.19: icmp_seq=2 ttl=64 time=0.582 ms
[root@localhost Desktop]# ping 10.0.0.6
PING 10.0.0.6 (10.0.0.6) 56(84) bytes of data.
64 bytes from 10.0.0.6: icmp_seq=1 ttl=63 time=2.19 ms
64 bytes from 10.0.0.6: icmp_seq=2 ttl=63 time=1.40 ms
[root@localhost Desktop]# curl http://10.0.0.6
1111
What SNAT does: rewrites the source address and, when needed, the source port of a packet (destination address and port are unchanged). Connection tracking remembers the translation, so A's replies addressed to 10.0.0.19 are rewritten back to 192.168.1.17 on the way in without any extra rule.
Note: the common shortcut "SNAT for outgoing traffic, DNAT for incoming traffic" is a simplification. Both targets can be applied to traffic in either direction; choose by which address the packet needs rewritten, not by the direction it travels.
3) Case 3: mapping a public address and port to an internal server (DNAT rules)
Goal: hosts on the 10.0.0.0/16 network connect to B's public address 10.0.0.19:80 and reach the web service provided by C at 192.168.1.17:80.
On machine B (the gateway): external address 10.0.0.19 (eth0 on vmnet2) with default gateway 10.0.0.254; internal address 192.168.1.19 (eth1 on vmnet1) with no gateway
[root@localhost Desktop]# ifconfig
eth0 Link encap:Ethernet HWaddr 00:0C:29:90:BC:2C
inet addr:10.0.0.19 Bcast:10.0.255.255 Mask:255.255.0.0
eth1 Link encap:Ethernet HWaddr 00:0C:29:90:BC:36
inet addr:192.168.1.19 Bcast:192.168.1.255 Mask:255.255.255.0
[root@localhost Desktop]# route -n
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
192.168.1.0 0.0.0.0 255.255.255.0 U 0 0 0 eth1
10.0.0.0 0.0.0.0 255.255.0.0 U 0 0 0 eth0
169.254.0.0 0.0.0.0 255.255.0.0 U 1002 0 0 eth0
169.254.0.0 0.0.0.0 255.255.0.0 U 1003 0 0 eth1
0.0.0.0 10.0.0.254 0.0.0.0 UG 0 0 0 eth0
Enable IP forwarding persistently, then load the setting:
[root@localhost Desktop]# vim /etc/sysctl.conf
net.ipv4.ip_forward = 1
[root@localhost Desktop]# sysctl -p
Clear any existing rules:
[root@localhost Desktop]# iptables -F
[root@localhost Desktop]# iptables -Z
[root@localhost Desktop]# iptables -X
[root@localhost Desktop]# /etc/init.d/iptables save
[root@localhost Desktop]# /etc/init.d/iptables restart
[root@localhost Desktop]# iptables -nL
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Note: if the INPUT and FORWARD policies are not ACCEPT, set them to ACCEPT for this lab (the DNAT'd packets traverse FORWARD; in production use a DROP policy there with an explicit rule for the published service):
[root@localhost Desktop]# iptables -P INPUT ACCEPT
[root@localhost Desktop]# iptables -P FORWARD ACCEPT
[root@localhost Desktop]# iptables -nL
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Load the netfilter modules (the ip_conntrack*, ip_nat_ftp and ipt_state names are legacy aliases for the nf_conntrack*, nf_nat_ftp and xt_state modules, so they do not show up under `egrep ^ip`):
[root@localhost Desktop]# modprobe ip_tables
[root@localhost Desktop]# modprobe iptable_filter
[root@localhost Desktop]# modprobe iptable_nat
[root@localhost Desktop]# modprobe ip_conntrack
[root@localhost Desktop]# modprobe ip_conntrack_ftp
[root@localhost Desktop]# modprobe ip_nat_ftp
[root@localhost Desktop]# modprobe ipt_state
[root@localhost Desktop]# lsmod |egrep ^ip
iptable_nat 6158 0
iptable_filter 2793 0
ip_tables 17831 2 iptable_nat,iptable_filter
ip6t_REJECT 4628 2
ip6table_filter 2889 1
ip6_tables 18732 1 ip6table_filter
ipv6 317340 143 ip6t_REJECT,nf_conntrack_ipv6,nf_defrag_ipv6
On machine C (internal host 192.168.1.17, eth0 on vmnet1), with default gateway 192.168.1.19:
[root@localhost Desktop]# yum -y install httpd
[root@localhost Desktop]# /etc/init.d/httpd start
[root@localhost Desktop]# echo 2222 > /var/www/html/index.html
[root@localhost Desktop]# curl localhost
2222
[root@localhost Desktop]# /etc/init.d/iptables stop   # lab shortcut: no host firewall on C
Quick check:
At this point the external machine A (10.0.0.6) can ping the gateway's public address but cannot reach the internal web service:
[root@localhost Desktop]# ping 10.0.0.19
PING 10.0.0.19 (10.0.0.19) 56(84) bytes of data.
64 bytes from 10.0.0.19: icmp_seq=1 ttl=64 time=0.319 ms
64 bytes from 10.0.0.19: icmp_seq=2 ttl=64 time=0.331 ms
[root@localhost Desktop]# curl http://10.0.0.19
curl: (7) couldn't connect to host
Configure the DNAT rule on B so external hosts can reach the internal web service (IP forwarding must be enabled). The -F flushes the whole nat table, including the case-2 SNAT rule; re-add that rule if both cases are wanted at once:
[root@localhost Desktop]# iptables -t nat -F
[root@localhost Desktop]# iptables -t nat -A PREROUTING -d 10.0.0.19 -p tcp --dport 80 -j DNAT --to-destination 192.168.1.17:80
# If C had no default gateway pointing at B, the following rule would also be needed so that C's replies return through B (C has the gateway here, so it is not needed). The cost of this extra SNAT: C's web logs show 192.168.1.19 for every client, and the real client address is lost.
iptables -t nat -A POSTROUTING -d 192.168.1.17 -p tcp -m tcp --dport 80 -j SNAT --to-source 192.168.1.19
[root@localhost Desktop]# /etc/init.d/iptables save
[root@localhost Desktop]# iptables -t nat -nL
Chain PREROUTING (policy ACCEPT)
target prot opt source destination
DNAT tcp -- 0.0.0.0/0 10.0.0.19 tcp dpt:80 to:192.168.1.17:80
Chain POSTROUTING (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Verification on machine A (10.0.0.6, eth0 on vmnet2): the internal web service is now reachable
[root@localhost Desktop]# curl http://10.0.0.19
2222
[root@localhost Desktop]# ping 10.0.0.19
PING 10.0.0.19 (10.0.0.19) 56(84) bytes of data.
64 bytes from 10.0.0.19: icmp_seq=1 ttl=64 time=0.518 ms
64 bytes from 10.0.0.19: icmp_seq=2 ttl=64 time=0.272 ms
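Added example, not part of the original notes: cases 2 and 3 combined into one iptables-restore file for gateway B, with a FORWARD policy of DROP and explicit rules for only the two flows the notes set up (LAN out through eth0, and WAN in to the published web server). The notes set FORWARD to ACCEPT so the lab works; that also lets any host on either network route through B to the other. Interface and address names are the ones from the notes; the helper names, the LOG rule and the use of `-m conntrack` are assumptions of this example.

```shell
#!/bin/bash
# Added example (not from the original notes): gateway B (10.0.0.19 on eth0,
# 192.168.1.19 on eth1) with SNAT for the LAN and DNAT for C's web server,
# plus a locked-down FORWARD chain. Applying requires root and iptables-restore.

WAN_IF=eth0; WAN_IP=10.0.0.19
LAN_IF=eth1; LAN_NET=192.168.1.0/24
WEB_HOST=192.168.1.17; WEB_PORT=80

# Emit both tables as one iptables-restore document (lines starting with # are
# ignored by iptables-restore).
build_nat_ruleset() {
    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# case 3: publish C's web server on the gateway's public address
-A PREROUTING -i $WAN_IF -d $WAN_IP -p tcp --dport $WEB_PORT -j DNAT --to-destination $WEB_HOST:$WEB_PORT
# case 2: internal hosts share the public address when leaving through $WAN_IF
-A POSTROUTING -s $LAN_NET -o $WAN_IF -j SNAT --to-source $WAN_IP
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -m conntrack --ctstate INVALID -j DROP
# LAN -> WAN: new connections may only originate inside
-A FORWARD -i $LAN_IF -o $WAN_IF -s $LAN_NET -m conntrack --ctstate NEW -j ACCEPT
# WAN -> LAN: only the published service (FORWARD runs after PREROUTING, so the
# destination to match is already the internal address, not $WAN_IP)
-A FORWARD -i $WAN_IF -o $LAN_IF -d $WEB_HOST -p tcp --dport $WEB_PORT -m conntrack --ctstate NEW -j ACCEPT
-A FORWARD -m limit --limit 5/min -j LOG --log-prefix "FWD-DROP: "
COMMIT
EOF
}

# True when the kernel is forwarding; without it the NAT rules never see a
# packet that crosses the gateway.
forwarding_enabled() {
    [ "$(cat /proc/sys/net/ipv4/ip_forward 2>/dev/null)" = "1" ]
}

# Turn on forwarding, load the rules atomically, and persist them where the
# init script reads them.
apply_gateway() {
    sysctl -w net.ipv4.ip_forward=1 >/dev/null
    forwarding_enabled || { echo "ip_forward is still 0" >&2; return 1; }
    build_nat_ruleset | iptables-restore || return 1
    build_nat_ruleset > /etc/sysconfig/iptables
}
```

If C had no default gateway pointing at B, add the hairpin rule from the notes to the *nat section (`-A POSTROUTING -o eth1 -d 192.168.1.17 -p tcp --dport 80 -j SNAT --to-source 192.168.1.19`), accepting that C's logs will then show 192.168.1.19 for every client. After apply_gateway, the case-2 and case-3 checks (curl from C to 10.0.0.6, curl from A to 10.0.0.19) should behave exactly as in the notes, while a connection from A to any other internal host is dropped and logged.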
Common enterprise iptables use cases:
Linux host firewall (table: filter)
1) LAN hosts sharing one public address (table: nat, SNAT rule, POSTROUTING chain)
iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -o eth0 -j SNAT --to-source 10.0.0.19
2) Mapping to a pool of public addresses so internal staff can go online (one pool per internal subnet; conntrack picks an address from the range per connection):
iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -o eth0 -j SNAT --to-source 10.0.0.15-10.0.0.20
iptables -t nat -A POSTROUTING -s 192.168.2.0/24 -o eth0 -j SNAT --to-source 10.0.0.21-10.0.0.25
3) Mapping a public address and port to an internal address and port (table: nat, DNAT rule, PREROUTING chain)
iptables -t nat -A PREROUTING -d 10.0.0.19 -p tcp --dport 80 -j DNAT --to-destination 192.168.1.17:80
What DNAT does: rewrites the destination address and port of a packet (source address and port are unchanged).
Supplement:
PREROUTING (used with DNAT): rules run when a packet arrives at the firewall, before the routing decision, so routing already sees the rewritten destination. Effect: changes the destination address and port; the source is unchanged.
POSTROUTING (used with SNAT): rules run when a packet leaves the firewall, after the routing decision, so the outgoing interface is already known. Effect: changes the source address and port; the destination is unchanged.
SNAT and DNAT case 1: letting external clients reach an internal web (HTTP) server:
External client: 192.168.231.xx
iptables machine: external IP 192.168.231.128, internal IP 192.168.4.205 (it runs httpd on port 80 and mysql on port 3306; both are there only for testing, the services themselves are not used)
Internal web machine: internal IP only, 192.168.4.10, port 80 (httpd), serving a page that reads "内网web" (internal web)
DNAT changes only the destination address and port; SNAT changes only the source address and port.
vim /etc/sysctl.conf
net.ipv4.ip_forward = 1   # enable IP forwarding
One DNAT rule per published port (a single --dport cannot list two ports):
iptables -t nat -A PREROUTING -d 192.168.231.128 -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.4.10:80
iptables -t nat -A PREROUTING -d 192.168.231.128 -p tcp -m tcp --dport 3306 -j DNAT --to-destination 192.168.4.10:3306
iptables -t nat -A POSTROUTING -d 192.168.4.10 -p tcp -m tcp --dport 80 -j SNAT --to-source 192.168.4.205
# Note on the POSTROUTING rule: if the internal web machine's default gateway points at the iptables machine's internal address, 192.168.4.205, the SNAT rule is not needed.
# If the internal web machine has no gateway, the SNAT rule is required.
Explanation: the PREROUTING rules say that when an external client connects to the iptables machine's external address on port 80 or 3306, the packet is redirected to 192.168.4.10 on the same port. This rewrites the destination address and port but not the source, so the source is still the external client and the destination is the internal server. Without a route back through the iptables machine those two addresses cannot exchange traffic, and the server's replies never reach the client; the DNAT rule alone is therefore not enough. -p tcp selects the TCP protocol; -m tcp loads the tcp match extension explicitly (it is implied by -p tcp, so it can be omitted).
The POSTROUTING rule builds on that: for traffic going to the internal web server 192.168.4.10 on port 80, the source address is rewritten to the iptables machine's internal address, 192.168.4.205. Now both the source (192.168.4.205) and the destination (192.168.4.10) are on the internal network, so the server can reply, and the reply passes back through the iptables machine, which reverses both translations.
Client test: http://192.168.231.128 on port 80 (or port 3306 on the same address)
Result: the internal "web" page is returned
SNAT and DNAT case 2: letting an external PL/SQL client connect to an internal Oracle server (real-world case; the iptables machine acts as a jump host):
External client: any machine on the Internet.
iptables machine: external IP 124.42.15.118, internal IP 192.168.15.110; listens on port 10050 (configured so it can reach 192.168.8.151 on the internal network)
Internal Oracle machine: internal address only, 192.168.8.151:1521 (configured so it can reach 192.168.15.110)
Rules on the iptables machine (IP forwarding must be enabled):
iptables -t nat -A PREROUTING -d 124.42.15.118 -p tcp -m tcp --dport 10050 -j DNAT --to-destination 192.168.8.151:1521
iptables -t nat -A POSTROUTING -d 192.168.8.151 -p tcp -m tcp --dport 1521 -j SNAT --to-source 192.168.15.110
On the external client:
Edit the PL/SQL tnsnames entry so it points at the jump host's address and port:
A_PRI_CRM =
(DESCRIPTION =
(ADDRESS_LIST =(ADDRESS = (PROTOCOL = TCP)(HOST = 124.42.15.118)(PORT = 10050)))
(CONNECT_DATA =(SERVICE_NAME = orcl))
)
From then on, PL/SQL logs in through that entry, as shown in the original screenshot (not reproduced here).
-p tcp: match the TCP protocol
-m tcp: load the tcp match extension
Deleting a rule from a chain by its number. Format: iptables -t nat -D <chain> <rule number>
Rules currently loaded:
#iptables -t nat -A PREROUTING -d 192.168.231.128 -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.4.10:80
#iptables -t nat -A POSTROUTING -d 192.168.4.10 -p tcp -m tcp --dport 80 -j SNAT --to-source 192.168.4.205
#iptables -t nat -A PREROUTING -d 192.168.231.128 -p tcp -m tcp --dport 3306 -j DNAT --to-destination 192.168.4.10:3306
#iptables -t nat -A POSTROUTING -d 192.168.4.10 -p tcp -m tcp --dport 3306 -j SNAT --to-source 192.168.4.205
[root@localhost ~]# iptables -t nat -nL --line-numbers   # list the rules with their numbers
Chain PREROUTING (policy ACCEPT)
num target prot opt source destination
1 DNAT tcp -- 0.0.0.0/0 192.168.231.128 tcp dpt:80 to:192.168.4.10:80
2 DNAT tcp -- 0.0.0.0/0 192.168.231.128 tcp dpt:3306 to:192.168.4.10:3306
Chain POSTROUTING (policy ACCEPT)
num target prot opt source destination
1 SNAT tcp -- 0.0.0.0/0 192.168.4.10 tcp dpt:80 to:192.168.4.205
2 SNAT tcp -- 0.0.0.0/0 192.168.4.10 tcp dpt:3306 to:192.168.4.205
Chain OUTPUT (policy ACCEPT)
num target prot opt source destination
Delete the 3306 rules by number. Rules renumber after each deletion, so when removing several rules from one chain delete the highest number first, or list the chain again between deletions:
[root@localhost ~]# iptables -t nat -D PREROUTING 2
[root@localhost ~]# iptables -t nat -D POSTROUTING 2
[root@localhost ~]# iptables -t nat -nL --line-numbers
Chain PREROUTING (policy ACCEPT)
num target prot opt source destination
1 DNAT tcp -- 0.0.0.0/0 192.168.231.128 tcp dpt:80 to:192.168.4.10:80
Chain POSTROUTING (policy ACCEPT)
num target prot opt source destination
1 SNAT tcp -- 0.0.0.0/0 192.168.4.10 tcp dpt:80 to:192.168.4.205
Chain OUTPUT (policy ACCEPT)
num target prot opt source destination