Godbach posted on 2013-11-28 13:32
Reply to 19# atkisc
As you requested, I changed the rules to the following:
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:SYNCHK - [0:0]
-A INPUT -i eth0 -p tcp -m tcp -j SYNCHK
-A INPUT -i eth0 -p tcp -m tcp -j LOG --log-prefix 'Input-TCP' --log-level 7
-A INPUT -i eth0 -p tcp -m tcp --dport 30022 -j LOG --log-prefix 'Input-TCP-30022' --log-level 7
-A SYNCHK -p tcp -m tcp -j LOG --log-prefix 'SYNCHK-TCP' --log-level 7
-A SYNCHK -p tcp -m tcp --dport 30022 -j ACCEPT
-A SYNCHK -p tcp -m tcp -j ACCEPT
-A SYNCHK -p tcp -j DROP
COMMIT
Output of iptables -nvL after an attempted SSH login:
Chain INPUT (policy ACCEPT 290 packets, 23774 bytes)
 pkts bytes target     prot opt in     out     source               destination
   14  1384 SYNCHK     tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0            tcp
    0     0 LOG        tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0            tcp LOG flags 0 level 7 prefix `'Input-TCP''
    0     0 LOG        tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0            tcp dpt:30022 LOG flags 0 level 7 prefix `'Input-TCP-30022''

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 290 packets, 23774 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain SYNCHK (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 LOG        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp LOG flags 0 level 7 prefix `'SYNCHK-TCP'
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:30022
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp
    0     0 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0
The iptables LOG is empty.
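A way to read a listing like the one above mechanically, as an added example that is not part of the thread or the poster's rules: the script parses the iptables -nvL counters, sums the packets that jumped into each user-defined chain, and flags three things worth checking when a LOG rule stays silent: a chain that received packets while none of its rules counted any (SYNCHK above: 14 in, 0 everywhere), LOG rules at level 7 (KERN_DEBUG, which shows in dmesg but which a syslog selector such as *.info never writes to the log file), and rules shadowed by an earlier catch-all (the final DROP behind the unconditional ACCEPT). The SAMPLE listing is constructed from the output in the post; the checks are this example's own heuristics, and the dump.txt file name in the usage note is hypothetical.

```python
"""Reconcile the counters of an `iptables -nvL` listing.

Added example for this thread, not the poster's code. SAMPLE is constructed from
the INPUT and SYNCHK chains posted above; the three checks (packets entered a
chain but nothing counted, rule shadowed by an earlier catch-all, LOG at debug
level) are this example's own heuristics, not anything the thread states.
"""
import re
from collections import namedtuple

# Constructed from the post's listing (FORWARD and OUTPUT omitted: no rules).
SAMPLE = """\
Chain INPUT (policy ACCEPT 290 packets, 23774 bytes)
 pkts bytes target     prot opt in     out     source               destination
   14  1384 SYNCHK     tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0            tcp
    0     0 LOG        tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0            tcp LOG flags 0 level 7 prefix `'Input-TCP''
    0     0 LOG        tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0            tcp dpt:30022 LOG flags 0 level 7 prefix `'Input-TCP-30022''

Chain SYNCHK (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 LOG        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp LOG flags 0 level 7 prefix `'SYNCHK-TCP'
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:30022
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp
    0     0 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0
"""

TERMINATING = {"ACCEPT", "DROP", "REJECT", "RETURN"}
ANY_ADDR = {"0.0.0.0/0", "::/0"}
CHAIN_RE = re.compile(r"^Chain (\S+) \((?:policy (\S+) (\d+[KMG]?) packets|\d+ references)")
# pkts bytes target prot opt in out source destination [match/target options]
RULE_RE = re.compile(r"^\s*(\d+[KMG]?)\s+(\d+[KMG]?)" + r"\s+(\S+)" * 7 + r"(?:\s+(.*))?$")
Rule = namedtuple("Rule", "pkts target prot in_if out_if src dst extra")
Chain = namedtuple("Chain", "name policy policy_pkts rules")  # policy None => user chain


def _count(tok):
    """iptables abbreviates large counters (1384K, 2M) unless -x is given."""
    scale = {"K": 10**3, "M": 10**6, "G": 10**9}
    return int(tok[:-1]) * scale[tok[-1]] if tok[-1] in scale else int(tok)


def parse_iptables_nvL(text):
    """Map chain name -> Chain. Rules with an empty target column (a bare
    -A CHAIN -p tcp with no -j) shift the columns and are not handled."""
    chains, current = {}, None
    for line in text.splitlines():
        m = CHAIN_RE.match(line)
        if m:
            name, policy, pol_pkts = m.groups()
            current = chains[name] = Chain(name, policy, _count(pol_pkts) if pol_pkts else 0, [])
            continue
        m = RULE_RE.match(line)
        if m and current is not None:
            pkts, _bytes, target, prot, _opt, in_if, out_if, src, dst, extra = m.groups()
            current.rules.append(Rule(_count(pkts), target, prot, in_if, out_if, src, dst, (extra or "").strip()))
    return chains


def packets_entering(chains, name):
    """Packets that jumped into a user-defined chain: the counters of every rule,
    in any chain, whose target is that chain. None for built-in chains, whose
    traffic arrives from the netfilter hook rather than from a counted jump."""
    if chains[name].policy is not None:
        return None
    return sum(r.pkts for c in chains.values() for r in c.rules if r.target == name)


def _is_catch_all(rule):
    """Nothing restricts the rule beyond its protocol: wildcard interfaces, any
    address, no match options (extra is empty or just the name a bare -m tcp prints)."""
    return (rule.in_if == "*" and rule.out_if == "*" and rule.src in ANY_ADDR
            and rule.dst in ANY_ADDR and rule.extra in ("", rule.prot))


def find_issues(chains):
    """Return (chain, kind, rule_no, message); rule_no is None for chain-level findings."""
    issues = []
    for chain in chains.values():
        entered = packets_entering(chains, chain.name)
        if entered and all(r.pkts == 0 for r in chain.rules):
            issues.append((chain.name, "zero-hit-chain", None,
                           f"{entered} packets jumped in but no rule counted one; the rules or "
                           "counters of this chain changed after that traffic (iptables -Z/-F, reload)"))
        shadowed = set()
        for no, rule in enumerate(chain.rules, start=1):
            if rule.target == "LOG" and re.search(r"\blevel 7\b", rule.extra):
                issues.append((chain.name, "log-level-debug", no,
                               "LOG level 7 is KERN_DEBUG: it lands in dmesg, but a syslog selector "
                               "such as *.info never writes it to the log file"))
            if no in shadowed or rule.target not in TERMINATING or not _is_catch_all(rule):
                continue
            for later_no in range(no + 1, len(chain.rules) + 1):
                later = chain.rules[later_no - 1]
                if later_no not in shadowed and rule.prot in ("all", later.prot):
                    shadowed.add(later_no)
                    issues.append((chain.name, "unreachable", later_no,
                                   f"shadowed by rule {no}, which {rule.target}s every {rule.prot} packet"))
    return issues


if __name__ == "__main__":
    import sys
    listing = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE
    for chain, kind, no, msg in find_issues(parse_iptables_nvL(listing)):
        where = chain if no is None else f"{chain} rule {no}"
        print(f"[{kind}] {where}: {msg}")
```

With no argument it analyses the built-in sample; on a live host save the listing with iptables -nvL -x > dump.txt and pass dump.txt as the first argument (-x prints exact counters, though the K/M/G abbreviations are handled too). A jump into a user chain is counted on the jump rule even if the chain later RETURNs, so the "entered" figure is an upper bound on what the chain's own rules can have seen; when it is non-zero and every rule in the chain is still at zero, the counters and the rules were not live at the same time.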