I added a DROP for port 80 in iptables,
but tcpdump still captures SYN connections to port 80. Why didn't iptables DROP the SYN packets?
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
ACCEPT all -- 159.37.21.0/24 0.0.0.0/0
DROP all -- 0.0.0.0/0 0.0.0.0/0
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
ACCEPT all -- 0.0.0.0/0 159.37.21.0/24
DROP all -- 0.0.0.0/0 0.0.0.0/0
tcpdump -i em2 host 218.24.24.55 -nn
14:21:10.187626 IP 218.24.24.55.27845 > 159.37.21.10.80: Flags [S], seq 159907489, win 8192, options [mss 1380,nop,wscale 2,nop,nop,sackOK], length 0