Originally posted by platinum on 2006-8-31 14:06
iptables has three tables by default: filter, nat and mangle.
If you want to list all rules with the iptables command, you should use
# for i in filter nat mangle;do iptables -vnL -t $i;done
I printed it out; these are the rules after restoring the factory defaults:
#
# for i in filter nat mangle;do iptables -vnL -t $i;done
Chain INPUT (policy ACCEPT 131 packets, 23008 bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT udp -- eth0 * 192.168.1.0/24 0.0.0.0/0 udp dpt:30006
0 0 ACCEPT tcp -- eth0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:30005
0 0 ACCEPT udp -- br0 * 0.0.0.0/0 0.0.0.0/0 udp dpts:17384:17390
0 0 ACCEPT udp -- br0 * 0.0.0.0/0 0.0.0.0/0 udp dpts:53456:53462
0 0 ACCEPT udp -- br0 * 0.0.0.0/0 0.0.0.0/0 udp dpt:5060
0 0 ACCEPT all -- eth0 * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
0 0 LOG tcp -- eth0 * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x16/0x02 limit: avg 6/hour burst 5 LOG flags 0 level 1 prefix `Intrusion -> '
117 13072 DROP all -- eth0 * 0.0.0.0/0 0.0.0.0/0
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT udp -- eth0 * 192.168.1.0/24 0.0.0.0/0 udp dpt:30006
0 0 ACCEPT tcp -- eth0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:30005
0 0 ACCEPT all -- eth0 * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
0 0 LOG tcp -- eth0 * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x16/0x02 limit: avg 6/hour burst 5 LOG flags 0 level 1 prefix `Intrusion -> '
0 0 DROP all -- eth0 * 0.0.0.0/0 0.0.0.0/0
Chain OUTPUT (policy ACCEPT 168 packets, 116K bytes)
pkts bytes target prot opt in out source destination
0 0 DROP all -- * eth0 0.0.0.0/0 239.255.255.250
Chain PREROUTING (policy ACCEPT 154 packets, 15624 bytes)
pkts bytes target prot opt in out source destination
0 0 DNAT udp -- br0 * 0.0.0.0/0 192.168.1.1 udp dpt:53 to:172.17.36.11
Chain POSTROUTING (policy ACCEPT 9 packets, 602 bytes)
pkts bytes target prot opt in out source destination
0 0 MASQUERADE all -- * eth0 192.168.1.0/24 0.0.0.0/0
Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain PREROUTING (policy ACCEPT 287 packets, 40311 bytes)
pkts bytes target prot opt in out source destination
Chain INPUT (policy ACCEPT 248 packets, 36080 bytes)
pkts bytes target prot opt in out source destination
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 168 packets, 116K bytes)
pkts bytes target prot opt in out source destination
Chain POSTROUTING (policy ACCEPT 226 packets, 133K bytes)
pkts bytes target prot opt in out source destination
#
Still the same question as above: I want to add a rule whose internal address is the broadcast address, so that data arriving on port 17001 is sent to port 17001 on every machine in the internal network.
Here is what I did. I added two rules with the following commands:
iptables -I FORWARD -i eth0 -p udp --dport 17001 -d 255.255.255.255 -j ACCEPT
iptables -t nat -A PREROUTING -i eth0 -p udp --dport 17001 -j DNAT --to-destination 255.255.255.255:17001
The rules that were added are as follows:
[Chain PREROUTING]DNAT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:17001 to:255.255.255.255:17001
[Chain FORWARD]ACCEPT udp -- 0.0.0.0/0 255.255.255.255 udp dpt:17001
This does not work. Why not?
How can I achieve this?
Thanks
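When a rule like the two above does not have the intended effect, the first thing to check is whether any packet ever reaches it, which the pkts/bytes columns of the `-vnL` listing quoted in the post show. The following Python parser is an added example (not code from the post): it reads that listing format, handles the K/M/G counter suffixes such as `116K`, and reports rules that have never matched; the sample dump is constructed in the same format as the quoted one.

```python
import re

# Constructed sample in the `iptables -vnL -t nat` format quoted in the post (not the post's own dump).
SAMPLE = """\
Chain PREROUTING (policy ACCEPT 154 packets, 15624 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DNAT       udp  --  eth0   *       0.0.0.0/0            0.0.0.0/0            udp dpt:17001 to:255.255.255.255:17001
   12   816 DNAT       udp  --  br0    *       0.0.0.0/0            192.168.1.1          udp dpt:53 to:172.17.36.11
Chain POSTROUTING (policy ACCEPT 9 packets, 602 bytes)
 pkts bytes target     prot opt in     out     source               destination
  226  133K MASQUERADE all  --  *      eth0    192.168.1.0/24       0.0.0.0/0
"""

# Built-in chains carry a policy; user-defined chains show "(N references)" instead.
CHAIN_RE = re.compile(r"^Chain (\S+) \((?:policy (\S+) \d+ packets, \d+ bytes|\d+ references)\)")
FIELDS = ("pkts", "bytes", "target", "prot", "opt", "in", "out", "source", "destination")

def counter(s):
    """Parse a -v counter; iptables abbreviates large values with K/M/G suffixes (e.g. 116K)."""
    mult = {"K": 1000, "M": 1000 ** 2, "G": 1000 ** 3}
    return int(s[:-1]) * mult[s[-1]] if s[-1] in mult else int(s)

def parse_dump(text):
    """Turn one table's `iptables -vnL` listing into {chain: {"policy": ..., "rules": [...]}}."""
    chains, current = {}, None
    for line in text.splitlines():
        m = CHAIN_RE.match(line)
        if m:
            current = chains[m.group(1)] = {"policy": m.group(2), "rules": []}
            continue
        if current is None or not line.strip() or line.split()[0] == "pkts":
            continue  # column header, blank line, or text before the first chain
        parts = line.split(None, len(FIELDS))  # the match/extra text keeps its internal spaces
        rule = dict(zip(FIELDS, parts))
        rule["pkts"], rule["bytes"] = counter(rule["pkts"]), counter(rule["bytes"])
        rule["match"] = parts[len(FIELDS)].strip() if len(parts) > len(FIELDS) else ""
        current["rules"].append(rule)
    return chains

def unmatched_rules(chains, target=None):
    """Rules whose packet counter is still zero: no packet has reached them yet."""
    return [(name, r["target"], r["match"])
            for name, chain in chains.items() for r in chain["rules"]
            if r["pkts"] == 0 and (target is None or r["target"] == target)]

if __name__ == "__main__":
    for name, target, match in unmatched_rules(parse_dump(SAMPLE)):
        print(f"never matched: {name} {target} {match}")
```

Run it against the real listing (`iptables -vnL -t nat | python3 this_script.py` after swapping SAMPLE for stdin) before and after sending a test packet: a DNAT rule whose counter stays at zero was never consulted, while a rule that counts packets but produces no delivery points at what happens after the translation.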