IPTABLES rule optimization: a question about improving efficiency?

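Posted 2006-12-21 17:26
eth1 and eth2 are set up as a bridge, with eth1 as the uplink port and eth2 as the downlink port. Can the rule structure below actually improve efficiency?
Or does anyone have a better idea?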
# Generated by iptables-save v1.3.5 on Thu Dec 21 17:11:48 2006
*filter
:INPUT ACCEPT [73883:10783298]
:FORWARD ACCEPT [75763810:4729096424]
:OUTPUT ACCEPT [47872:13998500]
COMMIT
# Completed on Thu Dec 21 17:11:48 2006
# Generated by iptables-save v1.3.5 on Thu Dec 21 17:11:48 2006
*mangle
:PREROUTING ACCEPT [75843990:4740333134]
:INPUT ACCEPT [74070:10793934]
:FORWARD ACCEPT [75763810:4729096424]
:OUTPUT ACCEPT [48002:14007780]
:POSTROUTING ACCEPT [75647026:4625321485]
:IP153down - [0:0]
:IP153up - [0:0]
:IP32down - [0:0]
:IP32up - [0:0]
:IP33down - [0:0]
:IP33up - [0:0]
:IP36down - [0:0]
:IP36up - [0:0]
:IP37down - [0:0]
:IP37up - [0:0]
:IP38down - [0:0]
:IP38up - [0:0]
:IP39down - [0:0]
:IP39up - [0:0]
-A POSTROUTING -s 192.168.32.0/255.255.255.0 -m physdev  --physdev-is-bridged -j IP32up
-A POSTROUTING -s 192.168.32.0/255.255.255.0 -m physdev  --physdev-is-bridged -j ACCEPT
-A POSTROUTING -d 192.168.32.0/255.255.255.0 -m physdev  --physdev-is-bridged -j IP32down
-A POSTROUTING -d 192.168.32.0/255.255.255.0 -m physdev  --physdev-is-bridged -j ACCEPT
-A POSTROUTING -s 192.168.33.0/255.255.255.0 -m physdev  --physdev-is-bridged -j IP33up
-A POSTROUTING -s 192.168.33.0/255.255.255.0 -m physdev  --physdev-is-bridged -j ACCEPT
-A POSTROUTING -d 192.168.33.0/255.255.255.0 -m physdev  --physdev-is-bridged -j IP33down
-A POSTROUTING -d 192.168.33.0/255.255.255.0 -m physdev  --physdev-is-bridged -j ACCEPT
-A POSTROUTING -s 192.168.36.0/255.255.255.0 -m physdev  --physdev-is-bridged -j IP36up
-A POSTROUTING -s 192.168.36.0/255.255.255.0 -m physdev  --physdev-is-bridged -j ACCEPT
-A POSTROUTING -d 192.168.36.0/255.255.255.0 -m physdev  --physdev-is-bridged -j IP36down
-A POSTROUTING -d 192.168.36.0/255.255.255.0 -m physdev  --physdev-is-bridged -j ACCEPT
-A POSTROUTING -s 192.168.37.0/255.255.255.0 -m physdev  --physdev-is-bridged -j IP37up
-A POSTROUTING -s 192.168.37.0/255.255.255.0 -m physdev  --physdev-is-bridged -j ACCEPT
-A POSTROUTING -d 192.168.37.0/255.255.255.0 -m physdev  --physdev-is-bridged -j IP37down
-A POSTROUTING -d 192.168.37.0/255.255.255.0 -m physdev  --physdev-is-bridged -j ACCEPT
-A POSTROUTING -m physdev  --physdev-is-bridged -j DROP
-A IP32down -d 192.168.32.47 -m physdev  --physdev-out eth2 -j CLASSIFY --set-class 0003:0020
-A IP32down -d 192.168.32.47 -m physdev  --physdev-is-bridged -j ACCEPT
-A IP32down -m physdev  --physdev-out eth2 -m iprange --dst-range 192.168.32.54-192.168.32.55 -j CLASSIFY --set-class 0003:0021
-A IP32down -m physdev  --physdev-is-bridged -m iprange --dst-range 192.168.32.54-192.168.32.55 -j ACCEPT
-A IP32up -s 192.168.32.47 -m physdev  --physdev-out eth1 -j CLASSIFY --set-class 0002:0020
-A IP32up -s 192.168.32.47 -m physdev  --physdev-is-bridged -j ACCEPT
-A IP32up -m physdev  --physdev-out eth1 -m iprange --src-range 192.168.32.54-192.168.32.55 -j CLASSIFY --set-class 0002:0021
-A IP32up -m physdev  --physdev-is-bridged -m iprange --src-range 192.168.32.54-192.168.32.55 -j ACCEPT
-A IP36down -m physdev  --physdev-out eth2 -m iprange --dst-range 192.168.36.9-192.168.36.10 -j CLASSIFY --set-class 0003:0056
-A IP36down -m physdev  --physdev-is-bridged -m iprange --dst-range 192.168.36.9-192.168.36.10 -j ACCEPT
-A IP36down -m physdev  --physdev-out eth2 -m iprange --dst-range 192.168.36.25-192.168.36.25 -j CLASSIFY --set-class 0003:0036
-A IP36down -m physdev  --physdev-is-bridged -m iprange --dst-range 192.168.36.25-192.168.36.25 -j ACCEPT
-A IP36down -m physdev  --physdev-out eth2 -m iprange --dst-range 192.168.36.17-192.168.36.17 -j CLASSIFY --set-class 0003:0035
-A IP36down -m physdev  --physdev-is-bridged -m iprange --dst-range 192.168.36.17-192.168.36.17 -j ACCEPT
-A IP36down -m physdev  --physdev-out eth2 -m iprange --dst-range 192.168.36.33-192.168.36.33 -j CLASSIFY --set-class 0003:0068
-A IP36down -m physdev  --physdev-is-bridged -m iprange --dst-range 192.168.36.33-192.168.36.33 -j ACCEPT
-A IP36down -m physdev  --physdev-out eth2 -m iprange --dst-range 192.168.36.21-192.168.36.21 -j CLASSIFY --set-class 0003:0071
-A IP36down -m physdev  --physdev-is-bridged -m iprange --dst-range 192.168.36.21-192.168.36.21 -j ACCEPT
-A IP36down -m physdev  --physdev-out eth2 -m iprange --dst-range 192.168.36.41-192.168.36.41 -j CLASSIFY --set-class 0003:0044
-A IP36down -m physdev  --physdev-is-bridged -m iprange --dst-range 192.168.36.41-192.168.36.41 -j ACCEPT
-A IP36down -m physdev  --physdev-out eth2 -m iprange --dst-range 192.168.36.45-192.168.36.45 -j CLASSIFY --set-class 0003:0048
-A IP36down -m physdev  --physdev-is-bridged -m iprange --dst-range 192.168.36.45-192.168.36.45 -j ACCEPT
-A IP36down -m physdev  --physdev-out eth2 -m iprange --dst-range 192.168.36.49-192.168.36.49 -j CLASSIFY --set-class 0003:0083
-A IP36down -m physdev  --physdev-is-bridged -m iprange --dst-range 192.168.36.49-192.168.36.49 -j ACCEPT
-A IP36down -m physdev  --physdev-is-bridged -j DROP
-A IP36up -m physdev  --physdev-out eth1 -m iprange --src-range 192.168.36.9-192.168.36.10 -j CLASSIFY --set-class 0002:0056
-A IP36up -m physdev  --physdev-is-bridged -m iprange --src-range 192.168.36.9-192.168.36.10 -j ACCEPT
-A IP36up -m physdev  --physdev-out eth1 -m iprange --src-range 192.168.36.25-192.168.36.25 -j CLASSIFY --set-class 0002:0036
-A IP36up -m physdev  --physdev-is-bridged -m iprange --src-range 192.168.36.25-192.168.36.25 -j ACCEPT
-A IP36up -m physdev  --physdev-out eth1 -m iprange --src-range 192.168.36.17-192.168.36.17 -j CLASSIFY --set-class 0002:0035
-A IP36up -m physdev  --physdev-is-bridged -m iprange --src-range 192.168.36.17-192.168.36.17 -j ACCEPT
-A IP36up -m physdev  --physdev-out eth1 -m iprange --src-range 192.168.36.33-192.168.36.33 -j CLASSIFY --set-class 0002:0068
-A IP36up -m physdev  --physdev-is-bridged -m iprange --src-range 192.168.36.33-192.168.36.33 -j ACCEPT
-A IP36up -m physdev  --physdev-out eth1 -m iprange --src-range 192.168.36.21-192.168.36.21 -j CLASSIFY --set-class 0002:0071
-A IP36up -m physdev  --physdev-is-bridged -m iprange --src-range 192.168.36.21-192.168.36.21 -j ACCEPT
-A IP36up -m physdev  --physdev-out eth1 -m iprange --src-range 192.168.36.41-192.168.36.41 -j CLASSIFY --set-class 0002:0044
-A IP36up -m physdev  --physdev-is-bridged -m iprange --src-range 192.168.36.41-192.168.36.41 -j ACCEPT
-A IP36up -m physdev  --physdev-out eth1 -m iprange --src-range 192.168.36.45-192.168.36.45 -j CLASSIFY --set-class 0002:0048
-A IP36up -m physdev  --physdev-is-bridged -m iprange --src-range 192.168.36.45-192.168.36.45 -j ACCEPT
-A IP36up -m physdev  --physdev-out eth1 -m iprange --src-range 192.168.36.49-192.168.36.49 -j CLASSIFY --set-class 0002:0083
-A IP36up -m physdev  --physdev-is-bridged -m iprange --src-range 192.168.36.49-192.168.36.49 -j ACCEPT
-A IP36up -m physdev  --physdev-is-bridged -j DROP
-A IP37down -d 192.168.37.64/255.255.255.192 -m physdev  --physdev-is-bridged -j ACCEPT
-A IP37down -m physdev  --physdev-out eth2 -m iprange --dst-range 192.168.37.13-192.168.37.13 -j CLASSIFY --set-class 0003:0033
-A IP37down -m physdev  --physdev-is-bridged -m iprange --dst-range 192.168.37.13-192.168.37.13 -j ACCEPT
-A IP37down -m physdev  --physdev-out eth2 -m iprange --dst-range 192.168.37.17-192.168.37.21 -j CLASSIFY --set-class 0003:0037
-A IP37down -m physdev  --physdev-is-bridged -m iprange --dst-range 192.168.37.17-192.168.37.21 -j ACCEPT
-A IP37down -m physdev  --physdev-out eth2 -m iprange --dst-range 192.168.37.225-192.168.37.237 -j CLASSIFY --set-class 0003:0037
-A IP37down -m physdev  --physdev-is-bridged -m iprange --dst-range 192.168.37.225-192.168.37.237 -j ACCEPT
-A IP37down -m physdev  --physdev-out eth2 -m iprange --dst-range 192.168.37.71-192.168.37.92 -j CLASSIFY --set-class 0003:0100
-A IP37down -m physdev  --physdev-is-bridged -m iprange --dst-range 192.168.37.71-192.168.37.92 -j ACCEPT
-A IP37down -m physdev  --physdev-out eth2 -m iprange --dst-range 192.168.37.111-192.168.37.125 -j CLASSIFY --set-class 0003:0099
-A IP37down -m physdev  --physdev-is-bridged -m iprange --dst-range 192.168.37.111-192.168.37.125 -j ACCEPT
-A IP37down -m physdev  --physdev-out eth2 -m iprange --dst-range 192.168.37.137-192.168.37.141 -j CLASSIFY --set-class 0003:0030
-A IP37down -m physdev  --physdev-is-bridged -m iprange --dst-range 192.168.37.137-192.168.37.141 -j ACCEPT
-A IP37down -m physdev  --physdev-out eth2 -m iprange --dst-range 192.168.37.148-192.168.37.149 -j CLASSIFY --set-class 0003:0102
-A IP37down -m physdev  --physdev-is-bridged -m iprange --dst-range 192.168.37.148-192.168.37.149 -j ACCEPT
-A IP37down -m physdev  --physdev-out eth2 -m iprange --dst-range 192.168.37.245-192.168.37.245 -j CLASSIFY --set-class 0003:0038
-A IP37down -m physdev  --physdev-is-bridged -m iprange --dst-range 192.168.37.245-192.168.37.245 -j ACCEPT
-A IP37down -m physdev  --physdev-is-bridged -j DROP
-A IP37up -s 192.168.37.64/255.255.255.192 -m physdev  --physdev-is-bridged -j ACCEPT
-A IP37up -m physdev  --physdev-out eth1 -m iprange --src-range 192.168.37.13-192.168.37.13 -j CLASSIFY --set-class 0002:0033
-A IP37up -m physdev  --physdev-is-bridged -m iprange --src-range 192.168.37.13-192.168.37.13 -j ACCEPT
-A IP37up -m physdev  --physdev-out eth1 -m iprange --src-range 192.168.37.17-192.168.37.21 -j CLASSIFY --set-class 0002:0037
-A IP37up -m physdev  --physdev-is-bridged -m iprange --src-range 192.168.37.17-192.168.37.21 -j ACCEPT
-A IP37up -m physdev  --physdev-out eth1 -m iprange --src-range 192.168.37.225-192.168.37.237 -j CLASSIFY --set-class 0002:0037
-A IP37up -m physdev  --physdev-is-bridged -m iprange --src-range 192.168.37.225-192.168.37.237 -j ACCEPT
-A IP37up -m physdev  --physdev-out eth1 -m iprange --src-range 192.168.37.71-192.168.37.92 -j CLASSIFY --set-class 0002:0100
-A IP37up -m physdev  --physdev-is-bridged -m iprange --src-range 192.168.37.71-192.168.37.92 -j ACCEPT
-A IP37up -m physdev  --physdev-out eth1 -m iprange --src-range 192.168.37.111-192.168.37.125 -j CLASSIFY --set-class 0002:0099
-A IP37up -m physdev  --physdev-is-bridged -m iprange --dst-range 192.168.37.111-192.168.37.125 -j ACCEPT
-A IP37up -m physdev  --physdev-out eth1 -m iprange --src-range 192.168.37.137-192.168.37.141 -j CLASSIFY --set-class 0002:0030
-A IP37up -m physdev  --physdev-is-bridged -m iprange --src-range 192.168.37.137-192.168.37.141 -j ACCEPT
-A IP37up -m physdev  --physdev-out eth1 -m iprange --src-range 192.168.37.148-192.168.37.149 -j CLASSIFY --set-class 0002:0102
-A IP37up -m physdev  --physdev-is-bridged -m iprange --dst-range 192.168.37.148-192.168.37.149 -j ACCEPT
-A IP37up -m physdev  --physdev-out eth1 -m iprange --src-range 192.168.37.245-192.168.37.245 -j CLASSIFY --set-class 0002:0038
-A IP37up -m physdev  --physdev-is-bridged -m iprange --src-range 192.168.37.245-192.168.37.245 -j ACCEPT
-A IP37up -m physdev  --physdev-is-bridged -j DROP
COMMIT
# Completed on Thu Dec 21 17:11:48 2006

[ This post was last edited by kong@xm on 2006-12-21 17:38 ]
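
One way to measure what this layout costs and what it does to a given packet, as an added example that is not part of the original post: the Python code below walks a packet through a constructed subset of the posted mangle rules and returns the verdict, the CLASSIFY class and the number of rules evaluated. It assumes every packet is bridged (so `--physdev-is-bridged` always matches) and handles only the match options that appear in the post; the function names are illustrative.

```python
import ipaddress as ipa

# Constructed sample: a subset of the mangle rules from the post, copied as posted.
RULES = """\
-A POSTROUTING -s 192.168.37.0/255.255.255.0 -m physdev --physdev-is-bridged -j IP37up
-A POSTROUTING -s 192.168.37.0/255.255.255.0 -m physdev --physdev-is-bridged -j ACCEPT
-A POSTROUTING -m physdev --physdev-is-bridged -j DROP
-A IP37up -s 192.168.37.64/255.255.255.192 -m physdev --physdev-is-bridged -j ACCEPT
-A IP37up -m physdev --physdev-out eth1 -m iprange --src-range 192.168.37.13-192.168.37.13 -j CLASSIFY --set-class 0002:0033
-A IP37up -m physdev --physdev-is-bridged -m iprange --src-range 192.168.37.13-192.168.37.13 -j ACCEPT
-A IP37up -m physdev --physdev-out eth1 -m iprange --src-range 192.168.37.148-192.168.37.149 -j CLASSIFY --set-class 0002:0102
-A IP37up -m physdev --physdev-is-bridged -m iprange --dst-range 192.168.37.148-192.168.37.149 -j ACCEPT
-A IP37up -m physdev --physdev-is-bridged -j DROP
"""

def parse(text):
    chains = {}  # chain name -> list of {option: value} dicts, in rule order
    for tok in map(str.split, text.splitlines()):
        opts = {a: b for a, b in zip(tok[2:], tok[3:]) if a[0] == "-" and b[0] != "-"}
        chains.setdefault(tok[1], []).append(opts)
    return chains

def matches(o, src, dst, out):
    def rng(ip, v):
        lo, hi = map(ipa.ip_address, v.split("-"))
        return lo <= ip <= hi
    checks = {"-s": lambda v: src in ipa.ip_network(v),
              "-d": lambda v: dst in ipa.ip_network(v),
              "--src-range": lambda v: rng(src, v),
              "--dst-range": lambda v: rng(dst, v),
              "--physdev-out": lambda v: out == v}  # --physdev-is-bridged assumed true
    return all(f(o[k]) for k, f in checks.items() if k in o)

def walk(chains, src, dst, out, chain, st):
    for o in chains.get(chain, []):
        st["n"] += 1  # every rule looked at counts, matched or not
        if not matches(o, src, dst, out):
            continue
        if o["-j"] == "CLASSIFY":
            st["cls"] = o["--set-class"]  # non-terminating: traversal continues
        elif o["-j"] in ("ACCEPT", "DROP"):
            return o["-j"]
        elif (v := walk(chains, src, dst, out, o["-j"], st)):
            return v  # verdict reached inside the user-defined chain
    return None  # fell off the end: back to the calling chain

def trace(src, dst, out):
    st = {"n": 0, "cls": None}
    v = walk(parse(RULES), ipa.ip_address(src), ipa.ip_address(dst), out, "POSTROUTING", st)
    return v or "ACCEPT", st["cls"], st["n"]  # built-in chain policy is ACCEPT
```

With the sample as posted, `trace("192.168.37.148", "203.0.113.5", "eth1")` shows the packet being classified 0002:0102 and then reaching the chain's final DROP, because the paired ACCEPT rule tests `--dst-range` rather than `--src-range`.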