iptables and ebtables
Source: Internet  Published: windows phone app  Editor: 程序博客网  Time: 2024/05/18 01:27
iptables and ebtables are both firewalls commonly used on Linux: the former handles packet filtering at the network layer, the latter at the data link layer. For the syntax of both, see the blog posts http://blog.csdn.net/windxxf/article/details/815973
and http://itoedr.blog.163.com/blog/static/1202842972012101022023796/
Below are the firewall policies I have put together.
iptables
1) Allow all packets input from eth1
2) Allow all packets output to eth0
3) Transmit packets from eth1 to eth0
4) Defend against SYN flood
5) Forbid new access requests from eth0
6) Accept TCP traffic from 01:02:03:04:05:06
7) Deny pings from outside
8) Allow the source IP 202.106.12.130 to connect to the SSH service port
9) Drop all ICMP echo requests from eth1
10) Replace the source address and port with one of 194.236.50.155~194.236.50.160 and one of 1024~32000 for all TCP traffic from eth0
11) Allow 192.168.1.34 to access port 25 on the outside network from eth0
12) Transmit all traffic sent to 15.45.23.67 to a range of LAN addresses: 192.168.1.2~192.168.1.10
1. iptables -A INPUT -i eth1 -j ACCEPT
2. iptables -A OUTPUT -o eth0 -j ACCEPT
   (the OUTPUT chain has no input interface, so -i is rejected there; the output interface is matched with -o)
3. iptables -A FORWARD -i eth1 -o eth0 -j ACCEPT
4. iptables -A INPUT -p tcp --syn -m limit --limit 1/s -j ACCEPT
   (this only throttles SYNs if the INPUT policy is DROP or a later rule drops the SYNs that exceed the limit)
5. iptables -A INPUT -i eth0 -m state --state NEW -j DROP
6. iptables -A INPUT -p tcp -m mac --mac-source 01:02:03:04:05:06 -j ACCEPT
7. iptables -A INPUT -p icmp --icmp-type 8 -j DROP
8. iptables -A INPUT -p tcp -s 202.106.12.130 --dport 22 -j ACCEPT
9. iptables -A INPUT -p icmp --icmp-type echo-request -i eth1 -j DROP
10. iptables -t nat -A POSTROUTING -p tcp -o eth0 -j SNAT --to-source 194.236.50.155-194.236.50.160:1024-32000
11. iptables -A INPUT -p tcp -s 192.168.1.34 -i eth0 --dport 25 -j ACCEPT
    (--dport is an option of the tcp/udp match, so -p tcp is required for it to parse)
12. iptables -t nat -A PREROUTING -d 15.45.23.67 -j DNAT --to-destination 192.168.1.2-192.168.1.10
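Rules like the ones above are easy to get subtly wrong (an -i in the OUTPUT chain, a --dport without -p, a rate-limited SYN ACCEPT with nothing dropping the excess), so here is a small offline checker for those slips. It is an added example, not part of the original post; the parser only understands the option shapes used in this list, and the sample rules in the test are taken from it.

```python
"""Offline sanity checks for iptables rules (added example; covers only the option shapes used on this page)."""
import shlex

IN_IF_CHAINS = {"INPUT", "FORWARD", "PREROUTING"}     # chains where -i is legal
OUT_IF_CHAINS = {"OUTPUT", "FORWARD", "POSTROUTING"}  # chains where -o is legal

def parse_rule(line):
    """Split one iptables command into table, chain and a flag -> value map."""
    toks = shlex.split(line)
    rule = {"table": "filter", "chain": None, "opts": {}, "raw": line}
    i = 1                                  # skip the 'iptables' word
    while i < len(toks):
        tok = toks[i]
        if tok in ("-t", "--table"):
            rule["table"] = toks[i + 1]; i += 2
        elif tok in ("-A", "-I", "-D"):
            rule["chain"] = toks[i + 1]; i += 2
        elif tok.startswith("-"):          # flag with a value, or a bare flag such as --syn
            has_val = i + 1 < len(toks) and not toks[i + 1].startswith("-")
            rule["opts"][tok] = toks[i + 1] if has_val else True
            i += 2 if has_val else 1
        else:
            i += 1                         # e.g. a '!' negation token
    return rule

def check_rule(rule):
    """Problems iptables would reject outright, or that parse but match nothing useful."""
    o, chain = rule["opts"], rule["chain"]
    proto = o.get("-p", o.get("--protocol"))
    problems = []
    for flag, chains in (("-i", IN_IF_CHAINS), ("-o", OUT_IF_CHAINS)):
        if flag in o and chain not in chains:
            problems.append(f"{flag} is not valid in chain {chain}")
    if ("--dport" in o or "--sport" in o) and proto not in ("tcp", "udp", "sctp", "dccp"):
        problems.append("--dport/--sport need -p tcp|udp|sctp|dccp")
    if ("--syn" in o and proto != "tcp") or ("--icmp-type" in o and proto != "icmp"):
        problems.append("--syn needs -p tcp; --icmp-type needs -p icmp")
    return problems

def check_ruleset(lines):
    """Per-rule problems plus a cross-rule check on the SYN-flood idiom."""
    rules = [parse_rule(l) for l in lines]
    report = {r["raw"]: check_rule(r) for r in rules}
    for idx, r in enumerate(rules):
        o = r["opts"]
        # A rate-limited SYN ACCEPT throttles nothing unless a later --syn DROP in the chain (or a DROP policy) catches the excess.
        if "--syn" in o and o.get("-m") == "limit" and o.get("-j") == "ACCEPT" and not any(
                x["chain"] == r["chain"] and "--syn" in x["opts"] and x["opts"].get("-j") == "DROP"
                for x in rules[idx + 1:]):
            report[r["raw"]].append("rate-limited SYN ACCEPT has no later --syn DROP in this chain")
    return report
```

Run check_ruleset over the list of commands before loading them; the kernel will reject the first two classes of error, but the third loads silently and simply does not limit anything.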
ebtables
1) Forward the packets with source MAC 00:11:22:33:44:55
2) Change the iptables rule to ebtables: iptables -A FORWARD -s 172.16.1.4 -m mac ! --mac-source 00:11:22:33:44:55 -j DROP
3) Drop all traffic with matching MAC-IP source address pairs: 00:11:22:33:44:55->192.168.1.3, 00:66:77:88:00:11->192.168.1.4
4) Make all frames destined to 00:11:22:33:44:55 that arrived on interface eth0 be transferred to 54:44:33:22:11:00 instead
5) br0 has no IP address (0.0.0.0), eth0 is 172.16.1.1 and eth0 is a port of br0; make IP packets that must be routed enter the IP routing code through the eth0 device, not through the br0 device
6) Mark all IP traffic that entered through eth0 with mark value 2, and let later rules still have the chance of seeing the frame/packet
7) Use arpreply to answer ARP requests, letting the ARP request populate the ARP cache
8) Send all packets to be forwarded to userspace programs listening on netlink group number 5 before dropping them
1. ebtables -A FORWARD -s 00:11:22:33:44:55 -j ACCEPT
2. ebtables -A FORWARD -p ipv4 --ip-src 172.16.1.4 -s ! 00:11:22:33:44:55 -j DROP
3. ebtables -N MACHINE-MC-IP-PAIR
   ebtables -A MACHINE-MC-IP-PAIR -j DROP
   ebtables -A FORWARD -p ipv4 --among-src 00:11:22:33:44:55=192.168.1.3,00:66:77:88:00:11=192.168.1.4 -j MACHINE-MC-IP-PAIR
   (--among-src takes MAC=IP pairs of the source side; the user chain needs its own DROP rule, otherwise a jump into it drops nothing)
4. ebtables -t nat -A PREROUTING -d 00:11:22:33:44:55 -i eth0 -j dnat --to-destination 54:44:33:22:11:00
5. ebtables -t broute -A BROUTING -p ipv4 -i eth0 --ip-dst 172.16.1.1 -j DROP
   (in the broute table DROP means "route the frame" and ACCEPT means "bridge it")
6. ebtables -t broute -A BROUTING -i eth0 -p ipv4 -j mark --mark-set 2 --mark-target CONTINUE
   (--mark-target CONTINUE hands the marked frame back to the chain so later rules still see it)
7. ebtables -t nat -A PREROUTING -p arp --arp-opcode Request -j arpreply --arpreply-mac 10:11:12:13:14:15
8. ebtables -A FORWARD --ulog-nlgroup 5 -j DROP
   (ebtables extension targets such as dnat, mark and arpreply are spelled in lower case; only the standard targets ACCEPT, DROP, CONTINUE and RETURN are upper case)