iptables Firewall Notes 1

Source: Internet  Published under: c语言排序方法  Editor: 程序博客网  Time: 2024/05/07 08:57

On OpenWrt the firewall rules can be configured with the uci command; the configuration file is /etc/config/firewall.
Reading the /etc/init.d/firewall init script shows that the program actually implementing the firewall is fw3, which translates that configuration into iptables rules.
Since OpenWrt is a Linux system it also supports iptables directly, so iptables knowledge applies here as well.
One caveat: rules added by hand with iptables are not persistent and are overwritten the next time fw3 reloads (for example after /etc/init.d/firewall restart); permanent custom rules belong in /etc/firewall.user, which fw3 loads into its user chains (input_rule, forwarding_rule, output_rule).

Run iptables -L to view the current firewall rules:

root@goldsunny:~# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
delegate_input  all  --  anywhere             anywhere

Chain FORWARD (policy DROP)
target     prot opt source               destination
delegate_forward  all  --  anywhere             anywhere

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
delegate_output  all  --  anywhere             anywhere

So the default policies are:

Chain INPUT (policy ACCEPT)
Chain FORWARD (policy DROP)
Chain OUTPUT (policy ACCEPT)

That is, INPUT and OUTPUT are allowed by default, while FORWARD is silently dropped. The policy is only the fallback: it decides a packet's fate when no rule in the built-in chain matched (or a jumped-to chain returned) and nothing terminated processing earlier. On this box every built-in chain immediately jumps into a chain built by fw3, so in practice those chains decide most traffic and the policy catches whatever falls through them.
Common target values are:

DROP: silently discard the packet. The sender gets no answer at all, so a scanner cannot tell a filtered port from an unreachable host; the cost is that legitimate clients wait for a timeout.
REJECT: refuse explicitly. By default an ICMP port-unreachable is returned; --reject-with tcp-reset sends a TCP RST instead, which lets TCP clients fail immediately.
ACCEPT: let the packet through.
custom_chain: jump to a user-defined chain.
DNAT: destination NAT (nat table).
SNAT: source NAT (nat table).
MASQUERADE: source address masquerading, i.e. SNAT to the outgoing interface's current address, meant for interfaces with dynamic addresses (nat table).
REDIRECT: redirect to a local port, mainly used for port redirection (nat table).
MARK: set a firewall mark on the packet for later rules or policy routing (normally in the mangle table).
RETURN: stop processing the current user-defined chain and go back to the rule after the jump in the calling chain.
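To see how several of these targets are used together, here is an added example (not from the original post and not OpenWrt's or fw3's own rules): a custom chain hung off INPUT that uses RETURN and REJECT, plus the nat-table MASQUERADE and REDIRECT targets and a mangle-table MARK. The IPT wrapper variable, the chain name ssh_guard, the interface names eth0 and br-lan and the addresses are all assumptions for illustration; set IPT=echo to print the commands instead of applying them. On OpenWrt, fw3 discards such hand-applied rules on its next reload, so the permanent ones go in /etc/firewall.user.

```shell
#!/bin/sh
# Added example, not code from the original post or from OpenWrt/fw3.
# IPT is a hypothetical wrapper variable: leave it unset to run the real
# commands as root, or set IPT=echo to dry-run and just print them.
IPT="${IPT:-iptables}"

apply_target_examples() {
    # custom_chain: create ssh_guard (flush it if it already exists)
    $IPT -N ssh_guard 2>/dev/null || $IPT -F ssh_guard

    # RETURN: the management network (assumed 192.168.1.0/24) goes back to
    # the calling chain, so the rules after the jump in INPUT decide,
    # instead of an outright ACCEPT here
    $IPT -A ssh_guard -s 192.168.1.0/24 -j RETURN

    # REJECT: everyone else gets a TCP RST, so clients fail immediately.
    # DROP would answer nothing: the client waits for its timeout and cannot
    # tell a filtered port from a dead host (swap the target to compare).
    $IPT -A ssh_guard -p tcp -j REJECT --reject-with tcp-reset

    # Jump into the custom chain for new SSH connections, ahead of the
    # existing rules (-I ... 1).
    $IPT -I INPUT 1 -p tcp --dport 22 -m conntrack --ctstate NEW -j ssh_guard

    # MASQUERADE (nat table only): rewrite the source of traffic leaving the
    # WAN interface (assumed eth0) to that interface's current address
    $IPT -t nat -A POSTROUTING -o eth0 -j MASQUERADE

    # REDIRECT (nat table only): send LAN web traffic arriving on br-lan
    # (assumed) to a local service on port 8080
    $IPT -t nat -A PREROUTING -i br-lan -p tcp --dport 80 -j REDIRECT --to-ports 8080

    # MARK (mangle table): tag packets from one host, e.g. for policy routing
    $IPT -t mangle -A PREROUTING -s 192.168.1.50 -j MARK --set-mark 1
}

# Dry-run helper: count the rules (append or insert) the function issues.
count_rules() {
    ( IPT=echo; apply_target_examples ) | grep -c -e '^-[AI] ' -e '^-t '
}
```

Running IPT=echo sh the-script.sh prints the six rules without touching the kernel, which is also a cheap way to review a rule set before applying it on the router.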

In addition, each built-in chain holds just one rule, a jump into a user-defined chain created by fw3:
delegate_input
delegate_forward
delegate_output

Let's look at these three chains:

Chain delegate_forward (1 references)
target     prot opt source               destination
forwarding_rule  all  --  anywhere             anywhere             /* user chain for forwarding */
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
zone_lan_forward  all  --  anywhere             anywhere
zone_lan_forward  all  --  anywhere             anywhere
zone_wan_forward  all  --  anywhere             anywhere
reject     all  --  anywhere             anywhere

Chain delegate_input (1 references)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere
input_rule  all  --  anywhere             anywhere             /* user chain for input */
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
syn_flood  tcp  --  anywhere             anywhere             tcp flags:FIN,SYN,RST,ACK/SYN
zone_lan_input  all  --  anywhere             anywhere
zone_lan_input  all  --  anywhere             anywhere
zone_wan_input  all  --  anywhere             anywhere

Chain delegate_output (1 references)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere
output_rule  all  --  anywhere             anywhere             /* user chain for output */
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
zone_lan_output  all  --  anywhere             anywhere
zone_lan_output  all  --  anywhere             anywhere
zone_wan_output  all  --  anywhere             anywhere

Each of these chains in turn contains several rules, in a fixed order: first the user chain (input_rule, forwarding_rule, output_rule) where /etc/firewall.user rules land, then an ACCEPT for packets belonging to an established or related connection, then one jump per zone interface (zone_lan_*, zone_wan_*; zone_lan_* appears twice, typically because the lan zone spans two interfaces). Only delegate_forward ends in an explicit reject; the other two let unmatched packets fall back to the zone chains and ultimately the built-in chain's policy.
Note that plain iptables -L hides details: it resolves addresses to names (hence "anywhere") and omits interfaces, which is why the first ACCEPT in delegate_input and delegate_output shows no match at all (it is fw3's loopback rule, -i lo / -o lo). Run iptables -L -v -n --line-numbers to see interfaces, packet counters, numeric addresses and rule positions.
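Because the rest of these notes consist of reading iptables -L listings, here is an added example (not from the original post and not part of fw3) that summarises such a listing with awk: one line per chain giving its name, its policy or reference count, how many rules it holds and the target of its last rule, which shows at a glance whether the chain ends in a terminating target or lets packets fall through to the policy. The sample listing inside it is typed in to mirror the output above, not captured from a router; on a live box pipe iptables -L into summarize_chains instead.

```shell
#!/bin/sh
# Added example (not from the original post or from fw3): summarise an
# `iptables -L` listing. On a router: iptables -L | summarize_chains

# Constructed sample mirroring the chains discussed in the post.
sample_output() {
cat <<'EOF'
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
delegate_input  all  --  anywhere             anywhere

Chain FORWARD (policy DROP)
target     prot opt source               destination
delegate_forward  all  --  anywhere             anywhere

Chain delegate_forward (1 references)
target     prot opt source               destination
forwarding_rule  all  --  anywhere             anywhere             /* user chain for forwarding */
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
zone_lan_forward  all  --  anywhere             anywhere
zone_wan_forward  all  --  anywhere             anywhere
reject     all  --  anywhere             anywhere
EOF
}

# Read a listing on stdin and print one line per chain:
#   <chain> <policy X | N references> <rule count> <target of last rule>
# Built-in chains carry "policy X" in their header, user chains "N references".
summarize_chains() {
    awk '
    function flush() { if (chain != "") printf "%s %s %d %s\n", chain, info, n, last }
    /^Chain /  { flush(); chain = $2; info = $3 " " $4; gsub(/[()]/, "", info); n = 0; last = "-"; next }
    /^target / { next }          # column header line
    NF == 0    { next }          # blank line separating chains
    { n++; last = $1 }           # every other line is one rule; $1 is its target
    END { flush() }
    '
}

# Chains whose last rule is not a terminating target: a packet that matches
# nothing in them falls back to the caller and, eventually, to the policy.
falls_through() {
    summarize_chains | awk '$NF != "reject" && $NF != "REJECT" && $NF != "DROP" { print $1 }'
}

sample_output | summarize_chains
```

In the sample, delegate_forward ends in reject, so the FORWARD policy of DROP is never consulted for traffic that reaches that chain; INPUT and FORWARD themselves end in a jump and are reported by falls_through.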
