Written by arstercz
Using custom chains in iptables
In iptables, the target/jump decides where a packet goes once it matches a rule; the syntax is --jump target or -j target.
Create a custom chain with the -N option:
iptables -N BLOCK
Then use the BLOCK chain as the target of a jump:
iptables -I INPUT 6 -p tcp --dport 80 -i p3p1 -j BLOCK
Listing the rules now shows:
[root@cz ~]# iptables -vnL
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
 230K  118M ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
 2939  247K ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0
 4882  293K ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:8080
   24  1432 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:22
    0     0 BLOCK      tcp  --  p3p1   *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80
38897 3908K REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT 17 packets, 1604 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain BLOCK (1 references)
 pkts bytes target     prot opt in     out     source               destination
With this in place, every packet that matches rule 6 of the INPUT chain jumps into the BLOCK chain. If the packet reaches the end of BLOCK (that is, no rule in that chain matched it), processing returns to the next rule in INPUT. If the packet is ACCEPTed inside the sub-chain, that is the same as being ACCEPTed in the parent chain: it does not pass through the remaining rules of the parent chain. Note, however, that the packet can still be matched by chains in other tables.
Add a rule to the BLOCK chain:
iptables -A BLOCK -p tcp -s 10.1.1.92/32 -i p3p1 --dport 80 -j DROP
Listing the chain again shows:
Chain BLOCK (1 references)
 pkts bytes target     prot opt in     out     source               destination
   18   912 DROP       tcp  --  p3p1   *       10.1.1.92            0.0.0.0/0            tcp dpt:80
The configuration is now complete and can be verified by testing access to the port.
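As an added example (not from the original post), the same setup rendered as iptables commands that are safe to re-run: the chain is created only when it is missing, and every rule is guarded with iptables -C so that repeated runs do not append duplicate rules. A LOG rule in front of each DROP records blocked attempts in the kernel log. Assumed values are the interface p3p1, port 80, chain name BLOCK and jump position 6 from the post; the list of blocked sources is constructed sample data.

```shell
#!/bin/sh
# Added example, not from the original post: render the BLOCK chain setup from
# the post as a list of iptables commands that is safe to re-run. Assumed values:
# interface p3p1, TCP port 80, chain name BLOCK, jump position 6; the blocked
# source addresses are constructed sample data.
# Usage: ./block_chain.sh          prints the commands (dry run)
#        ./block_chain.sh apply    executes them (requires root)

IFACE=p3p1
PORT=80
CHAIN=BLOCK
POS=6                      # position of the jump in INPUT, before the final REJECT
# Constructed sample sources, one per line.
BLOCKED_SRCS="10.1.1.92/32
10.1.1.93/32"

# Print a command that adds a rule only if an identical one is not present.
# "iptables -C" (available since 1.4.11) exits 0 when the rule already exists,
# which keeps repeated runs from appending duplicate rules.
guarded() {
    # $1 = chain to check, $2 = "-I <chain> <pos>" or "-A <chain>", rest = rule spec
    chain=$1; add=$2; shift 2
    printf 'iptables -C %s %s 2>/dev/null || iptables %s %s\n' "$chain" "$*" "$add" "$*"
}

render_rules() {
    # -N fails if the chain already exists, so only create it when listing fails.
    printf 'iptables -nL %s >/dev/null 2>&1 || iptables -N %s\n' "$CHAIN" "$CHAIN"
    # Hook the chain into INPUT exactly as the post does.
    guarded INPUT "-I INPUT $POS" -p tcp --dport "$PORT" -i "$IFACE" -j "$CHAIN"
    # One LOG rule (visibility in the kernel log) followed by one DROP per source.
    printf '%s\n' "$BLOCKED_SRCS" | while read -r src; do
        [ -n "$src" ] || continue
        guarded "$CHAIN" "-A $CHAIN" -p tcp -s "$src" -i "$IFACE" --dport "$PORT" \
            -j LOG --log-prefix "$CHAIN:"
        guarded "$CHAIN" "-A $CHAIN" -p tcp -s "$src" -i "$IFACE" --dport "$PORT" -j DROP
    done
}

case "${1:-}" in
    apply) render_rules | sh -e ;;
    *)     render_rules ;;
esac
```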