iptables in Practice (Part 2): Basic Exercises

1.1 iptables command help

[root@centos6 ~]# iptables -h       # use man iptables for the full details
iptables v1.4.7

Usage: iptables -[ACD] chain rule-specification [options]
       iptables -I chain [rulenum] rule-specification [options]
       iptables -R chain rulenum rule-specification [options]
       iptables -D chain rulenum [options]
       iptables -[LS] [chain [rulenum]] [options]
       iptables -[FZ] [chain] [options]
       iptables -[NX] chain
       iptables -E old-chain-name new-chain-name
       iptables -P chain target [options]
       iptables -h (print this help information)

Commands:
# Both the long and the short option forms can be used
Either long or short options are allowed.
# Append a rule to the specified chain; it is added after the last existing rule
  --append  -A chain                        Append to chain
  --check   -C chain                        Check for the existence of a rule
# Delete the matching rule from the specified chain
  --delete  -D chain                        Delete matching rule from chain
# Delete the rule with the given number from the chain (1 = first)
  --delete  -D chain rulenum                Delete rule rulenum (1 = first) from chain
# Insert a rule into the chain; by default it becomes the first rule, or a position can be given
  --insert  -I chain [rulenum]              Insert in chain as rulenum (default 1=first)
  --replace -R chain rulenum                Replace rule rulenum (1 = first) in chain
# List the rules currently loaded
  --list    -L [chain [rulenum]]            List the rules in a chain or all chains
  --list-rules -S [chain [rulenum]]         Print the rules in a chain or all chains
# Delete all rules; the chain's default policy is left untouched
  --flush   -F [chain]                      Delete all rules in  chain or all chains
# Zero the chain counters (packet and byte counters)
  --zero    -Z [chain [rulenum]]            Zero counters in chain or all chains
# Create a new user-defined chain
  --new     -N chain                        Create a new user-defined chain
# Delete a user-defined chain
  --delete-chain   -X [chain]               Delete a user-defined chain
# Change the chain's default policy
  --policy  -P chain target                 Change policy on chain to target
  --ren  -E  old-chain new-chain    Change chain name, (moving any references)

Options:
# Protocol to match (tcp|udp|icmp)
[!] --proto -p proto    protocol: by number or name, eg. `tcp'
# Source address or network of the traffic
[!] --source    -s address[/mask][...]      source specification
# Destination address or network of the traffic
[!] --destination -d address[/mask][...]    destination specification
# Interface the traffic arrives on (only usable in the INPUT chain)
[!] --in-interface -i input name[+]         network interface name ([+] for wildcard)
# Action to take (ACCEPT|DROP|REJECT)
  --jump -j target   target for rule (may load target extension)
  --goto   -g chain   jump to chain with no return
# Load an extended match module
  --match   -m match    extended match (may load extension)
# Show IP addresses and ports numerically in the rule listing
  --numeric -n      numeric output of addresses and ports
# Interface the traffic leaves on (only usable in the OUTPUT chain)
[!] --out-interface -o output name[+]   network interface name ([+] for wildcard)
# Table to operate on (without -t, the filter table is used)
  --table   -t table    table to manipulate (default: `filter')
# Verbose rule listing
  --verbose -v      verbose mode
# Show each rule's number when listing
  --line-numbers    print line numbers when listing
# Expand numbers (show exact counter values)
  --exact   -x      expand numbers (display exact values)
[!] --fragment  -f      match second or further fragments only
  --modprobe=<command>      try to insert modules using this command
  --set-counters    PKTS BYTES  set the counter during insert/append
# Print the iptables version
  --version   -V      print package version.

1.2 Firewall-related kernel modules

1.2.1 Kernel modules iptables loads by default

[root@centos6 ~]# lsmod | egrep "nat|filter|ipt"
iptable_nat             5923  0
nf_nat                 22676  1 iptable_nat
ip6table_filter         2889  1
ip6_tables             18796  1 ip6table_filter
nf_conntrack_ipv4       9186  5 iptable_nat,nf_nat
nf_conntrack           79537  5 iptable_nat,nf_nat,nf_conntrack_ipv6,nf_conntrack_ipv4,xt_state
iptable_filter          2793  1
ip_tables              17895  2 iptable_nat,iptable_filter
ipt_REJECT              2383  2

1.2.2 Loading the firewall modules into the kernel

# Firewall-related modules
modprobe ip_tables
modprobe iptable_filter
modprobe iptable_nat
modprobe ip_conntrack
modprobe ip_conntrack_ftp
modprobe ip_nat_ftp
modprobe ipt_state          # <- loading this module can be skipped on CentOS 6
[root@centos6 ~]# modprobe nf_conntrack
[root@centos6 ~]# lsmod | egrep "nf"
nf_conntrack_ipv6       7985  3
nf_defrag_ipv6         26468  1 nf_conntrack_ipv6
nf_conntrack           79537  2 nf_conntrack_ipv6,xt_state
ipv6                  336368  267 ip6t_REJECT,nf_conntrack_ipv6,nf_defrag_ipv6

1.2.3 Reading the lsmod output

[Figure 1: explanation of the lsmod output columns]

  • Module descriptions:
Module            Description
ip_tables         Core firewall module; it maintains the rule tables through which the firewall's functions are implemented. Three main functions: packet filtering (filter), NAT, and packet mangling (mangle)
iptable_filter    Packet filtering module; filters and passes packets
iptable_nat       Packet forwarding module; modifies packets so that they can be forwarded (address translation)
ip_conntrack      Mainly used to modify application-layer protocol control packets; its most important role is making NAT work
ip_conntrack_ftp  Module for NAT mapping of the FTP service
ip_nat_ftp        Module for NAT mapping of the FTP service
ipt_state         Firewall state-matching module; loading it is no longer needed on newer CentOS 6 systems

1.3 Testing iptables rules

1.3.1 Starting iptables and checking its status

[root@centos6 ~]# service iptables start
[root@centos6 ~]# /etc/init.d/iptables start
  • Start iptables and check its status
[root@centos6 ~]# service iptables start
[root@centos6 ~]# service iptables status
Table: filter                       # the default table is filter
Chain INPUT (policy ACCEPT)         # the default policy, applied when no rule matches
num  target     prot opt source               destination        
1    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
2    ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0          
3    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0          
4    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:22
5    REJECT     all  --  0.0.0.0/0            0.0.0.0/0           reject-with icmp-host-prohibited
# the rules above belong to the INPUT chain
Chain FORWARD (policy ACCEPT)
num  target     prot opt source               destination        
1    REJECT     all  --  0.0.0.0/0            0.0.0.0/0           reject-with icmp-host-prohibited
# the rules above belong to the FORWARD chain
Chain OUTPUT (policy ACCEPT)
num  target     prot opt source               destination      
# the rules above belong to the OUTPUT chain

1.3.2 Fixing iptables when it fails to start

1.3.2.1 No config file
[Symptom]:

[root@centos6 ~]# service iptables start
iptables: No config file.                                  [WARNING]

[Fix]:

Run setup -> Firewall configuration -> select Enabled

1.3.2.2 The Enabled option cannot be turned on

[Symptom]:

dbus.exceptions.DBusException: org.freedesktop.DBus.Error.FileNotFound: Failed to connect to socket /var/run/dbus/system_bus_socket: No such file or directory

[Fix]:
Start the system bus service; it can also be set to start at boot:

[root@centos6 ~]# dbus-daemon --system
# dbus is a message bus through which applications exchange messages; dbus-daemon is its daemon process
# Add the line dbus-daemon --system at the end of rc.sysinit so that avahi does not fail at system boot.

Character set issues

1.3.3 Clearing the default rules

iptables -F     # delete all rules; the chain's default policy is left untouched
iptables -X     # delete user-defined chains
iptables -Z     # zero the chain counters (packet and byte counters)
  • Clear the rules
[root@test ~]# iptables -F
[root@test ~]# iptables -nL
Chain INPUT (policy ACCEPT)
target     prot opt source               destination        

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination        

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

1.3.4 Configuring deny rules

  • Block the default SSH port 22
[root@centos6 ~]# iptables -t filter -A INPUT -p tcp --dport 22 -j DROP
[root@centos7 ~]# iptables -nvL
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination        
    0     0 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:22

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination        

Chain OUTPUT (policy ACCEPT 3 packets, 456 bytes)
 pkts bytes target     prot opt in     out     source               destination
  • Notes on the command:
  1. iptables defaults to the filter table, so -t filter can be omitted
  2. INPUT and DROP must be written in upper case
  3. -p accepts all, tcp, udp and icmp; the default is all
  4. --jump/-j basic actions: ACCEPT (accept), DROP (discard silently), REJECT (refuse with a response)
  5. Comparison: DROP is preferable to REJECT; a response means the packet was rejected, no response means it was dropped
  6. Rules entered on the command line take effect only in memory and are not persistent
  • Recovering the SSH connection that was just cut off
  1. Go to the server room and reboot, or log in at the console and delete the deny rule
  2. Have the data-center staff reboot the server, or have them log in with the account password
  3. Use the server's remote management card (recommended)
  4. Beforehand, create a cron job that stops the firewall every 5 minutes
  5. Test in a test environment first, then put the rules in a script and run it in batch
# Use -I to insert the port-22 rule in the first position, ahead of the DROP rule

[root@centos6 ~]# iptables -t filter -I INPUT -p tcp --dport 22 -j ACCEPT
[root@centos6 ~]# iptables -nvL
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination        
  123 10872 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:22
    0     0 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:22

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination        

Chain OUTPUT (policy ACCEPT 3 packets, 456 bytes)
 pkts bytes target     prot opt in     out     source               destination
Tip:
On -I versus -A: filtering follows the order of the rules in the chain:
  1. -A appends the rule to the end of the chain, as the last rule
  2. -I inserts the rule at the head of the chain, as the first rule; a position can also be given

-A and -I in production:

When blocking an IP address or adding a policy, use -I: it puts the rule at the top of the list, so the block is evaluated first. With -A the new rule may conflict with an earlier rule, and the IP ends up not being blocked.

  • Deleting redundant rules
  • Method 1: delete by rule number:
[root@centos6 ~]# iptables -D INPUT 2
[root@centos6 ~]# iptables -nL --line-number
Chain INPUT (policy ACCEPT)
num  target     prot opt source               destination        
1    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:22

Chain FORWARD (policy ACCEPT)
num  target     prot opt source               destination        

Chain OUTPUT (policy ACCEPT)
num  target     prot opt source               destination
  • Method 2: delete by restating the rule specification:
[root@centos6 ~]# iptables -t filter -D INPUT -p tcp --dport 22 -j DROP
[root@centos6 ~]# iptables -nL --line-number
Chain INPUT (policy ACCEPT)
num  target     prot opt source               destination        
1    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:22

Chain FORWARD (policy ACCEPT)
num  target     prot opt source               destination        

Chain OUTPUT (policy ACCEPT)
num  target     prot opt source               destination
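The post deletes by rule number with iptables -D INPUT 2; the chain is renumbered after every deletion, so several numbers taken from one listing must be deleted from the highest down. The helper below is an added example, not code from the original post; it reads a listing in the format of iptables -nL INPUT --line-numbers and emits the delete commands in safe order, using a constructed sample listing.

```shell
#!/bin/bash
# Added example (not from the original post). "iptables -D INPUT 2" deletes by number,
# but the chain is renumbered after every deletion, so a set of numbers collected from
# one listing must be deleted from the highest number down. rule_numbers_desc reads a
# listing in the format of "iptables -nL INPUT --line-numbers" on stdin and prints the
# numbers of the rules whose target column matches, highest first.
rule_numbers_desc() {
  local target="$1"
  # Line 1 is "Chain INPUT (...)", line 2 the column header; rule rows start at line 3.
  awk -v t="$target" 'NR > 2 && $2 == t { print $1 }' | sort -rn
}

# Turn those numbers into delete commands, one per line, ready to review or pipe to sh.
delete_commands() {
  local chain="$1" target="$2"
  rule_numbers_desc "$target" | while read -r n; do
    echo "iptables -D $chain $n"
  done
}

# Constructed sample listing (not captured from a real host): DROP rules at 1 and 3.
SAMPLE_LISTING='Chain INPUT (policy ACCEPT)
num  target     prot opt source               destination
1    DROP       tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:23
2    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           multiport dports 22,80
3    DROP       all  --  10.0.0.103           0.0.0.0/0
4    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED'

if [ "${1:-}" = "demo" ]; then
  # Prints "iptables -D INPUT 3" then "iptables -D INPUT 1". Deleting 1 first would
  # have turned the old rule 3 into rule 2, and the second command would hit ACCEPT.
  printf '%s\n' "$SAMPLE_LISTING" | delete_commands INPUT DROP
  # Live use: iptables -nL INPUT --line-numbers | delete_commands INPUT DROP | sh
fi
```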
  • Matching a port range
  • Block all ports from 23 to 80:
[root@centos6 ~]# iptables -A INPUT -p tcp --dport 23:80 -j DROP
[root@centos6 ~]# iptables -nvL
Chain INPUT (policy ACCEPT 29 packets, 2104 bytes)
 pkts bytes target     prot opt in     out     source               destination        
    6   312 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpts:23:80

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination        

Chain OUTPUT (policy ACCEPT 23 packets, 4008 bytes)
 pkts bytes target     prot opt in     out     source               destination
# Check which ports are currently listening
[root@centos6 ~]# netstat -lntup
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address               Foreign Address             State       PID/Program name  
tcp        0      0 0.0.0.0:70                  0.0.0.0:*                   LISTEN      26266/nginx        
tcp        0      0 0.0.0.0:22                  0.0.0.0:*                   LISTEN      1304/sshd          
tcp        0      0 :::70                       :::*                        LISTEN      26266/nginx        
tcp        0      0 :::22                       :::*                        LISTEN      1304/sshd    
# Test the connection
[c:\~]$ telnet 10.0.0.102 70
Connecting to 10.0.0.102:70...
Could not connect to '10.0.0.102' (port 70): Connection failed.
  • Open a selected set of ports:
[root@centos6 ~]# iptables -I INPUT -p tcp -m multiport --dport 22,23,70,80 -j ACCEPT # -m multiport is required
[root@centos6 ~]# iptables -nvL
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination        
   61  4680 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           multiport dports 22,23,70,80
    6   312 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpts:23:80

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination        

Chain OUTPUT (policy ACCEPT 35 packets, 4232 bytes)
 pkts bytes target     prot opt in     out     source               destination
# Test connectivity
[c:\~]$ telnet 10.0.0.102 70
Connecting to 10.0.0.102:70...
Connection established.
To escape to local shell, press 'Ctrl+Alt+]'.
  • Block a network (the 10.0.0.0/24 network)
  • Block by source network:
[root@centos6 ~]# iptables -A INPUT -i eth0 -s 10.0.0.0/24 -j DROP
# From another host, SSH in over the 172.16.1.0 network interface
[root@centos7 ~]# ssh 172.16.1.102
root@172.16.1.102's password:
Last login: Mon Dec  4 17:12:10 2017 from 10.0.0.1
[root@test ~]# iptables -nL --line-number
Chain INPUT (policy ACCEPT)
num  target     prot opt source               destination        
1    DROP       all  --  10.0.0.0/24          0.0.0.0/0           

Chain FORWARD (policy ACCEPT)
num  target     prot opt source               destination        

Chain OUTPUT (policy ACCEPT)
num  target     prot opt source               destination
  • Block by destination network:
[root@centos6 ~]# iptables -A INPUT -i eth0 -d 10.0.0.0/24 -j DROP
# From another host, SSH in over the 172.16.1.0 network interface
[root@centos7 ~]# ssh 172.16.1.102
root@172.16.1.102's password:
Last login: Mon Dec  4 17:12:10 2017 from 10.0.0.1
[root@test ~]# iptables -nL --line-number
Chain INPUT (policy ACCEPT)
num  target     prot opt source               destination        
1    DROP       all  --  0.0.0.0/0            10.0.0.0/24         

Chain FORWARD (policy ACCEPT)
num  target     prot opt source               destination        

Chain OUTPUT (policy ACCEPT)
num  target     prot opt source               destination
  • Block a single IP
  • Block on the inbound interface:
[root@centos6 ~]# iptables -A INPUT -i eth0 -s 10.0.0.103 -j DROP
[root@centos6 ~]# iptables -nL --line-number
Chain INPUT (policy ACCEPT)
num  target     prot opt source               destination        
1    DROP       all  --  10.0.0.103           0.0.0.0/0           

Chain FORWARD (policy ACCEPT)
num  target     prot opt source               destination        
Chain OUTPUT (policy ACCEPT)
num  target     prot opt source               destination 
# Test from the blocked IP
[root@centos7 ~]# ping 10.0.0.102
PING 10.0.0.102 (10.0.0.102) 56(84) bytes of data.
^C
--- 10.0.0.102 ping statistics ---
543 packets transmitted, 0 received, 100% packet loss, time 542269ms
  • Block on the outbound interface:
[root@centos6 ~]# iptables -A OUTPUT -o eth0 -s 10.0.0.102 -j DROP
# From another host, SSH in over the 172.16.1.0 network interface
[root@centos7 ~]# ssh 172.16.1.102
root@172.16.1.102's password:
Last login: Mon Dec  4 17:12:10 2017 from 10.0.0.1
[root@centos7 ~]# iptables -nvL
Chain INPUT (policy ACCEPT 64 packets, 7751 bytes)
 pkts bytes target     prot opt in     out     source               destination        

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination        

Chain OUTPUT (policy ACCEPT 36 packets, 5549 bytes)
 pkts bytes target     prot opt in     out     source               destination        
   27  3220 DROP       all  --  *      eth0    10.0.0.102           0.0.0.0/0
  • Block everything except the 10.0.0.0/24 network
[root@centos6 ~]# iptables -A INPUT ! -s 10.0.0.0/24 -j DROP
[root@centos6 ~]# iptables -vnL
Chain INPUT (policy ACCEPT 9 packets, 664 bytes)
 pkts bytes target     prot opt in     out     source               destination        
    4   240 DROP       all  --  *      *      !10.0.0.0/24          0.0.0.0/0          

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination        

Chain OUTPUT (policy ACCEPT 7 packets, 728 bytes)
 pkts bytes target     prot opt in     out     source               destination
Tip: on CentOS 5 the "!" goes between the option and the network, i.e. "-s ! 10.0.0.0/24"
  • Block ping to the host
[root@centos6 ~]# iptables -A INPUT -p icmp -j DROP
[root@centos6 ~]# iptables -vnL
Chain INPUT (policy ACCEPT 8 packets, 576 bytes)
 pkts bytes target     prot opt in     out     source               destination        
    0     0 DROP       icmp --  *      *       0.0.0.0/0            0.0.0.0/0          

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination        

Chain OUTPUT (policy ACCEPT 5 packets, 584 bytes)
 pkts bytes target     prot opt in     out     source               destination
# Test
[c:\~]$ ping 10.0.0.102
正在 Ping 10.0.0.102 具有 32 字节的数据:
请求超时。
请求超时。
  • Allow a single IP to ping the host
[root@centos6 ~]# iptables -I INPUT -i eth0 -s 10.0.0.1 -p icmp --icmp-type 8 -j ACCEPT
[root@centos6 ~]# iptables -vnL
Chain INPUT (policy ACCEPT 6 packets, 432 bytes)
 pkts bytes target     prot opt in     out     source               destination        
    0     0 ACCEPT     icmp --  eth0   *       10.0.0.1             0.0.0.0/0           icmp type 8
  133 11100 DROP       icmp --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination        

Chain OUTPUT (policy ACCEPT 4 packets, 576 bytes)
 pkts bytes target     prot opt in     out     source               destination 
# Test
[c:\~]$ ping 10.0.0.102
正在 Ping 10.0.0.102 具有 32 字节的数据:
来自 10.0.0.102 的回复: 字节=32 时间<1ms TTL=64
来自 10.0.0.102 的回复: 字节=32 时间<1ms TTL=64

[root@centos7 ~]# ping 10.0.0.102
PING 10.0.0.102 (10.0.0.102) 56(84) bytes of data.
^C
--- 10.0.0.102 ping statistics ---
543 packets transmitted, 0 received, 100% packet loss, time 542269ms
Tip: only ICMP type 8 actually affects ping; any can also be used;
ICMP types:
0 Echo Reply (ping reply)
8 Echo Request (ping request)
More ICMP types: http://www.cnitblog.com/yang55xiaoguang/articles/59581.html
  • Matching connection state
[root@centos6 ~]# iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
[root@centos6 ~]# iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
[root@centos6 ~]# iptables -nL --line-number
Chain INPUT (policy ACCEPT)
num  target     prot opt source               destination        
1    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED

Chain FORWARD (policy ACCEPT)
num  target     prot opt source               destination        

Chain OUTPUT (policy ACCEPT)
num  target     prot opt source               destination        
1    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
Tip: state rules are needed in both directions, inbound and outbound.
  • Connection state parameter details (from the iptables man page):
state

[!] --state state

This module, when combined with connection tracking, allows access to the connection tracking state for this packet. state is a comma separated list of the connection states to match:

INVALID meaning that the packet could not be identified for some reason which includes running out of memory and ICMP errors which don't correspond to any known connection; that is, an invalid or illegitimate connection state.

ESTABLISHED meaning that the packet is associated with a connection which has seen packets in both directions; that is, an established session.

NEW meaning that the packet has started a new connection, or otherwise associated with a connection which has not seen packets in both directions; that is, a session being newly established.

RELATED meaning that the packet is starting a new connection, but is associated with an existing connection, such as an FTP data transfer, or an ICMP error; that is, a further connection opened on top of an established session.

  • Rate-limiting matches
[root@centos6 ~]# iptables -I INPUT -s 10.0.0.0/24 -p icmp --icmp-type 8 -m limit --limit 6/min --limit-burst 5 -j ACCEPT
[root@centos6 ~]# iptables -nvL
Chain INPUT (policy ACCEPT 32 packets, 2352 bytes)
 pkts bytes target     prot opt in     out     source               destination        
    0     0 ACCEPT     icmp --  *      *       10.0.0.0/24          0.0.0.0/0           icmp type 8 limit: avg 6/min burst 5

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination        

Chain OUTPUT (policy ACCEPT 19 packets, 1800 bytes)
 pkts bytes target     prot opt in     out     source               destination
  • Notes on the command:
  1. -m limit --limit n/{second|minute|hour}: allow n matching packets per time unit (second, minute or hour)
  2. --limit-burst 5: the number of matching packets allowed through at once; the default is 5
  • How it works:

Once the number of matching packets reaches the burst limit of 5 (--limit-burst 5), further matches are limited to 6 per minute (-m limit --limit 6/min), which rate-limits that traffic.
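The script below is an added example and not code from the original post. It combines the lessons of 1.3.4 (rule order with -A and -I, the SSH lock-out and its recovery options, multiport, the state match and the ICMP limit match): it rebuilds the INPUT chain in one ordered pass, checks the order first, and arms a rollback timer that restores the previous rules unless cancelled. The management network, public ports, rollback delay and pid file path are assumed values.

```shell
#!/bin/bash
# Added example, not from the original post. Rule order decides the outcome: the state
# match comes first, explicit allows follow, the limit match caps ping, and the catch-all
# DROP is last. Because a wrong rule cuts off SSH, the running rules are snapshotted and
# a rollback timer restores them unless the administrator cancels it after confirming
# that SSH still works.
# Assumed values (constructed): management network 10.0.0.0/24, public TCP ports 80,443.
MGMT_NET="${MGMT_NET:-10.0.0.0/24}"
PUBLIC_PORTS="${PUBLIC_PORTS:-80,443}"
ROLLBACK_SECS="${ROLLBACK_SECS:-300}"
IPT="${IPT:-iptables}"                 # IPT=echo prints the rules instead of loading them
PIDFILE="${PIDFILE:-/var/run/ipt-rollback.pid}"

# One iptables argument list per line, in the order the INPUT chain must end up in.
# -A is used throughout on a freshly flushed chain, so listing order equals this order.
input_rules() {
  cat <<EOF
-F INPUT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m state --state INVALID -j DROP
-A INPUT -i lo -j ACCEPT
-A INPUT -s $MGMT_NET -p tcp --dport 22 -m state --state NEW -j ACCEPT
-A INPUT -p tcp -m multiport --dports $PUBLIC_PORTS -m state --state NEW -j ACCEPT
-A INPUT -p icmp --icmp-type 8 -m limit --limit 6/min --limit-burst 5 -j ACCEPT
-A INPUT -j DROP
EOF
}

# Guard against the ordering mistake the post warns about: the state rule must precede
# the catch-all DROP, and the catch-all must be the last rule. Returns 0 when correct.
check_order() {
  local rules state_line drop_line total
  rules=$(input_rules)
  state_line=$(printf '%s\n' "$rules" | grep -n 'ESTABLISHED,RELATED' | cut -d: -f1)
  drop_line=$(printf '%s\n' "$rules" | grep -n '^-A INPUT -j DROP$' | cut -d: -f1)
  total=$(printf '%s\n' "$rules" | wc -l)
  [ -n "$state_line" ] && [ -n "$drop_line" ] &&
    [ "$state_line" -lt "$drop_line" ] && [ "$drop_line" -eq "$total" ]
}

# Snapshot the running rules, load the new chain, and arm the rollback timer.
apply_with_rollback() {
  local backup
  check_order || { echo "rule order check failed, nothing applied" >&2; return 1; }
  backup=$(mktemp) || return 1
  iptables-save > "$backup"
  # Splitting each line into separate arguments is intended here.
  input_rules | while read -r line; do $IPT $line; done
  ( sleep "$ROLLBACK_SECS" && iptables-restore < "$backup" ) &
  echo $! > "$PIDFILE"
  echo "rules loaded; if SSH still works, run: kill \$(cat $PIDFILE) && service iptables save"
}

if [ "${1:-}" = "apply" ]; then
  apply_with_rollback
fi
```

Running the script with the argument apply loads the rules; the final service iptables save addresses note 6 above, since rules entered on the command line are otherwise lost at the next restart.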

Note: this article was last updated on 2022-12-20 20:57:51 and has not been updated for more than 431 days. Some articles are time-sensitive; if the content or image resources are wrong or no longer available, please contact the site owner. Thank you!
When reposting, please cite this link: https://blog.leonshadow.cn/763482/798.html