Default environment

  1. Check which iptables tables are loaded. Currently only the filter table module (iptable_filter) is loaded; the nat and mangle tables are not in use.
    [root@kvm8 ~]# lsmod | grep ip_tables
    ip_tables              17831  1 iptable_filter
    
  2. Use the -L option of iptables to inspect the rules in place after the iptables service starts. The filter table has three chains, INPUT, FORWARD and OUTPUT, and the default policy of each is ACCEPT. Note that iptables -L without -v hides interface matches, so the third INPUT rule below (ACCEPT all anywhere anywhere) looks like an allow-all but is in fact the loopback rule (-i lo); use iptables -L -n -v or iptables -S to see the full match criteria.
    [root@kvm8 ~]# iptables -L
    Chain INPUT (policy ACCEPT)
    target     prot opt source           destination       
    ACCEPT     all  --  anywhere         anywhere          state RELATED,ESTABLISHED 
    ACCEPT     icmp --  anywhere         anywhere          
    ACCEPT     all  --  anywhere         anywhere          
    ACCEPT     tcp  --  anywhere         anywhere          state NEW tcp dpt:ssh 
    REJECT     all  --  anywhere         anywhere          reject-with icmp-host-prohibited 
    
    Chain FORWARD (policy ACCEPT)
    target     prot opt source           destination       
    REJECT     all  --  anywhere         anywhere          reject-with icmp-host-prohibited 
    
    Chain OUTPUT (policy ACCEPT)
    target     prot opt source           destination
    
  3. Although the default policy of the INPUT and FORWARD chains is ACCEPT, the last rule in each chain REJECTs every packet, from anywhere to anywhere on any port, answering the sender with an ICMP host-prohibited message. Because rules are evaluated top to bottom and the first match decides, any packet that matches none of the accept rules above it hits this final REJECT, which achieves the same goal as a default-deny policy: "packets that do not match an accept rule are refused". The difference matters operationally: the chain policy only applies when no rule matches, so if the rules are flushed (iptables -F) while the policy is still ACCEPT, the host accepts everything; setting the policy to DROP avoids that failure mode. The OUTPUT chain has no rules at all, so its ACCEPT policy allows all outbound traffic.
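The first-match evaluation described above, as an added example that is not part of the original page or of iptables itself: a small Python model of the listed INPUT chain that walks the rules top to bottom and falls back to the chain policy only when nothing matches. The rule set reproduces the listing in iptables -S form; the -i lo match on the third rule is an assumption (iptables -L without -v does not show it), and the packets are constructed test inputs. Flushing the chain shows why the final REJECT rule and a DROP policy are not equivalent.

```python
"""First-match evaluation of the default RHEL/CentOS 6 style INPUT chain.

Added example: a simplified model of how iptables walks a chain, not
iptables itself. The rules approximate what `iptables -S INPUT` prints for
the listing above. The `-i lo` match on rule 3 is an assumption, since
`iptables -L` without -v hides interface matches.
"""
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Packet:
    proto: str            # "tcp", "udp" or "icmp"
    dport: Optional[int]  # destination port, None for icmp
    state: str            # conntrack state: "NEW", "ESTABLISHED" or "RELATED"
    in_iface: str = "eth0"  # constructed default: traffic arriving from the network


@dataclass
class Rule:
    target: str                       # ACCEPT, REJECT or DROP (all terminating)
    proto: Optional[str] = None       # None matches any protocol ("all")
    dport: Optional[int] = None       # None: no --dport match
    states: Optional[set] = None      # None: no -m state match
    in_iface: Optional[str] = None    # None: any interface

    def matches(self, pkt: Packet) -> bool:
        if self.proto is not None and pkt.proto != self.proto:
            return False
        if self.dport is not None and pkt.dport != self.dport:
            return False
        if self.states is not None and pkt.state not in self.states:
            return False
        if self.in_iface is not None and pkt.in_iface != self.in_iface:
            return False
        return True


@dataclass
class Chain:
    policy: str
    rules: list = field(default_factory=list)


def evaluate(chain: Chain, pkt: Packet):
    """Walk the chain top to bottom. The first matching rule decides and its
    1-based index is returned; only if no rule matches does the chain policy
    apply, in which case the index is None."""
    for idx, rule in enumerate(chain.rules, start=1):
        if rule.matches(pkt):
            return rule.target, idx
    return chain.policy, None


# Equivalent of the listed default INPUT chain (policy ACCEPT).
DEFAULT_INPUT = Chain("ACCEPT", [
    Rule("ACCEPT", states={"RELATED", "ESTABLISHED"}),      # -m state --state RELATED,ESTABLISHED
    Rule("ACCEPT", proto="icmp"),                           # -p icmp
    Rule("ACCEPT", in_iface="lo"),                          # -i lo (assumed; hidden by iptables -L)
    Rule("ACCEPT", proto="tcp", dport=22, states={"NEW"}),  # -p tcp -m state --state NEW --dport 22
    Rule("REJECT"),                                         # -j REJECT --reject-with icmp-host-prohibited
])


def flushed(chain: Chain) -> Chain:
    """Model `iptables -F INPUT`: the rules are gone, the policy is unchanged."""
    return Chain(chain.policy, [])


def with_policy(chain: Chain, policy: str) -> Chain:
    """Model `iptables -P INPUT <policy>` on the same rule list."""
    return Chain(policy, list(chain.rules))


if __name__ == "__main__":
    probes = {
        "new ssh from eth0": Packet("tcp", 22, "NEW"),
        "new http from eth0": Packet("tcp", 80, "NEW"),
        "new http from lo": Packet("tcp", 80, "NEW", "lo"),
        "established http": Packet("tcp", 80, "ESTABLISHED"),
        "icmp echo": Packet("icmp", None, "NEW"),
    }
    for name, pkt in probes.items():
        print(f"{name:22s} -> {evaluate(DEFAULT_INPUT, pkt)}")
    print("flushed, policy ACCEPT, new http ->",
          evaluate(flushed(DEFAULT_INPUT), probes["new http from eth0"]))
    print("flushed, policy DROP,   new http ->",
          evaluate(flushed(with_policy(DEFAULT_INPUT, "DROP")), probes["new http from eth0"]))
```

The returned index makes it easy to see which rule decided: new HTTP from the network is refused by rule 5 (the final REJECT), not by the policy, and the same packet is accepted by the policy once the rules are flushed, which is the case a DROP policy guards against.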