iptables multiport

Alibabacloud.com offers a wide variety of articles about iptables multiport, easily find your iptables multiport information here online.

Common iptables configuration rules

.org -j ACCEPT
iptables -A Filter -d img.cn99.com -j ACCEPT
iptables -A Filter -j DROP
Open some ports of an IP address, and other ports are closed
iptables -A Filter -p tcp --dport 80 -s 192.168.100.200 -d www.pconline.com.cn -j ACCEPT
iptables -A Filter -p tcp --dport 25 -s 192.168.100.200 -j ACCEPT

Basic and Application of iptables (1)

be compared to a single port or a range, for example, --sport 22:80, indicating that the ports from 22 to 80 all qualify. To compare multiple non-consecutive ports, you must use the --multiport parameter. For more information, see the following section. You can use the ! operator when comparing the port number to perform a reverse comparison. Parameter --dport, --destination-port Example iptables -A INPU

Common iptables commands

used to match the packet; can match a single port or a range, for example: --sport 22:80. It indicates that ports 22 to 80 are both qualified. If you want to match multiple discontinuous ports, you must use the --multiport parameter. For more information, see the following section. You can use the ! operator when matching the port number for reverse matching. Parameter --dport, --destination-port Example iptables

Linux Iptables Learning

makes a reverse comparison, for example: -s ! 192.168.0.0/24. Parameter -d, --dst, --destination Example iptables -A INPUT -d 192.168.1.1 Description: used to compare the destination IP of the packet; it is set the same way. Parameter -i, --in-interface Example iptables -A INPUT -i eth0 Description: used to match the network card through which the packet enters; you can use the wildcard character + to widen the match, for exampl

The implementation of firewalls in Linux systems: Iptables/netfilter

write to multiple discrete ports or multiple sets of contiguous ports, with a maximum limit of 15 sets of ports; each port range occupies two ports. Protocols that can be supported: TCP, UDP, UDPLite, DCCP, SCTP. Related options: [!] --source-ports, --sports port[,port|,port:port]... [!] --destination-ports, --dports port[,port|,port:port]... [!] --ports port[,port|,port:port]... --dports 22,80,3306 -j ACCEPT Exam

Use iptables to build a Linux Firewall (1)

eth+ indicates all ethernet network cards. You can also use the ! operator to perform a reverse comparison, for example, -i ! eth0. Parameter -o, --out-interface Example iptables -A FORWARD -o eth0 Specifies the network card from which the packet is sent. Parameter --sport, --source-port Example iptables -A INPUT -p tcp --sport 22 It indicates that the source port number of the packet can be compared to a single por

Linux Firewall iptables Command detailed

pass. You can use the --fragment/-f option to specify the second and subsequent IP fragments to resolve the above problem.
# iptables -A FORWARD -f -s 192.168.1.0/24 -d 192.168.2.100 -j ACCEPT
Note: There are now many instances of IP fragmentation attacks, such as DoS attacks, so allowing IP fragments to pass is a security risk, which can be limited by iptables matching extensions. Set the rule match for the exten

Iptables Detailed Tutorial

continuous set of IP addresses) For example:
iptables -t nat -A PREROUTING -i ppp0 -p tcp --dport 80 -j DNAT --to 192.168.0.1
Change the destination address of packets that access TCP/80 from ppp0 to 192.168.0.1
iptables -t nat -A PREROUTING -i ppp0 -p tcp --dport 81 -j DNAT --to 192.168.0.2:80
iptables -t nat -A PREROUTING -i ppp0 -p tcp --dport 80 -j DNAT --to 192.168.0.1

What is Iptables?

(policy ACCEPT)
target prot opt source destination
ACCEPT tcp -- 192.168.1.0/24 192.168.1.234 tcp dpt:http
ACCEPT tcp -f 192.168.1.0/24 192.168.1.234 tcp dpt:http
Chain OUTPUT (policy ACCEPT)
target prot opt source destination

Set the extended rule matching (for a brief description of a match, use iptables -m name_of_match --help). Multi-port matching extension:

Skill--iptables (iii)

tcp -m tcp ! --sport 22 -j ACCEPT
Case FIVE: Examples of multiport extension modules
1) Use the multiport module to reject the two ports 101 and 102:
iptables -I INPUT -s 192.168.1.101 -p udp -m multiport --sports 101,102 -j REJECT
2) Use the multiport module to reject the two ports 22 and 80:
ipt

Linux Firewall Iptables Instances

action is ignored)
1. Multi-port matching.
1) Match multiple source ports.
# iptables -A INPUT -p tcp -m multiport --sports 22,53,80,110
2) Match multiple destination ports.
# iptables -A INPUT -p tcp -m multiport --dports 22,53,80
3) Match multiple ports (either source port or destination port

Use of iptables extensions

bm|kmp specifies the algorithm, bm or kmp. --string "STRING" specifies the string itself.
iptables -A INPUT -p tcp -m multiport --dports 110,80,25,445,1863,5222 -j ACCEPT
iptables -A INPUT -p tcp -s 172.16.0.0/16 --dport 139 -j ACCEPT
# Allow DNS resolution. If a DNS server (forwarder) is configured on the intranet, only the IP address of the forwarder can be used. Modify the IP address (-s IP address) on your o

Build a firewall instance using Linux + iptables

, and multiport... Target (common actions):
Target: description
ACCEPT
DROP: dropped data packets
RETURN: return directly without comparison
QUEUE: sends the data packet to a user-space application for processing
SNAT: nat: translation of the source address
DNAT: nat: translation of the address
MASQUERADE: dedicated for NAT: translation source address becomes Nic Mac
REDIRECT: dedicated for NAT: a port transferred to the local machine
Use /etc/rc.d/init.d/

Linux Note Firewall iptables Getting Started

)
num target prot opt source destination
Chain FORWARD (policy ACCEPT)
num target prot opt source destination
Chain OUTPUT (policy ACCEPT)
num target prot opt source destination
You can see that the rule has been deleted.
5. Prohibit a network segment, such as 10.10.10.0/24, from accessing my eth0 network card:
# iptables -A INPUT -i eth0 -s 10.10.10.0/24 -j DROP
# iptables -L -n
Chain

Iptables summary, iptables Summary

custom empty chain. ⑤ Use of extension options. E.g.: for HTTP service requests, the connection status of the 192.168.5.1 server segment is controlled.
iptables -A INPUT -d 192.168.5.1 -p tcp --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -s 192.168.5.1 -p tcp --sport 80 -m state --state ESTABLISHED -j ACCEPT
// The server responds to the NEW and ESTABLISHED packets of the INPUT server. The OUTPUTo

Android-iptables Common commands: androidiptables

used to compare the packets. It can be compared to a single port or a range, for example, --sport 22:80, which indicates that ports in the range from 22 to 80 all qualify. To compare multiple ports that are not consecutive, you must use the --multiport parameter. For details, see the following section. You can use the ! operator when comparing the port number to perform a reverse comparison. Parameter --dport, --destination-port

Use iptables to restrict specified ip addresses to access the specified port and website

--to-destination 192.168.100.2:500
iptables -t nat -A PREROUTING -p udp --dport 4500 -d $INTERNET_ADDR -j DNAT --to-destination 192.168.100.2:4500
NAT of the FTP server
iptables -I PFWanPriv -p tcp --dport 21 -d 192.168.100.200 -j ACCEPT
iptables -t nat -A PREROUTING -p tcp --dport 21 -d $INTERNET_ADDR -j DNAT --to-destination 192.168.100.200:21
Only access to the s

Common iptables commands

to 80 are qualified. To compare multiple ports that are not consecutive, you must use the --multiport parameter. For details, see the following section. You can use the ! operator when comparing the port number to perform a reverse comparison. Parameter --dport, --destination-port Example iptables -A INPUT -p tcp --dport 22 Indicates the destination port number used to compare the packets. The setting meth

The Iptables firewall allows only the specified IP connection to specify the port, access the specified Web site

iptables -A filter -p tcp --dport 53 -j ACCEPT
iptables -A filter -d www.3322.org -j ACCEPT
iptables -A filter -d img.cn99.com -j ACCEPT
iptables -A filter -j DROP
Open some ports for one IP, others are closed
iptables -A filter -p tcp --dport 80 -s 192.168.100.200 -d www.pconline.com

Instructions on iptables

iptables -A INPUT -d 192.168.1.1 Description: used to compare the destination IP address of the packet. The setting method is the same as above. Parameter -i, --in-interface Example iptables -A INPUT -i eth0 Description: used to compare the network card through which the packet enters. You can use the wildcard character + to match a wider range. For example, -i eth+ indicates all ethernet network cards.
