can only be used for the OUTPUT and POSTROUTING chains)
Protocol: -p tcp/udp; --sport source port number; --dport destination port number; for ICMP, --icmp-type
Module: -m module name and its parameters
Action (-j):
ACCEPT accepts the packet
DROP drops the packet; REJECT is basically the same as DROP, except that in addition to blocking the packet it returns an error message to the sender
SNAT source address translation
DNAT destination address translation
REDIRECT redirection
The orde
Tags: LINUX iptables
The main categories of firewalls are: 1. NetFilter 2. TCP Wrappers 3. Proxy
Packet filtering software for Linux: iptables. The order of the rules is very important.
Three tables: filter, nat, mangle. Five chains: INPUT, OUTPUT, FORWARD, PREROUTING, POSTROUTING.
Viewing and purging rules:
iptables [-t tables] [-L] [-nv]
-t: nat/filter
-L: list the current rules
-n: do not reverse-resolve IP addresses, so the listing is faster
-v: list more information
iptables-save [-t tables]   # list the complete firewall rules
iptables [-t tables] [-FXZ]
-F: clear all rules that have been defined
-X: remove all user-defined chains
-Z: zero the counters and traffic statistics of all chains
Defi
more suitable for desktop systems or general-purpose servers. It enables the connection-state mechanism so that outbound communication works normally. Modify the /etc/sysconfig/iptables file:
*raw
# disable connection tracking for these TCP ports, to solve connection failures caused by a full ip_conntrack table
-A PREROUTING -p tcp -m tcp --dport 80 -j NOTRACK
-A PREROUTING -p tcp -m tcp --dport 22 -j NOTRACK
-A PREROUTING -p tcp -m tcp --dport 21 -j NOTRACK
-A PREROUTING -p tcp -m tcp --dport 11211 -j NOTRACK
-A PREROUTING -p tcp -m tc
often changed. Maybe one day you want to add a class definition to this DLL. Maybe you think that is fine; the point is that we are going to call this DLL from another assembly, and our program has to be able to adapt to changes in the DLL, which means that even if you change the definitions in the DLL file, we should not need to change our assembly. At this point we are dealing with an unknown DLL. What are we going to do? Again, the reflection mechanism helps us, and we can do it through reflection. To be
(1) namespace ClassLibrarySport
{
    public abstract class Sport
    {
        protected string name;
        public abstract string GetName();
        public abstract string GetDuration();
    }
}
========================================================== ==============
(2) namespace ClassLibrarySomeSports // This project adds a reference to (1)
{
    public class Foot
our request command is as follows: iptables -P FORWARD DROP. If you look at it again with iptables -L, you will see that the default policy has changed.
First, an explanation of the parameters -X, -Z, -F and -L: -F purges the rules, -X removes the user-defined chains, -Z zeroes the chain's packet and byte counters. In general, when you create access rules, the old rules are cleared first. This is a good habit, because existing rules can affect the rules you build.
Basic syntax: [-i interface] [-p tcp,udp,icmp,all] [-s ip/network]
is not allowed to pass. This setting is quite reasonable; of course, you can also set all three chains to DROP, but I think it is not necessary, and the number of rules you have to write increases. But if you only need a few restricted rules, for example on a machine that is only a web server, it is recommended to set all three chains to DROP.
Note: if you are logged in remotely via SSH, you will be cut off as soon as you enter the first command, because you have not set any rules yet. What to do then? Go to the machine and operate it locally!
(4) Add a rule. First
chains.
If you do not specify the -o parameter, packets sent out through any available interface on the system can match the rule.
You can also use the long form of the parameter, --out-interface.
4. Other firewall parameter options
Some of the firewall parameters above also have their own options, which are used together with them. Here are some common options. To use these options, you need to specify a parameter such as "-p tcp" (or "-p udp") in the rule; for example, to use the "--
name]
-L: list rules
-v: display details, including the number of packets and bytes matched by each rule
-x: on top of -v, disable automatic unit conversion (K, M)
-n: display only IP addresses and port numbers, not domain names or service names
For example:
iptables -L
gives a rough listing of all chains and all rules of the filter table
iptables -t nat -vnL
lists all the rules of all chains in the nat table in detail, showing only IP addresses and
protocol stack meets expectations. A TCP exchange has only two ends: one end uses system calls to perform the real stack behaviour, the other end is the packets we construct. The common scenarios are mainly the server scenario and the client scenario. Server scenario:
In the server scenario the server side uses system calls (that is, a user-space program), while the client side is a scapy-constructed packet.
Here we construct a simple three-way handshake and send data to the server side. To prevent Linux
fi
if [ -f /usr/local/httpd-err/iptables.http ]; then
    sh /usr/local/httpd-err/iptables.http
fi
# 4. some types of ICMP packets are allowed in. We usually leave out ICMP type 8 so that a remote host cannot tell whether this host exists: it will not respond to ping
AICMP="0 3 3/4 4 11 12 14 16 18"
for tyicmp in $AICMP
do
    iptables -A INPUT -i $EXTIF -p icmp --icmp-type $tyicmp -j ACCEPT
done
# 5. allow access to some services. Please enable
iptables -A INPUT -
the __init__ when the data attribute is accessed, it will be looked up there and no error occurs.
Adding and deleting class attributes
class Student(object):
    ability = 'Excellent'

    def __init__(self, name, score):
        self.name = name
        self.score = score

    def ask_questions(self):
        print('{0} is asking a math question'.format(self.name))

    def examination(self):
        print('{0} exam results are {1}'.format(self.name, self.score))

student1 = Student('xiaoming', 90)  # instantiation of a class instance
print
connections with netstat:
# time netstat -ant | grep EST | wc -l
3100
real 0m12.960s
user 0m0.334s
sys 0m12.561s
# time ss -o state established | wc -l
3204
real 0m0.030s
user 0m0.005s
sys 0m0.026s
The result clearly shows that ss counts concurrent connections far more efficiently than netstat. When ss can do the job, would you still choose netstat? If you still hesitate, look at the following examples, or jump to the help page.
Common ss commands:
ss -l        show all ports open locally
ss -pl       show the specific sockets opened by each process
ss -t -a     display all TCP sock
secure. At this point your machine is effectively without a network: if you ping localhost you will find the screen just sits there, because ping cannot receive any response.
4. Add rules
Run the following command:
iptables -A INPUT -i ! ppp0 -j ACCEPT
This rule accepts all data that does not arrive on the network interface ppp0 (the "!" negates the interface match). Assume that you have two network interfaces: eth0 is connected to the LAN, and lo is the loopback network (localhost). ppp0 is the Internet interface used for Internet access t
, INPUT and OUTPUT will certainly be used in this case; PREROUTING and FORWARD are used only when the server forwards traffic for others.)
It is assumed that the six doors are closed by default. Generate the following code.
*nat
:PREROUTING DROP [0:0]
:OUTPUT DROP [0:0]
:POSTROUTING DROP [0:0]
-F
-Z
-X
### statements added later go here
-L -v
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-F
-Z
-X
### statements added later go here
-L -v
COMMIT
-P.
2. After the policy has been set to DROP with -P, be careful when using -F!!!
3. If no chain name is specified, all rules in all chains of the table are cleared by default.
3.2.6 -[vxn]L
-L [chain name]: list rules
-v: display details, including the number of packets and bytes matched by each rule
-x: on top of -v, disable automatic unit conversion (K, M)
-n: display only IP addresses and port numbers, not domain names or service names
For example:
iptables -L
A rough
machine is effectively without a network. If you ping localhost, you will find the screen just sits there, because ping cannot receive any response.
4. Add rules
Run the following command:
iptables -A INPUT -i ! ppp0 -j ACCEPT
This rule accepts all data that does not arrive on the network interface ppp0 (the "!" negates the interface match).
Assume that you have two network interfaces: eth0 is connected to the LAN, and lo is the loopback network (localhost). ppp0 is the Internet interface used for Internet access through ADSL. If you are no