您查看的文章来源于http://www.oklinux.cn
SuSE Linux 默认的iptables防火墙配置,你看的懂吗?
Chain INPUT (policy DROP)
target prot opt source destination
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere state RELATED,ESTAB LISHED
input_ext all -- anywhere anywhere
input_ext all -- anywhere anywhere
LOG all -- anywhere anywhere limit: avg 3/min bu rst 5 LOG level warning tcp-options ip-options prefix `SFW2-IN-ILL-TARGET '
DROP all -- anywhere anywhere
Chain FORWARD (policy DROP)
target prot opt source destination
LOG all -- anywhere anywhere limit: avg 3/min bu rst 5 LOG level warning tcp-options ip-options prefix `SFW2-FWD-ILL-ROUTING '
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere state NEW,RELATED,E STABLISHED
LOG all -- anywhere anywhere limit: avg 3/min bu rst 5 LOG level warning tcp-options ip-options prefix `SFW2-OUT-ERROR '
Chain forward_ext (0 references)
target prot opt source destination
Chain input_ext (2 references)
target prot opt source destination
DROP all -- anywhere anywhere PKTTYPE = broadcast
ACCEPT icmp -- anywhere anywhere icmp source-quench
ACCEPT icmp -- anywhere anywhere icmp echo-request
ACCEPT icmp -- anywhere anywhere state RELATED,ESTAB LISHED icmp echo-reply
ACCEPT icmp -- anywhere anywhere state RELATED,ESTAB LISHED icmp destination-unreachable
ACCEPT icmp -- anywhere anywhere state RELATED,ESTAB LISHED icmp time-exceeded
ACCEPT icmp -- anywhere anywhere state RELATED,ESTAB LISHED icmp parameter-problem
ACCEPT icmp -- anywhere anywhere state RELATED,ESTAB LISHED icmp timestamp-reply
ACCEPT icmp -- anywhere anywhere state RELATED,ESTAB LISHED icmp address-mask-reply
ACCEPT icmp -- anywhere anywhere state RELATED,ESTAB LISHED icmp protocol-unreachable
ACCEPT icmp -- anywhere anywhere state RELATED,ESTAB LISHED icmp redirect
LOG tcp -- anywhere anywhere limit: avg 3/min bu rst 5 tcp dpt:5801 flags:FIN,SYN,RST,ACK/SYN LOG level warning tcp-options ip-op tions prefix `SFW2-INext-ACC-TCP '
ACCEPT tcp -- anywhere anywhere tcp dpt:5801
LOG tcp -- anywhere anywhere limit: avg 3/min bu rst 5 tcp dpt:5901 flags:FIN,SYN,RST,ACK/SYN LOG level warning tcp-options ip-op tions prefix `SFW2-INext-ACC-TCP '
ACCEPT tcp -- anywhere anywhere tcp dpt:5901
LOG tcp -- anywhere anywhere limit: avg 3/min bu rst 5 tcp dpt:ssh flags:FIN,SYN,RST,ACK/SYN LOG level warning tcp-options ip-opt ions prefix `SFW2-INext-ACC-TCP '
ACCEPT tcp -- anywhere anywhere tcp dpt:ssh
reject_func tcp -- anywhere anywhere tcp dpt:ident sta te NEW
LOG all -- anywhere anywhere limit: avg 3/min bu rst 5 PKTTYPE = multicast LOG level warning tcp-options ip-options prefix `SFW2- INext-DROP-DEFLT '
DROP all -- anywhere anywhere PKTTYPE = multicast
LOG tcp -- anywhere anywhere limit: avg 3/min bu rst 5 tcp flags:FIN,SYN,RST,ACK/SYN LOG level warning tcp-options ip-options pre fix `SFW2-INext-DROP-DEFLT '
LOG icmp -- anywhere anywhere limit: avg 3/min bu rst 5 LOG level warning tcp-options ip-options prefix `SFW2-INext-DROP-DEFLT '
LOG udp -- anywhere anywhere limit: avg 3/min bu rst 5 LOG level warning tcp-options ip-options prefix `SFW2-INext-DROP-DEFLT '
LOG all -- anywhere anywhere limit: avg 3/min bu rst 5 state INVALID LOG level warning tcp-options ip-options prefix `SFW2-INext- DROP-DEFLT-INV '
DROP all -- anywhere anywhere
Chain reject_func (1 references)
target prot opt source destination
REJECT tcp -- anywhere anywhere reject-with tcp-res et
REJECT udp -- anywhere anywhere reject-with icmp-po rt-unreachable
REJECT all -- anywhere anywhere reject-with icmp-pr oto-unreachable
hugang:~ # iptables -L
Chain INPUT (policy DROP)
target prot opt source destination
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
