Firewall, 防火牆 in Chinese, cannot by itself stop your computer from being infected. All it does is enforce a set of rules that decide which packets may reach (or leave) your machine; it does not inspect what a permitted connection carries. Used properly, though, blocking hostile IP addresses and closing ports you do not normally use does shrink the attack surface and lowers the chance of infection.
Example of usage (all iptables commands need root; the filter table is assumed when -t is omitted):
iptables --help
iptables -L -n --line-numbers                                       # List all rules with rule numbers, no DNS lookups
iptables -L INPUT -n --line-numbers                                 # List INPUT rules only
iptables -F                                                         # Delete (flush) all rules in every chain; the chain policies are NOT reset
iptables -D INPUT 1                                                 # Delete rule No.1 of INPUT (numbers from -L --line-numbers)
iptables -P INPUT ACCEPT                                            # Set the default policy of INPUT to ACCEPT
iptables -I INPUT -s 192.168.0.157 -p tcp --dport 23 -j REJECT     # Insert rule with port: reject telnet from this host
iptables -D INPUT -s 192.168.0.157 -p tcp --dport 23 -j REJECT     # Delete the same rule by repeating its specification
iptables -I INPUT -s 192.168.0.157 -p tcp -j REJECT                # Insert rule without port: reject all TCP from this host
iptables -I OUTPUT -p tcp -m multiport --sports 80,443 -j REJECT   # Insert rule with multiple ports; the multiport match spells them --sports / --dports
Two things to keep in mind. First, -I inserts at position 1 (or the given rule number), so the new rule is evaluated before every existing rule, while -A appends to the end; since matching stops at the first rule that jumps to a terminating target, order decides the result. Second, flushing with -F while a chain's policy is DROP removes your allow rules and can lock you out of a remote host, so set the policy to ACCEPT before flushing. Note also that the last rule above rejects packets leaving with source port 80 or 443, i.e. the replies of a web server running on this machine; to block outbound web browsing you would match --dports 80,443 instead. Rules live only in the running kernel: save them with iptables-save and reload with iptables-restore, or they are gone at the next reboot.
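The commands above are typed one at a time; in practice they are combined into a script that builds a chain in a lock-out-safe order. The script below is an added example, not part of the original post: it sets a default-deny INPUT policy while keeping remote administration reachable. It assumes management is SSH on TCP 22 from the 192.168.0.0/24 network (both adjustable through SSH_PORT and ADMIN_NET), that the standard conntrack match is available, and uses /etc/iptables/rules.v4 as an assumed save path. Setting IPT=echo prints the exact iptables invocations instead of running them, which is how you review the ruleset before applying it as root.

```shell
#!/bin/sh
# Added example (not from the original post): build a default-deny INPUT chain
# in an order that cannot lock out a remote administrator.
#
# IPT is the command used for every rule. It defaults to iptables (needs root);
# set IPT=echo to preview the exact commands without touching the kernel.
IPT="${IPT:-iptables}"
# Assumptions for this example: management is SSH on TCP 22, reachable only
# from the 192.168.0.0/24 admin network. Adjust both for a real host.
SSH_PORT="${SSH_PORT:-22}"
ADMIN_NET="${ADMIN_NET:-192.168.0.0/24}"

apply_input_policy() {
    # 1. Open the policy BEFORE flushing. "iptables -F" removes rules but not
    #    the policy, so flushing while the policy is DROP would drop everything.
    "$IPT" -P INPUT ACCEPT
    "$IPT" -F INPUT

    # 2. Loopback traffic and replies to connections this host initiated.
    "$IPT" -A INPUT -i lo -j ACCEPT
    "$IPT" -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

    # 3. Packets the connection tracker cannot classify are dropped early.
    "$IPT" -A INPUT -m conntrack --ctstate INVALID -j DROP

    # 4. Explicit allow for the management service, restricted by source.
    "$IPT" -A INPUT -s "$ADMIN_NET" -p tcp --dport "$SSH_PORT" \
        -m conntrack --ctstate NEW -j ACCEPT

    # 5. Only now flip the default to DROP: every allow rule is already in place.
    "$IPT" -P INPUT DROP
}

# Rules exist only in the running kernel; persist them explicitly after review.
# The default path is an assumption; Debian's iptables-persistent uses it.
save_rules() {
    iptables-save > "${1:-/etc/iptables/rules.v4}"
}

case "${1:-}" in
    apply)   apply_input_policy ;;
    dry-run) IPT=echo; apply_input_policy ;;
    save)    save_rules "${2:-}" ;;
    *)       : ;;   # no argument: only define the functions (file can be sourced)
esac
```

Run `sh fw.sh dry-run` to see the seven commands in order, `sudo sh fw.sh apply` to load them, then `sudo sh fw.sh save` once `iptables -L INPUT -n --line-numbers` shows what you expect. The order of steps 1 and 5 is the whole point: the policy is relaxed before the chain is emptied and tightened only after the allow rules are back.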
Commands:
Either long or short options are allowed.
  --append  -A chain                 Append to chain
  --delete  -D chain                 Delete matching rule from chain
  --delete  -D chain rulenum         Delete rule rulenum (1 = first) from chain
  --insert  -I chain [rulenum]       Insert in chain as rulenum (default 1 = first)
  --flush   -F [chain]               Delete all rules in chain or all chains
  --list    -L [chain [rulenum]]     List the rules in a chain or all chains
  --policy  -P chain target          Change policy on chain to target
Options:
[!] --proto          -p proto                 protocol: by number or name, eg. `tcp'
[!] --source         -s address[/mask][...]   source specification
[!] --destination    -d address[/mask][...]   destination specification
[!] --in-interface   -i input name[+]         network interface name ([+] for wildcard)
[!] --out-interface  -o output name[+]        network interface name ([+] for wildcard)
    --jump           -j target                target for rule (may load target extension)
    --match          -m match                 extended match (may load extension), ex: multiport
    --numeric        -n                       numeric output of addresses and ports
    --table          -t table                 table to manipulate (default: `filter')
    --line-numbers                            print line numbers when listing
[!] --version        -V                       print package version.
Match options (belong to the tcp/udp match, which -p tcp or -p udp loads automatically):
    --sport, --source-port       port[:port]  match the source port (or range)
    --dport, --destination-port  port[:port]  match the destination port (or range)