У меня есть правила iptables (ниже) с моего маршрутизатора OpenWRT. Я не могу понять сценарий, в котором срабатывают два моих правила ведения журнала (внутри zone_wan_dest_REJECT и zone_wan_src_REJECT), потому что, например:

в forwarding_wan_rule все пакеты будут приняты цепочкой zone_lan_dest_ACCEPT ещё до перехода в zone_wan_dest_REJECT. Но на практике обе записи в журнале действительно появляются, и я не могу понять, как это происходит. Может ли кто-нибудь объяснить мне это, пожалуйста?

И может ли кто-нибудь также объяснить, как эти правила отличают мой wan_dest от lan_dest? Другими словами, откуда они знают, какие пакеты направляются в мою локальную сеть, а какие уходят наружу? Этого я тоже не могу понять.

root@rt01:~# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere             /* !fw3 */
input_rule  all  --  anywhere             anywhere             /* !fw3: user chain for input */
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED /* !fw3 */
syn_flood  tcp  --  anywhere             anywhere             tcp flags:FIN,SYN,RST,ACK/SYN /* !fw3 */
zone_lan_input  all  --  anywhere             anywhere             /* !fw3 */
zone_wan_input  all  --  anywhere             anywhere             /* !fw3 */
zone_wan_input  all  --  anywhere             anywhere             /* !fw3 */

Chain FORWARD (policy DROP)
target     prot opt source               destination
forwarding_rule  all  --  anywhere             anywhere             /* !fw3: user chain for forwarding */
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED /* !fw3 */
zone_lan_forward  all  --  anywhere             anywhere             /* !fw3 */
zone_wan_forward  all  --  anywhere             anywhere             /* !fw3 */
zone_wan_forward  all  --  anywhere             anywhere             /* !fw3 */
reject     all  --  anywhere             anywhere             /* !fw3 */

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere             /* !fw3 */
output_rule  all  --  anywhere             anywhere             /* !fw3: user chain for output */
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED /* !fw3 */
zone_lan_output  all  --  anywhere             anywhere             /* !fw3 */
zone_wan_output  all  --  anywhere             anywhere             /* !fw3 */
zone_wan_output  all  --  anywhere             anywhere             /* !fw3 */

Chain forwarding_lan_rule (1 references)
target     prot opt source               destination

Chain forwarding_rule (1 references)
target     prot opt source               destination

Chain forwarding_wan_rule (1 references)
target     prot opt source               destination

Chain input_lan_rule (1 references)
target     prot opt source               destination

Chain input_rule (1 references)
target     prot opt source               destination

Chain input_wan_rule (1 references)
target     prot opt source               destination

Chain output_lan_rule (1 references)
target     prot opt source               destination

Chain output_rule (1 references)
target     prot opt source               destination

Chain output_wan_rule (1 references)
target     prot opt source               destination

Chain reject (5 references)
target     prot opt source               destination
REJECT     tcp  --  anywhere             anywhere             /* !fw3 */ reject-with tcp-reset
REJECT     all  --  anywhere             anywhere             /* !fw3 */ reject-with icmp-port-unreachable

Chain syn_flood (1 references)
target     prot opt source               destination
RETURN     tcp  --  anywhere             anywhere             tcp flags:FIN,SYN,RST,ACK/SYN limit: avg 25/sec burst 50 /* !fw3 */
DROP       all  --  anywhere             anywhere             /* !fw3 */

Chain zone_lan_dest_ACCEPT (4 references)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere             ctstate NEW,UNTRACKED /* !fw3 */

Chain zone_lan_forward (1 references)
target     prot opt source               destination
forwarding_lan_rule  all  --  anywhere             anywhere             /* !fw3: user chain for forwarding */
zone_wan_dest_ACCEPT  all  --  anywhere             anywhere             /* !fw3: forwarding lan -> wan */
ACCEPT     all  --  anywhere             anywhere             ctstate DNAT /* !fw3: Accept port forwards */
zone_lan_dest_ACCEPT  all  --  anywhere             anywhere             /* !fw3 */

Chain zone_lan_input (1 references)
target     prot opt source               destination
input_lan_rule  all  --  anywhere             anywhere             /* !fw3: user chain for input */
ACCEPT     all  --  anywhere             anywhere             ctstate DNAT /* !fw3: Accept port redirections */
zone_lan_src_ACCEPT  all  --  anywhere             anywhere             /* !fw3 */

Chain zone_lan_output (1 references)
target     prot opt source               destination
output_lan_rule  all  --  anywhere             anywhere             /* !fw3: user chain for output */
zone_lan_dest_ACCEPT  all  --  anywhere             anywhere             /* !fw3 */

Chain zone_lan_src_ACCEPT (1 references)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere             ctstate NEW,UNTRACKED /* !fw3 */

Chain zone_wan_dest_ACCEPT (2 references)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere             ctstate NEW,UNTRACKED /* !fw3 */
ACCEPT     all  --  anywhere             anywhere             ctstate NEW,UNTRACKED /* !fw3 */

Chain zone_wan_dest_REJECT (1 references)
target     prot opt source               destination
LOG        all  --  anywhere             anywhere             limit: avg 10/sec burst 5 /* !fw3 */ LOG level warning prefix "REJECT(dest wan)"
reject     all  --  anywhere             anywhere             /* !fw3 */
reject     all  --  anywhere             anywhere             /* !fw3 */

Chain zone_wan_forward (2 references)
target     prot opt source               destination
forwarding_wan_rule  all  --  anywhere             anywhere             /* !fw3: user chain for forwarding */
zone_lan_dest_ACCEPT  esp  --  anywhere             anywhere             /* !fw3: @rule[7] */
zone_lan_dest_ACCEPT  udp  --  anywhere             anywhere             udp dpt:isakmp /* !fw3: @rule[8] */
ACCEPT     all  --  anywhere             anywhere             ctstate DNAT /* !fw3: Accept port forwards */
zone_wan_dest_REJECT  all  --  anywhere             anywhere             /* !fw3 */

Chain zone_wan_input (2 references)
target     prot opt source               destination
input_wan_rule  all  --  anywhere             anywhere             /* !fw3: user chain for input */
ACCEPT     udp  --  anywhere             anywhere             udp dpt:bootpc /* !fw3: Allow-DHCP-Renew */
ACCEPT     icmp --  anywhere             anywhere             icmp echo-request /* !fw3: Allow-Ping */
ACCEPT     igmp --  anywhere             anywhere             /* !fw3: Allow-IGMP */
ACCEPT     all  --  anywhere             anywhere             ctstate DNAT /* !fw3: Accept port redirections */
zone_wan_src_REJECT  all  --  anywhere             anywhere             /* !fw3 */

Chain zone_wan_output (2 references)
target     prot opt source               destination
output_wan_rule  all  --  anywhere             anywhere             /* !fw3: user chain for output */
zone_wan_dest_ACCEPT  all  --  anywhere             anywhere             /* !fw3 */

Chain zone_wan_src_REJECT (1 references)
target     prot opt source               destination
LOG        all  --  anywhere             anywhere             limit: avg 10/sec burst 5 /* !fw3 */ LOG level warning prefix "REJECT(src wan)"
reject     all  --  anywhere             anywhere             /* !fw3 */
reject     all  --  anywhere             anywhere             /* !fw3 */
root@rt01:~#

Отредактировано: добавлено iptables -L -v (согласно запросу)

root@rt01:~#  iptables -L -v
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
   88  9788 ACCEPT     all  --  lo     any     anywhere             anywhere             /* !fw3 */
 1870  857K input_rule  all  --  any    any     anywhere             anywhere             /* !fw3: user chain for input */
 1232  798K ACCEPT     all  --  any    any     anywhere             anywhere             ctstate RELATED,ESTABLISHED /* !fw3 */
   61  3016 syn_flood  tcp  --  any    any     anywhere             anywhere             tcp flags:FIN,SYN,RST,ACK/SYN /* !fw3 */
  492 34287 zone_lan_input  all  --  br-lan any     anywhere             anywhere             /* !fw3 */
   82  4472 zone_wan_input  all  --  pppoe-wan any     anywhere             anywhere             /* !fw3 */
   64 20992 zone_wan_input  all  --  eth1   any     anywhere             anywhere             /* !fw3 */

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 LOG        tcp  --  any    any     anywhere             anywhere             tcp dpt:2213 LOG level warning prefix "(mycustom_ssh_forward) "
    0     0 LOG        tcp  --  any    any     anywhere             anywhere             tcp dpt:ssh LOG level warning prefix "(ssh_forward) "
    0     0 REJECT     tcp  --  any    any     anywhere             anywhere             tcp dpt:ssh reject-with icmp-port-unreachable
40262   11M forwarding_rule  all  --  any    any     anywhere             anywhere             /* !fw3: user chain for forwarding */
38858   11M ACCEPT     all  --  any    any     anywhere             anywhere             ctstate RELATED,ESTABLISHED /* !fw3 */
 1403  208K zone_lan_forward  all  --  br-lan any     anywhere             anywhere             /* !fw3 */
    1    56 zone_wan_forward  all  --  pppoe-wan any     anywhere             anywhere             /* !fw3 */
    0     0 zone_wan_forward  all  --  eth1   any     anywhere             anywhere             /* !fw3 */
    2    92 reject     all  --  any    any     anywhere             anywhere             /* !fw3 */

Chain OUTPUT (policy ACCEPT 3 packets, 120 bytes)
 pkts bytes target     prot opt in     out     source               destination
   88  9788 ACCEPT     all  --  any    lo      anywhere             anywhere             /* !fw3 */
 1865  251K output_rule  all  --  any    any     anywhere             anywhere             /* !fw3: user chain for output */
  975  191K ACCEPT     all  --  any    any     anywhere             anywhere             ctstate RELATED,ESTABLISHED /* !fw3 */
   23  3055 zone_lan_output  all  --  any    br-lan  anywhere             anywhere             /* !fw3 */
  867 57072 zone_wan_output  all  --  any    pppoe-wan  anywhere             anywhere             /* !fw3 */
    0     0 zone_wan_output  all  --  any    eth1    anywhere             anywhere             /* !fw3 */

Chain forwarding_lan_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain forwarding_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain forwarding_wan_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain input_lan_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain input_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain input_wan_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain output_lan_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain output_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain output_wan_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain reject (5 references)
 pkts bytes target     prot opt in     out     source               destination
   61  2968 REJECT     tcp  --  any    any     anywhere             anywhere             /* !fw3 */ reject-with tcp-reset
   87 22588 REJECT     all  --  any    any     anywhere             anywhere             /* !fw3 */ reject-with icmp-port-unreachable

Chain syn_flood (1 references)
 pkts bytes target     prot opt in     out     source               destination
   61  3016 RETURN     tcp  --  any    any     anywhere             anywhere             tcp flags:FIN,SYN,RST,ACK/SYN limit: avg 25/sec burst 50 /* !fw3 */
    0     0 DROP       all  --  any    any     anywhere             anywhere             /* !fw3 */

Chain zone_lan_dest_ACCEPT (4 references)
 pkts bytes target     prot opt in     out     source               destination
   21  2975 ACCEPT     all  --  any    br-lan  anywhere             anywhere             ctstate NEW,UNTRACKED /* !fw3 */

Chain zone_lan_forward (1 references)
 pkts bytes target     prot opt in     out     source               destination
 1403  208K forwarding_lan_rule  all  --  any    any     anywhere             anywhere             /* !fw3: user chain for forwarding */
 1403  208K zone_wan_dest_ACCEPT  all  --  any    any     anywhere             anywhere             /* !fw3: forwarding lan -> wan */
    0     0 ACCEPT     all  --  any    any     anywhere             anywhere             ctstate DNAT /* !fw3: Accept port forwards */
    2    92 zone_lan_dest_ACCEPT  all  --  any    any     anywhere             anywhere             /* !fw3 */

Chain zone_lan_input (1 references)
 pkts bytes target     prot opt in     out     source               destination
  492 34287 input_lan_rule  all  --  any    any     anywhere             anywhere             /* !fw3: user chain for input */
    0     0 ACCEPT     all  --  any    any     anywhere             anywhere             ctstate DNAT /* !fw3: Accept port redirections */
  492 34287 zone_lan_src_ACCEPT  all  --  any    any     anywhere             anywhere             /* !fw3 */

Chain zone_lan_output (1 references)
 pkts bytes target     prot opt in     out     source               destination
   23  3055 output_lan_rule  all  --  any    any     anywhere             anywhere             /* !fw3: user chain for output */
   23  3055 zone_lan_dest_ACCEPT  all  --  any    any     anywhere             anywhere             /* !fw3 */

Chain zone_lan_src_ACCEPT (1 references)
 pkts bytes target     prot opt in     out     source               destination
  492 34287 ACCEPT     all  --  br-lan any     anywhere             anywhere             ctstate NEW,UNTRACKED /* !fw3 */

Chain zone_wan_dest_ACCEPT (2 references)
 pkts bytes target     prot opt in     out     source               destination
 2267  265K ACCEPT     all  --  any    pppoe-wan  anywhere             anywhere             ctstate NEW,UNTRACKED /* !fw3 */
    0     0 ACCEPT     all  --  any    eth1    anywhere             anywhere             ctstate NEW,UNTRACKED /* !fw3 */

Chain zone_wan_dest_REJECT (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 reject     all  --  any    pppoe-wan  anywhere             anywhere             /* !fw3 */
    0     0 reject     all  --  any    eth1    anywhere             anywhere             /* !fw3 */

Chain zone_wan_forward (2 references)
 pkts bytes target     prot opt in     out     source               destination
    1    56 forwarding_wan_rule  all  --  any    any     anywhere             anywhere             /* !fw3: user chain for forwarding */
    0     0 zone_lan_dest_ACCEPT  esp  --  any    any     anywhere             anywhere             /* !fw3: @rule[7] */
    0     0 zone_lan_dest_ACCEPT  udp  --  any    any     anywhere             anywhere             udp dpt:isakmp /* !fw3: @rule[8] */
    1    56 ACCEPT     all  --  any    any     anywhere             anywhere             ctstate DNAT /* !fw3: Accept port forwards */
    0     0 zone_wan_dest_REJECT  all  --  any    any     anywhere             anywhere             /* !fw3 */

Chain zone_wan_input (2 references)
 pkts bytes target     prot opt in     out     source               destination
  146 25464 input_wan_rule  all  --  any    any     anywhere             anywhere             /* !fw3: user chain for input */
    0     0 ACCEPT     udp  --  any    any     anywhere             anywhere             udp dpt:bootpc /* !fw3: Allow-DHCP-Renew */
    0     0 ACCEPT     icmp --  any    any     anywhere             anywhere             icmp echo-request /* !fw3: Allow-Ping */
    0     0 ACCEPT     igmp --  any    any     anywhere             anywhere             /* !fw3: Allow-IGMP */
    0     0 ACCEPT     all  --  any    any     anywhere             anywhere             ctstate DNAT /* !fw3: Accept port redirections */
  146 25464 zone_wan_src_REJECT  all  --  any    any     anywhere             anywhere             /* !fw3 */

Chain zone_wan_output (2 references)
 pkts bytes target     prot opt in     out     source               destination
  867 57072 output_wan_rule  all  --  any    any     anywhere             anywhere             /* !fw3: user chain for output */
  867 57072 zone_wan_dest_ACCEPT  all  --  any    any     anywhere             anywhere             /* !fw3 */

Chain zone_wan_src_REJECT (1 references)
 pkts bytes target     prot opt in     out     source               destination
   82  4472 reject     all  --  pppoe-wan any     anywhere             anywhere             /* !fw3 */
   64 20992 reject     all  --  eth1   any     anywhere             anywhere             /* !fw3 */
root@rt01:~#
