I tried
```
iptables -I FORWARD -p tcp --tcp-flags RST RST -j DROP
```
and checked with `iptables -vL FORWARD`, which shows no matches at all, yet according to tcpdump RST packets are getting through. I can't figure out where the problem is.
```
12:05:38.763735 IP 192.168.1.147.57950 > 198.252.206.140.80: Flags [S], seq 705280096, win 8192, options [mss 1460,nop,wscale 2,nop,nop,sackOK], length 0
12:05:39.116945 IP 198.252.206.140.80 > 192.168.1.147.57950: Flags [S.], seq 2373532821, ack 705280097, win 14600, options [mss 1460,nop,nop,sackOK,nop,wscale 9], length 0
12:05:39.120185 IP 192.168.1.147.57950 > 198.252.206.140.80: Flags [.], ack 1, win 4380, length 0
12:05:39.125902 IP 192.168.1.147.57950 > 198.252.206.140.80: Flags [P.], seq 1:420, ack 1, win 4380, length 419
12:05:39.127969 IP 198.252.206.140.80 > 192.168.1.147.57950: Flags [R.], seq 1, ack 420, win 0, length 0
12:05:39.128106 IP 198.252.206.140.80 > 192.168.1.147.57950: Flags [R.], seq 1, ack 420, win 0, length 0
12:05:39.225220 IP 192.168.1.147.57951 > 83.145.197.2.80: Flags [S], seq 3277327128, win 8192, options [mss 1460,nop,wscale 2,nop,nop,sackOK], length 0
12:05:39.470248 IP 198.252.206.140.80 > 192.168.1.147.57950: Flags [.], ack 1, win 29, length 0
12:05:39.470394 IP 198.252.206.140.80 > 192.168.1.147.57950: Flags [.], ack 1, win 29, length 0
12:05:39.553312 IP 83.145.197.2.80 > 192.168.1.147.57951: Flags [S.], seq 3843338864, ack 3277327129, win 5840, options [mss 1460,nop,nop,sackOK,nop,wscale 7], length 0
12:05:39.555322 IP 192.168.1.147.57951 > 83.145.197.2.80: Flags [.], ack 1, win 4380, length 0
12:05:39.555820 IP 192.168.1.147.57951 > 83.145.197.2.80: Flags [P.], seq 1:529, ack 1, win 4380, length 528
12:05:39.559195 IP 83.145.197.2.80 > 192.168.1.147.57951: Flags [R.], seq 1, ack 529, win 0, length 0
12:05:39.559362 IP 83.145.197.2.80 > 192.168.1.147.57951: Flags [R.], seq 1, ack 529, win 0, length 0
12:05:39.881566 IP 83.145.197.2.80 > 192.168.1.147.57951: Flags [R], seq 3843338865, win 0, length 0
```
1
futursolo 2015-03-05 21:17:26 +08:00
Try the following commands:
```
iptables -I FORWARD -p tcp --tcp-flags SYN,FIN,RST,URG,PSH RST -j DROP
iptables -I INPUT -p tcp --tcp-flags SYN,FIN,RST,URG,PSH RST -j DROP
```
3
kttde 2015-03-05 21:44:05 +08:00
Put the table in front of the chain, like this:
```
iptables -t mangle -I FORWARD -p tcp --tcp-flags RST RST -j DROP
```
4
billlee OP @kttde That's it!
Could you explain what the mangle table is for? I always thought anything involving the DROP action had to go in the filter table.
5
ryd994 2015-03-06 01:27:08 +08:00 via Android
6
billlee OP @ryd994 I inserted it at the very front with -I, so nothing else should affect it.
```
root@WNDR4300:~# iptables -vL FORWARD
Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target           prot opt in     out     source               destination
    0     0 DROP             tcp  --  any    any     anywhere             anywhere             tcp flags:RST/RST
48486 3101K delegate_forward all  --  any    any     anywhere             anywhere
root@WNDR4300:~# iptables -t mangle -vL FORWARD
Chain FORWARD (policy ACCEPT 2890K packets, 2549M bytes)
 pkts bytes target      prot opt in     out     source               destination
12848  515K DROP        tcp  --  any    any     anywhere             anywhere             tcp flags:RST/RST
    0     0 qos_Default all  --  any    eth0.2  anywhere             anywhere
5745K 4824M mssfix      all  --  any    any     anywhere             anywhere
```
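An added example, not from the thread: a small Python model of the `--tcp-flags MASK COMP` semantics behind the two rule variants above (`RST RST` and `SYN,FIN,RST,URG,PSH RST`), evaluated against lines from the tcpdump capture in the question. The tcpdump letter-to-flag mapping and the six-flag `ALL` set are assumptions stated in the comments; the sample lines are constructed here from the original post's capture, so you can check which packets a rule should be counting before hunting for why the counter stays at zero.

```python
import re

# Assumption: tcpdump's one-letter flag notation mapped to iptables --tcp-flags names
TCPDUMP_FLAGS = {"S": "SYN", "F": "FIN", "R": "RST", "P": "PSH",
                 ".": "ACK", "U": "URG", "E": "ECE", "W": "CWR"}
ALL_FLAGS = {"SYN", "ACK", "FIN", "RST", "URG", "PSH"}  # what iptables calls ALL

# Constructed sample: five lines taken from the capture in the question above
CAPTURE = """\
12:05:38.763735 IP 192.168.1.147.57950 > 198.252.206.140.80: Flags [S], seq 705280096, win 8192, length 0
12:05:39.116945 IP 198.252.206.140.80 > 192.168.1.147.57950: Flags [S.], seq 2373532821, ack 705280097, win 14600, length 0
12:05:39.125902 IP 192.168.1.147.57950 > 198.252.206.140.80: Flags [P.], seq 1:420, ack 1, win 4380, length 419
12:05:39.127969 IP 198.252.206.140.80 > 192.168.1.147.57950: Flags [R.], seq 1, ack 420, win 0, length 0
12:05:39.881566 IP 83.145.197.2.80 > 192.168.1.147.57951: Flags [R], seq 3843338865, win 0, length 0
"""

FLAGS_RE = re.compile(r"Flags \[([^\]]*)\]")


def parse_flags(line):
    """Return the set of TCP flag names that are set in one tcpdump line."""
    m = FLAGS_RE.search(line)
    if not m:
        raise ValueError("no Flags field in: " + line)
    return {TCPDUMP_FLAGS[c] for c in m.group(1)}


def _flag_set(spec):
    """Expand an iptables flag list ('SYN,RST', 'ALL', 'NONE') to a set."""
    if spec == "ALL":
        return set(ALL_FLAGS)
    if spec == "NONE":
        return set()
    return set(spec.split(","))


def tcp_flags_match(flags, mask, comp):
    """--tcp-flags MASK COMP: of the flags named in MASK, exactly those in
    COMP must be set; flags outside MASK (e.g. ACK in '[R.]') are ignored."""
    mask_set, comp_set = _flag_set(mask), _flag_set(comp)
    if not comp_set <= mask_set:
        raise ValueError("COMP must be a subset of MASK")
    return (flags & mask_set) == comp_set


def matching_lines(capture, mask, comp):
    """Capture lines that the rule '-p tcp --tcp-flags MASK COMP' would match."""
    return [ln for ln in capture.splitlines()
            if tcp_flags_match(parse_flags(ln), mask, comp)]
```

For this capture both rule variants select the same two packets (`[R.]` and `[R]`); if the live counter still reads 0, the packets are not reaching that table/chain, not failing the flag match.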