Ebtables/Iptables Analysis

An analysis of the ebtables/iptables implementation and commands.

ebtables and iptables are both configuration tools for netfilter on Linux. They install frame/packet filtering and mangling rules at the key hook points of the link layer (bridging) and the network layer respectively.

ebtables focuses on link-layer information: VLAN tags, MAC addresses and bridged frame traffic.

iptables focuses on IP-layer information and layer-4 port information.

ebtables
Command examples:

1. Show a table

ebtables -t filter -L    show the filter table; this is also the table listed when -t is omitted
ebtables -t broute -L    show the broute table
ebtables -t nat -L       show the nat table
Output (filter table on a freshly booted system):
Bridge table: filter
Bridge chain: INPUT, entries: 0, policy: ACCEPT
Bridge chain: FORWARD, entries: 0, policy: ACCEPT
Bridge chain: OUTPUT, entries: 0, policy: ACCEPT

2. Add a chain

ebtables -t filter -N jason -P ACCEPT    create a user-defined chain named jason with policy ACCEPT
Output:
ebtables -t filter -L
Bridge table: filter
Bridge chain: INPUT, entries: 0, policy: ACCEPT
Bridge chain: FORWARD, entries: 0, policy: ACCEPT
Bridge chain: OUTPUT, entries: 0, policy: ACCEPT
Bridge chain: jason, entries: 0, policy: ACCEPT
At this point no frame reaches the new chain: a user-defined chain is not attached to any kernel hook point, it only receives frames through a -j jump from a base chain (INPUT, FORWARD or OUTPUT in the filter table).

3. Jump into the chain from a base chain

ebtables -t filter -A INPUT -j jason    append a rule to INPUT that unconditionally jumps to jason
Output:
ebtables -t filter -L
Bridge table: filter
Bridge chain: INPUT, entries: 1, policy: ACCEPT
-j jason
Bridge chain: FORWARD, entries: 0, policy: ACCEPT
Bridge chain: OUTPUT, entries: 0, policy: ACCEPT
Bridge chain: jason, entries: 0, policy: ACCEPT
Now every frame that enters INPUT (a frame the bridge delivers to the local host) is handed to jason. Because jason still has no rules and its policy is still ACCEPT, the frame is accepted; nothing is dropped until the policy is changed in the next step.

4. Change a chain's policy

ebtables -t filter -P jason DROP    set the policy of the user-defined chain jason to DROP
Output:
ebtables -t filter -L
Bridge table: filter
Bridge chain: INPUT, entries: 1, policy: ACCEPT
-j jason
Bridge chain: FORWARD, entries: 0, policy: ACCEPT
Bridge chain: OUTPUT, entries: 0, policy: ACCEPT
Bridge chain: jason, entries: 0, policy: DROP
Now a frame entering INPUT is handed to jason, matches none of its rules (there are none) and is dropped by jason's policy. A chain's policy is the verdict for frames that reach the end of the chain without one; unlike iptables, where a user-defined chain implicitly returns to its caller, ebtables gives user-defined chains their own policy, which can be ACCEPT, DROP or RETURN.

5. Flush a chain's rules

ebtables -t filter -F INPUT    delete every rule in INPUT; the chain and its policy remain
ebtables -t filter -L
Bridge table: filter
Bridge chain: INPUT, entries: 0, policy: ACCEPT
Bridge chain: FORWARD, entries: 0, policy: ACCEPT
Bridge chain: OUTPUT, entries: 0, policy: ACCEPT
Bridge chain: jason, entries: 0, policy: DROP
The jump rule is gone, so frames entering INPUT are accepted by the INPUT policy again. jason still exists with policy DROP but is unreachable until some rule jumps to it; -F with no chain name flushes every chain in the table, and -X jason deletes the now unused chain.

General rule syntax (-A append, -D delete, -I insert, -C change counters):
ebtables [-t table] -[ACDI] chain rule-specification [match-extensions] [watcher-extensions] target

6. Rule specification options:

Options:
--proto        -p [!] proto          : Ethernet protocol (EtherType) as a hexadecimal number, by name (e.g. IPv4, ARP; see /etc/ethertypes) or LENGTH for 802.2/802.3 frames whose type field is a length
--src          -s [!] address[/mask] : source MAC address
--dst          -d [!] address[/mask] : destination MAC address
--in-if        -i [!] name[+]        : network input interface name (a trailing + is a prefix wildcard)
--out-if       -o [!] name[+]        : network output interface name
--logical-in      [!] name[+]        : logical bridge input interface name
--logical-out     [!] name[+]        : logical bridge output interface name
--set-counters -c pcnt bcnt          : set the packet and byte counters of the rule being added (with -A or -I)

The ebtables/iptables flow diagrams that circulate online are wrong; the positions of the individual tables are corrected in the figure referenced here.
[Figure 1: corrected placement of the ebtables/iptables tables in the packet flow. The image is not included in this text and is for reference only.]

Related articles and links:

Ebtables explained:
http://www.cnblogs.com/peteryj/archive/2011/07/24/2115602.html
Iptables explained:
http://blog.csdn.net/reyleon/article/details/12976341
iptables summary:
http://blog.csdn.net/xingliyuan22/article/details/9152037
ebtables commands:
http://blog.csdn.net/rudyn/article/details/28630495

Use cases:

1. NAT loopback (NAT reflection, hairpin NAT)
https://unix.stackexchange.com/questions/282086/how-does-nat-reflection-nat-loopback-work

2. Do not forward LAN-to-LAN multicast frames at layer 2.
ebtables -t filter -A FORWARD -i eth0.+ -o eth0.+ -d 01:00:00:00:00:00/01:00:00:00:00:00 -j DROP
The -d MAC/MASK form picks out multicast frames: the mask keeps only the lowest bit of the first octet (the I/G bit), which is set in every multicast destination, and eth0.+ matches every VLAN sub-interface of eth0 as input and output. ebtables accepts the keyword Multicast as shorthand for this address/mask pair. Note that a broadcast destination (ff:ff:ff:ff:ff:ff) also has the I/G bit set, so this rule drops bridged broadcasts such as ARP requests between the sub-interfaces as well; if those must still cross, insert a rule matching -d Broadcast -j ACCEPT ahead of it.
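To show why that address/mask selects multicast and also broadcast, here is an added example, not part of the original post, that evaluates an ebtables -s/-d address[/mask] specification the way the bridge match does ((dst & mask) == (addr & mask)), classifies constructed sample addresses against the keyword specs from ebtables(8), and compares the FORWARD rule above with and without a broadcast exemption in front of it. The function names and the sample MAC addresses are the example's own.

```python
"""How ebtables -s/-d address[/mask] matching works.

Added example, not from the original post. A destination matches a spec when
(dst & mask) == (addr & mask); the mask 01:00:00:00:00:00 keeps only the I/G
bit of the first octet, which every multicast and broadcast address sets.
All sample MAC addresses below are constructed.
"""


def mac_to_int(mac):
    """'aa:bb:cc:dd:ee:ff' -> 48-bit integer, rejecting malformed input."""
    octets = mac.split(":")
    if len(octets) != 6 or any(len(o) != 2 for o in octets):
        raise ValueError(f"malformed MAC address: {mac!r}")
    return int("".join(octets), 16)  # non-hex digits raise ValueError here


def parse_spec(spec):
    """'addr[/mask]' as given to -s/-d; without a mask the match is exact."""
    addr, _, mask = spec.partition("/")
    return mac_to_int(addr), (mac_to_int(mask) if mask else 0xFFFFFFFFFFFF)


def mac_matches(mac, spec):
    """True if mac satisfies the address/mask spec, as the bridge match does."""
    addr, mask = parse_spec(spec)
    return (mac_to_int(mac) & mask) == (addr & mask)


# The named specs ebtables(8) accepts in place of an explicit address/mask.
SPECS = {
    "Unicast":   "00:00:00:00:00:00/01:00:00:00:00:00",
    "Multicast": "01:00:00:00:00:00/01:00:00:00:00:00",
    "Broadcast": "ff:ff:ff:ff:ff:ff/ff:ff:ff:ff:ff:ff",
    "BGA":       "01:80:c2:00:00:00/ff:ff:ff:ff:ff:ff",  # bridge group address
}


def classify(mac):
    """All named specs a destination matches; broadcast also matches Multicast."""
    return [name for name, spec in SPECS.items() if mac_matches(mac, spec)]


def forward_verdict(dst_mac, exempt_broadcast=False):
    """Fate of a frame bridged eth0.X -> eth0.Y under the FORWARD rule above.

    Models the chain as: an optional '-d Broadcast -j ACCEPT' inserted first,
    then the multicast DROP rule from the post, then the FORWARD policy ACCEPT.
    """
    if exempt_broadcast and mac_matches(dst_mac, SPECS["Broadcast"]):
        return "ACCEPT"
    if mac_matches(dst_mac, SPECS["Multicast"]):
        return "DROP"
    return "ACCEPT"  # no rule matched: the chain policy decides


if __name__ == "__main__":
    # Constructed destinations: IPv4 mDNS group, broadcast, STP group address, a host NIC.
    for mac in ("01:00:5e:00:00:fb", "ff:ff:ff:ff:ff:ff", "01:80:c2:00:00:00", "00:11:22:33:44:55"):
        print(mac, classify(mac), forward_verdict(mac), forward_verdict(mac, True))
```

The broadcast address classifies as both Multicast and Broadcast, which is exactly why the rule as written drops ARP requests; with the exemption in front, broadcast is accepted while multicast groups such as 01:00:5e:00:00:fb are still dropped, and ordinary unicast frames never hit either rule.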

Original links:

http://ebtables.netfilter.org/
http://ebtables.netfilter.org/misc/ebtables-man.html
