Analysis of the ebtables/iptables implementation and commands.
ebtables and iptables are both configuration tools for netfilter on Linux; they let you attach packet filtering and mangling rules at several key hook points in the link layer and the network layer.
ebtables focuses on VLAN tags, MAC addresses and bridged traffic.
iptables focuses on IP-layer information and layer-4 port information.
ebtables
Command examples:
ebtables -t filter -L    show the contents of the filter table (this is also the default table)
ebtables -t broute -L    show the contents of the broute table
ebtables -t nat -L    show the contents of the nat table
Output:
Bridge table: filter
Bridge chain: INPUT, entries: 0, policy: ACCEPT
Bridge chain: FORWARD, entries: 0, policy: ACCEPT
Bridge chain: OUTPUT, entries: 0, policy: ACCEPT
ebtables -t filter -N jason -P ACCEPT    add a user-defined chain named jason
Output:
ebtables -t filter -L
Bridge table: filter
Bridge chain: INPUT, entries: 0, policy: ACCEPT
Bridge chain: FORWARD, entries: 0, policy: ACCEPT
Bridge chain: OUTPUT, entries: 0, policy: ACCEPT
Bridge chain: jason, entries: 0, policy: ACCEPT
At this point, however, no packets will reach this chain, because it is not attached to any of the kernel's packet hook points.
ebtables -t filter -A INPUT -j jason    append a rule to INPUT that jumps to the jason chain
Output:
ebtables -t filter -L
Bridge table: filter
Bridge chain: INPUT, entries: 1, policy: ACCEPT
-j jason
Bridge chain: FORWARD, entries: 0, policy: ACCEPT
Bridge chain: OUTPUT, entries: 0, policy: ACCEPT
Bridge chain: jason, entries: 0, policy: DROP
ebtables -t filter -P jason DROP    set the policy of the jason chain to DROP
Output:
ebtables -t filter -L
Bridge table: filter
Bridge chain: INPUT, entries: 1, policy: ACCEPT
-j jason
Bridge chain: FORWARD, entries: 0, policy: ACCEPT
Bridge chain: OUTPUT, entries: 0, policy: ACCEPT
Bridge chain: jason, entries: 0, policy: DROP
Now packets arriving from the bridge (br) are checked against the rules of the jason chain and, since none match, end up being dropped by its policy.
ebtables -t filter -F INPUT    flush all rules from the INPUT chain
ebtables -t filter -L
Bridge table: filter
Bridge chain: INPUT, entries: 1, policy: ACCEPT
-j jason
Bridge chain: FORWARD, entries: 0, policy: ACCEPT
Bridge chain: OUTPUT, entries: 0, policy: ACCEPT
Bridge chain: jason, entries: 0, policy: DROP
Syntax: ebtables [-t table] -[ACDI] chain rule-specification [match extensions] [watcher extensions] target
Options:
--proto -p [!] proto : protocol hexadecimal, by name or LENGTH
--src -s [!] address[/mask] : source mac address
--dst -d [!] address[/mask] : destination mac address
--in-if -i [!] name[+] : network input interface name
--out-if -o [!] name[+] : network output interface name
--logical-in [!] name[+] : logical bridge input interface name
--logical-out [!] name[+] : logical bridge output interface name
--set-counters -c chain
pcnt bcnt : set the counters of the to be added rule
The ebtables/iptables flow diagrams circulating online are wrong; the position of each table is corrected below.
The figure below is for reference only:
Ebtables in detail:
http://www.cnblogs.com/peteryj/archive/2011/07/24/2115602.html
Iptables in detail:
http://blog.csdn.net/reyleon/article/details/12976341
iptables summary:
http://blog.csdn.net/xingliyuan22/article/details/9152037
ebtables commands:
http://blog.csdn.net/rudyn/article/details/28630495
1. NAT loopback
https://unix.stackexchange.com/questions/282086/how-does-nat-reflection-nat-loopback-work
2. Do not forward LAN-to-LAN multicast frames at layer 2.
ebtables -t filter -A FORWARD -i eth0.+ -o eth0.+ -d 01:00:00:00:00:00/01:00:00:00:00:00 -j DROP
The -d MAC/MASK form is what picks out the multicast frames.
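An added example (not code from the original post) that models how this rule is evaluated: the -d MAC/MASK comparison, the eth0.+ prefix wildcard, and the fall-through to the FORWARD policy, applied to constructed sample frames. The eth0.10/eth0.20/eth1 interface names and the frames are assumptions.

```python
def mac_to_int(mac: str) -> int:
    """Parse aa:bb:cc:dd:ee:ff into a 48-bit integer."""
    parts = mac.lower().split(":")
    if len(parts) != 6:
        raise ValueError(f"bad MAC address: {mac}")
    return int("".join(parts), 16)

def mac_match(rule: str, frame_mac: str) -> bool:
    """ebtables -s/-d semantics: (frame & mask) == (rule & mask).
    Without a /mask every bit of the address is compared."""
    if "/" in rule:
        addr, mask = rule.split("/", 1)
        mask_bits = mac_to_int(mask)
    else:
        addr, mask_bits = rule, (1 << 48) - 1
    return (mac_to_int(frame_mac) & mask_bits) == (mac_to_int(addr) & mask_bits)

def iface_match(pattern: str, name: str) -> bool:
    """A trailing '+' is a prefix wildcard: eth0.+ matches eth0.10, eth0.200, ..."""
    if pattern.endswith("+"):
        return name.startswith(pattern[:-1])
    return pattern == name

# The match from the post's rule; the mask keeps only the group (multicast) bit.
MULTICAST = "01:00:00:00:00:00/01:00:00:00:00:00"

def forward_verdict(frame: dict) -> str:
    """Apply the post's single FORWARD rule, then fall through to the chain policy."""
    if (iface_match("eth0.+", frame["in"]) and iface_match("eth0.+", frame["out"])
            and mac_match(MULTICAST, frame["dst"])):
        return "DROP"
    return "ACCEPT"  # FORWARD policy, as shown in the -L output earlier

# Constructed sample frames (hypothetical, not captured traffic).
FRAMES = [
    {"in": "eth0.10", "out": "eth0.20", "dst": "01:00:5e:00:00:fb"},  # IPv4 multicast
    {"in": "eth0.10", "out": "eth0.20", "dst": "ff:ff:ff:ff:ff:ff"},  # broadcast (group bit set)
    {"in": "eth0.10", "out": "eth0.20", "dst": "00:11:22:33:44:55"},  # unicast
    {"in": "eth0.10", "out": "eth1",    "dst": "01:00:5e:00:00:fb"},  # leaves the eth0.* VLANs
]

if __name__ == "__main__":
    for f in FRAMES:
        print(f"{f['in']} -> {f['out']} dst={f['dst']}: {forward_verdict(f)}")
```

Because the mask keeps only the group bit of the first octet, the broadcast address matches as well, so this rule also drops ARP and other broadcast frames between the eth0.* interfaces; confirm that is intended before deploying it.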
http://ebtables.netfilter.org/
http://ebtables.netfilter.org/misc/ebtables-man.html