-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited   An explanation of this rule:
Judging by its effect, this rule rejects everything.
The iptables man page says the following about -j REJECT: This is used to send back an error packet in response to the matched packet: otherwise it is equivalent to DROP so it is a terminating TARGET, ending rule traversal. This target is only valid in the INPUT, FORWARD and OUTPUT chains, and user-defined chains which are only called from those chains. The following option controls the nature of the error packet returned:
--reject-with type
The type given can be
icmp-net-unreachable
icmp-host-unreachable
icmp-port-unreachable
icmp-proto-unreachable
icmp-net-prohibited
icmp-host-prohibited or
icmp-admin-prohibited (*)
Put simply: REJECT sends back an error packet in response to the matched packet; otherwise it is equivalent to DROP, so it is a terminating target that ends rule traversal. This target is only valid in the INPUT, FORWARD and OUTPUT chains and in user-defined chains called from them. The following option defines which error is returned:
The type given can be
icmp-net-unreachable
icmp-host-unreachable
icmp-port-unreachable
icmp-proto-unreachable
icmp-net-prohibited
icmp-host-prohibited or
icmp-admin-prohibited (*)
From this we can see that the rule specifies icmp-host-prohibited, which returns a "Destination host unreachable" error. But because the earlier rule -A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT exists, pings still get through.
With that, we can understand the rule
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
REJECT all -- anywhere anywhere reject-with icmp-host-prohibited
which rejects everything: all protocols, from anywhere, to anywhere, on all ports, answering with icmp-host-prohibited.
Now let's run an experiment.
Comment out one of the rules:
-A RH-Firewall-1-INPUT -p icmp -m icmp --icmp-type any -j ACCEPT
After that, ping no longer gets through. Then take the last rule,
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
and replace the --reject-with argument with each of the other values:
icmp-net-unreachable
icmp-host-unreachable
icmp-port-unreachable
icmp-proto-unreachable
icmp-net-prohibited
icmp-host-prohibited or
icmp-admin-prohibited (*)
That way we can see, for each condition that blocks the ping, which error packet comes back.
Case 1:
In /etc/sysconfig/iptables, comment out
-A RH-Firewall-1-INPUT -p icmp -m icmp --icmp-type any -j ACCEPT
and enable the rule below:
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
The error our ping gets back is then:
C:\Documents and Settings\Administrator>ping 172.16.3.101
Pinging 172.16.3.101 with 32 bytes of data:
Reply from 172.16.3.101: Destination host unreachable.
Reply from 172.16.3.101: Destination host unreachable.
Reply from 172.16.3.101: Destination host unreachable.
Reply from 172.16.3.101: Destination host unreachable.
Case 2:
Comment out
-A RH-Firewall-1-INPUT -p icmp -m icmp --icmp-type any -j ACCEPT
and enable the rule below:
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-net-unreachable
In this case the error packet returned is:
C:\Documents and Settings\Administrator>ping 172.16.3.101
Pinging 172.16.3.101 with 32 bytes of data:
Reply from 172.16.3.101: Destination net unreachable.
Reply from 172.16.3.101: Destination net unreachable.
Reply from 172.16.3.101: Destination net unreachable.
Reply from 172.16.3.101: Destination net unreachable.
Case 3:
Comment out
-A RH-Firewall-1-INPUT -p icmp -m icmp --icmp-type any -j ACCEPT
and enable the rule below:
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-proto-unreachable
In this case the error returned is:
C:\Documents and Settings\Administrator>ping 172.16.3.101
Pinging 172.16.3.101 with 32 bytes of data:
Reply from 172.16.3.101: Destination protocol unreachable.
Reply from 172.16.3.101: Destination protocol unreachable.
Reply from 172.16.3.101: Destination protocol unreachable.
Reply from 172.16.3.101: Destination protocol unreachable.
=======================================================
From the three experiments above we can see that the rule
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
means: reject all hosts, and the error returned to the ping is controlled by the value given after --reject-with, which iptables accepts under these names and aliases:
icmp-net-unreachable    (alias net-unreach)    ICMP network unreachable
icmp-host-unreachable   (alias host-unreach)   ICMP host unreachable
icmp-proto-unreachable  (alias proto-unreach)  ICMP protocol unreachable
icmp-port-unreachable   (alias port-unreach)   ICMP port unreachable (default)
icmp-net-prohibited     (alias net-prohib)     ICMP network prohibited
icmp-host-prohibited    (alias host-prohib)    ICMP host prohibited
tcp-reset               (alias tcp-rst)        TCP RST packet
icmp-admin-prohibited   (alias admin-prohib)   ICMP administratively prohibited (*)
In other words, --reject-with defines the type of error packet that is returned.
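As an added example (not code from the original article, and not part of iptables itself), here is a small Python simulator of the first-match rule traversal that the three experiments above depend on, together with the --reject-with table just listed. It parses iptables-save style "-A CHAIN ..." lines, walks the chain in order, and reports which rule decides a ping's fate and which ICMP error a REJECT would send. The ruleset text is constructed from the two rules the article quotes; the ICMP type/code numbers are the standard values from RFC 792 and RFC 1812; the Windows ping wording is taken from the outputs shown above and is only filled in for the three values the article actually tested. It runs offline with no iptables or root access.

```python
# Added example (not from the original article): a first-match simulator for the
# RH-Firewall-1-INPUT rules discussed above. Constructed rule text, evaluated offline.
import shlex

# --reject-with keyword -> ICMP (type, code) as defined in RFC 792 / RFC 1812.
# tcp-reset is a TCP RST rather than an ICMP error and is only valid with -p tcp.
REJECT_WITH = {
    "icmp-net-unreachable": (3, 0),
    "icmp-host-unreachable": (3, 1),
    "icmp-proto-unreachable": (3, 2),
    "icmp-port-unreachable": (3, 3),   # used when --reject-with is omitted
    "icmp-net-prohibited": (3, 9),
    "icmp-host-prohibited": (3, 10),
    "icmp-admin-prohibited": (3, 13),
    "tcp-reset": None,
}

# Short aliases iptables accepts for the same keywords (from the table above).
ALIASES = {
    "net-unreach": "icmp-net-unreachable", "host-unreach": "icmp-host-unreachable",
    "proto-unreach": "icmp-proto-unreachable", "port-unreach": "icmp-port-unreachable",
    "net-prohib": "icmp-net-prohibited", "host-prohib": "icmp-host-prohibited",
    "admin-prohib": "icmp-admin-prohibited", "tcp-rst": "tcp-reset",
}

# What the Windows ping in the article printed for the three rejections it tried.
WINDOWS_PING_TEXT = {
    "icmp-host-prohibited": "Destination host unreachable.",
    "icmp-net-unreachable": "Destination net unreachable.",
    "icmp-proto-unreachable": "Destination protocol unreachable.",
}

CHAIN = "RH-Firewall-1-INPUT"


def parse_rules(text):
    """Parse '-A CHAIN ...' lines into dicts; '#' comments and other lines are skipped."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line.startswith("-A "):
            continue  # comment, blank line, or a ':CHAIN POLICY' line
        tok = shlex.split(line)
        rule = {"chain": tok[1], "proto": None, "target": None, "reject_with": None}
        i = 2
        while i < len(tok):
            if i + 1 >= len(tok):
                raise ValueError(f"option {tok[i]!r} is missing its argument: {line}")
            opt, arg = tok[i], tok[i + 1]
            if opt == "-p":
                rule["proto"] = arg
            elif opt == "-j":
                rule["target"] = arg
            elif opt == "--reject-with":
                rule["reject_with"] = ALIASES.get(arg, arg)  # resolve alias to full name
            elif opt not in ("-m", "--icmp-type", "--dport", "--sport", "--state", "-i", "-o"):
                raise ValueError(f"option {opt!r} is not modelled by this example")
            i += 2  # every option handled here takes exactly one argument
        if rule["target"] == "REJECT":
            rw = rule["reject_with"] or "icmp-port-unreachable"  # iptables default
            if rw not in REJECT_WITH:
                raise ValueError(f"unknown --reject-with value {rw!r}")
            rule["reject_with"] = rw
        rules.append(rule)
    return rules


def evaluate(rules, chain, proto):
    """First matching rule wins. Returns (verdict, reject_with, (icmp_type, icmp_code))."""
    for r in rules:
        if r["chain"] != chain or r["proto"] not in (None, proto):
            continue  # wrong chain, or a protocol-specific rule for another protocol
        if r["target"] == "REJECT":
            return "REJECT", r["reject_with"], REJECT_WITH[r["reject_with"]]
        if r["target"] in ("ACCEPT", "DROP"):
            return r["target"], None, None  # DROP sends nothing back at all
    return "POLICY", None, None  # fell off the end: the chain's default policy applies


def ruleset(icmp_accept_enabled, reject_with):
    """Constructed excerpt of /etc/sysconfig/iptables: the two rules the article discusses."""
    accept = f"-A {CHAIN} -p icmp -m icmp --icmp-type any -j ACCEPT"
    if not icmp_accept_enabled:
        accept = "#" + accept  # 'commented out', exactly as in the article's experiments
    return accept + "\n" + f"-A {CHAIN} -j REJECT --reject-with {reject_with}\n"


def run_case(icmp_accept_enabled, reject_with):
    """Simulate one ping against the ruleset and add the Windows ping wording where known."""
    rules = parse_rules(ruleset(icmp_accept_enabled, reject_with))
    verdict, rw, type_code = evaluate(rules, CHAIN, "icmp")
    return verdict, rw, type_code, WINDOWS_PING_TEXT.get(rw)


if __name__ == "__main__":
    print("ICMP ACCEPT rule present:", run_case(True, "icmp-host-prohibited"))
    for rw in ("icmp-host-prohibited", "icmp-net-unreachable", "icmp-proto-unreachable", "host-prohib"):
        print(f"ACCEPT commented out, --reject-with {rw}:", run_case(False, rw))
```

With the ICMP ACCEPT rule in place, run_case reports ACCEPT because that rule is reached before the catch-all REJECT; with it commented out, the ping falls through to the REJECT and the reported type/code changes with the --reject-with value, matching the three ping outputs above. A TCP probe against the same ruleset is rejected either way, since only ICMP is matched by the first rule.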