給iptables規則添加注釋,以此給你的老板和同事一個好印象。方法如下:
什么是iptables的注釋呢?
iptables的注釋一般使用在每條規則的后面,注釋一般用 /* */ 包住。(具體的見下面的iptables規則中的注釋 /* allow SSH to this host from anywhere */ )
復制代碼
代碼如下:
$ sudo iptables -L
Chain INPUT (policy DROP)
target prot opt source destination
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED /* allow inbound traffic for established and related connections */
fail2ban-ssh tcp -- anywhere anywhere multiport dports ssh
ACCEPT tcp -- anywhere anywhere tcp dpt:ssh /* allow SSH to this host from anywhere */
ACCEPT udp -- anywhere anywhere udp dpt:route /* allow incoming RIP on the internal interface */
ACCEPT all -- localhost localhost /* allow any local-only traffic */
ACCEPT ipv6 -- tserv2.ash1.he.net anywhere /* allow IPv6 tunnel traffic from HE */
ACCEPT icmp -- anywhere anywhere /* allow ICMP traffic to this host from anywhere */</p> <p> Chain FORWARD (policy DROP)
target prot opt source destination
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED /* allow inbound traffic for established and related connections */
ACCEPT all -- anywhere anywhere /* allow all Internet bound traffic from the internal network */
ACCEPT icmp -- anywhere anywhere /* forward any ICMP traffic */</p> <p> Chain OUTPUT (policy ACCEPT)
target prot opt source destination</p> <p> Chain fail2ban-ssh (1 references)
target prot opt source destination
RETURN all -- anywhere anywhere
Chain INPUT (policy DROP)
target prot opt source destination
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED /* allow inbound traffic for established and related connections */
fail2ban-ssh tcp -- anywhere anywhere multiport dports ssh
ACCEPT tcp -- anywhere anywhere tcp dpt:ssh /* allow SSH to this host from anywhere */
ACCEPT udp -- anywhere anywhere udp dpt:route /* allow incoming RIP on the internal interface */
ACCEPT all -- localhost localhost /* allow any local-only traffic */
ACCEPT ipv6 -- tserv2.ash1.he.net anywhere /* allow IPv6 tunnel traffic from HE */
ACCEPT icmp -- anywhere anywhere /* allow ICMP traffic to this host from anywhere */</p> <p> Chain FORWARD (policy DROP)
target prot opt source destination
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED /* allow inbound traffic for established and related connections */
ACCEPT all -- anywhere anywhere /* allow all Internet bound traffic from the internal network */
ACCEPT icmp -- anywhere anywhere /* forward any ICMP traffic */</p> <p> Chain OUTPUT (policy ACCEPT)
target prot opt source destination</p> <p> Chain fail2ban-ssh (1 references)
target prot opt source destination
RETURN all -- anywhere anywhere
為新的iptables規則添加注釋
為新的iptables規則添加注釋的語法為 : comment --comment “要添加的注釋文字”
具體的例子:下面添加一條允許ssh流量通過的規則,并且給這條規則添加注釋:
復制代碼
代碼如下:
$ sudo iptables -A INPUT -p tcp -m tcp --dport 22 -m comment --comment "allow SSH to this host from anywhere" -j ACCEPT
然后用 -L 列出規則,就會看到剛才添加的規則和下面的一樣:
復制代碼
代碼如下:
$ sudo iptables -L</p> <p>ACCEPT tcp -- anywhere anywhere tcp dpt:ssh /* allow SSH to this host from anywhere */
教程完!
