Iptables running logic and analysis of the -I and -A parameters

2025-04-04 Update From: SLTechnology News&Howtos

Shulou(Shulou.com)06/01 Report--

As soon as I first came into contact with Iptables, I was confused about the -I and -A parameters: -I inserts one or more rules, and -A appends one or more rules.

It's all about adding a rule. What's the difference between them?

Experiment:

I took two machines: one sent PING packets and the other was being PINGed.

On both machines, iptables -nvL INPUT showed that the INPUT chain was empty.

Then add iptables -A INPUT -p icmp --icmp-type 8 -s 0 -j DROP on the machine being PINGed.

Then use iptables -nvL INPUT to see the following:

Chain INPUT (policy ACCEPT 592 packets, 55783 bytes)
 pkts bytes target     prot opt in     out     source               destination
    8   672 DROP       icmp --  *      *       0.0.0.0/0            0.0.0.0/0            icmp type 8

At this point, the machine that sent the PING packets showed that the PING had stopped.

Now add iptables -A INPUT -p icmp --icmp-type 8 -s 0 -j ACCEPT on the machine being PINGed.

Then use iptables -nvL INPUT to see the following:

Chain INPUT (policy ACCEPT 678 packets, 62701 bytes)
 pkts bytes target     prot opt in     out     source               destination
   21  1764 DROP       icmp --  *      *       0.0.0.0/0            0.0.0.0/0            icmp type 8
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0            icmp type 8

This shows that a rule has been appended to iptables, but the machine that sent the PING packets still shows the PING stopped, which proves that the newly added rule cannot let the PING packets through.

Now add iptables -I INPUT -p icmp --icmp-type 8 -s 0 -j ACCEPT on the machine being PINGed.

Then use iptables -nvL INPUT to see the following:

Chain INPUT (policy ACCEPT 770 packets, 70223 bytes)
 pkts bytes target     prot opt in     out     source               destination
    2   168 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0            icmp type 8
   31  2604 DROP       icmp --  *      *       0.0.0.0/0            0.0.0.0/0            icmp type 8
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0            icmp type 8

This shows that a new rule has been inserted into iptables, and the machine that sent the PING packets shows the PING responding again, proving that the newly added rule can let the PING packets through.

The difference between the two release rules lies in -A and -I: -A appends the rule after the DROP rule, while -I inserts the rule before the DROP rule.

Iptables matches rules from top to bottom, and the release (ACCEPT) rule can only take effect if it sits before the prohibition (DROP) rule.
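As an added example (not code from the post), here is a small Python model of the chain logic described above: rules are tried top to bottom, the first match decides, and -A appends at the bottom while -I inserts at the top (or above rule N when -I CHAIN N is given). It replays the post's three commands against a constructed ICMP echo request; the "-s 0" option is parsed but ignored in this simplified model.

```python
import shlex

def parse_command(cmd):
    """Parse 'iptables -A|-I CHAIN [N] -p .. --icmp-type .. -s .. -j ..' into
    (action, position, rule). -s 0 (any source) is parsed but ignored here."""
    argv = shlex.split(cmd)
    action, pos, i = argv[1], 1, 3               # argv[2] is the chain name
    if action == "-I" and argv[i].isdigit():     # -I CHAIN N: insert above rule N
        pos, i = int(argv[i]), i + 1
    rule = {"proto": None, "icmp_type": None, "target": None}
    while i < len(argv):
        opt, val = argv[i], argv[i + 1]
        if opt == "-p": rule["proto"] = val
        elif opt == "--icmp-type": rule["icmp_type"] = int(val)
        elif opt == "-j": rule["target"] = val
        i += 2
    return action, pos, rule

def matches(rule, pkt):
    """A rule matches when every criterion it specifies is met by the packet."""
    return all(rule[k] is None or pkt.get(k) == rule[k] for k in ("proto", "icmp_type"))

class Chain:
    def __init__(self, policy="ACCEPT"):
        self.policy, self.rules = policy, []

    def run(self, cmd):
        action, pos, rule = parse_command(cmd)
        if action == "-A":
            self.rules.append(rule)             # -A: append at the bottom
        else:
            self.rules.insert(pos - 1, rule)    # -I: insert above rule N (default: top)
        return self

    def verdict(self, pkt):
        """Rules are checked top to bottom; the first match decides, otherwise the policy."""
        for rule in self.rules:
            if matches(rule, pkt):
                return rule["target"]
        return self.policy

ECHO_REQUEST = {"proto": "icmp", "icmp_type": 8}   # constructed sample packet (ping request)

def experiment():
    """Replay the post's three commands and return the verdict after each one."""
    chain = Chain()
    cmds = ["iptables -A INPUT -p icmp --icmp-type 8 -s 0 -j DROP",
            "iptables -A INPUT -p icmp --icmp-type 8 -s 0 -j ACCEPT",
            "iptables -I INPUT -p icmp --icmp-type 8 -s 0 -j ACCEPT"]
    return [chain.run(c).verdict(ECHO_REQUEST) for c in cmds]   # ['DROP', 'DROP', 'ACCEPT']
```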
