Shulou(Shulou.com)06/01 Report--

The FORWARD chain in iptables's filter table is used in conjunction with the nat table. It is responsible for checking the rules of ip address forwarding on the nat table. If you have a route to forward, you should strictly manage the FORWARD chain (for more information on the specific use of the nat table, please see http://jim123.blog.51cto.com/4763600/1842202). Take servers that have deployed open*** as an example (for more information on open*** deployment, please see the relevant articles on http://jim123.blog.51cto.com/4763600/1840776)

IP address forwarding has been done in our nat table.

* nat:PREROUTING ACCEPT [19POSTROUTING 2584]: POSTROUTING ACCEPT [1:92]: OUTPUT ACCEPT [1:92]-A POSTROUTING-s 10.8.0.0amp 255.255.255.0-o eth0-j SNAT-- to-source 192.168.168.253 COMMIT

Then the FORWARD chain in the filter table will release two rules

* filter:INPUT ACCEPT [0:0]: FORWARD ACCEPT [0:0]: OUTPUT ACCEPT [0:0]-An INPUT-s 192.168.168.253-I eth0-p tcp-m state-- state NEW-m tcp-- dport 22-j ACCEPT-An INPUT-I eth0-p udp-m state-state NEW-m udp-dport 1194-j ACCEPT-An INPUT-j REJECT-reject-with icmp-host-prohibited-A FORWARD-s 10 .8.0.0 / 24-I tap0-j ACCEPT# release of ip-A FORWARD-s 192.168.168.0 ACCEPT# of 10.8.0.0ax 24 segment ip-A FORWARD-j REJECT-- reject-with icmp-host-prohibited#FORWARD of 192.168.168.0 Universe 24 network segment does not reject all of the above rules-An OUTPUT-m state-- state INVALID-j DROP

Here again, the rules of iptables are read from top to bottom in the same chain, so your rules must be written first.

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.