In iptables, the target (also called the jump) decides where a packet that matches a rule goes next; the syntax is --jump target or -j target.
A user-defined chain is created with -N:
iptables -N BLOCK
The BLOCK chain can then be used as a jump target. Here it is inserted as rule 6 of INPUT, ahead of the final REJECT rule:
iptables -I INPUT 6 -p tcp --dport 80 -i p3p1 -j BLOCK
The resulting ruleset:
[root@cz ~]# iptables -vnL
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
 230K  118M ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
 2939  247K ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0
 4882  293K ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:8080
   24  1432 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:22
    0     0 BLOCK      tcp  --  p3p1   *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80
38897 3908K REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT 17 packets, 1604 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain BLOCK (1 references)
 pkts bytes target     prot opt in     out     source               destination
Every packet that matches rule 6 of INPUT now jumps into BLOCK. If it reaches the end of BLOCK without matching any rule there (or hits an explicit RETURN), traversal resumes at the next rule of INPUT, which in this ruleset is rule 7, the REJECT. If the packet is ACCEPTed inside the sub-chain, that is the same as being ACCEPTed by the parent chain: it does not pass through any further rules in INPUT. Note, however, that an ACCEPT only ends traversal of the current table (filter, here); the packet is still examined by the chains of the other tables, such as nat and mangle, at their own hooks.
Add a rule to the BLOCK chain:
iptables -A BLOCK -p tcp -s 10.1.1.92/32 -i p3p1 --dport 80 -j DROP
Listing the chain again:
Chain BLOCK (1 references)
 pkts bytes target     prot opt in     out     source               destination
   18   912 DROP       tcp  --  p3p1   *       10.1.1.92            0.0.0.0/0            tcp dpt:80
The configuration is complete and can be verified by attempting a connection. Keep in mind what the listing implies: port-80 packets from 10.1.1.92 on p3p1 are silently dropped, but port-80 packets from any other host fall out of the end of BLOCK, return to INPUT, and are rejected by rule 7 with icmp-host-prohibited. To actually admit other hosts on port 80 you would still need an ACCEPT, either in BLOCK or in INPUT ahead of the final REJECT.
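The same ruleset expressed in iptables-restore format, as an added example (not part of the original page) of loading a custom chain atomically rather than with a series of -N/-I/-A commands. The chain is declared with a `:BLOCK - [0:0]` line, and the whole filter table is replaced in one commit, so the position of the jump relative to the final REJECT is fixed by the file rather than by a live insert index. The interface name, the blocked address, the helper function names and the `iptables-restore --test` dry run are assumptions; applying the ruleset requires root.

```shell
#!/bin/sh
# Added example: build the filter table from the listing above in
# iptables-restore format. Assumed names: block_ruleset, block_jump_position,
# apply_ruleset; interface and address are parameters.
set -eu

# block_ruleset IFACE BLOCKED_IP
# Print an iptables-restore file reproducing the final INPUT/FORWARD/OUTPUT
# chains of the listing plus the BLOCK chain with its single DROP rule.
block_ruleset() {
    iface=$1
    blocked=$2
    cat <<EOF
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:BLOCK - [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp --dport 8080 -j ACCEPT
-A INPUT -p tcp --dport 22 -j ACCEPT
-A INPUT -i $iface -p tcp --dport 80 -j BLOCK
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
-A BLOCK -i $iface -p tcp -s $blocked/32 --dport 80 -j DROP
COMMIT
EOF
}

# block_jump_position IFACE BLOCKED_IP
# Print the 1-based position of the jump to BLOCK within INPUT, i.e. the
# number that "iptables -I INPUT N" would need to reproduce this ordering.
block_jump_position() {
    block_ruleset "$1" "$2" | grep '^-A INPUT' | grep -n -- '-j BLOCK' | cut -d: -f1
}

# apply_ruleset IFACE BLOCKED_IP
# Dry-run the file with --test, then commit it. Unlike the incremental
# commands in the text, this replaces the entire filter table.
apply_ruleset() {
    tmp=$(mktemp)
    block_ruleset "$1" "$2" > "$tmp"
    iptables-restore --test "$tmp"
    iptables-restore "$tmp"
    rm -f "$tmp"
}

# Running the script prints the ruleset; apply it with: apply_ruleset p3p1 10.1.1.92
block_ruleset p3p1 10.1.1.92
```

Because the jump is the sixth `-A INPUT` line in the file, `block_jump_position p3p1 10.1.1.92` prints 6, matching the `-I INPUT 6` used above; packets that BLOCK does not DROP still fall through to the seventh INPUT rule, the REJECT.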
Reference: http://man.chinaunix.net/network/iptables-tutorial-cn-1.1.19.html