Why can't I add an iptables rule?
root@ROUTER:~# iptables -L INPUT -v
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
6934 685K ACCEPT 0 -- any any anywhere anywhere state RELATED,ESTABLISHED
0 0 DROP udp -- ppp0 any anywhere anywhere udp dpt:route
0 0 DROP udp -- br0 any anywhere anywhere udp dpt:route
0 0 ACCEPT udp -- any any anywhere anywhere udp dpt:route
2 120 logaccept tcp -- any any anywhere ROUTER tcp dpt:22
0 0 DROP icmp -- ppp0 any anywhere anywhere
0 0 DROP igmp -- any any anywhere anywhere
5 350 ACCEPT 0 -- lo any anywhere anywhere state NEW
568 35947 logaccept 0 -- br0 any anywhere anywhere state NEW
339 38020 DROP 0 -- any any anywhere anywhere
Then I try to add a rule.
root@ROUTER:~# /usr/sbin/iptables -I INPUT -i ppp0 -m multiport --dport 21,22,23,53,67,80,443 -j DROP
But it is not added to the list.
root@ROUTER:~# iptables -L INPUT -v
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
6992 690K ACCEPT 0 -- any any anywhere anywhere state RELATED,ESTABLISHED
0 0 DROP udp -- ppp0 any anywhere anywhere udp dpt:route
0 0 DROP udp -- br0 any anywhere anywhere udp dpt:route
0 0 ACCEPT udp -- any any anywhere anywhere udp dpt:route
2 120 logaccept tcp -- any any anywhere ROUTER tcp dpt:22
0 0 DROP icmp -- ppp0 any anywhere anywhere
0 0 DROP igmp -- any any anywhere anywhere
5 350 ACCEPT 0 -- lo any anywhere anywhere state NEW
569 36007 logaccept 0 -- br0 any anywhere anywhere state NEW
343 38428 DROP 0 -- any any anywhere anywhere
I tried adding the rule again.
root@ROUTER:~# /usr/sbin/iptables -I INPUT -i ppp0 --dport 21 -j DROP
Check whether anything has changed.
root@ROUTER:~# iptables -L INPUT -v
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
7142 704K ACCEPT 0 -- any any anywhere anywhere state RELATED,ESTABLISHED
0 0 DROP udp -- ppp0 any anywhere anywhere udp dpt:route
0 0 DROP udp -- br0 any anywhere anywhere udp dpt:route
0 0 ACCEPT udp -- any any anywhere anywhere udp dpt:route
2 120 logaccept tcp -- any any anywhere ROUTER tcp dpt:22
0 0 DROP icmp -- ppp0 any anywhere anywhere
0 0 DROP igmp -- any any anywhere anywhere
5 350 ACCEPT 0 -- lo any anywhere anywhere state NEW
574 36309 logaccept 0 -- br0 any anywhere anywhere state NEW
346 38780 DROP 0 -- any any anywhere anywhere
But no.. :D
Version info:
root@ROUTER:~# iptables -V
iptables v1.3.7
Why?
Firmware: DD-WRT v24-sp2 (08/07/10) standard
Answer 1
iptables -I INPUT -i ppp0 --dport 21 -j DROP
is syntactically wrong (it lacks a protocol specification), so it can be assumed that it fails silently. This is correct:
iptables -I INPUT -i ppp0 -p tcp --dport 21 -j DROP
So give it a try.
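
The failure mode described in the answer can be caught before a rule is ever handed to iptables. The sh function below is an added example, not code from the original question or answer; check_port_rule is a hypothetical name, and it relies on iptables reading its options left to right, so a port match is only accepted once -p has named a protocol that has ports.

```sh
#!/bin/sh
# Added example: lint an iptables argument list for port matches
# (--dport, --sport, multiport's --dports, ...) that appear before a
# port-capable -p/--protocol option. check_port_rule is a hypothetical helper.
# Returns 0 if the port options are usable, 1 (with a message on stderr) if not.
check_port_rule() {
    proto=""
    while [ $# -gt 0 ]; do
        case "$1" in
            -p|--protocol)
                shift
                # Old iptables releases write negation as: -p ! tcp
                [ "${1:-}" = "!" ] && shift
                proto="${1:-}"
                ;;
            --dport|--sport|--destination-port|--source-port|\
            --dports|--sports|--destination-ports|--source-ports|--ports)
                case "$proto" in
                    tcp|udp|sctp|dccp|udplite|6|17)
                        ;;  # protocol with ports already selected: fine
                    "")
                        echo "error: $1 used before any -p <protocol>" >&2
                        return 1
                        ;;
                    *)
                        echo "error: $1 is not valid with -p $proto" >&2
                        return 1
                        ;;
                esac
                ;;
        esac
        [ $# -gt 0 ] && shift
    done
    return 0
}

# Constructed sample rules, modelled on the commands in the question.
# Only run the rule through iptables if the lint passes, and check its
# exit status afterwards instead of trusting the absence of output:
#
#   check_port_rule -I INPUT -i ppp0 -p tcp --dport 21 -j DROP &&
#       iptables -I INPUT -i ppp0 -p tcp --dport 21 -j DROP ||
#       echo "rule was NOT inserted" >&2
```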