Iptables
iptables -s 和 iptables-save 有什麼區別
iptables -S列印一組規則,但iptables-save列印帶有一堆附加規則的超集。有什麼區別?為什麼不iptables -S列印附加規則?例如,
iptables -S不列印通過 Wireguard 介面 (wg0) (-A POSTROUTING -o wg0 -j SNAT --to-source 10.0.0.2) 更改 SMTP(埠 25)數據包源地址的規則,但iptables-save列印該規則?我猜想iptables -S可能只列印一條鏈,但iptables -h說:--list-rules -S [chain [rulenum]] Print the rules in a chain or all chains…這似乎意味著當沒有給對外連結參數時它將列印所有鏈。
# Generated by iptables-save v1.8.4 on Sat Jan 30 06:47:36 2021 *mangle :PREROUTING ACCEPT [175762948:152635787911] :INPUT ACCEPT [85129338:67722036020] :FORWARD ACCEPT [90631707:84913651708] :OUTPUT ACCEPT [43631301:2479371699] :POSTROUTING ACCEPT [134263118:87393032790] -A OUTPUT -p tcp -m tcp --dport 465 -j MARK --set-xmark 0x2/0xffffffff -A OUTPUT -p tcp -m tcp --dport 25 -j MARK --set-xmark 0x2/0xffffffff COMMIT # Completed on Sat Jan 30 06:47:36 2021 # Generated by iptables-save v1.8.4 on Sat Jan 30 06:47:36 2021 *filter :INPUT ACCEPT [367:62684] :FORWARD ACCEPT [10426:4247532] :OUTPUT ACCEPT [50809:2739507] :f2b-sshd - [0:0] -A INPUT -p tcp -m multiport --dports 22 -j f2b-sshd -A INPUT -i lo -j ACCEPT -A INPUT -i enp2s0 -p tcp -m tcp --dport 22 -j ACCEPT -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT -A INPUT -i enp2s0 -j DROP -A FORWARD -i enxa0cec802c711 -o enp2s0 -j DROP -A f2b-sshd -s 200.140.81.94/32 -j REJECT --reject-with icmp-port-unreachable -A f2b-sshd -s 177.92.35.201/32 -j REJECT --reject-with icmp-port-unreachable -A f2b-sshd -s 94.43.219.173/32 -j REJECT --reject-with icmp-port-unreachable -A f2b-sshd -s 14.228.195.50/32 -j REJECT --reject-with icmp-port-unreachable -A f2b-sshd -s 66.96.232.50/32 -j REJECT --reject-with icmp-port-unreachable -A f2b-sshd -s 71.217.140.138/32 -j REJECT --reject-with icmp-port-unreachable -A f2b-sshd -s 14.249.54.134/32 -j REJECT --reject-with icmp-port-unreachable -A f2b-sshd -s 201.209.161.174/32 -j REJECT --reject-with icmp-port-unreachable -A f2b-sshd -s 174.30.109.183/32 -j REJECT --reject-with icmp-port-unreachable -A f2b-sshd -s 71.217.167.42/32 -j REJECT --reject-with icmp-port-unreachable -A f2b-sshd -s 116.193.139.76/32 -j REJECT --reject-with icmp-port-unreachable -A f2b-sshd -s 41.89.234.2/32 -j REJECT --reject-with icmp-port-unreachable -A f2b-sshd -s 182.71.223.194/32 -j REJECT --reject-with icmp-port-unreachable -A f2b-sshd -s 173.202.19.15/32 -j REJECT --reject-with icmp-port-unreachable -A f2b-sshd -s 180.112.138.132/32 -j REJECT --reject-with icmp-port-unreachable -A f2b-sshd -j RETURN COMMIT # Completed on Sat Jan 30 06:47:36 2021 # Generated by iptables-save v1.8.4 on Sat Jan 30 06:47:36 2021 *nat :PREROUTING ACCEPT [444244:60896263] :INPUT ACCEPT [168098:15673985] :OUTPUT ACCEPT [120570:8875499] :POSTROUTING ACCEPT [113904:8359713] -A POSTROUTING -o enp2s0 -j MASQUERADE -A POSTROUTING -o wg0 -j SNAT --to-source 10.0.0.2 COMMIT # Completed on Sat Jan 30 06:47:36 2021對比
iptables v1.8.4 (legacy): option "-s" requires an argument Try `iptables -h' or 'iptables --help' for more information. root@sputnik:/home/nathan# iptables -S -P INPUT ACCEPT -P FORWARD ACCEPT -P OUTPUT ACCEPT -N f2b-sshd -A INPUT -p tcp -m multiport --dports 22 -j f2b-sshd -A INPUT -i lo -j ACCEPT -A INPUT -i enp2s0 -p tcp -m tcp --dport 22 -j ACCEPT -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT -A INPUT -i enp2s0 -j DROP -A FORWARD -i enxa0cec802c711 -o enp2s0 -j DROP -A f2b-sshd -s 200.140.81.94/32 -j REJECT --reject-with icmp-port-unreachable -A f2b-sshd -s 177.92.35.201/32 -j REJECT --reject-with icmp-port-unreachable -A f2b-sshd -s 94.43.219.173/32 -j REJECT --reject-with icmp-port-unreachable -A f2b-sshd -s 14.228.195.50/32 -j REJECT --reject-with icmp-port-unreachable -A f2b-sshd -s 66.96.232.50/32 -j REJECT --reject-with icmp-port-unreachable -A f2b-sshd -s 71.217.140.138/32 -j REJECT --reject-with icmp-port-unreachable -A f2b-sshd -s 14.249.54.134/32 -j REJECT --reject-with icmp-port-unreachable -A f2b-sshd -s 201.209.161.174/32 -j REJECT --reject-with icmp-port-unreachable -A f2b-sshd -s 174.30.109.183/32 -j REJECT --reject-with icmp-port-unreachable -A f2b-sshd -s 71.217.167.42/32 -j REJECT --reject-with icmp-port-unreachable -A f2b-sshd -s 116.193.139.76/32 -j REJECT --reject-with icmp-port-unreachable -A f2b-sshd -s 41.89.234.2/32 -j REJECT --reject-with icmp-port-unreachable -A f2b-sshd -s 182.71.223.194/32 -j REJECT --reject-with icmp-port-unreachable -A f2b-sshd -s 173.202.19.15/32 -j REJECT --reject-with icmp-port-unreachable -A f2b-sshd -s 180.112.138.132/32 -j REJECT --reject-with icmp-port-unreachable -A f2b-sshd -j RETURN
RTFM(閱讀精美手冊):
man iptables:-S,–列表規則
$$ chain $$ 列印所選鏈中的所有規則。如果沒有選擇鏈,所有鏈都像 iptables-save 一樣列印。像所有其他 iptables 命令一樣,它適用於指定的表(過濾器是預設設置)。:
所以重點似乎是輸出僅限於過濾器表。
而iptable-save以適合經典配置文件的格式轉儲整套規則。
man iptable-save-t, --table tablenamerestrict output to only one table. If the kernel is configured with automatic module loading, an attempt will be made to load the appropriate module for that table if it is not already there. If not specified, output includes all available tables.請注意此處所有可用的表作為預設設置。
我在 CentOS 7 上查到了這個。