centos - iptables with the -m and -p options

I have this rule in my iptables:
iptables -A INPUT -p tcp -m tcp --dport 9191 -j DROP

Do I really need "-m tcp"? I am already using "-p tcp", so should I use "-m tcp" to be safer?

With the -p tcp option the tcp module is already loaded, so it is somewhat redundant and it is not necessary to use the -m tcp option; I don't see any reason why using this option would make the rule safer.

See the iptables man page for a better understanding and comparison:

-p, --protocol [!] protocol

The protocol of the rule or of the packet to check. The specified protocol
can be one of tcp, udp, icmp, or all, or it can be a numeric value,
representing one of these protocols or a different one. A protocol name
from /etc/protocols is also allowed. A "!" argument before the protocol
inverts the test. The number zero is equivalent to all. Protocol all will
match with all protocols and is taken as default when this option is omitted.

Match Extensions

iptables can use extended packet matching modules. These are loaded in
two ways: implicitly, when -p or --protocol is specified, or with the
-m or --match options, followed by the matching module name; after
these, various extra command line options become available, depending
on the specific module. You can specify multiple extended match
modules in one line, and you can use the -h or --help options after
the module has been specified to receive help specific to that module.

For the list of options available with -p tcp, see here:

http://ipset.netfilter.org/iptables-extensions.man.html#lbCF

As described above, the -m option adds an extension module, after which more match options become available. For example, the cpu module:

cpu

[!] --cpu number

Match cpu handling this packet. cpus are numbered from 0 to NR_CPUS-1. Can be used in combination with RPS (Remote Packet Steering)
or multiqueue NICs to spread network traffic on different queues.

Example:

iptables -t nat -A PREROUTING -p tcp --dport 80 -m cpu --cpu 0 -j REDIRECT --to-port 8080

iptables -t nat -A PREROUTING -p tcp --dport 80 -m cpu --cpu 1 -j REDIRECT --to-port 8081

Available since Linux 2.6.36.

Full list: iptables-extensions.

OP's further question: I don't understand what -m matches. What string? What does -m tcp match? Where is it trying to find the word "tcp"?

Answer: -m matches on a module name, not a string. By using a specific module you get certain match options. See the cpu module example above. Using -m tcp loads the module tcp. The tcp module allows certain options: --dport, --sport, --tcp-flags, --syn, --tcp-option to be used in iptables rules. But using -p tcp already enables the tcp module, which is why these options can be used even without -m tcp. Hope that clears up all your confusion.
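The answer's point can be checked without touching a live firewall by normalising rule lines the way iptables-save prints them. The following is an added example (not code from the original post); it assumes the behaviour the man page describes, namely that options are parsed left to right, that "-p tcp" loads the tcp match implicitly, that iptables-save writes the resulting "-m tcp" explicitly in front of the first tcp option, and that a tcp/udp match on a rule with a different -p is rejected. The MODULE_OPTIONS table and the canonicalise/same_rule helpers are hypothetical names chosen for this example.

```python
"""Added example: normalise iptables rule specs to the form iptables-save prints,
so "-p tcp --dport N" and "-p tcp -m tcp --dport N" compare as the same rule,
and flag rules whose match options have no module loaded behind them."""
import shlex

# Match options that only exist once the tcp or udp match module is loaded.
# "-p tcp" loads the tcp module implicitly; "-m tcp" loads it explicitly.
MODULE_OPTIONS = {
    "tcp": {"--dport", "--sport", "--tcp-flags", "--syn", "--tcp-option"},
    "udp": {"--dport", "--sport"},
}
ALL_PROTO_OPTIONS = set().union(*MODULE_OPTIONS.values())


def canonicalise(rule):
    """Return (table, rulespec) in iptables-save style, or raise ValueError.

    Assumed behaviour, mirrored from iptables:
      * tokens are parsed left to right, so a tcp/udp option is only known
        once "-p tcp"/"-p udp" or "-m tcp"/"-m udp" has appeared before it;
      * "-p tcp" is printed first and "-m tcp" right before the first tcp
        option, whether or not "-m tcp" was typed on the command line;
      * a tcp/udp match on a rule whose -p is a different protocol is rejected.
    The target and its options (everything from -j onwards) are kept verbatim.
    """
    tokens = shlex.split(rule)
    if tokens and tokens[0] == "iptables":
        tokens = tokens[1:]
    table, chain, proto = "filter", None, None
    loaded = set()      # match modules loaded so far, implicitly or explicitly
    emitted = set()     # modules already written out as "-m <name>"
    body, tail = [], None
    i = 0
    while i < len(tokens):
        tok = tokens[i]
        if tok in ("-t", "--table"):
            table = tokens[i + 1]
            i += 2
        elif tok in ("-A", "--append"):
            chain = tokens[i + 1]
            i += 2
        elif tok in ("-p", "--protocol"):
            proto = tokens[i + 1]
            if proto in MODULE_OPTIONS:
                loaded.add(proto)           # implicit load, as the man page says
            i += 2
        elif tok in ("-m", "--match"):
            mod = tokens[i + 1]
            loaded.add(mod)
            if mod not in emitted:          # a repeated "-m tcp" is not printed twice
                body += ["-m", mod]
                emitted.add(mod)
            i += 2
        elif tok in ("-j", "--jump"):
            tail = tokens[i:]               # target and its options, verbatim
            break
        else:
            if tok in ALL_PROTO_OPTIONS:
                owner = next((m for m in MODULE_OPTIONS
                              if m in loaded and tok in MODULE_OPTIONS[m]), None)
                if owner is None:
                    raise ValueError(f"unknown option {tok}: no tcp/udp module loaded before it")
                if owner not in emitted:    # the implicit load becomes an explicit -m when saved
                    body += ["-m", owner]
                    emitted.add(owner)
            body.append(tok)
            i += 1
    if chain is None or tail is None:
        raise ValueError("expected -A <chain> ... -j <target>")
    for mod in loaded.intersection(MODULE_OPTIONS):
        if mod != proto:
            raise ValueError(f"-m {mod} is only valid together with -p {mod}")
    spec = ["-A", chain] + (["-p", proto] if proto else []) + body + tail
    return table, " ".join(spec)


def same_rule(a, b):
    """True when two rule lines normalise to the same table and rulespec."""
    return canonicalise(a) == canonicalise(b)


if __name__ == "__main__":
    # Constructed inputs: the OP's rule with and without the explicit -m tcp.
    print(same_rule("iptables -A INPUT -p tcp -m tcp --dport 9191 -j DROP",
                    "iptables -A INPUT -p tcp --dport 9191 -j DROP"))
```

Running the two forms of the OP's rule through same_rule returns True, which is the concrete content of "-m tcp is redundant here". The ValueError paths are the part worth keeping in a rule-audit script: a --dport with no tcp/udp module loaded before it, or "-m tcp" on a "-p udp" rule, are rejected rather than silently accepted.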
