
Ubuntu Server: Basic Iptables Setup Guide

Date: 2011-03-16  Views: 3095



More detailed logging
For further detail in your syslog you may want to create an additional chain. The following is a very brief example from my /etc/iptables.up.rules showing how I set up iptables to log to syslog:

# Generated by iptables-save v1.3.1 on Sun Apr 23 05:32:09 2006
*filter
:INPUT ACCEPT [273:55355]
:FORWARD ACCEPT [0:0]
:LOGNDROP - [0:0]
:OUTPUT ACCEPT [92376:20668252]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -j LOGNDROP
-A LOGNDROP -p tcp -m limit --limit 5/min -j LOG --log-prefix "Denied TCP: " --log-level 7
-A LOGNDROP -p udp -m limit --limit 5/min -j LOG --log-prefix "Denied UDP: " --log-level 7
-A LOGNDROP -p icmp -m limit --limit 5/min -j LOG --log-prefix "Denied ICMP: " --log-level 7
-A LOGNDROP -j DROP
COMMIT
# Completed on Sun Apr 23 05:32:09 2006
Note the new chain called LOGNDROP declared at the top of the file. The standard DROP at the bottom of the INPUT chain is replaced with a jump to LOGNDROP, and the LOGNDROP rules add a protocol description to each entry so the log makes sense when you read it. Lastly, the traffic is dropped at the end of the LOGNDROP chain. The options used in the LOG rules:

--limit limits how often the same rule may write to syslog (here 5 entries per minute per protocol rule)
--log-prefix "Denied..." adds a prefix to each entry to make it easier to find in the syslog
--log-level 7 sets the syslog level to informational (see man syslog for more detail, but you can probably leave this as it is)
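Reading the entries these LOG rules produce, as an added example that is not part of the original guide: a small Python parser that turns the kernel's key=value log format (with the "Denied TCP: " style prefixes configured above) into a count of denied packets per source, protocol and destination port. The sample syslog lines, host name and addresses are constructed for the example; the field layout follows what the kernel LOG target writes.

```python
import re
from collections import Counter

# Constructed sample syslog lines in the shape the kernel writes for the
# "-j LOG --log-prefix 'Denied ...: '" rules in the LOGNDROP chain above.
# The last line is unrelated sshd noise that the parser must ignore.
SAMPLE_SYSLOG = """\
Apr 23 05:40:01 host kernel: Denied TCP: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.0.2.10 DST=198.51.100.5 LEN=60 TOS=0x00 PREC=0x00 TTL=54 ID=4321 DF PROTO=TCP SPT=40001 DPT=23 WINDOW=5840 RES=0x00 SYN URGP=0
Apr 23 05:40:02 host kernel: Denied TCP: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.0.2.10 DST=198.51.100.5 LEN=60 TOS=0x00 PREC=0x00 TTL=54 ID=4322 DF PROTO=TCP SPT=40002 DPT=3306 WINDOW=5840 RES=0x00 SYN URGP=0
Apr 23 05:40:05 host kernel: Denied UDP: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.7 DST=198.51.100.5 LEN=48 TOS=0x00 PREC=0x00 TTL=120 ID=1 PROTO=UDP SPT=5353 DPT=161 LEN=28
Apr 23 05:40:09 host kernel: Denied ICMP: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.7 DST=198.51.100.5 LEN=84 TOS=0x00 PREC=0x00 TTL=120 ID=2 PROTO=ICMP TYPE=8 CODE=0 ID=9 SEQ=1
Apr 23 05:40:10 host sshd[123]: Accepted publickey for admin from 192.0.2.50 port 5000 ssh2
"""

# Match only entries carrying one of the three prefixes set in LOGNDROP.
LOG_RE = re.compile(r"kernel: (?P<prefix>Denied (?:TCP|UDP|ICMP)): (?P<fields>.*)$")


def parse_denied(line):
    """Return the key=value fields of one LOGNDROP entry as a dict, or None."""
    m = LOG_RE.search(line)
    if not m:
        return None
    fields = {"PREFIX": m.group("prefix")}
    for tok in m.group("fields").split():
        if "=" in tok:
            key, _, value = tok.partition("=")
            # ICMP entries repeat ID= (IP header, then ICMP id) and UDP repeats
            # LEN=; keep the first, which belongs to the IP header.
            fields.setdefault(key, value)
        else:
            fields[tok] = True  # bare flags such as DF or SYN
    return fields


def summarize(text):
    """Count denied packets by (source address, protocol, destination port)."""
    counts = Counter()
    for line in text.splitlines():
        f = parse_denied(line)
        if f is None:
            continue
        counts[(f["SRC"], f["PROTO"], f.get("DPT", "-"))] += 1
    return counts


if __name__ == "__main__":
    for (src, proto, dport), n in summarize(SAMPLE_SYSLOG).most_common():
        print(f"{src:>15} {proto:<4} dport={dport:<5} denied={n}")
```

Because of `--limit 5/min`, a sustained burst shows up as at most five entries per minute per protocol rule, so these counts are a lower bound on what was actually dropped.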
Disabling the firewall
If you need to disable the firewall temporarily, you can flush all the rules with the command below. (Warning: this is only appropriate where no default policies have been configured; if the default policy has already been set to deny, this step will cut off all network access to the system.)

# sudo iptables -F



