{"id":6504,"date":"2022-03-01T22:28:50","date_gmt":"2022-03-02T06:28:50","guid":{"rendered":"https:\/\/www.xh86.me\/?p=6504"},"modified":"2022-03-01T22:28:50","modified_gmt":"2022-03-02T06:28:50","slug":"%e8%bf%90%e7%bb%b4%e5%b7%a5%e7%a8%8b%e5%b8%88%ef%bc%9a%e9%85%8d%e7%bd%aeiptables%e9%98%b2%e7%81%ab%e5%a2%99%e5%9f%ba%e7%a1%80","status":"publish","type":"post","link":"https:\/\/www.xh86.me\/?p=6504","title":{"rendered":"\u8fd0\u7ef4\u5de5\u7a0b\u5e08\uff1a\u914d\u7f6eiptables\u9632\u706b\u5899\u57fa\u7840"},"content":{"rendered":"
\n
\n
\n
<\/div><\/section>\n<\/section>\n
\n
\n
\n
\n
\n
\n
\n
\n
\n
\n

\u76ee\u5f55<\/strong><\/p>\n<\/section>\n<\/section>\n<\/section>\n<\/section>\n<\/section>\n

\n
\n
\n
\n
\n
\n
\n
<\/section>\n<\/section>\n<\/section>\n<\/section>\n<\/section>\n<\/section>\n<\/section>\n<\/section>\n<\/section>\n<\/section>\n
\n
\n

\u4e00\uff1a<\/span>iptables\u5e38\u89c1\u6982\u5ff5<\/strong><\/p>\n<\/section>\n<\/section>\n

\n
\n

\u4e8c\uff1a iptables\u670d\u52a1\u5668\u5b89\u88c5\u53ca\u76f8\u5173\u914d\u7f6e\u6587\u4ef6<\/span><\/span><\/strong><\/p>\n<\/section>\n<\/section>\n

\n
\n

\u4e09\uff1a<\/strong><\/span> \u5b9e\u6218\uff1aiptables\u4f7f\u7528\u65b9\u6cd5<\/strong><\/p>\n<\/section>\n<\/section>\n<\/section>\n<\/section>\n<\/section>\n

\n

\n

\u8bf4\u660e:<\/strong><\/p>\n

Centos7.X \u5f00\u59cb,\u7cfb\u7edf\u81ea\u5e26\u7684\u9632\u706b\u5899\u7ba1\u7406\u5de5\u5177\u662ffirewalld\uff0c\u4f46\u662f\u4e5f\u540c\u6837\u652f\u6301iptables\uff0c\u672c\u8282\u8bfe\u6211\u4eec\u4ecd\u7136\u7528iptables\u6765\u4f5c\u4e3a\u9632\u706b\u5899\u6765\u4e3b\u8bb2\uff0c\u4e0b\u6b21\u8bfe\u6211\u4eec\u4e5f\u4f1a\u7ed9\u5927\u5bb6\u8be6\u7ec6\u8bb2\u89e3firewalld\u7684\u5e38\u7528\u914d\u7f6e\u3002<\/p>\n

\n

iptables\u670d\u52a1\u7aef\uff1axuegod63 \u00a0\u00a0IP\uff1a192.168.1.63<\/p>\n

iptables\u5ba2\u6237\u7aef\uff1axuegod64\u00a0\u00a0\u00a0IP\uff1a192.168.1.64<\/p>\n

\n<\/section>\n

\n
\n
\n
\n
\n
\n
\n
\n

No.1<\/strong><\/span><\/p>\n<\/section>\n<\/section>\n<\/section>\n<\/section>\n

\n
\n

iptables\u5e38\u89c1\u6982\u5ff5<\/strong><\/p>\n<\/section>\n<\/section>\n

\n
\n
\n
\n

\n<\/section>\n<\/section>\n<\/section>\n<\/section>\n<\/section>\n<\/section>\n<\/section>\n<\/section>\n

\n

\n

netfilter\/iptables\u662f\u96c6\u6210\u5728\u5185\u6838\u4e2d\u7684\u5305\u8fc7\u6ee4\u9632\u706b\u5899\u7cfb\u7edf\u3002\u8be5\u67b6\u6784\u53ef\u4ee5\u5b9e\u73b0\u6570\u636e\u5305\u8fc7\u6ee4\uff0c\u7f51\u7edc\u5730\u5740\u8f6c\u6362\u4ee5\u53ca\u6570\u636e\u5305\u7ba1\u7406\u529f\u80fd\u3002linux\u4e2d\u9632\u706b\u5899\u5206\u4e3a\u4e24\u90e8\u5206\uff1anetfilter\u548ciptables\u3002netfilter\u4f4d\u4e8e\u5185\u6838\u7a7a\u95f4\uff0c\u76ee\u524d\u662fLinux\u5185\u6838\u7684\u7ec4\u6210\u90e8\u5206\u3002netfilter\u53ef\u4ee5\u5bf9\u672c\u673a\u6240\u6709\u6d41\u5165\uff0c\u6d41\u51fa\uff0c\u8f6c\u53d1\u7684\u6570\u636e\u5305\u8fdb\u884c\u67e5\u770b\uff0c\u4fee\u6539\uff0c\u4e22\u5f03\uff0c\u62d2\u7edd\u7b49\u64cd\u4f5c\u3002netfilter\u4f4d\u4e8e\u5185\u6838\u7a7a\u95f4\u4e2d\uff0c\u7528\u6237\u65e0\u6cd5\u63a5\u89e6\u5185\u6838\u548c\u4fee\u6539\u5185\u6838\uff0c\u9700\u8981\u4f7f\u7528iptables\u6216Firewalld\u7b49\u5de5\u5177\u6765\u8fdb\u884c\u7ba1\u7406\u3002<\/p>\n

\n<\/section>\n

\n
\n
\n
\n

1.1 \u00a0iptables\u6982\u8ff0<\/strong><\/p>\n<\/section>\n<\/section>\n

\n
\n
\n
\n
\n
\n
<\/section>\n<\/section>\n<\/section>\n<\/section>\n
\n
\n
\n
\n
\n
\n
<\/section>\n<\/section>\n<\/section>\n<\/section>\n<\/section>\n<\/section>\n<\/section>\n<\/section>\n<\/section>\n<\/section>\n<\/section>\n<\/section>\n
\n

\n<\/section>\n

\n

netfilter\/iptables\uff1aIP\u4fe1\u606f\u5305\u8fc7\u6ee4\u7cfb\u7edf\uff0c\u5b83\u5b9e\u9645\u4e0a\u7531\u4e24\u4e2a\u7ec4\u4ef6netfilter \u548c iptables \u7ec4\u6210\u3002<\/p>\n

\n

netfilter\/iptables \u5173\u7cfb\uff1a<\/strong><\/p>\n

netfilter \u7ec4\u4ef6\u4e5f\u79f0\u4e3a\u5185\u6838\u7a7a\u95f4\uff08kernelspace\uff09\uff0c\u662f\u5185\u6838\u7684\u4e00\u90e8\u5206\uff0c\u7531\u4e00\u4e9b\u4fe1\u606f\u5305\u8fc7\u6ee4\u8868\u7ec4\u6210\uff0c\u8fd9\u4e9b\u8868\u5305\u542b\u5185\u6838\u7528\u6765\u63a7\u5236\u4fe1\u606f\u5305\u8fc7\u6ee4\u5904\u7406\u7684\u89c4\u5219\u96c6\u3002<\/p>\n

\n

iptables \u7ec4\u4ef6\u662f\u4e00\u79cd\u5de5\u5177\uff0c\u4e5f\u79f0\u4e3a\u7528\u6237\u7a7a\u95f4\uff08userspace\uff09\uff0c\u5b83\u4f7f\u63d2\u5165\u3001\u4fee\u6539\u548c\u9664\u53bb\u4fe1\u606f\u5305\u8fc7\u6ee4\u8868\u4e2d\u7684\u89c4\u5219\u53d8\u5f97\u5bb9\u6613\u3002<\/p>\n

\n

netfilter\/iptables \u540e\u671f\u7b80\u79f0\u4e3a\uff1aiptables<\/span><\/strong>\u3002 iptables\u662f\u57fa\u4e8e\u5185\u6838\u7684\u9632\u706b\u5899\uff0c\u529f\u80fd\u975e\u5e38\u5f3a\u5927\uff0ciptables\u5185\u7f6e\u4e86filter\uff0cnat\u548cmangle\u3001raw\u56db\u5f20\u8868\u3002\u6240\u6709\u89c4\u5219\u914d\u7f6e\u540e\uff0c\u7acb\u5373\u751f\u6548\uff0c\u4e0d\u9700\u8981\u91cd\u542f\u670d\u52a1\u3002<\/p>\n

\n<\/section>\n

\n
\n
\n
\n

1.2 \u00a0\u56db\u5f20\u8868\u4ecb\u7ecd<\/strong><\/p>\n<\/section>\n<\/section>\n

\n
\n
\n
\n
\n
\n
<\/section>\n<\/section>\n<\/section>\n<\/section>\n
\n
\n
\n
\n
\n
\n
<\/section>\n<\/section>\n<\/section>\n<\/section>\n<\/section>\n<\/section>\n<\/section>\n<\/section>\n<\/section>\n<\/section>\n<\/section>\n<\/section>\n
\n

\n<\/section>\n

\n

filter\u8d1f\u8d23\u8fc7\u6ee4\u6570\u636e\u5305\uff0c\u5305\u62ec\u7684\u89c4\u5219\u94fe\u6709\uff0cinput\uff0coutput\u548cforward\uff1b<\/p>\n

\n

nat\u5219\u6d89\u53ca\u5230\u7f51\u7edc\u5730\u5740\u8f6c\u6362\uff0c\u5305\u62ec\u7684\u89c4\u5219\u94fe\u6709\uff0cprerouting\uff0cpostrouting\u548coutput\uff1b<\/p>\n

\n

mangle\u8868\u5219\u4e3b\u8981\u5e94\u7528\u5728\u4fee\u6539\u6570\u636e\u5305\u5185\u5bb9\u4e0a\uff0c\u7528\u6765\u505a\u6d41\u91cf\u6574\u5f62\u7684\uff0c\u7ed9\u6570\u636e\u5305\u6253\u4e2a\u6807\u8bc6\uff0c\u9ed8\u8ba4\u7684\u89c4\u5219\u94fe\u6709\uff1aINPUT\uff0cOUTPUT\u3001\u00a0forward\uff0cPOSTROUTING\uff0cPREROUTING\uff1b<\/p>\n

\n

raw\u8868\u4f18\u5148\u7ea7\u6700\u9ad8\uff08\u4e0d\u5e38\u7528\uff09\uff0c\u53ea\u4f7f\u7528\u5728PREROUTING\u94fe\u548cOUTPUT\u94fe\u4e0a\uff0c\u4f1a\u8df3\u8fc7NAT\u8868\u3002<\/p>\n

\n<\/section>\n

\n
\n
\n
\n

1.3 \u00a0iptables\u7684\u4e94\u4e2a\u94fe<\/strong><\/p>\n<\/section>\n<\/section>\n

\n
\n
\n
\n
\n
\n
<\/section>\n<\/section>\n<\/section>\n<\/section>\n
\n
\n
\n
\n
\n
\n
<\/section>\n<\/section>\n<\/section>\n<\/section>\n<\/section>\n<\/section>\n<\/section>\n<\/section>\n<\/section>\n<\/section>\n<\/section>\n<\/section>\n
\n

\n<\/section>\n

\n

input\uff1a\u5339\u914d\u76ee\u6807IP\u662f\u672c\u673a\u7684\u6570\u636e\u5305\u3002<\/p>\n

output\uff1a\u51fa\u53e3\u6570\u636e\u5305\uff0c\u4e00\u822c\u4e0d\u5728\u6b64\u94fe\u4e0a\u505a\u914d\u7f6e<\/p>\n

forward\uff1a\u5339\u914d\u6d41\u7ecf\u672c\u673a\u7684\u6570\u636e\u5305\uff0c<\/p>\n

prerouting\uff1a\u7528\u6765\u4fee\u6539\u76ee\u7684\u5730\u5740\uff0c\u7528\u6765\u505aDNAT\u3002<\/p>\n

\u5982\uff1a\u628a\u5185\u7f51\u4e2d\u768480\u7aef\u53e3\u6620\u5c04\u5230\u8def\u7531\u5668\u5916\u7f51\u7aef\u53e3\u4e0a<\/p>\n

postrouting\u7528\u6765\u4fee\u6539\u6e90\u5730\u5740\u7528\u6765\u505aSNAT\u3002<\/p>\n

\u5982\uff1a\u5185\u7f51\u901a\u8fc7\u8def\u7531\u5668NAT\u8f6c\u6362\u529f\u80fd\u5b9e\u73b0\u5185\u7f51PC\u673a\u901a\u8fc7\u4e00\u4e2a\u516c\u7f51IP\u5730\u5740\u4e0a\u7f51<\/p>\n

\n

1. iptables\u56db\u4e2a\u8868\uff0c5\u4e2a\u94fe\u63a5\uff0c\u7ed3\u6784\u5982\u56fe\uff1a<\/p>\n<\/section>\n

\n
<\/div><\/section>\n<\/section>\n
\n

\n<\/section>\n

\n

raw \u8868\uff1a\u7528\u4e8e\u5904\u7406\u5f02\u5e38\uff0c\u5305\u62ec\u7684\u89c4\u5219\u94fe\u6709\uff0cprerouting\uff0coutput\uff1b \u4e00\u822c\u4f7f\u7528\u4e0d\u5230\uff0craw\u5728\u6574\u4e2a\u9632\u706b\u5899\u4f53\u7cfb\u4f18\u5148\u7ea7\u6700\u9ad8\uff0c\u5982\u679c\u542f\u52a8\u7528raw\u8868\uff0c\u6570\u636e\u5c06\u4f1a\u8df3\u8fc7conntrack\uff08\u8fde\u63a5\u8ddf\u8e2a\u673a\u5236\uff09<\/p>\n

\n

\u4f8b\uff1a\u67e5\u770braw\u8868\u4e2d\u7684\u5185\u5bb9\uff1a<\/p>\n<\/section>\n

\n
\n
[root@xuegod63 ~]# iptables -t raw -L<\/span><\/span><\/code>Chain PREROUTING<\/span> (policy ACCEPT)<\/span><\/span><\/span><\/code>target \u00a0 \u00a0 prot opt source \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 destination \u00a0 \u00a0 \u00a0 \u00a0 <\/span><\/code>Chain OUTPUT<\/span> (policy ACCEPT)<\/span><\/span><\/code>target \u00a0 \u00a0 prot opt source \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 destination <\/span><\/code><\/pre>\n<\/section>\n<\/section>\n
\n
\n
2. Iptables\u8fc7\u6ee4\u5c01\u5305\u6d41\u7a0b\uff0c\u8868->\u94fe->\u89c4\u5219<\/p>\n
\u6570\u636e\u8d70\u5411\uff1a<\/p>\n
\u5916\u90e8\u8bbf\u95ee\u672c\u673a<\/p>\n
\u672c\u673a\u8bbf\u95ee\u5916\u90e8<\/p>\n
\u672c\u673a\u8d1f\u8d23\u8f6c\u53d1<\/p>\n
\n<\/section>\n
\n
<\/div><\/section>\n<\/section>\n
\n
\n
3. \u6574\u4f53\u6570\u636e\u5305\u5206\u4e24\u7c7b\uff1a\u53d1\u7ed9\u9632\u706b\u5899\u672c\u8eab\u7684\u6570\u636e\u5305\uff0c\u548c\u9700\u8981\u7ecf\u8fc7\u9632\u706b\u5899\u7684\u6570\u636e\u5305\u3002<\/p>\n
\n
\u5f53\u4e00\u4e2a\u6570\u636e\u5305\u8fdb\u5165\u7f51\u5361\u65f6\uff0c\u5b83\u9996\u5148\u8fdb\u5165PREROUTING\u94fe\uff0c\u5185\u6838\u6839\u636e\u6570\u636e\u5305\u76ee\u7684IP\u5224\u65ad\u662f\u5426\u9700\u8981\u8f6c\u9001\u51fa\u53bb\u3002<\/p>\n
\n
\u5982\u679c\u6570\u636e\u5305\u5c31\u662f\u8fdb\u5165\u672c\u673a\u7684\uff0c\u5b83\u5c31\u4f1a\u6cbf\u7740\u56fe\u5411\u4e0b\u79fb\u52a8\uff0c\u5230\u8fbeINPUT\u94fe\u3002\u6570\u636e\u5305\u5230\u4e86INPUT\u94fe\u540e\uff0c\u4efb\u4f55\u8fdb\u7a0b\u90fd\u4f1a\u6536\u5230\u5b83\u3002<\/p>\n
\n
\u672c\u673a\u4e0a\u8fd0\u884c\u7684\u7a0b\u5e8f\u53ef\u4ee5\u53d1\u9001\u6570\u636e\u5305\uff0c\u8fd9\u4e9b\u6570\u636e\u5305\u4f1a\u7ecf\u8fc7OUTPUT\u94fe\uff0c\u7136\u540e\u5230\u8fbePOSTROUTING\u94fe\u8f93\u51fa\u3002<\/p>\n
\n
\u5982\u679c\u6570\u636e\u5305\u662f\u8981\u8f6c\u53d1\u51fa\u53bb\u7684\uff0c\u4e14\u5185\u6838\u5141\u8bb8\u8f6c\u53d1\uff0c\u6570\u636e\u5305\u5c31\u4f1a\u5982\u56fe\u6240\u793a\u5411\u53f3\u79fb\u52a8\uff0c\u7ecf\u8fc7FORWARD\u94fe\uff0c\u7136\u540e\u5230\u8fbePOSTROUTING\u94fe\u8f93\u51fa\u3002<\/p>\n
\n
4. \u8868\u3001\u94fe\u3001\u89c4\u5219\u5904\u7406\u7684\u987a\u5e8f<\/p>\n
\u8868\u95f4\u7684\u4f18\u5148\u987a\u5e8f<\/p>\n
raw > mangle > nat > filter<\/p>\n
\n
\u94fe\u95f4\u7684\u5339\u914d\u987a\u5e8f<\/p>\n
\u5165\u7ad9\u6570\u636e\uff1aPREROUTING\u3001INPUT<\/p>\n
\u51fa\u7ad9\u6570\u636e\uff1aOUTPUT\u3001POSTROUTING<\/p>\n
\u8f6c\u53d1\u6570\u636e\uff1aPREROUTING\u3001FORWARD\u3001POSTROUTING<\/p>\n
\n
\u94fe\u5185\u7684\u5339\u914d\u987a\u5e8f\uff1a<\/p>\n
\u81ea\u4e0a\u5411\u4e0b\u6309\u987a\u5e8f\u4f9d\u6b21\u8fdb\u884c\u68c0\u67e5\uff0c\u627e\u5230\u76f8\u5339\u914d\u7684\u89c4\u5219\u5373\u505c\u6b62<\/p>\n
\u82e5\u5728\u8be5\u94fe\u5185\u627e\u4e0d\u5230\u7684\u76f8\u5339\u914d\u7684\u89c4\u5219\uff0c\u5219\u6309\u8be5\u94fe\u7684\u9ed8\u8ba4\u7b56\u7565\u5904\u7406\uff08\u672a\u4fee\u6539\u7684\u60c5\u51b5\u4e0b\uff0c\u9ed8\u8ba4\u7b56\u7565\u4e3a\u5141\u8bb8\uff09<\/p>\n
\n
\u6ce8\u610f\uff1a\u89c4\u5219\u7684\u6b21\u5e8f\u975e\u5e38\u5173\u952e\uff0c\u8c01\u7684\u89c4\u5219\u8d8a\u4e25\u683c\uff0c\u5e94\u8be5\u653e\u7684\u8d8a\u9760\u524d\uff0c\u800c\u68c0\u67e5\u89c4\u5219\u7684\u65f6\u5019\uff0c\u662f\u6309\u7167\u4ece\u4e0a\u5f80\u4e0b\u7684\u65b9\u5f0f\u8fdb\u884c\u68c0\u67e5\u7684\u3002<\/p>\n
\n<\/section>\n
\n
\n
\n
\n
\n
\n
\n
\n
No.2<\/strong><\/span><\/p>\n<\/section>\n<\/section>\n<\/section>\n<\/section>\n
\n
\n
\u00a0iptables\u670d\u52a1\u5668\u5b89\u88c5\u53ca\u76f8\u5173\u914d\u7f6e\u6587\u4ef6<\/strong><\/p>\n<\/section>\n<\/section>\n
\n
\n
\n
\n
\n<\/section>\n<\/section>\n<\/section>\n<\/section>\n<\/section>\n<\/section>\n<\/section>\n<\/section>\n
\n
\n<\/section>\n
\n
Iptables\u90e8\u7f72<\/p>\n
Iptables\u662f\u903b\u8f91\u6027\u6bd4\u8f83\u5f3a\u7684\u670d\u52a1\uff0c\u6240\u4ee5\u6211\u4eec\u4e00\u4e2a\u4e00\u4e2a\u7684\u5b9e\u9a8c\u758f\u901a\u3002<\/p>\n
\n<\/section>\n
\n
\n
\n
\n
2.1 \u00a0\u5b89\u88c5iptables<\/strong><\/p>\n<\/section>\n<\/section>\n
\n
\n
\n
\n
\n
\n
<\/section>\n<\/section>\n<\/section>\n<\/section>\n
\n
\n
\n
\n
\n
\n
<\/section>\n<\/section>\n<\/section>\n<\/section>\n<\/section>\n<\/section>\n<\/section>\n<\/section>\n<\/section>\n<\/section>\n<\/section>\n<\/section>\n
\n
\n<\/section>\n
\n
\u5173\u95edfirewall<\/p>\n<\/section>\n
\n
\n
[root@xuegod63 \u00a0~]# systemctl stop firewalld.service \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 #\u505c\u6b62firewall<\/span><\/span><\/code>\r\n<\/span><\/code>[root@xuegod63 \u00a0~]# systemctl disable firewalld.service \u00a0 \u00a0 \u00a0 \u00a0#\u7981\u6b62firewall\u5f00\u673a\u542f\u52a8<\/span><\/span><\/code><\/pre>\n<\/section>\n<\/section>\n
\n
\n
\u5b89\u88c5\u5b89\u88c5iptables\u9632\u706b\u5899\uff1a<\/p>\n<\/section>\n
\n
\n
[root@xuegod63 \u00a0~]# yum install iptables-services \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 #\u5b89\u88c5<\/span><\/span><\/code><\/pre>\n<\/section>\n<\/section>\n
\n
\n<\/section>\n
\n
\n
\n
\n
2.2 \u00a0iptables\u914d\u7f6e\u6587\u4ef6\u4f4d\u7f6e<\/strong><\/p>\n<\/section>\n<\/section>\n
\n
\n
\n
\n
\n
\n
<\/section>\n<\/section>\n<\/section>\n<\/section>\n
\n
\n
\n
\n
<\/section>\n<\/section>\n<\/section>\n<\/section>\n<\/section>\n<\/section>\n<\/section>\n<\/section>\n<\/section>\n<\/section>\n
\n
\n<\/section>\n
\n
\n
[root@xuegod63 ~]# ls \/etc\/sysconfig\/iptables<\/span><\/span><\/code>\/etc\/sysconfig\/iptables<\/span><\/code><\/pre>\n<\/section>\n<\/section>\n
\n
\n<\/section>\n
\n
\n
\n
\n
2.3 \u00a0\u542f\u52a8\u670d\u52a1<\/strong><\/p>\n<\/section>\n<\/section>\n
\n
\n
\n
\n
\n
\n
<\/section>\n<\/section>\n<\/section>\n<\/section>\n
\n
\n
\n
\n
\n
\n
<\/section>\n<\/section>\n<\/section>\n<\/section>\n<\/section>\n<\/section>\n<\/section>\n<\/section>\n<\/section>\n<\/section>\n<\/section>\n<\/section>\n
\n
\n<\/section>\n
\n
\n
[root@xuegod63 ~]# systemctl start iptables.service<\/span><\/span><\/code>[root@xuegod63 ~]# systemctl enable iptables.service<\/span><\/span><\/code><\/pre>\n<\/section>\n<\/section>\n
\n
\n<\/section>\n
\n
\n
\n
\n
\n
\n
\n
\n
No.3<\/strong><\/span><\/p>\n<\/section>\n<\/section>\n<\/section>\n<\/section>\n
\n
\n
\u00a0\u5b9e\u6218\uff1aiptables\u4f7f\u7528\u65b9\u6cd5<\/strong><\/p>\n<\/section>\n<\/section>\n
\n
\n
\n
\n
\n<\/section>\n<\/section>\n<\/section>\n<\/section>\n<\/section>\n<\/section>\n<\/section>\n<\/section>\n
\n
\n<\/section>\n
\n
iptables\u547d\u4ee4\u7684\u8bed\u6cd5\u683c\u5f0f<\/p>\n
Iptables [-t \u8868\u540d] \u7ba1\u7406\u9009\u9879 [\u94fe\u540d] [\u6761\u4ef6\u5339\u914d] [-j \u76ee\u6807\u52a8\u4f5c\u6216\u8df3\u8f6c]<\/p>\n
\n
\u6ce8\u610f\u4e8b\u9879<\/p>\n
\u4e0d\u6307\u5b9a\u8868\u540d\u65f6\uff0c\u9ed8\u8ba4\u8868\u793afilter\u8868<\/p>\n
\u4e0d\u6307\u5b9a\u94fe\u540d\u65f6\uff0c\u9ed8\u8ba4\u8868\u793a\u8be5\u8868\u5185\u6240\u6709\u94fe<\/p>\n
\u9664\u975e\u8bbe\u7f6e\u89c4\u5219\u94fe\u7684\u7f3a\u7701\u7b56\u7565\uff0c\u5426\u5219\u9700\u8981\u6307\u5b9a\u5339\u914d\u6761\u4ef6<\/p>\n
\n
iptables\u8bed\u6cd5\u603b\u7ed3\uff1a<\/p>\n
\n<\/section>\n
\n
<\/div><\/section>\n<\/section>\n
\n
\n<\/section>\n
\n
\n
\n
\n
3.1 \u00a0iptables\u547d\u4ee4\u4f7f\u7528\u65b9\u6cd5<\/strong><\/p>\n<\/section>\n<\/section>\n
\n
\n
\n
\n
\n
\n
<\/section>\n<\/section>\n<\/section>\n<\/section>\n
\n
\n
\n
\n
\n
\n
<\/section>\n<\/section>\n<\/section>\n<\/section>\n<\/section>\n<\/section>\n<\/section>\n<\/section>\n<\/section>\n<\/section>\n<\/section>\n<\/section>\n
\n
\n<\/section>\n
\n
iptables [-t \u8981\u64cd\u4f5c\u7684\u8868]<\/span><\/strong><\/p>\n
\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0<\u64cd\u4f5c\u547d\u4ee4><\/p>\n
\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0[\u8981\u64cd\u4f5c\u7684\u94fe]<\/p>\n
\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0[\u89c4\u5219\u53f7\u7801]<\/p>\n
\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0[\u5339\u914d\u6761\u4ef6]<\/p>\n
\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0[-j \u5339\u914d\u5230\u4ee5\u540e\u7684\u52a8\u4f5c]<\/p>\n
\n
\u64cd\u4f5c\u547d\u4ee4<\/span><\/strong><\/p>\n
-A \u00a0\u6dfb\u52a0\u89c4\u5219<\/p>\n
-I\u00a0num \u63d2\u5165\uff0c\u628a\u5f53\u524d\u89c4\u5219\u63d2\u5165\u4e3a\u7b2c\u51e0\u6761<\/p>\n
-D\u00a0num \u5220\u9664\uff0c\u660e\u786e\u6307\u5b9a\u5220\u9664\u7b2c\u51e0\u6761\u89c4\u5219<\/p>\n
-P \u00a0\u8bbe\u7f6e\u9ed8\u8ba4\u7b56\u7565\u7684<\/p>\n
-F \u00a0\u6e05\u7a7a\u89c4\u5219\u94fe\u7684<\/p>\n
\n
\u67e5\u770b\u547d\u4ee4<\/span><\/strong><\/p>\n
-[vn]L<\/p>\n
-L\u5217\u51fa\u89c4\u5219<\/p>\n
-n\u4ee5\u6570\u5b57\u683c\u5f0f\u663e\u793aip\u548cport\uff0c\u9700\u8981\u914d\u5408-L\u9009\u9879\u4f7f\u7528<\/p>\n
-v \u00a0\u663e\u793a\u4fe1\u606f\uff0c\u4ee5\u8be6\u7ec6\u4fe1\u606f\u663e\u793a<\/p>\n
-A <\u94fe\u540d> \u00a0\u00a0\u00a0APPEND\uff0c\u8ffd\u52a0\u4e00\u6761\u89c4\u5219\uff08\u653e\u5230\u6700\u540e\uff09<\/p>\n
\n
\u4f8b\u5982\uff1a<\/p>\n<\/section>\n
\n
\n
    \n
  • <\/li>\n<\/ul>\n
    [root@xuegod63 ~]# iptables -t filter -A INPUT -j DROP \u00a0 \u00a0 #\u62d2\u7edd\u6240\u6709\u4eba\u8bbf\u95ee\u670d\u52a1\u5668<\/span><\/span><\/code><\/pre>\n<\/section>\n<\/section>\n
    \n
    \n
    \u5728 filter \u8868\u7684 INPUT \u94fe\u91cc\u8ffd\u52a0\u4e00\u6761\u89c4\u5219\uff08\u4f5c\u4e3a\u6700\u540e\u4e00\u6761\u89c4\u5219\uff09<\/p>\n
    \u5339\u914d\u6240\u6709\u8bbf\u95ee\u672c\u673a IP \u7684\u6570\u636e\u5305\uff0c\u5339\u914d\u5230\u7684\u4e22\u5f03<\/p>\n
    \n
    iptables \u00a0-L -n \u00a0\u00a0\u00a0\u67e5\u770b<\/p>\n
    iptables \u00a0-Ln \u00a0\u4e0d\u751f\u6548\uff0c\u4f46\u662fiptables \u00a0-nL\u53ef\u4ee5<\/p>\n
    -I <\u94fe\u540d> [\u89c4\u5219\u53f7\u7801] \u00a0\u00a0\u00a0\u00a0INSERT\uff0c\u63d2\u5165\u4e00\u6761\u89c4\u5219<\/p>\n
    \n<\/section>\n
    \n
    \n
    [root@xuegod63 ~]# iptables -I INPUT -j DROP<\/span><\/span><\/code><\/pre>\n<\/section>\n<\/section>\n
    \n
    \n<\/section>\n
    \n
    \u5728 filter \u8868\u7684 INPUT \u94fe\u91cc\u63d2\u5165\u4e00\u6761\u89c4\u5219\uff08\u63d2\u5165\u6210\u7b2c 1 \u6761\uff09\u7acb\u5373\u751f\u6548\uff0cxshell\u4f1a\u65ad\u5f00\u3002<\/p>\n
    iptables -I INPUT 5\u00a0-j DROP<\/p>\n
    \n
    \u5728 filter \u8868\u7684 INPUT \u94fe\u91cc\u63d2\u5165\u4e00\u6761\u89c4\u5219\uff08\u63d2\u5165\u6210\u7b2c 5\u00a0\u6761\uff09<\/p>\n
    \u6ce8\u610f\uff1a<\/p>\n
    -t filter \u53ef\u4e0d\u5199\uff0c\u4e0d\u5199\u5219\u81ea\u52a8\u9ed8\u8ba4\u662f filter \u8868<\/p>\n
    -I \u94fe\u540d [\u89c4\u5219\u53f7\u7801]\uff0c\u5982\u679c\u4e0d\u5199\u89c4\u5219\u53f7\u7801\uff0c\u5219\u9ed8\u8ba4\u662f 1<\/p>\n
    \u786e\u4fdd\u89c4\u5219\u53f7\u7801 \u2264 \uff08\u5df2\u6709\u89c4\u5219\u6570 + 1\uff09\uff0c\u5426\u5219\u62a5\u9519<\/p>\n
    -R num\uff1aReplays\u66ff\u6362\/\u4fee\u6539\u7b2c\u51e0\u6761\u89c4\u5219<\/p>\n
    \u683c\u5f0f\uff1aiptables \u2013t filter -R INPUT 3 \u2026\u2026\u2026 \u4fee\u6539filter\u7684INPUT\u94fe\u7b2c\u4e09\u6761\u89c4\u5219<\/p>\n
    iptables -R INPUT 5 -j ACCEPT<\/p>\n
    -D <\u94fe\u540d> <\u89c4\u5219\u53f7\u7801 | \u5177\u4f53\u89c4\u5219\u5185\u5bb9> \u00a0\u00a0\u00a0DELETE\uff0c\u5220\u9664\u4e00\u6761\u89c4\u5219<\/p>\n
    \n
    \u4f8b\u5982\uff1a<\/p>\n
    iptables -D INPUT 1\uff08\u6309\u53f7\u7801\u5339\u914d\uff09<\/p>\n
    \u5220\u9664 filter \u8868 INPUT \u94fe\u4e2d\u7684\u7b2c1\u6761\u89c4\u5219<\/p>\n<\/section>\n
    \n
    \n
    [root@xuegod63 ~]# iptables -L<\/span><\/span><\/code>Chain INPUT<\/span> (policy ACCEPT)<\/span><\/span><\/span><\/code>target \u00a0 \u00a0 prot opt source \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 destination \u00a0 \u00a0 \u00a0 \u00a0 <\/span><\/code>[root@xuegod63 ~]# iptables -D INPUT -j DROP \u00a0 \u00a0#\u6309\u5185\u5bb9\u5339\u914d\u3002<\/span><\/span><\/code>iptables -D INPUT -s 192.168.0.1 -j DROP<\/span><\/code><\/pre>\n<\/section>\n<\/section>\n
    \n
    \n
    \u5220\u9664 filter \u8868 INPUT \u94fe\u4e2d\u5185\u5bb9\u4e3a\u201c-s 192.168.0.1 -j DROP\u201d\u7684\u89c4\u5219(\u4e0d\u7ba1\u5176\u4f4d\u7f6e\u5728\u54ea\u91cc\uff09<\/p>\n
    \n
    \u6ce8\u610f\uff1a<\/p>\n
    \u82e5\u89c4\u5219\u5217\u8868\u4e2d\u6709\u591a\u6761\u76f8\u540c\u7684\u89c4\u5219\u65f6\uff0c\u6309\u5185\u5bb9\u5339\u914d\u53ea\u5220\u9664\u5e8f\u53f7\u6700\u5c0f\u7684\u4e00\u6761<\/p>\n
    \u6309\u53f7\u7801\u5339\u914d\u5220\u9664\u65f6\uff0c\u786e\u4fdd\u89c4\u5219\u53f7\u7801 \u2264 \u5df2\u6709\u89c4\u5219\u6570\uff0c\u5426\u5219\u62a5\u9519<\/p>\n
    \u6309\u5185\u5bb9\u5339\u914d\u5220\u9664\u65f6\uff0c\u786e\u4fdd\u89c4\u5219\u5b58\u5728\uff0c\u5426\u5219\u62a5\u9519<\/p>\n
    \n
    -P <\u94fe\u540d> <\u52a8\u4f5c> \u00a0\u00a0\u00a0POLICY\uff0c\u8bbe\u7f6e\u67d0\u4e2a\u94fe\u7684\u9ed8\u8ba4\u89c4\u5219<\/p>\n<\/section>\n
    \n
    \n
    [root@xuegod63 ~]# iptables -L \u00a0 #\u67e5\u770b\u9ed8\u8ba4\u89c4\u5219\u662fACCEPT<\/span><\/span><\/code>Chain INPUT<\/span> (policy ACCEPT)<\/span><\/span><\/span><\/code>target \u00a0 \u00a0 prot opt source \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 des ation \u00a0tin<\/span><\/code>[root@xuegod63 ~]# iptables -P INPUT DROP<\/span><\/span><\/code>\u8bbe\u7f6e filter \u8868 INPUT \u94fe\u7684\u9ed8\u8ba4\u89c4\u5219\u662f DROP<\/span><\/code>[root@xuegod63 ~]# iptables -L \u00a0 #\u67e5\u770b\u5df2\u7ecf\u53d8\u4e3aDROP<\/span><\/span><\/code>Chain INPUT<\/span> (policy DROP)<\/span><\/span><\/code>target \u00a0 \u00a0 prot opt source \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 destination \u00a0 <\/span><\/code><\/pre>\n<\/section>\n<\/section>\n
    \n
    \n
    \u00a0\u6ce8\u610f\uff1a<\/p>\n
    \u5f53\u6570\u636e\u5305\u6ca1\u6709\u88ab\u89c4\u5219\u5217\u8868\u91cc\u7684\u4efb\u4f55\u89c4\u5219\u5339\u914d\u5230\u65f6\uff0c\u6309\u6b64\u9ed8\u8ba4\u89c4\u5219\u5904\u7406\u3002\u52a8\u4f5c\u524d\u9762\u4e0d\u80fd\u52a0 \u2013j\uff0c\u8fd9\u4e5f\u662f\u552f\u4e00 \u4e00\u79cd\u5339\u914d\u52a8\u4f5c\u524d\u9762\u4e0d\u52a0 \u2013j \u7684\u60c5\u51b5\u3002<\/p>\n
    \u00a0-F [\u94fe\u540d] \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0FLUSH\uff0c\u6e05\u7a7a\u89c4\u5219<\/p>\n
    \n
    \u6dfb\u52a0\u89c4\u5219\uff1a<\/p>\n<\/section>\n
    \n
    \n
    iptables -P INPUT \u00a0ACCEPT<\/span>(\u9632\u6b62xshell\u65ad\u5f00)<\/span><\/span><\/span><\/code>[root@xuegod63 ~]# iptables -t filter -A INPUT -j DROP<\/span><\/span><\/code>[root@xuegod63 ~]# iptables -F INPUT \u00a0 \u00a0#\u6e05\u9664INPUT\u94fe\u4e0a\u7684\u89c4\u5219<\/span><\/span><\/code>[root@xuegod63 ~]# iptables -F \u00a0 \u00a0#\u6e05\u9664filter\u8868\u4e2d\u6240\u6709\u94fe\u4e0a\u7684\u89c4\u5219<\/span><\/span><\/code>\u7acb\u5373\u751f\u6548\uff0cxshell\u4f1a\u65ad\u5f00<\/span><\/code>[root@xuegod63 ~]# iptables -t nat -F \u00a0 #\u6e05\u7a7aNAT\u8868\u4e2d\u6240\u6709\u94fe\u4e0a\u7684\u89c4\u5219<\/span><\/span><\/code>[root@xuegod63 ~]# iptables -t nat -F PREROUTING \u00a0 #\u6e05\u7a7aNAT\u8868\u4e2dPREROUTING\u94fe\u4e0a\u7684\u89c4\u5219<\/span><\/span><\/code><\/pre>\n<\/section>\n<\/section>\n
    \n
    \n
    \u6ce8\u610f\uff1a<\/p>\n
    -F \u4ec5\u4ec5\u662f\u6e05\u7a7a\u94fe\u4e2d\u89c4\u5219\uff0c\u5e76\u4e0d\u5f71\u54cd -P \u8bbe\u7f6e\u7684\u9ed8\u8ba4\u89c4\u5219\u3002<\/p>\n<\/section>\n
    \n
    \n
    [root@xuegod63 ~]# iptables -P INPUT ACCEPT<\/span><\/span><\/code> \u00a0 \u00a0-P \u8bbe\u7f6e\u4e86 DROP \u540e\uff0c\u4f7f\u7528 -F \u4e00\u5b9a\u8981\u5c0f\u5fc3\uff01\uff01<\/span><\/code><\/pre>\n<\/section>\n<\/section>\n
    \n
    \n
    #\u5728\u751f\u4ea7\u73af\u5883\u4e2d\uff0c\u4f7f\u7528-P DROP \u8fd9\u6761\u89c4\u5219\uff0c\u4e00\u5b9a\u8981\u5c0f\u5fc3\uff0c\u8bbe\u7f6e\u4e4b\u524d\u6700\u597d\u914d\u7f6e\u4e0b\u9762\u4e24\u4e2a\u4efb\u52a1\u8ba1\u5212\uff0c\u5426\u5219\u5bb9\u6613\u628a\u81ea\u5df1drop\u6389\uff0c\u94fe\u63a5\u4e0d\u4e0a\u8fdc\u7a0b\u4e3b\u673a\u3002<\/p>\n
    \n
    \u914d\u7f6ecrontab :<\/strong><\/p>\n<\/section>\n
    \n
    \n
    *\/15<\/span> * * * * \u00a0iptables -P INPUT ACCEPT<\/span><\/code><\/pre>\n<\/section>\n<\/section>\n
    \n
    \n
    -Z \u00a0\u00a0\u5c06\u5c01\u5305\u8ba1\u6570\u5668\u5f52\u96f6\uff0c\u5c01\u5305\u8ba1\u6570\u5668\u662f\u7528\u6765\u8ba1\u7b97\u540c\u4e00\u5c01\u5305\u51fa\u73b0\u6b21\u6570<\/p>\n<\/section>\n
    \n
    \n
    [root@xuegod63 ~]# iptables -Z INPUT<\/span><\/span><\/code><\/pre>\n<\/section>\n<\/section>\n
    \n
    \n
    -L [\u94fe\u540d] \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0LIST\uff0c\u5217\u51fa\u89c4\u5219<\/p>\n
    v\uff1a\u663e\u793a\u8be6\u7ec6\u4fe1\u606f\uff0c\u5305\u62ec\u6bcf\u6761\u89c4\u5219\u7684\u5339\u914d\u5305\u6570\u91cf\u548c\u5339\u914d\u5b57\u8282\u6570<\/p>\n
    x\uff1a\u5728 v \u7684\u57fa\u7840\u4e0a\uff0c\u7981\u6b62\u81ea\u52a8\u5355\u4f4d\u6362\u7b97\uff08K\u3001M\uff09<\/p>\n
    n\uff1a\u53ea\u663e\u793a IP \u5730\u5740\u548c\u7aef\u53e3\u53f7\u7801\uff0c\u4e0d\u663e\u793a\u57df\u540d\u548c\u670d\u52a1\u540d\u79f0<\/p>\n
    –line-number\uff1a\u53ef\u4ee5\u67e5\u770b\u5230\u89c4\u5219\u53f7<\/p>\n
    \n
    \u4f8b\u5982\uff1a<\/p>\n
    iptables -L<\/span><\/p>\n
    \u7c97\u7565\u5217\u51fa filter \u8868\u6240\u6709\u94fe\u53ca\u6240\u6709\u89c4\u5219<\/p>\n
    iptables -t nat -vnL<\/span><\/p>\n
    \u7528\u8be6\u7ec6\u65b9\u5f0f\u5217\u51fa nat \u8868\u6240\u6709\u94fe\u7684\u6240\u6709\u89c4\u5219\uff0c\u53ea\u663e\u793a IP \u5730\u5740\u548c\u7aef\u53e3\u53f7<\/p>\n
    iptables -t nat -vxnL PREROUTING<\/span><\/p>\n
    \u7528\u8be6\u7ec6\u65b9\u5f0f\u5217\u51fa nat \u8868 PREROUTING \u94fe\u7684\u6240\u6709\u89c4\u5219\u4ee5\u53ca\u8be6\u7ec6\u6570\u5b57\uff0c\u4e0d\u53cd\u89e3<\/p>\n
    iptables -t nat -xvnL –line-number<\/span><\/p>\n
    \n<\/section>\n
    \n
    \n
    \n
    \n
    3.2 \u00a0iptables\u5339\u914d\u6761\u4ef6<\/strong><\/p>\n<\/section>\n<\/section>\n
    \n
    \n
    \n
    \n
    \n
    \n
    <\/section>\n<\/section>\n<\/section>\n<\/section>\n
    \n
    \n
    \n
    \n
    \n
    \n
    <\/section>\n<\/section>\n<\/section>\n<\/section>\n<\/section>\n<\/section>\n<\/section>\n<\/section>\n<\/section>\n<\/section>\n<\/section>\n<\/section>\n
    \n
    \n<\/section>\n
    \n
    \u6d41\u5165\u3001\u6d41\u51fa\u63a5\u53e3\uff08-i\u3001-o\uff09<\/p>\n
    \u6765\u6e90\u3001\u76ee\u7684\u5730\u5740\uff08-s\u3001-d\uff09<\/p>\n
    \u534f\u8bae\u7c7b\u578b \u00a0\u00a0\u00a0\u00a0\u00a0\uff08-p\uff09<\/p>\n
    \u6765\u6e90\u3001\u76ee\u7684\u7aef\u53e3\uff08–sport\u3001–dport\uff09<\/p>\n
    \n
    1. \u6309\u7f51\u7edc\u63a5\u53e3\u5339\u914d<\/p>\n
    -i <\u5339\u914d\u6570\u636e\u8fdb\u5165\u7684\u7f51\u7edc\u63a5\u53e3><\/p>\n
    #\u6b64\u53c2\u6570\u4e3b\u8981\u5e94\u7528\u4e8enat\u8868\uff0c\u4f8b\u5982\u76ee\u6807\u5730\u5740\u8f6c\u6362<\/p>\n
    \n
    \u4f8b\u5982\uff1a<\/p>\n
    -i ens33\u00a0\u00a0<\/span><\/p>\n
    \u5339\u914d\u662f\u5426\u4ece\u7f51\u7edc\u63a5\u53e3 ens33\u00a0\u8fdb\u6765<\/p>\n
    -i ppp0<\/span><\/p>\n
    \u5339\u914d\u662f\u5426\u4ece\u7f51\u7edc\u63a5\u53e3 ppp0 \u8fdb\u6765<\/p>\n
    -o \u00a0\u5339\u914d\u6570\u636e\u6d41\u51fa\u7684\u7f51\u7edc\u63a5\u53e3<\/p>\n
    \n
    \u4f8b\u5982\uff1a<\/p>\n
    -o ens33<\/span><\/p>\n
    -o ppp0<\/span><\/p>\n
    \n
    2. \u6309\u6765\u6e90\u76ee\u7684\u5730\u5740\u5339\u914d<\/p>\n
    -s <\u5339\u914d\u6765\u6e90\u5730\u5740><\/span><\/p>\n
    \u53ef\u4ee5\u662f IP\u3001\u00a0\u7f51\u6bb5\u3001\u57df\u540d\uff0c\u4e5f\u53ef\u7a7a\uff08\u4efb\u4f55\u5730\u5740\uff09<\/p>\n
    \n
    \u4f8b\u5982\uff1a<\/p>\n
    -s 192.168.0.1 \u00a0\u00a0\u00a0\u00a0\u5339\u914d\u6765\u81ea 192.168.0.1 \u7684\u6570\u636e\u5305<\/p>\n
    -s 192.168.1.0\/24 \u00a0\u5339\u914d\u6765\u81ea 192.168.1.0\/24 \u7f51\u7edc\u7684\u6570\u636e\u5305<\/p>\n
    -s 192.168.0.0\/16 \u00a0\u5339\u914d\u6765\u81ea 192.168.0.0\/16 \u7f51\u7edc\u7684\u6570\u636e\u5305<\/p>\n
    \n
    \u4f8b\uff1aiptables -A INPUT -s 192.168.0.1 -j DROP<\/p>\n
    \u67e5\u770b\uff1aiptables -vnL<\/p>\n
    -d <\u5339\u914d\u76ee\u7684\u5730\u5740><\/p>\n
    \u53ef\u4ee5\u662f IP\u3001\u00a0\u7f51\u6bb5\u3001\u57df\u540d\uff0c\u4e5f\u53ef\u4ee5\u7a7a<\/p>\n
    \n
    \u4f8b\u5982\uff1a<\/p>\n
    -d 202.106.0.20<\/span>\uff0c\u5339\u914d\u53bb202.106.0.20 \u7684\u6570\u636e\u5305<\/p>\n
    -d 202.106.0.0\/16<\/span>\uff0c\u5339\u914d\u53bb202.106.0.0\/16 \u7f51\u7edc\u7684\u6570\u636e\u5305<\/p>\n
    -d www.abc.com<\/span>\uff0c\u5339\u914d\u53bb\u57df\u540d www.abc.com \u7684\u6570\u636e\u5305<\/p>\n
    \n
    \u4f8b\uff1aiptables -A INPUT -d 202.106.0.20 -j DROP<\/span><\/p>\n
    \u67e5\u770b\uff1a<\/span>iptables -vnL<\/span><\/p>\n
    \n
    3. \u6309\u534f\u8bae\u7c7b\u578b\u5339\u914d<\/p>\n
    -p <\u5339\u914d\u534f\u8bae\u7c7b\u578b><\/p>\n
    \u53ef\u4ee5\u662f TCP\u3001UDP\u3001ICMP \u7b49\uff0c\u4e5f\u53ef\u4e3a\u7a7a<\/p>\n
    \n
    \u4f8b\u5982\uff1a<\/p>\n
    -p tcp<\/span><\/p>\n
    -p udp<\/span><\/p>\n
    -p icmp –icmp-type \u00a0\u7c7b\u578b<\/span><\/p>\n
    ping: type 8 \u00a0\u00a0\u00a0\u00a0\u00a0pong: type 0<\/span><\/p>\n
    \n
    4. \u6309\u6765\u6e90\u76ee\u7684\u7aef\u53e3\u5339\u914d<\/p>\n
    –sport <\u5339\u914d\u6e90\u7aef\u53e3><\/p>\n
    \u53ef\u4ee5\u662f\u4e2a\u522b\u7aef\u53e3\uff0c\u53ef\u4ee5\u662f\u7aef\u53e3\u8303\u56f4<\/p>\n
    \n
    \u4f8b\u5982\uff1a<\/p>\n
    –sport 1000\uff1a\u5339\u914d\u6e90\u7aef\u53e3\u662f 1000 \u7684\u6570\u636e\u5305<\/p>\n
    –sport 1000:3000\uff1a\u5339\u914d\u6e90\u7aef\u53e3\u662f 1000-3000 \u7684\u6570\u636e\u5305\uff08\u542b1000\u30013000\uff09<\/p>\n
    –sport :3000\uff1a\u5339\u914d\u6e90\u7aef\u53e3\u662f 3000 \u4ee5\u4e0b\u7684\u6570\u636e\u5305\uff08\u542b 3000\uff09<\/p>\n
    –sport 1000:\u5339\u914d\u6e90\u7aef\u53e3\u662f 1000 \u4ee5\u4e0a\u7684\u6570\u636e\u5305\uff08\u542b 1000\uff09<\/p>\n
    –dport <\u5339\u914d\u76ee\u7684\u7aef\u53e3>\u53ef\u4ee5\u662f\u4e2a\u522b\u7aef\u53e3\uff0c\u53ef\u4ee5\u662f\u7aef\u53e3\u8303\u56f4<\/p>\n
    \n
    \u4f8b\u5982\uff1a<\/p>\n
    –dport 80\uff1a\u5339\u914d\u76ee\u7684\u7aef\u53e3\u662f 80 \u7684\u6570\u636e\u5305<\/p>\n
    –dport 6000:8000\uff1a\u5339\u914d\u76ee\u7684\u7aef\u53e3\u662f 6000-8000 \u7684\u6570\u636e\u5305\uff08\u542b6000\u30018000\uff09<\/p>\n
    –dport :3000\uff1a\u5339\u914d\u76ee\u7684\u7aef\u53e3\u662f 3000 \u4ee5\u4e0b\u7684\u6570\u636e\u5305\uff08\u542b 3000\uff09<\/p>\n
    –dport 1000:\u5339\u914d\u76ee\u7684\u7aef\u53e3\u662f 1000 \u4ee5\u4e0a\u7684\u6570\u636e\u5305\uff08\u542b 1000\uff09<\/p>\n
    \u6ce8\u610f\uff1a–sport \u548c –dport \u5fc5\u987b\u914d\u5408 -p \u53c2\u6570\u4f7f\u7528<\/p>\n
    \n
    5. \u5339\u914d\u5e94\u7528\u4e3e\u4f8b<\/p>\n
    \u7aef\u53e3\u5339\u914d<\/p>\n
    -p udp –dport 53<\/p>\n
    \u5339\u914d\u7f51\u7edc\u4e2d\u76ee\u7684\u7aef\u53e3\u662f 53 \u7684 UDP \u534f\u8bae\u6570\u636e\u5305<\/p>\n
    \n
    \u5730\u5740\u5339\u914d\uff1a<\/p>\n
    -s 10.1.0.0\/24 -d 172.17.0.0\/16<\/span><\/p>\n
    \u5339\u914d\u6765\u81ea 10.1.0.0\/24 \u53bb\u5f80 172.17.0.0\/16 \u7684\u6240\u6709\u6570\u636e\u5305<\/p>\n
    \n
    \u7aef\u53e3\u548c\u5730\u5740\u8054\u5408\u5339\u914d<\/p>\n
    -s 192.168.0.1 -d www.abc.com -p tcp –dport 80<\/span><\/p>\n
    \u5339\u914d\u6765\u81ea 192.168.0.1\uff0c\u53bb\u5f80 www.abc.com \u7684 80 \u7aef\u53e3\u7684 TCP \u534f\u8bae\u6570\u636e\u5305<\/p>\n
    \n<\/section>\n
    \n
    <\/div><\/section>\n<\/section>\n
    \n
    \n
    \u6ce8\u610f\uff1a<\/p>\n
    –sport\u3001–dport \u5fc5\u987b\u8054\u5408 -p \u4f7f\u7528\uff0c\u5fc5\u987b\u6307\u660e\u534f\u8bae\u7c7b\u578b\u662f\u4ec0\u4e48<\/p>\n
    \u6761\u4ef6\u5199\u7684\u8d8a\u591a\uff0c\u5339\u914d\u8d8a\u7ec6\u81f4\uff0c\u5339\u914d\u8303\u56f4\u8d8a\u5c0f<\/p>\n
    \n<\/section>\n
    \n
    \n
    \n
    \n
    3.3 \u00a0iptables\u52a8\u4f5c\uff08\u5904\u7406\u65b9\u5f0f\uff09<\/strong><\/p>\n<\/section>\n<\/section>\n
    \n
    \n
    \n
    \n
    \n
    \n
    <\/section>\n<\/section>\n<\/section>\n<\/section>\n
    \n
    \n
    \n
    \n
    \n
    \n
    <\/section>\n<\/section>\n<\/section>\n<\/section>\n<\/section>\n<\/section>\n<\/section>\n<\/section>\n<\/section>\n<\/section>\n<\/section>\n<\/section>\n
    \n
    \n<\/section>\n
    \n
    ACCEPT<\/span><\/p>\n
    DROP<\/span><\/p>\n
    REJECT<\/span><\/p>\n
    SNAT<\/span><\/p>\n
    DNAT<\/span><\/p>\n
    MASQUERADE<\/span><\/p>\n
    -j ACCEPT<\/span><\/p>\n
    \u901a\u8fc7\uff0c\u5141\u8bb8\u6570\u636e\u5305\u901a\u8fc7\u672c\u94fe\u800c\u4e0d\u62e6\u622a\u5b83<\/p>\n
    \u4f8b\u5982\uff1a<\/p>\n
    iptables -A INPUT -j ACCEPT<\/span><\/p>\n
    \u5141\u8bb8\u6240\u6709\u8bbf\u95ee\u672c\u673a IP \u7684\u6570\u636e\u5305\u901a\u8fc7<\/p>\n
    -j DROP<\/span><\/p>\n
    \u4e22\u5f03\uff0c\u963b\u6b62\u6570\u636e\u5305\u901a\u8fc7\u672c\u94fe\u800c\u4e22\u5f03\u5b83<\/p>\n
    \n
    \u4f8b\u5982\uff1a<\/p>\n
    iptables -A FORWARD -s 192.168.80.39 -j DROP<\/span><\/p>\n
    \u963b\u6b62\u6765\u6e90\u5730\u5740\u4e3a 192.168.80.39 \u7684\u6570\u636e\u5305\u901a\u8fc7\u672c\u673a<\/p>\n
    \n
    -j SNAT –to IP[-IP][:\u7aef\u53e3-\u7aef\u53e3]\uff08nat \u8868\u7684 POSTROUTING \u94fe\uff09<\/span><\/p>\n
    \u6e90\u5730\u5740\u8f6c\u6362\uff0cSNAT \u652f\u6301\u8f6c\u6362\u4e3a\u5355 IP\uff0c\u4e5f\u652f\u6301\u8f6c\u6362\u5230 IP \u5730\u5740\u6c60\uff08\u4e00\u7ec4\u8fde\u7eed\u7684 IP \u5730\u5740\uff09<\/p>\n
    \n
    \u4f8b\u5982\uff1a<\/p>\n<\/section>\n
    \n
    \n
    [root@xuegod63 ~]# iptables -t nat -A POSTROUTING -s 192.168.0.0\/24 -j SNAT --to 1.1.1.1<\/span><\/span><\/code> #\u5c06\u5185\u7f51 192.168<\/span>.0<\/span>.0<\/span>\/24<\/span> \u7684\u539f\u5730\u5740\u4fee\u6539\u4e3a 1.1<\/span>.1<\/span>.1<\/span>\uff0c\u7528\u4e8e NAT<\/span><\/code>iptables -t nat -A POSTROUTING -s 192.168<\/span>.0<\/span>.0<\/span>\/24<\/span> \u00a0-j SNAT --to 1.1<\/span>.1<\/span>.1<\/span>-1.1<\/span>.1<\/span>.10<\/span><\/span><\/code>\u540c\u4e0a\uff0c\u53ea\u4e0d\u8fc7\u4fee\u6539\u6210\u4e00\u4e2a\u5730\u5740\u6c60\u91cc\u7684 IP<\/span><\/code>-j DNAT --to IP[-IP][:\u7aef\u53e3-\u7aef\u53e3]\uff08nat \u8868\u7684 PREROUTING \u94fe\uff09<\/span><\/code>\u76ee\u7684\u5730\u5740\u8f6c\u6362\uff0cDNAT \u652f\u6301\u8f6c\u6362\u4e3a\u5355 IP\uff0c\u4e5f\u652f\u6301\u8f6c\u6362\u5230 IP \u5730\u5740\u6c60\uff08\u4e00\u7ec4\u8fde\u7eed\u7684 IP \u5730\u5740\uff09<\/span><\/code><\/pre>\n<\/section>\n<\/section>\n
    \n
    \n
    \u4f8b\u5982\uff1a<\/p>\n
    \u8868\u8fbe\u65b9\u5f0f1\uff1a<\/strong><\/p>\n
    \u628a\u4ece ens33 \u8fdb\u6765\u7684\u8981\u8bbf\u95ee TCP\/80 \u7684\u6570\u636e\u5305\u76ee\u7684\u5730\u5740\u6539\u4e3a 192.168.0.1.<\/p>\n<\/section>\n
    \n
    \n
    [root@xuegod63 ~]# iptables -t nat -A PREROUTING -i ens33 -p tcp --dport 80 -j DNAT --to 192.168.0.1<\/span><\/span><\/code><\/pre>\n<\/section>\n<\/section>\n
    \n
    \n
    \u8868\u8fbe\u65b9\u5f0f2\uff1a<\/strong><\/p>\n<\/section>\n
    \n
    \n
    [root@xuegod63 ~]# iptables -t nat -A PREROUTING -i ens33 -p tcp --dport 81 -j DNAT --to 192.168.0.1:81<\/span><\/span><\/code><\/pre>\n<\/section>\n<\/section>\n
    \n
    \n
    \u8868\u8fbe\u65b9\u5f0f3\uff1a<\/strong><\/p>\n
    \u628a\u4ece ens33 \u8fdb\u6765\u7684\u8981\u8bbf\u95ee TCP\/80 \u7684\u6570\u636e\u5305\u76ee\u7684\u5730\u5740\u6539\u4e3a192.168.0.1-192.169.0.10<\/p>\n<\/section>\n
    \n
    \n
    [root@xuegod63 ~]# iptables -t nat -A PREROUTING -i ens33 -p tcp --dport 80 -j DNAT --to 192.168.0.1-192.169.0.10 <\/span><\/span><\/code><\/pre>\n<\/section>\n<\/section>\n
    \n
    \n
    -j MASQUERADE \u00a0\u00a0\u00a0\u4f2a\u88c5<\/p>\n
    \u52a8\u6001\u6e90\u5730\u5740\u8f6c\u6362\uff08\u52a8\u6001 IP \u7684\u60c5\u51b5\u4e0b\u4f7f\u7528\uff09<\/p>\n
    \n
    \u4f8b\u5982\uff1a<\/p>\n<\/section>\n
    \n
    \n
    [root@xuegod63 ~]# iptables -t nat -A POSTROUTING -s 192.168.0.0\/24 -o ens33 -j MASQUERADE<\/span><\/span><\/code><\/pre>\n<\/section>\n<\/section>\n
    \n
    \u5c06\u6e90\u5730\u5740\u662f 192.168.0.0\/24 \u7684\u6570\u636e\u5305\u8fdb\u884c\u5730\u5740\u4f2a\u88c5\uff0c\u8f6c\u6362\u6210ens33\u4e0a\u7684IP\u5730\u5740\u3002ens33\u4e3a\u8def\u7531\u5668\u5916\u7f51\u51fa\u53e3IP\u5730\u5740<\/p>\n
    \n<\/section>\n
    \n
    \n
    \n
    \n
    3.4 \u00a0\u6269\u5c55\uff1a\u9644\u52a0\u6a21\u5757<\/strong><\/p>\n<\/section>\n<\/section>\n
    \n
    \n
    \n
    \n
    \n
    \n
    <\/section>\n<\/section>\n<\/section>\n<\/section>\n
    \n
    \n
    \n
    \n
    \n
    \n
    <\/section>\n<\/section>\n<\/section>\n<\/section>\n<\/section>\n<\/section>\n<\/section>\n<\/section>\n<\/section>\n<\/section>\n<\/section>\n<\/section>\n
    \n
    \n<\/section>\n
    \n
    \u6309\u5305\u72b6\u6001\u5339\u914d\uff1a\uff08state\uff09<\/p>\n
    \u6309\u6765\u6e90 MAC \u5339\u914d\uff1a\uff08mac\uff09<\/p>\n
    \u6309\u5305\u901f\u7387\u5339\u914d\uff1a\uff08limit\uff09<\/p>\n
    \u6309\u591a\u7aef\u53e3\u5339\u914d\uff1a\uff08multiport\uff09<\/p>\n
    \u6309\u5305\u72b6\u6001\u5339\u914d\uff1a\uff08state\uff09<\/p>\n
    \n
    -m state –state \u72b6\u6001<\/span><\/strong><\/p>\n
    \u72b6\u6001\uff1aNEW\u3001RELATED\u3001ESTABLISHED\u3001INVALID<\/strong><\/p>\n
    \u00a0<\/strong><\/p>\n
    NEW\uff1a<\/span><\/strong>\u6709\u522b\u4e8e tcp \u7684 syn \u00a0\u00a0#\u5982\u679c\u6211\u4eec\u53d1\u9001\u4e00\u4e2a\u6d41\u7684\u521d\u59cb\u5316\u5305\uff0c\u72b6\u6001\u5c31\u4f1a\u5728OUTPUT\u94fe \u91cc\u88ab\u8bbe\u7f6e\u4e3aNEW\uff0c\u5f53\u6211\u4eec\u6536\u5230\u56de\u5e94\u7684\u5305\u65f6\uff0c\u72b6\u6001\u5c31\u4f1a\u5728PREROUTING\u94fe\u91cc\u88ab\u8bbe\u7f6e\u4e3aESTABLISHED\u3002\u5982\u679c\u7b2c\u4e00\u4e2a\u5305\u4e0d\u662f\u672c\u5730\u4ea7\u751f\u7684\uff0c\u90a3\u5c31\u4f1a\u5728PREROUTING\u94fe\u91cc\u88ab\u8bbe\u7f6e\u4e3aNEW\u72b6 \u6001\u3002<\/p>\n
    ESTABLISHED\uff1a<\/strong><\/span>\u8fde\u63a5\u6001<\/p>\n
    RELATED\uff1a<\/strong><\/span>\u884d\u751f\u6001\uff0c\u4e0e conntrack \u5173\u8054\uff08FTP\uff09<\/p>\n
    INVALID\uff1a<\/span><\/strong>\u4e0d\u80fd\u88ab\u8bc6\u522b\u5c5e\u4e8e\u54ea\u4e2a\u8fde\u63a5\u6216\u6ca1\u6709\u4efb\u4f55\u72b6\u6001<\/p>\n
    \n
    \u4f8b\u5982\uff1a<\/p>\n<\/section>\n
    \n
    \n
    iptables -A INPUT -m state --state RELATED,ESTABLISHED \u00a0-j ACCEPT<\/span><\/code><\/pre>\n<\/section>\n<\/section>\n
    \n
    \n
    \u56db\u4e2a\u72b6\u6001\u8be6\u89e3\uff1a<\/p>\n<\/section>\n
    \n
    <\/div><\/section>\n<\/section>\n
    \n
    \n
    \u8fd9\u4e9b\u72b6\u6001\u53ef\u4ee5\u4e00\u8d77\u4f7f\u7528\uff0c\u4ee5\u4fbf\u5339\u914d\u6570\u636e\u5305\u3002\u8fd9\u53ef\u4ee5\u4f7f\u6211\u4eec\u7684\u9632\u706b\u5899\u975e\u5e38\u5f3a\u58ee\u548c\u6709\u6548\u3002\u4ee5\u524d\uff0c\u6211\u4eec\u7ecf\u5e38\u6253 \u5f001024\u4ee5\u4e0a\u7684\u6240\u6709\u7aef\u53e3\u6765\u653e\u884c\u5e94\u7b54\u7684\u6570\u636e\u3002\u73b0\u5728\uff0c\u6709\u4e86\u72b6\u6001\u673a\u5236\uff0c\u5c31\u4e0d\u9700\u518d\u8fd9\u6837\u4e86\u3002\u56e0\u4e3a\u6211\u4eec\u53ef\u4ee5\u53ea\u5f00\u653e\u90a3\u4e9b\u6709\u5e94\u7b54\u6570\u636e\u7684\u7aef\u53e3\uff0c\u5176\u4ed6\u7684\u90fd\u53ef\u4ee5\u5173\u95ed\u3002\u8fd9\u6837\u5c31\u5b89\u5168\u591a\u4e86\u3002<\/p>\n
    \n
    \u6309\u6765\u6e90 MAC \u5339\u914d\uff08mac\uff09<\/p>\n
    -m mac –mac-source MAC<\/p>\n
    \u5339\u914d\u67d0\u4e2a MAC \u5730\u5740<\/p>\n
    \n
    \u4f8b\u5982\uff1a<\/p>\n<\/section>\n
    \n
    \n
      \n
    • <\/li>\n<\/ul>\n
      iptables -A FORWARD -m mac --mac-source xx:xx:xx:xx:xx:xx -j DROP<\/span><\/code><\/pre>\n<\/section>\n<\/section>\n
      \n
      \u963b\u65ad\u6765\u81ea\u67d0 MAC \u5730\u5740\u7684\u6570\u636e\u5305\u901a\u8fc7\u672c\u673a<\/p>\n
      \n
      \u6ce8\u610f\uff1a<\/p>\n
      \u62a5\u6587\u7ecf\u8fc7\u8def\u7531\u540e\uff0c\u6570\u636e\u5305\u4e2d\u539f\u6709\u7684 mac \u4fe1\u606f\u4f1a\u88ab\u66ff\u6362\uff0c\u6240\u4ee5\u5728\u8def\u7531\u540e\u7684 iptables \u4e2d\u4f7f\u7528 mac \u6a21\u5757\u662f\u6ca1\u6709\u610f\u4e49\u7684<\/p>\n
      \n
      \u6309\u5305\u901f\u7387\u5339\u914d\uff08limit\uff09<\/p>\n
      -m limit –limit \u5339\u914d\u901f\u7387 [–burst \u7f13\u51b2\u6570\u91cf]<\/p>\n
      \u7528\u4e00\u5b9a\u901f\u7387\u53bb\u5339\u914d\u6570\u636e\u5305<\/p>\n
      \n
      \u4f8b\u5982\uff1a<\/p>\n<\/section>\n
      \n
      \n
      iptables -A FORWARD -d 192.168<\/span>.0<\/span>.1<\/span> -m limit --limit 50<\/span>\/s \u00a0-j ACCEPT<\/span><\/code>iptables -A FORWARD -d 192.168<\/span>.0<\/span>.1<\/span> -j DROP<\/span><\/code><\/pre>\n<\/section>\n<\/section>\n
      \n
      \n
      \u6ce8\u610f\uff1a<\/p>\n
      limit \u82f1\u8bed\u4e0a\u770b\u662f\u9650\u5236\u7684\u610f\u601d\uff0c\u4f46\u5b9e\u9645\u4e0a\u53ea\u662f\u6309\u4e00\u5b9a\u901f\u7387\u53bb\u5339\u914d\u800c\u5df2\uff0c50\/s\u8868\u793a1\u79d2\u4e2d\u8f6c\u53d150\u4e2a\u6570\u636e\u5305\uff0c\u8981\u60f3\u9650\u5236\u7684\u8bdd\u540e\u9762\u8981\u518d\u8ddf\u4e00\u6761 DROP<\/p>\n
      \n
      \u591a\u7aef\u53e3\u5339\u914d\uff08multiport\uff09<\/p>\n
      -m multiport <–sports|–dports|–ports> \u7aef\u53e31[,\u7aef\u53e32,..,\u7aef\u53e3n]<\/p>\n
      \u4e00\u6b21\u6027\u5339\u914d\u591a\u4e2a\u7aef\u53e3\uff0c\u53ef\u4ee5\u533a\u5206\u6e90\u7aef\u53e3\uff0c\u76ee\u7684\u7aef\u53e3\u6216\u4e0d\u6307\u5b9a\u7aef\u53e3<\/p>\n
      \n
      \u4f8b\u5982\uff1a<\/p>\n<\/section>\n
      \n
      \n
      iptables -A INPUT -p tcp -m multiport --dports 21<\/span>,22<\/span>,25<\/span>,80<\/span>,110<\/span> -j ACCEPT<\/span><\/code><\/pre>\n<\/section>\n<\/section>\n
      \n
      \u6ce8\u610f\uff1a\u5fc5\u987b\u4e0e -p \u53c2\u6570\u4e00\u8d77\u4f7f\u7528<\/p>\n
      \n
      \u4fdd\u5b58\u5230\u914d\u7f6e\u6587\u4ef6\uff1a<\/p>\n
      \u5148\u770b\u4e00\u4e0b\/etc\/sysconfig\/iptables\u5185\u5bb9<\/p>\n<\/section>\n
      \n
      \n
      [root@xuegod63 ~]# service iptables save<\/span><\/span><\/code>iptables: Saving firewall rules to \/etc\/sysconfig\/iptables:[ \u00a0\u786e\u5b9a \u00a0]<\/span><\/code><\/pre>\n<\/section>\n<\/section>\n
      \n
      \u4fdd\u5b58\u540e\u5bf9\u6bd4\/etc\/sysconfig\/iptables\u4e4b\u524d\u5185\u5bb9<\/p>\n<\/section>\n<\/section>\n<\/div>\n","protected":false},"excerpt":{"rendered":"
      \u76ee\u5f55 \u4e00\uff1aiptables\u5e38\u89c1\u6982\u5ff5 \u4e8c\uff1a iptables\u670d\u52a1\u5668\u5b89\u88c5\u53ca\u76f8\u5173\u914d\u7f6e\u6587\u4ef6 \u4e09\uff1a \u5b9e\u6218\uff1aiptable […]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[12],"tags":[],"class_list":["post-6504","post","type-post","status-publish","format-standard","hentry","category-linux"],"_links":{"self":[{"href":"https:\/\/www.xh86.me\/index.php?rest_route=\/wp\/v2\/posts\/6504","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.xh86.me\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.xh86.me\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.xh86.me\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.xh86.me\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=6504"}],"version-history":[{"count":1,"href":"https:\/\/www.xh86.me\/index.php?rest_route=\/wp\/v2\/posts\/6504\/revisions"}],"predecessor-version":[{"id":6568,"href":"https:\/\/www.xh86.me\/index.php?rest_route=\/wp\/v2\/posts\/6504\/revisions\/6568"}],"wp:attachment":[{"href":"https:\/\/www.xh86.me\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=6504"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.xh86.me\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=6504"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.xh86.me\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=6504"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}