外网ip a.x 内ip c.x
内网ip b.x
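# Generated by iptables-save v1.4.7
# Restored from an extraction that split every token onto its own line; this
# form is what iptables-restore expects (one table per *name ... COMMIT block,
# one rule per line, '#' lines ignored).
#
# Address placeholders are the author's: a.x = external address, b.x = internal
# network (b.x.1 .. b.x.6 are internal hosts).
*nat
:PREROUTING ACCEPT [240124:15466097]
:POSTROUTING ACCEPT [12190495:633906308]
:OUTPUT ACCEPT [12190519:633907556]
# Port-forwards: external a.x:3310 -> internal MySQL b.x:3306, external :2222 -> internal SSH b.x:22.
# The non-standard ports only obscure the services; they do not restrict who can reach them.
-A PREROUTING -d a.x/32 -p tcp -m tcp --dport 3310 -j DNAT --to-destination b.x:3306
# NOTE(review): unlike the 3310 rule this one has no -d a.x/32, so it forwards port 2222
# arriving on any local address — presumably it was meant to match a.x only; confirm.
-A PREROUTING -p tcp -m tcp --dport 2222 -j DNAT --to-destination b.x:22
# Traffic from this box to the internal hosts' SSH/MySQL ports leaves with the EXTERNAL
# address a.x as source (not the internal one) — presumably deliberate so the internal
# hosts see a single fixed peer; confirm, since it also hides the real client from their logs.
-A POSTROUTING -d b.x.1/32 -p tcp -m tcp --dport 22 -j SNAT --to-source a.x
-A POSTROUTING -d b.x.2/32 -p tcp -m tcp --dport 3306 -j SNAT --to-source a.x
-A POSTROUTING -d b.x.3/32 -p tcp -m tcp --dport 22 -j SNAT --to-source a.x
-A POSTROUTING -d b.x.4/32 -p tcp -m tcp --dport 22 -j SNAT --to-source a.x
-A POSTROUTING -d b.x.5/32 -p tcp -m tcp --dport 22 -j SNAT --to-source a.x
-A POSTROUTING -d b.x.6/32 -p tcp -m tcp --dport 22 -j SNAT --to-source a.x
COMMIT
# Completed on Fri Apr 21 17:18:20 2017
# Generated by iptables-save v1.4.7
*filter
# All three built-in chains keep policy ACCEPT: anything that falls off the end of INPUT
# is allowed. The rules below therefore only REJECT/DROP excess traffic; they never
# close a port.
:INPUT ACCEPT [180932:11563176]
:FORWARD ACCEPT [280525:60883714]
:OUTPUT ACCEPT [24489274:1959801503]
:syn-flood - [0:0]
# Internal network (10/8) is trusted in both directions on INPUT.
-A INPUT -s 10.0.0.0/8 -j ACCEPT
-A INPUT -d 10.0.0.0/8 -j ACCEPT
# The original dump had "-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT" here. Because
# INPUT is evaluated top-down and that rule accepted every tcp/80 packet, the port-80
# connlimit rule, the syn-flood chain and both BAD_HTTP_ACCESS rules further down could
# never match (dead rules). It is removed so the limits actually apply; port 80 is
# still reachable via the final "--set ... -j ACCEPT" rule and the ACCEPT policy.
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
# New SSH connections are accepted before the syn-flood chain, so that chain never
# rate-limits port 22; the author relies on fail2ban for SSH instead.
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
# Per-source cap: more than 50 concurrent tcp/80 connections from one /32 are rejected.
-A INPUT -p tcp -m tcp --dport 80 -m connlimit --connlimit-above 50 --connlimit-mask 32 -j REJECT --reject-with icmp-port-unreachable
# Pure SYN packets (SYN set, FIN/RST/ACK clear) go through the syn-flood chain below.
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j syn-flood
# On eth1 only: a source with more than 30 half-open/open connections gets its new SYNs dropped.
-A INPUT -i eth1 -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m connlimit --connlimit-above 30 --connlimit-mask 32 -j DROP
# Placed after the limiters on purpose (so an over-limit source's established packets are
# still subject to connlimit); the usual fast-path position would be at the top of INPUT.
-A INPUT -p tcp -m state --state RELATED,ESTABLISHED -j ACCEPT
# Only non-established tcp/80 packets reach here: a source seen 30+ times in 60 s is
# rejected, otherwise it is recorded and accepted.
# NOTE(review): hitcount 30 needs xt_recent's ip_pkt_list_tot to be >= 30 (the module
# default is 20, and the kernel refuses the rule otherwise) — confirm on the target host.
-A INPUT -p tcp -m tcp --dport 80 -m recent --update --seconds 60 --hitcount 30 --name BAD_HTTP_ACCESS --rsource -j REJECT --reject-with icmp-port-unreachable
-A INPUT -p tcp -m tcp --dport 80 -m recent --set --name BAD_HTTP_ACCESS --rsource -j ACCEPT
# syn-flood: "-m limit" is a single global token bucket (not per source). SYNs within
# 10/sec with a burst of 20 RETURN to INPUT and continue; the rest are rejected.
-A syn-flood -p tcp -m limit --limit 10/sec --limit-burst 20 -j RETURN
-A syn-flood -j REJECT --reject-with icmp-port-unreachable
COMMIT
# Completed on Fri Apr 21 17:18:20 2017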
最好用上fail2ban-0.9.0限制ssh
本文转自 liqius 51CTO博客,原文链接:http://blog.51cto.com/szgb17/1918295,如需转载请自行联系原作者