I came across a document like this: https://yq.aliyun.com/articles/44619
*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:syn-flood - [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 443 -j ACCEPT
-A INPUT -p icmp -m limit --limit 100/sec --limit-burst 100 -j ACCEPT
-A INPUT -p icmp -m limit --limit 1/s --limit-burst 10 -j ACCEPT
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j syn-flood
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A syn-flood -p tcp -m limit --limit 3/sec --limit-burst 6 -j RETURN
-A syn-flood -j REJECT --reject-with icmp-port-unreachable
COMMIT
Could someone explain how to understand the following rules?
-A INPUT -p icmp -m limit --limit 100/sec --limit-burst 100 -j ACCEPT
-A INPUT -p icmp -m limit --limit 1/s --limit-burst 10 -j ACCEPT
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j syn-flood
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A syn-flood -p tcp -m limit --limit 3/sec --limit-burst 6 -j RETURN
-A syn-flood -j REJECT --reject-with icmp-port-unreachable
Also, does AliYunDun run on a fixed port? If I set up iptables rules, what effect will that have on AliYunDun?
-A INPUT -p icmp -m limit --limit 100/sec --limit-burst 100 -j ACCEPT
Adds an inbound allow rule for ICMP, rate-limited to 100 per second, burst 100.
-A INPUT -p icmp -m limit --limit 1/s --limit-burst 10 -j ACCEPT
Adds an inbound allow rule for ICMP, rate-limited to 1 per second, burst 100.
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j syn-flood
Adds an inbound allow rule for TCP, matching the TCP flags FIN SYN RST ACK SYN.
-A INPUT -j REJECT --reject-with icmp-host-prohibited
Adds an inbound reject rule; the reject list comes from icmp-host-prohibited.
-A syn-flood -p tcp -m limit --limit 3/sec --limit-burst 6 -j RETURN
Adds a syn-flood limit: 3 per second, burst 6.
-A syn-flood -j REJECT --reject-with icmp-port-unreachable
Adds a syn-flood reject rule; the reject type is ICMP port unreachable.
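As an added illustration (not part of the question or the answer above), the Python below models the `-m limit` token bucket and traces how the quoted ICMP and syn-flood rules treat a burst of packets; the real xt_limit module counts credits in kernel ticks, so this is an approximation of its behaviour, and the arrival times are constructed sample data.

```python
# Added example, not from the original post: a token-bucket model of the iptables
# `-m limit` match (an approximation of xt_limit) applied to the quoted rules.

class LimitMatch:
    """One `-m limit --limit R/sec --limit-burst B` instance; bucket starts full."""

    def __init__(self, rate_per_sec, burst):
        self.rate = float(rate_per_sec)
        self.burst = float(burst)
        self.tokens = self.burst
        self.last_t = 0.0

    def match(self, t):
        # Refill in proportion to elapsed time, never above the burst size.
        self.tokens = min(self.burst, self.tokens + (t - self.last_t) * self.rate)
        self.last_t = t
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False

def icmp_verdicts(arrival_times):
    """Walk the two ICMP ACCEPT rules, then the final REJECT, for each packet."""
    rule_100ps = LimitMatch(100, 100)  # --limit 100/sec --limit-burst 100
    rule_1ps = LimitMatch(1, 10)       # --limit 1/s --limit-burst 10
    verdicts = []
    for t in arrival_times:
        if rule_100ps.match(t):
            verdicts.append("ACCEPT(100/s)")
        elif rule_1ps.match(t):  # only packets the first rule did not match get here
            verdicts.append("ACCEPT(1/s)")
        else:
            verdicts.append("REJECT icmp-host-prohibited")
    return verdicts

def syn_flood_verdicts(arrival_times):
    """Verdict inside the syn-flood chain for each bare SYN jumped into it."""
    lim = LimitMatch(3, 6)  # --limit 3/sec --limit-burst 6
    return ["RETURN" if lim.match(t) else "REJECT icmp-port-unreachable"
            for t in arrival_times]

if __name__ == "__main__":
    # Constructed sample traffic: 120 pings in one instant, then one a second later.
    result = icmp_verdicts([0.0] * 120 + [1.0])
    print({v: result.count(v) for v in dict.fromkeys(result)})
    # 10 bare SYNs at once, then one a second later: 6 RETURN, 4 REJECT, then RETURN.
    print(syn_flood_verdicts([0.0] * 10 + [1.0]))
```

Note that the second ICMP rule only sees packets the first one did not match, so it adds a further 1/s on top of the 100/s allowance rather than tightening it. A bare SYN to port 22, 80 or 443 is already accepted by the earlier NEW rules before it can reach the syn-flood jump, so that chain only ever judges SYNs to other ports.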