这是一个创建于 47 天前的主题,其中的信息可能已经有所发展或是发生改变。
边学边问,下面代码是网上来的,有个问题就是除了 443 和 ssh ( 6522 ) ,加入的其他端口( 80 ,6500 )都不通。如何修复?
flush ruleset
table inet my_table {
set blackhole {
type ipv4_addr
size 65535
flags dynamic,timeout
timeout 1d
}
chain my_input {
type filter hook input priority 0;
iif lo accept
ip saddr @blackhole counter set update ip saddr @blackhole counter drop
icmp type echo-request limit rate over 1/second counter drop
icmp type echo-request counter accept
icmpv6 type {echo-request, nd-neighbor-solicit} limit rate over 1/second counter drop
icmpv6 type {echo-request,nd-neighbor-solicit,nd-neighbor-advert,nd-router-solicit,nd-router-advert,mld-listener-query,destination-unreachable,packet-too-big,time-exceeded,parameter-problem} counter accept
ct state {established, related} counter accept
ct state invalid counter drop
tcp dport {80, 443, 6500, 6522} counter accept
udp dport {http, https, 6500, 6522} counter accept
tcp flags syn tcp dport ssh meter aaameter { ip saddr ct count over 20 } add @blackhole { ip saddr } counter drop
tcp flags syn tcp dport ssh meter bbbmeter { ip saddr limit rate over 20/hour } add @blackhole { ip saddr } counter drop
tcp dport ssh ct state new limit rate 20/minute counter accept
counter drop
}
chain my_forward {
type filter hook forward priority 0;
ip daddr @blackhole counter reject
counter accept
}
chain my_output {
type filter hook output priority 0;
ip daddr @blackhole counter reject
counter accept
}
}
目前尚无回复
Select Language