标签:local 解析 代码 字符串匹配算法 mangle number iptable this nbsp
主要使用iptables的string扩展模块,使用string参数阻止访问特定网站的http/https服务,使用hex-string参数阻止对特定域名进行DNS解析。
比如,阻止访问baidu.com的http/https服务。其中--string参数指定需要屏蔽的网站地址中包含的字符串关键字, --algo指定字符串匹配算法,支持bm和kmp两种算法。
#disable some http/https request iptables -A OUTPUT -p tcp -m multiport --dports 80,443 -m string --string "baidu.com" --algo bm -j DROP iptables -A INPUT -p tcp -m multiport --dports 80,443 -m string --string "baidu.com" --algo bm -j DROP iptables -A FORWARD -p tcp -m multiport --dports 80,443 -m string --string "baidu.com" --algo bm -j DROP
阻止对包含baidu.com的域名进行解析的代码如下。其中--hex-string参数中的05和03表示字符串的长度。
#disable some dns query. iptables -A OUTPUT -p tcp -m multiport --dports 53 -m string --hex-string "|05|baidu|03|com" --algo bm -j DROP iptables -A INPUT -p tcp -m multiport --dports 53 -m string --hex-string "|05|baidu|03|com" --algo bm -j DROP iptables -A FORWARD -p tcp -m multiport --dports 53 -m string --hex-string "|05|baidu|03|com" --algo bm -j DROP iptables -A OUTPUT -p udp -m multiport --dports 53 -m string --hex-string "|05|baidu|03|com" --algo bm -j DROP iptables -A INPUT -p udp -m multiport --dports 53 -m string --hex-string "|05|baidu|03|com" --algo bm -j DROP iptables -A FORWARD -p udp -m multiport --dports 53 -m string --hex-string "|05|baidu|03|com" --algo bm -j DROP
完整代码如下:
iptables -F iptables -X iptables -Z iptables -t nat -F iptables -t nat -X iptables -t nat -Z iptables -t mangle -F iptables -t mangle -X iptables -t mangle -Z iptables -t raw -F iptables -t raw -X iptables -t raw -Z iptables -t security -F iptables -t security -X iptables -t security -Z if [ "$1" = "stop" ] then echo "WARNING:iptables stopped." iptables -P INPUT ACCEPT iptables -P OUTPUT ACCEPT iptables -P FORWARD ACCEPT iptables -t nat -P INPUT ACCEPT iptables -t nat -P OUTPUT ACCEPT iptables -t nat -P PREROUTING ACCEPT iptables -t nat -P POSTROUTING ACCEPT iptables -t mangle -P OUTPUT ACCEPT iptables -t mangle -P PREROUTING ACCEPT iptables -t raw -P PREROUTING ACCEPT iptables -t raw -P OUTPUT ACCEPT iptables -t security -P INPUT ACCEPT iptables -t security -P OUTPUT ACCEPT iptables -t security -P FORWARD ACCEPT iptables -L -n -v --line-numbers exit fi iptables -P INPUT DROP iptables -P OUTPUT DROP iptables -P FORWARD DROP iptables -t mangle -P OUTPUT ACCEPT iptables -t mangle -P PREROUTING ACCEPT iptables -t raw -P PREROUTING ACCEPT iptables -t raw -P OUTPUT ACCEPT iptables -t security -P INPUT ACCEPT iptables -t security -P OUTPUT ACCEPT iptables -t security -P FORWARD ACCEPT #localhost iptables -A INPUT -i lo -s 127.0.0.1 -d 127.0.0.1 -j ACCEPT iptables -A OUTPUT -o lo -s 127.0.0.1 -d 127.0.0.1 -j ACCEPT iptables -A INPUT -s ${IP_WAN} -d ${IP_WAN} -j ACCEPT iptables -A OUTPUT -s ${IP_WAN} -d ${IP_WAN} -j ACCEPT iptables -A INPUT -s ${IP_LAN} -d ${IP_LAN} -j ACCEPT iptables -A OUTPUT -s ${IP_LAN} -d ${IP_LAN} -j ACCEPT #inside subnet. iptables -A INPUT -s ${IP_INSIDE} -j REJECT iptables -A OUTPUT -d ${IP_INSIDE} -j REJECT #disable some http/https request iptables -A OUTPUT -p tcp -m multiport --dports 80,443 -m string --string "baidu.com" --algo bm -j DROP iptables -A INPUT -p tcp -m multiport --dports 80,443 -m string --string "baidu.com" --algo bm -j DROP iptables -A FORWARD -p tcp -m multiport --dports 80,443 -m string --string "baidu.com" --algo bm -j DROP #disable some dns query. iptables -A OUTPUT -p tcp -m multiport --dports 53 -m string --hex-string "|05|baidu|03|com" --algo bm -j DROP iptables -A INPUT -p tcp -m multiport --dports 53 -m string --hex-string "|05|baidu|03|com" --algo bm -j DROP iptables -A FORWARD -p tcp -m multiport --dports 53 -m string --hex-string "|05|baidu|03|com" --algo bm -j DROP iptables -A OUTPUT -p udp -m multiport --dports 53 -m string --hex-string "|05|baidu|03|com" --algo bm -j DROP iptables -A INPUT -p udp -m multiport --dports 53 -m string --hex-string "|05|baidu|03|com" --algo bm -j DROP iptables -A FORWARD -p udp -m multiport --dports 53 -m string --hex-string "|05|baidu|03|com" --algo bm -j DROP iptables -A OUTPUT -p tcp -m multiport --dports 53 -m string --hex-string "|03|163|03|com" --algo bm -j DROP iptables -A INPUT -p tcp -m multiport --dports 53 -m string --hex-string "|03|163|03|com" --algo bm -j DROP iptables -A FORWARD -p tcp -m multiport --dports 53 -m string --hex-string "|03|163|03|com" --algo bm -j DROP iptables -A OUTPUT -p udp -m multiport --dports 53 -m string --hex-string "|03|163|03|com" --algo bm -j DROP iptables -A INPUT -p udp -m multiport --dports 53 -m string --hex-string "|03|163|03|com" --algo bm -j DROP iptables -A FORWARD -p udp -m multiport --dports 53 -m string --hex-string "|03|163|03|com" --algo bm -j DROP #ping xxx iptables -A OUTPUT -o ${ETH_WAN} -p icmp -s ${THIS_SERVER} -j ACCEPT iptables -A INPUT -i ${ETH_WAN} -p icmp -d ${THIS_SERVER} -j ACCEPT #dns lookup iptables -A OUTPUT -o ${ETH_WAN} -p udp -s ${THIS_SERVER} -d ${DNS_SERVER} --dport ${DNS_PORT} -j ACCEPT iptables -A INPUT -i ${ETH_WAN} -p udp -s ${DNS_SERVER} --sport ${DNS_PORT} -d ${THIS_SERVER} -j ACCEPT iptables -A OUTPUT -o ${ETH_WAN} -p tcp -s ${THIS_SERVER} -d ${DNS_SERVER} --dport ${DNS_PORT} -j ACCEPT iptables -A INPUT -i ${ETH_WAN} -p tcp -s ${DNS_SERVER} --sport ${DNS_PORT} -d ${THIS_SERVER} -m state --state RELATED,ESTABLISHED -j ACCEPT #http browser iptables -A OUTPUT -o ${ETH_WAN} -p tcp --match multiport --dports ${HTTP_PORT} -j ACCEPT iptables -A INPUT -i ${ETH_WAN} -p tcp --match multiport --sports ${HTTP_PORT} -m state --state RELATED,ESTABLISHED -j ACCEPT iptables -A INPUT -j LOG --log-prefix "iptables" iptables-save > /etc/sysconfig/iptables
标签:local 解析 代码 字符串匹配算法 mangle number iptable this nbsp
原文地址:https://www.cnblogs.com/coe2coe/p/9060092.html