Here the iptables rules of a WR841N router running OpenWrt are dumped and analysed.
This is the command that dumps the iptables rules:
root@OpenWrt:/etc/config# iptables-save
The output is divided into 4 parts (tables):
*nat
:PREROUTING ACCEPT [37930:3638072]
:INPUT ACCEPT [440:34479]
:OUTPUT ACCEPT [1004:101848]
:POSTROUTING ACCEPT [149:36868]
:MINIUPNPD - [0:0]
:delegate_postrouting - [0:0]
:delegate_prerouting - [0:0]
:postrouting_lan_rule - [0:0]
:postrouting_rule - [0:0]
:postrouting_wan_rule - [0:0]
:prerouting_lan_rule - [0:0]
:prerouting_rule - [0:0]
:prerouting_wan_rule - [0:0]
:zone_lan_postrouting - [0:0]
:zone_lan_prerouting - [0:0]
:zone_wan_postrouting - [0:0]
:zone_wan_prerouting - [0:0]
-A PREROUTING -j delegate_prerouting
-A POSTROUTING -j delegate_postrouting
-A delegate_postrouting -m comment --comment "user chain for postrouting" -j postrouting_rule
-A delegate_postrouting -o br-lan -j zone_lan_postrouting
-A delegate_postrouting -o eth0 -j zone_wan_postrouting
-A delegate_postrouting -o pppoe-wan -j zone_wan_postrouting
-A delegate_prerouting -m comment --comment "user chain for prerouting" -j prerouting_rule
-A delegate_prerouting -i br-lan -j zone_lan_prerouting
-A delegate_prerouting -i eth0 -j zone_wan_prerouting
-A delegate_prerouting -i pppoe-wan -j zone_wan_prerouting
-A zone_lan_postrouting -m comment --comment "user chain for postrouting" -j postrouting_lan_rule
-A zone_lan_prerouting -m comment --comment "user chain for prerouting" -j prerouting_lan_rule
-A zone_wan_postrouting -m comment --comment "user chain for postrouting" -j postrouting_wan_rule
-A zone_wan_postrouting -j MASQUERADE
-A zone_wan_prerouting -j MINIUPNPD
-A zone_wan_prerouting -m comment --comment "user chain for prerouting" -j prerouting_wan_rule
COMMIT
The numbers in square brackets are the traffic counters at the time of the dump (packet count and byte count).
This is summarised in the diagram below:
Traffic coming in from the LAN side is handed to miniupnpd for processing; this tool is useful for P2P downloads.
Traffic going out of the WAN port uses MASQUERADE, an enhanced form of SNAT that rewrites the source IP address. This is what gives the router its NAT function and lets it serve multiple clients at the same time.
*raw
:PREROUTING ACCEPT [3358190:2718603756]
:OUTPUT ACCEPT [14202:1858213]
:notrack - [0:0]
-A PREROUTING -j notrack
COMMIT
Essentially nothing is done here, so it is not analysed further.
*mangle
:PREROUTING ACCEPT [3358190:2718603756]
:INPUT ACCEPT [14538:1853317]
:FORWARD ACCEPT [3342456:2716312729]
:OUTPUT ACCEPT [14202:1858213]
:POSTROUTING ACCEPT [3356900:2718229627]
:ASSIGNOUT - [0:0]
:NWANOUT - [0:0]
:NWANPOS - [0:0]
:NWANPRE - [0:0]
:fwmark - [0:0]
:mssfix - [0:0]
-A PREROUTING -j ASSIGNOUT
-A PREROUTING -j NWANPRE
-A PREROUTING -j fwmark
-A FORWARD -j mssfix
-A OUTPUT -j NWANOUT
-A POSTROUTING -j NWANPOS
-A ASSIGNOUT -m state --state RELATED,ESTABLISHED -j RETURN
-A NWANOUT -m conntrack --ctstate RELATED,ESTABLISHED -j CONNMARK --restore-mark --nfmask 0xffffffff --ctmask 0xffffffff
-A NWANPOS -o pppoe-wan -m state --state NEW -j CONNMARK --set-xmark 0xa/0xffffffff
-A NWANPRE -i pppoe-wan -m state --state NEW -j CONNMARK --set-xmark 0xa/0xffffffff
-A NWANPRE -i br-lan -m conntrack --ctstate RELATED,ESTABLISHED -j CONNMARK --restore-mark --nfmask 0xffffffff --ctmask 0xffffffff
-A mssfix -o eth0 -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "wan (mtu_fix)" -j TCPMSS --clamp-mss-to-pmtu
-A mssfix -o pppoe-wan -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "wan (mtu_fix)" -j TCPMSS --clamp-mss-to-pmtu
COMMIT
Here CONNMARK is applied at PREROUTING, OUTPUT and POSTROUTING; the marks are used for connection management, for example QoS. For forwarded traffic the TCP MSS is clamped.
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:MINIUPNPD - [0:0]
:delegate_forward - [0:0]
:delegate_input - [0:0]
:delegate_output - [0:0]
:forwarding_lan_rule - [0:0]
:forwarding_rule - [0:0]
:forwarding_wan_rule - [0:0]
:input_lan_rule - [0:0]
:input_rule - [0:0]
:input_wan_rule - [0:0]
:output_lan_rule - [0:0]
:output_rule - [0:0]
:output_wan_rule - [0:0]
:reject - [0:0]
:syn_flood - [0:0]
:zone_lan_dest_ACCEPT - [0:0]
:zone_lan_forward - [0:0]
:zone_lan_input - [0:0]
:zone_lan_output - [0:0]
:zone_lan_src_ACCEPT - [0:0]
:zone_lan_src_REJECT - [0:0]
:zone_wan_dest_ACCEPT - [0:0]
:zone_wan_forward - [0:0]
:zone_wan_input - [0:0]
:zone_wan_output - [0:0]
:zone_wan_src_REJECT - [0:0]
-A INPUT -j delegate_input
-A FORWARD -j delegate_forward
-A OUTPUT -j delegate_output
-A delegate_forward -m comment --comment "user chain for forwarding" -j forwarding_rule
-A delegate_forward -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A delegate_forward -i br-lan -j zone_lan_forward
-A delegate_forward -i eth0 -j zone_wan_forward
-A delegate_forward -i pppoe-wan -j zone_wan_forward
-A delegate_forward -j reject
-A delegate_input -i lo -j ACCEPT
-A delegate_input -m comment --comment "user chain for input" -j input_rule
-A delegate_input -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A delegate_input -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j syn_flood
-A delegate_input -i br-lan -j zone_lan_input
-A delegate_input -i eth0 -j zone_wan_input
-A delegate_input -i pppoe-wan -j zone_wan_input
-A delegate_output -o lo -j ACCEPT
-A delegate_output -m comment --comment "user chain for output" -j output_rule
-A delegate_output -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A delegate_output -o br-lan -j zone_lan_output
-A delegate_output -o eth0 -j zone_wan_output
-A delegate_output -o pppoe-wan -j zone_wan_output
-A reject -p tcp -j REJECT --reject-with tcp-reset
-A reject -j REJECT --reject-with icmp-port-unreachable
-A syn_flood -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m limit --limit 25/sec --limit-burst 50 -j RETURN
-A syn_flood -j DROP
-A zone_lan_dest_ACCEPT -o br-lan -j ACCEPT
-A zone_lan_forward -m comment --comment "user chain for forwarding" -j forwarding_lan_rule
-A zone_lan_forward -m comment --comment "forwarding lan -> wan" -j zone_wan_dest_ACCEPT
-A zone_lan_forward -j zone_lan_src_REJECT
-A zone_lan_input -m comment --comment "user chain for input" -j input_lan_rule
-A zone_lan_input -j zone_lan_src_ACCEPT
-A zone_lan_output -m comment --comment "user chain for output" -j output_lan_rule
-A zone_lan_output -j zone_lan_dest_ACCEPT
-A zone_lan_src_ACCEPT -i br-lan -j ACCEPT
-A zone_lan_src_REJECT -i br-lan -j reject
-A zone_wan_dest_ACCEPT -o eth0 -j ACCEPT
-A zone_wan_dest_ACCEPT -o pppoe-wan -j ACCEPT
-A zone_wan_forward -j MINIUPNPD
-A zone_wan_forward -m comment --comment "user chain for forwarding" -j forwarding_wan_rule
-A zone_wan_forward -j zone_wan_src_REJECT
-A zone_wan_input -m comment --comment "user chain for input" -j input_wan_rule
-A zone_wan_input -p tcp -m tcp --dport 51413 -m comment --comment "51413" -j ACCEPT
-A zone_wan_input -p udp -m udp --dport 51413 -m comment --comment "51413" -j ACCEPT
-A zone_wan_input -p tcp -m tcp --dport 9091 -m comment --comment "9091" -j ACCEPT
-A zone_wan_input -p udp -m udp --dport 68 -m comment --comment "Allow-DHCP-Renew" -j ACCEPT
-A zone_wan_input -p icmp -m icmp --icmp-type 8 -m comment --comment "Allow-Ping" -j ACCEPT
-A zone_wan_input -j zone_wan_src_REJECT
-A zone_wan_output -m comment --comment "user chain for output" -j output_wan_rule
-A zone_wan_output -j zone_wan_dest_ACCEPT
-A zone_wan_src_REJECT -i eth0 -j reject
-A zone_wan_src_REJECT -i pppoe-wan -j reject
COMMIT
Leaving eth0 aside for now: traffic arriving on the WAN port is what needs the most careful filtering, because hosts on the Internet must not be able to attack the router at will. Here ICMP is allowed; ports 51413 and 9091 belong to the transmission download tool, and port 68 belongs to the DHCP service.
For FORWARD traffic, essentially everything is blocked here.
Traffic sent out of the WAN port is allowed through entirely.
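To make the WAN-side INPUT analysis above repeatable, here is an added example (not code from the original post) that parses iptables-save text, walks the INPUT path for packets arriving on the WAN interface and reports which ports reach ACCEPT and what the final verdict is. The embedded dump is a constructed excerpt of the filter table above, and the function names are my own.

```python
"""Added example (not from the original post): list which ports the *filter table
accepts from the WAN interface by walking the INPUT path of an iptables-save dump.
Only -i, -p, --dport, --icmp-type and -j are interpreted (stateful matches such as
conntrack are ignored), so the result over-approximates what is reachable."""
import shlex

# Constructed excerpt of the post's *filter table: the chains on the WAN INPUT path.
SAMPLE = """*filter
-A INPUT -j delegate_input
-A delegate_input -i lo -j ACCEPT
-A delegate_input -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A delegate_input -i br-lan -j zone_lan_input
-A delegate_input -i pppoe-wan -j zone_wan_input
-A zone_wan_input -p tcp -m tcp --dport 51413 -m comment --comment "51413" -j ACCEPT
-A zone_wan_input -p udp -m udp --dport 68 -m comment --comment "Allow-DHCP-Renew" -j ACCEPT
-A zone_wan_input -p icmp -m icmp --icmp-type 8 -m comment --comment "Allow-Ping" -j ACCEPT
-A zone_wan_input -j zone_wan_src_REJECT
-A zone_wan_src_REJECT -i pppoe-wan -j reject
-A reject -p tcp -j REJECT --reject-with tcp-reset
-A reject -j REJECT --reject-with icmp-port-unreachable
COMMIT
"""

def parse_filter(dump):
    """Return {chain: [rule-dict, ...]} for the -A lines of the *filter table."""
    chains, table = {}, None
    for line in dump.splitlines():
        if line.startswith("*"):
            table = line[1:]
        elif table == "filter" and line.startswith("-A "):
            toks, rule, i = shlex.split(line)[1:], {}, 1
            while i < len(toks):  # "--opt value" pairs; a bare flag maps to True
                has_val = i + 1 < len(toks) and not toks[i + 1].startswith("-")
                rule[toks[i].lstrip("-")] = toks[i + 1] if has_val else True
                i += 2 if has_val else 1
            chains.setdefault(toks[0], []).append(rule)
    return chains

def wan_exposure(dump, wan_if):
    """Return (ports ACCEPTed for packets arriving on wan_if, terminal verdict)."""
    chains, accepts = parse_filter(dump), []
    def walk(chain):  # terminal target reached from this chain, or None on fall-through
        for r in chains.get(chain, []):
            if r.get("i", wan_if) != wan_if:
                continue  # rule applies to another interface
            t = r.get("j")
            if t == "ACCEPT" and ("dport" in r or "icmp-type" in r):
                accepts.append(f"{r['p']}/{r.get('dport') or r['icmp-type']}")
            elif t in ("DROP", "REJECT") or (t in chains and (t := walk(t))):
                return t  # verdict reached here or inside a jumped-to chain
        return None
    return accepts, walk("INPUT")
```

Running `wan_exposure(SAMPLE, "pppoe-wan")` yields the three open ports and the REJECT verdict; replace SAMPLE with the real iptables-save output to audit a live router.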
In summary: SNAT provides the router's basic function, connection tracking allows each connection to be managed, and a few additional policies help the download tool work.