# System security: iptables and ip6tables

## Simple iptables test: set up a virtual machine with KVM and run the test

![](/files/-M0KkNssxOXljl0kRldo)

In the virtual machine (192.168.122.247), add the following rules and run the test:

```bash
#!/bin/bash
# Flush existing rules and reset default policies
iptables -F
iptables -X
iptables -t nat -F
iptables -t nat -X
iptables -t mangle -F
iptables -t mangle -X
iptables -P INPUT ACCEPT
iptables -P OUTPUT ACCEPT
iptables -P FORWARD ACCEPT

# Create a user-defined ICMP chain
iptables -N ICMP

# Log the packet
iptables -A ICMP -p icmp -j LOG --log-prefix 'Ping:' --log-level alert

# ICMP chain rule: drop the packet
iptables -A ICMP -p icmp -j DROP

# Send ICMP packets on the INPUT chain to the ICMP chain
iptables -A INPUT -p icmp -j ICMP
```

At this point every ICMP packet arriving at the VM is dropped, including the echo replies to its own pings, so pinging 192.168.122.1 from 192.168.122.247 also fails.

Improvement:

Only echo requests (ICMP type 8, code 0) need to be blocked. Revised commands:

```bash
#!/bin/bash
# Flush existing rules and reset default policies
iptables -F
iptables -X
iptables -t nat -F
iptables -t nat -X
iptables -t mangle -F
iptables -t mangle -X
iptables -P INPUT ACCEPT
iptables -P OUTPUT ACCEPT
iptables -P FORWARD ACCEPT

# Create a user-defined ICMP chain
iptables -N ICMP

# Log only echo requests (type 8)
iptables -A ICMP -p icmp --icmp-type 8 -j LOG --log-prefix 'Ping Request:' --log-level alert

# ICMP chain rule: drop echo requests only, so echo replies still get through
iptables -A ICMP -p icmp --icmp-type 8 -j DROP

# Send ICMP packets on the INPUT chain to the ICMP chain
iptables -A INPUT -p icmp -j ICMP
```

## Observation

#### `cat /var/log/syslog | grep ICMP`

```
Feb 18 08:34:19 pi-pc kernel: [ 253.444190] Ping:IN=enp1s0 OUT= MAC=52:54:00:5d:71:e6:52:54:00:a0:9d:cf:08:00 SRC=192.168.122.1 DST=192.168.122.247 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=9022 DF PROTO=ICMP TYPE=8 CODE=0 ID=3 SEQ=1
```

In the `MAC=` field the first six bytes (`52:54:00:5d:71:e6`) are the destination MAC, the next six (`52:54:00:a0:9d:cf`) are the source MAC, and the trailing `08:00` is the EtherType (IPv4). `TYPE=8 CODE=0` confirms that the logged packet is an echo request from the host (192.168.122.1) to the VM (192.168.122.247).
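To review these LOG entries at scale, the kernel line format above can be parsed into fields. The following is an added example (not part of the original page): it splits the `MAC=` field into destination MAC, source MAC and EtherType, keeps the two `ID=` values apart (IP header ID versus ICMP echo ID), and counts dropped echo requests per source; the extra syslog lines are constructed for the example.

```python
import re
from collections import Counter

# Constructed sample: the page's own line plus made-up lines in the same format.
SAMPLE_SYSLOG = """\
Feb 18 08:34:19 pi-pc kernel: [ 253.444190] Ping:IN=enp1s0 OUT= MAC=52:54:00:5d:71:e6:52:54:00:a0:9d:cf:08:00 SRC=192.168.122.1 DST=192.168.122.247 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=9022 DF PROTO=ICMP TYPE=8 CODE=0 ID=3 SEQ=1
Feb 18 08:34:20 pi-pc kernel: [ 254.444233] Ping:IN=enp1s0 OUT= MAC=52:54:00:5d:71:e6:52:54:00:a0:9d:cf:08:00 SRC=192.168.122.1 DST=192.168.122.247 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=9031 DF PROTO=ICMP TYPE=8 CODE=0 ID=3 SEQ=2
Feb 18 08:35:02 pi-pc kernel: [ 296.101010] Ping Request:IN=enp1s0 OUT= MAC=52:54:00:5d:71:e6:52:54:00:11:22:33:08:00 SRC=192.168.122.50 DST=192.168.122.247 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=17 DF PROTO=ICMP TYPE=8 CODE=0 ID=9 SEQ=1
Feb 18 08:35:03 pi-pc sshd[812]: Accepted publickey for pi from 192.168.122.1 port 50222
"""

# Kernel timestamp, then the --log-prefix text, then the first key=value field (IN=).
LOG_RE = re.compile(r"kernel: \[\s*[\d.]+\] (?P<prefix>.*?)IN=(?P<rest>.*)$")

def parse_netfilter_log(line):
    """Parse one netfilter LOG line into a dict; return None for unrelated syslog lines."""
    m = LOG_RE.search(line)
    if not m:
        return None
    entry = {"prefix": m.group("prefix").strip(), "flags": []}
    for token in ("IN=" + m.group("rest")).split():
        if "=" not in token:           # bare flags such as DF
            entry["flags"].append(token)
            continue
        key, _, value = token.partition("=")
        if key in entry:               # ID appears twice: IP header ID, then ICMP echo ID
            key = "ICMP_" + key
        entry[key] = value
    mac = entry.get("MAC", "").split(":")
    if len(mac) == 14:                 # 6 bytes dst, 6 bytes src, 2 bytes EtherType
        entry["dst_mac"] = ":".join(mac[:6])
        entry["src_mac"] = ":".join(mac[6:12])
        entry["ethertype"] = "".join(mac[12:])   # "0800" = IPv4
    return entry

def is_echo_request(entry):
    """True when the entry matches what the revised rule drops: ICMP type 8, code 0."""
    return entry.get("PROTO") == "ICMP" and entry.get("TYPE") == "8" and entry.get("CODE") == "0"

def echo_requests_per_source(syslog_text):
    """Count logged (dropped) echo requests per source IP."""
    counts = Counter()
    for line in syslog_text.splitlines():
        entry = parse_netfilter_log(line)
        if entry and is_echo_request(entry):
            counts[entry["SRC"]] += 1
    return dict(counts)
```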
