# iptables and NAT routers

Log in to the Router machine

Set up the firewall

Test the ssh connection

![](/files/-M0LCeAKSSTjK5F6Vfs0)

Allow the Router to ping others, but prevent the outside from pinging the Router

```
# Path to the iptables binary (must run as root)
IPTABLES=${IPTABLES:-/sbin/iptables}

echo "Flush nat table ......"
echo
# Flush nat
$IPTABLES -F -t nat
$IPTABLES -t nat -X
###-----------------------------------------------------###
# Set the default policies of the filter table
###-----------------------------------------------------###
$IPTABLES -P INPUT ACCEPT
$IPTABLES -P OUTPUT ACCEPT
$IPTABLES -P FORWARD ACCEPT

# Create the ICMP chain (-N fails if the chain already exists; flush and
# delete it first when re-running this script)
$IPTABLES -N ICMP

# Log every incoming echo request (LOG does not terminate the chain,
# so the packet continues to the next rule)
$IPTABLES -A ICMP -p icmp --icmp-type 8 -j LOG --log-prefix 'Ping Request:' --log-level alert

# Debug: allow ping (uses the iptables first-match mechanism; while this
# line is active the DROP below is never reached, so keep it commented
# out unless you are debugging)
#$IPTABLES -A ICMP -p icmp --icmp-type 8 -j ACCEPT
# ICMP chain rule: DROP the packet
$IPTABLES -A ICMP -p icmp --icmp-type 8 -j DROP
# Send icmp packets on the INPUT chain to the ICMP chain
# (echo replies to the Router's own pings match nothing in ICMP, return to
# INPUT and are accepted by the default policy, so the Router can still ping out)
$IPTABLES -A INPUT -p icmp -j ICMP
```

### ICMP flood attack test

![](/files/-M0Lxdec5CT5TROhAYxl)

### Setting up SSH connection restrictions

```
# Path to the iptables binary (must run as root)
IPTABLES=${IPTABLES:-/sbin/iptables}

# 2. Create the SSH chain
$IPTABLES -N SSH
# Log every incoming SSH connection attempt
$IPTABLES -A SSH -p tcp --dport 22 -j LOG --log-prefix 'SSH login:' --log-level alert
# Debug: allow ssh (uses the iptables first-match mechanism)
#$IPTABLES -A SSH -p tcp --dport 22 -j ACCEPT
# SSH chain rule: DROP packets from the 192.168.168.0/24 network
$IPTABLES -A SSH -s 192.168.168.0/24 -p tcp --dport 22 -j DROP
# Send ssh packets on the INPUT chain to the SSH chain
$IPTABLES -A INPUT -p tcp --dport 22 -j SSH
```
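Both rule sets above depend on three pieces of iptables behaviour: rules in a chain are tried in order and the first terminating target wins, LOG matches but does not terminate, and a packet that reaches the end of a user-defined chain returns to the calling chain (and, at the end of INPUT, gets the chain policy). The following Python model of those semantics is an added example written for this page, not part of the original notes or of iptables itself; the packet samples, addresses and the `Firewall`, `Rule` and `Packet` names are constructed for illustration. It reproduces the ICMP and SSH chains and shows why the "Debug" ACCEPT line shadows the DROP, why the Router's own outgoing pings still get their replies, and which SSH sources are dropped.

```python
"""Tiny model of iptables first-match semantics (added example, not from the page).

It models only what the two rule scripts rely on:
- rules are tried in order; the first matching terminating target (ACCEPT/DROP) wins
- LOG matches but does not terminate, so evaluation continues with the next rule
- the end of a user-defined chain (ICMP, SSH) returns to the calling chain, and
  the end of INPUT yields the chain policy
All packets and addresses below are constructed sample data.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional


@dataclass
class Packet:
    src: str
    proto: str                      # "icmp" or "tcp"
    icmp_type: Optional[int] = None
    dport: Optional[int] = None


@dataclass
class Rule:
    target: str                     # ACCEPT, DROP, LOG, or a user-defined chain name
    proto: Optional[str] = None     # -p
    icmp_type: Optional[int] = None  # --icmp-type
    dport: Optional[int] = None     # --dport
    src: Optional[str] = None       # -s (CIDR)
    log_prefix: str = ""            # --log-prefix

    def matches(self, pkt: Packet) -> bool:
        if self.proto and pkt.proto != self.proto:
            return False
        if self.icmp_type is not None and pkt.icmp_type != self.icmp_type:
            return False
        if self.dport is not None and pkt.dport != self.dport:
            return False
        if self.src and ip_address(pkt.src) not in ip_network(self.src):
            return False
        return True


class Firewall:
    def __init__(self) -> None:
        self.chains = {"INPUT": []}      # built-in chain
        self.policy = {"INPUT": "ACCEPT"}  # -P INPUT ACCEPT
        self.log: List[str] = []         # what the LOG target would write to syslog

    def new_chain(self, name: str) -> None:        # -N
        self.chains[name] = []

    def append(self, chain: str, rule: Rule) -> None:  # -A
        self.chains[chain].append(rule)

    def _walk(self, chain: str, pkt: Packet) -> Optional[str]:
        for rule in self.chains[chain]:
            if not rule.matches(pkt):
                continue
            if rule.target == "LOG":
                self.log.append(f"{rule.log_prefix} {pkt.src}")
                continue                                # LOG is non-terminating
            if rule.target in ("ACCEPT", "DROP"):
                return rule.target                      # first match wins
            verdict = self._walk(rule.target, pkt)      # -j <user chain>
            if verdict is not None:
                return verdict
        return None                                     # end of chain: implicit RETURN

    def input_verdict(self, pkt: Packet) -> str:
        return self._walk("INPUT", pkt) or self.policy["INPUT"]


def build_firewall(debug_accept: bool) -> Firewall:
    """Mirror the page's ICMP and SSH chains; debug_accept toggles the '#Debug' ACCEPT line."""
    fw = Firewall()
    fw.new_chain("ICMP")
    fw.append("ICMP", Rule("LOG", proto="icmp", icmp_type=8, log_prefix="Ping Request:"))
    if debug_accept:
        fw.append("ICMP", Rule("ACCEPT", proto="icmp", icmp_type=8))
    fw.append("ICMP", Rule("DROP", proto="icmp", icmp_type=8))
    fw.append("INPUT", Rule("ICMP", proto="icmp"))

    fw.new_chain("SSH")
    fw.append("SSH", Rule("LOG", proto="tcp", dport=22, log_prefix="SSH login:"))
    fw.append("SSH", Rule("DROP", proto="tcp", dport=22, src="192.168.168.0/24"))
    fw.append("INPUT", Rule("SSH", proto="tcp", dport=22))
    return fw


# Constructed sample traffic arriving on the Router's INPUT chain
ECHO_REQUEST = Packet("10.0.0.5", "icmp", icmp_type=8)   # an outside host pinging the Router
ECHO_REPLY = Packet("10.0.0.5", "icmp", icmp_type=0)     # reply to the Router's own ping
SSH_LAN = Packet("192.168.168.10", "tcp", dport=22)      # SSH from the blocked subnet
SSH_OTHER = Packet("10.0.0.5", "tcp", dport=22)          # SSH from anywhere else

if __name__ == "__main__":
    for debug in (True, False):
        fw = build_firewall(debug)
        print(f"debug ACCEPT present={debug}:",
              "echo-request", fw.input_verdict(ECHO_REQUEST),
              "| echo-reply", fw.input_verdict(ECHO_REPLY),
              "| ssh from LAN", fw.input_verdict(SSH_LAN),
              "| ssh elsewhere", fw.input_verdict(SSH_OTHER))
```

With the Debug line present the echo request is logged and then accepted, so the DROP that follows it is dead; with it removed the same packet is logged and dropped, while the echo reply (type 0) matches nothing in the ICMP chain, returns to INPUT and is accepted by the policy. The ICMP flood test above exercises exactly this path: every request still costs a LOG entry before the DROP, which is why rate-limiting the LOG rule matters on a busy router.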
