# Generated by iptables-save v1.3.1 on Sun Apr 23 05:32:09 2006 *filter :INPUT ACCEPT [273:55355] :FORWARD ACCEPT [0:0] :LOGNDROP - [0:0] :OUTPUT ACCEPT [92376:20668252] -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT -A INPUT -i eth0 -p tcp -m tcp --dport 22 -j ACCEPT -A INPUT -i eth0 -p tcp -m tcp --dport 80 -j ACCEPT -A INPUT -i lo -j ACCEPT -A INPUT -j LOGNDROP -A LOGNDROP -p tcp -m limit --limit 5/min -j LOG --log-prefix "Denied TCP: " --log-level 7 -A LOGNDROP -p udp -m limit --limit 5/min -j LOG --log-prefix "Denied UDP: " --log-level 7 -A LOGNDROP -p icmp -m limit --limit 5/min -j LOG --log-prefix "Denied ICMP: " --log-level 7 -A LOGNDROP -j DROP COMMIT # Completed on Sun Apr 23 05:32:09 2006
請注意 一個名為 LOGNDROP的鏈在文件頂部。而且,INPUT鏈底部標準的DROP被替換成了LOGNDROP,同時添加了協(xié)議描述so it makes sense looking at the log。最後我們在LOGNDROP鏈尾部丟棄了這些流量。下面的行告訴我們發(fā)生了什么:
* --limit 設置記錄相同規(guī)則到syslog中的次數(shù) * --log-prefix "Denied..." 添加一個前綴使得在syslog中查找更easy * --log-level 7 設置syslog的消息級別 (see man syslog for more detail, but you can probably leave this)