iptables layer7 configuration on Linux (part 2)
ts 22,25,80 -j DROP

connlimit
- [!] --connlimit-above n  (maximum number of connections)
  Allows you to restrict the number of parallel connections to a server per client IP address (or client address block).
- Example:
  iptables -A INPUT -p tcp --syn --dport 22 -m connlimit --connlimit-above 2 -j REJECT
  Allow 2 ssh connections per client host.

Limit the maximum number of connections from the external network to 2:
[root@station93 ~]# iptables -A OUTPUT -p tcp --syn --dport 22 -m connlimit --connlimit-above 2 -j REJECT

string
- Two algorithms are available: bm and kmp.
- This module matches a given string by using some pattern matching strategy.
- It requires a Linux kernel >= 2.6.14.
- [!] --string pattern
  Matches the given pattern.
- --algo {bm|kmp}
  Select the pattern matching strategy (bm = Boyer-Moore, kmp = Knuth-Morris-Pratt).
- Examples:
  iptables -A OUTPUT -p udp --dport 53 -m string --string "verycd" --algo bm -j DROP
  iptables -A OUTPUT -p tcp --dport 80 -m string --string "***" --algo kmp -j DROP

Block internal-network hosts from browsing external web pages that contain the string "secert":
[root@3 html]# echo "secert" >> index2.html
[root@3 html]# cat index2.html
secret this is the second test secret
[root@station93 ~]# iptables -A FORWARD -s 10.0.2.100 -d 10.0.3.100 -p tcp --sport 80 -m string --string "secert" --algo bm -j DROP

time
- This matches if the packet arrival time/date is within a given range.
- --datestart YYYY[-MM[-DD[Thh[:mm[:ss]]]]]
- --datestop YYYY[-MM[-DD[Thh[:mm[:ss]]]]]
  Only match during the given time. The possible time range is 1970-01-01T00:00:00 to 2038-01-19T04:17:07.
- --timestart hh:mm[:ss]
- --timestop hh:mm[:ss]
  The possible time range is 00:00:00 to 23:59:59. Leading zeroes are allowed.
- [!] --monthdays day[,day...]
  Only match on the given days of the month. Possible values are 1 to 31.
- [!] --weekdays day[,day...]
  Only match on the given weekdays. Possible values are Mon, Tue, Wed, Thu, Fri, Sat, Sun, or values from 1 to 7, respectively.
- Examples:
  -m time --weekdays Sa,Su
  -m time --timestart 12:30 --timestop 13:30

[root@station93 ~]# iptables -A FORWARD -m time --timestart 00:00 --timestop 8:00 -j DROP

-j LOG
- --log-level level
  Level of logging.
- --log-prefix prefix
  Prefix log messages with the specified prefix; up to 29 letters long, and useful for distinguishing messages in the logs.
- --log-tcp-options
  Log options from the TCP packet header.
- --log-ip-options
  Log options from the IP packet header.

[root@station93 ~]# iptables -A FORWARD -s 10.0.3.100 -d 10.0.2.100 -p tcp --dport -j LOG --log-prefix "abc"

Layer7-based rules are very similar: the protocol patterns are already defined inside the module, and we only need to call them by name.
For example, forbid internal-network users from using QQ during working hours:
[root@station93 ~]# iptables -A FORWARD -s 10.0.2.100 -d 10.0.3.100 -p tcp --dport 80 -m time --timestart 8:00 --timestop 18:00 -m layer7 --l7proto qq
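The LOG target writes one kernel-log line per matched packet, with the --log-prefix text placed in front of the packet fields. As an added example that is not part of the original article, here is a small Python parser that reads such lines, keeps only those carrying a given prefix, and counts packets per source, protocol and destination port, which is the usual first step when reviewing what a logging rule like the one above actually caught. The log lines are constructed samples in the kernel LOG format, not output captured from station93.

```python
import re
from collections import Counter

# Constructed sample lines in the format the kernel LOG target emits
# (prefix "abc" as in the FORWARD rule above). Not captured from a real host.
SAMPLE_LOG = """\
May  4 08:01:12 station93 kernel: abc IN=eth1 OUT=eth0 SRC=10.0.3.100 DST=10.0.2.100 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=4213 DF PROTO=TCP SPT=51234 DPT=80 WINDOW=29200 RES=0x00 SYN URGP=0
May  4 08:01:13 station93 kernel: abc IN=eth1 OUT=eth0 SRC=10.0.3.100 DST=10.0.2.100 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=4214 DF PROTO=TCP SPT=51235 DPT=80 WINDOW=29200 RES=0x00 SYN URGP=0
May  4 08:01:15 station93 kernel: abc IN=eth1 OUT=eth0 SRC=10.0.3.101 DST=10.0.2.100 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=9001 DF PROTO=TCP SPT=40000 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0
May  4 08:01:16 station93 kernel: other IN=eth1 OUT=eth0 SRC=10.0.3.102 DST=10.0.2.100 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=1 PROTO=ICMP TYPE=8 CODE=0 ID=3 SEQ=1
May  4 08:01:17 station93 sshd[1234]: Accepted publickey for root from 10.0.3.100
"""

# Everything between "kernel: " and the first "IN=" is the --log-prefix text.
LINE_RE = re.compile(r"kernel: (?P<prefix>.*?)\s*(?P<rest>IN=.*)$")


def parse_log_line(line):
    """Return the KEY=VALUE fields of one LOG-target line as a dict, or None
    if the line was not written by the LOG target."""
    m = LINE_RE.search(line)
    if not m:
        return None
    fields = {"PREFIX": m.group("prefix").strip()}
    flags = []
    for token in m.group("rest").split():
        key, sep, value = token.partition("=")
        if sep:
            fields[key] = value      # a later duplicate key (ICMP ID=) overwrites
        else:
            flags.append(token)      # bare flags such as DF, SYN, ACK
    fields["FLAGS"] = flags
    return fields


def summarize(text, prefix="abc"):
    """Count logged packets per (SRC, PROTO, DPT) for lines with the given prefix."""
    counts = Counter()
    for line in text.splitlines():
        f = parse_log_line(line)
        if f and f["PREFIX"] == prefix:
            counts[(f["SRC"], f.get("PROTO"), f.get("DPT", "-"))] += 1
    return counts


def noisy_sources(counts, threshold=2):
    """Sources whose total logged packets reach the threshold, sorted."""
    per_src = Counter()
    for (src, _proto, _dpt), n in counts.items():
        per_src[src] += n
    return sorted(s for s, n in per_src.items() if n >= threshold)
```

Feed it the relevant lines from /var/log/messages (or the journal) on the firewall host to see per-source counts for a given prefix; the threshold in noisy_sources plays the same role as --connlimit-above, but evaluated over the log after the fact.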