--tcp-flags
用于匹配报文的tcp头的标志位
iptables -t filter -I INPUT -p tcp -m tcp --dport 22 --tcp-flags SYN,ACK,FIN,RST,URG,PSH SYN -j REJECT
iptables -t filter -I OUTPUT -p tcp -m tcp --sport 22 --tcp-flags SYN,ACK,FIN,RST,URG,PSH SYN,ACK -j REJECT
iptables -t filter -I INPUT -p tcp -m tcp --dport 22 --tcp-flags ALL SYN -j REJECT
iptables -t filter -I OUTPUT -p tcp -m tcp --sport 22 --tcp-flags ALL SYN,ACK -j REJECT
--syn
用于匹配tcp新建连接的请求报文,相当于“--tcp-flags SYN,RST,ACK,FIN SYN”
iptables -t filter -I INPUT -p tcp -m tcp --dport 22 --syn -j REJECT
udp
--sport 匹配udp报文的源地址
--dsport 匹配udp报文的目标地址
iptables -t filter -I INPUT -p udp -m udp --dport 137 -j ACCEPT
iptables -t filter -I INPUT -p udp -m udp --dport 137:157 -j ACCEPT
#可以结合multiport模块指定多个离散的端口
icmp
--icmp-type 匹配icmp报文的具体类型
iptables -t filter -I INPUT -p icmp -m icmp --icmp-type 8/0 -j REJECT
iptables -t filter -I INPUT -p icmp --icmp-type 8 -j REJECT
iptables -t filter -I OUTPUT -p icmp -m icmp --icmp-type 0/0 -j REJECT
iptables -t filter -I OUTPUT -p icmp --icmp-type 0 -j REJECT
iptables -t filter -I INPUT -p icmp --icmp-type "echo-request" -j REJECT
state
- NEW
- ESTABLISHED
- RELATED
- INVALID
- UNTRACKED
iptables -F
iptables -t filter -I -m state --state RELATED,ESTABLISHED -j ACCEPET
iptables -t filter -A INPUT -j REJECT