When configuring iptables strictly, do filter, mangle, nat, raw, and security all need to be set to DROP?
Hi,
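When configuring iptables strictly, do filter, mangle, nat, raw, and security all need to be set to DROP?
I found that the chains in filter, mangle, raw, and security can be set to DROP, but nat cannot be set to DROP; the message says nat is not meant for filtering??
Has anyone actually set nat to DROP or REJECT in a real project? Thanks.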
# iptables -L -t nat
Chain PREROUTING (policy ACCEPT)
target prot opt source destination
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Chain POSTROUTING (policy ACCEPT)
target prot opt source destination
# iptables -t nat -P OUTPUT DROP
iptables v1.4.21:
The "nat" table is not intended for filtering, the use of DROP is therefore inhibited.
Try `iptables -h' or 'iptables --help' for more information.
#
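
As an added example that is not part of the original post: a read-only check that lists the policy of every built-in chain in each table from iptables-save output, marking nat as not applicable per the error quoted above. The sample dump is constructed, and audit_policies and sample_dump are hypothetical helper names.

```shell
# Added example: review built-in chain policies per table.
# Parses iptables-save text only; it changes no firewall state.
sample_dump() {
cat <<'EOF'
*raw
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT
*mangle
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:LOGDROP - [0:0]
-A INPUT -i lo -j ACCEPT
COMMIT
EOF
}

# audit_policies (hypothetical helper): reads iptables-save text on stdin and
# prints "table chain policy note" for each built-in chain.
audit_policies() {
  awk '
    /^\*/ { table = substr($0, 2); next }  # "*filter" starts a table section
    /^:/  {
      chain = substr($1, 2); policy = $2
      if (policy == "-") next              # user-defined chain, no policy
      if (table == "nat")        note = "n/a (iptables refuses DROP here)"
      else if (policy == "DROP") note = "default-deny"
      else                       note = "default-allow"
      printf "%-8s %-12s %-7s %s\n", table, chain, policy, note
    }'
}

sample_dump | audit_policies   # constructed sample, not a live ruleset
```

On a live host, pipe the real ruleset in as root with iptables-save | audit_policies.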