A bit of understanding about iptables

I came across this by chance on Stack Overflow; I had really never paid attention to it before.

Question:

I was trying to block an IP of (network stresser tool – a DDoS website selling DDoS bots by the second online). The first one I was trying to block with iptables:

iptables -A INPUT -d 173.193.26.73 -j DROP
iptables -A INPUT -s 173.193.26.73 -j DROP
However, I still see the IP and the bandwidth still up on iftop. I also still see the IP going on tcpdump.

Is that normal? What's the problem here?
Answer:

Yes, it’s normal. iptables doesn’t stop inbound traffic turning up on your physical interface, thus notching up your iftop counts, and it doesn’t stop the kernel seeing that it’s there, hence the tcpdump output. It does, however, stop the kernel passing the traffic on to anything that might be listening for it.

If you see any output traffic in response to those input packets, something’s wrong. But otherwise, no, that’s normal.

iptables works on five chains: prerouting, input, forward, output and postrouting.

prerouting and postrouting are generally used for NAT, so the traffic passes through the CPU anyway; in other words, iptables cannot stop the traffic from arriving at the physical NIC, which is why both iftop and tcpdump can still see the inbound traffic. Once the IP has been blocked with iptables, however, there will be no outbound traffic in response.
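As an added example (not part of the original post or of the quoted answer), here is a small POSIX shell helper that checks whether such a DROP rule is actually matching by reading the rule's packet counter from `iptables -L INPUT -v -n -x`, rather than looking at iftop; the two listings it parses are constructed samples standing in for the live command.

```shell
#!/bin/sh
# Added example, not from the original post: verify that an iptables DROP rule
# is actually matching by reading its packet counter, instead of relying on
# iftop or tcpdump (which see packets before the INPUT hook drops them).

# Constructed sample of `iptables -L INPUT -v -n -x` output, taken twice a few
# seconds apart, standing in for the live command so this runs offline.
BEFORE='Chain INPUT (policy ACCEPT 10 packets, 840 bytes)
    pkts      bytes target     prot opt in     out     source               destination
    1234      98765 DROP       all  --  *      *       0.0.0.0/0            173.193.26.73
     567      45600 DROP       all  --  *      *       173.193.26.73        0.0.0.0/0'
AFTER='Chain INPUT (policy ACCEPT 12 packets, 1008 bytes)
    pkts      bytes target     prot opt in     out     source               destination
    1234      98765 DROP       all  --  *      *       0.0.0.0/0            173.193.26.73
    1000      80300 DROP       all  --  *      *       173.193.26.73        0.0.0.0/0'

# drop_counter <listing> <src|dst> <ip>
# Prints the pkts counter of the first DROP rule whose source (or destination)
# column equals <ip>; prints 0 when no such rule exists.
drop_counter() {
    printf '%s\n' "$1" | awk -v dir="$2" -v ip="$3" '
        $3 == "DROP" && ((dir == "src" && $8 == ip) || (dir == "dst" && $9 == ip)) {
            print $1; found = 1; exit
        }
        END { if (!found) print 0 }'
}

# dropped_between <listing-before> <listing-after> <ip>
# Packets from <ip> dropped between the two snapshots. A count that keeps
# rising while no reply traffic leaves the host is the expected picture:
# the packets still reach the NIC (and iftop), but the kernel discards them.
dropped_between() {
    b=$(drop_counter "$1" src "$3")
    a=$(drop_counter "$2" src "$3")
    echo $((a - b))
}

# On a live host (as root) replace the samples with the output of:
#   iptables -L INPUT -v -n -x
drop_counter "$BEFORE" src 173.193.26.73                 # prints 567
dropped_between "$BEFORE" "$AFTER" 173.193.26.73          # prints 433
```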