5\u672c\u306e\u9396\uff08\u30c1\u30a7\u30fc\u30f3\uff09\uff1a<\/p>\n
- \n
- - PREROUTING: \u5b9b\u5148\u30a2\u30c9\u30ec\u30b9\u304c\u30ed\u30fc\u30ab\u30eb\u3067\u3042\u308b\u30d1\u30b1\u30c3\u30c8\u306e\u51e6\u7406\uff1b<\/li>\n
- - INPUT\uff1a\u30de\u30b7\u30f3\u306b\u5165\u3063\u3066\u304d\u3066\u30ed\u30fc\u30ab\u30eb\u306b\u30eb\u30fc\u30c6\u30a3\u30f3\u30b0\u3055\u308c\u308b\u30d1\u30b1\u30c3\u30c8\u306e\u51e6\u7406\uff1b<\/li>\n
- - FORWARD\uff1a\u3059\u3079\u3066\u306e\u8ee2\u9001\u30d1\u30b1\u30c3\u30c8\uff1b<\/li>\n
- - OUTPUT\uff1a\u30ed\u30fc\u30ab\u30eb\u3067\u751f\u6210\u3055\u308c\u305f\u9001\u4fe1\u30d1\u30b1\u30c3\u30c8\u306e\u51e6\u7406\uff1b<\/li>\n
- - POSTROUTING\uff1a\u30de\u30b7\u30f3\u304b\u3089\u51fa\u308b\u30d1\u30b1\u30c3\u30c8\u306e\u51e6\u7406\u3002<\/li>\n<\/ul>\n
4\u3064\u306e\u30c6\u30fc\u30d6\u30eb\u306e\u30c7\u30d5\u30a9\u30eb\u30c8\u306e\u9806\u5e8f\u306f\u3001raw -> mangle -> nat -> filter\u3067\u3042\u308b\u3002
\n\u7565\u79f0\uff1armnf->guidance\uff085\u30b9\u30c8\u30ed\u30fc\u30af\u30b3\u30fc\u30c9\uff09<\/p>\n![\"\"](\"https:\/\/www.08host.com\/wp-content\/uploads\/2025\/06\/40e9add5bbc0fd84d35af7a8421ff24c.png\")
![\"\"](\"https:\/\/www.08host.com\/wp-content\/uploads\/2025\/06\/5debdac631187b8a43fa50dcdfa7f002.png\")
<\/p>\n\u30a4\u30f3\u30d0\u30a6\u30f3\u30c9\u30eb\u30fc\u30c6\u30a3\u30f3\u30b0\u306e\u30d7\u30ec\u30eb\u30fc\u30c6\u30a3\u30f3\u30b0\u30d5\u30a7\u30fc\u30ba (PREROUTING)<\/h4>\n
\u5916\u90e8\u30c8\u30e9\u30d5\u30a3\u30c3\u30af\u306e\u6d41\u5165 \u2192 \u251c\u2500 raw\u30c6\u30fc\u30d6\u30eb\uff08\u512a\u5148\u5ea61\uff09\uff1a\u30b3\u30cd\u30af\u30b7\u30e7\u30f3\u30fb\u30c8\u30e9\u30c3\u30ad\u30f3\u30b0\u306e\u4f8b\u5916\u51e6\u7406 \u251c\u2500 mangle\u30c6\u30fc\u30d6\u30eb\uff08\u512a\u5148\u5ea62\uff09\uff1aTOS\/TTL\u306a\u3069\u306e\u30d1\u30b1\u30c3\u30c8\u30fb\u30d8\u30c3\u30c0\u306e\u5909\u66f4 \u2514\u2500 nat\u30c6\u30fc\u30d6\u30eb\uff08\u512a\u5148\u5ea63\uff09\uff1aDNAT\u306b\u3088\u308b\u5b9b\u5148\u30a2\u30c9\u30ec\u30b9\u5909\u63db\u306e\u5b9f\u884c \u9806\u5e8f\uff1a123<\/pre>\n
\u30eb\u30fc\u30c6\u30a3\u30f3\u30b0\u6c7a\u5b9a\u6bb5\u968e<\/h4>\n
mangle table (priority 2): \u8907\u96d1\u306a\u30d1\u30b1\u30c3\u30c8\u5909\u66f4\u3092\u30b5\u30dd\u30fc\u30c8 \u2514\u2500 filter table (priority 4): \u8ee2\u9001\u30dd\u30ea\u30b7\u30fc\u3092\u5b9a\u7fa9 (default deny) \u2502 \u2514\u2500 filter table (priority 4): \u8ee2\u9001\u30dd\u30ea\u30b7\u30fc\u3092\u5b9a\u7fa9 (default deny) \u2502 \u2514\u2500 order: 24<\/pre>\n
\u30ed\u30fc\u30ab\u30eb\u767a\u4fe1\u30d5\u30a7\u30fc\u30ba (OUTPUT)<\/h4>\n
\u30ed\u30fc\u30ab\u30eb\u30d7\u30ed\u30bb\u30b9\u304c\u30c8\u30e9\u30d5\u30a3\u30c3\u30af\u3092\u751f\u6210 \u2192 \u251c\u2500 raw\u30c6\u30fc\u30d6\u30eb\uff08\u512a\u5148\u5ea61\uff09\uff1a\u30a2\u30a6\u30c8\u30d0\u30a6\u30f3\u30c9\u306e\u30b3\u30cd\u30af\u30b7\u30e7\u30f3\u30fb\u30c8\u30e9\u30c3\u30ad\u30f3\u30b0\u4f8b\u5916 \u251c\u2500 mangle\u30c6\u30fc\u30d6\u30eb\uff08\u512a\u5148\u5ea62\uff09\uff1a\u30a2\u30a6\u30c8\u30d0\u30a6\u30f3\u30c9\u306e\u30d1\u30b1\u30c3\u30c8\u30fb\u30d8\u30c3\u30c0\u3092\u5909\u66f4 \u251c\u2500 nat\u30c6\u30fc\u30d6\u30eb\uff08\u512a\u5148\u5ea63\uff09\uff1aSNAT\u30bd\u30fc\u30b9\u30fb\u30a2\u30c9\u30ec\u30b9\u5909\u63db\u3092\u5b9f\u884c \u2514\u2500 filter\u30c6\u30fc\u30d6\u30eb\uff08\u512a\u5148\u5ea64\uff09\uff1a\u30a2\u30a6\u30c8\u30d0\u30a6\u30f3\u30c9\u306e\u6700\u7d42\u30d5\u30a3\u30eb\u30bf\u30ea\u30f3\u30b0\u9806\u5e8f\u306f1234<\/pre>\n
\u30dd\u30b9\u30c8\u30a2\u30a6\u30c8\u30d0\u30a6\u30f3\u30c9\u30eb\u30fc\u30c6\u30a3\u30f3\u30b0\u30d5\u30a7\u30fc\u30ba(POSTROUTING)<\/h4>\n
\u30de\u30b7\u30f3\u304b\u3089\u96e2\u308c\u308b\u6e96\u5099 \u2192 \u251c\u2500 mangle\u30c6\u30fc\u30d6\u30eb\uff08\u512a\u5148\u5ea62\uff09\uff1a\u6700\u5f8c\u306e\u4fee\u6b63\u30c1\u30e3\u30f3\u30b9\uff08TTL\u306a\u3069\uff09 \u2514\u2500 nat\u30c6\u30fc\u30d6\u30eb\uff08\u512a\u5148\u5ea63\uff09\uff1aSNAT\/MASQUERADE\u30aa\u30fc\u30c0\u30fc\u5b8c\u4e86 23<\/pre>\n
iptables \u30b3\u30de\u30f3\u30c9\u5f62\u5f0f<\/h3>\n
iptables -t table-name [-A|-D|-F|-L|-Z|-N|-X|-P|-E|-I] chain-name [match-criteria] [-j process-action].<\/pre>\n
- \n
- - \u30c6\u30fc\u30d6\u30eb\u540d\n
- \n
- -t: -table, \u64cd\u4f5c\u3059\u308b\u30c6\u30fc\u30d6\u30eb\u3092\u6307\u5b9a\u3059\u308b\u3002\u6307\u5b9a\u3057\u306a\u3044\u5834\u5408\u3001\u30c7\u30d5\u30a9\u30eb\u30c8\u306f\u30d5\u30a3\u30eb\u30bf\u30fc\u30fb\u30c6\u30fc\u30d6\u30eb\u3068\u306a\u308b\u3002<\/li>\n<\/ul>\n<\/li>\n
- - \u30b3\u30de\u30f3\u30c9\n
- \n
- -A: -append\u3001\u6307\u5b9a\u3057\u305f\u30c1\u30a7\u30fc\u30f3\u306b\u30eb\u30fc\u30eb\u3092\u8ffd\u52a0\u3059\u308b\u3002<\/li>\n
- -D: -delete\u3001\u6307\u5b9a\u3057\u305f\u30c1\u30a7\u30fc\u30f3\u304b\u3089\u30eb\u30fc\u30eb\u3092\u524a\u9664\u3059\u308b\u3002<\/li>\n
- -F: -flush, \u6307\u5b9a\u3055\u308c\u305f\u30c1\u30a7\u30fc\u30f3\u306e\u3059\u3079\u3066\u306e\u30eb\u30fc\u30eb\u3092\u30af\u30ea\u30a2\u3059\u308b\u3002<\/li>\n
- -L: -list, \u6307\u5b9a\u3055\u308c\u305f\u30c1\u30a7\u30fc\u30f3\u306e\u3059\u3079\u3066\u306e\u30eb\u30fc\u30eb\u3092\u30ea\u30b9\u30c8\u3059\u308b\u3002<\/li>\n
- -Z: -\u30bc\u30ed\u3001\u6307\u5b9a\u3057\u305f\u30c1\u30a7\u30fc\u30f3\u306e\u30ab\u30a6\u30f3\u30bf\u30fc\u3092\u30af\u30ea\u30a2\u3059\u308b\u3002<\/li>\n
- -N: -new-chain, \u65b0\u3057\u3044\u30c1\u30a7\u30fc\u30f3\u3092\u4f5c\u308b\u3002<\/li>\n
- -X: -delete-chain, \u30ab\u30b9\u30bf\u30e0\u30fb\u30c1\u30a7\u30fc\u30f3\u3092\u524a\u9664\u3059\u308b\u3002<\/li>\n
- -P: -policy \u30c1\u30a7\u30fc\u30f3\u306e\u30c7\u30d5\u30a9\u30eb\u30c8\u30dd\u30ea\u30b7\u30fc\u3092\u8a2d\u5b9a\u3057\u307e\u3059\u3002<\/li>\n
- -E: -rename-chain \u30c1\u30a7\u30fc\u30f3\u306e\u540d\u524d\u3092\u5909\u66f4\u3059\u308b\u3002<\/li>\n
- -I: -insert, \u6307\u5b9a\u3057\u305f\u30c1\u30a7\u30fc\u30f3\u306b\u30eb\u30fc\u30eb\u3092\u633f\u5165\u3059\u308b\u3002<\/li>\n<\/ul>\n<\/li>\n
- - \u30de\u30c3\u30c1\u30b3\u30f3\u30c7\u30a3\u30b7\u30e7\u30f3\n
- \n
- -p: -protocol, \u30d7\u30ed\u30c8\u30b3\u30eb\u306e\u7a2e\u985e\u3092\u6307\u5b9a\u3059\u308b\u3002 \u4f8b\u3048\u3070\u3001-p tcp\u306f\u3001TCP\u30d7\u30ed\u30c8\u30b3\u30eb\u306e\u30d1\u30b1\u30c3\u30c8\u3060\u3051\u304c\u30de\u30c3\u30c1\u3059\u308b\u3053\u3068\u3092\u793a\u3059\u3002<\/li>\n
- -s: -source\u3001\u9001\u4fe1\u5143IP\u30a2\u30c9\u30ec\u30b9\u3092\u6307\u5b9a\u3059\u308b\u3002\u4f8b\u3048\u3070\u3001-s 192.168.1.100\u306f\u3001\u305d\u306eIP\u304b\u3089\u306e\u30d1\u30b1\u30c3\u30c8\u306e\u307f\u306b\u30de\u30c3\u30c1\u3059\u308b\u3053\u3068\u3092\u610f\u5473\u3059\u308b\u3002<\/li>\n
- -d: -destination\u3001\u5b9b\u5148IP\u30a2\u30c9\u30ec\u30b9\u3092\u6307\u5b9a\u3059\u308b\u3002\u4f8b\u3048\u3070\u3001-d 192.168.1.100\u306f\u3001\u305d\u306eIP\u5b9b\u306e\u30d1\u30b1\u30c3\u30c8\u306b\u306e\u307f\u30de\u30c3\u30c1\u3059\u308b\u3053\u3068\u3092\u610f\u5473\u3059\u308b\u3002<\/li>\n
- -i: -in-interface\u3001\u30de\u30b7\u30f3\u306e\u30cd\u30c3\u30c8\u30ef\u30fc\u30af\u30fb\u30a4\u30f3\u30bf\u30fc\u30d5\u30a7\u30a4\u30b9\u3092\u6307\u5b9a\u3059\u308b\u3002\u4f8b\u3048\u3070\u3001-i eth0\u306f\u3001\u305d\u306e\u30a4\u30f3\u30bf\u30fc\u30d5\u30a7\u30a4\u30b9\u3092\u901a\u904e\u3059\u308b\u30d1\u30b1\u30c3\u30c8\u306e\u307f\u306b\u30de\u30c3\u30c1\u3059\u308b\u3053\u3068\u3092\u610f\u5473\u3059\u308b\u3002<\/li>\n
- -o: -out-interface\u306f\u3001\u30de\u30b7\u30f3\u3092\u96e2\u308c\u308b\u30cd\u30c3\u30c8\u30ef\u30fc\u30af\u30fb\u30a4\u30f3\u30bf\u30d5\u30a7\u30fc\u30b9\u3092\u6307\u5b9a\u3059\u308b\u3002\u4f8b\u3048\u3070\u3001-o eth0\u306f\u3001\u305d\u306e\u30a4\u30f3\u30bf\u30fc\u30d5\u30a7\u30a4\u30b9\u3092\u901a\u904e\u3059\u308b\u30d1\u30b1\u30c3\u30c8\u306e\u307f\u306b\u30de\u30c3\u30c1\u3059\u308b\u3053\u3068\u3092\u610f\u5473\u3059\u308b\u3002<\/li>\n
- -sport\u3001-sport\uff1a\u9001\u4fe1\u5143\u30dd\u30fc\u30c8\u3092\u6307\u5b9a\u3059\u308b\u3002\u4f8b\u3048\u3070\u3001-sport 80\u306f\u3001\u305d\u306e\u30dd\u30fc\u30c8\u304b\u3089\u306eTCP\u30d1\u30b1\u30c3\u30c8\u306b\u306e\u307f\u30de\u30c3\u30c1\u3059\u308b\u3053\u3068\u3092\u610f\u5473\u3059\u308b\u3002<\/li>\n
- -dport, -dport: \u5b9b\u5148\u30dd\u30fc\u30c8\u3092\u6307\u5b9a\u3059\u308b\u3002\u4f8b\u3048\u3070\u3001-dport 80\u306f\u3001\u305d\u306e\u30dd\u30fc\u30c8\u3078\u306eTCP\u30d1\u30b1\u30c3\u30c8\u306e\u307f\u304c\u30de\u30c3\u30c1\u3059\u308b\u3053\u3068\u3092\u610f\u5473\u3059\u308b\u3002<\/li>\n<\/ul>\n<\/li>\n
- - \u51e6\u7406\u30a2\u30af\u30b7\u30e7\u30f3\n
- \n
- -j: -jump, \u51e6\u7406\u52d5\u4f5c\u3092\u6307\u5b9a\u3059\u308b\u3002\u4f8b\u3048\u3070\u3001-j ACCEPT\u306f\u30d1\u30b1\u30c3\u30c8\u3092\u53d7\u3051\u5165\u308c\u308b\u3053\u3068\u3092\u610f\u5473\u3057\u3001-j DROP\u306f\u30d1\u30b1\u30c3\u30c8\u3092\u30c9\u30ed\u30c3\u30d7\u3059\u308b\u3053\u3068\u3092\u610f\u5473\u3059\u308b\u3002-j LOG\u306f\u30ed\u30ae\u30f3\u30b0\u3092\u610f\u5473\u3059\u308b\u3002-j RETURN\u306f\u3001\u5f8c\u7d9a\u306e\u30eb\u30fc\u30eb\u306b\u30de\u30c3\u30c1\u3057\u7d9a\u3051\u305a\u306b\u623b\u308b\u3053\u3068\u3092\u610f\u5473\u3059\u308b\u3002<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n
iptables \u5171\u901a\u30b3\u30de\u30f3\u30c9<\/h3>\n
- \n
- - iptables\u30eb\u30fc\u30eb\u306e\u8868\u793a\n
- \n
- - \u5168\u30c1\u30a7\u30fc\u30f3\u306e\u30eb\u30fc\u30eb\u3092\u8868\u793a (-L \u30c1\u30a7\u30fc\u30f3\u306a\u3057\u306f\u5168\u30c1\u30a7\u30fc\u30f3\u306e\u30eb\u30fc\u30eb\u3001-t \u306a\u3057\u306f\u30c7\u30d5\u30a9\u30eb\u30c8\u306e\u30d5\u30a3\u30eb\u30bf\u30c6\u30fc\u30d6\u30eb)\n
iptables -L<\/pre>\n<\/li>\n
- - \u6307\u5b9a\u3057\u305f\u30c6\u30fc\u30d6\u30eb\u306e\u30eb\u30fc\u30eb\u3092\u8868\u793a\u3059\u308b\n
iptables -t nat -L<\/pre>\n<\/li>\n
- - \u6307\u5b9a\u3055\u308c\u305f\u30c1\u30a7\u30fc\u30f3\u306e\u30eb\u30fc\u30eb\u3092\u8868\u793a\u3059\u308b\n
iptables -L INPUT<\/pre>\n<\/li>\n
- - \u6307\u5b9a\u3057\u305f\u30c1\u30a7\u30fc\u30f3\u306e\u30eb\u30fc\u30eb\u756a\u53f7\u3092\u8868\u793a\n
iptables -L INPUT --\u884c\u756a\u53f7<\/pre>\n<\/li>\n
- - \u6307\u5b9a\u3057\u305f\u30c1\u30a7\u30fc\u30f3\u306e\u30eb\u30fc\u30eb\u756a\u53f7\u3068\u30ab\u30a6\u30f3\u30bf\u30fc\u3092\u898b\u308b\n
iptables -L INPUT --line-numbers --verbose<\/pre>\n<\/li>\n
- - \u6307\u5b9a\u3057\u305f\u30c1\u30a7\u30fc\u30f3\u306e\u30eb\u30fc\u30eb\u756a\u53f7\u3068\u30ab\u30a6\u30f3\u30bf\u30fc\u3092\u8868\u793a\u3057\u3001\u30c4\u30ea\u30fc\u3068\u3057\u3066\u8868\u793a\u3059\u308b\u3002\n
iptables -L INPUT --line-numbers --verbose --list<\/pre>\n<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n
\u30b9\u30af\u30ea\u30d7\u30c8<\/h2>\n
\u81a8\u5927\u306aiptables\u30eb\u30fc\u30eb\u304c\u3082\u305f\u3089\u3059\u30c8\u30e9\u30d6\u30eb\u30b7\u30e5\u30fc\u30c6\u30a3\u30f3\u30b0\u306e\u30b8\u30ec\u30f3\u30de\u306b\u76f4\u9762\u3057\u3066\u3001\u5f93\u6765\u306e\u30b3\u30de\u30f3\u30c9\u30e9\u30a4\u30f3\u30c4\u30fc\u30eb\u306f3\u3064\u306e\u6838\u5fc3\u7684\u6b20\u9665\u3092\u9732\u5448\u3057\u305f\uff1a<\/p>\n
- \n
- - \u60c5\u5831\u904e\u591a\u306e\u554f\u984c\uff1a\u4f55\u5343\u3082\u306e\u30eb\u30fc\u30eb\u304c\u76f4\u7dda\u7684\u306a\u30c6\u30ad\u30b9\u30c8\u3067\u63d0\u793a\u3055\u308c\u3001\u30c1\u30a7\u30fc\u30f3\u9593\u306e\u30b8\u30e3\u30f3\u30d7\u306e\u30ed\u30b8\u30c3\u30af\u3092\u8ffd\u8de1\u3059\u308b\u306e\u306f\u96e3\u3057\u3044\u3002<\/li>\n
- - \u610f\u5473\u7684\u65ad\u7d76\uff1a -j KUBE-SERVICES\u306e\u3088\u3046\u306a\u30bf\u30fc\u30b2\u30c3\u30c8\u30c1\u30a7\u30fc\u30f3\u306e\u6587\u8108\u7684\u89e3\u91c8\u306e\u6b20\u5982\u3002<\/li>\n
- - \u5909\u66f4\u306e\u30ea\u30b9\u30af\uff1a\u751f\u7523\u30eb\u30fc\u30eb\u306e\u76f4\u63a5\u7de8\u96c6\u306f\u3001\u30b5\u30fc\u30d3\u30b9\u306e\u4e2d\u65ad\u306b\u3064\u306a\u304c\u308b\u53ef\u80fd\u6027\u304c\u3042\u308b\u3002<\/li>\n
- \u3053\u306e\u30b9\u30af\u30ea\u30d7\u30c8\u306f\u3001\u30c4\u30ea\u30fc\u306e\u8996\u899a\u5316\u3068\u30ab\u30e9\u30fc\u30de\u30fc\u30ad\u30f3\u30b0\u3001\u30a4\u30f3\u30c6\u30ea\u30b8\u30a7\u30f3\u30c8\u306a\u5faa\u74b0 \u53c2\u7167\u306e\u691c\u51fa\u3001\u5bfe\u8a71\u7684\u9078\u629e\u306e\u30b5\u30dd\u30fc\u30c8\u3001\u8907\u6570\u306e\u74b0\u5883\u3068\u306e\u4e92\u63db\u6027\u3001\u4e00\u6642\u30d5\u30a1\u30a4\u30eb\u306e \u81ea\u52d5\u30af\u30ea\u30fc\u30f3\u30a2\u30c3\u30d7\u306a\u3069\u3092\u901a\u3058\u3066\u3001iptables\u30eb\u30fc\u30eb\u30c1\u30a7\u30c3\u30af\u306e\u52b9\u7387\u3092\u5927\u5e45\u306b\u5411 \u4e0a\u3055\u305b\u308b\u3088\u3046\u306b\u8a2d\u8a08\u3055\u308c\u3066\u3044\u308b\u3002
\n\u4ee5\u4e0b\u306e\u30b9\u30af\u30ea\u30d7\u30c8\u306f\u3001centos 7.6 (3.10.0-957.el7.x86_64)\u4e0a\u3067\u306e\u307f\u5b9f\u9a13\u7684\u306b\u30d1\u30b9\u3057\u307e\u3059\u3002<\/li>\n<\/ul>\n\u30b9\u30af\u30ea\u30d7\u30c8\u306e\u5185\u5bb9<\/h3>\n
vim show_iptables.sh #<\/span>!\/bin\/bash #<\/span>\u6307\u5b9a\u3057\u305fiptables\u30c6\u30fc\u30d6\u30eb\u306e\u9023\u9396\u3092\u52d5\u7684\u306b\u89e3\u6790\u3057\u3001\u30c4\u30ea\u30fc\u69cb\u9020\u3067\u8868\u793a\u3059\u308b\u30b9\u30af\u30ea\u30d7\u30c8 #<\/span>\u30bb\u30c3\u30c8<\/span>-x #<\/span>\u8272\u3092\u5b9a\u7fa9\u3059\u308b\uff08\u3088\u308a\u591a\u304f\u306e\u7aef\u5b50\u306b\u5bfe\u5fdc\uff09 RED=$' \\033[31m' GREEN=$'\u02f6033[32m' YELLOW=$'\u02f6033[33m' BLUE=$'\u02f6033[34m' PURPLE=$'\u02f6033[35m' CYAN=$'\u02f6033[36m' GRAY=$'\u02f6033[90m' NC=$'\u02f6033[0m'033[36m' GRAY=$' \\033[90m' NC=$' \\033[0m' #<\/span>\u4e00\u6642\u30d5\u30a1\u30a4\u30eb TEMP_FILE=\"\/tmp\/iptables_rules.txt\" #<\/span>\u30b0\u30ed\u30fc\u30d0\u30eb\u9023\u60f3\u914d\u5217\uff08\u660e\u793a\u7684\u306b\u5ba3\u8a00\uff09 declare -A VISITED_CHAINS #<\/span>\u5229\u7528\u53ef\u80fd\u306a\u3059\u3079\u3066\u306e\u30c6\u30fc\u30d6\u30eb\u3092\u53d6\u5f97 get_tables() { if [[ -f \/proc\/net\/ip_tables_names ]]; then cat \/proc\/net\/ip_tables_names 2>\/dev\/null else # \u53e4\u3044\u30b7\u30b9\u30c6\u30e0\u3067\u4e92\u63db iptables -L -n 2>\/dev\/null | grep -Po 'Table: \\Kw+' | sort -u fi }. #<\/span>\u30c1\u30a7\u30fc\u30f3\u540d\u306e\u62bd\u51fa\uff08\u30d5\u30a3\u30eb\u30bf\u3092\u8ffd\u52a0\uff09 extract_chains() { grep -E \"^:[A-Za-z0-9_-]+ \" \"$TEMP_FILE\" | cut -d ' -f 1 | tr -d ':' | grep -v '^$' }. #<\/span>\u30c1\u30a7\u30fc\u30f3\u306e\u30eb\u30fc\u30eb\u3092\u53d6\u5f97\u3059\u308b\uff08\u30d5\u30a3\u30eb\u30bf\u30ea\u30f3\u30b0\u306e\u5f37\u5316\uff09 find_rules_for_chain() { local chain=$1 [[ -z \"$chain\" ] ] && return grep -E \"^-A $chain \" \"$TEMP_FILE\" | sed '\/^#\/d'.} #<\/span>target chain (strict checksum) extract_targets( { local rule=$1 echo \"$rule\" | grep -oP '\\s-(j|g)\\s+K[^s]+' | grep -E '^[A-Za-z0-9_-]+$' } }. #<\/span>\u30eb\u30fc\u30eb\u306e\u30d5\u30a9\u30fc\u30de\u30c3\u30c8\uff08\u9632\u5fa1\u51e6\u7406\uff09 format_rule() { local rule=$1 # \u30c1\u30a7\u30fc\u30f3\u5ba3\u8a00\u3068\u30b3\u30e1\u30f3\u30c8\u3092\u524a\u9664 rule=$(echo \"$rule\" | sed -E 's\/^-A [^ ]* \/\/; s\/(--comment \"[^\"]*\")\/\/g') #\u91cd\u8981\u306a\u8981\u7d20\u3092\u30cf\u30a4\u30e9\u30a4\u30c8 echo \"$rule\" | sed -E -e \"s\/(-j |-g )([^ ]+)\/${RED}1${YELLOW}2${NC}\/g\" \uffe4 \"s\/(-[pm] |--(src|dport|sport|destination| match|)match))\/${CYAN}\\1${NC}\/g\" } #<\/span>\u30c4\u30ea\u30fc\u5370\u5237 (\u91cd\u5927\u306a\u4fee\u6b63) print_tree() { local chain=$1 local prefix=$2 local visited=$3 local depth=$4 # \u30cc\u30eb\u30c1\u30a7\u30fc\u30f3\u540d\u306e\u9632\u5fa1 if [[ -z \"$chain\" ]]; thenecho -e \"${prefix}${RED} Invalid null link name ${NC}\" return fi # \u30eb\u30fc\u30d7\u691c\u51fa if [[ \"$visited\" == *\"|$chain|\"* ]]; then echo -e \"${prefix}${RED} \u2514\u2500\u2500 Circular reference: $chain${NC}\" return fi # \u6df1\u5ea6\u5236\u9650 if (( depth > 15 )); then echo -e \"${prefix}${YELLOW} \u2514\u2500\u2500 Maximum depth reached ${NC}\" return fi# \u30a2\u30af\u30bb\u30b9\u30c1\u30a7\u30fc\u30f3\u306e\u8a18\u9332\uff08\u5b89\u5168\u306a\u66f8\u304d\u8fbc\u307f\uff09 if [[ -n \"$chain\" ]]; then VISITED_CHAINS[\"$chain\"]=1 fi # \u30eb\u30fc\u30eb\u306e\u53d6\u5f97 local rules=() while IFS= read -r rule; do rules+=(\")$rule\") done <<< "$(find_rules_for_chain "$chain")" # \u30b5\u30d6\u30c1\u30a7\u30fc\u30f3\u3092\u53d6\u308a\u51fa\u3059 local targets=() for rule in "${rules[@]}"; do while IFS= read -rtarget; do if [[ -n "$target" && \uff01 " ${targets[*]} " =~ " $arget " ]]; then targets+=("$arget") fi done <<< "$(extract_targets "$rule")" done # print current chain localcolor case $((depth % 6)) in 0) color=$BLUE;; 1) color=$GREEN;; 2) color=$PURPLE;; 3) color=$CYAN;; 4) color=$YELLOW.\u30ab\u30e9\u30fc=$YELLOW;; esac echo -e "${prefix}${colour}\u251c\u2500 ${chain}${NC}" # \u5370\u5237\u30eb\u30fc\u30eb local rule_prefix="\u2502 " for rule in "${rules[@]}"; do echo -e "${prefix}${rule_prefix}${GRAY}\u251c\u2500\u2500 \u25aa ${NC}$(format_rule "$rule")" done # \u30b5\u30d6\u30c1\u30a7\u30fc\u30f3\u3092\u8868\u793a local total=${#targets[@]} for i in "${!targets[@]}"; do local target=${targets[$i]} if (( i == total - 1 )); then print_tree "$target" "${prefix} \u2514\u2500\u2500 " "${visited}|$chain|" $((depth + 1)) else print_tree "$target" "${prefix} \u251c\u2500\u2500 " "${visited}|$chain|"$((depth + 1)) fi done }. #<\/span>main( { echo -e \"${GREEN} \u25aa iptables \u30c1\u30a7\u30fc\u30f3\u95a2\u4fc2\u30c8\u30dd\u30ed\u30b8(\u30eb\u30fc\u30eb\u30a4\u30f3\u30e9\u30a4\u30f3\u8868\u793a) \u25aa ${NC}\" echo -e \"${YELLOW} description:\" echo -e \" ${GRAY} \u25aa \u30eb\u30fc\u30eb${NC}\u306e\u30b0\u30ec\u30fc\u30a8\u30f3\u30c8\u30ea\" echo -e \"${RED} \u8d64 ${NC} \u30b8\u30e3\u30f3\u30d7\u5bfe\u8c61\u3092\u793a\u3059\" echo -e \" ${CYAN} \u30b7\u30a2\u30f3 ${NC} \u4e00\u81f4\u6761\u4ef6\u3092\u793a\u3059\" echo -e \"${BLUE} \u258f\u30c1\u30a7\u30fc\u30f3 [${selected_chain}] \u30c8\u30dd\u30ed\u30b8: ${NC}\" print_jptree \"$selected_chain\" \"\" 0 echo \"\" }. #<\/span>\u5b9f\u65bd\u30d7\u30ed\u30bb\u30b9 #<\/span>1. select \u30c6\u30fc\u30d6\u30eb tables=($(get_tables)) if [[ ${#tables[@]} -eq 0 ]]; then echo -e \"${RED} error: no iptables table ${NC} found\" exit 1 fi echo \"\u5229\u7528\u53ef\u80fd\u306aiptables \u30c6\u30fc\u30d6\u30eb:\" select selected_table in \"${tables[@]}\"; do if [[ -n \"$selected_table\" ]]; then break else echo -e \"${RED} \u7121\u52b9\u306a\u9078\u629e\u3067\u3059\u3002NC}\" fi done #<\/span>2. select_chains iptables-save -t \"$selected_table\" > \"$TEMP_FILE\" chains=($(extract_chains)) if [[ ${#chains[@]} -eq 0 ]]; then echo -e\"${RED} error: no chain ${NC} found in table ${selected_table}\" rm -f \"$TEMP_FILE\" exit 1 fi echo \"Chains available in table ${selected_table}:\" selected_chain in \"${#{#chains[@]} -eq 0]]; then echo -echain in \"${chains[@]}\"; do if [[ -n \"$selected_chain\" ]]; then break else echo -e \"${RED} is not validly selected, please re-enter ${NC}\" fi done #<\/span>3.\u5b9f\u884c\u89e3\u6790\u30e1\u30a4\u30f3 rm -f \"$TEMP_FILE\"<\/pre>\n\u8a66\u9a13<\/h3>\n
- \n
- - \u51fa\u529b\u3092\u898b\u308b\u305f\u3081\u306b2\u3064\u306e\u30eb\u30fc\u30eb\u3092\u751f\u6210\u3059\u308b<\/li>\n<\/ul>\n
#<\/span>\u30d5\u30a3\u30eb\u30bf\u30fc\u30c6\u30fc\u30d6\u30eb\u306eINPUT\u30c1\u30a7\u30fc\u30f3\u306b\u30c6\u30b9\u30c8\u30eb\u30fc\u30eb\u3092\u4f5c\u6210\u3059\u308b sudo iptables -t filter -A INPUT -p tcp --sport 12345 -j LOG --log-prefix \"FILTER_TEST \" #<\/span>sudo iptables -t filter -A cali-INPUT -p tcp --sport 65535 -j LOG --log-prefix \"CALI_TEST_RULE \" \u30c6\u30b9\u30c8\u30eb\u30fc\u30eb\u3092\u4f5c\u6210\u3059\u308b\u3002<\/pre>\n- \n
- - \u5b9f\u884c\u30b9\u30af\u30ea\u30d7\u30c8<\/li>\n<\/ul>\n
.\/show_iptables.sh \u5229\u7528\u53ef\u80fd\u306a iptables \u30c6\u30fc\u30d6\u30eb: 1) raw 2) mangle 3) filter 4) nat #<\/span>? 3 \u30c6\u30fc\u30d6\u30eb\u30d5\u30a3\u30eb\u30bf\u3067\u4f7f\u7528\u53ef\u80fd\u306a\u30c1\u30a7\u30fc\u30f3: 1) INPUT 19) cali-from-hep-forward 2) FORWARD 20) cali-from-host-endpoint 3) OUTPUT 21) cali-from-wl-dispatch 4) DOCKER 22) cali-fwcali163c2dd037c 5) DOCKER-ISOLATION-STAGE-1 23) cali-fw-caliceb7f36db92 6) DOCKER-ISOLATION-STAGE-2 24) cali-pri-_56duOTW9GxmBnwvgZx 7)DOCKER-USER 25) cali-pri-_RRPF6JYgiXDfvzOhm- 8) KUBE-EXTERNAL-SERVICES 26) cali-pri-_pJvVwNIJS_Hgp2My 9) KUBE-FIREWALL 27) cali-pro_56duOTW9GxmBnwvgZx 10) KUBE-FORWARD 28) cali-pro-_RRPF6JYgiXDfvzOhm- 11) KUBE-KUBELET-CANARY 29) cali-pro-_pJvVwNmnIJS_Hgp2My 12) KUBE-NODEPORTS 30) cali-to-hep-forward 13) KUBE-PROXY-CANARY 31) cali-to-host-endpoint 14) KUBE-SERVICES 32) cali-to-wl-dispatch 15) cali-FORWARD 33) cali-tw-cali163c2dd037c 16) cali-INPUT 34) cali-tw-caliceb7f36db92 17) cali-OUTPUT 35) cali-wl-to-host 18) cali-cidr-block #<\/span>\u30c1\u30a7\u30fc\u30f3 [INPUT] \u30c8\u30dd\u30ed\u30b8\u30fc\uff1a \u30fb\u30b0\u30ec\u30fc\u306e\u30a8\u30f3\u30c8\u30ea\u30fc\u306f\u30eb\u30fc\u30eb m conntrack --ctstate NEW -m comment -j KUBE-EXTERNAL-SERVICES \u2502 \u251c\u2500\u2500 \u25aa -j KUBE-FIREWALL \u2502 \u251c\u2500\u2500 \u25aa -p tcp -m tcp --sport 12345 -j LOG --log-prefix \"FILTER_TEST \"\u251c\u2500\u2500 \u251c\u2500\u2500 \u251c\u2500\u2500 \u2502 \u251c\u2500\u2500 \u25aa -p ipv4 -m comment -m comment -m set --match-set cali40all-hosts-net src -m addrtype --dst-type LOCAL -j ACCEPT \u251c\u2500\u2500 \u2502 \u251c\u2500\u2500 \u25aa -pipv4 -m comment -m comment -j DROP \u251c\u2500 \u2502 \u251c\u2500 \u25aa -i cali+ -m comment -g cali-wl-to-host \u251c\u2500 \u2502 \u251c\u2500 \u25aa -m comment -m mark --mark 0x10000\/0x10000 -j ACCEPT \u251c\u2500 \u2502 \u251c\u2500 \u25aa -mcomment -j mark --set-xmark 0x0\/0xf0000 \u251c\u2500 \u2502 \u251c\u2500 \u25aa -m comment -j cali-from-host-endpoint \u251c\u2500 \u2502 \u251c\u2500 \u25aa -m comment -m mark --mark 0x10000\/0x10000 -jACCEPT \u251c\u2500 \u2502 \u251c\u2500 \u25aa -p tcp -m tcp --sport 65535 -j LOG --log-prefix \"CALI_TEST_RULE \"<\/pre>\n- \n
- - \u30af\u30ea\u30a2\u30e9\u30f3\u30b9\u30fb\u30c6\u30b9\u30c8\u898f\u5b9a<\/li>\n<\/ul>\n
sudo iptables -t filter -D INPUT -p tcp --sport 12345 -j LOG --log-prefix \"FILTER_TEST \" sudo iptables -t filter -D cali-INPUT -p tcp --sport 65535 -j LOG --\u30ed\u30b0\u63a5\u982d\u8f9e \"CALI_TEST_RULE \"<\/pre>\n
\u4e0a\u8a18\u306e\u30b9\u30af\u30ea\u30d7\u30c8\u3092\u4f7f\u7528\u3059\u308b\u3068\u3001iptables\u30eb\u30fc\u30eb\u306e\u30c8\u30dd\u30ed\u30b8\u30ab\u30eb\u306a\u95a2\u4fc2\u3092\u3059\u3070\u3084\u304f\u8868\u793a\u3067\u304d\u3001\u7406\u89e3\u3084\u30c7\u30d0\u30c3\u30b0\u304c\u5bb9\u6613\u306b\u306a\u308b\u3002<\/p>","protected":false},"excerpt":{"rendered":"
K8s\u306e\u30c8\u30e9\u30d6\u30eb\u30b7\u30e5\u30fc\u30c6\u30a3\u30f3\u30b0\u304b\u3089iptables\u306e\u8a73\u7d30\u5206\u6790\u307e\u3067\uff1aLinux\u306e\u30d5\u30a1\u30a4\u30a2\u30a6\u30a9\u30fc\u30eb\u30eb\u30fc\u30eb\u3092\u5f04\u308b\u65b9\u6cd5\u3092\u30cf\u30f3\u30ba\u30aa\u30f3\u3067\u4f1d\u6388 \u80cc\u666f \u6628\u65e5Kubernetes\u30af\u30e9\u30b9\u30bf\u306e\u969c\u5bb3\u306b\u5bfe\u51e6\u3057\u305f\u969b\u3001\u6280\u8853\u30c1\u30fc\u30e0\u306f\u5178\u578b\u7684\u306a\u8ab2\u984c\u306b\u906d\u9047\u3057\u305f\u3002<\/p>","protected":false},"author":1,"featured_media":11014,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"om_disable_all_campaigns":false,"_monsterinsights_skip_tracking":false,"_monsterinsights_sitenote_active":false,"_monsterinsights_sitenote_note":"","_monsterinsights_sitenote_category":0,"footnotes":""},"categories":[3],"tags":[],"class_list":["post-11013","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-blog"],"aioseo_notices":[],"_links":{"self":[{"href":"https:\/\/www.08host.com\/ja\/wp-json\/wp\/v2\/posts\/11013","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.08host.com\/ja\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.08host.com\/ja\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.08host.com\/ja\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.08host.com\/ja\/wp-json\/wp\/v2\/comments?post=11013"}],"version-history":[{"count":2,"href":"https:\/\/www.08host.com\/ja\/wp-json\/wp\/v2\/posts\/11013\/revisions"}],"predecessor-version":[{"id":11017,"href":"https:\/\/www.08host.com\/ja\/wp-json\/wp\/v2\/posts\/11013\/revisions\/11017"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.08host.com\/ja\/wp-json\/wp\/v2\/media\/11014"}],"wp:attachment":[{"href":"https:\/\/www.08host.com\/ja\/wp-json\/wp\/v2\/media?parent=11013"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.08host.com\/ja\/wp-json\/wp\/v2\/categories?post=11013"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.08host.com\/ja\/wp-json\/wp\/v2\/tags?post=11013"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
- - \u30af\u30ea\u30a2\u30e9\u30f3\u30b9\u30fb\u30c6\u30b9\u30c8\u898f\u5b9a<\/li>\n<\/ul>\n
- - \u5b9f\u884c\u30b9\u30af\u30ea\u30d7\u30c8<\/li>\n<\/ul>\n
- - \u51fa\u529b\u3092\u898b\u308b\u305f\u3081\u306b2\u3064\u306e\u30eb\u30fc\u30eb\u3092\u751f\u6210\u3059\u308b<\/li>\n<\/ul>\n
- - \u5168\u30c1\u30a7\u30fc\u30f3\u306e\u30eb\u30fc\u30eb\u3092\u8868\u793a (-L \u30c1\u30a7\u30fc\u30f3\u306a\u3057\u306f\u5168\u30c1\u30a7\u30fc\u30f3\u306e\u30eb\u30fc\u30eb\u3001-t \u306a\u3057\u306f\u30c7\u30d5\u30a9\u30eb\u30c8\u306e\u30d5\u30a3\u30eb\u30bf\u30c6\u30fc\u30d6\u30eb)\n
- - iptables\u30eb\u30fc\u30eb\u306e\u8868\u793a\n
- -j: -jump, \u51e6\u7406\u52d5\u4f5c\u3092\u6307\u5b9a\u3059\u308b\u3002\u4f8b\u3048\u3070\u3001-j ACCEPT\u306f\u30d1\u30b1\u30c3\u30c8\u3092\u53d7\u3051\u5165\u308c\u308b\u3053\u3068\u3092\u610f\u5473\u3057\u3001-j DROP\u306f\u30d1\u30b1\u30c3\u30c8\u3092\u30c9\u30ed\u30c3\u30d7\u3059\u308b\u3053\u3068\u3092\u610f\u5473\u3059\u308b\u3002-j LOG\u306f\u30ed\u30ae\u30f3\u30b0\u3092\u610f\u5473\u3059\u308b\u3002-j RETURN\u306f\u3001\u5f8c\u7d9a\u306e\u30eb\u30fc\u30eb\u306b\u30de\u30c3\u30c1\u3057\u7d9a\u3051\u305a\u306b\u623b\u308b\u3053\u3068\u3092\u610f\u5473\u3059\u308b\u3002<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n
- - \u30c6\u30fc\u30d6\u30eb\u540d\n