
A Linux trump card: the "invalid route" (route add / del -host ip reject)


Yesterday's post, "iptables入门学习之iptables的INPUT,OUTPUT,FORWARD" (an introduction to the iptables INPUT, OUTPUT and FORWARD chains), described using iptables to block packets to or from an IP. But when the traffic volume is large, the load iptables places on the machine grows with it. For high-volume attacks, ISPs abroad block directly at the network layer instead, using what translates literally as an "invalid route" (a null route). The command is:

    route add -host <ip or hostname> reject

View the routing table without resolving addresses to host or domain names, showing IPs only (equivalent to netstat -rn):
Routes added this way do not survive a reboot.

    debian:~# route -n
    Kernel IP routing table
    Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
    192.168.0.0     0.0.0.0         255.255.255.0   U     0      0        0 eth0
    0.0.0.0         192.168.0.1     0.0.0.0         UG    0      0        0 eth0




Once the routing table records that all packets from 192.168.0.8 are to be dropped, the host is effectively on an invalid route.

    debian:~# route add -host 192.168.0.8 reject
    debian:~# ping 192.168.0.8
    connect: Network is unreachable



Delete an existing rule:

    route del -host <ip or domain> reject

    debian:~# ping 192.168.0.8
    connect: Network is unreachable
    debian:~# route del -host 192.168.0.8 reject
    debian:~# ping 192.168.0.8
    PING 192.168.0.8 (192.168.0.8) 56(84) bytes of data.
    64 bytes from 192.168.0.8: icmp_seq=1 ttl=64 time=5.50 ms
    64 bytes from 192.168.0.8: icmp_seq=2 ttl=64 time=0.210 ms

    --- 192.168.0.8 ping statistics ---
    2 packets transmitted, 2 received, 0% packet loss, time 1004ms
    rtt min/avg/max/mdev = 0.210/2.859/5.509/2.650 ms
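The add and del steps above are typed by hand; an operator who does this under attack usually wants the address validated first and wants proof that the route actually landed. The script below is an added example, not code from the original post: it builds the same route add/del -host ... reject command, refuses anything that is not a well-formed IPv4 address, and checks route -n output for the reject flag (net-tools marks reject routes with "!" in the Flags column, "!H" for a host route). The sample routing table embedded in it is constructed for illustration. It assumes Linux with the net-tools route command used on the page; on iproute2-only systems the equivalent is ip route add unreachable <ip>/32.

```shell
#!/bin/sh
# Added example (not from the original post): wrap the reject-route
# technique in a script that validates input and verifies the result.
# Assumes net-tools `route` is installed, as on the page.

# Return 0 if $1 is a dotted-quad IPv4 address with every octet in 0..255.
valid_ipv4() {
    printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    rest="$1."
    while [ -n "$rest" ]; do
        octet=${rest%%.*}      # text before the first dot
        rest=${rest#*.}        # drop it and the dot
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Print (do not run) the route command for $1 = add|del and $2 = IPv4 address.
# Printing it lets the caller review the exact command before it is executed.
reject_route_cmd() {
    case "$1" in
        add|del) ;;
        *) echo "usage: reject_route_cmd add|del IPv4" >&2; return 1 ;;
    esac
    valid_ipv4 "$2" || { echo "refusing: '$2' is not an IPv4 address" >&2; return 1; }
    printf 'route %s -host %s reject\n' "$1" "$2"
}

# Read `route -n` output on stdin; succeed if $1 has a reject route.
# Column 4 is Flags; net-tools prints '!' there for reject routes.
host_is_rejected() {
    awk -v host="$1" '$1 == host && $4 ~ /!/ { found = 1 } END { exit found ? 0 : 1 }'
}

# Constructed sample of `route -n` after `route add -host 192.168.0.8 reject`.
SAMPLE_TABLE='Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.0.8     -               255.255.255.255 !H    0      -        0 -
192.168.0.0     0.0.0.0         255.255.255.0   U     0      0        0 eth0
0.0.0.0         192.168.0.1     0.0.0.0         UG    0      0        0 eth0'

# Run directly as root to apply: sh reject_route.sh add 192.168.0.8
# With no arguments the script only defines the functions above.
if [ "$#" -eq 2 ]; then
    cmd=$(reject_route_cmd "$1" "$2") || exit 1
    echo "running: $cmd"
    $cmd || exit 1
    if [ "$1" = add ]; then
        route -n | host_is_rejected "$2" && echo "$2 now has a reject route"
    fi
fi
```

Because the route is not persistent (as the page notes, it is gone after a reboot), an operator who wants a block to outlive a restart has to re-apply it at boot; the verification function above is what to call from such a boot-time script to confirm the route is in place.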



1 comment:

  3m on Nov 24th, 2008 - 11:22

    3m, oh 3m; kk, oh kk

    Bearing with it…
