Linux · 2008-11-23

A Linux killer move, the null route: route add / del -host <ip> reject

Yesterday's post, iptables入门学习之iptables的INPUT,OUTPUT,FORWARD, showed how to block packets to or from one IP with iptables. The catch is that a netfilter rule is evaluated for every packet, so under a large flood the cost of iptables grows with the packet rate. For that kind of traffic, ISPs abroad simply block at the network layer, and Linux can do the same with what translates literally as a "null route":

route add -host <ip-or-hostname> reject

The result is a single kernel routing entry of type unreachable: every packet this host would send to that address is refused with "Network is unreachable", which removes the reply path, so no TCP connection from that address can complete. What happens to the inbound packets depends on reverse path filtering: with net.ipv4.conf.all.rp_filter=1 the kernel drops any packet whose source address has no usable route back, so the attacker's packets are discarded at the routing stage; with it off they still reach the IP stack, they just never get an answer. The iproute2 equivalent is ip route add unreachable <ip>/32 (ip route add blackhole <ip>/32 discards instead without signalling an error to the local sender).
View the routing table. The -n flag skips name resolution and prints plain addresses; it is equivalent to netstat -rn.
A route added by hand lasts only until the next reboot. On Debian, a post-up route add -host <ip> reject line under the interface's stanza in /etc/network/interfaces re-adds it every time the interface comes up.

debian:~# route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.0.0     0.0.0.0         255.255.255.0   U     0      0        0 eth0
0.0.0.0         192.168.0.1     0.0.0.0         UG    0      0        0 eth0

This adds an entry that rejects every packet this host would send to 192.168.0.8. The address is now a null route: the host can neither reach it nor answer it.

debian:~# route add -host 192.168.0.8 reject
debian:~# ping 192.168.0.8
connect: Network is unreachable

Delete an existing rule:
route del -host <ip-or-hostname> reject

debian:~# ping 192.168.0.8
connect: Network is unreachable
debian:~# route del -host 192.168.0.8 reject
debian:~# ping 192.168.0.8
PING 192.168.0.8 (192.168.0.8) 56(84) bytes of data.
64 bytes from 192.168.0.8: icmp_seq=1 ttl=64 time=5.50 ms
64 bytes from 192.168.0.8: icmp_seq=2 ttl=64 time=0.210 ms

--- 192.168.0.8 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1004ms
rtt min/avg/max/mdev = 0.210/2.859/5.509/2.650 ms
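The add / verify / delete sequence above is all a root shell needs, but the one-liner has two ways to bite: a host name resolves to only one address, and rejecting the wrong address (the default gateway, say) cuts the box off from its own admin. The script below is an added example, not code from the original post. It wraps the post's route command with those checks and a reverse-path-filter warning; it assumes net-tools route, awk and sysctl are present, and its parsers take the text of route -n as an argument so they can be exercised on the constructed sample table without root.

```shell
#!/bin/sh
# Null-route hostile IPv4 addresses with reject routes, as the post does, but with
# the checks worth running first. Added example, not from the original post.
# Assumptions: net-tools `route` for the live table (the post's tool), awk and
# sysctl; every parser takes the `route -n` text as an argument so it can be run
# against the constructed sample below without root.

# Constructed `route -n` output (not captured from a real host): one host that is
# already rejected, the LAN route and the default gateway. net-tools marks a
# reject route with "!" in the Flags column and "-" where there is no gateway.
SAMPLE_TABLE='Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.0.8     -               255.255.255.255 !H    0      -        0 -
192.168.0.0     0.0.0.0         255.255.255.0   U     0      0        0 eth0
0.0.0.0         192.168.0.1     0.0.0.0         UG    0      0        0 eth0'

# Succeed only for a dotted quad with every octet in 0..255. Host names are
# refused on purpose: `route add -host name reject` resolves the name once and
# rejects a single address, which is not enough against a host with several
# A records.
valid_ipv4() {
    case "$1" in
        *[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    printf '%s\n' "$1" | awk -F. '
        NF != 4 { exit 1 }
        { for (i = 1; i <= NF; i++) if ($i > 255) exit 1 }'
}

# Print the default gateway found in a `route -n` table ($1), or nothing.
default_gateway() {
    printf '%s\n' "$1" | awk '$1 == "0.0.0.0" { print $2; exit }'
}

# Succeed if the table ($2) already holds a reject route for host $1.
is_rejected() {
    printf '%s\n' "$2" | awk -v ip="$1" '
        $1 == ip && $3 == "255.255.255.255" && index($4, "!") { found = 1 }
        END { exit !found }'
}

# Print the route command to run for $1, or say on stderr why not and fail.
# Refusing the default gateway is the important check: rejecting it cuts this
# host off from everything beyond its subnet, the admin's SSH session included.
plan_blackhole() {
    ip=$1
    table=$2
    if ! valid_ipv4 "$ip"; then
        echo "refusing '$ip': not a dotted-quad IPv4 address" >&2
        return 1
    fi
    if [ "$ip" = "$(default_gateway "$table")" ]; then
        echo "refusing '$ip': it is the default gateway" >&2
        return 1
    fi
    if is_rejected "$ip" "$table"; then
        echo "refusing '$ip': already rejected" >&2
        return 1
    fi
    echo "route add -host $ip reject"
}

# Apply the plan for each address on the command line against the live table.
# A reject route removes this host's path *to* the address; whether packets
# *from* it are dropped as well depends on reverse path filtering, hence the
# warning when rp_filter is off.
apply_blackholes() {
    table=$(route -n)
    for ip in "$@"; do
        cmd=$(plan_blackhole "$ip" "$table") || continue
        echo "+ $cmd"
        $cmd
    done
    if [ "$(sysctl -n net.ipv4.conf.all.rp_filter 2>/dev/null)" = "0" ]; then
        echo "warning: rp_filter is 0; inbound packets from rejected sources still reach the IP stack" >&2
    fi
}

# Usage (as root): sh blackhole.sh --apply 192.168.0.8 203.0.113.5
if [ "${1:-}" = "--apply" ]; then
    shift
    apply_blackholes "$@"
fi
```

Undo an entry exactly as the post does, with route del -host <ip> reject; the planner only refuses an address that is already rejected, so re-running the script after a deletion re-adds it.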