Figure 1 graphically illustrates this packet filtering process.
Rules dealing with incoming packets are added to the INPUT chain.
Rules dealing with outgoing packets are added to the OUTPUT chain.
There are many more targets available for other actions that can be performed on packets.
Ideally the policy should tell the kernel to DROP that packet.
Use this code to create the RecipeJAUS packet sequence.
Also, REJECT sends back an error message to the sender of the packet.
The rules are grouped in chains, according to the types of packets they deal with.
First, the attacker needs to make sure that the fake packets will actually be routed to the target.
These three chains are the main chains built-in by default inside basic packet-filtering tables.
And rules dealing with packets being forwarded are added to the FORWARD chain.
Once these rules are in place, your system will simply discard any packets that fall into one of these categories.
All packets that don't match any rule in the chain will then be forced to use the policy of the chain.
That means all the packets not matching any rule in the INPUT chain will be dropped.
Here I will explore generic matches that can be used for packets having any protocols. The following are important and often-used generic matches with their examples and explanations.
A table is a packet filtering table that contains rules and chains dealing with specific kinds of packets only.
A packet can also be blocked and killed using target DROP or REJECT.
But if the packet doesn't match a rule, then it is compared to the next rule in the chain.
After the rules are built and chains are in place, the real work of packet filtering starts.
Small business contractors should limit their responses to five pages and submit them electronically, the notice states.
If the chain is a main chain like INPUT, the packet will be handled using the default policy of that chain.
We already know that targets are the actions specified by rules to be performed on packets that match those rules.
Finally, RELATED means that the packet is starting a new connection and it is associated with an already established connection.
If a packet matches a rule, the packet can be allowed to pass through using target ACCEPT.
Now you've learned how to build basic rules and chains and how to add or remove them from the packet filtering tables.
The first command deletes a rule from the INPUT chain that specifies packets destined for port 80 to be DROPped.
The output from the /sbin/ifconfig eth0 command lists a total of all packets received and transmitted.
If a packet matches a rule, the kernel performs the action specified by the target of that rule on the packet.
The resultant RecipeJAUS step packet support file for the smart thermostat packet is in Listing 7.
As packets arrive, they are filtered by their type, source address, destination address, and port information contained in each packet.