North-South Load Balancing of Kubernetes Services with eBPF/XDP
--dport 80 -j REJECT --reject-with icmp-port-unreachable -A KUBE-SERVICES -d 10.96.61.252/32 -p tcp -m comment --comment "default/nginx-64: has no endpoints" -m tcp --dport 80 -j REJECT --reject-with icmp-port-unreachable --dport 80 -j REJECT --reject-with icmp-port-unreachable -A KUBE-SERVICES -d 10.98.85.41/32 -p tcp -m comment --comment "default/nginx-9: has no endpoints" -m tcp --dport 80 -j REJECT --reject-with icmp-port-unreachable --dport 80 -j REJECT --reject-with icmp-port-unreachable -A KUBE-SERVICES -d 10.106.49.80/32 -p tcp -m comment --comment "default/nginx-37: has no endpoints" -m tcp --dport 80 -j REJECT --reject-with icmp-port-unreachable
11 pages | 444.46 KB | 1 year ago
Linux就该这么学 (Linux Should Be Learned This Way), 2nd Edition
…key> read redhat-access-insights rescan-scsi-bus.sh readarray reject reset readelf remotectl resize2fs readlink … In iptables terminology these are ACCEPT (allow traffic through), REJECT (refuse traffic), LOG (record log information) and DROP (refuse traffic). "Allow traffic through" and "record log information" are easy enough to understand; what needs emphasis here is the difference between REJECT and DROP. DROP simply discards the traffic and does not respond; REJECT, after refusing the traffic, replies with a message saying "the message was received, but it was thrown away", so that the traffic … you are at home watching TV when you suddenly hear a knock at the door; looking through the peephole of the security door you see it is a salesperson, so when you do not need anything you open the door and turn them away (REJECT). But if you see a creditor who has brought a dozen henchmen to collect a debt, you not only refuse to open the door but also stay silent, pretending you are not at home (DROP). In the Red Hat certification exam you must use REJECT to refuse traffic, so that the grading script gets a response and awards the points. In real work, however, refusing with DROP is more often recommended, since it hides the server's running state.
552 pages | 22.25 MB | 1 year ago
Linux command line for you and me Documentation Release 0.1
LOG | | raw | -R (replace) | PREROUTING | --sport source_port | REJECT | | | -F (flush) | POSTROUTING | --dport destination_ip | DNAT … INPUT -p tcp --dport 443 -j ACCEPT iptables -A OUTPUT -j ACCEPT iptables -A INPUT -j REJECT iptables -A FORWARD -j REJECT … The first rule allows all incoming traffic on the loopback device. The second line is … trying to reconnect. The 3rd last line allows all outgoing packets, and the last 2 lines reject everything else which does not match the rules. If you want to view all the rules: # iptables -nvL
124 pages | 510.85 KB | 1 year ago
Linux command line for you and me Documentation Release 0.1
FORWARD | -d destination_ip | LOG | | raw | -R (replace) | PREROUTING | --sport source_port | REJECT | (continues on next page) 96 Chapter 14. Linux Firewall Linux command line for you and me Documentation … INPUT -p tcp --dport 443 -j ACCEPT iptables -A OUTPUT -j ACCEPT iptables -A INPUT -j REJECT iptables -A FORWARD -j REJECT … The first rule allows all incoming traffic on the loopback device. The second line is … trying to reconnect. The 3rd last line allows all outgoing packets, and the last 2 lines reject everything else which does not match the rules. If you want to view all the rules: # iptables -nvL
128 pages | 716.99 KB | 1 year ago
鸟哥的Linux私房菜 (Vbird's Linux Private Kitchen): Server Setup, 3rd Edition
…or redirect): has been set up as a dynamic route by a service or by the port-forwarding function; M (modified from routing daemon or redirect): the route has been modified; ! (reject route): this route will not be accepted (used to block unsafe networks!); Iface: the interface through which this route sends packets. Also, note the order in which the routes above are listed: they go from the smaller network first (192.168.1.0/24 is Class … ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:22 <== and so on below; REJECT all -- 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited; Chain FORWARD (policy ACCEPT) <== for the FORWARD chain, whose default policy is accept; target prot opt source destination; REJECT all -- 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited; Chain OUTPUT (policy ACCEPT) <== for the OUTPUT …
795 pages | 17.63 MB | 1 year ago
Ubuntu Server Guide 18.04
…based environment it is enough to "unassign" devices from the kernel driver. Without that, DPDK will refuse to use the device, to avoid issues with the kernel and DPDK working on the device at the same time. … ufw-user-limit -m limit --limit 3/minute -j LOG --log-prefix "[UFW LIMIT]: " -A ufw-user-limit -j REJECT -A ufw-user-limit-accept -j ACCEPT COMMIT Rules updated … ufw can be disabled by: sudo ufw disable … are creating a firewall in addition to a gateway device, you may have set the policies to DROP or REJECT, in which case your masqueraded traffic needs to be allowed through the FORWARD chain for the above …
413 pages | 1.40 MB | 1 year ago
Linux命令大全搜索工具 (Linux Command Reference Search Tool) v1.8
…simpler. read: reads a variable value from the keyboard; readelf: displays information about ELF-format files; readonly: marks a shell variable or function as read-only; reboot: restarts the running Linux operating system; reject: tells the print system to refuse print jobs sent to the specified printer; rename: batch-renames files by string substitution; renice: changes the scheduling priority of a running process; repquota: prints the status of disk space limits in report format … -A RH-Firewall-1-INPUT -m tcp -p tcp --dport 22 -j ACCEPT -A RH-Firewall-1-INPUT -j reject --reject-with icmp6-adm-prohibited COMMIT … These are similar to the IPv4 iptables rules, but not quite the same. To open port 80 (the HTTP server port), in … Packets that no specific rule matches are probably unwanted and most likely problematic. We may also want to log them before dropping (DROP) them. In that case, the last lines: -A RH-Firewall-1-INPUT -j REJECT --reject-with icmp6-adm-prohibited COMMIT can be changed to: -A RH-Firewall-1-INPUT -j LOG -A RH-Firewall-1-INPUT …
1347 pages | 8.79 MB | 1 year ago
Cilium v1.7 Documentation
…other requests. Allow service1 to produce on Kafka topic topic1 and service2 to consume on topic1. Reject all other Kafka messages. Require the HTTP header X-Token: [0-9]+ to be present in all REST calls … each client workload to also trust this new certificate, otherwise the client's TLS library will reject the connection as invalid. In this model, the network firewall uses the certificate signed by the … 10:53:40.147 Channel ipv4 State: DOWN Input filter: ACCEPT Output filter: REJECT ... Basic configuration: It's hard to discuss bird configurations without considering specific …
885 pages | 12.41 MB | 1 year ago
Cilium v1.10 Documentation
…other requests. Allow service1 to produce on Kafka topic topic1 and service2 to consume on topic1. Reject all other Kafka messages. Require the HTTP header X-Token: [0-9]+ to be present in all REST calls … each client workload to also trust this new certificate, otherwise the client's TLS library will reject the connection as invalid. In this model, the network firewall uses the certificate signed by the … 10:53:40.147 Channel ipv4 State: DOWN Input filter: ACCEPT Output filter: REJECT ... Basic configuration: It's hard to discuss bird configurations without considering specific …
1307 pages | 19.26 MB | 1 year ago
Cilium v1.8 Documentation
…other requests. Allow service1 to produce on Kafka topic topic1 and service2 to consume on topic1. Reject all other Kafka messages. Require the HTTP header X-Token: [0-9]+ to be present in all REST calls … each client workload to also trust this new certificate, otherwise the client's TLS library will reject the connection as invalid. In this model, the network firewall uses the certificate signed by the … 10:53:40.147 Channel ipv4 State: DOWN Input filter: ACCEPT Output filter: REJECT ... Basic configuration: It's hard to discuss bird configurations without considering specific …
1124 pages | 21.33 MB | 1 year ago
25 results in total