Q1. The rule marked in red (the plain "ACCEPT all 0.0.0.0/0 0.0.0.0/0", third line of the INPUT chain below) is already there, so why do some connections still fail to get in?
iptables -nL | head
Chain INPUT (policy ACCEPT)
target      prot opt source               destination
ACCEPT      all  --  0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
DROP        all  --  0.0.0.0/0            0.0.0.0/0            ctstate INVALID
ACCEPT      all  --  0.0.0.0/0            0.0.0.0/0
syn_flood   tcp  --  0.0.0.0/0            0.0.0.0/0            tcp flags:0x17/0x02
input_rule  all  --  0.0.0.0/0            0.0.0.0/0
input       all  --  0.0.0.0/0            0.0.0.0/0
A1. Run the following command and you'll see what is going on. Plain -nL hides the in/out interface columns (and the packet/byte counters), so a rule that prints as "ACCEPT all 0.0.0.0/0 0.0.0.0/0" looks as if it accepts everything. With -v the in/out columns appear, and that rule most likely turns out to be bound to a single interface (lo, for instance), so traffic arriving on the other interfaces never matches it and falls through to the later chains. The counters also tell you which rule the failing connections actually hit:
iptables -vnL
Q2. Why does the following command get you into trouble?
iptables -F
A2. When the default policy is DROP you'll find out the hard way: -F deletes every rule but leaves the chain policies untouched, so the RELATED,ESTABLISHED rule that was letting your own SSH session through is gone and the policy drops everything, including you. Set the built-in chain policies (INPUT, FORWARD, OUTPUT) to ACCEPT with -P first, or do the flush from the console.
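The lockout described in A2, as an added example that is not part of the original post: a wrapper that reads the policy lines "iptables -S" prints ("-P INPUT DROP") and opens the policies before flushing, so the flush cannot cut off the session it is run from. The rule text in the block is a constructed sample; only safe_flush itself touches iptables and needs root.

```shell
#!/bin/sh
# Added example, not from the original post: a flush that refuses to run a bare
# "iptables -F" while a built-in filter chain still has policy DROP/REJECT.
# Assumes the "-P CHAIN POLICY" line format that "iptables -S" prints.

# chain_policy CHAIN   (stdin: output of "iptables -S")
# Prints the policy of CHAIN, e.g. DROP or ACCEPT.
chain_policy() {
    awk -v chain="$1" '$1 == "-P" && $2 == chain { print $3; exit }'
}

# unsafe_chains   (stdin: output of "iptables -S")
# Prints the built-in chains whose policy is not ACCEPT; prints nothing when a
# flush would leave the box reachable. "-P" lines only exist for built-in chains.
unsafe_chains() {
    awk '$1 == "-P" && $3 != "ACCEPT" { print $2 }'
}

# flush_is_safe   (stdin: output of "iptables -S")
# Exit status 0 when no chain has a DROP/REJECT policy, 1 otherwise.
flush_is_safe() {
    [ -z "$(unsafe_chains)" ]
}

# safe_flush: what to run instead of a bare "iptables -F" (needs root).
# Opens the policies first when necessary, then flushes the rules and deletes
# the now-empty user-defined chains.
safe_flush() {
    rules=$(iptables -S) || return 1
    if ! printf '%s\n' "$rules" | flush_is_safe; then
        echo "policy is not ACCEPT on: $(printf '%s\n' "$rules" | unsafe_chains | tr '\n' ' ')" >&2
        echo "opening policies before flushing" >&2
        for c in INPUT FORWARD OUTPUT; do
            iptables -P "$c" ACCEPT || return 1
        done
    fi
    iptables -F && iptables -X
}

# Constructed sample of "iptables -S" output on a deny-by-default box.
SAMPLE_RULES='-P INPUT DROP
-P FORWARD DROP
-P OUTPUT ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp --dport 22 -j ACCEPT'
```

Run safe_flush as root wherever you would have typed iptables -F; the helpers can be pointed at saved rules (iptables-save output uses the same -P lines) to check a ruleset before loading it.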
Q3. Why doesn't the following rule work?
iptables -A input -i eth0:1 -j ACCEPT
A3. iptables doesn't support sub-interfaces. eth0:1 is only an IP alias (a second address on eth0), not a separate device: the packets arrive on eth0, so an interface match on eth0:1 never fires. Match the alias's address instead, i.e. -i eth0 together with -d <alias IP>.
Lots of "martian source" messages in the kernel log
Apr 11 16:58:42 openvz kernel: [ 55.375929] martian source 58.64.??.?? from 58.64.??.??, on dev eth1
Apr 11 16:58:42 openvz kernel: [ 55.375931] ll header: ff:ff:ff:ff:ff:ff:84:18:88:a0:dc:??:??:??
Check whether logging of them is switched on (1 = log, 0 = don't):
cat /proc/sys/net/ipv4/conf/all/log_martians
P.S.
/proc/sys/net/ipv4/conf/eth1/log_martians is OR'd with the setting above, not overridden by it: logging on eth1 is enabled if either conf/all/log_martians or conf/eth1/log_martians is 1, so to silence it both must be 0 (conf/default/log_martians only seeds interfaces created later). Permanently, in /etc/sysctl.conf:
net.ipv4.conf.all.log_martians = 0
net.ipv4.conf.eth1.log_martians = 0
Or right away (a single redirection cannot take a brace-expanded list of files, so loop over them; brace expansion is bash):
for f in /proc/sys/net/ipv4/conf/{all,default,eth1}/log_martians; do echo 0 > "$f"; done
RFC 1812 defines what a martian source is: a source address that cannot legitimately have arrived on that interface (loopback, the zero network, broadcast, or, with rp_filter on, any source whose reverse route does not go back out the receiving interface, which is what asymmetric routing or a neighbour on a shared segment sending from another subnet produces). Since the IP source address itself cannot be trusted, the only remaining hint is the MAC header, which is why the kernel prints the "ll header" line. Note the order in the message: martian source <destination> from <source>, on dev <interface>.
martian source 10.0.0.100 from 10.0.0.100, on dev eth0 ll header: 00:30:84:73:71:ee:00:90:d0:8e:a1:6f:08:00
The ll header is the raw 14-byte Ethernet header in wire order:
destination MAC address (bytes 1-6): 00:30:84:73:71:ee
source MAC address (bytes 7-12): 00:90:d0:8e:a1:6f
ethertype (bytes 13-14): 08:00 (IPv4)
The source MAC is the one to chase: look it up in the switch's MAC table or the ARP cache to find the host that is sending from the wrong address.
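The decoding above, as an added example that is not part of the original post: a small script that joins the two lines the kernel prints per martian packet and splits the ll header into destination MAC, source MAC and EtherType. The log lines in the block are constructed samples (the first pair reuses the addresses quoted above; the 192.0.2.x addresses and the 02:00:00:00:00:01 MAC are made up).

```shell
#!/bin/sh
# Added example, not from the original post: pull the useful fields out of
# "martian source" kernel messages. Kernel format (net/ipv4/route.c):
#   martian source <dst-ip> from <src-ip>, on dev <if>
#   ll header: <dst-mac>:<src-mac>:<ethertype>
# The first address is the packet's destination, the second the suspicious
# source; the "ll header" is the raw 14-byte Ethernet header in wire order.

# decode_ll_header HEX
# HEX is the colon-separated 14 bytes after "ll header:".
# Prints "dst=<mac> src=<mac> type=0x<ethertype>".
decode_ll_header() {
    printf '%s\n' "$1" | awk -F: 'NF >= 14 {
        dst = $1 ":" $2 ":" $3 ":" $4 ":" $5 ":" $6
        src = $7 ":" $8 ":" $9 ":" $10 ":" $11 ":" $12
        printf "dst=%s src=%s type=0x%s%s\n", dst, src, $13, $14
    }'
}

# dst_kind MAC
# Classifies a destination MAC: broadcast, multicast (low bit of the first
# octet set) or unicast. A broadcast destination usually means a neighbour on
# the same segment is chattering from a subnet this box has no route to.
dst_kind() {
    case "$1" in
        ff:ff:ff:ff:ff:ff) echo broadcast ;;
        ?[13579bdf]:*)     echo multicast ;;
        *)                 echo unicast ;;
    esac
}

# martian_summary   (stdin: kernel log lines, e.g. from dmesg)
# dmesg prints the two parts on consecutive lines; join each "martian source"
# line with the "ll header" line that follows it and print one line per packet:
#   <dev> <src-ip> -> <dst-ip> dst=<mac> src=<mac> type=0x<ethertype>
martian_summary() {
    sed -n \
        -e '/martian source/{' -e 'N' \
        -e 's/.*martian source \([0-9.]*\) from \([0-9.]*\), on dev \([A-Za-z0-9_.:-]*\).*ll header: \([0-9a-f:]*\).*/\3 \2 \1 \4/p' \
        -e '}' |
    while read -r dev src dst hdr; do
        printf '%s %s -> %s %s\n' "$dev" "$src" "$dst" "$(decode_ll_header "$hdr")"
    done
}

# Constructed sample log (dmesg style): the first pair is the one quoted in the
# post, the second is a made-up broadcast from a foreign subnet on eth1.
SAMPLE_LOG='Apr 11 16:58:42 openvz kernel: [   55.375929] martian source 10.0.0.100 from 10.0.0.100, on dev eth0
Apr 11 16:58:42 openvz kernel: [   55.375931] ll header: 00:30:84:73:71:ee:00:90:d0:8e:a1:6f:08:00
Apr 11 16:58:43 openvz kernel: [   56.000000] martian source 192.0.2.255 from 192.0.2.7, on dev eth1
Apr 11 16:58:43 openvz kernel: [   56.000002] ll header: ff:ff:ff:ff:ff:ff:02:00:00:00:00:01:08:00'

# Usage on a live box: dmesg | martian_summary
printf '%s\n' "$SAMPLE_LOG" | martian_summary
```

The source MAC in each summary line is what you take to the switch's MAC table or the ARP cache; the destination MAC tells you whether the packet was aimed at this host or was just a broadcast it happened to overhear.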