随着具有网络访问权限的设备的增加和黑客攻击的可能性,我想阻止特定的IP地址访问互联网,但允许LAN访问.例如,我使用Logitech Harmony遥控器用1个按钮控制我的立体声,卫星和电视.我也可以通过本地网络使用iPad控制它.但是我不希望黑客操作我的电视,所以我想用我的IP Tables防火墙阻止分配给和声遥控器的IP地址.
这是我用来编辑IP表配置的当前脚本.它正在我的Fedora 20盒子上工作,带有2个网卡.第6节是我试图插入规则的地方.其他一切都按预期工作.我包括整个脚本,希望它可以帮助其他人,即使与我的问题无关.毕竟,它都是建立在我自己搜索的知识之上的!
#!/bin/sh # # A script for creating an iptables firewall # # # Start by clearing iptables # iptables -F iptables -t nat -F iptables -t mangle -F iptables -X iptables -t nat -X iptables -t mangle -X # # Define our interfaces,Squid IP,and Squid port # WAN="p4p1" LAN="p4p2" SQUIDIP="192.168.10.10" SQUIDPORT="3129" # # Create log files to help troubleshooting. (We can comment out when not needed) # # iptables -A OUTPUT -j LOG # iptables -A INPUT -j LOG # iptables -A FORWARD -j LOG # # Now to create the Routing Firewall # # # (1) Create the default policies (DROP) # iptables -P INPUT DROP iptables -P OUTPUT DROP iptables -P FORWARD DROP # # (2) User-defined chain called "okay" for ACCEPTed TCP packets # iptables -N okay iptables -A okay -p tcp --syn -j ACCEPT iptables -A okay -p tcp -m state --state ESTABLISHED,RELATED -j ACCEPT iptables -A okay -p tcp -j DROP # # (3) INPUT rules # ###### (A) Rules for incoming packets from the LAN iptables -A INPUT -p ALL -i $LAN -s 192.168.10.0/24 -j ACCEPT iptables -A INPUT -p ALL -i lo -s 127.0.0.1 -j ACCEPT iptables -A INPUT -p ALL -i lo -s 192.168.10.10 -j ACCEPT iptables -A INPUT -p ALL -i lo -s 192.168.1.10 -j ACCEPT iptables -A INPUT -p ALL -i $LAN -d 192.168.10.255 -j ACCEPT ##### (B) Rules for incoming packets from the Internet ###### (i) Packets for established connections iptables -A INPUT -p ALL -d 192.168.1.10 -m state --state ESTABLISHED,RELATED -j ACCEPT ##### (ii) TCP rules ## Opens the server port to any TCP from the internet iptables -A INPUT -p tcp -i $WAN -s 0/0 –dport 22 -j okay ##### (iii) UDP rules ## Opens the server port to any UDP from the internet # iptables -A INPUT -p udp -i $WAN -s 0/0 –dport 53 -j okay ##### (iv) ICMP rules iptables -A INPUT -p icmp -i $WAN -s 0/0 --icmp-tpe 8 -j ACCEPT iptables -A INPUT -p icmp -i $WAN -s 0/0 --icmp-tpe 11 -j ACCEPT # # Creates the router between the 2 ethernet cards to accept the packets we want to forward # iptables -A FORWARD -i $LAN -j ACCEPT iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT # # (5) OUTPUT rules # Only output packets with local addresses (no spoofing) # iptables -A OUTPUT -p ALL -s 127.0.0.1 -j ACCEPT iptables -A OUTPUT -p ALL -s 192.168.10.10 -j ACCEPT iptables -A OUTPUT -p ALL -s 192.168.1.10 -j ACCEPT # # (6) OUTPUT rule to allow a client LAN access,but DROP internet access # I use this to prevent varIoUs home appliances from accessing the internet # iptables -A OUTPUT -s 192.168.10.110 -j DROP # # (7) PREROUTING rules to allow a client to bypass our Squid proxy # (NetFlix works better when it bypasses the proxy) iptables -t nat -A PREROUTING -s 192.168.10.204 -j ACCEPT # BluRay player iptables -t nat -A PREROUTING -s 192.168.10.205 -j ACCEPT # Sony TV # # (8) PREROUTING rules for transparent Squid proxy (also requires changes in the squid configuration file) # (from: http://wiki.squidcache.org/ConfigExamples/Intercept/LinuxRedirect) # iptables -t nat -A PREROUTING -s $SQUIDIP -p tcp --dport 80 -j ACCEPT iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-port $SQUIDPORT iptables -t mangle -A PREROUTING -p tcp --dport $SQUIDPORT -j DROP # # (9) POSTROUTING chain rules. SNAT is for static IP,MASQUERADE is for dynamic IP # iptables -t nat -A POSTROUTING -o $WAN -j SNAT --to-source 192.168.1.10 # iptables -t nat -A POSTROUTING -o $WAN -j MASQUERADE # # Last,but not least,save the new configuration in /etc/sysconfig/iptables # service iptables save # # EOF #
解决方法
这不行.
# # (6) OUTPUT rule to allow a client LAN access,but DROP internet access # I use this to prevent varIoUs home appliances from accessing the internet # iptables -A OUTPUT -s 192.168.10.110 -j DROP
它无法工作的原因是OUTPUT表只过滤源自路由器的流量,而不是通过它.您希望将规则应用于FORWARD表,如下所示:
iptables -A FORWARD -s 192.168.10.110 -j DROP
但它可能永远不会坚持下去,因为分配给设备的IP地址可能会随着DHCP而改变.所以我建议你用mac地址过滤.
就像是:
/sbin/iptables -A PREROUTING -i $LAN -m mac --mac-source ff:ff:ff:ff:ff:ff -j DROP
其中ff:ff:ff:ff:ff:ff是您想要过滤的和声遥控器或其他设备的mac地址.
注意:正如注释中所指出的,MAC地址仅适用于Layer2.我见过的例子表明,当过滤器应用于LAN接口时,上述情况应该可行.测试一下,让我知道它是否按预期工作.
我还想补充一下:
# # Creates the router between the 2 ethernet cards to accept the packets we want to forward # iptables -A FORWARD -i $LAN -j ACCEPT iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
不,它不会在2个以太网卡之间创建路由器.打开ip转发时,内核会自动完成路由.
上面的iptables规则说ACCEPT或允许来自$LAN的数据包通过任何接口.并保持状态在通过前向链路的已建立/相关会话进入路由器而不是来自$LAN.因为那是第一个规则并且停止了.
