linux – iptables: block a client IP from the internet while keeping LAN access

With the growing number of devices that have network access and the possibility of hacker attacks, I want to block specific IP addresses from accessing the internet but still allow LAN access. For example, I use a Logitech Harmony remote to control my stereo, satellite and TV with 1 button. I can also control it with an iPad over the local network. But I don't want a hacker operating my TV, so I want to use my IP Tables firewall to block the IP address assigned to the Harmony remote.

This is the current script I use to edit the IP tables configuration. It is working on my Fedora 20 box with 2 network cards. Section 6 is where I tried to insert the rule. Everything else works as expected. I'm including the whole script in the hope that it helps others, even where it is unrelated to my question. After all, it is all built on knowledge from my own searching!

#!/bin/sh
#
# A script for creating an iptables firewall
#

#
# Start by clearing iptables
#
iptables -F
iptables -t nat -F
iptables -t mangle -F
iptables -X
iptables -t nat -X
iptables -t mangle -X

#
# Define our interfaces, Squid IP, and Squid port
#
WAN="p4p1"
LAN="p4p2"
SQUIDIP="192.168.10.10"
SQUIDPORT="3129"

#
# Create log files to help troubleshooting. (We can comment out when not needed)
#
# iptables -A OUTPUT -j LOG
# iptables -A INPUT -j LOG
# iptables -A FORWARD -j LOG

#
# Now to create the Routing Firewall
#

#
# (1) Create the default policies (DROP)
#
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP

#
# (2) User-defined chain called "okay" for ACCEPTed TCP packets
#
iptables -N okay
iptables -A okay -p tcp --syn -j ACCEPT
iptables -A okay -p tcp -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A okay -p tcp -j DROP

#
# (3) INPUT rules
#
######  (A) Rules for incoming packets from the LAN
iptables -A INPUT -p ALL -i $LAN -s 192.168.10.0/24 -j ACCEPT
iptables -A INPUT -p ALL -i lo -s 127.0.0.1 -j ACCEPT
iptables -A INPUT -p ALL -i lo -s 192.168.10.10 -j ACCEPT
iptables -A INPUT -p ALL -i lo -s 192.168.1.10 -j ACCEPT
iptables -A INPUT -p ALL -i $LAN -d 192.168.10.255 -j ACCEPT

##### (B) Rules for incoming packets from the Internet

######          (i) Packets for established connections
iptables -A INPUT -p ALL -d 192.168.1.10 -m state --state ESTABLISHED,RELATED -j ACCEPT

#####           (ii) TCP rules  ## Opens the server port to any TCP from the internet
iptables -A INPUT -p tcp -i $WAN -s 0/0 --dport 22 -j okay

#####           (iii) UDP rules ## Opens the server port to any UDP from the internet
# iptables -A INPUT -p udp -i $WAN -s 0/0 --dport 53 -j okay

#####          (iv) ICMP rules
iptables -A INPUT -p icmp -i $WAN -s 0/0 --icmp-type 8 -j ACCEPT
iptables -A INPUT -p icmp -i $WAN -s 0/0 --icmp-type 11 -j ACCEPT

#
# Creates the router between the 2 ethernet cards to accept the packets we want to forward
#
iptables -A FORWARD -i $LAN -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

#
# (5) OUTPUT rules
# Only output packets with local addresses (no spoofing)
#
iptables -A OUTPUT -p ALL -s 127.0.0.1 -j ACCEPT
iptables -A OUTPUT -p ALL -s 192.168.10.10 -j ACCEPT
iptables -A OUTPUT -p ALL -s 192.168.1.10 -j ACCEPT

#
# (6) OUTPUT rule to allow a client LAN access, but DROP internet access
# I use this to prevent various home appliances from accessing the internet
#
iptables -A OUTPUT -s 192.168.10.110 -j DROP

#
# (7) PREROUTING rules to allow a client to bypass our Squid proxy
# (NetFlix works better when it bypasses the proxy)
iptables -t nat -A PREROUTING -s 192.168.10.204 -j ACCEPT # BluRay player
iptables -t nat -A PREROUTING -s 192.168.10.205 -j ACCEPT # Sony TV

#
# (8) PREROUTING rules for transparent Squid proxy (also requires changes in the squid configuration file)
# (from: http://wiki.squidcache.org/ConfigExamples/Intercept/LinuxRedirect)
#
iptables -t nat -A PREROUTING -s $SQUIDIP -p tcp --dport 80 -j ACCEPT
iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-port $SQUIDPORT
iptables -t mangle -A PREROUTING -p tcp --dport $SQUIDPORT -j DROP

#
# (9) POSTROUTING chain rules. SNAT is for static IP, MASQUERADE is for dynamic IP
#
iptables -t nat -A POSTROUTING -o $WAN -j SNAT --to-source 192.168.1.10
# iptables -t nat -A POSTROUTING -o $WAN -j MASQUERADE

#
# Last, but not least, save the new configuration in /etc/sysconfig/iptables
#
service iptables save

#
# EOF
#

Solution

This won't work.

#
# (6) OUTPUT rule to allow a client LAN access, but DROP internet access
# I use this to prevent various home appliances from accessing the internet
#
iptables -A OUTPUT -s 192.168.10.110 -j DROP

The reason it doesn't work is that the OUTPUT table only filters traffic originating from the router itself, not traffic passing through it. You want to apply the rule to the FORWARD table, like so:

iptables -A FORWARD -s 192.168.10.110 -j DROP

But it may never stick, because the IP address assigned to the device may change with DHCP. So I suggest you filter by MAC address.

Something like:

# PREROUTING only exists in the raw, mangle and nat tables, so the table must be named
/sbin/iptables -t mangle -A PREROUTING -i $LAN -m mac --mac-source ff:ff:ff:ff:ff:ff -j DROP

where ff:ff:ff:ff:ff:ff is the MAC address of the Harmony remote or other device you want to filter.

Note: as pointed out in the comments, MAC addresses only apply at Layer 2. The examples I have seen suggest the above should work when the filter is applied on the LAN interface. Test it and let me know whether it works as expected.

I'd also like to add:

#
# Creates the router between the 2 ethernet cards to accept the packets we want to forward
#
iptables -A FORWARD -i $LAN -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

No, it does not create a router between the 2 ethernet cards. When IP forwarding is turned on, the kernel does the routing automatically.

The iptables rules above say ACCEPT, or allow, packets from $LAN out through any interface, and keep state for established/related sessions that enter the router through the forward chain and are not from $LAN, because that is the first rule and it stops there.
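An added example (not the asker's or the answerer's code) that applies the answer's point to the script above: the block rule belongs in the FORWARD chain, it must be inserted ahead of the script's LAN-wide `-A FORWARD -i $LAN -j ACCEPT` or it is never reached, and the resulting order can be checked against `iptables -S FORWARD` output. The interface name is taken from the question; the MAC address and the sample listings are constructed placeholders.

```shell
#!/bin/sh
# Added example: block one LAN client's internet access in FORWARD and verify rule order.
LAN="p4p2"                      # LAN interface from the question's script
BLOCK_MAC="00:11:22:33:44:55"   # constructed placeholder MAC of the device to block

# Emit the block rule. -I (insert at position 1) rather than -A matters: the script's
# "iptables -A FORWARD -i $LAN -j ACCEPT" already accepts everything from the LAN,
# so a DROP appended after it would never match. LAN-to-LAN traffic on the same
# /24 is switched and never enters FORWARD, so the client keeps its LAN access.
block_rules() {
    printf 'iptables -I FORWARD 1 -i %s -m mac --mac-source %s -j DROP\n' "$LAN" "$BLOCK_MAC"
}

# Given the output of "iptables -S FORWARD", return 0 if the MAC DROP rule is listed
# before the LAN-wide ACCEPT (or the ACCEPT is absent), 1 if it is missing or too late.
drop_precedes_accept() {
    rules="$1"
    drop_line=$(printf '%s\n' "$rules" | grep -n -- "--mac-source $BLOCK_MAC -j DROP" | cut -d: -f1 | head -n1)
    accept_line=$(printf '%s\n' "$rules" | grep -n -- "-A FORWARD -i $LAN -j ACCEPT" | cut -d: -f1 | head -n1)
    [ -n "$drop_line" ] || return 1
    [ -z "$accept_line" ] && return 0
    [ "$drop_line" -lt "$accept_line" ]
}

# Constructed sample listings standing in for real "iptables -S FORWARD" output.
WRONG_ORDER='-P FORWARD DROP
-A FORWARD -i p4p2 -j ACCEPT
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i p4p2 -m mac --mac-source 00:11:22:33:44:55 -j DROP'

RIGHT_ORDER='-P FORWARD DROP
-A FORWARD -i p4p2 -m mac --mac-source 00:11:22:33:44:55 -j DROP
-A FORWARD -i p4p2 -j ACCEPT
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT'

# Apply only when explicitly asked (APPLY=1, as root); otherwise just show the rule.
if [ "${APPLY:-0}" = 1 ] && [ "$(id -u)" -eq 0 ] && command -v iptables >/dev/null 2>&1; then
    block_rules | sh
    drop_precedes_accept "$(iptables -S FORWARD)" && echo "block rule is in effect"
else
    block_rules
fi
```

Run with `APPLY=1` as root on the router to install the rule; without it the script only prints the rule it would add.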
