The server, running on the latest kernel (4.4.6), has a bonding device (bond0) configured with two slave interfaces, eth0 and wlan0, with eth0 as the primary interface.
    cat /proc/net/bonding/bond0
    Ethernet Channel Bonding Driver: v3.7.1 (April 27, 2011)

    Bonding Mode: fault-tolerance (active-backup)
    Primary Slave: eth0 (primary_reselect always)
    Currently Active Slave: wlan0
    MII Status: up
    MII Polling Interval (ms): 1000
    Up Delay (ms): 1000
    Down Delay (ms): 1000

    Slave Interface: wlan0
    MII Status: up
    Speed: Unknown
    Duplex: Unknown
    Link Failure Count: 3
    Permanent HW addr: dc:53:60:5f:50:cd
    Slave queue ID: 0

    Slave Interface: eth0
    MII Status: down
    Speed: Unknown
    Duplex: Unknown
    Link Failure Count: 4
    Permanent HW addr: b8:ae:ed:7c:7d:c9
    Slave queue ID: 0
I also run iptables to filter traffic and block some local ports, while I allow all outgoing traffic.

    *filter
    -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
    -A INPUT -p tcp -m state --state NEW -m tcp --dport 8090 -j ACCEPT
What I have not done is create a mechanism that blocks remote access on specific ports when the primary interface eth0 goes down and wlan0 becomes active.

I tried adding an iptables rule for wlan0, although I know this is not correct because the interface is bond0 (fails):

    *filter
    -A INPUT -p tcp -i wlan0 -m state --state NEW -m tcp --dport 8090 -j DROP
    -A INPUT -p tcp -m state --state NEW -m tcp --dport 8090 -j ACCEPT
I tried adding an iptables rule for wlan0 that marks packets in PREROUTING and catches them in the filter table (fails):

    *mangle
    -A PREROUTING -i wlan0 -j MARK --set-xmark 0x1/0xffffffff
    *filter
    -A INPUT -p tcp -m state --state NEW -m tcp --dport 8090 -m mark ! --mark 0x1 -j ACCEPT
I tried adding an ebtables rule to mark packets at Layer 2 and catch them in the Layer 3 filter (fails):

    EBTABLES
    ebtables -t broute -A BROUTING -p ipv4 -i wlan0 -j mark --set-mark 0x1 --mark-target ACCEPT

    IPTABLES
    *filter
    -A INPUT -p tcp -m state --state NEW -m tcp --dport 8090 -m mark ! --mark 0x1 -j ACCEPT
I want to avoid a MAC address based solution because it does not apply with MAC policy: none.

Any ideas?
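A helper for the situation described in the question, added here as an example and not part of the original post: it reads a bonding status file in the /proc/net/bonding format shown above, decides whether the backup slave (rather than the primary) is currently active, and prints, without applying, the matching port 8090 rule in iptables-save syntax. The sample status file, the function names and the dry-run approach are all constructed for this example.

```shell
#!/bin/sh
# Added example (not from the original question). Derives the port-8090
# policy from the bonding status file instead of from interface names,
# which netfilter cannot see for individual bond slaves.

# "Currently Active Slave: wlan0"  ->  wlan0
active_slave() {
    sed -n 's/^Currently Active Slave: *//p' "$1"
}

# "Primary Slave: eth0 (primary_reselect always)"  ->  eth0
primary_slave() {
    sed -n 's/^Primary Slave: *\([^ ]*\).*/\1/p' "$1"
}

# DROP while the bond has failed over to a non-primary slave, ACCEPT
# while the primary carries traffic. This is the target for the
# port-8090 INPUT rule from the question.
port_policy() {
    if [ "$(active_slave "$1")" = "$(primary_slave "$1")" ]; then
        echo ACCEPT
    else
        echo DROP
    fi
}

# Render (do not apply) the rule set. A deployment would feed this into
# iptables-restore from a periodic job or a link-change hook; here it
# is only printed so the script is safe to run anywhere.
render_rules() {
    printf '%s\n' '*filter' \
        '-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT' \
        "-A INPUT -p tcp -m state --state NEW -m tcp --dport 8090 -j $(port_policy "$1")" \
        'COMMIT'
}

# Constructed sample status: eth0 is primary but wlan0 is active (failover).
SAMPLE=$(mktemp)
trap 'rm -f "$SAMPLE"' EXIT
cat >"$SAMPLE" <<'EOF'
Bonding Mode: fault-tolerance (active-backup)
Primary Slave: eth0 (primary_reselect always)
Currently Active Slave: wlan0
MII Status: up
EOF

render_rules "$SAMPLE"
```

Running it prints the rule set with `-j DROP` for the sample above; pointing it at the real /proc/net/bonding/bond0 gives the decision for the live bond.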