Iptables time-based rules have no effect – gateway with 2 NICs

I have a network with the following topology:

- WAN modem facing the gateway's NIC: 192.168.0.1
- Ubuntu 14.04 gateway with two NICs:
  1. eth0 (facing the modem): 192.168.0.201
  2. eth1 (facing the LAN): 10.0.0.1

I am trying to use iptables to restrict access to the Internet and to the LAN (from the Internet), but the rules don't seem to have any effect.

In rc.local I have the following:

```sh
#!/bin/sh -e
#
# rc.local
#
# turning on address verification
echo -n "Enabling source address verification..."
echo 1 > /proc/sys/net/ipv4/conf/default/rp_filter
echo "done"

# just for the sake of turning the networks off and on... not sure if it
# would work turning them back on only at the end of the script?
# -- Also flushing NICs
ip addr flush eth0; ip addr flush eth1;
ifconfig eth0 down; ifconfig eth1 down; ifconfig lo down;
ifconfig lo up; ifconfig eth0 up; ifconfig eth1 up;
ifconfig eth0 192.168.0.201 netmask 255.255.255.0
ifconfig eth1 10.0.0.1 netmask 255.255.255.0

# routing table check up :
route add 127.0.0.1 dev lo;
route add -net 127.0.0.0/8 dev lo;
route add -net 10.0.0.0/24 dev eth1;
# /24 to match the eth0 netmask set above (the post had /8, which route rejects
# because the network address has host bits set)
route add -net 192.168.0.0/24 dev eth0;
route add default gw 192.168.0.1;

# turn forwarding off while configuring iptables :
sysctl net/ipv4/ip_forward=0
iptables -F
iptables -X
iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -t nat -F
iptables -t nat -X
iptables -t mangle -F
iptables -t mangle -X
# and on again once the policies are set
sysctl net/ipv4/ip_forward=1

# limiting LAN clients
iptables -A FORWARD -d 10.0.0.74 -m time --timestart 20:00 --timestop 10:00 --days Sun,Mon,Tue,Wed,Thu,Fri -j DROP
iptables -A FORWARD -d 10.0.0.228 -m time --timestart 20:00 --timestop 10:00 --days Sun,Mon,Tue,Wed,Thu,Fri -j DROP
iptables -A FORWARD -d 10.0.0.121 -m time --timestart 20:00 --timestop 10:00 --days Sun,Mon,Tue,Wed,Thu,Fri -j DROP
iptables -A FORWARD -d 10.0.0.221 -m time --timestart 20:00 --timestop 10:00 --days Sun,Mon,Tue,Wed,Thu,Fri -j DROP
iptables -A FORWARD -d 10.0.0.2 -m time --timestart 10:00 --timestop 20:00 --days Sun,Mon,Tue,Wed,Thu,Fri -j DROP

# block IPs
iptables -A INPUT -s 173.194.45.189 -j DROP
iptables -A INPUT -s 208.92.53.87 -j DROP

# masquerade on wan card :
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

# accept all packets in lo and protect against spoofing :
# (interface negation is written "! -i lo", the form the iptables man page documents)
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
iptables -A INPUT ! -i lo -s 127.0.0.0/8 -j LOG
iptables -A INPUT ! -i lo -s 127.0.0.0/8 -j DROP
iptables -A FORWARD ! -i lo -s 127.0.0.0/8 -j LOG
iptables -A FORWARD ! -i lo -s 127.0.0.0/8 -j DROP

# accept only established input but all output on WAN card
iptables -A FORWARD -i eth0 -o eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -i eth1 -j ACCEPT
iptables -A OUTPUT -o eth0 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT

# just forget the invalid packets :
iptables -A OUTPUT -o eth0 -m state --state INVALID -j DROP
iptables -A INPUT -i eth0 -m state --state INVALID -j LOG
iptables -A INPUT -i eth0 -m state --state INVALID -j DROP

# not sure whether to put this before or after spoofing protection ?
iptables -A INPUT -i eth1 -j ACCEPT
iptables -A OUTPUT -o eth1 -j ACCEPT

# against spoofing on LAN card input :
iptables -A INPUT ! -i eth1 -s 10.0.0.0/24 -j LOG
iptables -A INPUT ! -i eth1 -s 10.0.0.0/24 -j DROP

exit 0
```

Listing the rules with iptables -L I get:

```
Chain INPUT (policy DROP)
target     prot opt source               destination
DROP       all  --  173.194.45.189       anywhere
DROP       all  --  208.92.53.87         anywhere
ACCEPT     tcp  --  10.0.0.0/24          anywhere             ctstate NEW,RELATED,ESTABLISHED tcp dpt:sunrpc
ACCEPT     udp  --  10.0.0.0/24          anywhere             ctstate NEW,RELATED,ESTABLISHED udp dpt:sunrpc
ACCEPT     all  --  anywhere             anywhere
LOG        all  --  127.0.0.0/8          anywhere             LOG level warning
DROP       all  --  127.0.0.0/8          anywhere
ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
LOG        all  --  anywhere             anywhere             state INVALID LOG level warning
DROP       all  --  anywhere             anywhere             state INVALID
ACCEPT     all  --  anywhere             anywhere
LOG        all  --  10.0.0.0/24          anywhere             LOG level warning
DROP       all  --  10.0.0.0/24          anywhere

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
LOG        all  --  127.0.0.0/8          anywhere             LOG level warning
DROP       all  --  127.0.0.0/8          anywhere
ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
ACCEPT     all  --  anywhere             anywhere

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere             state NEW,RELATED,ESTABLISHED
DROP       all  --  anywhere             anywhere             state INVALID
ACCEPT     all  --  anywhere             anywhere
```

The time-based rules are not there. Can anyone see why? Note: the rule below should be active at this time of day:

```sh
iptables -A FORWARD -d 10.0.0.2 -m time --timestart 10:00 --timestop 20:00 --days Sun,Mon,Tue,Wed,Thu,Fri -j DROP
```

For the day-of-week option, use --weekdays instead of --days, like this:

```
arul@cheetah:~$ sudo iptables -A FORWARD -d 10.0.0.2 -m time --timestart 10:00 --timestop 20:00 --weekdays Sun,Mon,Tue,Wed,Thu,Fri -j DROP
arul@cheetah:~$ sudo iptables -L -n -v
Chain INPUT (policy ACCEPT 1 packets, 328 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DROP       all  --  *      *       0.0.0.0/0            10.0.0.2             TIME from 10:00:00 to 20:00:00 on Mon,Tue,Wed,Thu,Fri,Sun UTC

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
```
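An added example, not the poster's rc.local and not the answerer's command: a small sh script that builds the per-host curfew rules from one host table with --weekdays, so the five hand-copied lines in the question cannot drift apart again. The rules in the question never reach the kernel because the time match has no --days option and iptables rejects the whole rule, which is exactly why the listing has no TIME entries. Two points the answer's own output hints at and that a practitioner would want to check: the listing says "UTC", so without --kerneltz the 10:00 to 20:00 window is evaluated in UTC rather than the gateway's local time, and a span whose stop is earlier than its start (20:00 to 10:00) is matched as two separate intervals on each listed day unless --contiguous is given. Both options are assumed to be present in the iptables 1.4.21 that ships with Ubuntu 14.04; confirm with `iptables -m time --help` on the box. The host table is constructed, and IPTABLES defaults to `echo iptables` so the script only prints the rules when run unprivileged.

```shell
#!/bin/sh
# Added example (not the poster's rc.local): generate the LAN curfew rules
# with --weekdays, the option libxt_time actually accepts, from one table.
# IPTABLES defaults to "echo iptables" so the rules can be previewed without
# root; run with IPTABLES=iptables as root to install them.
: "${IPTABLES:=echo iptables}"

# Constructed host table (hypothetical LAN clients): ip start stop
CURFEW_HOSTS='10.0.0.74 20:00 10:00
10.0.0.228 20:00 10:00
10.0.0.2 10:00 20:00'
CURFEW_DAYS='Sun,Mon,Tue,Wed,Thu,Fri'
# The time match evaluates times in UTC unless --kerneltz is given (the
# answer's listing shows "UTC"); set CURFEW_TZ='' to keep UTC.
CURFEW_TZ='--kerneltz'

# Accept only the day names the time match understands.
valid_weekdays() {
    [ -n "$1" ] || return 1
    for _d in $(printf '%s' "$1" | tr ',' ' '); do
        case $_d in
            Mon|Tue|Wed|Thu|Fri|Sat|Sun) ;;
            *) return 1 ;;
        esac
    done
}

# Print the rule spec (everything after "-A") for one host. A span whose
# stop is earlier than its start is treated as two intervals on each listed
# day unless --contiguous is given, so add it for overnight spans.
curfew_rule() {
    _ip=$1 _start=$2 _stop=$3 _days=$4
    valid_weekdays "$_days" || { echo "bad weekday list: $_days" >&2; return 1; }
    _extra=''
    if [ "$(printf '%s' "$_start" | tr -d :)" -gt "$(printf '%s' "$_stop" | tr -d :)" ]; then
        _extra=' --contiguous'
    fi
    printf 'FORWARD -d %s -m time --timestart %s --timestop %s --weekdays %s%s%s -j DROP\n' \
        "$_ip" "$_start" "$_stop" "$_days" "$_extra" "${CURFEW_TZ:+ $CURFEW_TZ}"
}

# Emit (or apply) one rule per host in the table; stop on the first bad row
# instead of silently installing a partial policy.
apply_curfew() {
    while read -r _ip _start _stop; do
        [ -n "$_ip" ] || continue
        _spec=$(curfew_rule "$_ip" "$_start" "$_stop" "$CURFEW_DAYS") || return 1
        # word-splitting of the spec into separate arguments is intended
        $IPTABLES -A $_spec
    done <<EOF
$CURFEW_HOSTS
EOF
}

apply_curfew
```

Append these rules before the `-A FORWARD -i eth1 -j ACCEPT` line, as the question's script already does, or the unconditional accept will match first; after installing them, `iptables -L FORWARD -n -v` should show a TIME entry per host, and the packet counters tell you whether the window is actually being hit.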