iptables: block a client IP from the Internet while keeping LAN access

With networked access and the possibility of hacking growing, I want to block specific IP addresses from reaching the Internet while still allowing LAN access. For example, I use a Logitech Harmony remote to control my stereo, satellite receiver and TV with one button. I can also control them from my iPad over the local network. But I don't want a hacker operating my TV, so I want to use the iptables firewall to block the IP address assigned to the Harmony remote.

Below is the current script I use to set up my iptables configuration. This is on my Fedora 20 box with 2 network cards. Section 6 is where I'm trying to insert the rule. Everything else works as expected. I'm including the whole script in the hope that it helps someone else, even the parts unrelated to my question. After all, every bit of it was built up from knowledge gained through my own searching!


```sh
#!/bin/sh
#
# A script for creating an iptables firewall
#
#
# Start by clearing iptables
#
iptables -F
iptables -t nat -F
iptables -t mangle -F
iptables -X
iptables -t nat -X
iptables -t mangle -X
#
# Define our interfaces, Squid IP, and Squid port
#
WAN="p4p1"
LAN="p4p2"
SQUIDIP="192.168.10.10"
SQUIDPORT="3129"
#
# Create log files to help troubleshooting. (We can comment out when not needed)
#
# iptables -A OUTPUT -j LOG
# iptables -A INPUT -j LOG
# iptables -A FORWARD -j LOG
#
# Now to create the Routing Firewall
#
#
# (1) Create the default policies (DROP)
#
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP
#
# (2) User-defined chain called "okay" for ACCEPTed TCP packets
#
iptables -N okay
iptables -A okay -p tcp --syn -j ACCEPT
iptables -A okay -p tcp -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A okay -p tcp -j DROP
#
# (3) INPUT rules
#
###### (A) Rules for incoming packets from the LAN
iptables -A INPUT -p ALL -i $LAN -s 192.168.10.0/24 -j ACCEPT
iptables -A INPUT -p ALL -i lo -s 127.0.0.1 -j ACCEPT
iptables -A INPUT -p ALL -i lo -s 192.168.10.10 -j ACCEPT
iptables -A INPUT -p ALL -i lo -s 192.168.1.10 -j ACCEPT
iptables -A INPUT -p ALL -i $LAN -d 192.168.10.255 -j ACCEPT
##### (B) Rules for incoming packets from the Internet
###### (i) Packets for established connections
iptables -A INPUT -p ALL -d 192.168.1.10 -m state --state ESTABLISHED,RELATED -j ACCEPT
##### (ii) TCP rules
## Opens the server port to any TCP from the internet
iptables -A INPUT -p tcp -i $WAN -s 0/0 --dport 22 -j okay
##### (iii) UDP rules
## Opens the server port to any UDP from the internet
# iptables -A INPUT -p udp -i $WAN -s 0/0 --dport 53 -j okay
##### (iv) ICMP rules
iptables -A INPUT -p icmp -i $WAN -s 0/0 --icmp-type 8 -j ACCEPT
iptables -A INPUT -p icmp -i $WAN -s 0/0 --icmp-type 11 -j ACCEPT
#
# Creates the router between the 2 ethernet cards to accept the packets we want to forward
#
iptables -A FORWARD -i $LAN -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
#
# (5) OUTPUT rules
# Only output packets with local addresses (no spoofing)
#
iptables -A OUTPUT -p ALL -s 127.0.0.1 -j ACCEPT
iptables -A OUTPUT -p ALL -s 192.168.10.10 -j ACCEPT
iptables -A OUTPUT -p ALL -s 192.168.1.10 -j ACCEPT
#
# (6) OUTPUT rule to allow a client LAN access, but DROP internet access
# I use this to prevent various home appliances from accessing the internet
#
iptables -A OUTPUT -s 192.168.10.110 -j DROP
#
# (7) PREROUTING rules to allow a client to bypass our Squid proxy
# (NetFlix works better when it bypasses the proxy)
iptables -t nat -A PREROUTING -s 192.168.10.204 -j ACCEPT # BluRay player
iptables -t nat -A PREROUTING -s 192.168.10.205 -j ACCEPT # Sony TV
#
# (8) PREROUTING rules for transparent Squid proxy (also requires changes in the squid configuration file)
# (from: http://wiki.squid-cache.org/ConfigExamples/Intercept/LinuxRedirect)
#
iptables -t nat -A PREROUTING -s $SQUIDIP -p tcp --dport 80 -j ACCEPT
iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-port $SQUIDPORT
iptables -t mangle -A PREROUTING -p tcp --dport $SQUIDPORT -j DROP
#
# (9) POSTROUTING chain rules. SNAT is for static IP, MASQUERADE is for dynamic IP
#
iptables -t nat -A POSTROUTING -o $WAN -j SNAT --to-source 192.168.1.10
# iptables -t nat -A POSTROUTING -o $WAN -j MASQUERADE
#
# Last, but not least, save the new configuration in /etc/sysconfig/iptables
#
service iptables save
#
# EOF
#
```

This won't work:

```sh
#
# (6) OUTPUT rule to allow a client LAN access, but DROP internet access
# I use this to prevent various home appliances from accessing the internet
#
iptables -A OUTPUT -s 192.168.10.110 -j DROP
```

The reason it doesn't work is that the OUTPUT chain only filters traffic originating from the router itself, not traffic passing through it. You want to apply the rule to the FORWARD chain, like this:

```sh
iptables -A FORWARD -s 192.168.10.110 -j DROP
```

However, since the IP address assigned to the device may change with DHCP, I'd suggest filtering by MAC address instead.

Something like:

```sh
# The filter table has no PREROUTING chain, so the rule must name a table that does (mangle here)
/sbin/iptables -t mangle -A PREROUTING -i $LAN -m mac --mac-source ff:ff:ff:ff:ff:ff -j DROP
```

where ff:ff:ff:ff:ff:ff is the MAC address of the Harmony remote or other device you want to filter.

Note: as pointed out in the comments, MAC addresses only operate at Layer 2. The examples I've seen suggest the above should work, though, as the filter is applied on the LAN interface. Test it and let me know whether it works as expected.

I'd also like to add, regarding this part:

```sh
#
# Creates the router between the 2 ethernet cards to accept the packets we want to forward
#
iptables -A FORWARD -i $LAN -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
```

No, it doesn't create a router between the 2 Ethernet cards. Routing is done by the kernel automatically once IP forwarding is turned on.

What the iptables rules above say is: ACCEPT (allow) packets originating from $LAN out of any interface, and keep state for established/related sessions entering the router through the FORWARD chain that do not originate from $LAN, because those would have matched the first rule and stopped there.

Thanks Matt! I figured it would be something easy. So I need to use a FORWARD rule rather than OUTPUT! I don't have to worry about the IP address changing, because this server also provides DHCP and I assign addresses to devices based on MAC address. But I can see how your suggestion would work in another situation.

As for the routing comment... I'm a cut-and-paste programmer. I've been using this part of the script since I copied it from the Red Hat 8 Bible, back in the Red Hat 8 days. Although those comments weren't in the original, I tried to comment it based on my own understanding. The actual comment in the book states:


"FORWARD chain rules - Because the firewall also acts as a router, FORWARD rules are needed to limit what the firewall will pass between the two networks (the Internet and the LAN)"


The comment was my misunderstanding of what I'd read. My apologies. Here is the corrected script with Matt's change to the FORWARD rule. It has also been moved to the top of the FORWARD section, and I've updated the comments to reflect what I actually meant in the original script.

The desired IP can now reach the local network but not the Internet.

```sh
#!/bin/sh
#
# A script for creating an iptables firewall
#
#
# Start by clearing iptables
#
iptables -F
iptables -t nat -F
iptables -t mangle -F
iptables -X
iptables -t nat -X
iptables -t mangle -X
#
# Define our interfaces, Squid IP, and Squid port
#
WAN="p4p1"
LAN="p4p2"
SQUIDIP="192.168.10.10"
SQUIDPORT="3129"
#
# Create log files to help troubleshooting. Comment out when not needed.
#
# iptables -A OUTPUT -j LOG
# iptables -A INPUT -j LOG
# iptables -A FORWARD -j LOG
# Turn on ip forwarding in the kernel with:
# echo 1 > /proc/sys/net/ipv4/ip_forward
# or edit /etc/sysctl.conf and add: "net.ipv4.ip_forward = 1"
#
##### Now to create the Routing Firewall
#
#
# (1) Create the default policies (DROP)
#
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP
#
# (2) User-defined chain called "okay" for ACCEPTed TCP packets
#
iptables -N okay
iptables -A okay -p tcp --syn -j ACCEPT
iptables -A okay -p tcp -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A okay -p tcp -j DROP
#
# (3) INPUT rules
#
###### (A) Rules for incoming packets from the LAN
iptables -A INPUT -p ALL -i $LAN -s 192.168.10.0/24 -j ACCEPT
iptables -A INPUT -p ALL -i lo -s 127.0.0.1 -j ACCEPT
iptables -A INPUT -p ALL -i lo -s 192.168.10.10 -j ACCEPT
iptables -A INPUT -p ALL -i lo -s 192.168.1.10 -j ACCEPT
iptables -A INPUT -p ALL -i $LAN -d 192.168.10.255 -j ACCEPT
##### (B) Rules for incoming packets from the Internet
###### (i) Packets for established connections
iptables -A INPUT -p ALL -d 192.168.1.10 -m state --state ESTABLISHED,RELATED -j ACCEPT
##### (ii) TCP rules
## Opens the server port to any TCP from the internet
iptables -A INPUT -p tcp -i $WAN -s 0/0 --dport 22 -j okay
##### (iii) UDP rules
## Opens the server port to any UDP from the internet
# iptables -A INPUT -p udp -i $WAN -s 0/0 --dport 53 -j okay
##### (iv) ICMP rules
iptables -A INPUT -p icmp -i $WAN -s 0/0 --icmp-type 8 -j ACCEPT
iptables -A INPUT -p icmp -i $WAN -s 0/0 --icmp-type 11 -j ACCEPT
#
# (4) FORWARD rules
#
##### (A) FORWARD rule to allow a client LAN access, but DROP internet access
##### I use this to prevent various home appliances from accessing the internet
#
iptables -A FORWARD -s 192.168.10.110 -j DROP
##### (B) Since this firewall is also a router, limit what packets are forwarded
##### between the 2 ethernet cards
#
iptables -A FORWARD -i $LAN -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
#
# (5) OUTPUT rules
# Only output packets with local addresses (no spoofing)
#
iptables -A OUTPUT -p ALL -s 127.0.0.1 -j ACCEPT
iptables -A OUTPUT -p ALL -s 192.168.10.10 -j ACCEPT
iptables -A OUTPUT -p ALL -s 192.168.1.10 -j ACCEPT
#
# (6) PREROUTING rules to allow a client to bypass our Squid proxy
# (NetFlix works better when it bypasses the proxy)
iptables -t nat -A PREROUTING -s 192.168.10.204 -j ACCEPT # BluRay player
iptables -t nat -A PREROUTING -s 192.168.10.205 -j ACCEPT # Sony TV
#
# (7) PREROUTING rules for transparent Squid proxy
# Also requires changes in the squid configuration file
# (from: http://wiki.squid-cache.org/ConfigExamples/Intercept/LinuxRedirect)
#
iptables -t nat -A PREROUTING -s $SQUIDIP -p tcp --dport 80 -j ACCEPT
iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-port $SQUIDPORT
iptables -t mangle -A PREROUTING -p tcp --dport $SQUIDPORT -j DROP
#
# (8) POSTROUTING chain rules. SNAT is for static IP, MASQUERADE is for dynamic IP
#
iptables -t nat -A POSTROUTING -o $WAN -j SNAT --to-source 192.168.1.10
# iptables -t nat -A POSTROUTING -o $WAN -j MASQUERADE
#
# Last, but not least, save the new configuration in /etc/sysconfig/iptables
#
service iptables save
#
# EOF
#
```
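Two things decide whether the per-device block works: the DROP has to be in FORWARD (not OUTPUT), and it has to sit ahead of the blanket `-A FORWARD -i $LAN -j ACCEPT`, which is why the corrected script moves it to the top of section (4). The audit below is an added example, not code from the question or the answers: a POSIX sh function that reads an iptables-save style dump and reports whether a device's DROP is effective, shadowed, or missing. The three dumps, the device IP and the interface name p4p2 are constructed sample input.

```shell
#!/bin/sh
# Added example (not from the original post): audit whether a per-device DROP in
# FORWARD is effective, i.e. it precedes the blanket "-A FORWARD -i $LAN -j ACCEPT"
# (the first matching rule wins). Input is an iptables-save style dump; the dumps
# below are constructed samples.

# check_forward_order DUMP DEVICE_IP LAN_IF -> 0 effective, 1 shadowed, 2 no DROP in FORWARD
check_forward_order() {
    esc=$(printf '%s' "$2" | sed 's/\./\\./g')   # literal dots in the regex
    drop_pos=$(printf '%s\n' "$1" | grep -n -- "^-A FORWARD -s $esc\(/32\)\{0,1\} .*-j DROP" \
        | head -n1 | cut -d: -f1)
    accept_pos=$(printf '%s\n' "$1" | grep -n -- "^-A FORWARD -i $3 -j ACCEPT" \
        | head -n1 | cut -d: -f1)
    [ -n "$drop_pos" ] || return 2
    [ -n "$accept_pos" ] || return 0
    [ "$drop_pos" -lt "$accept_pos" ] || return 1
    return 0
}

# The question's layout: DROP in OUTPUT, which never sees routed traffic.
ORIGINAL_DUMP='*filter
-A FORWARD -i p4p2 -j ACCEPT
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -s 192.168.10.110/32 -j DROP
COMMIT'
# Moved to FORWARD but appended after the ACCEPT: never reached.
SHADOWED_DUMP='*filter
-A FORWARD -i p4p2 -j ACCEPT
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s 192.168.10.110/32 -j DROP
COMMIT'
# The accepted fix: DROP at the top of the FORWARD section.
FIXED_DUMP='*filter
-A FORWARD -s 192.168.10.110/32 -j DROP
-A FORWARD -i p4p2 -j ACCEPT
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
COMMIT'

report() {
    rc=0; check_forward_order "$1" "$2" "$3" || rc=$?
    case $rc in
        0) echo "$2: DROP precedes the LAN ACCEPT, Internet access is blocked" ;;
        1) echo "$2: DROP is shadowed by the LAN ACCEPT, insert it with -I FORWARD 1" ;;
        *) echo "$2: no FORWARD DROP (an OUTPUT rule does not filter routed traffic)" ;;
    esac
}
report "$ORIGINAL_DUMP" 192.168.10.110 p4p2
report "$SHADOWED_DUMP" 192.168.10.110 p4p2
report "$FIXED_DUMP" 192.168.10.110 p4p2
```

On a live box the same function can be fed `iptables-save -t filter` output instead of the constructed dumps.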