Isolating interfaces with IPTABLES

I am using the following setup on my Linux machine:

There are two bridges in the system, with the following interfaces:

bridge_default -

  1. LAN
  2. WAN

bridge_1 -

  1. WLAN1

I want to isolate the interfaces so that messages arriving from interface WLAN1 cannot reach the LAN interface (on bridge_default), only the WAN interface.

To that end, I have written the following rules:

Chain DEFAULT_FORWARD (1 references)
pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  wlan1 wan  0.0.0.0/0            0.0.0.0/0
    0     0 DROP       all  --  bridge_default wlan1  0.0.0.0/0            0.0.0.0/0

Chain DEFAULT_INPUT (1 references)
pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  wlan1 wan  0.0.0.0/0            0.0.0.0/0
    0     0 DROP       all  --  bridge_default wlan1  0.0.0.0/0            0.0.0.0/0

Chain DEFAULT_OUTPUT (1 references)
pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  wlan1 wan  0.0.0.0/0            0.0.0.0/0
    0     0 DROP       all  --  bridge_default wlan1  0.0.0.0/0            0.0.0.0/0

However, when I actually test this configuration, I notice that the behaviour is not as expected. More specifically, the log shows that the message arrives from bridge_1 rather than from interface WLAN1:

IN=bridge_1 OUT= PHYSIN=wlan1 MAC=00:e0:92:00:01:51:e8:2a:ea:18:60:7d:08:00 SRC=192.168.2.101 DST=192.168.1.1 LEN=60 TOS=0x00 PREC=0x00 TTL=128 ID=21154 PROTO=ICMP TYPE=8 CODE=0 ID=6 SEQ=6891

EDIT

The output of the iptables-save command is as follows:

-A DEFAULT_FORWARD -i wlan1 -o wan -j ACCEPT
-A DEFAULT_FORWARD -i bridge_default -o wlan1 -j DROP
-A DEFAULT_INPUT -i wlan1 -o wan -j ACCEPT
-A DEFAULT_INPUT -i bridge_default -o wlan1 -j DROP
-A DEFAULT_OUTPUT -i wlan1 -o wan -j ACCEPT
-A DEFAULT_OUTPUT -i bridge_default -o wlan1 -j DROP

List of available NICs:

root@ugwcpe:~# ip link show
1: lo: <LOOPBACK,UP,LOWER_UP,80000> mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT group default
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
8: eth0_1: <NO-CARRIER,BROADCAST,MULTICAST,UP,80000> mtu 1500 qdisc pfifo_fast master default_bridge state DOWN mode DEFAULT group default qlen 1000
    link/ether 00:e0:92:00:01:40 brd ff:ff:ff:ff:ff:ff
9: eth0_2: <NO-CARRIER,BROADCAST,MULTICAST,UP,80000> mtu 1500 qdisc pfifo_fast master default_bridge state DOWN mode DEFAULT group default qlen 1000
    link/ether 00:e0:92:00:01:41 brd ff:ff:ff:ff:ff:ff
10: eth0_3: <NO-CARRIER,BROADCAST,MULTICAST,UP,80000> mtu 1500 qdisc pfifo_fast master default_bridge state DOWN mode DEFAULT group default qlen 1000
    link/ether 00:e0:92:00:01:42 brd ff:ff:ff:ff:ff:ff
11: eth0_4: <NO-CARRIER,BROADCAST,MULTICAST,UP,80000> mtu 1500 qdisc pfifo_fast master default_bridge state DOWN mode DEFAULT group default qlen 1000
    link/ether 00:e0:92:00:01:43 brd ff:ff:ff:ff:ff:ff
12: eth1: <NO-CARRIER,BROADCAST,MULTICAST,UP,80000> mtu 1500 qdisc pfifo_fast state DOWN mode DEFAULT group default qlen 1000
    link/ether 00:e0:92:00:01:44 brd ff:ff:ff:ff:ff:ff
15: default_bridge: <BROADCAST,MULTICAST,UP,LOWER_UP,80000> mtu 1500 qdisc noqueue state UP mode DEFAULT group default
    link/ether 00:e0:92:00:01:40 brd ff:ff:ff:ff:ff:ff
16: wan@eth1: <NO-CARRIER,BROADCAST,MULTICAST,UP,80000> mtu 1500 qdisc noqueue state LOWERLAYERDOWN mode DEFAULT group default
    link/ether 00:e0:92:00:01:45 brd ff:ff:ff:ff:ff:ff
17: rtlog0: <BROADCAST,MULTICAST,UP,LOWER_UP,80000> mtu 1500 qdisc pfifo_fast master default_bridge state UNKNOWN mode DEFAULT group default qlen 1000
    link/ether 00:e0:92:00:01:40 brd ff:ff:ff:ff:ff:ff
18: wlan0: <BROADCAST,MULTICAST,UP,LOWER_UP,80000> mtu 1500 qdisc pfifo_fast master default_bridge state UP mode DEFAULT group default qlen 1000
    link/ether 00:e0:92:00:01:50 brd ff:ff:ff:ff:ff:ff
25: wlan1: <BROADCAST,MULTICAST,UP,LOWER_UP,80000> mtu 1500 qdisc pfifo_fast master default_bridge state UNKNOWN mode DEFAULT group default qlen 1000
    link/ether 00:e0:92:00:01:51 brd ff:ff:ff:ff:ff:ff
26: wlan0.1: <BROADCAST,MULTICAST,UP,LOWER_UP,80000> mtu 1500 qdisc pfifo_fast master default_bridge state UNKNOWN mode DEFAULT group default qlen 1000
    link/ether 00:e0:92:00:01:52 brd ff:ff:ff:ff:ff:ff

Default forward rules:

-A DEFAULT_FORWARD -i bridge1 -o wan -j ACCEPT
-A DEFAULT_FORWARD -i wan -o bridge1 -j ACCEPT
-A DEFAULT_FORWARD -i default_bridge -o bridge1 -j DROP
-A DEFAULT_FORWARD -i bridge1 -o default_bridge -j DROP
-A DEFAULT_FORWARD -i bridge1 -o wan -j ACCEPT
-A DEFAULT_FORWARD -i wan -o bridge1 -j ACCEPT
-A DEFAULT_FORWARD -o bridge1 -j DROP
-A DEFAULT_FORWARD -i bridge1 -j DROP
-A DEFAULT_FORWARD -i wlan -o wan -j ACCEPT
-A DEFAULT_FORWARD -i wan -o wlan -j ACCEPT
-A DEFAULT_FORWARD -o wlan -j DROP
-A DEFAULT_FORWARD -i wlan -j DROP

Can someone help me and point out what I am doing wrong?

Thanks everyone!

Answer 1

You are not blocking messages from wlan1 from passing to lan.

I'm a bit confused by the NICs.

Try this:

-A DEFAULT_FORWARD -i wlan1 -o wan -j ACCEPT
-A DEFAULT_FORWARD -i bridge_default -o wlan1 -j DROP
############# ADDED #################################
-A DEFAULT_FORWARD -i wlan1 -o bridge_default -j DROP
#####################################################
-A DEFAULT_INPUT -i wlan1 -o wan -j ACCEPT
-A DEFAULT_INPUT -i bridge_default -o wlan1 -j DROP
-A DEFAULT_OUTPUT -i wlan1 -o wan -j ACCEPT
-A DEFAULT_OUTPUT -i bridge_default -o wlan1 -j DROP

If it does not match the first rule you added, -i wlan1 -o wan -j ACCEPT, no packet will be passed to bridge_default.

Answer 2

The problem described here is caused by iptables only being applied after the Linux stack; it can be solved in one of the following ways:

  1. Use ebtables instead of iptables -

Since ebtables applies its rules at the Ethernet layer, we can apply the rules on the actual interface, instead of, as described here, the packet being modified when it reaches the Linux bridge so that the IN value becomes the bridge.

  2. Use bridge_1 instead of the interface -

If the same rules from the table above are applied to the bridge instead of the interface, the problem does not occur and the rules work properly.
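Added example, not from the question or from either answer, covering both the log line in the question and the two fixes proposed in Answer 2: a small POSIX shell script that reads the netfilter LOG line, shows why a rule written as -i wlan1 could never match it, and then emits the rule variants discussed (iptables with the physdev match, iptables keyed on the bridge device as Answer 2 suggests, and ebtables on the port). The log line already tells the story: once a frame has been accepted by a bridge, iptables sees IN=bridge_1 and keeps the port only as PHYSIN=wlan1, so -i wlan1 compares against the wrong field, while -m physdev --physdev-in wlan1 compares against PHYSIN. OUT= is empty, so this particular packet (a ping to 192.168.1.1) was on the INPUT path, where the FORWARD rules are not consulted and a -o wan match can never be true; the -o wan in DEFAULT_INPUT and the -i wlan1 in DEFAULT_OUTPUT in the question are dead for the same reason. The physdev match needs br_netfilter (the presence of PHYSIN= in the log shows it is already active on this box). Interface names (wlan1, bridge_1, bridge_default, wan) are taken from the question text and are assumptions for any other machine; note that the ip link output in the question lists no bridge_1 and shows wlan1 with master default_bridge, so check `bridge link show` before applying anything. The embedded log line is a copy of the one in the question with the broken SRC token repaired.

```shell
#!/bin/sh
# Added example (not from the question or the answers). Interface names are the
# ones used in the question and are assumptions for any other box.

# Constructed copy of the netfilter LOG line from the question ("S RC" repaired).
SAMPLE_LOG='IN=bridge_1 OUT= PHYSIN=wlan1 MAC=00:e0:92:00:01:51:e8:2a:ea:18:60:7d:08:00 SRC=192.168.2.101 DST=192.168.1.1 LEN=60 TOS=0x00 PREC=0x00 TTL=128 ID=21154 PROTO=ICMP TYPE=8 CODE=0 ID=6 SEQ=6891'

# nf_field LINE KEY: print the value of the first KEY=value token in a LOG line.
# Runs in a subshell so "set -f" (no globbing while word-splitting) stays local.
nf_field() (
    set -f
    for tok in $1; do
        case "$tok" in
            "$2"=*) printf '%s\n' "${tok#*=}"; exit 0 ;;
        esac
    done
    exit 1
)

# rule_matches LINE MATCH IFACE: would an iptables interface match hit this packet?
#   -i / -o compare against IN= / OUT=, which for a bridged frame is the bridge
#   device; -m physdev --physdev-in / --physdev-out compare against PHYSIN= /
#   PHYSOUT=, the bridge port the frame actually came from / goes to.
rule_matches() {
    case "$2" in
        i)           _key=IN ;;
        o)           _key=OUT ;;
        physdev-in)  _key=PHYSIN ;;
        physdev-out) _key=PHYSOUT ;;
        *) printf 'unknown match type: %s\n' "$2" >&2; return 2 ;;
    esac
    [ "$(nf_field "$1" "$_key")" = "$3" ]
}

# diagnose LINE PORT: explain why "-i PORT" did not fire on the logged packet.
diagnose() {
    printf 'IN=%s PHYSIN=%s OUT=%s\n' \
        "$(nf_field "$1" IN)" "$(nf_field "$1" PHYSIN)" "$(nf_field "$1" OUT)"
    if rule_matches "$1" i "$2"; then
        echo "'-i $2' matches"
    else
        echo "'-i $2' does not match: IN is the bridge, the port is only in PHYSIN"
    fi
    if rule_matches "$1" physdev-in "$2"; then
        echo "'-m physdev --physdev-in $2' matches"
    fi
    if [ -z "$(nf_field "$1" OUT)" ]; then
        echo "OUT is empty: packet is addressed to the router itself (INPUT hook);" \
             "FORWARD rules are not consulted and '-o wan' can never be true here"
    fi
}

# isolation_rules PORT GUEST_BRIDGE LAN_BRIDGE WAN: emit the rules that let the
# guest port reach only the uplink. Three ways, all keyed on what netfilter
# actually sees for this packet.
isolation_rules() {
    cat <<EOF
# (a) iptables keyed on the bridge port (PHYSIN). Needs br_netfilter:
#     modprobe br_netfilter; sysctl -w net.bridge.bridge-nf-call-iptables=1
#     (the PHYSIN= field in the log shows it is already active on this box)
iptables -A FORWARD -m physdev --physdev-in $1 -o $4 -j ACCEPT
iptables -A FORWARD -m physdev --physdev-in $1 -o $3 -j DROP
iptables -A INPUT -m physdev --physdev-in $1 -j DROP
# (b) the same policy keyed on the bridge device, which is what IN= carries
#     (if the router serves DHCP/DNS to $2, accept those before the INPUT DROP)
iptables -A FORWARD -i $2 -o $4 -j ACCEPT
iptables -A FORWARD -i $2 -o $3 -j DROP
iptables -A INPUT -i $2 -j DROP
# (c) ebtables sees the port itself: no layer-2 forwarding from $1 to any other
#     port of its bridge; routed traffic towards $4 is not affected by this rule
ebtables -A FORWARD -i $1 -j DROP
EOF
}

# Stand-alone run: diagnose the logged packet, then print the rule set.
diagnose "$SAMPLE_LOG" wlan1
isolation_rules wlan1 bridge_1 bridge_default wan
```

Run it as `sh isolate.sh`; the first block of output names the fields the logged packet carried and which matches would fire, the second is a rule set you can review and paste (or pipe into sh as root once the names are verified). Variants (a) and (b) also need the router's own services for the guest network, such as DHCP and DNS, accepted before the INPUT DROP if the guest side relies on them.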
