IPTables (FireHOL) rules to allow only whitelisted client IPs outbound to the PPP interface

I am using FireHOL on my PPP gateway and am looking for a way to allow outbound internet traffic only for whitelisted client LAN IPs.

I have tried the commented-out line, but that blocks all clients.

# LAN side of the gateway itself
interface4 "${lan_interface}" lan
    policy accept

# PPP (internet) side of the gateway itself
interface4 "${ppp_interface}" internet
    protection strong

    policy reject
    ### client all accept src "${LAN_HOSTS_WHITELIST}"
    client all accept

    server http accept
    server https accept
    server ssh accept src "${SSH_ACCESS}"
    server ping accept src "${ICMP_ACCESS}"
    server ident reject with tcp-reset

# Traffic forwarded from the LAN to the PPP link
router4 lan2internet inface "${lan_interface}" outface "${ppp_interface}"
    masquerade
    route all accept

Answer 1

I solved this by moving the whitelisted hosts to the router:

# LAN side of the gateway itself
interface4 "${lan_interface}" lan
    policy accept

# PPP (internet) side of the gateway itself
interface4 "${ppp_interface}" internet
    protection strong

    policy reject
    client all accept

    server http accept
    server https accept
    server ssh accept src "${SSH_ACCESS}"
    server ping accept src "${ICMP_ACCESS}"
    server ident reject with tcp-reset

# Forwarded LAN-to-PPP traffic: the source whitelist is applied here
router4 lan2internet inface "${lan_interface}" outface "${ppp_interface}"
    masquerade
    route all accept src "${LAN_HOSTS_WHITELIST}"
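The reason the answer works is that FireHOL `interface` rules only cover packets the gateway itself sends or receives (the INPUT and OUTPUT chains), while `router` rules cover packets passing through it (the FORWARD chain). LAN clients reaching the internet are forwarded traffic, so a `src` restriction on a `client` line under the PPP interface never sees them; the restriction has to sit on the `route` line. The following complete `/etc/firehol/firehol.conf` is an added example, not code from the original question or answer: the interface names, the whitelist and the admin ranges are placeholder values chosen for illustration.

```firehol
# Added example, not from the original post. All variable values below are
# assumed placeholders; replace them with your own interfaces and addresses.
version 6

lan_interface="eth0"                              # assumed LAN NIC
ppp_interface="ppp0"                              # assumed PPP (WAN) link
LAN_HOSTS_WHITELIST="192.168.1.10 192.168.1.11"   # assumed hosts allowed out
SSH_ACCESS="203.0.113.0/24"                       # assumed admin range
ICMP_ACCESS="203.0.113.0/24"                      # assumed ping source range

# Packets to/from the gateway itself on the LAN side.
interface4 "${lan_interface}" lan
    policy accept

# Packets to/from the gateway itself on the PPP side. These rules match
# only the gateway's own traffic (INPUT/OUTPUT), never forwarded LAN
# traffic, so a "src" whitelist on a client line here cannot restrict
# which LAN hosts may reach the internet.
interface4 "${ppp_interface}" internet
    protection strong
    policy reject
    client all accept
    server http accept
    server https accept
    server ssh accept src "${SSH_ACCESS}"
    server ping accept src "${ICMP_ACCESS}"
    server ident reject with tcp-reset

# Forwarded traffic (FORWARD chain). The whitelist belongs here: only
# packets whose source is listed are accepted (and then masqueraded on
# the way out); forwarded packets from any other LAN host match nothing
# and fall through to FireHOL's default drop for unmatched packets.
router4 lan2internet inface "${lan_interface}" outface "${ppp_interface}"
    masquerade
    route all accept src "${LAN_HOSTS_WHITELIST}"
```

Load it with `firehol try` rather than `firehol start` so that a mistake that locks you out of SSH is rolled back automatically if you do not confirm within the timeout. To check the result, run `iptables -nvL FORWARD` and confirm that the accept rules created for the `lan2internet` router carry `${LAN_HOSTS_WHITELIST}` as their source match, then test from a LAN host that is not on the list: its connections should time out while a whitelisted host gets through.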
