I am using FireHOL on my PPP gateway and am looking for a way to allow outbound internet traffic only from whitelisted client LAN IPs.
I have tried the commented-out line, but that blocks all clients.
# Traffic to and from the gateway itself on the LAN side
interface4 "${lan_interface}" lan
    policy accept

# Traffic to and from the gateway itself on the PPP uplink
interface4 "${ppp_interface}" internet
    protection strong
    policy reject
    ### client all accept src "${LAN_HOSTS_WHITELIST}"
    client all accept
    server http accept
    server https accept
    server ssh accept src "${SSH_ACCESS}"
    server ping accept src "${ICMP_ACCESS}"
    server ident reject with tcp-reset

# Forwarded traffic between the LAN and the uplink
router4 lan2internet inface "${lan_interface}" outface "${ppp_interface}"
    masquerade
    route all accept
Answer 1
I solved this by moving the whitelisted hosts to the route:
# Traffic to and from the gateway itself on the LAN side
interface4 "${lan_interface}" lan
    policy accept

# Traffic to and from the gateway itself on the PPP uplink
interface4 "${ppp_interface}" internet
    protection strong
    policy reject
    client all accept
    server http accept
    server https accept
    server ssh accept src "${SSH_ACCESS}"
    server ping accept src "${ICMP_ACCESS}"
    server ident reject with tcp-reset

# Forwarded traffic between the LAN and the uplink; the whitelist lives here
router4 lan2internet inface "${lan_interface}" outface "${ppp_interface}"
    masquerade
    route all accept src "${LAN_HOSTS_WHITELIST}"
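The reason the answer works is the split FireHOL makes between the two kinds of definition: an `interface` governs only traffic that terminates on or originates from the firewall host itself, while a `router` governs traffic forwarded between two interfaces. A `client all accept src "${LAN_HOSTS_WHITELIST}"` inside the `internet` interface therefore restricts the gateway's own outgoing connections to sources in that list, which the gateway's PPP address never is, and leaves forwarded client traffic untouched. The filter has to sit in the router. The following is an added example, not code from the question or the answer, showing a complete configuration built on that idea. The interface names, addresses and variable values are assumed for illustration; the only deliberate change from the answer is that it uses `server` instead of `route` in the router, so that only requests entering on the LAN interface are matched, and adds an explicit logged drop for non-whitelisted LAN sources.

```firehol
# Added example configuration (not from the original post).
# Interface names and address values below are assumed.
version 6

lan_interface="eth0"                              # assumed: LAN-facing NIC
ppp_interface="ppp0"                              # assumed: PPP uplink
LAN_HOSTS_WHITELIST="192.168.1.10 192.168.1.20"   # assumed: LAN clients allowed out
SSH_ACCESS="192.168.1.0/24"                       # assumed: who may SSH to the gateway
ICMP_ACCESS="192.168.1.0/24"                      # assumed: who may ping the gateway

# Traffic to and from the gateway itself on the LAN side.
interface4 "${lan_interface}" lan
    policy accept

# Traffic to and from the gateway itself on the PPP uplink.
# "client" rules here cover connections the gateway originates
# (DNS lookups, package updates), not forwarded LAN traffic,
# so the LAN whitelist does not belong on them.
interface4 "${ppp_interface}" internet
    protection strong
    policy reject
    client all accept
    server http accept
    server https accept
    server ssh accept src "${SSH_ACCESS}"
    server ping accept src "${ICMP_ACCESS}"
    server ident reject with tcp-reset

# Forwarded traffic between the LAN and the uplink.
# "server" matches requests entering on inface and leaving on outface
# (LAN -> Internet); "route" would also match requests in the reverse
# direction. Only whitelisted LAN sources are masqueraded and forwarded;
# every other LAN source is dropped and logged so misconfigured or
# unauthorised hosts show up in the firewall log instead of silently failing.
router4 lan2internet inface "${lan_interface}" outface "${ppp_interface}"
    masquerade
    server all accept src "${LAN_HOSTS_WHITELIST}"
    server all drop log "lan2internet: source not whitelisted"
```

Activate it with `firehol try` rather than `firehol start` so that a mistake in the whitelist that cuts off your own SSH session is rolled back automatically when you cannot confirm the change, then test from a whitelisted and a non-whitelisted LAN host and watch the log for the `lan2internet` prefix.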