我有一个 Model 3 Raspberry Pi,将 Raspbian Linux 8.0 设置为 VPN 路由器。它具有以下网络接口:
- eth0 - 配置为有线互联网上行链路(当前未使用)
- wlan0 - 无线互联网上行链路(活动)
- eth1(子网 192.168.5.0/24)- 有线客户端 LAN(适用于我的 PC)
- wlan1(子网 192.168.4.0/24)- 客户端 WLAN(适用于我的手机)
- tun0、tun1 - VPN 接口
一切都按照我想要的方式工作(客户端连接通过 VPN),除了一件事:它似乎是在 eth1 和 wlan1 之间路由,这是我不想要的。我不希望 wlan1 上的客户端计算机能够连接到 eth1 上的计算机,但它们可以。我也不希望客户端 WLAN 上的机器能够 SSH 到 Pi,只有通过以太网连接的机器,但目前它们可以。我已将 SSH 设置为仅在 192.168.5.1 上侦听(不在 192.168.4.1 上侦听),但如果我连接到客户端 WLAN,我仍然可以通过 SSH 访问 192.168.5.1。
当然,我启用了 IP 转发,因为我希望它在 wlan1 和 tun0/tun1 之间以及 eth1 和 tun0/tun1 之间路由。
这是我的 iptables 规则:
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A FORWARD -s 192.168.4.0/24 -i wlan1 -o eth0 -m conntrack --ctstate NEW -m comment --comment "Block traffic from wlan1 (client WiFi) to eth0 (wired uplink)" -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -s 192.168.4.0/24 -i wlan1 -o wlan0 -m conntrack --ctstate NEW -m comment --comment "Block traffic from wlan1 (client WiFi) to wlan0 (WiFi uplink)" -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -s 192.168.4.0/24 -i wlan1 -o tun0 -m conntrack --ctstate NEW -m comment --comment "Allow traffic from wlan1 (client WiFi) to tun0 (VPN)" -j ACCEPT
-A FORWARD -s 192.168.4.0/24 -i wlan1 -o tun1 -m conntrack --ctstate NEW -m comment --comment "Allow traffic from wlan1 (client WiFi) to tun1 (VPN)" -j ACCEPT
-A FORWARD -s 192.168.5.0/24 -i eth1 -o eth0 -m conntrack --ctstate NEW -m comment --comment "Block traffic from eth1 (client LAN) to eth0 (wired uplink)" -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -s 192.168.5.0/24 -i eth1 -o wlan0 -m conntrack --ctstate NEW -m comment --comment "Block traffic from eth1 (client LAN) to wlan0 (WiFi uplink)" -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -s 192.168.5.0/24 -i eth1 -o tun0 -m conntrack --ctstate NEW -m comment --comment "Allow traffic from eth1 (client LAN) to tun0 (VPN)" -j ACCEPT
-A FORWARD -s 192.168.5.0/24 -i eth1 -o tun1 -m conntrack --ctstate NEW -m comment --comment "Allow traffic from eth1 (client LAN) to tun1 (VPN)" -j ACCEPT
-A FORWARD -s 192.168.4.0/24 -i wlan1 -o eth1 -m conntrack --ctstate NEW -m comment --comment "Block traffic from wlan1 (client WiFi) to eth1 (client LAN)" -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -s 192.168.4.0/24 -d 192.168.5.0/24 -m conntrack --ctstate NEW -m comment --comment "Block traffic from client WiFi range to client LAN range" -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -s 192.168.5.0/24 -i eth1 -o wlan1 -m conntrack --ctstate NEW -m comment --comment "Block traffic from eth1 (client LAN) to wlan1 (client WiFi)" -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -s 192.168.5.0/24 -d 192.168.4.0/24 -m conntrack --ctstate NEW -m comment --comment "Block traffic from client LAN range to client WiFi range" -j REJECT --reject-with icmp-port-unreachable
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o eth0 -m comment --comment "Use VPN IP for eth0" -j MASQUERADE
-A POSTROUTING -o wlan0 -m comment --comment "Use VPN IP for wlan0" -j MASQUERADE
-A POSTROUTING -o tun0 -m comment --comment "Use VPN IP for tun0" -j MASQUERADE
-A POSTROUTING -o tun1 -m comment --comment "Use VPN IP for tun1" -j MASQUERADE
COMMIT
答案1
阻止 SSH 访问wlan1:
iptables -A INPUT -i wlan1 -p tcp --dport 22 -j REJECT --reject-with icmp-port-unreachable
一般性评论:我看不出使用的意义
-s 192.168.4.0/24 -i wlan1 -o eth1
代替
-i wlan1 -o eth1
我想,因为您想阻止所有数据包,而不仅仅是那些具有有效源地址的数据包。