阻止到 LAN 的流量但允许到 Internet 的流量(iptables)

阻止到 LAN 的流量但允许到 Internet 的流量(iptables)

我正在家庭网络上设置一个 CentOS 服务器,大约有十几个人将使用该服务器进行教育目的 - 例如学习如何使用 Linux shell 和托管网站等。我的路由器上有端口 22 和端口 80,因此他们将能够通过互联网上的 SSH 登录。

由于我无法完全信任这些用户,因此我目前正尝试尽可能地锁定服务器(检查权限、阻止种子等)。由于我不希望人们通过服务器探测我网络上的其余计算机,因此我想阻止到本地局域网上的计算机的流量,同时仍允许到互联网的流量。

我对 iptables 不是很熟悉,但我尝试设置了一些 iptables 规则 - 它首先允许到 192.168.1.1(路由器)和 192.168.1.2(我用来配置服务器的计算机)的流量,然后阻止到 192.168.1.0/24 的流量并记录此类流量。其余流量应该被允许。但是,问题是服务器无法连接到互联网。

这是我当前的 iptables 配置:

Chain OUTPUT (policy ACCEPT)
num  target     prot opt source               destination
1    ACCEPT     all  --  0.0.0.0/0            192.168.1.2
2    ACCEPT     all  --  0.0.0.0/0            192.168.1.1
3    LOGGING    all  --  0.0.0.0/0            0.0.0.0/0
4    DROP       all  --  0.0.0.0/0            192.168.1.0/24
5    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0

Chain LOGGING (1 references)
num  target     prot opt source               destination
1    LOG        all  --  0.0.0.0/0            0.0.0.0/0           limit: avg 10/min burst 5 LOG flags 0 level 7 prefix `DROP: '
2    DROP       all  --  0.0.0.0/0            0.0.0.0/0

ping 允许的 IP(192.168.1.1 和 192.168.1.2)可以工作(好),但 ping Google 不工作(坏):

[root@server ~]# ping 8.8.8.8
PING 8.8.8.8 (8.8.8.8) 56(84) bytes of data.
ping: sendmsg: Operation not permitted
ping: sendmsg: Operation not permitted
^C
--- 8.8.8.8 ping statistics ---
2 packets transmitted, 0 received, 100% packet loss, time 1950ms

[root@server ~]# ping 192.168.1.2
PING 192.168.1.2 (192.168.1.2) 56(84) bytes of data.
64 bytes from 192.168.1.2: icmp_seq=1 ttl=128 time=0.294 ms
64 bytes from 192.168.1.2: icmp_seq=2 ttl=128 time=0.270 ms

当然,我知道授予他人访问我网络上的服务器的权限需要一定的信任,但我仍然希望尽可能地加强这种信任。如果有人能就我能做的其他事情发表评论,我也会非常感激。

提前致谢!

答案1

好的,我自己解决了这个问题,所以我将回答我自己的问题以供参考。问题是所有流量都经过 LOGGING 链,而 LOGGING 链的第二条规则会丢弃所有流量。我刚刚从 LOGGING 链中删除了规则 2,一切正常。

答案2

我遇到了类似的挑战,我的物联网设备存在多个漏洞,我想将其隔离在我的局域网上,但它通过交换机与其他​​我不想隔离的设备相连。我尝试创建一个单独的链,并在输入链的开头放置对它的引用,用于任何具有物联网设备源或物联网设备目标的东西,然后在新链中,如果源是局域网而目标是物联网,则丢弃,或者如果源是物联网而目标是局域网,则丢弃,但我无法让它丢弃数据包,仍然可以 ping 并访问设备。甚至尝试将我的规则添加到其他几个链的开头,看看是否有区别,但没有运气——有什么想法吗?

b1tphr34k@RT-AC87U-C598:/tmp/home/root# iptables --list
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
TIVOFILTER  all  --  192.168.10.8         anywhere
TIVOFILTER  all  --  anywhere             192.168.10.8
logdrop    icmp --  anywhere             anywhere             icmp echo-request
logaccept  all  --  anywhere             anywhere             state RELATED,ESTABLISHED
logdrop    all  --  anywhere             anywhere             state INVALID
PTCSRVWAN  all  --  anywhere             anywhere
PTCSRVLAN  all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere             state NEW
ACCEPT     all  --  anywhere             anywhere             state NEW
logaccept  udp  --  anywhere             anywhere             udp spt:bootps dpt:bootpc
INPUT_ICMP  icmp --  anywhere             anywhere
logdrop    all  --  anywhere             anywhere

Chain FORWARD (policy DROP)
target     prot opt source               destination
DROP       all  --  192.168.10.8         192.168.10.0/24
DROP       all  --  192.168.10.0/24      192.168.10.8
logaccept  all  --  anywhere             anywhere             state RELATED,ESTABLISHED
logdrop    all  --  anywhere             anywhere
logdrop    all  --  anywhere             anywhere             state INVALID
logaccept  all  --  anywhere             anywhere
SECURITY   all  --  anywhere             anywhere
NSFW       all  --  anywhere             anywhere
logaccept  all  --  anywhere             anywhere             ctstate DNAT
logaccept  all  --  anywhere             anywhere

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
DROP       all  --  192.168.10.0/24      192.168.10.8
DROP       all  --  192.168.10.8         192.168.10.0/24

Chain ACCESS_RESTRICTION (0 references)
target     prot opt source               destination

Chain FUPNP (0 references)
target     prot opt source               destination
ACCEPT     udp  --  anywhere             192.168.10.5         udp dpt:54927
ACCEPT     tcp  --  anywhere             192.168.10.7         tcp dpt:32400

Chain INPUT_ICMP (1 references)
target     prot opt source               destination
RETURN     icmp --  anywhere             anywhere             icmp echo-request
RETURN     icmp --  anywhere             anywhere             icmp timestamp-request
logaccept  icmp --  anywhere             anywhere

Chain NSFW (1 references)
target     prot opt source               destination
logdrop    udp  --  anywhere             anywhere             udp spt:https
logdrop    udp  --  anywhere             anywhere             udp dpt:https
logdrop    udp  --  anywhere             anywhere             udp spt:www
logdrop    udp  --  anywhere             anywhere             udp dpt:www
logdrop    icmp --  anywhere             anywhere             icmp timestamp-request
logdrop    icmp --  anywhere             anywhere             icmp timestamp-reply
RETURN     all  --  anywhere             anywhere

Chain PControls (0 references)
target     prot opt source               destination
logaccept  all  --  anywhere             anywhere

Chain PTCSRVLAN (1 references)
target     prot opt source               destination

Chain PTCSRVWAN (1 references)
target     prot opt source               destination

Chain SECURITY (1 references)
target     prot opt source               destination
RETURN     tcp  --  anywhere             anywhere             tcpflags: FIN,SYN,RST,ACK/SYN limit: avg 1/sec burst 5
logdrop    tcp  --  anywhere             anywhere             tcpflags: FIN,SYN,RST,ACK/SYN
RETURN     tcp  --  anywhere             anywhere             tcpflags: FIN,SYN,RST,ACK/RST limit: avg 1/sec burst 5
logdrop    tcp  --  anywhere             anywhere             tcpflags: FIN,SYN,RST,ACK/RST
RETURN     icmp --  anywhere             anywhere             icmp echo-request limit: avg 1/sec burst 5
logdrop    icmp --  anywhere             anywhere             icmp echo-request
RETURN     all  --  anywhere             anywhere

Chain TIVOFILTER (2 references)
target     prot opt source               destination
DROP       all  --  192.168.10.0/24      192.168.10.8
DROP       all  --  192.168.10.8         192.168.10.0/24

Chain logaccept (8 references)
target     prot opt source               destination
LOG        all  --  anywhere             anywhere             state NEW LOG level warning tcp-sequence tcp-options ip-options prefix "ACCEPT "
ACCEPT     all  --  anywhere             anywhere

Chain logdrop (14 references)
target     prot opt source               destination
LOG        all  --  anywhere             anywhere             state NEW LOG level warning tcp-sequence tcp-options ip-options prefix "DROP "
DROP       all  --  anywhere             anywhere

相关内容