iptables:更改特定网络主机的目的地

tag-icon tag-icon linux router iptables openwrt dd-wrt
iptables:更改特定网络主机的目的地

老实说,我对 iptables 了解不多,但我正面临这个问题,我决心用 iptables 来解决它

事情是这样的,我想将另一个目标 IP 更改为我网络上的一台特定主机,而不是所有主机。

例如:

每次 192.168.1.77 尝试访问某个 ip 1.2.3.4 时,都会将其交换为另一个 ip 5.6.7.8

我想象这可以通过 iptables 来实现,我只是不知道如何做,我认为即使拒绝该流量对我来说也是可行的。

提前致谢

编辑(2017 年 2 月 23 日):

我有一个部分解决方案可以拒绝所需的 IP,但这适用于我网络上的每个人,我只需要在一台设备中阻止它

iptables -I FORWARD --目标 1.2.3.4 -j REJECT

正如@FreedomPride 所要求的:

root@naboo /root # iptables --list
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
delegate_input  all  --  anywhere             anywhere            

Chain FORWARD (policy DROP)
target     prot opt source               destination         
delegate_forward  all  --  anywhere             anywhere            

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         
delegate_output  all  --  anywhere             anywhere            

Chain delegate_forward (1 references)
target     prot opt source               destination         
forwarding_rule  all  --  anywhere             anywhere             /* user chain for forwarding */
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
zone_lan_forward  all  --  anywhere             anywhere            
zone_wan_forward  all  --  anywhere             anywhere            
reject     all  --  anywhere             anywhere            

Chain delegate_input (1 references)
target     prot opt source               destination         
ACCEPT     all  --  anywhere             anywhere            
input_rule  all  --  anywhere             anywhere             /* user chain for input */
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
syn_flood  tcp  --  anywhere             anywhere             tcp flags:FIN,SYN,RST,ACK/SYN
zone_lan_input  all  --  anywhere             anywhere            
zone_wan_input  all  --  anywhere             anywhere            

Chain delegate_output (1 references)
target     prot opt source               destination         
ACCEPT     all  --  anywhere             anywhere            
output_rule  all  --  anywhere             anywhere             /* user chain for output */
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
zone_lan_output  all  --  anywhere             anywhere            
zone_wan_output  all  --  anywhere             anywhere            

Chain forwarding_VPN_rule (1 references)
target     prot opt source               destination         

Chain forwarding_lan_rule (1 references)
target     prot opt source               destination         

Chain forwarding_rule (1 references)
target     prot opt source               destination         

Chain forwarding_wan_rule (1 references)
target     prot opt source               destination         

Chain input_VPN_rule (1 references)
target     prot opt source               destination         

Chain input_lan_rule (1 references)
target     prot opt source               destination         

Chain input_rule (1 references)
target     prot opt source               destination         

Chain input_wan_rule (1 references)
target     prot opt source               destination         

Chain output_VPN_rule (1 references)
target     prot opt source               destination         

Chain output_lan_rule (1 references)
target     prot opt source               destination         

Chain output_rule (1 references)
target     prot opt source               destination         

Chain output_wan_rule (1 references)
target     prot opt source               destination         

Chain reject (3 references)
target     prot opt source               destination         
REJECT     tcp  --  anywhere             anywhere             reject-with tcp-reset
REJECT     all  --  anywhere             anywhere             reject-with icmp-port-unreachable

Chain syn_flood (1 references)
target     prot opt source               destination         
RETURN     tcp  --  anywhere             anywhere             tcp flags:FIN,SYN,RST,ACK/SYN limit: avg 25/sec burst 50
DROP       all  --  anywhere             anywhere            

Chain zone_VPN_dest_ACCEPT (3 references)
target     prot opt source               destination         

Chain zone_VPN_forward (0 references)
target     prot opt source               destination         
forwarding_VPN_rule  all  --  anywhere             anywhere             /* user chain for forwarding */
ACCEPT     all  --  anywhere             anywhere             ctstate DNAT /* Accept port forwards */
zone_VPN_dest_ACCEPT  all  --  anywhere             anywhere            

Chain zone_VPN_input (0 references)
target     prot opt source               destination         
input_VPN_rule  all  --  anywhere             anywhere             /* user chain for input */
ACCEPT     all  --  anywhere             anywhere             ctstate DNAT /* Accept port redirections */
zone_VPN_src_ACCEPT  all  --  anywhere             anywhere            

Chain zone_VPN_output (0 references)
target     prot opt source               destination         
output_VPN_rule  all  --  anywhere             anywhere             /* user chain for output */
zone_VPN_dest_ACCEPT  all  --  anywhere             anywhere            

Chain zone_VPN_src_ACCEPT (1 references)
target     prot opt source               destination         

Chain zone_lan_dest_ACCEPT (4 references)
target     prot opt source               destination         
ACCEPT     all  --  anywhere             anywhere            

Chain zone_lan_forward (1 references)
target     prot opt source               destination         
forwarding_lan_rule  all  --  anywhere             anywhere             /* user chain for forwarding */
zone_wan_dest_ACCEPT  all  --  anywhere             anywhere             /* forwarding lan -> wan */
zone_VPN_dest_ACCEPT  all  --  anywhere             anywhere             /* forwarding lan -> VPN */
ACCEPT     all  --  anywhere             anywhere             ctstate DNAT /* Accept port forwards */
zone_lan_dest_ACCEPT  all  --  anywhere             anywhere            

Chain zone_lan_input (1 references)
target     prot opt source               destination         
input_lan_rule  all  --  anywhere             anywhere             /* user chain for input */
ACCEPT     udp  --  anywhere             anywhere             udp dpts:netbios-ns:netbios-dgm /* Samba 1 */
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:netbios-ssn /* Samba 2 */
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:microsoft-ds /* Samba 3 */
ACCEPT     all  --  anywhere             anywhere             ctstate DNAT /* Accept port redirections */
zone_lan_src_ACCEPT  all  --  anywhere             anywhere            

Chain zone_lan_output (1 references)
target     prot opt source               destination         
output_lan_rule  all  --  anywhere             anywhere             /* user chain for output */
zone_lan_dest_ACCEPT  all  --  anywhere             anywhere            

Chain zone_lan_src_ACCEPT (1 references)
target     prot opt source               destination         
ACCEPT     all  --  anywhere             anywhere            

Chain zone_wan_dest_ACCEPT (2 references)
target     prot opt source               destination         
ACCEPT     all  --  anywhere             anywhere            

Chain zone_wan_dest_REJECT (1 references)
target     prot opt source               destination         
reject     all  --  anywhere             anywhere            

Chain zone_wan_forward (1 references)
target     prot opt source               destination         
forwarding_wan_rule  all  --  anywhere             anywhere             /* user chain for forwarding */
zone_lan_dest_ACCEPT  esp  --  anywhere             anywhere             /* @rule[7] */
zone_lan_dest_ACCEPT  udp  --  anywhere             anywhere             udp dpt:isakmp /* @rule[8] */
ACCEPT     all  --  anywhere             anywhere             ctstate DNAT /* Accept port forwards */
zone_wan_dest_REJECT  all  --  anywhere             anywhere            

Chain zone_wan_input (1 references)
target     prot opt source               destination         
input_wan_rule  all  --  anywhere             anywhere             /* user chain for input */
ACCEPT     udp  --  anywhere             anywhere             udp dpt:bootpc /* Allow-DHCP-Renew */
ACCEPT     icmp --  anywhere             anywhere             icmp echo-request /* Allow-Ping */
ACCEPT     igmp --  anywhere             anywhere             /* Allow-IGMP */
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:https /* HTTPS over WAN */
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:8000 /* LHTTP over WAN */
ACCEPT     all  --  anywhere             anywhere             ctstate DNAT /* Accept port redirections */
zone_wan_src_REJECT  all  --  anywhere             anywhere            

Chain zone_wan_output (1 references)
target     prot opt source               destination         
output_wan_rule  all  --  anywhere             anywhere             /* user chain for output */
zone_wan_dest_ACCEPT  all  --  anywhere             anywhere            

Chain zone_wan_src_REJECT (1 references)
target     prot opt source               destination         
reject     all  --  anywhere             anywhere

答案1

我只是添加了 -s(正如我在一开始所说的:我不太了解 iptables......)

iptables -s 192.168.1.77 -I FORWARD --目标 1.2.3.4 -j REJECT

干杯,

相关内容