老实说,我对 iptables 了解不多,但我正面临这个问题,我决心用 iptables 来解决它
事情是这样的,我想将另一个目标 IP 更改为我网络上的一台特定主机,而不是所有主机。
例如:
每次 192.168.1.77 尝试访问某个 ip 1.2.3.4 时,都会将其交换为另一个 ip 5.6.7.8
我想象这可以通过 iptables 来实现,我只是不知道如何做,我认为即使拒绝该流量对我来说也是可行的。
提前致谢
编辑(2017 年 2 月 23 日):
我有一个部分解决方案可以拒绝所需的 IP,但这适用于我网络上的每个人,我只需要在一台设备中阻止它
iptables -I FORWARD --目标 1.2.3.4 -j REJECT
正如@FreedomPride 所要求的:
root@naboo /root # iptables --list
Chain INPUT (policy ACCEPT)
target prot opt source destination
delegate_input all -- anywhere anywhere
Chain FORWARD (policy DROP)
target prot opt source destination
delegate_forward all -- anywhere anywhere
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
delegate_output all -- anywhere anywhere
Chain delegate_forward (1 references)
target prot opt source destination
forwarding_rule all -- anywhere anywhere /* user chain for forwarding */
ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED
zone_lan_forward all -- anywhere anywhere
zone_wan_forward all -- anywhere anywhere
reject all -- anywhere anywhere
Chain delegate_input (1 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere
input_rule all -- anywhere anywhere /* user chain for input */
ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED
syn_flood tcp -- anywhere anywhere tcp flags:FIN,SYN,RST,ACK/SYN
zone_lan_input all -- anywhere anywhere
zone_wan_input all -- anywhere anywhere
Chain delegate_output (1 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere
output_rule all -- anywhere anywhere /* user chain for output */
ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED
zone_lan_output all -- anywhere anywhere
zone_wan_output all -- anywhere anywhere
Chain forwarding_VPN_rule (1 references)
target prot opt source destination
Chain forwarding_lan_rule (1 references)
target prot opt source destination
Chain forwarding_rule (1 references)
target prot opt source destination
Chain forwarding_wan_rule (1 references)
target prot opt source destination
Chain input_VPN_rule (1 references)
target prot opt source destination
Chain input_lan_rule (1 references)
target prot opt source destination
Chain input_rule (1 references)
target prot opt source destination
Chain input_wan_rule (1 references)
target prot opt source destination
Chain output_VPN_rule (1 references)
target prot opt source destination
Chain output_lan_rule (1 references)
target prot opt source destination
Chain output_rule (1 references)
target prot opt source destination
Chain output_wan_rule (1 references)
target prot opt source destination
Chain reject (3 references)
target prot opt source destination
REJECT tcp -- anywhere anywhere reject-with tcp-reset
REJECT all -- anywhere anywhere reject-with icmp-port-unreachable
Chain syn_flood (1 references)
target prot opt source destination
RETURN tcp -- anywhere anywhere tcp flags:FIN,SYN,RST,ACK/SYN limit: avg 25/sec burst 50
DROP all -- anywhere anywhere
Chain zone_VPN_dest_ACCEPT (3 references)
target prot opt source destination
Chain zone_VPN_forward (0 references)
target prot opt source destination
forwarding_VPN_rule all -- anywhere anywhere /* user chain for forwarding */
ACCEPT all -- anywhere anywhere ctstate DNAT /* Accept port forwards */
zone_VPN_dest_ACCEPT all -- anywhere anywhere
Chain zone_VPN_input (0 references)
target prot opt source destination
input_VPN_rule all -- anywhere anywhere /* user chain for input */
ACCEPT all -- anywhere anywhere ctstate DNAT /* Accept port redirections */
zone_VPN_src_ACCEPT all -- anywhere anywhere
Chain zone_VPN_output (0 references)
target prot opt source destination
output_VPN_rule all -- anywhere anywhere /* user chain for output */
zone_VPN_dest_ACCEPT all -- anywhere anywhere
Chain zone_VPN_src_ACCEPT (1 references)
target prot opt source destination
Chain zone_lan_dest_ACCEPT (4 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere
Chain zone_lan_forward (1 references)
target prot opt source destination
forwarding_lan_rule all -- anywhere anywhere /* user chain for forwarding */
zone_wan_dest_ACCEPT all -- anywhere anywhere /* forwarding lan -> wan */
zone_VPN_dest_ACCEPT all -- anywhere anywhere /* forwarding lan -> VPN */
ACCEPT all -- anywhere anywhere ctstate DNAT /* Accept port forwards */
zone_lan_dest_ACCEPT all -- anywhere anywhere
Chain zone_lan_input (1 references)
target prot opt source destination
input_lan_rule all -- anywhere anywhere /* user chain for input */
ACCEPT udp -- anywhere anywhere udp dpts:netbios-ns:netbios-dgm /* Samba 1 */
ACCEPT tcp -- anywhere anywhere tcp dpt:netbios-ssn /* Samba 2 */
ACCEPT tcp -- anywhere anywhere tcp dpt:microsoft-ds /* Samba 3 */
ACCEPT all -- anywhere anywhere ctstate DNAT /* Accept port redirections */
zone_lan_src_ACCEPT all -- anywhere anywhere
Chain zone_lan_output (1 references)
target prot opt source destination
output_lan_rule all -- anywhere anywhere /* user chain for output */
zone_lan_dest_ACCEPT all -- anywhere anywhere
Chain zone_lan_src_ACCEPT (1 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere
Chain zone_wan_dest_ACCEPT (2 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere
Chain zone_wan_dest_REJECT (1 references)
target prot opt source destination
reject all -- anywhere anywhere
Chain zone_wan_forward (1 references)
target prot opt source destination
forwarding_wan_rule all -- anywhere anywhere /* user chain for forwarding */
zone_lan_dest_ACCEPT esp -- anywhere anywhere /* @rule[7] */
zone_lan_dest_ACCEPT udp -- anywhere anywhere udp dpt:isakmp /* @rule[8] */
ACCEPT all -- anywhere anywhere ctstate DNAT /* Accept port forwards */
zone_wan_dest_REJECT all -- anywhere anywhere
Chain zone_wan_input (1 references)
target prot opt source destination
input_wan_rule all -- anywhere anywhere /* user chain for input */
ACCEPT udp -- anywhere anywhere udp dpt:bootpc /* Allow-DHCP-Renew */
ACCEPT icmp -- anywhere anywhere icmp echo-request /* Allow-Ping */
ACCEPT igmp -- anywhere anywhere /* Allow-IGMP */
ACCEPT tcp -- anywhere anywhere tcp dpt:https /* HTTPS over WAN */
ACCEPT tcp -- anywhere anywhere tcp dpt:8000 /* LHTTP over WAN */
ACCEPT all -- anywhere anywhere ctstate DNAT /* Accept port redirections */
zone_wan_src_REJECT all -- anywhere anywhere
Chain zone_wan_output (1 references)
target prot opt source destination
output_wan_rule all -- anywhere anywhere /* user chain for output */
zone_wan_dest_ACCEPT all -- anywhere anywhere
Chain zone_wan_src_REJECT (1 references)
target prot opt source destination
reject all -- anywhere anywhere
答案1
我只是添加了 -s(正如我在一开始所说的:我不太了解 iptables......)
iptables -s 192.168.1.77 -I FORWARD --目标 1.2.3.4 -j REJECT
干杯,