如何通过 dd-wrt 中的 iptables 通过外部代理重定向除本地以外的所有流量？

Question 1

您可以使用 ! -s or -d排除某些 IP/网络

来自 iptables 人

[!] -s, --source address[/mask][,...]
     Source specification. Address can be either a network name, a hostname,  a
     network  IP address (with /mask), or a plain IP address. Hostnames will be
     resolved once only, before the rule is submitted to  the  kernel.   Please
     note  that  specifying any name to be resolved with a remote query such as
     DNS is a really bad idea.  The mask can be either  a  network  mask  or  a
     plain number, specifying the number of 1's at the left side of the network
     mask.  Thus, a mask of 24 is equivalent to 255.255.255.0.  A "!"  argument
     before  the  address  specification  inverts the sense of the address. The
     flag --src is an alias for this option.  Multiple addresses can be  speciâ
     fied,  but  this  will  expand to multiple rules (when adding with -A), or
     will cause multiple rules to be deleted (with -D).

[!] -d, --destination address[/mask][,...]
     Destination specification.  See the description of the  -s  (source)  flag
     for  a detailed description of the syntax.  The flag --dst is an alias for
     this option

所以你的规则应该排除特定的IP

iptables -t nat -A PREROUTING -i br0 '!' -d IPAddrOfyourRouter/32 -p tcp --dport 80 -j DNAT --to 218.108.168.73:82

Answer

您可以使用 ! -s or -d排除某些 IP/网络

来自 iptables 人

[!] -s, --source address[/mask][,...]
     Source specification. Address can be either a network name, a hostname,  a
     network  IP address (with /mask), or a plain IP address. Hostnames will be
     resolved once only, before the rule is submitted to  the  kernel.   Please
     note  that  specifying any name to be resolved with a remote query such as
     DNS is a really bad idea.  The mask can be either  a  network  mask  or  a
     plain number, specifying the number of 1's at the left side of the network
     mask.  Thus, a mask of 24 is equivalent to 255.255.255.0.  A "!"  argument
     before  the  address  specification  inverts the sense of the address. The
     flag --src is an alias for this option.  Multiple addresses can be  speciâ
     fied,  but  this  will  expand to multiple rules (when adding with -A), or
     will cause multiple rules to be deleted (with -D).

[!] -d, --destination address[/mask][,...]
     Destination specification.  See the description of the  -s  (source)  flag
     for  a detailed description of the syntax.  The flag --dst is an alias for
     this option

所以你的规则应该排除特定的IP

iptables -t nat -A PREROUTING -i br0 '!' -d IPAddrOfyourRouter/32 -p tcp --dport 80 -j DNAT --to 218.108.168.73:82

Question 2

我看到很多人都提出了这个请求。

使用案例： 我应该能够将特定端口上的所有流量转发到特定 IP。

解决方案

echo "1" > /proc/sys/net/ipv4/ip_forward
iptables -t nat  -F
iptables -t nat -A PREROUTING -p tcp --dport 5432 -j DNAT --to-destination 10.21.33.61:5432
iptables -t nat -A POSTROUTING -j MASQUERADE
iptables -t nat -L -n

。

新用例：我应该能够将特定端口上的所有流量转发到特定 IP，但排除 1 个 IP。

解决方案

echo "1" > /proc/sys/net/ipv4/ip_forward
iptables -t nat  -F
iptables -t nat -A PREROUTING '!' -s 10.21.33.61/32 -p tcp --dport 5432 -j DNAT --to 10.21.33.61:5432
iptables -t nat -A POSTROUTING -j MASQUERADE
iptables -t nat -L -n

这里：

10.21.33.61/32是我们要从转发中排除的 IP。
10.21.33.61:5432是我们要将流量转发到的 IP:端口
5432是您要转发流量的端口。
'!' -s用于排除来源。

Answer

我看到很多人都提出了这个请求。

使用案例： 我应该能够将特定端口上的所有流量转发到特定 IP。

解决方案

echo "1" > /proc/sys/net/ipv4/ip_forward
iptables -t nat  -F
iptables -t nat -A PREROUTING -p tcp --dport 5432 -j DNAT --to-destination 10.21.33.61:5432
iptables -t nat -A POSTROUTING -j MASQUERADE
iptables -t nat -L -n

。

新用例：我应该能够将特定端口上的所有流量转发到特定 IP，但排除 1 个 IP。

解决方案

echo "1" > /proc/sys/net/ipv4/ip_forward
iptables -t nat  -F
iptables -t nat -A PREROUTING '!' -s 10.21.33.61/32 -p tcp --dport 5432 -j DNAT --to 10.21.33.61:5432
iptables -t nat -A POSTROUTING -j MASQUERADE
iptables -t nat -L -n

这里：

10.21.33.61/32是我们要从转发中排除的 IP。
10.21.33.61:5432是我们要将流量转发到的 IP:端口
5432是您要转发流量的端口。
'!' -s用于排除来源。

如何通过 dd-wrt 中的 iptables 通过外部代理重定向除本地以外的所有流量？

答案1

答案2

相关内容