I'm running into problems with my setup. Here's what I'm trying to do. I have Chillispot (hotspot) running on dd-wrt. Everything is set up, but clients only need 80 and 443 through the hotspot. I found this dd-wrt tutorial, but it doesn't seem to work.
http://www.dd-wrt.com/wiki/index.php/Iptables#Allow_HTTP_traffic_only_to_specific_domain.28s.29
Initially I tried putting the options at the top, but that didn't work. Then I flushed iptables and set only these three. I can see the pkts count growing, but for some reason I can still browse.
root@DD-WRT:~# iptables -nvL FORWARD
Chain FORWARD (policy ACCEPT 3105 packets, 2442K bytes)
pkts bytes target prot opt in out source destination
1629 230K ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 multiport dports 21,80,443
2346 2792K ACCEPT 0 -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
328 46420 DROP 0 -- * * 0.0.0.0/0 0.0.0.0/0
Here is some information from the router; chillispot is the tun0 interface.
root@DD-WRT:~# iptables -vnL FORWARD --line-numbers
Chain FORWARD (policy DROP 0 packets, 0 bytes)
num pkts bytes target prot opt in out source destination
1 0 0 ACCEPT 47 -- * vlan1 192.168.8.0/24 0.0.0.0/0
2 0 0 ACCEPT tcp -- * vlan1 192.168.8.0/24 0.0.0.0/0 tcp dpt:1723
3 32 1851 ACCEPT 0 -- tun0 * 0.0.0.0/0 0.0.0.0/0 state NEW
4 0 0 ACCEPT 0 -- br0 br0 0.0.0.0/0 0.0.0.0/0
5 48 2408 TCPMSS tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x06/0x02 TCPMSS clamp to PMTU
6 756 452K lan2wan 0 -- * * 0.0.0.0/0 0.0.0.0/0
7 756 452K ACCEPT 0 -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
8 0 0 TRIGGER 0 -- vlan1 br0 0.0.0.0/0 0.0.0.0/0 TRIGGER type:in match:0 relate:0
9 0 0 trigger_out 0 -- br0 * 0.0.0.0/0 0.0.0.0/0
10 0 0 ACCEPT 0 -- br0 * 0.0.0.0/0 0.0.0.0/0 state NEW
11 0 0 DROP 0 -- * * 0.0.0.0/0 0.0.0.0/0
12 0 0 DROP 0 -- br0 * 0.0.0.0/0 0.0.0.0/0
13 0 0 DROP 0 -- * br0 0.0.0.0/0 0.0.0.0/0
Interfaces:
root@DD-WRT:~# ifconfig -a
br0 Link encap:Ethernet HWaddr 00:12:17:CF:80:5F
inet addr:192.168.8.1 Bcast:192.168.8.255 Mask:255.255.255.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:2371 errors:0 dropped:0 overruns:0 frame:0
TX packets:1862 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:259721 (253.6 KiB) TX bytes:254862 (248.8 KiB)
br0:0 Link encap:Ethernet HWaddr 00:12:17:CF:80:5F
inet addr:169.254.255.1 Bcast:169.254.255.255 Mask:255.255.0.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
eth0 Link encap:Ethernet HWaddr 00:12:17:CF:80:5F
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:5050 errors:0 dropped:0 overruns:0 frame:0
TX packets:2508 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:1066410 (1.0 MiB) TX bytes:376001 (367.1 KiB)
Interrupt:5
eth1 Link encap:Ethernet HWaddr 00:12:17:CF:80:61
UP BROADCAST RUNNING ALLMULTI MULTICAST MTU:1500 Metric:1
RX packets:729 errors:0 dropped:0 overruns:0 frame:114693
TX packets:697 errors:2 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:107869 (105.3 KiB) TX bytes:473134 (462.0 KiB)
Interrupt:4 Base address:0x1000
etherip0 Link encap:Ethernet HWaddr 1E:13:B7:09:CC:8C
BROADCAST MULTICAST MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:0 (0.0 B) TX bytes:0 (0.0 B)
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
UP LOOPBACK RUNNING MULTICAST MTU:16436 Metric:1
RX packets:18 errors:0 dropped:0 overruns:0 frame:0
TX packets:18 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:1210 (1.1 KiB) TX bytes:1210 (1.1 KiB)
teql0 Link encap:UNSPEC HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
NOARP MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:100
RX bytes:0 (0.0 B) TX bytes:0 (0.0 B)
tun0 Link encap:UNSPEC HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
inet addr:192.168.182.1 P-t-P:192.168.182.1 Mask:255.255.255.0
UP POINTOPOINT RUNNING MTU:1500 Metric:1
RX packets:662 errors:0 dropped:0 overruns:0 frame:0
TX packets:587 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:10
RX bytes:92167 (90.0 KiB) TX bytes:427657 (417.6 KiB)
vlan0 Link encap:Ethernet HWaddr 00:12:17:CF:80:5F
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:2371 errors:0 dropped:0 overruns:0 frame:0
TX packets:1864 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:269558 (263.2 KiB) TX bytes:262680 (256.5 KiB)
vlan1 Link encap:Ethernet HWaddr 00:12:17:CF:80:60
inet addr:10.3.2.47 Bcast:10.255.255.255 Mask:255.255.255.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:2675 errors:0 dropped:0 overruns:0 frame:0
TX packets:645 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:705429 (688.8 KiB) TX bytes:102197 (99.8 KiB)
Routing table:
root@DD-WRT:~# netstat -nr
Kernel IP routing table
Destination Gateway Genmask Flags MSS Window irtt Iface
192.168.182.0 0.0.0.0 255.255.255.0 U 0 0 0 tun0
10.3.2.0 0.0.0.0 255.255.255.0 U 0 0 0 vlan1
192.168.8.0 0.0.0.0 255.255.255.0 U 0 0 0 br0
169.254.0.0 0.0.0.0 255.255.0.0 U 0 0 0 br0
127.0.0.0 0.0.0.0 255.0.0.0 U 0 0 0 lo
0.0.0.0 10.3.2.1 0.0.0.0 UG 0 0 0 vlan1
Any help is greatly appreciated.
TIA, Arun
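The FORWARD chain is evaluated first-match, and in the router's default listing above, rule 3 (`ACCEPT ... tun0 * ... state NEW`) accepts every new connection from the hotspot interface before anything appended further down is consulted. The following is an added example, not code from the original post or from the dd-wrt wiki: it inserts a port restriction for the hotspot interface at the head of FORWARD so that it is matched first. It assumes the hotspot interface is tun0 and the WAN interface is vlan1, as in the listings above, and the `IPT` variable lets you preview the generated commands with `IPT=echo` before applying them.

```sh
#!/bin/sh
# Added example (not from the original post): restrict a Chillispot hotspot
# interface to outbound TCP 80 and 443 in the FORWARD chain.
#
# Assumptions (taken from the post's listings): hotspot clients arrive on
# tun0 and leave via vlan1.  Set IPT=echo to print the commands instead of
# running them, e.g.:  IPT=echo sh hotspot-forward.sh
IPT="${IPT:-iptables}"
HOTSPOT_IF="${HOTSPOT_IF:-tun0}"
WAN_IF="${WAN_IF:-vlan1}"

hotspot_forward_rules() {
    # Explicit positions 1, 2 and 3 put these rules ahead of dd-wrt's own
    # "-i tun0 -m state --state NEW -j ACCEPT" rule.  iptables stops at the
    # first matching rule, so a restriction appended at the end of FORWARD
    # never sees traffic that an earlier ACCEPT rule has already let through.

    # 1. Replies and related packets for connections already allowed.
    $IPT -I FORWARD 1 -i "$HOTSPOT_IF" -o "$WAN_IF" \
        -m state --state RELATED,ESTABLISHED -j ACCEPT

    # 2. New client connections, but only to TCP 80 and 443.
    $IPT -I FORWARD 2 -i "$HOTSPOT_IF" -o "$WAN_IF" -p tcp \
        -m multiport --dports 80,443 -m state --state NEW -j ACCEPT

    # 3. Everything else from the hotspot towards the WAN is dropped here,
    #    so the generic ACCEPT rule later in the chain is never reached.
    $IPT -I FORWARD 3 -i "$HOTSPOT_IF" -o "$WAN_IF" -j DROP
}

hotspot_forward_rules
```

After applying, `iptables -nvL FORWARD --line-numbers` should show the three rules at positions 1 to 3, and the packet counter on the DROP rule should grow when a client tries a port other than 80 or 443. One caveat: if hotspot clients resolve names through an upstream DNS server rather than dnsmasq on the router itself, those UDP 53 queries also traverse FORWARD and would need their own ACCEPT rule ahead of the DROP; queries answered by the router go through INPUT and are unaffected. On dd-wrt, put the commands in the firewall script (Administration, Commands) so they survive a restart of the firewall.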
Answer 1
Honestly, I haven't looked closely at the details of your setup because I'm off to bed, but I see there's a bridge active. A bridge picks up packets at layer 2, which may mean your rules aren't doing exactly what you expect. In my setup I needed to use the physdev module to filter based on the inbound/outbound interface. Just wanted to mention it; it might save you some trouble.