Port forwarding to an IP on a separate dd-wrt VLAN

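I have several isolated VLANs set up in dd-wrt. Now I need to forward a port to an IP on VLAN2.

The goal here is to allow someone to use a computer on vlan2 without having access to the rest of my network.

I isolated the VLANs using the following: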

iptables -I FORWARD -i br0 -o vlan2 -j DROP
iptables -I FORWARD -i br0 -o vlan3 -j DROP
iptables -I FORWARD -i br0 -o vlan4 -j DROP

Any ideas?

iptables:

 Chain INPUT (policy ACCEPT)     
 target     prot opt source               destination     
 ACCEPT     0    --  anywhere             anywhere            state RELATED,ESTABLISHED     
 DROP       udp  --  anywhere             anywhere            udp dpt:route     
 DROP       udp  --  anywhere             anywhere            udp dpt:route     
 ACCEPT     udp  --  anywhere             anywhere            udp dpt:route     
 logaccept  tcp  --  anywhere             DD-WRT              tcp dpt:www        
 DROP       icmp --  anywhere             anywhere     
 DROP       igmp --  anywhere             anywhere     
 ACCEPT     0    --  anywhere             anywhere            state NEW     
 logaccept  0    --  anywhere             anywhere            state NEW     
 ACCEPT     0    --  anywhere             anywhere     
 ACCEPT     0    --  anywhere             anywhere     
 ACCEPT     0    --  anywhere             anywhere     
 DROP       0    --  anywhere             anywhere     

 Chain FORWARD (policy ACCEPT)     
 target     prot opt source               destination     
 DROP       0    --  anywhere             anywhere     
 DROP       0    --  anywhere             anywhere     
 DROP       0    --  anywhere             anywhere     
 ACCEPT     gre  --  192.168.1.0/24       anywhere     
 ACCEPT     tcp  --  192.168.1.0/24       anywhere            tcp dpt:1723     
 ACCEPT     0    --  anywhere             anywhere     
 ACCEPT     0    --  anywhere             anywhere     
 ACCEPT     0    --  anywhere             anywhere     
 ACCEPT     0    --  anywhere             anywhere     
 logdrop    0    --  anywhere             anywhere            state INVALID     
 TCPMSS     tcp  --  anywhere             anywhere            tcp flags:SYN,RST/SYN tcpmss match 1461:65535 TCPMSS set 1460     
 lan2wan    0    --  anywhere             anywhere     
 ACCEPT     0    --  anywhere             anywhere            state RELATED,ESTABLISHED     
 ACCEPT     tcp  --  anywhere             192.168.1.98        tcp dpt:www     
 ACCEPT     tcp  --  anywhere             192.168.1.111       tcp dpt:www         
 TRIGGER    0    --  anywhere             anywhere            TRIGGER type:in match:0 relate:0     
 trigger_out  0    --  anywhere             anywhere     
 ACCEPT     0    --  anywhere             anywhere            state NEW     
 DROP       0    --  anywhere             anywhere     

 Chain OUTPUT (policy ACCEPT)     
 target     prot opt source               destination     

 Chain advgrp_1 (0 references)     
 target     prot opt source               destination     

 Chain advgrp_10 (0 references)     
 target     prot opt source               destination     

 Chain advgrp_2 (0 references)     
 target     prot opt source               destination     

 Chain advgrp_3 (0 references)     
 target     prot opt source               destination     

 Chain advgrp_4 (0 references)     
 target     prot opt source               destination     

 Chain advgrp_5 (0 references)     
 target     prot opt source               destination     

 Chain advgrp_6 (0 references)     
 target     prot opt source               destination     

 Chain advgrp_7 (0 references)     
 target     prot opt source               destination     

 Chain advgrp_8 (0 references)     
 target     prot opt source               destination     

 Chain advgrp_9 (0 references)     
 target     prot opt source               destination     

 Chain grp_1 (1 references)     
 target     prot opt source               destination     

 Chain grp_10 (0 references)     
 target     prot opt source               destination     

 Chain grp_2 (0 references)     
 target     prot opt source               destination     

 Chain grp_3 (0 references)     
 target     prot opt source               destination     

 Chain grp_4 (0 references)     
 target     prot opt source               destination     

 Chain grp_5 (0 references)     
 target     prot opt source               destination     

 Chain grp_6 (0 references)     
 target     prot opt source               destination     

 Chain grp_7 (0 references)     
 target     prot opt source               destination     

 Chain grp_8 (0 references)     
 target     prot opt source               destination     

 Chain grp_9 (0 references)     
 target     prot opt source               destination     

 Chain lan2wan (1 references)     
 target     prot opt source               destination     
 grp_1      0    --  anywhere             anywhere     

 Chain logaccept (3 references)     
 target     prot opt source               destination     
 ACCEPT     0    --  anywhere             anywhere     

 Chain logdrop (1 references)     
 target     prot opt source               destination     
 DROP       0    --  anywhere             anywhere     

 Chain logreject (0 references)     
 target     prot opt source               destination     
 REJECT     tcp  --  anywhere             anywhere            tcp reject-with tcp-reset     

 Chain trigger_out (1 references)     
 target     prot opt source               destination     
 root@DD-WRT:~#     

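Answer 1

You don't forward a single port to a VLAN; you forward it to a specific IP. If for some reason you want it broadcast to the whole VLAN, you can forward it to VLAN2's broadcast address.

Also, you may want to make sure that all of your VLANs use separate subnets. dd-wrt gets a bit weird when it starts looping because it is trying to route between multiple VLANs that have the same subnet.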
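
One way to apply the two points in Answer 1 (forward to a specific host, keep each VLAN on its own subnet), as an added example that is not part of the original answers: the script refuses to emit rules when VLAN2 overlaps br0 or the target is outside VLAN2, then prints a DNAT rule and a FORWARD accept limited to the WAN interface. VLAN2_NET, WAN_IF and the sample addresses are assumptions.

```shell
#!/bin/sh
# Added example. Constructed values: VLAN2_NET, WAN_IF and the sample
# addresses in the call at the bottom are assumptions, not from the question.
LAN_NET="192.168.1.0/24"     # br0 subnet, as seen in the posted ruleset
VLAN2_NET="192.168.2.0/24"   # assumed VLAN2 subnet
WAN_IF="vlan1"               # assumed WAN interface; hardware dependent

# Dotted quad -> 32-bit integer.
ip_to_int() {
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    echo $(( ($1 << 24) + ($2 << 16) + ($3 << 8) + $4 ))
}

# First and last address of a CIDR block, printed as "lo hi".
cidr_range() {
    base=$(ip_to_int "${1%/*}")
    size=$(( 1 << (32 - ${1#*/}) ))
    lo=$(( base & ~(size - 1) ))
    echo "$lo $(( lo + size - 1 ))"
}

# Exit status 0 when the two CIDR blocks share any address.
subnets_overlap() {
    set -- $(cidr_range "$1") $(cidr_range "$2")
    [ "$1" -le "$4" ] && [ "$3" -le "$2" ]
}

# Print (without running) rules forwarding TCP port $2 on WAN address $1
# to host $3, which must sit on VLAN2.
forward_rules() {
    if subnets_overlap "$LAN_NET" "$VLAN2_NET"; then
        echo "refusing: VLAN2 and br0 share address space" >&2; return 1
    fi
    if ! subnets_overlap "$3/32" "$VLAN2_NET"; then
        echo "refusing: $3 is not inside $VLAN2_NET" >&2; return 1
    fi
    echo "iptables -t nat -I PREROUTING -p tcp -d $1 --dport $2 -j DNAT --to-destination $3:$2"
    # -i $WAN_IF keeps br0 -> vlan2 traffic subject to the existing DROP rules.
    echo "iptables -I FORWARD -i $WAN_IF -o vlan2 -p tcp -d $3 --dport $2 -j ACCEPT"
}

forward_rules 203.0.113.10 8080 192.168.2.50
```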

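Answer 2

You can still use the same port forwarding application in the GUI. Loopback is broken on DD-WRT v24-sp1 (07/27/08) std. So to test it, you have to connect from outside the network.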
