我在 dd-wrt 中设置了多个隔离的 VLAN。现在我需要将端口转发到 VLAN2 上的 IP。
这里的目标是允许某人使用 vlan2 上的计算机而无需访问我的网络的其余部分。
我使用以下方法隔离了 VLAN:
iptables -I FORWARD -i br0 -o vlan2 -j DROP
iptables -I FORWARD -i br0 -o vlan3 -j DROP
iptables -I FORWARD -i br0 -o vlan4 -j DROP
有任何想法吗?
iptables:
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT 0 -- anywhere anywhere state RELATED,ESTABLISHED
DROP udp -- anywhere anywhere udp dpt:route
DROP udp -- anywhere anywhere udp dpt:route
ACCEPT udp -- anywhere anywhere udp dpt:route
logaccept tcp -- anywhere DD-WRT tcp dpt:www
DROP icmp -- anywhere anywhere
DROP igmp -- anywhere anywhere
ACCEPT 0 -- anywhere anywhere state NEW
logaccept 0 -- anywhere anywhere state NEW
ACCEPT 0 -- anywhere anywhere
ACCEPT 0 -- anywhere anywhere
ACCEPT 0 -- anywhere anywhere
DROP 0 -- anywhere anywhere
Chain FORWARD (policy ACCEPT)
target prot opt source destination
DROP 0 -- anywhere anywhere
DROP 0 -- anywhere anywhere
DROP 0 -- anywhere anywhere
ACCEPT gre -- 192.168.1.0/24 anywhere
ACCEPT tcp -- 192.168.1.0/24 anywhere tcp dpt:1723
ACCEPT 0 -- anywhere anywhere
ACCEPT 0 -- anywhere anywhere
ACCEPT 0 -- anywhere anywhere
ACCEPT 0 -- anywhere anywhere
logdrop 0 -- anywhere anywhere state INVALID
TCPMSS tcp -- anywhere anywhere tcp flags:SYN,RST/SYN tcpmss match 1461:65535 TCPMSS set 1460
lan2wan 0 -- anywhere anywhere
ACCEPT 0 -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT tcp -- anywhere 192.168.1.98 tcp dpt:www
ACCEPT tcp -- anywhere 192.168.1.111 tcp dpt:www
TRIGGER 0 -- anywhere anywhere TRIGGER type:in match:0 relate:0
trigger_out 0 -- anywhere anywhere
ACCEPT 0 -- anywhere anywhere state NEW
DROP 0 -- anywhere anywhere
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Chain advgrp_1 (0 references)
target prot opt source destination
Chain advgrp_10 (0 references)
target prot opt source destination
Chain advgrp_2 (0 references)
target prot opt source destination
Chain advgrp_3 (0 references)
target prot opt source destination
Chain advgrp_4 (0 references)
target prot opt source destination
Chain advgrp_5 (0 references)
target prot opt source destination
Chain advgrp_6 (0 references)
target prot opt source destination
Chain advgrp_7 (0 references)
target prot opt source destination
Chain advgrp_8 (0 references)
target prot opt source destination
Chain advgrp_9 (0 references)
target prot opt source destination
Chain grp_1 (1 references)
target prot opt source destination
Chain grp_10 (0 references)
target prot opt source destination
Chain grp_2 (0 references)
target prot opt source destination
Chain grp_3 (0 references)
target prot opt source destination
Chain grp_4 (0 references)
target prot opt source destination
Chain grp_5 (0 references)
target prot opt source destination
Chain grp_6 (0 references)
target prot opt source destination
Chain grp_7 (0 references)
target prot opt source destination
Chain grp_8 (0 references)
target prot opt source destination
Chain grp_9 (0 references)
target prot opt source destination
Chain lan2wan (1 references)
target prot opt source destination
grp_1 0 -- anywhere anywhere
Chain logaccept (3 references)
target prot opt source destination
ACCEPT 0 -- anywhere anywhere
Chain logdrop (1 references)
target prot opt source destination
DROP 0 -- anywhere anywhere
Chain logreject (0 references)
target prot opt source destination
REJECT tcp -- anywhere anywhere tcp reject-with tcp-reset
Chain trigger_out (1 references)
target prot opt source destination
root@DD-WRT:~#
答案1
您不会将单个端口转发到 VLAN,而是将其转发到特定 IP。如果您出于某种原因希望将其广播到整个 VLAN,则可以将其转发到 VLAN2 的广播地址。
此外,您可能需要确保所有 VLAN 都使用单独的子网。当 dd-wrt 开始循环时,它会变得有点奇怪,因为它试图在具有相同子网的多个 VLAN 之间进行路由。
答案2
您仍然可以在 GUI 中使用相同的端口转发应用程序。DD-WRT v24-sp1 (07/27/08) std 上的环回已损坏。因此,要测试它,您必须从网络外部进行连接。