我不太确定这是怎么可能的,但我有一个带有 2 个接口的 linux(ubuntu 14.04) 盒子。 eth0 连接到我们的 LAN 192.168.0.*
,eth1 连接到网络上的 dlink wifi 路由器192.168.3.*
。
Wifi 网络仅适用于移动设备。他们只能访问安装在盒子上的网络应用程序。我想防止任何意外情况,例如访问 192.168.0.* 网络,即使有人通过 ssh 获得了访问该盒子的授权。
这样的事情可能吗?
编辑
在 /etc/sysctl.conf 中,我现在net.ipv4.ip_forward=0
使用 sudo -p /etc/sysctl.conf 重新启动计算机。但这没有用。我可以 ping 通 192.168.0.* 网络
#sysctl -a
net.ipv4.conf.all.accept_local = 0
net.ipv4.conf.all.accept_redirects = 1
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.all.arp_accept = 0
net.ipv4.conf.all.arp_announce = 0
net.ipv4.conf.all.arp_filter = 0
net.ipv4.conf.all.arp_ignore = 0
net.ipv4.conf.all.arp_notify = 0
net.ipv4.conf.all.bootp_relay = 0
net.ipv4.conf.all.disable_policy = 0
net.ipv4.conf.all.disable_xfrm = 0
net.ipv4.conf.all.force_igmp_version = 0
net.ipv4.conf.all.forwarding = 0
net.ipv4.conf.all.igmpv2_unsolicited_report_interval = 10000
net.ipv4.conf.all.igmpv3_unsolicited_report_interval = 1000
net.ipv4.conf.all.log_martians = 0
net.ipv4.conf.all.mc_forwarding = 0
net.ipv4.conf.all.medium_id = 0
net.ipv4.conf.all.promote_secondaries = 0
net.ipv4.conf.all.proxy_arp = 0
net.ipv4.conf.all.proxy_arp_pvlan = 0
net.ipv4.conf.all.route_localnet = 0
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.all.secure_redirects = 1
net.ipv4.conf.all.send_redirects = 1
net.ipv4.conf.all.shared_media = 1
net.ipv4.conf.all.src_valid_mark = 0
net.ipv4.conf.all.tag = 0
编辑2
下面是我的 iptables
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
答案1
设置net.ipv4.ip_forward
为零应防止从eth1
.但如果任何人拥有 root 访问权限,您就无法阻止任何人访问您的盒子。使用 iptablesfilter
表和input
/或output
链来防止访问该框的非 root 用户访问您的 LAN。