iptables 阻止客户端 ip 互联网访问并保持 LAN 访问

这行不通。

#
# (6) OUTPUT rule to allow a client LAN access, but DROP internet access
# I use this to prevent various home appliances from accessing the internet
# iptables -A OUTPUT -s 192.168.10.110 -j DROP

它不起作用的原因是 OUTPUT 表仅过滤来自路由器的流量，而不是通过路由器的流量。您希望将规则应用到 FORWARD 表，如下所示：

iptables -A FORWARD -s 192.168.10.110 -j DROP

但它可能不会永远存在，因为分配给设备的 IP 地址会随着 DHCP 而改变。所以我建议你改为按 mac 地址进行过滤。

就像是：

/sbin/iptables -A PREROUTING -i $LAN -m mac --mac-source ff:ff:ff:ff:ff:ff -j DROP

ff:ff:ff:ff:ff:ff您想要过滤的 Harmony 遥控器或其他设备的 MAC 地址在 哪里？

注意：正如评论中指出的那样，MAC 地址仅在第 2 层起作用。我见过的示例表明，由于过滤器应用于 LAN 接口，因此上述操作应该可以工作。请测试一下，然后让我知道它是否按预期工作。

我还想补充一点：

#
# Creates the router between the 2 ethernet cards to accept the packets we want to forward
#
iptables -A FORWARD -i $LAN -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

不，它不会在 2 个以太网卡之间创建路由器。当启用 IP 转发时，路由由内核自动完成。

上述 iptables 规则表示接受或允许来自 $LAN 的数据包通过任何接口。并保持通过前向链进入路由器的已建立/相关会话的状态，这些会话不是来自 $LAN。因为这会触发第一条规则并停止。

谢谢 Matt！我以为这会是一件很简单的事情。所以我需要使用 FORWARD 规则，而不是 OUTPUT！我不必担心 IP 地址更改，因为此服务器还提供 DHCP，我根据 MA​​C 地址将它们分配给设备。但我知道您的建议在不同情况下会如何发挥作用。

至于路由注释...我是一名剪切粘贴程序员。自从多年前从“RedHat 8 圣经”中复制以来，我一直在使用脚本的这一部分，那时 RedHat 还没有从 Fedora 中分离出来。虽然注释不在原始脚本中，但我尝试根据自己的理解进行注释。书中的实际注释指出：

---

“FOWARD 链式规则 - 因为防火墙也充当路由器，所以需要 FORWARD 规则来限制防火墙在两个网络（Internet 和 LAN）之间传递和不传递的内容”

---

该评论是我对所读内容的误解。我很抱歉。这是经过更正的脚本，其中 Matt 更改了 FORWARD 规则。此外，它现在移到了 FORWARD 部分的顶部，并且我已更新评论以反映我获得原始脚本的书中实际说的内容。

所需 IP 现在可以访问本地网络，但不能访问互联网。

#!/bin/sh
#
# A script for creating an iptables firewall
#

#
# Start by clearing iptables
#
iptables -F
iptables -t nat -F
iptables -t mangle -F
iptables -X
iptables -t nat -X
iptables -t mangle -X

#
# Define our interfaces, Squid IP, and Squid port
#
WAN="p4p1"
LAN="p4p2"
SQUIDIP="192.168.10.10"
SQUIDPORT="3129"

#
# Create log files to help troubleshooting. Comment out when not needed.
#
# iptables -A OUTPUT -j LOG
# iptables -A INPUT -j LOG
# iptables -A FORWARD -j LOG


# Turn on ip forwarding in the kernel with:
# echo 1 > /proc/sys/net/ipv4/ip_forward
# or edit /etc/sysctl.conf and add: "net.ipv4.ip_forward = 1"

#
##### Now to create the Routing Firewall
#

#
# (1) Create the default policies (DROP)
#
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP

#
# (2) User-defined chain called "okay" for ACCEPTed TCP packets
#
iptables -N okay
iptables -A okay -p tcp --syn -j ACCEPT
iptables -A okay -p tcp -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A okay -p tcp -j DROP

#
# (3) INPUT rules
#
######  (A) Rules for incoming packets from the LAN
iptables -A INPUT -p ALL -i $LAN -s 192.168.10.0/24 -j ACCEPT
iptables -A INPUT -p ALL -i lo -s 127.0.0.1 -j ACCEPT
iptables -A INPUT -p ALL -i lo -s 192.168.10.10 -j ACCEPT
iptables -A INPUT -p ALL -i lo -s 192.168.1.10 -j ACCEPT
iptables -A INPUT -p ALL -i $LAN -d 192.168.10.255 -j ACCEPT

##### (B) Rules for incoming packets from the Internet

######      (i) Packets for established connetions
iptables -A INPUT -p ALL -d 192.168.1.10 -m state --state ESTABLISHED,RELATED -j ACCEPT

#####       (ii) TCP rules  ## Opens the server port to any TCP from the internet
iptables -A INPUT -p tcp -i $WAN -s 0/0 --dport 22 -j okay

#####       (iii) UDP rules ## Opens the server port to any UDP from the internet
# iptables -A INPUT -p udp -i $WAN -s 0/0 --dport 53 -j okay

#####       (iv) ICMP rules
iptables -A INPUT -p icmp -i $WAN -s 0/0 --icmp-type 8 -j ACCEPT
iptables -A INPUT -p icmp -i $WAN -s 0/0 --icmp-type 11 -j ACCEPT

#
# (4) FORWARD rules
# 
#####   (A) FORWARD rule to allow a client LAN access, but DROP internet access
#####   I use this to prevent various home appliances from accessing the internet
#
iptables -A FORWARD -s 192.168.10.110 -j DROP

#####   (B) Since this firewall is also a router, limit what packets are forwarded
#####   between the 2 ethernet cards
#
iptables -A FORWARD -i $LAN -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

#
# (5) OUTPUT rules
# Only output packets with local addresses (no spoofing)
#
iptables -A OUTPUT -p ALL -s 127.0.0.1 -j ACCEPT
iptables -A OUTPUT -p ALL -s 192.168.10.10 -j ACCEPT
iptables -A OUTPUT -p ALL -s 192.168.1.10 -j ACCEPT

#
# (6) PREROUTING rules to allow a client to bypass our Squid proxy
# (NetFlix works better when it bypasses the proxy)
iptables -t nat -A PREROUTING -s 192.168.10.204 -j ACCEPT # BluRay player
iptables -t nat -A PREROUTING -s 192.168.10.205 -j ACCEPT # Sony TV

#
# (7) PREROUTING rules for transparent Squid proxy
# Also requires changes in the squid configuration file
# (from: http://wiki.squid-cache.org/ConfigExamples/Intercept/LinuxRedirect)
#
iptables -t nat -A PREROUTING -s $SQUIDIP -p tcp --dport 80 -j ACCEPT
iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-port $SQUIDPORT
iptables -t mangle -A PREROUTING -p tcp --dport $SQUIDPORT -j DROP 

#
# (8) POSTROUTING chain rules. SNAT is for static IP, MASQUERADE is for dynamic IP
#
iptables -t nat -A POSTROUTING -o $WAN -j SNAT --to-source 192.168.1.10
# iptables -t nat -A POSTROUTING -o $WAN -j MASQUERADE

#
# Last, but not least, save the new configuration in /etc/sysconfig/iptables
#
service iptables save

#
# EOF
#