iptables: block a client IP from the Internet while keeping LAN access


With the growing number of appliances that have network access, and the chance of one of them being hacked, I want to block specific IP addresses from reaching the internet while still allowing LAN access. For example, I use a Logitech Harmony remote to control my stereo, satellite receiver and TV with one button. I can also control it over the local network from an iPad. But I don't want a hacker operating my TV, so I want to use my iptables firewall to block the IP address assigned to the Harmony remote.

Here is the current script I use to set up my iptables configuration. It runs on my Fedora 20 box, which has 2 network cards. Section 6 is where I'm trying to insert the rule. Everything else works as expected. I'm attaching the whole script in the hope that it helps someone else, even the parts unrelated to my question. After all, it was all built from knowledge gained through my own searching!


#!/bin/sh
#
# A script for creating an iptables firewall
#

#
# Start by clearing iptables
#
iptables -F
iptables -t nat -F
iptables -t mangle -F
iptables -X
iptables -t nat -X
iptables -t mangle -X

#
# Define our interfaces, Squid IP, and Squid port
#
WAN="p4p1"
LAN="p4p2"
SQUIDIP="192.168.10.10"
SQUIDPORT="3129"

#
# Create log files to help troubleshooting. (We can comment out when not needed)
#
# iptables -A OUTPUT -j LOG
# iptables -A INPUT -j LOG
# iptables -A FORWARD -j LOG

#
# Now to create the Routing Firewall
#

#
# (1) Create the default policies (DROP)
#
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP

#
# (2) User-defined chain called "okay" for ACCEPTed TCP packets
#
iptables -N okay
iptables -A okay -p tcp --syn -j ACCEPT
iptables -A okay -p tcp -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A okay -p tcp -j DROP

#
# (3) INPUT rules
#
######  (A) Rules for incoming packets from the LAN
iptables -A INPUT -p ALL -i $LAN -s 192.168.10.0/24 -j ACCEPT
iptables -A INPUT -p ALL -i lo -s 127.0.0.1 -j ACCEPT
iptables -A INPUT -p ALL -i lo -s 192.168.10.10 -j ACCEPT
iptables -A INPUT -p ALL -i lo -s 192.168.1.10 -j ACCEPT
iptables -A INPUT -p ALL -i $LAN -d 192.168.10.255 -j ACCEPT

##### (B) Rules for incoming packets from the Internet

######          (i) Packets for established connections
iptables -A INPUT -p ALL -d 192.168.1.10 -m state --state ESTABLISHED,RELATED -j ACCEPT

#####           (ii) TCP rules  ## Opens the server port to any TCP from the internet
iptables -A INPUT -p tcp -i $WAN -s 0/0 --dport 22 -j okay

#####           (iii) UDP rules ## Opens the server port to any UDP from the internet
# iptables -A INPUT -p udp -i $WAN -s 0/0 --dport 53 -j okay

#####          (iv) ICMP rules
iptables -A INPUT -p icmp -i $WAN -s 0/0 --icmp-type 8 -j ACCEPT
iptables -A INPUT -p icmp -i $WAN -s 0/0 --icmp-type 11 -j ACCEPT

#
# Creates the router between the 2 ethernet cards to accept the packets we want to forward
#
iptables -A FORWARD -i $LAN -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

#
# (5) OUTPUT rules
# Only output packets with local addresses (no spoofing)
#
iptables -A OUTPUT -p ALL -s 127.0.0.1 -j ACCEPT
iptables -A OUTPUT -p ALL -s 192.168.10.10 -j ACCEPT
iptables -A OUTPUT -p ALL -s 192.168.1.10 -j ACCEPT

#
# (6) OUTPUT rule to allow a client LAN access, but DROP internet access
# I use this to prevent various home appliances from accessing the internet
#
iptables -A OUTPUT -s 192.168.10.110 -j DROP

#
# (7) PREROUTING rules to allow a client to bypass our Squid proxy
# (NetFlix works better when it bypasses the proxy)
iptables -t nat -A PREROUTING -s 192.168.10.204 -j ACCEPT # BluRay player
iptables -t nat -A PREROUTING -s 192.168.10.205 -j ACCEPT # Sony TV

#
# (8) PREROUTING rules for transparent Squid proxy (also requires changes in the squid configuration file)
# (from: http://wiki.squid-cache.org/ConfigExamples/Intercept/LinuxRedirect)
#
iptables -t nat -A PREROUTING -s $SQUIDIP -p tcp --dport 80 -j ACCEPT
iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-port $SQUIDPORT
iptables -t mangle -A PREROUTING -p tcp --dport $SQUIDPORT -j DROP

#
# (9) POSTROUTING chain rules. SNAT is for static IP, MASQUERADE is for dynamic IP
#
iptables -t nat -A POSTROUTING -o $WAN -j SNAT --to-source 192.168.1.10
# iptables -t nat -A POSTROUTING -o $WAN -j MASQUERADE

#
# Last, but not least, save the new configuration in /etc/sysconfig/iptables
#
service iptables save

#
# EOF
#

Answer 1

This won't work.

#
# (6) OUTPUT rule to allow a client LAN access, but DROP internet access
# I use this to prevent various home appliances from accessing the internet
# iptables -A OUTPUT -s 192.168.10.110 -j DROP

The reason it doesn't work is that the OUTPUT table only filters traffic coming from the router itself, not traffic passing through the router. You want to apply the rule in the FORWARD table, like this:

iptables -A FORWARD -s 192.168.10.110 -j DROP

But it may not last forever, because the IP address assigned to the device can change with DHCP. So I'd suggest filtering by MAC address instead.

Something like:

# The filter table has no PREROUTING chain, so the table must be given explicitly (mangle here)
/sbin/iptables -t mangle -A PREROUTING -i $LAN -m mac --mac-source ff:ff:ff:ff:ff:ff -j DROP

where ff:ff:ff:ff:ff:ff is the MAC address of the Harmony remote or whatever other device you want to filter.

Note: as pointed out in the comments, MAC addresses only work at layer 2. The examples I've seen suggest that the above should work since the filter is applied on the LAN interface. Please test it and let me know whether it works as expected.

I'd also like to add this:

#
# Creates the router between the 2 ethernet cards to accept the packets we want to forward
#
iptables -A FORWARD -i $LAN -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

No, it does not create a router between the 2 ethernet cards. When IP forwarding is enabled, routing is done automatically by the kernel.

What the iptables rules above say is: accept/allow packets coming from $LAN out through any interface, and keep state for the established/related sessions coming into the router via the forward chain that did not originate from $LAN, since those would have triggered the first rule and stopped there.

Answer 2

Thanks Matt! I thought this would be a simple thing. So I need to use a FORWARD rule, not OUTPUT! I don't have to worry about the IP address changing, because this server also provides DHCP and I assign addresses to devices based on MAC address. But I can see how your suggestion would work in a different situation.

As for the routing comment... I'm a cut-and-paste programmer. I've been using that part of the script since copying it years ago from the "RedHat 8 Bible", back before RedHat split off from Fedora. The comments weren't in the original script; I tried to comment it based on my own understanding. The actual comment in the book states:


"FORWARD chain rules - since the firewall also acts as a router, FORWARD rules are needed to limit what the firewall will and will not pass between the two networks (Internet and LAN)"


That comment was my misunderstanding of what I'd read. I apologize. Here is the corrected script with Matt's change to the FORWARD rule. It has also been moved to the top of the FORWARD section, and I've updated the comment to reflect what the book I got the original script from actually says.

The desired IP can now reach the local network but not the internet.

#!/bin/sh
#
# A script for creating an iptables firewall
#

#
# Start by clearing iptables
#
iptables -F
iptables -t nat -F
iptables -t mangle -F
iptables -X
iptables -t nat -X
iptables -t mangle -X

#
# Define our interfaces, Squid IP, and Squid port
#
WAN="p4p1"
LAN="p4p2"
SQUIDIP="192.168.10.10"
SQUIDPORT="3129"

#
# Create log files to help troubleshooting. Comment out when not needed.
#
# iptables -A OUTPUT -j LOG
# iptables -A INPUT -j LOG
# iptables -A FORWARD -j LOG


# Turn on ip forwarding in the kernel with:
# echo 1 > /proc/sys/net/ipv4/ip_forward
# or edit /etc/sysctl.conf and add: "net.ipv4.ip_forward = 1"

#
##### Now to create the Routing Firewall
#

#
# (1) Create the default policies (DROP)
#
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP

#
# (2) User-defined chain called "okay" for ACCEPTed TCP packets
#
iptables -N okay
iptables -A okay -p tcp --syn -j ACCEPT
iptables -A okay -p tcp -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A okay -p tcp -j DROP

#
# (3) INPUT rules
#
######  (A) Rules for incoming packets from the LAN
iptables -A INPUT -p ALL -i $LAN -s 192.168.10.0/24 -j ACCEPT
iptables -A INPUT -p ALL -i lo -s 127.0.0.1 -j ACCEPT
iptables -A INPUT -p ALL -i lo -s 192.168.10.10 -j ACCEPT
iptables -A INPUT -p ALL -i lo -s 192.168.1.10 -j ACCEPT
iptables -A INPUT -p ALL -i $LAN -d 192.168.10.255 -j ACCEPT

##### (B) Rules for incoming packets from the Internet

######      (i) Packets for established connections
iptables -A INPUT -p ALL -d 192.168.1.10 -m state --state ESTABLISHED,RELATED -j ACCEPT

#####       (ii) TCP rules  ## Opens the server port to any TCP from the internet
iptables -A INPUT -p tcp -i $WAN -s 0/0 --dport 22 -j okay

#####       (iii) UDP rules ## Opens the server port to any UDP from the internet
# iptables -A INPUT -p udp -i $WAN -s 0/0 --dport 53 -j okay

#####       (iv) ICMP rules
iptables -A INPUT -p icmp -i $WAN -s 0/0 --icmp-type 8 -j ACCEPT
iptables -A INPUT -p icmp -i $WAN -s 0/0 --icmp-type 11 -j ACCEPT

#
# (4) FORWARD rules
#
#####   (A) FORWARD rule to allow a client LAN access, but DROP internet access
#####   I use this to prevent various home appliances from accessing the internet
#
iptables -A FORWARD -s 192.168.10.110 -j DROP

#####   (B) Since this firewall is also a router, limit what packets are forwarded
#####   between the 2 ethernet cards
#
iptables -A FORWARD -i $LAN -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

#
# (5) OUTPUT rules
# Only output packets with local addresses (no spoofing)
#
iptables -A OUTPUT -p ALL -s 127.0.0.1 -j ACCEPT
iptables -A OUTPUT -p ALL -s 192.168.10.10 -j ACCEPT
iptables -A OUTPUT -p ALL -s 192.168.1.10 -j ACCEPT

#
# (6) PREROUTING rules to allow a client to bypass our Squid proxy
# (NetFlix works better when it bypasses the proxy)
iptables -t nat -A PREROUTING -s 192.168.10.204 -j ACCEPT # BluRay player
iptables -t nat -A PREROUTING -s 192.168.10.205 -j ACCEPT # Sony TV

#
# (7) PREROUTING rules for transparent Squid proxy
# Also requires changes in the squid configuration file
# (from: http://wiki.squid-cache.org/ConfigExamples/Intercept/LinuxRedirect)
#
iptables -t nat -A PREROUTING -s $SQUIDIP -p tcp --dport 80 -j ACCEPT
iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-port $SQUIDPORT
iptables -t mangle -A PREROUTING -p tcp --dport $SQUIDPORT -j DROP

#
# (8) POSTROUTING chain rules. SNAT is for static IP, MASQUERADE is for dynamic IP
#
iptables -t nat -A POSTROUTING -o $WAN -j SNAT --to-source 192.168.1.10
# iptables -t nat -A POSTROUTING -o $WAN -j MASQUERADE

#
# Last, but not least, save the new configuration in /etc/sysconfig/iptables
#
service iptables save

#
# EOF
#
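As an added illustration (not code from the question or from either answer), here is a small POSIX sh model of Matt's point and of the corrected section (4): which chain on this router a given packet can hit at all, and the verdict the script's rules give it. Interfaces, router addresses and the blocked client are taken from the script; 203.0.113.5 and 192.168.10.50 are constructed stand-ins for an internet host and a LAN peer, and only rule (3A) of the INPUT chain is modelled.

```shell
#!/bin/sh
# Added model (not the page's script): which netfilter chain sees a packet on the
# thread's router and what the corrected rules decide. Router addresses, interfaces
# and the blocked client come from the script; the peer/internet hosts are constructed.
LAN="p4p2"; WAN="p4p1"
ROUTER_IPS="127.0.0.1 192.168.10.10 192.168.1.10"   # the router's own addresses
BLOCKED="192.168.10.110"                            # client to keep off the internet
is_router_ip() { for a in $ROUTER_IPS; do [ "$a" = "$1" ] && return 0; done; return 1; }
is_lan_ip()    { case "$1" in 192.168.10.*) return 0;; *) return 1;; esac; }
# chain_for SRC DST -> INPUT | OUTPUT | FORWARD | NONE
# INPUT/OUTPUT only see packets to/from the router itself; routed traffic is FORWARD;
# LAN-to-LAN traffic is switched at layer 2 and never reaches the router at all.
chain_for() {
  if is_router_ip "$2"; then echo INPUT
  elif is_router_ip "$1"; then echo OUTPUT
  elif is_lan_ip "$1" && is_lan_ip "$2"; then echo NONE
  else echo FORWARD; fi
}
# forward_verdict SRC IN_IFACE STATE -> first matching rule of section (4), in order
forward_verdict() {
  [ "$1" = "$BLOCKED" ] && { echo DROP; return; }                 # (4A) must come first
  [ "$2" = "$LAN" ]     && { echo ACCEPT; return; }               # (4B) anything from LAN
  case "$3" in ESTABLISHED|RELATED) echo ACCEPT; return;; esac    # (4B) replies
  echo DROP                                                       # default policy
}
# input_verdict SRC IN_IFACE -> only rule (3A) is modelled: LAN subnet arriving on $LAN
input_verdict() {
  if [ "$2" = "$LAN" ] && is_lan_ip "$1"; then echo ACCEPT; else echo DROP; fi
}
# output_verdict SRC -> section (5): only the router's own addresses (anti-spoofing)
output_verdict() { if is_router_ip "$1"; then echo ACCEPT; else echo DROP; fi; }
# verdict SRC DST IN_IFACE STATE -> "<chain> <verdict>"
verdict() {
  c=$(chain_for "$1" "$2")
  case "$c" in
    FORWARD) echo "FORWARD $(forward_verdict "$1" "$3" "$4")";;
    INPUT)   echo "INPUT $(input_verdict "$1" "$3")";;
    OUTPUT)  echo "OUTPUT $(output_verdict "$1")";;
    NONE)    echo "NONE ACCEPT";;        # router never sees it, so nothing to drop
  esac
}
verdict "$BLOCKED" 203.0.113.5   "$LAN" NEW   # FORWARD DROP  (internet blocked)
verdict "$BLOCKED" 192.168.10.10 "$LAN" NEW   # INPUT ACCEPT  (router services still reachable)
verdict "$BLOCKED" 192.168.10.50 "$LAN" NEW   # NONE ACCEPT   (LAN peer, switched, never filtered)
verdict 203.0.113.5 "$BLOCKED"   "$WAN" NEW   # FORWARD DROP  (unsolicited inbound)
```

The model also shows why the original section (6) rule could never match: a packet from 192.168.10.110 to the internet is classified FORWARD, so an OUTPUT rule with `-s 192.168.10.110` is never consulted for it.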
