I have a VyOS router and I want to block p2p traffic. Which ports must be blocked? I tried 6881-6999, but it didn't work. Thanks in advance for your help.
set firewall name "FIREWALL-IN"
set firewall name "FIREWALL-IN" default-action drop
set firewall name "FIREWALL-IN" rule 10 action accept
set firewall name "FIREWALL-IN" rule 10 state established enable
set firewall name "FIREWALL-IN" rule 10 state related enable
set firewall name "FIREWALL-IN" rule 100
set firewall name "FIREWALL-IN" rule 100 description "p2p - block 6881-6999"
set firewall name "FIREWALL-IN" rule 100 action drop
set firewall name "FIREWALL-IN" rule 100 protocol tcp_udp
set firewall name "FIREWALL-IN" rule 100 source port 6881-6999
set firewall name "FIREWALL-IN" rule 100 state established enable
set firewall name "FIREWALL-IN" rule 100 state related enable
Update 1
A
set firewall name "FIREWALL-IN" rule 100
set firewall name "FIREWALL-IN" rule 100 description "p2p - block 6881-6999"
set firewall name "FIREWALL-IN" rule 100 action drop
set firewall name "FIREWALL-IN" rule 100 protocol tcp_udp
set firewall name "FIREWALL-IN" rule 100 source port 6881-6999
B
set firewall name "FIREWALL-OUT" rule 100
set firewall name "FIREWALL-OUT" rule 100 description "p2p - block 6881-6999"
set firewall name "FIREWALL-OUT" rule 100 action drop
set firewall name "FIREWALL-OUT" rule 100 protocol tcp_udp
set firewall name "FIREWALL-OUT" rule 100 source port 6881-6999
Update 2
set firewall name "FIREWALL-IN"
set firewall name "FIREWALL-IN" default-action drop
set firewall name "FIREWALL-IN" rule 1 action accept
set firewall name "FIREWALL-IN" rule 1 state established enable
set firewall name "FIREWALL-IN" rule 1 state related enable
set firewall name "FIREWALL-IN" rule 10
set firewall name "FIREWALL-IN" rule 10 description "Allow http, https"
set firewall name "FIREWALL-IN" rule 10 action accept
set firewall name "FIREWALL-IN" rule 10 protocol tcp
set firewall name "FIREWALL-IN" rule 10 destination port 80,443
set firewall name "FIREWALL-IN" rule 10 state new enable
set firewall name "FIREWALL-IN" rule 10 state established enable
set firewall name "FIREWALL-IN" rule 10 state related enable
set firewall name "FIREWALL-IN" rule 15
set firewall name "FIREWALL-IN" rule 15 description "Allow dns"
set firewall name "FIREWALL-IN" rule 15 action accept
set firewall name "FIREWALL-IN" rule 15 protocol tcp_udp
set firewall name "FIREWALL-IN" rule 15 destination port 53
set firewall name "FIREWALL-IN" rule 15 state new enable
set firewall name "FIREWALL-IN" rule 15 state established enable
set firewall name "FIREWALL-IN" rule 15 state related enable
set firewall name "FIREWALL-IN" rule 20
set firewall name "FIREWALL-IN" rule 20 description "pop3,imap"
set firewall name "FIREWALL-IN" rule 20 action accept
set firewall name "FIREWALL-IN" rule 20 protocol tcp
set firewall name "FIREWALL-IN" rule 20 destination port 110,993,995
set firewall name "FIREWALL-IN" rule 20 state new enable
set firewall name "FIREWALL-IN" rule 20 state established enable
set firewall name "FIREWALL-IN" rule 20 state related enable
set firewall name "FIREWALL-IN" rule 30
set firewall name "FIREWALL-IN" rule 30 description "smtp"
set firewall name "FIREWALL-IN" rule 30 action accept
set firewall name "FIREWALL-IN" rule 30 protocol tcp
set firewall name "FIREWALL-IN" rule 30 destination port 25,587,465
set firewall name "FIREWALL-IN" rule 30 state new enable
set firewall name "FIREWALL-IN" rule 30 state established enable
set firewall name "FIREWALL-IN" rule 30 state related enable
set firewall name "FIREWALL-IN" rule 100 description "p2p - block 6881-6999"
set firewall name "FIREWALL-IN" rule 100 action drop
set firewall name "FIREWALL-IN" rule 100 protocol tcp_udp
set firewall name "FIREWALL-IN" rule 100 destination port 6881-6999
set firewall name "FIREWALL-IN" rule 100 state established enable
set firewall name "FIREWALL-IN" rule 100 state related enable
Answer 1
"I tried 6881-6999, but it doesn't work"
Can you explain why it doesn't work?
In general, you probably want to deny all outbound connections that are not explicitly authorised - in other words, whitelist connections rather than allowing everything with exceptions (i.e. a blacklist).
Also, you are only blocking inbound traffic, but you should be blocking outbound connections (via the FORWARD or OUTPUT chain, depending on your situation - I think FORWARD is the appropriate one, assuming I understand your setup (a LAN with your VyOS router protecting it)).
This is because P2P clients may be establishing connections themselves rather than just waiting for incoming ones - remember that P2P mostly uses UDP, which means in practice either end can establish the connection.
To be effective, you really need to make sure your egress rules are as simple as possible.
Basically:
- You probably have to allow HTTP and HTTPS, e.g. tcp/80 and tcp/443.
- You probably need to allow DNS out, e.g. udp/53 and tcp/53, to specifically designated servers (i.e. only allow DNS to the servers you agree clients should use).
- You may also need to allow some mail-related flows, e.g. submission (tcp/587) and SMTPS (tcp/465).
You have edited your output rules, but if it were me I would edit your forward rules to look like this:
-A FORWARD -m state --state ESTABLISHED -j ACCEPT
-A FORWARD -m tcp -p tcp -m state --state NEW -m multiport --dports 80,443,587 -j ACCEPT
-A FORWARD -m udp -p udp -m state --state NEW -d 8.8.8.8 --dport 53 -j ACCEPT
-A FORWARD -j DROP
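The same whitelist policy written in VyOS syntax, as an added example that is not part of the answer above. It mirrors the four iptables FORWARD rules (established replies, web and submission, DNS to one approved resolver, drop the rest) and applies them to traffic coming in from the LAN, which VyOS evaluates in the forward path for that interface. The ruleset name FORWARD-OUT and the LAN interface eth1 are assumptions; 8.8.8.8 is the resolver from the answer's rule. The `#` lines are annotations for the reader, not VyOS commands, and should be left out when pasting into configure mode.

```vyos
# Added example, not from the thread. Assumed names: FORWARD-OUT, eth1.
# Default drop: any port a P2P client chooses, 6881-6999 or otherwise, ends here.
set firewall name FORWARD-OUT default-action drop
set firewall name FORWARD-OUT enable-default-log
# Return traffic for connections that were already allowed
set firewall name FORWARD-OUT rule 1 action accept
set firewall name FORWARD-OUT rule 1 state established enable
set firewall name FORWARD-OUT rule 1 state related enable
# Web and mail submission (append 465 if SMTPS is needed)
set firewall name FORWARD-OUT rule 10 description "Allow http, https, submission"
set firewall name FORWARD-OUT rule 10 action accept
set firewall name FORWARD-OUT rule 10 protocol tcp
set firewall name FORWARD-OUT rule 10 destination port 80,443,587
set firewall name FORWARD-OUT rule 10 state new enable
# DNS only to the resolver clients are supposed to use
set firewall name FORWARD-OUT rule 20 description "Allow dns to approved resolver"
set firewall name FORWARD-OUT rule 20 action accept
set firewall name FORWARD-OUT rule 20 protocol tcp_udp
set firewall name FORWARD-OUT rule 20 destination address 8.8.8.8
set firewall name FORWARD-OUT rule 20 destination port 53
set firewall name FORWARD-OUT rule 20 state new enable
# Attach to the LAN-facing interface (assumed eth1): packets entering from the LAN
set interfaces ethernet eth1 firewall in name FORWARD-OUT
commit
save
```

Because the default action is drop and only new connections to the listed destinations are accepted, no port list for P2P is needed at all, and clients on the LAN can only reach resolvers you chose. The "state established" and "state related" matches live only in rule 1, so no later rule is shadowed by them the way rule 100 in the question's FIREWALL-IN set is. `show firewall name FORWARD-OUT` displays per-rule packet counters, and with enable-default-log every dropped new connection is recorded, which is how you confirm the policy is actually catching the traffic you expect.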