We all have those users who only need to reach a certain range of IPs on the network, while everyone else can access the internet, so......
# IF_EXTERNAL and IF_INTERNAL are expected to be set before this runs
# IP forward
echo "1" > /proc/sys/net/ipv4/ip_forward
# CleanUP: flush and delete all chains in the filter and nat tables
iptables -F
iptables -X
iptables -F -t nat
iptables -X -t nat
# Default policies: drop everything that is not explicitly allowed
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -m state --state ESTABLISHED,RELATED,NEW -j ACCEPT
# Note: this accepts NEW forwarded connections from every host, so it is matched before the restriction rules appended below
iptables -A FORWARD -m state --state ESTABLISHED,RELATED,NEW -j ACCEPT
# Masquerade (NAT) traffic leaving through the external interface
iptables -A POSTROUTING -t nat -o $IF_EXTERNAL -j MASQUERADE
# ALLOW ONLY ACCESS LIST TO 192.168.10.10 REST OF INTERNET IS BLOCKED
ALLOW_IP_RANGE="8.8.4.0/24 8.8.8.0/24 8.34.208.0/20 8.35.192.0/20 23.236.48.0/20"
# User-defined chain consulted for TCP traffic to the allowed ranges
iptables -N ALLOWEDIPS
for IPLIST in $ALLOW_IP_RANGE; do
iptables -I FORWARD -p tcp --destination $IPLIST -j ALLOWEDIPS
done
# Inside the chain only the restricted host is accepted; other sources return to FORWARD
iptables -I ALLOWEDIPS -s 192.168.10.10 -j ACCEPT
iptables -A FORWARD -s 192.168.10.10 -j REJECT
# Forward the rest of internet to every one else
iptables -A FORWARD -i $IF_INTERNAL -j ACCEPT
This doesn't work. I tried moving:
iptables -A FORWARD -s 192.168.10.10 -j REJECT
from the top to the bottom, but the IP can still reach the full internet.
Answer 1
This may not be a clean solution, but it will work.
All users except the restricted one get access to the internet.
# Define variables
USER_IP=172.16.0.101
ALLOW_IPS="1.2.3.4 2.3.4.5 3.4.5.6"
IF_EXTERNAL=vmbr0
# Clear previous allow-ip rules (tagged with the "userrestricted" comment) and the masquerade rule
iptables-save | grep -v "userrestricted\|MASQUERADE" | iptables-restore
# Generate masquerade rules for the restricted user (ip) to each allowed destination
for ALLOW_IP in $ALLOW_IPS
do
iptables -t nat -A POSTROUTING -s ${USER_IP} -d ${ALLOW_IP} -o ${IF_EXTERNAL} -j MASQUERADE -m comment --comment userrestricted
done
# Trick with SNAT: packets from the restricted user to any other destination get source 127.0.0.1 and are effectively invalidated
iptables -t nat -A POSTROUTING -s ${USER_IP} -o ${IF_EXTERNAL} -j SNAT --to 127.0.0.1 -m comment --comment userrestricted
# Put the common masquerade rule back
iptables -t nat -A POSTROUTING -o ${IF_EXTERNAL} -j MASQUERADE
It works for me; make sure the common masquerade rule comes after the restricted-user rules.
Please check it, and if this is not what you want I can correct the answer.
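The question's script and the answer above both reach for the nat table; the question fails because the FORWARD rule accepting NEW connections from everyone is hit before the per-host restriction, and the answer works around that with a SNAT trick. The following is an added example (not code from the question or the answer) that puts the restriction where it belongs, in the filter table's FORWARD chain, and emits a complete iptables-restore ruleset so the whole thing loads atomically in the right order. The interface names eth0/eth1, the restricted host and the allow-list in the demo call are assumptions.

```shell
#!/bin/sh
# Added example, not code from the question or the answer above.
# Builds an iptables-restore ruleset in which one internal host may only
# reach an allow-list of destinations while every other internal host gets
# full (masqueraded) internet access. The restriction lives in the filter
# table's FORWARD chain, which is evaluated before POSTROUTING NAT on the
# way out, so no SNAT trick is needed.
# Interface names, the restricted host and the allow-list used at the
# bottom are assumptions made for this demo.

gen_ruleset() {
    ext="$1"         # external (internet-facing) interface
    int="$2"         # internal (LAN) interface
    restricted="$3"  # the one host to restrict
    allowed="$4"     # space-separated destination networks it may reach

    # nat table: masquerade everything that leaves through $ext.
    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o $ext -j MASQUERADE
COMMIT
EOF

    # filter table. Order matters in FORWARD:
    #   1. replies and already-accepted flows pass (ESTABLISHED,RELATED only;
    #      no NEW here, otherwise the restriction below is never reached);
    #   2. NEW traffic from the restricted host is judged by RESTRICTED;
    #   3. NEW traffic from everyone else on the LAN is accepted.
    # INPUT only admits replies; add your own management rule (e.g. SSH)
    # before loading this on a remote box or you will lock yourself out.
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:RESTRICTED - [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i $int -s $restricted -j RESTRICTED
-A FORWARD -i $int -j ACCEPT
EOF

    # RESTRICTED: accept the allow-list, reject everything else with an
    # ICMP error so the client fails fast instead of waiting for a timeout.
    for net in $allowed; do
        printf '%s\n' "-A RESTRICTED -d $net -j ACCEPT"
    done
    cat <<EOF
-A RESTRICTED -j REJECT --reject-with icmp-admin-prohibited
COMMIT
EOF
}

# Demo invocation (assumed values). On the router, load it with:
#   gen_ruleset eth0 eth1 192.168.10.10 "..." | iptables-restore
gen_ruleset eth0 eth1 192.168.10.10 "8.8.4.0/24 8.8.8.0/24 8.34.208.0/20"
```

Before committing, `iptables-restore --test < ruleset` (iptables 1.6 and later) parses the file without applying it. After loading, `iptables -L FORWARD -n -v --line-numbers` should show the jump to RESTRICTED above the general LAN accept, and the packet counters on `iptables -L RESTRICTED -n -v` tell you whether the restricted host's connections are landing on an allow rule or on the final REJECT; from that host, a connection to an address outside the list should fail immediately with an ICMP unreachable rather than hang. Because the reject happens in the filter table, the conntrack entry for a refused connection is never confirmed, so the ESTABLISHED,RELATED rule cannot be used to sneak a blocked flow past the allow-list.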