I am trying to convert the script here from raw iptables to firewalld rich rules. For example, these rules:
# Mark packets from $VPNUSER
iptables -t mangle -A OUTPUT ! --dest $LAN_NETWORK -m owner --uid-owner $VPNUSER -j MARK --set-mark $MARK_ID -m comment --comment "${COMMENT}"
iptables -t mangle -A OUTPUT --dest $LAN_NETWORK -p udp --dport $DNS_PORT -m owner --uid-owner $VPNUSER -j MARK --set-mark $MARK_ID -m comment --comment "${COMMENT}"
iptables -t mangle -A OUTPUT --dest $LAN_NETWORK -p tcp --dport $DNS_PORT -m owner --uid-owner $VPNUSER -j MARK --set-mark $MARK_ID -m comment --comment "${COMMENT}"
iptables -t mangle -A OUTPUT ! --src $LAN_NETWORK -j MARK --set-mark $MARK_ID -m comment --comment "${COMMENT}"
# Allow responses
iptables -A INPUT -i $VPNIF -m conntrack --ctstate ESTABLISHED -j ACCEPT -m comment --comment "${COMMENT}"
# Allow bittorrent
iptables -A INPUT -i $VPNIF -p tcp --match multiport --dport $BITTORRENT_LISTEN_PORTS -j ACCEPT -m comment --comment "${COMMENT}"
iptables -A INPUT -i $VPNIF -p udp --match multiport --dport $BITTORRENT_LISTEN_PORTS -j ACCEPT -m comment --comment "${COMMENT}"
# Block everything incoming on $VPNIF
iptables -A INPUT -i $VPNIF -j REJECT -m comment --comment "${COMMENT}"
# Set DNS for $VPNUSER
iptables -t nat -A OUTPUT --dest $LAN_NETWORK -p udp --dport $DNS_PORT -m owner --uid-owner $VPNUSER -j DNAT --to-destination $DNS_IP1 -m comment --comment "${COMMENT}"
iptables -t nat -A OUTPUT --dest $LAN_NETWORK -p tcp --dport $DNS_PORT -m owner --uid-owner $VPNUSER -j DNAT --to-destination $DNS_IP1 -m comment --comment "${COMMENT}"
iptables -t nat -A OUTPUT --dest $LAN_NETWORK -p udp --dport $DNS_PORT -m owner --uid-owner $VPNUSER -j DNAT --to-destination $DNS_IP2 -m comment --comment "${COMMENT}"
iptables -t nat -A OUTPUT --dest $LAN_NETWORK -p tcp --dport $DNS_PORT -m owner --uid-owner $VPNUSER -j DNAT --to-destination $DNS_IP2 -m comment --comment "${COMMENT}"
# Let $VPNUSER access lo and $VPNIF
iptables -A OUTPUT -o lo -m owner --uid-owner $VPNUSER -j ACCEPT -m comment --comment "${COMMENT}"
iptables -A OUTPUT -o $VPNIF -m owner --uid-owner $VPNUSER -j ACCEPT -m comment --comment "${COMMENT}"
# All packets on $VPNIF need to be masqueraded
iptables -t nat -A POSTROUTING -o $VPNIF -j MASQUERADE -m comment --comment "${COMMENT}"
# Reject connections from predator ip going over $NETIF
iptables -A OUTPUT ! --src $LAN_NETWORK -o $NETIF -j REJECT -m comment --comment "${COMMENT}"
The firewalld.richlanguage man page does not mention --uid-owner or --ctstate. The documentation has one sentence about the "mark" action:
With mark all packets will be marked in the PREROUTING chain in the mangle table with the mark and mask combination.
The documentation for the "direct" interface says the whole interface has been superseded by policies. The firewalld policy documentation refers back to firewalld.richlanguage. That is why I am asking here.
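As an added example (not part of the question above, and not the poster's script): the rich language has no `owner`/uid or `ctstate` match, so the one firewalld-native place where rules like these can be kept verbatim is the deprecated "direct" interface, which takes raw iptables arguments as `firewall-cmd --permanent --direct --add-rule ipv4 <table> <chain> <priority> <args>`. The converter below rewrites each `iptables` line into that form. It assumes one rule per line, IPv4 only, no quoted arguments containing spaces (so `--comment` gets a single-word value), and a flat priority of 0 so the rules keep the order they appear in; the sample variable values are constructed for the demonstration.

```sh
#!/bin/sh
# Added example: rewrite raw iptables invocations into firewalld "direct" rules.
# Rich rules cannot express -m owner or -m conntrack, so the direct interface
# (deprecated in firewalld.direct(5) but still accepted) is where such rules go.
# Assumptions: one rule per line, no quoted args with spaces, IPv4 only,
# priority 0 for every rule so original ordering is preserved.

# Convert one "iptables ..." line into the equivalent firewall-cmd direct rule.
# The table defaults to "filter" when -t is absent, exactly as iptables does.
ipt_to_direct() (
    set -f                 # no pathname expansion while the line is split
    # shellcheck disable=SC2086
    set -- $1
    [ "$1" = "iptables" ] || exit 1
    shift
    table=filter
    chain=
    rest=
    while [ $# -gt 0 ]; do
        case $1 in
            -t) table=$2; shift 2 ;;
            -A) chain=$2; shift 2 ;;
            *)  rest="$rest${rest:+ }$1"; shift ;;
        esac
    done
    [ -n "$chain" ] || exit 1
    printf 'firewall-cmd --permanent --direct --add-rule ipv4 %s %s 0 %s\n' \
        "$table" "$chain" "$rest"
)

# Convert a whole script read from stdin, skipping blank lines and comments.
convert_script() {
    while IFS= read -r line; do
        case $line in
            ''|'#'*) continue ;;
        esac
        ipt_to_direct "$line"
    done
}

# Constructed sample values standing in for the poster's variables.
VPNUSER=vpn
VPNIF=tun0
LAN_NETWORK=192.168.1.0/24
MARK_ID=0x1
COMMENT=vpnuser

convert_script <<EOF
# Mark packets from $VPNUSER
iptables -t mangle -A OUTPUT ! --dest $LAN_NETWORK -m owner --uid-owner $VPNUSER -j MARK --set-mark $MARK_ID -m comment --comment $COMMENT
# Allow responses
iptables -A INPUT -i $VPNIF -m conntrack --ctstate ESTABLISHED -j ACCEPT -m comment --comment $COMMENT
# Block everything else incoming on $VPNIF
iptables -A INPUT -i $VPNIF -j REJECT -m comment --comment $COMMENT
EOF
# After running the printed commands, apply them with: firewall-cmd --reload
```

Direct rules are evaluated in firewalld's own chains ahead of the zone and policy rules, and firewalld orders them by the priority argument first, so keeping one priority for the whole set is what preserves the script's original top-to-bottom semantics (for instance, the ESTABLISHED accept must stay before the REJECT). The ordering of the `-t`/`-A` options relative to the match arguments does not matter to the converter, but a `--comment` value with spaces would be split into separate words, which is why the example uses a single-word comment.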