How do I convert these iptables user-marking rules to firewalld rich language?


I am trying to convert the script here from raw iptables to firewalld rich rules. For example, these rules:

# Mark packets from $VPNUSER
iptables -t mangle -A OUTPUT ! --dest $LAN_NETWORK  -m owner --uid-owner $VPNUSER -j MARK --set-mark $MARK_ID -m comment --comment "${COMMENT}"
iptables -t mangle -A OUTPUT --dest $LAN_NETWORK -p udp --dport $DNS_PORT -m owner --uid-owner $VPNUSER -j MARK --set-mark $MARK_ID -m comment --comment "${COMMENT}"
iptables -t mangle -A OUTPUT --dest $LAN_NETWORK -p tcp --dport $DNS_PORT -m owner --uid-owner $VPNUSER -j MARK --set-mark $MARK_ID -m comment --comment "${COMMENT}"
iptables -t mangle -A OUTPUT ! --src $LAN_NETWORK -j MARK --set-mark $MARK_ID -m comment --comment "${COMMENT}"

# Allow responses
iptables -A INPUT -i $VPNIF -m conntrack --ctstate ESTABLISHED -j ACCEPT -m comment --comment "${COMMENT}"

# Allow bittorrent
iptables -A INPUT -i $VPNIF -p tcp --match multiport --dport $BITTORRENT_LISTEN_PORTS -j ACCEPT -m comment --comment "${COMMENT}"
iptables -A INPUT -i $VPNIF -p udp --match multiport --dport $BITTORRENT_LISTEN_PORTS -j ACCEPT -m comment --comment "${COMMENT}"

# Block everything incoming on $VPNIF
iptables -A INPUT -i $VPNIF -j REJECT -m comment --comment "${COMMENT}"

# Set DNS for $VPNUSER
iptables -t nat -A OUTPUT --dest $LAN_NETWORK -p udp --dport $DNS_PORT -m owner --uid-owner $VPNUSER -j DNAT --to-destination $DNS_IP1 -m comment --comment "${COMMENT}"
iptables -t nat -A OUTPUT --dest $LAN_NETWORK -p tcp --dport $DNS_PORT -m owner --uid-owner $VPNUSER -j DNAT --to-destination $DNS_IP1 -m comment --comment "${COMMENT}"
iptables -t nat -A OUTPUT --dest $LAN_NETWORK -p udp --dport $DNS_PORT -m owner --uid-owner $VPNUSER -j DNAT --to-destination $DNS_IP2 -m comment --comment "${COMMENT}"
iptables -t nat -A OUTPUT --dest $LAN_NETWORK -p tcp --dport $DNS_PORT -m owner --uid-owner $VPNUSER -j DNAT --to-destination $DNS_IP2 -m comment --comment "${COMMENT}"

# Let $VPNUSER access lo and $VPNIF
iptables -A OUTPUT -o lo -m owner --uid-owner $VPNUSER -j ACCEPT -m comment --comment "${COMMENT}"
iptables -A OUTPUT -o $VPNIF -m owner --uid-owner $VPNUSER -j ACCEPT -m comment --comment "${COMMENT}"

# All packets on $VPNIF need to be masqueraded
iptables -t nat -A POSTROUTING -o $VPNIF -j MASQUERADE -m comment --comment "${COMMENT}"

# Reject connections from predator ip going over $NETIF
iptables -A OUTPUT ! --src $LAN_NETWORK -o $NETIF -j REJECT -m comment --comment "${COMMENT}"

The firewalld.richlanguage man page does not mention --uid-owner or --ctstate. The documentation has one sentence about the "mark" action:

With mark all packets will be marked in the PREROUTING chain in the mangle table with the mark and mask combination.

The documentation for the "direct" interface says the whole interface has been superseded by policies. The firewalld policies documentation refers to firewalld.richlanguage. That is why I am asking here.
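The interface-scoped part of the ruleset (the INPUT rules and the MASQUERADE rule) needs no rich rules at all: it maps onto a firewalld zone bound to the VPN interface, while the per-user mangle and nat rules (-m owner --uid-owner) have no counterpart in the rich language, which matches only on addresses, ports, protocols and services. The zone file below is an added example, not part of the original question; tun0 and the 6881-6889 range are assumed stand-ins for $VPNIF and $BITTORRENT_LISTEN_PORTS.

```xml
<?xml version="1.0" encoding="utf-8"?>
<!-- Constructed example: /etc/firewalld/zones/vpn.xml -->
<!-- target=%%REJECT%% plays the role of "iptables -A INPUT -i $VPNIF -j REJECT" -->
<zone target="%%REJECT%%">
  <short>vpn</short>
  <description>Inbound policy for the VPN tunnel. Only the BitTorrent listen
    ports are open; everything else arriving on the interface is rejected.
    Replies to established connections are accepted by firewalld's own
    conntrack rules, so the explicit ESTABLISHED rule is not needed.</description>

  <!-- Assumed interface name standing in for $VPNIF -->
  <interface name="tun0"/>

  <!-- "iptables -A INPUT -i $VPNIF -p tcp/udp -m multiport --dport $BITTORRENT_LISTEN_PORTS -j ACCEPT";
       6881-6889 is an assumed value for $BITTORRENT_LISTEN_PORTS -->
  <port port="6881-6889" protocol="tcp"/>
  <port port="6881-6889" protocol="udp"/>

  <!-- "iptables -t nat -A POSTROUTING -o $VPNIF -j MASQUERADE" -->
  <masquerade/>
</zone>
```

After placing the file under /etc/firewalld/zones/, `firewall-cmd --reload` activates it; `firewall-cmd --zone=vpn --list-all` shows the resulting zone.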
