Does anyone know how to permanently disable IP forwarding on Ubuntu 18? I don't want any device connected through the Ubuntu hotspot to be able to reach any remote subnet, not even the internet.
I manually edited /etc/sysctl.conf as follows: net.ipv4.ip_forward = 0, then reloaded the network manager, so that I get
$ sysctl net.ipv4.ip_forward
net.ipv4.ip_forward = 0
After that, I tested the configuration. I created a WiFi hotspot and got the following:
$ sysctl net.ipv4.ip_forward
net.ipv4.ip_forward = 1
and
$cat /proc/sys/net/ipv4/ip_forward
1
This is not what I want. So how do I permanently disable IP forwarding?
iptables doesn't work either.
I can do:
iptables -P FORWARD DROP
root@lnx:/home# iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
//****
Chain FORWARD (policy DROP)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
root@lnx:/home#
but I cannot save the configuration. After a reboot, I get this:
Chain FORWARD (policy DROP)
target prot opt source destination
ACCEPT all -- anywhere 10.42.0.0/24 state RELATED,ESTABLISHED
ACCEPT all -- 10.42.0.0/24 anywhere
ACCEPT all -- anywhere anywhere
REJECT all -- anywhere anywhere reject-with icmp-port-unreachable
REJECT all -- anywhere anywhere reject-with icmp-port-unreachable
I tried saving the configuration:
root@lnx:/home/# !84
apt install dkms
Reading package lists... Done
Building dependency tree
Reading state information... Done
dkms is already the newest version (2.3-3ubuntu9.4).
0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.
root@lnx:/home/# service iptables-persistent start
Failed to start iptables-persistent.service: Unit iptables-persistent.service not found.
root@lnx:/home/#
Or:
root@lnx:/home/# !218
netfilter-persistent save
run-parts: executing /usr/share/netfilter-persistent/plugins.d/15-ip4tables save
run-parts: executing /usr/share/netfilter-persistent/plugins.d/25-ip6tables save
root@lnx:/home/#
And:
iptables-save > /etc/network/iptables.rules
iptables-save > /etc/iptables/rules.v4
iptables-save > /etc/iptables/rules.v6
root@lnx:/home/# cat /etc/network/iptables.rules
# Generated by iptables-save v1.6.1 on Wed Jul 31 12:45:55 2019
*filter
:INPUT ACCEPT [841:192269]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [246:48142]
-A INPUT -i wlan0 -p udp -m udp --dport 67 -j ACCEPT
-A INPUT -i wlan0 -p tcp -m tcp --dport 67 -j ACCEPT
-A INPUT -i wlan0 -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -i wlan0 -p tcp -m tcp --dport 53 -j ACCEPT
-A INPUT -i wlan0 -p udp -m udp --dport 67 -j ACCEPT
-A INPUT -i wlan0 -p tcp -m tcp --dport 67 -j ACCEPT
-A INPUT -i wlan0 -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -i wlan0 -p tcp -m tcp --dport 53 -j ACCEPT
-A INPUT -i wlan0 -p udp -m udp --dport 67 -j ACCEPT
-A INPUT -i wlan0 -p tcp -m tcp --dport 67 -j ACCEPT
-A INPUT -i wlan0 -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -i wlan0 -p tcp -m tcp --dport 53 -j ACCEPT
-A INPUT -i wlan0 -p udp -m udp --dport 67 -j ACCEPT
-A INPUT -i wlan0 -p tcp -m tcp --dport 67 -j ACCEPT
-A INPUT -i wlan0 -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -i wlan0 -p tcp -m tcp --dport 53 -j ACCEPT
-A INPUT -i wlan0 -p udp -m udp --dport 67 -j ACCEPT
-A INPUT -i wlan0 -p tcp -m tcp --dport 67 -j ACCEPT
-A INPUT -i wlan0 -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -i wlan0 -p tcp -m tcp --dport 53 -j ACCEPT
COMMIT
# Completed on Wed Jul 31 12:45:55 2019
# Generated by iptables-save v1.6.1 on Wed Jul 31 12:45:55 2019
*nat
:PREROUTING ACCEPT [191:20296]
:INPUT ACCEPT [171:19282]
:OUTPUT ACCEPT [1081:87886]
:POSTROUTING ACCEPT [1073:87291]
-A POSTROUTING -s 10.42.0.0/24 ! -d 10.42.0.0/24 -j MASQUERADE
-A POSTROUTING -s 10.42.0.0/24 ! -d 10.42.0.0/24 -j MASQUERADE
-A POSTROUTING -s 10.42.0.0/24 ! -d 10.42.0.0/24 -j MASQUERADE
-A POSTROUTING -s 10.42.0.0/24 ! -d 10.42.0.0/24 -j MASQUERADE
-A POSTROUTING -s 10.42.0.0/24 ! -d 10.42.0.0/24 -j MASQUERADE
COMMIT
# Completed on Wed Jul 31 12:45:55 2019
root@lnx:/home/# cat /etc/iptables/rules.v4
# Generated by iptables-save v1.6.1 on Wed Jul 31 12:46:02 2019
*filter
:INPUT ACCEPT [849:194382]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [246:48142]
-A INPUT -i wlan0 -p udp -m udp --dport 67 -j ACCEPT
-A INPUT -i wlan0 -p tcp -m tcp --dport 67 -j ACCEPT
-A INPUT -i wlan0 -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -i wlan0 -p tcp -m tcp --dport 53 -j ACCEPT
-A INPUT -i wlan0 -p udp -m udp --dport 67 -j ACCEPT
-A INPUT -i wlan0 -p tcp -m tcp --dport 67 -j ACCEPT
-A INPUT -i wlan0 -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -i wlan0 -p tcp -m tcp --dport 53 -j ACCEPT
-A INPUT -i wlan0 -p udp -m udp --dport 67 -j ACCEPT
-A INPUT -i wlan0 -p tcp -m tcp --dport 67 -j ACCEPT
-A INPUT -i wlan0 -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -i wlan0 -p tcp -m tcp --dport 53 -j ACCEPT
-A INPUT -i wlan0 -p udp -m udp --dport 67 -j ACCEPT
-A INPUT -i wlan0 -p tcp -m tcp --dport 67 -j ACCEPT
-A INPUT -i wlan0 -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -i wlan0 -p tcp -m tcp --dport 53 -j ACCEPT
-A INPUT -i wlan0 -p udp -m udp --dport 67 -j ACCEPT
-A INPUT -i wlan0 -p tcp -m tcp --dport 67 -j ACCEPT
-A INPUT -i wlan0 -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -i wlan0 -p tcp -m tcp --dport 53 -j ACCEPT
COMMIT
# Completed on Wed Jul 31 12:46:02 2019
# Generated by iptables-save v1.6.1 on Wed Jul 31 12:46:02 2019
*nat
:PREROUTING ACCEPT [192:20372]
:INPUT ACCEPT [172:19358]
:OUTPUT ACCEPT [1081:87886]
:POSTROUTING ACCEPT [1073:87291]
-A POSTROUTING -s 10.42.0.0/24 ! -d 10.42.0.0/24 -j MASQUERADE
-A POSTROUTING -s 10.42.0.0/24 ! -d 10.42.0.0/24 -j MASQUERADE
-A POSTROUTING -s 10.42.0.0/24 ! -d 10.42.0.0/24 -j MASQUERADE
-A POSTROUTING -s 10.42.0.0/24 ! -d 10.42.0.0/24 -j MASQUERADE
-A POSTROUTING -s 10.42.0.0/24 ! -d 10.42.0.0/24 -j MASQUERADE
COMMIT
# Completed on Wed Jul 31 12:46:02 2019
root@lnx:/home/# cat /etc/iptables/rules.v6
# Generated by iptables-save v1.6.1 on Wed Jul 31 12:46:05 2019
*filter
:INPUT ACCEPT [852:195255]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [246:48142]
-A INPUT -i wlan0 -p udp -m udp --dport 67 -j ACCEPT
-A INPUT -i wlan0 -p tcp -m tcp --dport 67 -j ACCEPT
-A INPUT -i wlan0 -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -i wlan0 -p tcp -m tcp --dport 53 -j ACCEPT
-A INPUT -i wlan0 -p udp -m udp --dport 67 -j ACCEPT
-A INPUT -i wlan0 -p tcp -m tcp --dport 67 -j ACCEPT
-A INPUT -i wlan0 -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -i wlan0 -p tcp -m tcp --dport 53 -j ACCEPT
-A INPUT -i wlan0 -p udp -m udp --dport 67 -j ACCEPT
-A INPUT -i wlan0 -p tcp -m tcp --dport 67 -j ACCEPT
-A INPUT -i wlan0 -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -i wlan0 -p tcp -m tcp --dport 53 -j ACCEPT
-A INPUT -i wlan0 -p udp -m udp --dport 67 -j ACCEPT
-A INPUT -i wlan0 -p tcp -m tcp --dport 67 -j ACCEPT
-A INPUT -i wlan0 -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -i wlan0 -p tcp -m tcp --dport 53 -j ACCEPT
-A INPUT -i wlan0 -p udp -m udp --dport 67 -j ACCEPT
-A INPUT -i wlan0 -p tcp -m tcp --dport 67 -j ACCEPT
-A INPUT -i wlan0 -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -i wlan0 -p tcp -m tcp --dport 53 -j ACCEPT
COMMIT
# Completed on Wed Jul 31 12:46:05 2019
# Generated by iptables-save v1.6.1 on Wed Jul 31 12:46:05 2019
*nat
:PREROUTING ACCEPT [192:20372]
:INPUT ACCEPT [172:19358]
:OUTPUT ACCEPT [1081:87886]
:POSTROUTING ACCEPT [1073:87291]
-A POSTROUTING -s 10.42.0.0/24 ! -d 10.42.0.0/24 -j MASQUERADE
-A POSTROUTING -s 10.42.0.0/24 ! -d 10.42.0.0/24 -j MASQUERADE
-A POSTROUTING -s 10.42.0.0/24 ! -d 10.42.0.0/24 -j MASQUERADE
-A POSTROUTING -s 10.42.0.0/24 ! -d 10.42.0.0/24 -j MASQUERADE
-A POSTROUTING -s 10.42.0.0/24 ! -d 10.42.0.0/24 -j MASQUERADE
COMMIT
# Completed on Wed Jul 31 12:46:05 2019
Also:
lug 31 13:01:30 lnx systemd[1]: Starting netfilter persistent configuration...
lug 31 13:01:30 lnx netfilter-persistent[4071]: run-parts: executing /usr/share/netfilter-persistent/plugins.d/15-
lug 31 13:01:30 lnx netfilter-persistent[4071]: run-parts: executing /usr/share/netfilter-persistent/plugins.d/25-
lug 31 13:01:30 lnx systemd[1]: netfilter-persistent.service: Failed with result 'exit-code'.
lug 31 13:01:30 lnx systemd[1]: Failed to start netfilter persistent configuration.
**UPDATE:** I fixed the netfilter persistent configuration by purging and reinstalling the netfilter-persistent package. But that did not change anything. After a reboot, my iptables are reset.
Answer 1
It seems that creating the hotspot somehow re-enables IP forwarding. Not sure whether there is a way to change this behavior, but as a workaround you can add an iptables rule in the FORWARD chain to drop all traffic coming from the clients connected to the hotspot.
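As an added example (not from the question or the answer above), a shell check that audits an iptables-save dump of the FORWARD chain the way the answer's workaround requires: it verifies that the first rule able to match traffic from the hotspot subnet 10.42.0.0/24 is a DROP or REJECT, instead of trusting the chain policy. The rule dumps inside are constructed to mirror the post-reboot listing in the question.

```shell
# Added example (not from the original post): audit an iptables-save dump and
# report whether forwarded traffic from the hotspot subnet is really blocked.
# As the question shows, "policy DROP" alone is not enough once ACCEPT rules
# for the subnet are inserted above the REJECTs. The dumps are constructed.

HOTSPOT_NET="10.42.0.0/24"   # subnet from the question

# forward_blocked DUMP: walk FORWARD in order and stop at the first rule that can
# match traffic *from* the hotspot subnet. Returns 0 (blocked) if it is a
# DROP/REJECT, or if nothing matches and the chain policy is DROP; else 1.
# Handles "! -s"/"! -d" negation; rules for traffic *to* the subnet (the
# RELATED,ESTABLISHED return rule) are skipped.
forward_blocked() {
    printf '%s\n' "$1" | awk -v net="$HOTSPOT_NET" '
        /^:FORWARD / { policy = $2 }
        /^-A FORWARD / {
            smatch = 1; dmatch = 1; tgt = ""
            for (i = 1; i <= NF; i++) {
                neg = (i > 1 && $(i-1) == "!")
                if ($i == "-s") smatch = (($(i+1) == net) != neg)
                if ($i == "-d") dmatch = (($(i+1) != net) != neg)
                if ($i == "-j") tgt = $(i+1)
            }
            if (smatch && dmatch) {
                if (tgt == "DROP" || tgt == "REJECT") { verdict = "blocked"; exit }
                if (tgt == "ACCEPT")                   { verdict = "allowed"; exit }
            }
        }
        END {
            if (verdict == "") verdict = (policy == "DROP") ? "blocked" : "allowed"
            exit (verdict == "blocked") ? 0 : 1
        }'
}

# Constructed from the post-reboot listing in the question (iptables-save form).
NM_RULES='-A FORWARD -d 10.42.0.0/24 -o wlan0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s 10.42.0.0/24 -i wlan0 -j ACCEPT
-A FORWARD -i wlan0 -o wlan0 -j ACCEPT
-A FORWARD -o wlan0 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -i wlan0 -j REJECT --reject-with icmp-port-unreachable'
AFTER_REBOOT="*filter
:FORWARD DROP [0:0]
$NM_RULES
COMMIT"
# Same chain with the answer's workaround (an explicit DROP for the subnet) on top.
WITH_WORKAROUND="*filter
:FORWARD DROP [0:0]
-A FORWARD -s $HOTSPOT_NET -j DROP
$NM_RULES
COMMIT"
```

Run it against the live `iptables-save` output after the hotspot has been brought up, since that is the point at which the question shows the chain being rewritten.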