I have an Ubuntu box to which DHCP assigns a static IP address (based on its MAC address), 192.168.2.12; the local gateway is 192.168.2.1. I want to block Internet traffic to and from it, but I want local LAN traffic to still be able to reach the Ubuntu box (internal only). How do I do this with iptables in an AdvancedTomato router script?
I tried the following command/syntax:
######## block all internet to ip address but give access to LAN
iptables -I FORWARD -s 192.168.2.12 -j REJECT
####### Restarts the firewall to update iptables without reboot of router
service firewall restart
But it seems some traffic still leaks out to the Internet:
$ ping att.com
PING att.com (144.160.36.42) 56(84) bytes of data.
From unknown (192.168.2.1) icmp_seq=1 Destination Port Unreachable
From unknown (192.168.2.1) icmp_seq=2 Destination Port Unreachable
From unknown (192.168.2.1) icmp_seq=3 Destination Port Unreachable
From unknown (192.168.2.1) icmp_seq=4 Destination Port Unreachable
64 bytes from att.com (144.160.36.42): icmp_seq=5 ttl=241 time=87.5 ms
From unknown (192.168.2.1) icmp_seq=6 Destination Port Unreachable
64 bytes from att.com (144.160.36.42): icmp_seq=7 ttl=241 time=64.8 ms
From unknown (192.168.2.1) icmp_seq=8 Destination Port Unreachable
64 bytes from att.com (144.160.36.42): icmp_seq=9 ttl=241 time=93.3 ms
Am I using the correct command/syntax to block Internet access for the DHCP-assigned static IP while still allowing internal LAN network access to the device?
Answer 1
I know iptables is a bit annoying the first time you use it, but once you understand what chains are it is really easy to use. You should read some tutorials on how to use iptables. In the meantime, you can use this small iptables.sh script, which should be self-explanatory.
#!/bin/bash
# set default chain policy to ACCEPT everything
/sbin/iptables --policy INPUT ACCEPT
/sbin/iptables --policy FORWARD ACCEPT
/sbin/iptables --policy OUTPUT ACCEPT
# accept all INPUT and OUTPUT from and to the loopback-interface
/sbin/iptables --insert INPUT --in-interface lo --jump ACCEPT
/sbin/iptables --insert OUTPUT --out-interface lo --jump ACCEPT
# rules for chain INPUT
# reject all INPUT which is not from network 192.168.2.0 with subnet mask 255.255.255.0
# (negation goes before the option: "! --source", not "--source !...")
/sbin/iptables --append INPUT ! --source 192.168.2.0/24 --jump REJECT
# rules for chain FORWARD
# reject all FORWARD which is not from network 192.168.2.0 with subnet mask 255.255.255.0
/sbin/iptables --append FORWARD ! --source 192.168.2.0/24 --jump REJECT
# reject all FORWARD which does not go to network 192.168.2.0 with subnet mask 255.255.255.0
/sbin/iptables --append FORWARD ! --destination 192.168.2.0/24 --jump REJECT
# rules for chain OUTPUT
# reject all OUTPUT which does not go to network 192.168.2.0 with subnet mask 255.255.255.0
/sbin/iptables --append OUTPUT ! --destination 192.168.2.0/24 --jump REJECT
PS: I haven't tested the script, but it should work.
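An added example (not the answerer's script) that takes the same LAN-only goal but inverts the model to default-deny with explicit allows, and emits it in iptables-restore format so the whole ruleset is loaded atomically on the Ubuntu box. It assumes the LAN is 192.168.2.0/24 as in the question, IPv4 only (ip6tables would need its own ruleset), and that the DHCP server sits on that LAN.

```shell
#!/bin/sh
# Generate a default-deny, LAN-only iptables ruleset for the host itself.
# Usage:  lan_only_rules 192.168.2.0/24 > /tmp/lan-only.rules
#         iptables-restore < /tmp/lan-only.rules
# IPv4 only: an equivalent ip6tables ruleset is needed if IPv6 is enabled.

# Sanity-check that $1 looks like an IPv4 network in CIDR form (a.b.c.d/n, n <= 32).
is_ipv4_cidr() {
    case "$1" in
        [0-9]*.[0-9]*.[0-9]*.[0-9]*/[0-9]*) ;;
        *) return 1 ;;
    esac
    prefix=${1##*/}
    [ "$prefix" -le 32 ] 2>/dev/null
}

# Print an iptables-restore ruleset confining this host to the LAN given in $1.
lan_only_rules() {
    lan=$1
    is_ipv4_cidr "$lan" || { echo "invalid CIDR: $lan" >&2; return 1; }
    cat <<EOF
*filter
# default-deny on every chain; this host does not route, so FORWARD stays empty
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
# loopback is always allowed
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
# LAN peers may reach the host, and the host may reach LAN peers
-A INPUT -s $lan -j ACCEPT
-A OUTPUT -d $lan -j ACCEPT
# DHCP discover/renew is broadcast, so it does not match the LAN destination rule
-A OUTPUT -d 255.255.255.255 -p udp --dport 67 -j ACCEPT
# everything else leaving the host gets an immediate error instead of a timeout
-A OUTPUT -j REJECT --reject-with icmp-admin-prohibited
COMMIT
EOF
}
```

Packets that never matched a rule are dropped by the chain policies, so no negated `--source`/`--destination` match is needed and the negation-syntax pitfall is avoided entirely.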