Linux

How do I block devices connected to a specific wireless interface from accessing the Internet?

  • October 10, 2021

I have configured two wireless interfaces on my OpenWRT WiFi router: `wlan0` and `wlan0-1`. My WAN Ethernet interface is `eth0.2`.

How can I prevent devices connected to `wlan0-1` from accessing the Internet, e.g. using `iptables`?

My situation is that I have some devices (air purifiers) that are reachable over WiFi for monitoring and control, but they also upload data to a cloud server, which I want to block.

br-lan    Link encap:Ethernet  HWaddr 70:4F:57:00:51:AE
         inet addr:192.168.1.254  Bcast:192.168.1.255  Mask:255.255.255.0
         inet6 addr: fd76:9521:f357::1/60 Scope:Global
         inet6 addr: fe80::724f:57ff:fe00:51ae/64 Scope:Link
         UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
         RX packets:380362 errors:0 dropped:9 overruns:0 frame:0
         TX packets:1678139 errors:0 dropped:0 overruns:0 carrier:0
         collisions:0 txqueuelen:1000
         RX bytes:128540610 (122.5 MiB)  TX bytes:1235755098 (1.1 GiB)

br-wan    Link encap:Ethernet  HWaddr 70:4F:57:00:51:AF
         inet addr:192.168.178.20  Bcast:192.168.178.255  Mask:255.255.255.0
         inet6 addr: fe80::724f:57ff:fe00:51af/64 Scope:Link
         UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
         RX packets:1684381 errors:0 dropped:10354 overruns:0 frame:0
         TX packets:369066 errors:0 dropped:0 overruns:0 carrier:0
         collisions:0 txqueuelen:1000
         RX bytes:1209960142 (1.1 GiB)  TX bytes:132041857 (125.9 MiB)

eth0      Link encap:Ethernet  HWaddr 70:4F:57:00:51:AE
         inet6 addr: fe80::724f:57ff:fe00:51ae/64 Scope:Link
         UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
         RX packets:1809158 errors:0 dropped:16 overruns:0 frame:0
         TX packets:1611603 errors:1 dropped:0 overruns:0 carrier:0
         collisions:0 txqueuelen:1000
         RX bytes:1276777715 (1.1 GiB)  TX bytes:1193854987 (1.1 GiB)
         Interrupt:5

eth0.1    Link encap:Ethernet  HWaddr 70:4F:57:00:51:AE
         UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
         RX packets:106729 errors:0 dropped:0 overruns:0 frame:0
         TX packets:1218251 errors:0 dropped:0 overruns:0 carrier:0
         collisions:0 txqueuelen:1000
         RX bytes:33390921 (31.8 MiB)  TX bytes:1054045465 (1005.2 MiB)

eth0.2    Link encap:Ethernet  HWaddr 70:4F:57:00:51:AF
         UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
         RX packets:1689922 errors:0 dropped:349 overruns:0 frame:0
         TX packets:393339 errors:0 dropped:0 overruns:0 carrier:0
         collisions:0 txqueuelen:1000
         RX bytes:1210230806 (1.1 GiB)  TX bytes:133360867 (127.1 MiB)

lo        Link encap:Local Loopback
         inet addr:127.0.0.1  Mask:255.0.0.0
         inet6 addr: ::1/128 Scope:Host
         UP LOOPBACK RUNNING  MTU:65536  Metric:1
         RX packets:642 errors:0 dropped:0 overruns:0 frame:0
         TX packets:642 errors:0 dropped:0 overruns:0 carrier:0
         collisions:0 txqueuelen:1000
         RX bytes:56074 (54.7 KiB)  TX bytes:56074 (54.7 KiB)

wlan0     Link encap:Ethernet  HWaddr 70:4F:57:00:51:AC
         inet6 addr: fe80::724f:57ff:fe00:51ac/64 Scope:Link
         UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
         RX packets:293895 errors:0 dropped:0 overruns:0 frame:0
         TX packets:383702 errors:0 dropped:0 overruns:0 carrier:0
         collisions:0 txqueuelen:1000
         RX bytes:99486914 (94.8 MiB)  TX bytes:194289752 (185.2 MiB)

wlan0-1   Link encap:Ethernet  HWaddr 72:4F:57:00:51:AC
         inet6 addr: fe80::704f:57ff:fe00:51ac/64 Scope:Link
         UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
         RX packets:15014 errors:0 dropped:0 overruns:0 frame:0
         TX packets:12335 errors:0 dropped:0 overruns:0 carrier:0
         collisions:0 txqueuelen:1000
         RX bytes:1962975 (1.8 MiB)  TX bytes:2056310 (1.9 MiB)

So far I have only managed to block traffic from individual IP addresses, which is clumsy:

$ iptables -A forwarding_rule --source 192.168.1.110  --jump reject

Using the input and output interfaces, either `br-wan` or `eth0.2`, does not work:

$ iptables -A forwarding_rule -i wlan0-1 -o br-wan --jump reject

**Edit:** adding the output of `iptables-save`

# Generated by iptables-save v1.8.3 on Thu Oct  7 21:18:59 2021
*nat
:PREROUTING ACCEPT [29740:1906622]
:INPUT ACCEPT [1917:191180]
:OUTPUT ACCEPT [9468:913173]
:POSTROUTING ACCEPT [0:0]
:postrouting_lan_rule - [0:0]
:postrouting_rule - [0:0]
:postrouting_wan_rule - [0:0]
:prerouting_lan_rule - [0:0]
:prerouting_rule - [0:0]
:prerouting_wan_rule - [0:0]
:zone_lan_postrouting - [0:0]
:zone_lan_prerouting - [0:0]
:zone_wan_postrouting - [0:0]
:zone_wan_prerouting - [0:0]
-A PREROUTING -m comment --comment "!fw3: Custom prerouting rule chain" -j prerouting_rule
-A PREROUTING -i br-lan -m comment --comment "!fw3" -j zone_lan_prerouting
-A PREROUTING -i br-wan -m comment --comment "!fw3" -j zone_wan_prerouting
-A PREROUTING -i eth0.2 -m comment --comment "!fw3" -j zone_wan_prerouting
-A POSTROUTING -m comment --comment "!fw3: Custom postrouting rule chain" -j postrouting_rule
-A POSTROUTING -o br-lan -m comment --comment "!fw3" -j zone_lan_postrouting
-A POSTROUTING -o br-wan -m comment --comment "!fw3" -j zone_wan_postrouting
-A POSTROUTING -o eth0.2 -m comment --comment "!fw3" -j zone_wan_postrouting
-A zone_lan_postrouting -m comment --comment "!fw3: Custom lan postrouting rule chain" -j postrouting_lan_rule
-A zone_lan_postrouting -m comment --comment "!fw3" -j MASQUERADE
-A zone_lan_prerouting -m comment --comment "!fw3: Custom lan prerouting rule chain" -j prerouting_lan_rule
-A zone_wan_postrouting -m comment --comment "!fw3: Custom wan postrouting rule chain" -j postrouting_wan_rule
-A zone_wan_postrouting -m comment --comment "!fw3" -j MASQUERADE
-A zone_wan_prerouting -m comment --comment "!fw3: Custom wan prerouting rule chain" -j prerouting_wan_rule
COMMIT
# Completed on Thu Oct  7 21:18:59 2021
# Generated by iptables-save v1.8.3 on Thu Oct  7 21:18:59 2021
*mangle
:PREROUTING ACCEPT [408155:279582022]
:INPUT ACCEPT [31411:6614761]
:FORWARD ACCEPT [376252:272911158]
:OUTPUT ACCEPT [51318:6113468]
:POSTROUTING ACCEPT [402428:277911525]
-A FORWARD -o br-wan -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone wan MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
-A FORWARD -i br-wan -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone wan MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
-A FORWARD -o eth0.2 -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone wan MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
-A FORWARD -i eth0.2 -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone wan MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
COMMIT
# Completed on Thu Oct  7 21:18:59 2021
# Generated by iptables-save v1.8.3 on Thu Oct  7 21:18:59 2021
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:forwarding_lan_rule - [0:0]
:forwarding_rule - [0:0]
:forwarding_wan_rule - [0:0]
:input_lan_rule - [0:0]
:input_rule - [0:0]
:input_wan_rule - [0:0]
:output_lan_rule - [0:0]
:output_rule - [0:0]
:output_wan_rule - [0:0]
:reject - [0:0]
:syn_flood - [0:0]
:zone_lan_dest_ACCEPT - [0:0]
:zone_lan_forward - [0:0]
:zone_lan_input - [0:0]
:zone_lan_output - [0:0]
:zone_lan_src_ACCEPT - [0:0]
:zone_wan_dest_ACCEPT - [0:0]
:zone_wan_forward - [0:0]
:zone_wan_input - [0:0]
:zone_wan_output - [0:0]
:zone_wan_src_REJECT - [0:0]
-A INPUT -i lo -m comment --comment "!fw3" -j ACCEPT
-A INPUT -m comment --comment "!fw3: Custom input rule chain" -j input_rule
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m comment --comment "!fw3" -j syn_flood
-A INPUT -i br-lan -m comment --comment "!fw3" -j zone_lan_input
-A INPUT -i br-wan -m comment --comment "!fw3" -j zone_wan_input
-A INPUT -i eth0.2 -m comment --comment "!fw3" -j zone_wan_input
-A FORWARD -m comment --comment "!fw3: Custom forwarding rule chain" -j forwarding_rule
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
-A FORWARD -i br-lan -m comment --comment "!fw3" -j zone_lan_forward
-A FORWARD -i br-wan -m comment --comment "!fw3" -j zone_wan_forward
-A FORWARD -i eth0.2 -m comment --comment "!fw3" -j zone_wan_forward
-A FORWARD -m comment --comment "!fw3" -j reject
-A OUTPUT -o lo -m comment --comment "!fw3" -j ACCEPT
-A OUTPUT -m comment --comment "!fw3: Custom output rule chain" -j output_rule
-A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
-A OUTPUT -o br-lan -m comment --comment "!fw3" -j zone_lan_output
-A OUTPUT -o br-wan -m comment --comment "!fw3" -j zone_wan_output
-A OUTPUT -o eth0.2 -m comment --comment "!fw3" -j zone_wan_output
-A forwarding_rule -s 192.168.1.110/32 -j reject
-A forwarding_rule -s 192.168.1.111/32 -j reject
-A reject -p tcp -m comment --comment "!fw3" -j REJECT --reject-with tcp-reset
-A reject -m comment --comment "!fw3" -j REJECT --reject-with icmp-port-unreachable
-A syn_flood -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m limit --limit 25/sec --limit-burst 50 -m comment --comment "!fw3" -j RETURN
-A syn_flood -m comment --comment "!fw3" -j DROP
-A zone_lan_dest_ACCEPT -o br-lan -m conntrack --ctstate INVALID -m comment --comment "!fw3: Prevent NAT leakage" -j DROP
-A zone_lan_dest_ACCEPT -o br-lan -m comment --comment "!fw3" -j ACCEPT
-A zone_lan_forward -m comment --comment "!fw3: Custom lan forwarding rule chain" -j forwarding_lan_rule
-A zone_lan_forward -m comment --comment "!fw3: Zone lan to wan forwarding policy" -j zone_wan_dest_ACCEPT
-A zone_lan_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
-A zone_lan_forward -m comment --comment "!fw3" -j zone_lan_dest_ACCEPT
-A zone_lan_input -m comment --comment "!fw3: Custom lan input rule chain" -j input_lan_rule
-A zone_lan_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
-A zone_lan_input -m comment --comment "!fw3" -j zone_lan_src_ACCEPT
-A zone_lan_output -m comment --comment "!fw3: Custom lan output rule chain" -j output_lan_rule
-A zone_lan_output -m comment --comment "!fw3" -j zone_lan_dest_ACCEPT
-A zone_lan_src_ACCEPT -i br-lan -m conntrack --ctstate NEW,UNTRACKED -m comment --comment "!fw3" -j ACCEPT
-A zone_wan_dest_ACCEPT -o br-wan -m conntrack --ctstate INVALID -m comment --comment "!fw3: Prevent NAT leakage" -j DROP
-A zone_wan_dest_ACCEPT -o br-wan -m comment --comment "!fw3" -j ACCEPT
-A zone_wan_dest_ACCEPT -o eth0.2 -m conntrack --ctstate INVALID -m comment --comment "!fw3: Prevent NAT leakage" -j DROP
-A zone_wan_dest_ACCEPT -o eth0.2 -m comment --comment "!fw3" -j ACCEPT
-A zone_wan_forward -m comment --comment "!fw3: Custom wan forwarding rule chain" -j forwarding_wan_rule
-A zone_wan_forward -p esp -m comment --comment "!fw3: Allow-IPSec-ESP" -j zone_lan_dest_ACCEPT
-A zone_wan_forward -p udp -m udp --dport 500 -m comment --comment "!fw3: Allow-ISAKMP" -j zone_lan_dest_ACCEPT
-A zone_wan_forward -m comment --comment "!fw3: Zone wan to lan forwarding policy" -j zone_lan_dest_ACCEPT
-A zone_wan_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
-A zone_wan_forward -m comment --comment "!fw3" -j zone_wan_dest_ACCEPT
-A zone_wan_input -m comment --comment "!fw3: Custom wan input rule chain" -j input_wan_rule
-A zone_wan_input -p udp -m udp --dport 68 -m comment --comment "!fw3: Allow-DHCP-Renew" -j ACCEPT
-A zone_wan_input -p icmp -m icmp --icmp-type 8 -m comment --comment "!fw3: Allow-Ping" -j ACCEPT
-A zone_wan_input -p igmp -m comment --comment "!fw3: Allow-IGMP" -j ACCEPT
-A zone_wan_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
-A zone_wan_input -m comment --comment "!fw3" -j zone_wan_src_REJECT
-A zone_wan_output -m comment --comment "!fw3: Custom wan output rule chain" -j output_wan_rule
-A zone_wan_output -m comment --comment "!fw3" -j zone_wan_dest_ACCEPT
-A zone_wan_src_REJECT -i br-wan -m comment --comment "!fw3" -j reject
-A zone_wan_src_REJECT -i eth0.2 -m comment --comment "!fw3" -j reject
COMMIT
# Completed on Thu Oct  7 21:18:59 2021

**Edit:** adding the output of `uci export firewall`

package firewall

config defaults
       option syn_flood '1'
       option input 'ACCEPT'
       option output 'ACCEPT'
       option forward 'REJECT'

config zone
       option name 'lan'
       option input 'ACCEPT'
       option output 'ACCEPT'
       option forward 'ACCEPT'
       option masq '1'
       option network 'lan'

config zone
       option name 'wan'
       option input 'REJECT'
       option output 'ACCEPT'
       option masq '1'
       option mtu_fix '1'
       option forward 'ACCEPT'
       option network 'wan wan6 wwan1 wwan'

config forwarding
       option src 'lan'
       option dest 'wan'

config rule
       option name 'Allow-DHCP-Renew'
       option src 'wan'
       option proto 'udp'
       option dest_port '68'
       option target 'ACCEPT'
       option family 'ipv4'

config rule
       option name 'Allow-Ping'
       option src 'wan'
       option proto 'icmp'
       option icmp_type 'echo-request'
       option family 'ipv4'
       option target 'ACCEPT'

config rule
       option name 'Allow-IGMP'
       option src 'wan'
       option proto 'igmp'
       option family 'ipv4'
       option target 'ACCEPT'

config rule
       option name 'Allow-DHCPv6'
       option src 'wan'
       option proto 'udp'
       option src_ip 'fc00::/6'
       option dest_ip 'fc00::/6'
       option dest_port '546'
       option family 'ipv6'
       option target 'ACCEPT'

config rule
       option name 'Allow-MLD'
       option src 'wan'
       option proto 'icmp'
       option src_ip 'fe80::/10'
       list icmp_type '130/0'
       list icmp_type '131/0'
       list icmp_type '132/0'
       list icmp_type '143/0'
       option family 'ipv6'
       option target 'ACCEPT'

config rule
       option name 'Allow-ICMPv6-Input'
       option src 'wan'
       option proto 'icmp'
       list icmp_type 'echo-request'
       list icmp_type 'echo-reply'
       list icmp_type 'destination-unreachable'
       list icmp_type 'packet-too-big'
       list icmp_type 'time-exceeded'
       list icmp_type 'bad-header'
       list icmp_type 'unknown-header-type'
       list icmp_type 'router-solicitation'
       list icmp_type 'neighbour-solicitation'
       list icmp_type 'router-advertisement'
       list icmp_type 'neighbour-advertisement'
       option limit '1000/sec'
       option family 'ipv6'
       option target 'ACCEPT'

config rule
       option name 'Allow-ICMPv6-Forward'
       option src 'wan'
       option dest '*'
       option proto 'icmp'
       list icmp_type 'echo-request'
       list icmp_type 'echo-reply'
       list icmp_type 'destination-unreachable'
       list icmp_type 'packet-too-big'
       list icmp_type 'time-exceeded'
       list icmp_type 'bad-header'
       list icmp_type 'unknown-header-type'
       option limit '1000/sec'
       option family 'ipv6'
       option target 'ACCEPT'

config rule
       option name 'Allow-IPSec-ESP'
       option src 'wan'
       option dest 'lan'
       option proto 'esp'
       option target 'ACCEPT'

config rule
       option name 'Allow-ISAKMP'
       option src 'wan'
       option dest 'lan'
       option dest_port '500'
       option proto 'udp'
       option target 'ACCEPT'

config include
       option path '/etc/firewall.user'

config forwarding
       option dest 'lan'
       option src 'wan'

**Edit:** adding the output of `ip link`

1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN qlen 1000
   link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UNKNOWN qlen 1000
   link/ether 70:4f:57:00:51:ae brd ff:ff:ff:ff:ff:ff
5: br-lan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP qlen 1000
   link/ether 70:4f:57:00:51:ae brd ff:ff:ff:ff:ff:ff
6: eth0.1@eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master br-lan state UP qlen 1000
   link/ether 70:4f:57:00:51:ae brd ff:ff:ff:ff:ff:ff
7: br-wan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP qlen 1000
   link/ether 70:4f:57:00:51:af brd ff:ff:ff:ff:ff:ff
8: eth0.2@eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master br-wan state UP qlen 1000
   link/ether 70:4f:57:00:51:af brd ff:ff:ff:ff:ff:ff
9: wlan0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master br-lan state UP qlen 1000
   link/ether 70:4f:57:00:51:ac brd ff:ff:ff:ff:ff:ff
10: wlan0-1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master br-lan state UP qlen 1000
   link/ether 72:4f:57:00:51:ac brd ff:ff:ff:ff:ff:ff

**Edit:** adding the output of `brctl show`

bridge name     bridge id               STP enabled     interfaces
br-lan          7fff.704f570051ae       no              eth0.1
                                                       wlan0
                                                       wlan0-1
br-wan          7fff.704f570051af       no              eth0.2

OpenWRT runs a Linux kernel, but as an embedded system some features may not be available, so I don't know whether this answer, intended to work on a Linux system with a configuration similar to the OP's, will work. It requires:

And depending on the chosen solution, this may also require some:

Finally, the system routes packets from the `br-lan` interface to the `br-wan` interface. In this step, once the frame leaves the initial bridge to have its payload (IPv4) routed, the fact that the frame entered the `br-lan` interface through the `wlan0-1` bridge port is lost. So the initial action must happen before this information is lost: while the frame is still in the `br-lan` bridge, in the bridge path.

The documentation may hint (bridges are mentioned) that bridge firewalling can be handled with OpenWRT's firewall application, but I know nothing about that part. So I will use `ebtables` directly.

If one can rely on knowing the IP LAN topology on `br-lan` (192.168.1.0/24), then all of this can be done simply with a single `ebtables` rule:

ebtables -A INPUT -p IPv4 -i wlan0-1 --ip-dst ! 192.168.1.0/24 -j DROP

It drops any IPv4 frame received from the `wlan0-1` bridge port and bridged to the host (either for itself or for further routing) that does not have a destination IP address within 192.168.1.0/24.

If OpenWRT's public IP address is static and known in advance (e.g. 192.0.2.2), an exception can optionally be inserted before it:

ebtables -I INPUT -p IPv4 -i wlan0-1 --ip-dst 192.0.2.2 -j ACCEPT

If this is fine, there is no need to use the alternative methods below.


Otherwise, if the rules must stay generic and not involve LAN IP addresses but only interfaces (or must accept the WAN IP address as a destination without knowing its value), then routing has to be involved, and I suggest using `ebtables` to mark the frame in the bridge path, where the information is still available, just before the frame's payload (IPv4) is about to be routed, and then dropping the marked packet/frame once it is known to be routed to the Internet. The mark is preserved when the frame is decapsulated or the packet is encapsulated. The OP's current `iptables` rules do not use any marks, so there will be no unfortunate interaction.

In the OP's case, the egress interface used for routing is also a bridge (`br-wan`); to limit interaction with the higher-level tool (firewall3) that manages the firewall with `iptables`, the marked frame can be dropped in the bridge path instead of dropping the marked packet in the routing path: no interaction with `iptables` rules.

The flow from the LAN to the Internet is as follows:

                                           🠄───── eth0.1 🠄─────── good
bad  ──────🠆 wlan0-1 ──────🠆 br-lan bridge 🠄────── wlan0 🠄─────── good
                                │
                                │
                     Ethernet frame INPUT  (ebtables firewall here)
frame marked when from wlan0-1   M
                                │ 
                                🠇
                              br-lan      frame is decapsulated to
                          self interface  IPv4. Mark is preserved
                                │
                                │
                        IPv4 packet routing (iptables firewall here)
                                │
                                │
                                🠇 
                              br-wan      packet is encapsulated in
                          self interface  Ethernet. Mark is preserved
                                │
                                │
                     Ethernet frame OUTPUT (ebtables firewall here)
     frame dropped if marked    X
                                │
                                🠇
                          br-wan bridge ──────🠆 eth0.2 ──────🠆 Internet

This marks frames received from the `wlan0-1` bridge port:

ebtables -A INPUT -i wlan0-1 -j mark --mark-set 0xbad

Then, when the previously marked frame/packet is emitted from the host through the `br-wan` bridge, this matches and drops it:

ebtables -A OUTPUT --logical-out br-wan --mark 0xbad -j DROP

If `--logical-out` is not available for some reason, with the current topology it can be changed to `br-wan`'s single output bridge port:

ebtables -A OUTPUT -o eth0.2 --mark 0xbad -j DROP

In this case, since the packet was seen entering and leaving the routing stack, `conntrack` will create an entry for it even though it is dropped afterwards. Such an entry will never reach the ESTABLISHED state, because nothing will receive this packet and reply to it (see also the notes).


Notes:

  • If OpenWRT were configured with two distinct LANs (not bridged, or on separate bridges each participating in routing), one for `wlan0` and `eth0.1` and the other for `wlan0-1`, with different IP addresses, then standard routing would apply everywhere and this problem could easily be solved in `iptables`, probably configured in firewall3, with no need for `ebtables`.
  • The current `iptables` rules suggest that `eth0.2` can be used (or was once used) as a standard (non-bridge-port) interface. If that is the case, the second solution must be changed to include an equivalent rule in `iptables`, which should be integrated into firewall3 if possible. It can also be used for `br-wan` (but only worth it if it can be integrated with firewall3):

This rule can currently work in place of the `ebtables` OUTPUT rule above:

iptables -I FORWARD -o br-wan -m mark --mark 0xbad -j DROP

and this one, using `eth0.2` directly as the routed interface rather than as a bridge port:

iptables -I FORWARD -o eth0.2 -m mark --mark 0xbad -j DROP

Both can be put in place at the same time, as is currently done with `br-wan` and `eth0.2` in the other `iptables` rules.

Here, since the packet is dropped in the routing path by `iptables`, the `conntrack` entry will not be committed and will not appear (e.g. `cat /proc/net/nf_conntrack` will not show the attempt).

  • Relying on the `br_netfilter` feature to use `iptables` in the bridge path is usually a bad idea when the configuration is not fully under control, and it is disabled by default in OpenWRT. So the `iptables` `physdev` match, which depends on this feature (and might not be available), should not be used to solve this problem.
  • Since this is not stateful, incoming traffic from the Internet to the systems using `wlan0-1` would still be allowed, but could not be replied to. Anyway, since the LAN is private, this would require a DNAT rule on the firewall for it to be possible at all (or, for the second solution, which still creates `conntrack` entries, a remote third party blindly syncing to the dropped attempt). The reverse direction, Internet traffic to `wlan0-1`, can also be dropped if really needed, using the same methods as provided.
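The two variants described in the answer, combined into one idempotent script, as an added example that is not part of the original answer. It assumes the interface names, the 192.168.1.0/24 subnet and the `0xbad` mark from the page, that `/etc/firewall.user` (the include path in the OP's `uci export firewall`) is re-executed by firewall3 on every reload, and that the `ebtables` build lacks a `-C` check (so each rule is deleted and re-appended instead of being checked). The `MODE` switch, the variable names, the optional `WAN_IP` exemption and the `--mark-target CONTINUE` detail (so that the marking rule does not also terminate the `INPUT` chain, which the default `ACCEPT` target would) are this example's own choices, not the answer's.

```shell
#!/bin/sh
# Added example (not code from the serverfault answer): idempotent wrapper
# around the ebtables/iptables rules discussed above, meant to live in
# /etc/firewall.user. firewall3 re-runs that file on every reload, so each
# rule is removed (ebtables) or checked (iptables -C) before being added,
# and re-running never stacks duplicates.
#
# Interface names, subnet and the 0xbad mark come from the page; the variable
# names, the MODE switch and WAN_IP are this example's own assumptions.

EBTABLES="${EBTABLES:-ebtables}"
IPTABLES="${IPTABLES:-iptables}"
ISOLATED_PORT="${ISOLATED_PORT:-wlan0-1}"   # br-lan port carrying the air purifiers
WAN_BRIDGE="${WAN_BRIDGE:-br-wan}"
WAN_PORT="${WAN_PORT:-eth0.2}"
LAN_NET="${LAN_NET:-192.168.1.0/24}"
WAN_IP="${WAN_IP:-}"                         # optional static WAN address to exempt (subnet mode)
MARK="${MARK:-0xbad}"
MODE="${MODE:-route}"                        # subnet | bridge | route

# ebt_rule CHAIN RULE...: ebtables has no -C, so remove an identical rule if
# present and append exactly one copy. Appending in call order keeps the
# ACCEPT exception ahead of the catch-all DROP in subnet mode.
ebt_rule() {
    chain=$1; shift
    "$EBTABLES" -D "$chain" "$@" 2>/dev/null || true
    "$EBTABLES" -A "$chain" "$@"
}

# ipt_rule CHAIN RULE...: insert at the top of CHAIN unless already present.
ipt_rule() {
    chain=$1; shift
    "$IPTABLES" -C "$chain" "$@" 2>/dev/null || "$IPTABLES" -I "$chain" "$@"
}

apply_isolation_rules() {
    case "$MODE" in
    subnet)
        # Variant 1: stateless drop, in the bridge INPUT path, of every IPv4
        # frame from the isolated port that is not addressed inside the LAN.
        if [ -n "$WAN_IP" ]; then
            ebt_rule INPUT -p IPv4 -i "$ISOLATED_PORT" --ip-dst "$WAN_IP" -j ACCEPT
        fi
        ebt_rule INPUT -p IPv4 -i "$ISOLATED_PORT" --ip-dst ! "$LAN_NET" -j DROP
        ;;
    bridge|route)
        # Variant 2: mark the frame while the ingress bridge port is still
        # known (bridge INPUT), then drop the marked frame/packet later.
        ebt_rule INPUT -i "$ISOLATED_PORT" -j mark --mark-set "$MARK" --mark-target CONTINUE
        if [ "$MODE" = bridge ]; then
            # Drop in the bridge OUTPUT path of the WAN bridge: no iptables
            # interaction, but conntrack still records the attempt.
            ebt_rule OUTPUT --logical-out "$WAN_BRIDGE" --mark "$MARK" -j DROP
        else
            # Drop in the routing FORWARD path: no conntrack entry is created.
            # Both egress names are covered, as the OP's fw3 rules reference both.
            ipt_rule FORWARD -o "$WAN_BRIDGE" -m mark --mark "$MARK" -j DROP
            ipt_rule FORWARD -o "$WAN_PORT" -m mark --mark "$MARK" -j DROP
        fi
        ;;
    *)
        echo "unknown MODE '$MODE' (expected subnet, bridge or route)" >&2
        return 2
        ;;
    esac
}

# firewall3 executes /etc/firewall.user as a script on each reload; apply only
# in that case, so that sourcing this file elsewhere just defines the functions.
case "${0##*/}" in
    firewall.user) apply_isolation_rules ;;
esac
```

Save it as `/etc/firewall.user` and run `/etc/init.d/firewall reload`; adjust the defaults at the top for a different port or subnet. `MODE=route` (the default here) drops in the routing path and so leaves no `conntrack` entry, `MODE=bridge` selects the `ebtables` OUTPUT drop the answer gives first, and `MODE=subnet` with `WAN_IP` set installs the single-rule variant with its exception.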

Source: https://serverfault.com/questions/1079880