Chinaunix首页 | 论坛 | 博客
  • 博客访问: 3167427
  • 博文数量: 685
  • 博客积分: 0
  • 博客等级: 民兵
  • 技术积分: 5303
  • 用 户 组: 普通用户
  • 注册时间: 2014-04-19 14:17
个人简介

文章分类

全部博文(685)

文章存档

2015年(116)

2014年(569)

分类: 嵌入式

2014-09-28 18:46:22

原文地址:http://blog.appdevp.com/archives/282

OpenWrt默认安装自带了iptables防火墙,并且默认设置了不少规则和策略,尤其是自定义了很多用户规则链,看起来比较复杂。
用iptables -nL 查看,会发现特别多自定义用户链,
root@myopenwrt:~# iptables -nL
Chain INPUT (policy ACCEPT)
target prot opt source destination
bw_ingress all — 0.0.0.0/0 0.0.0.0/0
ACCEPT all — 0.0.0.0/0 0.0.0.0/0
ACCEPT all — 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
ACCEPT all — 0.0.0.0/0 0.0.0.0/0
input_rule all — 0.0.0.0/0 0.0.0.0/0
input all — 0.0.0.0/0 0.0.0.0/0

Chain FORWARD (policy DROP)
target prot opt source destination
bw_ingress all — 0.0.0.0/0 0.0.0.0/0
ingress_restrictions all — 0.0.0.0/0 0.0.0.0/0
egress_restrictions all — 0.0.0.0/0 0.0.0.0/0
ACCEPT all — 0.0.0.0/0 0.0.0.0/0
ACCEPT all — 0.0.0.0/0 0.0.0.0/0
ACCEPT all — 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
forwarding_rule all — 0.0.0.0/0 0.0.0.0/0
forward all — 0.0.0.0/0 0.0.0.0/0
reject all — 0.0.0.0/0 0.0.0.0/0

Chain OUTPUT (policy ACCEPT)
target prot opt source destination
ACCEPT all — 0.0.0.0/0 0.0.0.0/0
ACCEPT all — 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
ACCEPT all — 0.0.0.0/0 0.0.0.0/0
output_rule all — 0.0.0.0/0 0.0.0.0/0
output all — 0.0.0.0/0 0.0.0.0/0

Chain bw_ingress (2 references)
target prot opt source destination
all — 0.0.0.0/0 0.0.0.0/0 bandwidth –id total1-download-2-449 –type combined –current_bandwidth 0 –reset_interval 2 –reset_time 2 –intervals_to_save 449
all — 0.0.0.0/0 0.0.0.0/0 match-set local_addr_set dst bandwidth –id bdist1-download-minute-15 –type individual_dst –reset_interval minute –intervals_to_save 15
all — 0.0.0.0/0 0.0.0.0/0 bandwidth –id total2-download-minute-359 –type combined –current_bandwidth 0 –reset_interval minute –intervals_to_save 359
all — 0.0.0.0/0 0.0.0.0/0 match-set local_addr_set dst bandwidth –id bdist2-download-900-24 –type individual_dst –reset_interval 900 –reset_time 900 –intervals_to_save 24
all — 0.0.0.0/0 0.0.0.0/0 bandwidth –id total3-download-180-479 –type combined –current_bandwidth 0 –reset_interval 180 –reset_time 180 –intervals_to_save 479
all — 0.0.0.0/0 0.0.0.0/0 match-set local_addr_set dst bandwidth –id bdist3-download-hour-24 –type individual_dst –reset_interval hour –intervals_to_save 24
all — 0.0.0.0/0 0.0.0.0/0 bandwidth –id total4-download-7200-359 –type combined –current_bandwidth 0 –reset_interval 7200 –reset_time 7200 –intervals_to_save 359
all — 0.0.0.0/0 0.0.0.0/0 match-set local_addr_set dst bandwidth –id bdist4-download-day-31 –type individual_dst –reset_interval day –intervals_to_save 31
all — 0.0.0.0/0 0.0.0.0/0 bandwidth –id total5-download-day-365 –type combined –current_bandwidth 0 –reset_interval day –intervals_to_save 365
all — 0.0.0.0/0 0.0.0.0/0 match-set local_addr_set dst bandwidth –id bdist5-download-month-12 –type individual_dst –reset_interval month –intervals_to_save 12

Chain egress_restrictions (1 references)
target prot opt source destination
egress_whitelist all — 0.0.0.0/0 0.0.0.0/0

Chain egress_whitelist (1 references)
target prot opt source destination

Chain forward (1 references)
target prot opt source destination

Chain forwarding_rule (1 references)
target prot opt source destination

Chain ingress_restrictions (1 references)
target prot opt source destination
ingress_whitelist all — 0.0.0.0/0 0.0.0.0/0

Chain ingress_whitelist (1 references)
target prot opt source destination

Chain input (1 references)
target prot opt source destination

Chain input_rule (1 references)
target prot opt source destination

Chain output (1 references)
target prot opt source destination

Chain output_rule (1 references)
target prot opt source destination

Chain pf_loopback_B (0 references)
target prot opt source destination

Chain reject (1 references)
target prot opt source destination
REJECT tcp — 0.0.0.0/0 0.0.0.0/0 reject-with tcp-reset
REJECT all — 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachable

——————————————————————————————————-
上面的显示结果,是不是看着就有点懵了!建议直接清空好了,完全可以根据自己的需要重新配置iptables,可满足一般用户需求。
下面我们来一步一步设置,完全根据自身需要进行定制。

root@myopenwrt:~#vi /etc/firewall.user
用户自定义的防火墙规则可以存在/etc/firewall.user文件中,实际就是iptables具体的设置命令。

##首先清空系统默认规则(filter表)
iptables -F #删除所有规则链中的所有规则
iptables -X #删除用户自定义规则链
iptables -Z #计数清零

#设置各规则链的默认策略。
iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT
iptables -P FORWARD DROP

iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -i br-lan -j ACCEPT
iptables -A INPUT -m state –state RELATED,ESTABLISHED -j ACCEPT

iptables -A FORWARD -i br-lan -o pppoe-wan -j ACCEPT
iptables -A FORWARD -m state –state RELATED,ESTABLISHED -j ACCEPT
#iptables -A FORWARD -p tcp –dport 10080 -j ACCEPT
#iptables -A FORWARD -p udp –dport 10080 -j ACCEPT

##清空系统默认规则(nat表)
iptables -t nat -F
iptables -t nat -X
iptables -t nat -Z

iptables -t nat -P PREROUTING ACCEPT
iptables -t nat -P POSTROUTING ACCEPT
iptables -t nat -P OUTPUT ACCEPT

##pppoe拨号网络支持nat
iptables -t nat -A POSTROUTING -i br-lan -o pppoe-wan -j MASQUERADE
#iptables -t nat -A PREROUTING -p tcp –dport 10080 -j DNAT –to-destination 10.10.7.2
#iptables -t nat -A PREROUTING -p udp –dport 10080 -j DNAT –to-destination 10.10.7.3

##清空系统默认规则(mangle表)
#iptables -t mangle -F
#iptables -t mangle -X
#iptables -t mangle -Z
#iptables -t mangle -A PREROUTING -i pppoe-wan -j TTL –ttl-inc 1
#iptables -t mangle -A POSTROUTING -o pppoe-wan -j TTL –ttl-set 128
#iptables -t mangle -A POSTROUTING -o pppoe-wan -j IPID –ipid-pace 1
#iptables -I FORWARD -p tcp –tcp-flags RST RST -j DROP



阅读(15115) | 评论(0) | 转发(0) |
给主人留下些什么吧!~~