Hand-configuring the iptables firewall on an OpenWrt router: a worked example | APP-DEV-P | 各种乱789知识积累


Hand-configuring the iptables firewall on an OpenWrt router: a worked example

OpenWrt ships with the iptables firewall already installed and preconfigured with a fair number of rules and policies, in particular many custom user-defined chains, so the ruleset looks complicated at first sight.
Listing it with iptables -nL (which shows only the filter table; iptables-save prints every table) reveals a whole crowd of user chains:
root@myopenwrt:~# iptables -nL
Chain INPUT (policy ACCEPT)
target prot opt source destination
bw_ingress all -- 0.0.0.0/0 0.0.0.0/0
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
input_rule all -- 0.0.0.0/0 0.0.0.0/0
input all -- 0.0.0.0/0 0.0.0.0/0

Chain FORWARD (policy DROP)
target prot opt source destination
bw_ingress all -- 0.0.0.0/0 0.0.0.0/0
ingress_restrictions all -- 0.0.0.0/0 0.0.0.0/0
egress_restrictions all -- 0.0.0.0/0 0.0.0.0/0
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
forwarding_rule all -- 0.0.0.0/0 0.0.0.0/0
forward all -- 0.0.0.0/0 0.0.0.0/0
reject all -- 0.0.0.0/0 0.0.0.0/0

Chain OUTPUT (policy ACCEPT)
target prot opt source destination
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
output_rule all -- 0.0.0.0/0 0.0.0.0/0
output all -- 0.0.0.0/0 0.0.0.0/0

Chain bw_ingress (2 references)
target prot opt source destination
all -- 0.0.0.0/0 0.0.0.0/0 bandwidth --id total1-download-2-449 --type combined --current_bandwidth 0 --reset_interval 2 --reset_time 2 --intervals_to_save 449
all -- 0.0.0.0/0 0.0.0.0/0 match-set local_addr_set dst bandwidth --id bdist1-download-minute-15 --type individual_dst --reset_interval minute --intervals_to_save 15
all -- 0.0.0.0/0 0.0.0.0/0 bandwidth --id total2-download-minute-359 --type combined --current_bandwidth 0 --reset_interval minute --intervals_to_save 359
all -- 0.0.0.0/0 0.0.0.0/0 match-set local_addr_set dst bandwidth --id bdist2-download-900-24 --type individual_dst --reset_interval 900 --reset_time 900 --intervals_to_save 24
all -- 0.0.0.0/0 0.0.0.0/0 bandwidth --id total3-download-180-479 --type combined --current_bandwidth 0 --reset_interval 180 --reset_time 180 --intervals_to_save 479
all -- 0.0.0.0/0 0.0.0.0/0 match-set local_addr_set dst bandwidth --id bdist3-download-hour-24 --type individual_dst --reset_interval hour --intervals_to_save 24
all -- 0.0.0.0/0 0.0.0.0/0 bandwidth --id total4-download-7200-359 --type combined --current_bandwidth 0 --reset_interval 7200 --reset_time 7200 --intervals_to_save 359
all -- 0.0.0.0/0 0.0.0.0/0 match-set local_addr_set dst bandwidth --id bdist4-download-day-31 --type individual_dst --reset_interval day --intervals_to_save 31
all -- 0.0.0.0/0 0.0.0.0/0 bandwidth --id total5-download-day-365 --type combined --current_bandwidth 0 --reset_interval day --intervals_to_save 365
all -- 0.0.0.0/0 0.0.0.0/0 match-set local_addr_set dst bandwidth --id bdist5-download-month-12 --type individual_dst --reset_interval month --intervals_to_save 12

Chain egress_restrictions (1 references)
target prot opt source destination
egress_whitelist all -- 0.0.0.0/0 0.0.0.0/0

Chain egress_whitelist (1 references)
target prot opt source destination

Chain forward (1 references)
target prot opt source destination

Chain forwarding_rule (1 references)
target prot opt source destination

Chain ingress_restrictions (1 references)
target prot opt source destination
ingress_whitelist all -- 0.0.0.0/0 0.0.0.0/0

Chain ingress_whitelist (1 references)
target prot opt source destination

Chain input (1 references)
target prot opt source destination

Chain input_rule (1 references)
target prot opt source destination

Chain output (1 references)
target prot opt source destination

Chain output_rule (1 references)
target prot opt source destination

Chain pf_loopback_B (0 references)
target prot opt source destination

Chain reject (1 references)
target prot opt source destination
REJECT tcp -- 0.0.0.0/0 0.0.0.0/0 reject-with tcp-reset
REJECT all -- 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachable

------------------------------------------------------------
If the listing above leaves you a bit lost, just flush it all: iptables can be rebuilt from scratch to match your own needs, and a short hand-written ruleset is enough for a typical home router. A few things to know before doing so. Chains such as input_rule, forwarding_rule, output_rule, input, forward, output and reject belong to OpenWrt's own firewall service, whereas bw_ingress, ingress_restrictions/egress_restrictions and pf_loopback_B are inserted by add-on packages (traffic accounting, access restrictions, port-forward helpers); those features stop working once their chains are flushed. The script below only touches iptables, so the IPv6 rules the firewall service installed in ip6tables are left exactly as they were. Apply it as a file from a LAN-side session rather than typing it line by line: the INPUT policy is set to DROP before any rule that admits traffic, so an interactive SSH session dies between those two commands. Once it is applied, nothing admits new connections from the WAN, which is the intent, but it means the router is then manageable only from the LAN.
Below we set it up step by step, tailored entirely to our own needs.

root@myopenwrt:~# vi /etc/firewall.user
User-defined firewall rules can live in /etc/firewall.user; the file is simply a list of iptables commands. On iptables-based OpenWrt releases the firewall service (fw3) runs it after loading its own rules, every time the firewall is started or reloaded, so the flush below wipes what fw3 installed and your rules are all that remain. On OpenWrt 22.03 and later the firewall is nftables-based (fw4) and /etc/firewall.user is no longer executed; there an nftables include is needed instead.

## First flush the default rules (filter table)
iptables -F   # delete every rule in every chain
iptables -X   # delete the user-defined chains (possible only once nothing references them, hence after -F)
iptables -Z   # zero the packet and byte counters

# Default policy for each built-in chain: drop unsolicited inbound and forwarded traffic, let the router itself talk out.
iptables -P INPUT   DROP
iptables -P OUTPUT  ACCEPT
iptables -P FORWARD DROP

# Traffic to the router itself: loopback, anything from the LAN bridge, and replies to connections the router opened.
# (-m state --state is a legacy alias of -m conntrack --ctstate; both work.)
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -i br-lan -j ACCEPT
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

# Forwarded traffic: LAN -> WAN may open connections; WAN -> LAN only for replies.
# Interface names are this router's: with a DHCP or static WAN the uplink is usually eth0.2 or wan rather than pppoe-wan.
iptables -A FORWARD -i br-lan -o pppoe-wan  -j ACCEPT
iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
# Uncomment together with the DNAT rules below to expose a LAN service on port 10080.
# FORWARD sees the destination after DNAT, so these can be narrowed with -i pppoe-wan -d <lan host>.
#iptables -A FORWARD -p tcp --dport 10080 -j ACCEPT
#iptables -A FORWARD -p udp --dport 10080 -j ACCEPT

## Flush the default rules (nat table)
iptables -t nat -F
iptables -t nat -X
iptables -t nat -Z

iptables -t nat -P PREROUTING  ACCEPT
iptables -t nat -P POSTROUTING ACCEPT
iptables -t nat -P OUTPUT      ACCEPT

## NAT for the PPPoE dial-up uplink
# POSTROUTING runs after routing, so iptables rejects -i here ("Can't use -i with POSTROUTING");
# match on the outgoing interface only, or on the LAN subnet with -s.
iptables -t nat -A POSTROUTING -o pppoe-wan -j MASQUERADE
# Port forwards: DNAT rewrites the destination; adding -i pppoe-wan limits the rewrite to packets arriving from the WAN.
#iptables -t nat -A PREROUTING -p tcp  --dport 10080  -j DNAT --to-destination 10.10.7.2
#iptables -t nat -A PREROUTING -p udp  --dport 10080  -j DNAT --to-destination 10.10.7.3

## Flush the default rules (mangle table)
#iptables -t mangle -F
#iptables -t mangle -X
#iptables -t mangle -Z
# TTL rewriting needs the TTL target module (kmod-ipt-ipopt on OpenWrt).
#iptables -t mangle -A PREROUTING  -i pppoe-wan -j TTL --ttl-inc 1
#iptables -t mangle -A POSTROUTING -o pppoe-wan -j TTL --ttl-set 128
# IPID is not an upstream iptables target; this line only works on a build that ships that module.
#iptables -t mangle -A POSTROUTING -o pppoe-wan -j IPID --ipid-pace 1
# Drops every forwarded TCP RST, legitimate ones included, so connections to closed ports hang until they time out.
#iptables -I FORWARD -p tcp --tcp-flags RST RST -j DROP
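The same ruleset, as an added example that is not part of the original page: a parameterised POSIX sh version (it runs under OpenWrt's busybox ash) that keeps the page's structure but fixes the points a reviewer would flag: it drops conntrack INVALID packets first, masquerades only the LAN subnet instead of using -i in POSTROUTING, and emits each port forward as a DNAT pinned to the WAN interface plus a FORWARD accept pinned to the LAN host, since FORWARD sees the already-translated destination. The interface names br-lan and pppoe-wan and the hosts 10.10.7.2/10.10.7.3 are taken from the page; the LAN subnet 10.10.7.0/24, the FORWARDS format and the function names are my assumptions. By default it only prints the iptables commands so the result can be reviewed; DRY_RUN=0 applies them.

```shell
#!/bin/sh
# Added example, not the page's code. Interface names, LAN subnet and the
# port-forward list are assumptions; set them via the environment.
LAN_IF="${LAN_IF:-br-lan}"
WAN_IF="${WAN_IF:-pppoe-wan}"
LAN_NET="${LAN_NET:-10.10.7.0/24}"     # assumed LAN subnet
# Port forwards as proto:wan_port:lan_host:lan_port, space separated.
FORWARDS="${FORWARDS:-tcp:10080:10.10.7.2:10080 udp:10080:10.10.7.3:10080}"
DRY_RUN="${DRY_RUN:-1}"               # 1 = print commands, 0 = run them

# Run (or in dry-run mode print) one iptables command.
ipt() {
    if [ "$DRY_RUN" = 1 ]; then
        printf 'iptables %s\n' "$*"
    else
        iptables "$@"
    fi
}

# Flush rules, user chains and counters in every table we touch.
flush_tables() {
    for t in filter nat mangle; do
        ipt -t "$t" -F
        ipt -t "$t" -X
        ipt -t "$t" -Z
    done
}

base_rules() {
    ipt -P INPUT DROP
    ipt -P FORWARD DROP
    ipt -P OUTPUT ACCEPT
    # Packets conntrack cannot classify are dropped before any ACCEPT sees them.
    ipt -A INPUT -m conntrack --ctstate INVALID -j DROP
    ipt -A INPUT -i lo -j ACCEPT
    ipt -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
    ipt -A INPUT -i "$LAN_IF" -j ACCEPT
    ipt -A FORWARD -m conntrack --ctstate INVALID -j DROP
    ipt -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
    ipt -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -j ACCEPT
    # POSTROUTING only accepts -o; restrict the source with -s so only LAN
    # addresses are masqueraded, not anything else the router forwards.
    ipt -t nat -A POSTROUTING -s "$LAN_NET" -o "$WAN_IF" -j MASQUERADE
}

# One DNAT plus one FORWARD rule per entry. FORWARD runs after PREROUTING has
# rewritten the destination, so it is pinned to the LAN host and to the WAN side.
forward_rules() {
    for fwd in $FORWARDS; do
        proto=${fwd%%:*};  rest=${fwd#*:}
        wport=${rest%%:*}; rest=${rest#*:}
        host=${rest%%:*};  hport=${rest#*:}
        ipt -t nat -A PREROUTING -i "$WAN_IF" -p "$proto" --dport "$wport" \
            -j DNAT --to-destination "$host:$hport"
        ipt -A FORWARD -i "$WAN_IF" -o "$LAN_IF" -p "$proto" -d "$host" \
            --dport "$hport" -m conntrack --ctstate NEW -j ACCEPT
    done
}

gen_rules() {
    flush_tables
    base_rules
    forward_rules
}

# Static checks on the generated command list, run before DRY_RUN=0.
# Returns non-zero and prints the reason if a rule would be rejected or is unsafe.
check_rules() {
    rules=$(DRY_RUN=1; gen_rules)
    if printf '%s\n' "$rules" | grep -q 'POSTROUTING.* -i '; then
        echo "check: -i is not valid in POSTROUTING"; return 1
    fi
    if ! printf '%s\n' "$rules" | grep -q -- '-P INPUT DROP'; then
        echo "check: INPUT policy must be DROP"; return 1
    fi
    dnat=$(printf '%s\n' "$rules" | grep -c -- '-j DNAT')
    fwd=$(printf '%s\n' "$rules" | grep -c -- '-A FORWARD .*--ctstate NEW -j ACCEPT')
    if [ "$dnat" != "$fwd" ]; then
        echo "check: every DNAT needs a matching FORWARD accept"; return 1
    fi
    return 0
}

check_rules && gen_rules
```

Run it once as-is to read the generated commands, then `DRY_RUN=0 sh fw.sh` from a LAN-side session to apply them; on a fw3 router the body can equally be pasted into /etc/firewall.user with DRY_RUN=0 set at the top. Like the page's script it leaves ip6tables untouched.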