【OpenWRT】——Firewall
[i=s] 本帖最後由 角色 於 2013-3-3 22:36 編輯 [/i]在了解OpenWRT Firewall,但看【1】是很难明白,因为【1】是假设你明白Firewall的原理,还有知道每一个tables和流程。为了深入了解,从网上看到鸟哥的文章【2】后,对Firewall有了基本的概念后,再看【1】就比较好。
【1】[url]http://wiki.openwrt.org/doc/uci/firewall[/url]
【2】[url]http://linux.vbird.org/linux_server/0250simple_firewall.php[/url][code]
+------------+ +---------+ +-------------+
Packet -| PREROUTING |--- routing-----| FORWARD |-------+-------| POSTROUTING |- Packets
input +------------+ decision +---------+ | +-------------+ out
| |
+-------+ +--------+
| INPUT |---- Local process -| OUTPUT |
+-------+ +--------+
[/code] [i=s] 本帖最後由 角色 於 2013-3-2 12:16 編輯 [/i]
Default /etc/config/firewall (removed settings for IP6)[code]config defaults
option syn_flood 1
option input ACCEPT
option output ACCEPT
option forward REJECT
config zone
option name lan
option network 'lan'
option input ACCEPT
option output ACCEPT
option forward REJECT
config zone
option name wan
option network 'wan'
option input REJECT
option output ACCEPT
option forward REJECT
option masq 1
option mtu_fix 1
config forwarding
option src lan
option dest wan
# We need to accept udp packets on port 68,
# see https://dev.openwrt.org/ticket/4108
config rule
option name Allow-DHCP-Renew
option src wan
option proto udp
option dest_port 68
option target ACCEPT
option family ipv4
# Allow IPv4 ping
config rule
option name Allow-Ping
option src wan
option proto icmp
option icmp_type echo-request
option family ipv4
option target ACCEPT
# include a file with users custom iptables rules
config include
option path /etc/firewall.user
[/code]但是用iptables -L去查看整个firewall是怎样,真的吓一大跳![code]root@OpenWrt:/etc/config# iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT all -- anywhere anywhere
syn_flood tcp -- anywhere anywhere tcp flags:FIN,SYN,RST,ACK/SYN
input_rule all -- anywhere anywhere
input all -- anywhere anywhere
Chain FORWARD (policy DROP)
target prot opt source destination
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
forwarding_rule all -- anywhere anywhere
forward all -- anywhere anywhere
reject all -- anywhere anywhere
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT all -- anywhere anywhere
output_rule all -- anywhere anywhere
output all -- anywhere anywhere
Chain forward (1 references)
target prot opt source destination
zone_lan_forward all -- anywhere anywhere
zone_wan_forward all -- anywhere anywhere
Chain forwarding_lan (1 references)
target prot opt source destination
Chain forwarding_rule (1 references)
target prot opt source destination
nat_reflection_fwd all -- anywhere anywhere
Chain forwarding_wan (1 references)
target prot opt source destination
Chain input (1 references)
target prot opt source destination
zone_lan all -- anywhere anywhere
zone_wan all -- anywhere anywhere
Chain input_lan (1 references)
target prot opt source destination
Chain input_rule (1 references)
target prot opt source destination
Chain input_wan (1 references)
target prot opt source destination
Chain nat_reflection_fwd (1 references)
target prot opt source destination
Chain output (1 references)
target prot opt source destination
zone_lan_ACCEPT all -- anywhere anywhere
zone_wan_ACCEPT all -- anywhere anywhere
Chain output_rule (1 references)
target prot opt source destination
Chain reject (5 references)
target prot opt source destination
REJECT tcp -- anywhere anywhere reject-with tcp-reset
REJECT all -- anywhere anywhere reject-with icmp-port-unreachable
Chain syn_flood (1 references)
target prot opt source destination
RETURN tcp -- anywhere anywhere tcp flags:FIN,SYN,RST,ACK/SYN limit: avg 25/sec burst 50
DROP all -- anywhere anywhere
Chain zone_lan (1 references)
target prot opt source destination
input_lan all -- anywhere anywhere
zone_lan_ACCEPT all -- anywhere anywhere
Chain zone_lan_ACCEPT (2 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
Chain zone_lan_DROP (0 references)
target prot opt source destination
DROP all -- anywhere anywhere
DROP all -- anywhere anywhere
Chain zone_lan_REJECT (1 references)
target prot opt source destination
reject all -- anywhere anywhere
reject all -- anywhere anywhere
Chain zone_lan_forward (1 references)
target prot opt source destination
zone_wan_ACCEPT all -- anywhere anywhere
forwarding_lan all -- anywhere anywhere
zone_lan_REJECT all -- anywhere anywhere
Chain zone_wan (1 references)
target prot opt source destination
ACCEPT udp -- anywhere anywhere udp dpt:bootpc
ACCEPT icmp -- anywhere anywhere icmp echo-request
input_wan all -- anywhere anywhere
zone_wan_REJECT all -- anywhere anywhere
Chain zone_wan_ACCEPT (2 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
Chain zone_wan_DROP (0 references)
target prot opt source destination
DROP all -- anywhere anywhere
DROP all -- anywhere anywhere
Chain zone_wan_REJECT (2 references)
target prot opt source destination
reject all -- anywhere anywhere
reject all -- anywhere anywhere
Chain zone_wan_forward (1 references)
target prot opt source destination
forwarding_wan all -- anywhere anywhere
zone_wan_REJECT all -- anywhere anywhere
root@OpenWrt:/etc/config#
[/code] [i=s] 本帖最後由 角色 於 2013-3-5 02:04 編輯 [/i]
Linux network commands
[url]http://www.linuxtopia.org/Linux_Firewall_iptables/index.html[/url] 备用帖子。 备用帖子。 如果它自己的firewall搞到很复杂!如果要VLAN这类的东西,就要用netfilter command,如iptables。 [i=s] 本帖最後由 角色 於 2013-2-25 01:06 編輯 [/i]
iptables简单实用方式:
[url]http://eduunix.ccut.edu.cn/index2/pdf/iptables-HOWTO.pdf[/url]
[url]http://cooker.techsnail.com/index.php/IPTables[/url] 可能不太明白基本的firewall,所以OpenWRT也不太明白。 [i=s] 本帖最後由 角色 於 2013-3-2 10:24 編輯 [/i]
怎样把Openwrt全stop?
例如router admin IP是192.168.10.1
1. /etc/init.d/firewall stop (用putting进入192.168.10.1)
2. 我们用browser,打开192.168.10.1,Status->Firewall
[attach]2250[/attach]
3. Firewall里有四个Tables,分别为 Filter,NAT,Mangle,Raw。不过它们的关系是怎样呢? 一般firewall有下面的contents:
Table: Filter
Chain INPUT (Policy: ACCEPT)
Chain FORWARD (Policy: DROP)
Chain OUTPUT (Policy: ACCEPT)
Chain forward
Chain forwading_rules
Chain input
Chain output
Chain reject
Chain syn_flood
Chain zone_ABC
Chain zone_ABC_ACCEPT
Chain zone_ABC_DROP
Chain zone_ABC_REJECT
Chain zone_ABC_forward
Table: NAT
Chain PREROUTING (Policy: ACCEPT)
Chain POSTROUTING (Policy: ACCEPT)
Chain postrouting_rule
Chain zone_ABC_prerouting
Chain zone_WAN_nat
Chian zone_WAN_prerouting
Table: Mangle
Chain FORWARD (Policy ACCEPT)
Chain zone_WAN_MSSFIX
Table: Raw
Chain PREROUTING (Policy ACCEPT) 不能把firewall全删掉——导致browser和putty都不能进入系统。
要用Failsafe mode去重置router到default settings:router IP=192.168.1.1,然后client's IP用router的DHCP server。
頁:
[1]