楼主: goon86

路由策略请教! [复制链接]

21 [报告]
发表于 2010-03-17 17:33 |只看该作者
哦对了,没做策略路由之类的吧。

另外贴 iptables-save 看看。

22 [报告]
发表于 2010-03-17 17:40 |只看该作者
路由器的
/ # ifconfig
eth1      Link encap:Ethernet  HWaddr 00:11:C3:00:4A:A8  
          inet addr:192.168.1.1  Bcast:192.168.1.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)
          Interrupt:16 Base address:0x8000

eth1:1    Link encap:Ethernet  HWaddr 00:11:C3:00:4A:A8  
          inet addr:10.10.189.1  Bcast:10.10.10.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          Interrupt:16 Base address:0x8000

eth2      Link encap:Ethernet  HWaddr 00:12:7B:40:28:1F  
          inet addr:192.168.2.1  Bcast:192.168.2.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:4 errors:0 dropped:0 overruns:0 frame:0
          TX packets:42 errors:2 dropped:2 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:1312 (1.2 KiB)  TX bytes:2135 (2.0 KiB)

lo        Link encap:Local Loopback  
          inet addr:127.0.0.1  Mask:255.0.0.0
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)

ppp0      Link encap:Point-to-Point Protocol  
          inet addr:10.71.6.106  P-t-P:192.200.1.21  Mask:255.255.255.255
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1
          RX packets:3 errors:0 dropped:0 overruns:0 frame:0
          TX packets:5 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:3
          RX bytes:54 (54.0 B)  TX bytes:98 (98.0 B)


/ # route
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.200.1.21    *               255.255.255.255 UH    0      0        0 ppp0
192.168.2.0     *               255.255.255.0   U     0      0        0 eth2
192.168.1.0     *               255.255.255.0   U     0      0        0 eth1
10.10.189.0     *               255.255.255.0   U     0      0        0 eth1
127.0.0.0       *               255.0.0.0       U     0      0        0 lo
default         192.200.1.21    0.0.0.0         UG    0      0        0 ppp0
/ #

23 [报告]
发表于 2010-03-17 17:42 |只看该作者
arp 也没有

24 [报告]
发表于 2010-03-17 17:47 |只看该作者
#!/bin/ash
# Soho Router Firewall Script for Kendin Project
#   by Hui Jia (hjia@kendin.com)
#
#
# Assumptions:
#      the internal network is 192.168.1.0/24 on eth1
#      the internet IP is DHCP assigned
#
# Additionally:
#      you have another internal network, a DMZ: 192.168.2.0/24 on eth2
#      you have mail server on 192.168.1.10
#      you have web access on 192.168.0.100
#

# LAN-side addressing.
# LANIPC becomes the first three octets of the LAN ("192.168.<n>"), where <n>
# is the third dot-separated field of what `sysconfig -p -L` prints.
LANIPC="192.168.$(/bin/sysconfig -p -L | cut -d. -f3)"
SYS26=26             # not referenced anywhere else in the visible script
WLANIP=192.168.2.1   # used by the FORWARD state rules at the end of the script

# SERIP is the internal host that receives the fixed DNAT rules further down
# (GRE, tcp 5039/1723, udp 3176/5060/4569/10000:20000).
# If `sysconfig -p -t` prints YES it is host .2 on the LAN, otherwise it is
# whatever `sysconfig -p -q` prints.
# NOTE(review): the meaning of the -t and -q settings is not visible here;
# confirm against the sysconfig tool.
SERHARIP=$(/bin/sysconfig -p -t)
case "$SERHARIP" in
  YES) SERIP="${LANIPC}.2" ;;
  *)   SERIP=$(/bin/sysconfig -p -q) ;;
esac

# NAT on/off switch: `sysconfig -p -X` printing YES means NAT is disabled.
BLOCK=$(/bin/sysconfig -p -X)
case "$BLOCK" in
  YES)
    # Swap in the "NAT disabled" web pages, stop the DHCP server, move eth1
    # to 192.168.10.1 and stop.  No iptables command runs on this path, so
    # whatever rules are already loaded in the kernel stay as they are.
    /bin/cp /web/disnat_mlTree.html /web/mlTree.html
    /bin/cp /web/disnat_index.html /web/index.html
    /usr/bin/killall -9 udhcpd > /dev/null 2>&1
    echo nat is disable
    /sbin/ifconfig eth1 192.168.10.1
    exit
    ;;
  NO)
    # NAT enabled: install the regular web pages and carry on.
    /bin/cp /web/en_mlTree.html /web/mlTree.html
    /bin/cp /web/ennat_index.html /web/index.html
    ;;
esac



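# LAN-facing interface: the bridge br0 once the WLAN bridge has been started
# (WLANBRSTARTED = 1), plain eth1 otherwise.
WLAN=$(/bin/sysconfig -p -VWLANBRSTARTED)
if [ "$WLAN" = "1" ]; then
  FACE=br0
else
  FACE=eth1
fi

# LANIP = first three octets of the LAN interface address,
# LAN   = "<LANIP>.0/<netmask>" as used by the FORWARD rules below.
# Match "inet addr:" rather than "addr:" so that an "inet6 addr:" line cannot
# add a second line to the value.
LANIP=$(/sbin/ifconfig "$FACE" | grep 'inet addr:' | cut -d. -f1-3 | cut -d: -f2)
LAN=$LANIP.0/$(/sbin/ifconfig "$FACE" | grep Mask | cut -d: -f4)
PPPOE=$(/bin/sysconfig -p -Es)
G3=$(/bin/sysconfig -p -Cc)

# PPPoE and 3G both use ppp0 as the WAN interface and take the MTU from
# `sysconfig -p -J`; for 3G, PPPOE is forced to YES.  Everything else uses
# eth0 and the MTU from `sysconfig -p -u`.
if [ "$PPPOE" = "YES" ] || [ "$G3" = "3g" ]; then
  ETH0=ppp0
  PPPOE=YES
  MTU=$(/bin/sysconfig -p -J)
else
  ETH0=eth0
  MTU=$(/bin/sysconfig -p -u)
fi

# WAN address.  The original put "> /dev/null 2>&1" after the assignment;
# whether a redirection on a bare assignment reaches the command substitution
# is shell-dependent, so ifconfig's stderr is silenced inside the pipeline
# instead.  Cutting at the first space yields the bare address for both the
# "P-t-P:" (ppp) and "Bcast:" (ethernet) line layouts, without the trailing
# blanks the old cut -dP / cut -dB left behind.
WANIP=$(/sbin/ifconfig "$ETH0" 2>/dev/null | grep 'inet addr:' | cut -d: -f2 | cut -d' ' -f1)

if [ -z "$WANIP" ]; then
  echo "WAN Port is not assigned an IP address, firewall is not set, exit"
  # NOTE(review): this stores FIREON=NO.  If the write persists, the next run
  # takes the FIREON=NO path further down, which enables NAT and the fixed
  # DNAT rules but none of the FORWARD/INPUT filtering.  Confirm that a
  # transient WAN outage is meant to have that effect.
  sysconfig -w -VFIREON=NO
  exit 1
fi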


# DHCP server start-up (moved here from godhcp by goon86).
# Original notes: needed with dhcp-2.0pl5 (source shipped with RedHat 7.1);
# socket filtering has to be enabled in the kernel build.
DHCPS=$(/bin/sysconfig -p -Cs)
case "$DHCPS" in
  YES)
    # NOTE(review): `sysconfig -c` presumably regenerates the udhcpd
    # configuration; confirm against the sysconfig tool.
    /bin/sysconfig -c
    touch /var/lib/misc/udhcpd.leases
    # Restart: stop a running daemon (pid file present) before launching.
    [ -f /var/run/udhcpd.pid ] && /usr/bin/killall udhcpd
    udhcpd
    ;;
esac


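IPTABLES=/sbin/iptables

# Start from a clean slate every time the rule set is rebuilt.
$IPTABLES -t nat -F PREROUTING
$IPTABLES -t nat -F POSTROUTING
# The TCPMSS rules further down are appended to mangle PREROUTING on every
# run; without this flush each re-run stacks another copy of them.
$IPTABLES -t mangle -F PREROUTING
$IPTABLES -F INPUT
$IPTABLES -F OUTPUT
$IPTABLES -F FORWARD

# Default policies for packets going through this box.
$IPTABLES -t nat -P PREROUTING ACCEPT
$IPTABLES -t nat -P POSTROUTING ACCEPT
$IPTABLES -P FORWARD ACCEPT

# Default policies for packets entering or leaving the box itself.
# NOTE(review): with FORWARD and INPUT defaulting to ACCEPT, the DROP rules
# added later act as a deny-list: anything they do not match is allowed.  In
# the visible script the only INPUT drops are WAN tcp/80 and echo-request, so
# any other service on the router itself stays reachable from the WAN.
$IPTABLES -P OUTPUT ACCEPT
$IPTABLES -P INPUT ACCEPT

# Kill spoofed packets: enable reverse-path filtering on every interface.
for f in /proc/sys/net/ipv4/conf/*/rp_filter; do
  [ -e "$f" ] || continue   # glob matched nothing
  echo 1 > "$f"
done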

# Second NAT-disabled check.  The check near the top of the script already
# exits when this setting is YES, so this one only fires if the value changed
# in between.  Exiting here leaves the chains flushed with ACCEPT policies
# and no NAT rules.
BLOCK=$(/bin/sysconfig -p -X)
case "$BLOCK" in
  YES)
    /bin/cp /web/disnat_mlTree.html /web/mlTree.html
    echo nat is disable
    exit
    ;;
esac



# WAN MTU: `sysconfig -p -J` for PPPoE, `sysconfig -p -u` otherwise.
# NOTE(review): PPPOE is re-read from sysconfig here, which discards the
# PPPOE=YES that the interface-selection code above forces for 3G.  A 3G link
# therefore gets the -u MTU and skips the clamp below; confirm that is wanted.
PPPOE=$(/bin/sysconfig -p -Es)
case "$PPPOE" in
  YES) MTU=$(/bin/sysconfig -p -J) ;;
  *)   MTU=$(/bin/sysconfig -p -u) ;;
esac

# PPPoE cannot carry more than 1492 bytes; clamp anything at or above that.
MAX=1492
if [ "$MTU" -ge "$MAX" ] && [ "$PPPOE" = "YES" ]; then
  MTU=1492
fi

# MSS = MTU minus 40 bytes of IP + TCP header.  expr is kept because the
# original carried a commented-out $(( )) variant, which suggests shell
# arithmetic was tried and dropped on this target.
MSS=$(expr $MTU - 40)

/sbin/ifconfig $ETH0 mtu $MTU

# Rewrite the MSS option on SYN and SYN/ACK segments.  These rules are
# appended (-A) to mangle PREROUTING.
for syn_match in "--syn" "--tcp-flags SYN,ACK SYN,ACK"; do
  $IPTABLES -t mangle -A PREROUTING -j TCPMSS -p tcp $syn_match --set-mss $MSS
done


# PPTP pass-through (tcp/1723 control channel plus IP protocol 47, GRE).
# The rules are inserted at the head of FORWARD (-I), so they match before
# any DROP appended later.  The network is hard-coded rather than taken from
# $LAN.
pptp_lan=192.168.1.0/24
$IPTABLES -I FORWARD -p tcp -s $pptp_lan --dport 1723 -j ACCEPT
$IPTABLES -I FORWARD -p 47 -s $pptp_lan -j ACCEPT
$IPTABLES -I FORWARD -p 47 -d $pptp_lan -j ACCEPT

# "Firewall off" mode: NAT only.
# NOTE(review): on this path every chain keeps its ACCEPT policy and no
# filtering rule is installed, while GRE and the ports below are forwarded
# from the WAN to $SERIP.  That host is then directly exposed on those ports.
FIRE=$(/bin/sysconfig -p -VFIREON)
case "$FIRE" in
  NO)
    $IPTABLES -t nat -A PREROUTING -p 47 -i $ETH0  -j DNAT --to $SERIP
    for fwd_port in 5039 1723; do
      $IPTABLES -t nat -A PREROUTING -p tcp -i $ETH0 --dport $fwd_port -j DNAT --to $SERIP
    done
    for fwd_port in 3176 5060 4569 10000:20000; do
      $IPTABLES -t nat -A PREROUTING -p udp -i $ETH0 --dport $fwd_port -j DNAT --to $SERIP
    done
    $IPTABLES -t nat -A POSTROUTING -o $ETH0 -j MASQUERADE
    echo "1" >/proc/sys/net/ipv4/ip_forward
    echo "1" >/proc/sys/net/ipv4/ip_dynaddr
    echo "firewall is not enabled but NAT is on."
    exit
    ;;
esac

# Anti-spoofing on the LAN port: drop anything forwarded in from eth1 whose
# source is outside $LAN.
# NOTE(review): the interface is hard-coded to eth1 even when $FACE is br0.
# Any second subnet configured on eth1 (for example an alias address such as
# eth1:1) is outside $LAN, so its forwarded traffic is dropped here.
$IPTABLES -A FORWARD -i eth1 -s ! $LAN -j DROP

# Anything coming from the Internet should have a real Internet address.
# These WAN-side private-source drops are disabled ("del by goon86 for lan"),
# so private source addresses arriving on $ETH0 are not rejected:
#$IPTABLES -A FORWARD -i $ETH0 -s 192.168.1.0/16 -j DROP
#$IPTABLES -A FORWARD -i $ETH0 -s 172.16.0.0/12 -j DROP
#$IPTABLES -A FORWARD -i $ETH0 -s 10.0.0.0/8 -j DROP
# Note: there are more "reserved" networks, but these are the classical ones.

# Block file-sharing protocols that are not meant to leave the LAN:
#   137:139  SMB / Windows file sharing
#   635      NFS mount service
#   2049     NFS
#   111      portmapper
# NOTE(review): the match is on the SOURCE port, so it catches packets sent
# from those service ports (replies), not requests sent to them; confirm
# --sport rather than --dport is intended.
for sport in 137:139 635 2049 111; do
  for proto in tcp udp; do
    $IPTABLES -A FORWARD -p $proto --sport $sport -j DROP
  done
done

# Optional: stop the router from answering pings that arrive on the WAN
# interface.  Only INPUT is affected; the FORWARD variant was commented out
# in the original, so echo requests routed through the box are not touched.
PING=$(/bin/sysconfig -p -B)
case "$PING" in
  YES)
    $IPTABLES -A INPUT -i $ETH0 -p icmp --icmp-type echo-request -j DROP
    echo "Disable pinging from outside. Interface=$ETH0"
    ;;
esac

# Block incoming syslog, lpr, rsh, rexec... (tcp 515, 514, 512 from the WAN).
# NOTE(review): this is keyed on the NAT-disabled setting, and the script has
# already exited above when that setting is YES, so these rules look
# unreachable in practice.
BLOCK=$(/bin/sysconfig -p -X)
case "$BLOCK" in
  YES)
    for blocked_port in 515 514 512; do
      $IPTABLES -A FORWARD -i $ETH0 -p tcp --dport $blocked_port -j DROP
    done
    ;;
esac

# Transparent redirect of all outgoing mail to a relay host (disabled):
#SMTP=192.168.1.10
#$IPTABLES -t nat -A PREROUTING -i eth1 -p tcp --dport 25 -j DNAT --to $SMTP

# Remote administration of the router's web interface.
# SIP is the address of the LAN-facing interface ($FACE).
RADM=$(/bin/sysconfig -p -A)
SIP=$(/sbin/ifconfig "$FACE" | grep addr: | cut -d: -f2 | cut -d" " -f1)
case "$RADM" in
  YES)
    # NOTE(review): this publishes the web UI on the WAN address over plain
    # tcp/80 with no source restriction.
    $IPTABLES -t nat -A PREROUTING -i $ETH0 -d $WANIP -p tcp --dport 80 -j DNAT --to $SIP
    ;;
  *)
    $IPTABLES -A INPUT -i $ETH0 -p tcp --dport 80 -j DROP
    echo "Disable remote access to Webserver. Interface=$ETH0"
    ;;
esac

# Redirect connections arriving on the WAN address to internal servers.
# Up to five entries are read with `sysconfig -p -Z n<i>`; each one is split
# at ':' into address (field 1) and port (field 2).  An entry printing END is
# skipped.
for INDX in 1 2 3 4 5; do
  DPORT=$(/bin/sysconfig -p -Z "n$INDX" | cut -d: -f2)
  DIP=$(/bin/sysconfig -p -Z "n$INDX" | cut -d: -f1)
  [ "$DPORT" = "END" ] && continue
  $IPTABLES -t nat -A PREROUTING -i $ETH0 -d $WANIP -p tcp --dport $DPORT -j DNAT --to $DIP
done

# Source NAT for everything leaving through the WAN interface.  MASQUERADE is
# used instead of the fixed form below:
# $IPTABLES -t nat -A POSTROUTING -o $ETH0 -j SNAT --to $WANIP
$IPTABLES -t nat -A POSTROUTING -o $ETH0 -j MASQUERADE


# (The established/related ACCEPT rules that the original comment here
# described are added at the very end of the script.)

# MAC filter: up to five entries from `sysconfig -p -M s=n<i>`, each holding
# one or two space-separated MAC addresses.  END marks an unused slot and
# "0.0.0.0.0.0" an unset address.
# NOTE(review): the drop is inserted into nat PREROUTING, not into the filter
# table (the FORWARD/INPUT variants were commented out in the original).  The
# nat table is not meant for filtering and newer iptables releases refuse
# DROP there; confirm this still loads on the target.
for IP in 1 2 3 4 5; do
  FIP=$(/bin/sysconfig -p -M s="n$IP")
  [ "$FIP" = "END" ] && continue

  # First address of the entry.
  FIP=$(/bin/sysconfig -p -M s="n$IP" | cut -d" " -f1)
  if [ "$FIP" = "0.0.0.0.0.0" ]; then
    echo "Invalid MAC address"       
  else
    $IPTABLES -t nat -I PREROUTING -m mac --mac-source $FIP -j DROP
  fi

  # Optional second address of the entry.
  FIP=$(/bin/sysconfig -p -M s="n$IP" | cut -d" " -f2)
  case "$FIP" in
    " " | "0.0.0.0.0.0") ;;
    *) $IPTABLES -t nat -I PREROUTING -m mac --mac-source $FIP -j DROP ;;
  esac
done

# Per-entry port forwarding ("virtual servers"): up to ten entries from
# `sysconfig -p -R n<i>`.  From each entry:
#   FIP  = 4th dot-separated field (last octet of the LAN target)
#   PORT = text before the first '-'
#   PROT = 3rd space-separated field ("all" means both tcp and udp)
# The traffic is DNATed to $LANIPC.$FIP.
# NOTE(review): an entry is treated as GRE (protocol 47, on ppp0 only)
# whenever the first two characters of PORT are "47", which also matches
# ports such as 4700-4799.  Confirm the entry format before tightening this.

echo cir port vvv

for IP in 1 2 3 4 5 6 7 8 9 10; do
  FIP=$(/bin/sysconfig -p -R "n$IP" | cut -d. -f4)
  PORT=$(/bin/sysconfig -p -R "n$IP" | cut -d- -f1 )
  JUST=$(/bin/echo $PORT | cut -c1,2)
  [ "$FIP" = "END" ] && continue

  PROT=$(/bin/sysconfig -p -R "n$IP" | cut -d" " -f3)
  if [ "$JUST" = "47" ]; then
    # Same rule whatever PROT says.
    $IPTABLES -t nat -A PREROUTING -p 47 -i ppp0  -j DNAT --to $LANIPC.$FIP
  elif [ "$PROT" = "all" ]; then
    $IPTABLES -t nat -A PREROUTING -p tcp -i $ETH0 --dport $PORT -j DNAT --to $LANIPC.$FIP
    $IPTABLES -t nat -A PREROUTING -p udp -i $ETH0 --dport $PORT -j DNAT --to $LANIPC.$FIP
  else
    $IPTABLES -t nat -A PREROUTING -p $PROT -i $ETH0 --dport $PORT -j DNAT --to $LANIPC.$FIP
  fi
done

# Fixed forwards from the WAN to $SERIP: GRE (protocol 47), tcp 5039 and
# 1723, udp 3176, 5060, 4569 and the 10000:20000 range.  The same list is
# installed on the FIREON=NO path earlier in the script.
# An ftp (tcp/21) forward existed once and is disabled:
#$IPTABLES -t nat -A PREROUTING -p tcp -i $ETH0 --dport 21 -j DNAT --to $SERIP
# NOTE(review): these are unconditional; there is no setting in the visible
# script that switches them off, so $SERIP is always reachable from the WAN
# on these ports.
$IPTABLES -t nat -A PREROUTING -p 47 -i $ETH0  -j DNAT --to $SERIP
for fwd_port in 5039 1723; do
  $IPTABLES -t nat -A PREROUTING -p tcp -i $ETH0 --dport $fwd_port -j DNAT --to $SERIP
done
for fwd_port in 3176 5060 4569 10000:20000; do
  $IPTABLES -t nat -A PREROUTING -p udp -i $ETH0 --dport $fwd_port -j DNAT --to $SERIP
done


# Source-range filter (the original heading said "destination ip filter", but
# the rules below match on --src-range and the entries are read with s=).
# Up to five entries come from `sysconfig -p -F s=n<i>`; END marks an unused
# slot.  Matching forwarded traffic is dropped.

# Initial value only; overwritten on the first loop iteration.
GIP="1"
for IP in 1 2 3 4 5
do
   GIP=$(/bin/sysconfig -p -F s="n$IP")
   if [ "$GIP" != "END" ]; then
     # Third space-separated field of the entry; "all" means tcp and udp.
     FIP=$(/bin/sysconfig -p -F s="n$IP" | cut -d" " -f3)
#     GIP=$(echo $GIP | sed s/\\/255.255.255/-$LANIPC/)
     if [ "$FIP" = "all" ]; then
       # The first sed replaces the text "/255.255.255" with "-$LANIPC", so
       # "<start>/255.255.255.<n>" becomes the range "<start>-<LANIPC>.<n>".
       # The second sed swaps "all" for a concrete protocol.
       # $FIP is expanded unquoted on purpose: every word of the rewritten
       # entry becomes its own iptables argument.
       # NOTE(review): presumably the entry carries "-p <proto>" after the
       # range; confirm the format.  The values come straight from the
       # stored configuration, so anything in them reaches the iptables
       # command line unchecked.
       FIP=$(/bin/sysconfig -p -F s="n$IP" | sed s/\\/255.255.255/-$LANIPC/ | sed s/all/tcp/)
       $IPTABLES -A FORWARD -m iprange --src-range $FIP -j DROP
       FIP=$(/bin/sysconfig -p -F s="n$IP" | sed s/\\/255.255.255/-$LANIPC/ | sed s/all/udp/)
       $IPTABLES -A FORWARD -m iprange --src-range $FIP -j DROP
     else
       # Single protocol: same range rewrite, entry passed through as is.
              FIP=$(/bin/sysconfig -p -F s="n$IP" | sed s/\\/255.255.255/-$LANIPC/)
       $IPTABLES -A FORWARD -m iprange --src-range $FIP -j DROP
     fi
   fi
done

# Destination filter (the original heading said "port forwarding", but these
# rules drop): up to five entries from `sysconfig -p -F d=n<i>`; forwarded
# traffic addressed to each one is dropped.  END marks an unused slot.
for IP in 1 2 3 4 5; do
  FIP=$(/bin/sysconfig -p -F d="n$IP")
  [ "$FIP" = "END" ] && continue
  $IPTABLES -A FORWARD -d $FIP -j DROP
done

# RLQ, port filtering: up to five entries from `sysconfig -p -Ts=n<i>`.
# Each entry is split at '-': the part before it is the port, the part after
# it is pasted behind a '-' to form the protocol option.
# NOTE(review): $PRO is expanded unquoted on purpose so that it can split
# into an option and its value (presumably "p tcp" or "p udp"; confirm).
# sysconfig is called without a path here, unlike the rest of the script.
for ENTRY in 1 2 3 4 5; do
  VAL=$(sysconfig -p -Ts="n$ENTRY")
  [ "$VAL" = "END" ] && continue
  PORT=$(sysconfig -p -Ts="n$ENTRY" | grep p | cut -d- -f1)
  PRO=$(sysconfig -p -Ts="n$ENTRY" | grep p | cut -d- -f2)
  $IPTABLES -A FORWARD -$PRO --dport $PORT -j DROP
done

# Stateful ACCEPT rules, first for the LAN network and then for the WLAN
# address: new and existing connections from it, plus established/related
# traffic from elsewhere and back towards it.
# NOTE(review): the FORWARD policy set earlier is ACCEPT, so a packet that
# matches none of these rules is still forwarded.  They would only restrict
# traffic if the policy (or a final catch-all rule) were DROP.
for inside in $LAN $WLANIP; do
  $IPTABLES -A FORWARD -m state --state NEW,RELATED,ESTABLISHED -s $inside -j ACCEPT
  $IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -s ! $inside -j ACCEPT
  $IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -d $inside -j ACCEPT
done

# Activate ip forwarding!
echo "1" >/proc/sys/net/ipv4/ip_forward
echo "1" >/proc/sys/net/ipv4/ip_dynaddr

# Second pair of MSS rules with a fixed value of 1400, appended after the
# $MSS pair installed earlier.
# NOTE(review): TCPMSS does not, as far as I know, stop rule traversal, so
# the later rule would decide the final MSS; confirm which value is intended.
for syn_match in "--syn" "--tcp-flags SYN,ACK SYN,ACK"; do
  $IPTABLES -t mangle -A PREROUTING -j TCPMSS -p tcp $syn_match --set-mss 1400
done

25 [报告]
发表于 2010-03-17 17:52 |只看该作者
哥哥,这是个什么脚本啊。晕死了。iptables-save 直接这样看看。

26 [报告]
发表于 2010-03-17 18:01 |只看该作者
只有这个了,在嵌入式下都给改过了。。iptables的所有的都在这里了

27 [报告]
发表于 2010-03-17 18:03 |只看该作者
只有这个了,在嵌入式下都给改过了。。iptables的所有的都在这里了。。,没有iptables-save
/ # iptables-save
/bin/sh: iptables-save: not found

28 [报告]
发表于 2010-03-17 18:04 |只看该作者
/ # iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
DROP       tcp  --  anywhere             anywhere            tcp dpt:http

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         
ACCEPT     47   --  anywhere             192.168.1.0/24      
ACCEPT     47   --  192.168.1.0/24       anywhere            
ACCEPT     tcp  --  192.168.1.0/24       anywhere            tcp dpt:1723
DROP       all  -- !192.168.1.0/24       anywhere            
DROP       tcp  --  anywhere             anywhere            tcp spts:137:139
DROP       udp  --  anywhere             anywhere            udp spts:137:139
DROP       tcp  --  anywhere             anywhere            tcp spt:635
DROP       udp  --  anywhere             anywhere            udp spt:635
DROP       tcp  --  anywhere             anywhere            tcp spt:2049
DROP       udp  --  anywhere             anywhere            udp spt:2049
DROP       tcp  --  anywhere             anywhere            tcp spt:111
DROP       udp  --  anywhere             anywhere            udp spt:111
ACCEPT     all  --  192.168.1.0/24       anywhere            state NEW,RELATED,ESTABLISHED
ACCEPT     all  -- !192.168.1.0/24       anywhere            state RELATED,ESTABLISHED
ACCEPT     all  --  anywhere             192.168.1.0/24      state RELATED,ESTABLISHED
ACCEPT     all  --  192.168.2.1          anywhere            state NEW,RELATED,ESTABLISHED
ACCEPT     all  -- !192.168.2.1          anywhere            state RELATED,ESTABLISHED
ACCEPT     all  --  anywhere             192.168.2.1         state RELATED,ESTABLISHED

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         
/ #

29 [报告]
发表于 2010-03-17 18:23 |只看该作者
你把ICMP完全放开,再试一次看看。太奇怪了。

30 [报告]
发表于 2010-03-17 18:32 |只看该作者
iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT

还是不行