| OpenWrt 防火墙配置 /etc/config/firewall | 您所在的位置:网站首页 › firewallrules 里面 360netrepair › OpenWrt 防火墙配置 /etc/config/firewall |
OpenWrt 防火墙配置 /etc/config/firewall
|
防火墙配置 /etc/config/firewall
OpenWrt 的防火墙管理应用fw3具有三种配置机制 配置文件: /etc/firewall.user/etc/config/firewall本 wiki 中的大部分信息将集中在配置文件和内容上。LuCI 和 UCI 接口是用户抽象,最终修改配置文件。 管理 主要的防火墙配置文件是/etc/config/firewall,编辑此文件以修改防火墙设置 在进行更改之前创建防火墙配置的备份 如果更改导致与路由器的连接丢失,您需要在故障安全模式下访问它以恢复备份 一旦设置被更改,并经过双重检查,通过/etc/init.d/firewall reload 重新加载防火墙 这是一个简单的 shell 脚本,调用fw3 reload,并将在解析新的防火墙配置时将诊断信息打印到控制台。 检查错误! # 开头用于注释,不解析 注释用于描述、解释或快速注释掉某个部分 /etc/config/firewall涵盖了合理的NetFilter规则子集,但并非全部 为了提供更多功能,UCI 防火墙配置中添加了一个include部分,用于加载包含本机 iptables 指令的文件 这是作为 shell 脚本处理的,允许向其中添加任何 shell 命令,但重点是通过添加 iptables 命令来使用 netfilter 子系统 用法见fw3配置示例 尽可能使用 fw3 防火墙 UCI 配置 有一些场景iptables需要命令 有关更多信息,请参阅OpenWrt 中的 Netfilter Web interface instructionsLuCI是一种很好的查看和修改防火墙配置的机制。 它位于**网络 → 防火墙下,**并与配置文件部分紧密映射。修改防火墙配置需要更长的时间,但比配置文件具有更高的组织级别。使用Save & Apply按钮进行更改并重新加载。 LuCI 将从中删除所有注释 [ #] 行/etc/config/firewall! Command-line instructionsUCI是对配置文件的低级抽象,可以通过SSH远程访问。 uci add firewall rule uci set firewall.@rule[-1].name='Reject VPN to LAN traffic' uci set firewall.@rule[-1].src='vpn' uci set firewall.@rule[-1].dest='lan' uci set firewall.@rule[-1].proto='all' uci set firewall.@rule[-1].target='REJECT' uci commit firewall service firewall restart显示防火墙配置: # uci show firewall firewall.@rule[20]=rule firewall.@rule[20].name='Reject VPN to LAN traffic' firewall.@rule[20].src='vpn' firewall.@rule[20].dest='lan' firewall.@rule[20].proto='all' firewall.@rule[20].target='REJECT' ...UCI对于查看防火墙配置很有用,但由于以下原因不能进行任何有意义的修改: 防火墙规则需要进入规则数组的位置以使其工作(类似于iptables -I)uci无法识别/etc/firewall.user脚本中的内容。uci commit需要保存更改,但仍需要/etc/init.d/firewall reload重新加载新表。 配置部分以下是可能在防火墙配置中定义的部分类型的概述。 路由器的最小防火墙配置通常包括一个默认部分、至少两个区域(lan和wan)和一个转发以允许从lan到 的流量wan。 当区域不超过两个时,转发部分不是严格要求的,因为可以将规则设置为该区域的“全局默认值”。 Defaults该defaults部分声明了不属于特定区域的全局防火墙设置 config defaults option input 'ACCEPT' option output 'ACCEPT' option forward 'REJECT' option custom_chains '1' option drop_invalid '1' option syn_flood '1' option synflood_burst '50' option synflood_protect '1' option tcp_ecn '1' option tcp_syncookies '1' option tcp_window_scaling '1'Options NameTypeRequiredDefaultDescriptioninputstringnoREJECTSet policy for the INPUT chain of the filter table.forwardstringnoREJECTSet policy for the FORWARD chain of the filter table.outputstringnoREJECTSet policy for the OUTPUT chain of the filter table.drop_invalidbooleanno0Drop invalid packets (e.g. not matching any active connection).syn_floodbooleanno0Enable [SYN flood](https://en.wikipedia.org/wiki/SYN flood) protection (obsoleted by synflood_protect setting).synflood_protectbooleanno0Enable [SYN flood](https://en.wikipedia.org/wiki/SYN flood) protection.synflood_ratestringno25Set rate limit (packets/second) for SYN packets above which the traffic is considered a flood.synflood_burststringno50Set burst limit for SYN packets above which the traffic is considered a flood if it exceeds the allowed rate.tcp_syncookiesbooleanno1Enable the use of [SYN cookies](https://en.wikipedia.org/wiki/SYN cookies).tcp_ecnbooleanno0Enable/Disable Explicit Congestion Notification. Implemented upstream in Linux Kernel. See ip-sysctl.txt.tcp_window_scalingbooleanno1Enable TCP window scaling.accept_redirectsbooleanno0Accepts redirects. Implemented upstream in Linux Kernel. See ip-sysctl.txt.accept_source_routebooleanno0Implemented upstream in Linux Kernel. See ip-sysctl.txt.custom_chainsbooleanno1Enable generation of custom rule chain hooks for user generated rules. User rules would be typically stored in firewall.user but some packages e.g. BCP38 also make use of these hooks.disable_ipv6booleanno0Disable IPv6 firewall rules.flow_offloadingbooleanno0Enable software flow offloading for connections. (decrease cpu load / increase routing throughput)flow_offloading_hwbooleanno0Enable hardware flow offloading for connections. (depends on flow_offloading and hw capability)tcp_reject_codereject_codeno0Defined in firewall3/options.h. Seems to determine method of packet rejection; (tcp reset, or drop, vs ICMP Destination Unreachable, or closed)any_reject_codereject_codeno1Defined in firewall3/options.h. Seems to determine method of packet rejection; (tcp reset, or drop, vs ICMP Destination Unreachable, or closed)auto_helperboolno1Enable Conntrack helpers Zones该zone 部分将一个或多个网络接口组合在一起,作为转发、规则和重定向的源或目的 config zone option name 'wan' option network 'wan wan6' option input 'REJECT' option output 'ACCEPT' option forward 'REJECT' option masq '1' option mtu_fix '1'MASQUERADE (NAT) of outgoing traffic (WAN) is controlled on a per-zone basis on the outgoing interface. INPUT rules for a zone describe what happens to traffic trying to reach the router itself through an interface in that zone. OUTPUT rules for a zone describe what happens to traffic originating from the router itself going through an interface in that zone. FORWARD rules for a zone describe what happens to traffic passing between different interfaces belonging in the same zone. Options NameTypeRequiredDefaultDescriptionnamezone nameyes(none)Unique zone name. 11 characters is the maximum working firewall zone name length.networklistno(none)List of interfaces attached to this zone. If omitted and neither extra* options, subnets nor devices are given, the value of name is used by default. Alias interfaces defined in the network config cannot be used as valid ‘standalone’ networks. Use list syntax.masqbooleanno0Specifies whether outgoing zone traffic should be masqueraded. This is typically enabled on the wan zone.masq_srclist of subnetsno0.0.0.0/0Limit masquerading to the given source subnets. Negation is possible by prefixing the subnet with !; multiple subnets are allowed.masq_destlist of subnetsno0.0.0.0/0Limit masquerading to the given destination subnets. Negation is possible by prefixing the subnet with !; multiple subnets are allowed.masq_allow_invalidbooleanno0Do not add DROP INVALID rules, if masquerading is used. The DROP rules are supposed to prevent NAT leakage (see commit in firewall3).mtu_fixbooleanno0Enable MSS clamping for outgoing zone traffic.inputstringnoDROPDefault policy (ACCEPT, REJECT, DROP) for incoming zone traffic.forwardstringnoDROPDefault policy (ACCEPT, REJECT, DROP) for forwarded zone traffic.outputstringnoDROPDefault policy (ACCEPT, REJECT, DROP) for outgoing zone traffic.familystringnoanyThe protocol family (ipv4, ipv6 or any) these iptables rules are for. Defaults to any, but automatically degrades to ipv4 or ipv6 if respective addresses are listed in the same section.logintno0Bit field to enable logging in the filter and/or mangle tables, bit 0 = filter, bit 1 = mangle. (Since r6397-7cc9914aae)log_limitstringno10/minuteLimits the amount of log messages per interval.devicelistno(none)List of L3 network interface names attached to this zone, e.g. tun+ or ppp+ to match any TUN or PPP interface. This is specifically suitable for undeclared interfaces which lack built-in netifd support such as OpenVPN. Otherwise network is preferable and device should be avoided.subnetlistno(none)List of IP subnets attached to this zone.extrastringno(none)Extra arguments passed directly to iptables. Note that these options are passed to both source and destination classification rules, therefor direction-specific options like --dport should not be used here - in this case the extra_src and extra_dest options should be used instead.extra_srcstringnoValue of extraExtra arguments passed directly to iptables for source classification rules.extra_deststringnoValue of extraExtra arguments passed directly to iptables for destination classification rules.custom_chainsboolno1Enable generation of custom rule chain hooks for user generated rules. Has no effect if disabled (0) in the defaults section (see above).enabledboolnoyesif set to 0, zone is disabledauto_helperboolno1 for non-masq zoneAdd CT helpers for zonehelpercthelperno(none)List of helpers to add to zone ForwardingsThe forwarding 控制 zone 之间的转发, and may enable MSS clamping for specific directions. config forwarding option src 'lan' option dest 'wan'一条forwarding规则只涵盖一个方向。为了允许两个区域之间的双向流量流,需要两个forwarding NameTypeRequiredDefaultDescriptionnameforward nameno(none)Unique forwarding name.srczone nameyes(none)Specifies the traffic source zone. Refers to one of the defined zone names. For typical port forwards this usually is ‘wan’.destzone nameyes(none)Specifies the traffic destination zone. Refers to one of the defined zone namesmtu_fixbooleanno0Enable MSS clamping for traffic flowing from the source zone to the destination zone (Deprecated and moved to zone sections in 8.09.2+)familystringnoanyProtocol family (ipv4, ipv6 or any) to generate iptables rules for.enabledboolnoyesif set to 0, forward is disabled Rules该rule部分用于定义基本的接受、丢弃或拒绝规则,以允许或限制对特定端口或主机的访问。 config rule option name 'Reject LAN to WAN for custom IP' option src 'lan' option src_ip '192.168.1.2' option src_mac '00:11:22:33:44:55' option src_port '80' option dest 'wan' option dest_ip '194.25.2.129' option dest_port '120' option proto 'tcp' option target 'REJECT'在fw3 中,src和dest与目标相关联: 如果给定src和dest,则规则匹配 forwarded traffic 如果仅有src, 则规则匹配 incoming traffic 如果仅有dest, 则规则匹配 outgoing traffic 如果既没有src也没有dest给出, 则规则匹配 outgoing traffic 端口范围用start:stop 指定,例如6666:6670 (类似于 iptables 语法)。 Options NameTypeRequiredDefaultDescriptionnamestringno(none)Name of rulesrczone nameno(none)Specifies the traffic source zone. Refers to one of the defined zone names, or * for any zone. If omitted, the rule applies to output traffic.src_ipip addressno(none)Match incoming traffic from the specified source IP addresssrc_macmac addressno(none)Match incoming traffic from the specified MAC addresssrc_portport or rangeno(none)Match incoming traffic from the specified source port or port range, if relevant proto is specified. Multiple ports can be specified like ‘80 443 465’ 1.protoprotocol name or numbernotcp udpMatch incoming traffic using the given protocol. Can be one (or several when using list syntax) of tcp, udp, udplite, icmp, esp, ah, sctp, or all or it can be a numeric value, representing one of these protocols or a different one. A protocol name from /etc/protocols is also allowed. The number 0 is equivalent to all.icmp_typelist of type names or numbersnoanyFor protocol icmp select specific ICMP types to match. Values can be either exact ICMP type numbers or type names (see below).destzone nameno(none)Specifies the traffic destination zone. Refers to one of the defined zone names, or * for any zone. If specified, the rule applies to forwarded traffic; otherwise, it is treated as input rule.dest_ipip addressno(none)Match incoming traffic directed to the specified destination IP address. With no dest zone, this is treated as an input rule!dest_portport or rangeno(none)Match incoming traffic directed at the given destination port or port range, if relevant proto is specified. Multiple ports can be specified like ‘80 443 465’ 1.ipsetstringno(none)If specified, match traffic against the given ***ipset***. The match can be inverted by prefixing the value with an exclamation mark. You can specify the direction as ‘setname src’ or ‘setname dest’. The default if neither src nor dest are added is to assume srcmarkmark/maskno(none)If specified, match traffic against the given firewall mark, e.g. 0xFF to match mark 255 or 0x0/0x1 to match any even mark value. The match can be inverted by prefixing the value with an exclamation mark, e.g. !0x10 to match all but mark #16.start_datedate (yyyy-mm-dd)no(always)If specifed, only match traffic after the given date (inclusive).stop_datedate (yyyy-mm-dd)no(always)If specified, only match traffic before the given date (inclusive).start_timetime (hh:mm:ss)no(always)If specified, only match traffic after the given time of day (inclusive).stop_timetime (hh:mm:ss)no(always)If specified, only match traffic before the given time of day (inclusive).weekdayslist of weekdaysno(always)If specified, only match traffic during the given week days, e.g. sun mon thu fri to only match on sundays, mondays, thursdays and Fridays. The list can be inverted by prefixing it with an exclamation mark, e.g. ! sat sun to always match but on Saturdays and sundays.monthdayslist of datesno(always)If specified, only match traffic during the given days of the month, e.g. 2 5 30 to only match on every 2nd, 5th and 30rd day of the month. The list can be inverted by prefixing it with an exclamation mark, e.g. ! 31 to always match but on the 31st of the month.utc_timebooleanno0Treat all given time values as UTC time instead of local time.targetstringyesDROPFirewall action (ACCEPT, REJECT, DROP, MARK, NOTRACK) for matched trafficset_markmark/maskyes for target MARK(none)Zeroes out the bits given by mask and ORs value into the packet mark. If mask is omitted, 0xFFFFFFFF is assumedset_xmarkZeroes out the bits given by mask and XORs value into the packet mark. If mask is omitted, 0xFFFFFFFF is assumedfamilystringnoanyProtocol family (ipv4, ipv6 or any) to generate iptables rules for. Defaults to any, but automatically degrades to ipv4 or ipv6 if respective addresses are listed in the same section.limitstringno(none)Maximum average matching rate; specified as a number, with an optional /second, /minute, /hour or /day suffix. Examples: 3/minute, 3/min or 3/m.limit_burstintegerno5Maximum initial number of packets to match, allowing a short-term average above limitextrastringno(none)Extra arguments to pass to iptables. Useful mainly to specify additional match options, such as -m policy --dir in for IPsec.enabledbooleannoyesEnable or disable rule.devicestringno[外链图片转存失败,源站可能有防盗链机制,建议将图片保存下来直接上传(img-wv6nmfYf-1629945692459)(https://openwrt.org/lib/images/smileys/fixme.gif)] directiondirectionno[外链图片转存失败,源站可能有防盗链机制,建议将图片保存下来直接上传(img-2QduvSFI-1629945692467)(https://openwrt.org/lib/images/smileys/fixme.gif)] direction_outset_helpercthelperno[外链图片转存失败,源站可能有防盗链机制,建议将图片保存下来直接上传(img-5NeubI9B-1629945692472)(https://openwrt.org/lib/images/smileys/fixme.gif)]helpercthelperno[外链图片转存失败,源站可能有防盗链机制,建议将图片保存下来直接上传(img-yhfVGShW-1629945692474)(https://openwrt.org/lib/images/smileys/fixme.gif)]
ICMP name types address-mask-replyhost-redirectpongtime-exceededaddress-mask-requesthost-unknownport-unreachabletimestamp-replyanyhost-unreachableprecedence-cutofftimestamp-requestcommunication-prohibitedip-header-badprotocol-unreachableTOS-host-redirectdestination-unreachablenetwork-prohibitedredirectTOS-host-unreachableecho-replynetwork-redirectrequired-option-missingTOS-network-redirectecho-requestnetwork-unknownrouter-advertisementTOS-network-unreachablefragmentation-needednetwork-unreachablerouter-solicitationttl-exceededhost-precedence-violationparameter-problemsource-quenchttl-zero-during-reassemblyhost-prohibitedpingsource-route-failedttl-zero-during-transit Redirects端口转发 (DNAT) 由redirect部分定义。 端口重定向通常也称为“端口转发”或“虚拟服务器”。 指定源区域上与给定规则匹配的所有传入流量都将被定向到指定的内部主机。端口范围被指定为start:stop,例如6666:6670 (类似于 iptables 语法)。Destination NAT config redirect option name 'DNAT WAN to LAN for SSH' option src 'wan' option src_dport '19900' option dest 'lan' option dest_ip '192.168.1.1' option dest_port '22' option proto 'tcp' option target 'DNAT'如果 src_dport 未包含在 config 部分中,则在任何 port 上与其他配置选项匹配的数据包将被转发到该 config 部分中指定的目标端口。 这可能会给目标端口上运行的应用程序带来安全风险。 测试此问题的一种方法是使用 Gibson Research Corporation’s ShieldsUP! service, 并探测路由器上所需的端口. 响应可以是 open, closed, or stealth (drop). 在端口打开或关闭的情况下,数据包到达目标主机,并发送回确认/回复数据包. 而隐身(stealth)端口会丢弃数据包;从探测系统 (Gibson Research) 的角度来看,该系统无法明确知道这些数据包是否可能到达目标主机 Source NAT 伪装(Masquerade )是最常见的 SNAT 形式,将WAN的流量源更改为路由器的公共IP。SNAT 也可以手动完成: config redirect option name 'SNAT DMZ 192.168.1.250 to WAN 1.2.3.4 for ICMP' option src 'dmz' option src_ip '192.168.1.250' option src_dip '1.2.3.4' option dest 'wan' option proto 'icmp' option target 'SNAT'Options See also: List of SNAT options @ OpenWrt SNAPSHOT NameTypeRequiredDefaultDescriptionnamestringnostringName of redirectsrczone nameyes for DNAT target(none)Specifies the traffic source zone. Refers to one of the defined zone names. For typical port forwards this usually is wan.src_ipip addressno(none)Match incoming traffic from the specified source IP address.src_dipip addressyes for SNAT target(none)For DNAT, match incoming traffic directed at the given destination IP address. For SNAT rewrite the source address to the given address.src_macmac addressno(none)Match incoming traffic from the specified MAC address.src_portport or rangeno(none)Match incoming traffic originating from the given source port or port range on the client host.src_dportport or rangeno(none)For DNAT, match incoming traffic directed at the given destination port or port range on this host. For SNAT rewrite the source ports to the given value.protoprotocol name or numbernotcp udpMatch incoming traffic using the given protocol. Can be one (or several when using list syntax) of tcp, udp, udplite, icmp, esp, ah, sctp, or all or it can be a numeric value, representing one of these protocols or a different one. A protocol name from /etc/protocols is also allowed. The number 0 is equivalent to all.destzone nameyes for SNAT target(none)Specifies the traffic destination zone. Refers to one of the defined zone names. Irrelevant for DNAT target.dest_ipip addressno(none)For DNAT, redirect matches incoming traffic to the specified internal host. For SNAT, it matches traffic directed at the given address. For DNAT, if the dest_ip is not specified, the rule is translated in a iptables/REDIRECT rule, otherwise it is a iptables/DNAT rule.dest_portport or rangeno(none)For DNAT, redirect matched incoming traffic to the given port on the internal host. For SNAT, match traffic directed at the given ports. Only a single port or range can be specified, not disparate ports as with Rules (below).ipsetstringno(none)If specified, match traffic against the given ***ipset***. The match can be inverted by prefixing the value with an exclamation mark.markstringno(none)If specified, match traffic against the given firewall mark, e.g. 0xFF to match mark 255 or 0x0/0x1 to match any even mark value. The match can be inverted by prefixing the value with an exclamation mark, e.g. !0x10 to match all but mark #16.start_datedate (yyyy-mm-dd)no(always)If specifed, only match traffic after the given date (inclusive).stop_datedate (yyyy-mm-dd)no(always)If specified, only match traffic before the given date (inclusive).start_timetime (hh:mm:ss)no(always)If specified, only match traffic after the given time of day (inclusive).stop_timetime (hh:mm:ss)no(always)If specified, only match traffic before the given time of day (inclusive).weekdayslist of weekdaysno(always)If specified, only match traffic during the given week days, e.g. sun mon thu fri to only match on Sundays, Mondays, Thursdays and Fridays. The list can be inverted by prefixing it with an exclamation mark, e.g. ! sat sun to always match but on Saturdays and sundays.monthdayslist of datesno(always)If specified, only match traffic during the given days of the month, e.g. 2 5 30 to only match on every 2nd, 5th and 30rd day of the month. The list can be inverted by prefixing it with an exclamation mark, e.g. ! 31 to always match but on the 31st of the month.utc_timebooleanno0Treat all given time values as UTC time instead of local time.targetstringnoDNATNAT target (DNAT or SNAT) to use when generating the rule.familystringnoanyProtocol family (ipv4, ipv6 or any) to generate iptables rules for. Defaults to any, but automatically degrades to ipv4 since IPv6 DNAT is not supported by fw3.reflectionbooleanno1Activate NAT reflection for this redirect - applicable to DNAT targets.reflection_srcstringnointernalThe source address to use for NAT-reflected packets if reflection is 1. This can be internal or external, specifying which interface’s address to use. Applicable to DNAT targets.limitstringno(none)Maximum average matching rate; specified as a number, with an optional /second, /minute, /hour or /day suffix. Examples: 3/second, 3/sec or 3/s.limit_burstintegerno5Maximum initial number of packets to match, allowing a short-term average above limit.enabledstringno1 or yesEnable the redirect rule or not.helpercthelperno[外链图片转存失败,源站可能有防盗链机制,建议将图片保存下来直接上传(img-m8DnXJut-1629945692476)(https://openwrt.org/lib/images/smileys/fixme.gif)]
IP sets
See also: fw3 IP set examples fw3 支持引用或创建IP 集以简化大型地址或端口列表的匹配,而无需为每个项目创建一个规则进行匹配。
Options NameTypeRequiredDefaultDescriptionenabledbooleanno1Allows to disable the declaration of the ipset without the need to delete the section.externalstringno(none)If the external option is set to a name, the firewall will simply reference an already existing ipset pointed to by the name. If the external option is unset, the firewall will create the ipset on start and destroy it on stop.namestringyes if external is unset no if external is set(none) if external is unset value of external if external is setSpecifies the firewall internal name of the ipset which is used to reference the set in rules or redirects.familystringnoipv4Protocol family (ipv4 or ipv6) to create ipset for. Only applicable to storage types hash and list, the bitmap type implies ipv4.storagestringnovariesSpecifies the storage method (bitmap, hash or list) used by the ipset, the default varies depending on the used datatypes (see match option below). In most cases the storage method can be automatically inferred from the datatype combination but in some cases multiple choices are possible (e.g. bitmap:ip vs. hash:ip).matchlist of direction/type tuplesyes(none)Specifies the matched data types (ip, port, mac, net or set) and their direction (src or dest). The direction is joined with the datatype by an underscore to form a tuple, e.g. src_port to match source ports or dest_net to match destination CIDR ranges. When using ipsets matching on multiple elements, e.g. hash:ip,port, specify the packet fields to match on in quotes or comma-separated (i.e. “match dest_ip dest_port”).iprangeIP rangeyes for storage type bitmap with datatype ip(none)Specifies the IP range to cover, see ipset(8). Only applicable to the hash storage type.portrangePort rangeyes for storage type bitmap with datatype port(none)Specifies the port range to cover, see ipset(8). Only applicable to the hash storage type.netmaskintegerno32If specified, network addresses will be stored in the set instead of IP host addresses. Value must be between 1 and 32, see ipset(8). Only applicable to the bitmap storage type with match ip or the hash storage type with match ip.maxelemintegerno65536Limits the number of items that can be added to the set, only applicable to the hash and list storage types.hashsizeintegerno1024Specifies the initial hash size of the set, only applicable to the hash storage type.timeoutintegerno0Specifies the default timeout for entries added to the set. A value of 0 means no timeout.entrysetentryno[外链图片转存失败,源站可能有防盗链机制,建议将图片保存下来直接上传(img-T4Xep0Qh-1629945692479)(https://openwrt.org/lib/images/smileys/fixme.gif)]loadfilestringno[外链图片转存失败,源站可能有防盗链机制,建议将图片保存下来直接上传(img-slc5pTfg-1629945692480)(https://openwrt.org/lib/images/smileys/fixme.gif)][外链图片转存失败,源站可能有防盗链机制,建议将图片保存下来直接上传(img-Hqt1ssF4-1629945692481)(https://openwrt.org/lib/images/smileys/fixme.gif)]
Storage / Match Options 数据类型匹配的顺序很重要 FamilyStorageMatchNotesipv4bitmapipRequires iprange optionipv4bitmapip macRequires iprange optionipv4bitmapportRequires portrange optionanyhaship-anyhashnet-anyhaship port-anyhashnet port-anyhaship port ip-anyhaship port net--listsetMeta type to create a set-of-sets Includes用于添加自定义的防火墙脚本 config include option path '/etc/firewall.user' The /etc/firewall.user script is empty by default.Options NameTypeRequiredDefaultDescriptionenabledbooleanno1Allows to disable the corresponding include without having to delete the sectiontypestringnoscriptSpecifies the type of the include, can be script for traditional shell script includes or restore for plain files in iptables-restore formatpathfile nameyes/etc/firewall.userSpecifies a shell script to execute on boot or firewall restartsfamilystringnoanySpecifies the address family (ipv4, ipv6 or any) for which the include is calledreloadbooleanno0Specifies whether the include should be called on reload - this is only needed if the include injects rules into internal chainsIncludes of type script may contain arbitrary commands, for example advanced iptables rules or tc commands required for traffic shaping. [外链图片转存失败,源站可能有防盗链机制,建议将图片保存下来直接上传(img-PX8hJeSH-1629945692482)(https://openwrt.org/lib/images/smileys/icon_exclaim.gif)] 由于自定义 iptables 规则比通用规则更具体,因此您必须确保使用-I *(insert)*而不是-A (append),以便规则出现在默认规则之前[外链图片转存失败,源站可能有防盗链机制,建议将图片保存下来直接上传(img-WAicrzDn-1629945692483)(https://openwrt.org/lib/images/smileys/icon_exclaim.gif)] 如果规则存在于iptables中,则不会重新添加。一个标准的 iptables-I 或 -A会添加重复规则Example Here is an example of /etc/firewall.user script that allows to CloudFlare.com to access HTTP 80 and HTTPS 443 ports. Use if your uhttpd is hidden behind CF proxy. # Replace the ips-v4 with v6 if needed for ip in `wget -qO- http://www.cloudflare.com/ips-v4`; do iptables -I INPUT -p tcp -m multiport --dports http,https -s $ip -j ACCEPT doneNOTE: The example uses HTTP to get the list of IPs. Using HTTP makes us vulnerable to MITM attacks. To use the more secure HTTPS and avoid MITM risks, we need to install ca-certs. |
This needs the kmod-ipt-ipset kernel module installed.【本文地址】
公司简介
联系我们