eap_reauth_period=360000000
ignore_broadcast_ssid=0
# enable 802.11n (n-mode)
ieee80211n=1
wmm_enabled=1
4. Install dnsmasq as the DNS and DHCP server
apt-get install dnsmasq
Edit /etc/dnsmasq.conf:
interface=lo,br0
dhcp-range=10.0.1.21,10.0.1.250,255.255.255.0,12h
cache-size=500 # number of addresses to cache; adjust as needed
On the DNS side, besides dnsmasq I also installed dnscrypt-proxy to guard against DNS hijacking (DNS poisoning). This post is already very long, though, so I won't cover that here.
After restarting the router now, phones and other clients can connect to it, but they still cannot get online, because the MASQUERADE rule from the next step is still missing.
5. iptables rules (firewall + Port Forwarding)
The Debian/Ubuntu iptables tutorials all add a script under /etc/network/if-pre-up.d to load the iptables rules. Because my port forwarding rules use the address of the WAN interface, I split the iptables setup into an if-pre-up.d part and an if-up.d part: at pre-up time (eth0 has no IP address yet) the firewall filter rules and so on are loaded, and at post-up time (eth0 has been assigned its IP address) the port forwarding rules are added.
For the if-pre-up.d part, create /etc/network/if-pre-up.d/my-pre-up:
#!/bin/sh
EXTIF=eth0
if [ "$IFACE" = "$EXTIF" ]; then
/bin/sh /usr/myscripts/iptables/pre-up-rules
fi
Then create /usr/myscripts/iptables/pre-up-rules:
#!/bin/sh
EXTIF=eth0
INTIF=br0
LOG=/tmp/set-rules-router.log
WANIP=$(/sbin/ifconfig $EXTIF | grep 'inet addr:' | cut -d: -f2 | awk '{ print $1}')
echo "PRE-UP : `date`" | tee -a $LOG
echo "$IFACE pre-up, $EXTIF IP : $WANIP" | tee -a $LOG
echo | tee -a $LOG
SSHPORT=22222;
echo "Setting default policy and clearing all rules ..." | tee -a $LOG
# Default policy
/sbin/iptables -P INPUT DROP
/sbin/iptables -P OUTPUT ACCEPT
/sbin/iptables -P FORWARD DROP
/sbin/iptables -F
/sbin/iptables -X
/sbin/iptables -t nat -F
/sbin/iptables -t nat -X
/sbin/iptables -t mangle -F
/sbin/iptables -t mangle -X
/sbin/iptables -t raw -F
/sbin/iptables -t raw -X
echo "Setting up firewall rules..." | tee -a $LOG
# Ref : https://wiki.debian.org/DebianFirewall
echo -n '1' > /proc/sys/net/ipv4/ip_forward
echo -n '0' > /proc/sys/net/ipv4/conf/all/accept_source_route
echo -n '0' > /proc/sys/net/ipv4/conf/all/accept_redirects
echo -n '1' > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
echo -n '1' > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
# Chains :
/sbin/iptables -N syn_flood
## Protection 1 vvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvv
# Openwrt : Drop XMAS, Null first, then invalid packets (these 3 come before other rules)
#
# XMAS packets
/sbin/iptables -t raw -A PREROUTING -p tcp -m tcp --tcp-flags ALL ALL -j DROP -m comment --comment "Drop XMAS packets"
# Drop all NULL packets
/sbin/iptables -t raw -A PREROUTING -p tcp -m tcp --tcp-flags ALL NONE -j DROP -m comment --comment "Drop all NULL packets"
##^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
# Enable loopback traffic
/sbin/iptables -A INPUT -i lo -j ACCEPT
# Enable stateful rules (after this, only NEW connections need explicit rules)
/sbin/iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
/sbin/iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# eth0 ($EXTIF) - WAN, br0 ($INTIF) - LAN: this lets the internal network reach the external one
/sbin/iptables -t nat -A POSTROUTING -o $EXTIF -j MASQUERADE
/sbin/iptables -A FORWARD -i $INTIF -o $EXTIF -j ACCEPT
# DNS - accept from LAN
/sbin/iptables -A INPUT -i $INTIF -p tcp --dport 53 -j ACCEPT -m comment --comment "Accept DNS from LAN"
/sbin/iptables -A INPUT -i $INTIF -p udp --dport 53 -j ACCEPT -m comment --comment "Accept DNS from LAN"
## Protection 2 vvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvv
# Drop Invalid Packets
# Drop invalid state packets
/sbin/iptables -A INPUT -m conntrack --ctstate INVALID -j DROP -m comment --comment "Drop Invalid INPUT Packets"
/sbin/iptables -A OUTPUT -m conntrack --ctstate INVALID -j DROP -m comment --comment "Drop Invalid OUTPUT Packets"
/sbin/iptables -A FORWARD -m conntrack --ctstate INVALID -j DROP -m comment --comment "Drop Invalid FORWARD Packets"
# Force Fragments packets check
/sbin/iptables -A INPUT -f -j DROP -m comment --comment "Force Fragments packets check"
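The if-up.d half of the split described in step 5 is not shown above. The following is an added example of what it can look like; it is my code, not the author's script, and it assumes iproute2's `ip` command is available (the author's script parses ifconfig instead), a script name of /etc/network/if-up.d/my-post-up, and a placeholder LAN host 10.0.1.50 with placeholder ports 443 (internal) and 8443 (on the WAN address). Setting IPTABLES=echo prints the rules instead of applying them, which is how the functions can be checked without root.

```shell
#!/bin/sh
# Added example (not the author's script): the if-up.d counterpart of the
# pre-up rules above, e.g. saved as /etc/network/if-up.d/my-post-up.
# It runs once eth0 has its address, reads that address with iproute2's `ip`
# (an assumption; the author's script parses ifconfig), and adds one DNAT
# port-forwarding rule plus the FORWARD accept it needs.
# The forwarded host and ports below are placeholders, not values from the post.

EXTIF=eth0
INTIF=br0
FWD_HOST=10.0.1.50      # placeholder LAN host receiving the forwarded traffic
FWD_PORT=443            # placeholder service port on that host
WAN_PORT=8443           # placeholder port exposed on the WAN address
# Set IPTABLES=echo to print the rules instead of applying them.
IPTABLES=${IPTABLES:-/sbin/iptables}

# Constructed sample of `ip -4 addr show dev eth0` output for offline testing.
SAMPLE_IP_OUTPUT='2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    inet 203.0.113.7/24 brd 203.0.113.255 scope global dynamic eth0
       valid_lft 86399sec preferred_lft 86399sec'

# Extract the first IPv4 address from `ip -4 addr show` output passed as $1.
# Prints nothing when the interface has no address yet.
wan_ip_from_ip_output() {
    printf '%s\n' "$1" | sed -n 's/^[[:space:]]*inet \([0-9.]*\)\/.*/\1/p' | head -n 1
}

# Add the port-forwarding rules for WAN address $1.
# The DNAT is limited to the WAN address (the reason these rules must wait
# for post-up), and the FORWARD rule opens only the one host:port, because
# the pre-up script set the FORWARD policy to DROP.
port_forward_rules() {
    wanip=$1
    "$IPTABLES" -t nat -A PREROUTING -i "$EXTIF" -d "$wanip" -p tcp --dport "$WAN_PORT" \
        -j DNAT --to-destination "$FWD_HOST:$FWD_PORT" \
        -m comment --comment "Forward WAN:$WAN_PORT to $FWD_HOST:$FWD_PORT"
    "$IPTABLES" -A FORWARD -i "$EXTIF" -o "$INTIF" -d "$FWD_HOST" -p tcp --dport "$FWD_PORT" \
        -m conntrack --ctstate NEW -j ACCEPT \
        -m comment --comment "Allow forwarded $FWD_HOST:$FWD_PORT"
}

# Mirror the author's my-pre-up dispatcher: act only when ifupdown is bringing
# up the WAN interface, and refuse to add a rule with an empty address.
main() {
    if [ "${IFACE:-}" = "$EXTIF" ]; then
        wanip=$(wan_ip_from_ip_output "$(ip -4 addr show dev "$EXTIF")")
        if [ -z "$wanip" ]; then
            echo "post-up: $EXTIF has no IPv4 address, not adding forwards" >&2
            exit 1
        fi
        port_forward_rules "$wanip"
    fi
}

# Run main only when invoked as the if-up.d script, not when sourced.
case "$0" in
    *my-post-up) main ;;
esac
```

Because the pre-up script flushes every table with -F before rebuilding, re-running ifup on eth0 does not accumulate duplicate DNAT rules; the empty-address check keeps a misfiring hook from installing a rule with `-d ` and no address.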