飛狼實驗室[wp]

參考網址：https://dotblogs.com.tw/sideprogrammer/2019/02/17/raspberry-pi-set-ap

參考網址：https://www.cyberciti.biz/tips/linux-iptables-how-to-specify-a-range-of-ip-addresses-or-ports.html

For example, allow incoming request on a port 22 for source IP in the 192.168.1.100-192.168.1.200 range only. You need to add something as follows to your iptables script:
 

iptables -A INPUT -p tcp --destination-port 22 -m iprange --src-range 192.168.1.100-192.168.1.200 -j ACCEPT

Port range

if –protocol tcp (-p tcp) is specified, you can specify source port range with following syntax:

• –source-port port:port
• –sport port:port

And destination port range specification with following option :

• –destination-port port:port
• –dport port:port

For example block lock all incoming ssh access at port 22, for source port range 513:65535:

iptables -A INPUT -p tcp -s 0/0 --sport 513:65535 -d 195.55.55.78 --dport 22 -m state --state NEW,ESTABLISHED -j DROP

環境ubuntu 16.04
 

做為防火牆的主機需有兩張網卡
用ifconfig指令可以看到網卡名稱

現今ubuntu系統會以BIOS中網卡的名稱作為預設名稱
改法：
編輯/etc/default/grub
#GRUB_CMDLINE_LINUX_DEFAULT="quiet splash"
GRUB_CMDLINE_LINUX_DEFAULT="quiet splash net.ifnames=0 biosdevname=0"
再執行
update-grub
reboot

eth0:192.168.1.11對外
eth1:192.168.0.3對內 不設通訊閘

clear.sh
 

#!/bin/sh
IPTABLES="/sbin/iptables"

/sbin/modprobe ip_conntrack
/sbin/modprobe ip_conntrack_ftp
/sbin/modprobe iptable_nat
/sbin/modprobe ip_nat_ftp

###-----------------------------------------------------###
# 打開 forward
###-----------------------------------------------------###
#echo "Enable ip_forward ......"
#echo

echo "1" > /proc/sys/net/ipv4/ip_forward

###-----------------------------------------------------###
# 清除先前的設定
###-----------------------------------------------------###
echo "Flush fiter table ......"
echo

# Flush filter
$IPTABLES -F
$IPTABLES -X

echo "Flush mangle table ......"
echo
# Flush mangle
$IPTABLES -F -t mangle
$IPTABLES -t mangle -X


echo "Flush nat table ......"
echo
# Flush nat
$IPTABLES -F -t nat
$IPTABLES -t nat -X

###-----------------------------------------------------###
# 設定 filter table 的預設政策
###-----------------------------------------------------###
$IPTABLES -P INPUT ACCEPT
$IPTABLES -P OUTPUT ACCEPT
$IPTABLES -P FORWARD ACCEPT

分享
iptables -t nat -A POSTROUTING -o eth0 -s 192.168.0.0/24 -j MASQUERADE
 

DHCP
apt install isc-dhcp-server
編輯/etc/default下的isc-dhcp-server
INTERFACES="eth1"

/etc/dhcp/dhcpd.conf

subnet 192.168.0.0 netmask 255.255.255.0 {
  range 192.168.0.201 192.168.0.250;
  option domain-name-servers 168.95.1.1;
#  option domain-name "internal.example.org";
#  option subnet-mask 255.255.255.224;
  option routers 192.168.0.3;
  option broadcast-address 192.168.0.255;
  default-lease-time 600;
  max-lease-time 7200;
}

#subnet 192.168.1.0 netmask 255.255.255.0 {
#}

service isc-dhcp-server restart 重啟dhcpd

service isc-dhcp-server status 可以看到目前dhcpd的狀態

● isc-dhcp-server.service - ISC DHCP IPv4 server
   Loaded: loaded (/lib/systemd/system/isc-dhcp-server.service; enabled; vendor preset
   Active: active (running) since 日 2019-12-15 03:57:46 CST; 1h 26min ago
     Docs: man:dhcpd(8)
 Main PID: 1739 (dhcpd)
   CGroup: /system.slice/isc-dhcp-server.service
           └─1739 dhcpd -user dhcpd -group dhcpd -f -4 -pf /run/dhcp-server/dhcpd.pid -cf /etc/dhcp/dhcpd.conf eth1

12月 15 05:02:02 sa-5750G dhcpd[1739]: DHCPREQUEST for 192.168.0.201 from 94:de:80:xx:
12月 15 05:02:02 sa-5750G dhcpd[1739]: DHCPACK on 192.168.0.201 to 94:de:80:xx:xx:xx (
12月 15 05:07:02 sa-5750G dhcpd[1739]: DHCPREQUEST for 192.168.0.201 from 94:de:80:xx:
12月 15 05:07:02 sa-5750G dhcpd[1739]: DHCPACK on 192.168.0.201 to 94:de:80:xx:xx:xx (
12月 15 05:12:02 sa-5750G dhcpd[1739]: DHCPREQUEST for 192.168.0.201 from 94:de:80:xx:
12月 15 05:12:02 sa-5750G dhcpd[1739]: DHCPACK on 192.168.0.201 to 94:de:80:e9:5e:df (
12月 15 05:17:03 sa-5750G dhcpd[1739]: DHCPREQUEST for 192.168.0.201 from 94:de:80:xx:
12月 15 05:17:03 sa-5750G dhcpd[1739]: DHCPACK on 192.168.0.201 to 94:de:80:xx:xx:xx (
12月 15 05:22:03 sa-5750G dhcpd[1739]: DHCPREQUEST for 192.168.0.201 from 94:de:80:xx:
12月 15 05:22:03 sa-5750G dhcpd[1739]: DHCPACK on 192.168.0.201 to 94:de:80:xx:xx:xx (

配發的ip會記錄在/var/lib/dhcp/dhcpd.leases

iptables實作
iptables規則列撰原則
特例一
特例二
特例三
…….
預設規則

只允許可以上scratch.mit.edu

iptables -A FORWARD -o eth0 -p tcp -d scratch.mit.edu --dport 80 -j ACCEPT
iptables -A FORWARD -o eth0 -p tcp -d scratch.mit.edu --dport 443 -j ACCEPT
iptables -A FORWARD -o eth0 -p tcp --dport 80 -j DROP
iptables -A FORWARD -o eth0 -p tcp --dport 443 -j DROP

結果scratch.mit.edu是個龐大的網站有很多IP
連到首頁還可以，往下的連結會有問題

安裝iptraf檢視連線的IP
apt install iptraf

另一套檢視連線軟體
apt install tcptrack
tcptrack -i eth1

#!/bin/sh
iptables -A FORWARD -o eth0 -p tcp -d scratch.mit.edu --dport 80 -j ACCEPT
iptables -A FORWARD -o eth0 -p tcp -d scratch.mit.edu --dport 443 -j ACCEPT
iptables -A FORWARD -o eth0 -p tcp -d 151.101.230.133 --dport 80 -j ACCEPT
iptables -A FORWARD -o eth0 -p tcp -d 151.101.230.133 --dport 443 -j ACCEPT
#以下的IP也要開放才會正常(應該是google的IP)
iptables -A FORWARD -o eth0 -p tcp -d 172.217.0.0/16 --dport 443 -j ACCEPT
iptables -A FORWARD -o eth0 -p tcp --dport 80 -j DROP
iptables -A FORWARD -o eth0 -p tcp --dport 443 -j DROP

參考網址：https://ubuntuforums.org/showthread.php?t=2137578

sudo apt-get install bcmwl-kernel-source