@orangleliu
2016-09-23T10:17:26.000000Z
Tags: IoT, openwrt
Monitoring a specific IP on OpenWrt

Add a new iptables chain:

```sh
iptables -N P45
```

Add rules to the P45 chain just created and to the forward path (delegate_forward; the commands below use the forwarding_rule hook chain). Replace the IP with the one you want to monitor:

```sh
iptables -I P45 -s 192.168.111.115 -j ACCEPT
iptables -I P45 -d 192.168.111.115 -j ACCEPT
iptables -I forwarding_rule -s 192.168.111.115 -j P45
iptables -I forwarding_rule -d 192.168.111.115 -j P45
```

-I: insert the rule into the chain
-s: source address
-d: destination address
-j: target to jump to if the packet matches

Check the counters:

```
# iptables -nvL forwarding_rule|grep 192.168.111.115
19657 20M P45 all -- * * 0.0.0.0/0 192.168.111.115
20214 2172K P45 all -- * * 192.168.111.115 0.0.0.0/0
```

-n: show addresses and ports numerically
-L: list the rules
-v: verbose, shows the packet and byte counters
Monitoring a specific IP and port on the local machine
```sh
iptables -I INPUT -d 45.78.37.246 -p tcp --dport 9999
iptables -I OUTPUT -s 45.78.37.246 -p tcp --sport 9999
iptables -I INPUT -d 45.78.37.246
iptables -I OUTPUT -s 45.78.37.246
iptables -nvL
```

Delete the rules you no longer need (list with line numbers, then delete by number):

```sh
iptables -n -L -v --line-numbers
iptables -D INPUT 1
```
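As an added example that is not part of the original post, the following Python script parses the `iptables -nvL` counter listing used in the two monitoring sections above and sums the bytes to and from the monitored address, which is a quick way to confirm the monitoring rules are actually matching. The sample listing is constructed from the two counter lines shown in the post, with the chain and column-header lines added.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample, rebuilt from the two counter lines shown in the post;
# the "Chain" and column-header lines are added so an un-grepped listing parses too.
SAMPLE_LISTING = """\
Chain forwarding_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination
19657   20M P45        all  --  *      *       0.0.0.0/0            192.168.111.115
20214 2172K P45        all  --  *      *       192.168.111.115      0.0.0.0/0
"""

# iptables -v abbreviates large counters with 1000-based suffixes (20M, 2172K).
_MULT = {"": 1, "K": 10**3, "M": 10**6, "G": 10**9, "T": 10**12}
_COUNTER = re.compile(r"(\d+)([KMGT]?)")


def parse_counter(field: str) -> int:
    """Turn a -v counter such as '2172K' into an integer number of packets/bytes."""
    m = _COUNTER.fullmatch(field)
    if not m:
        raise ValueError(f"not an iptables counter: {field!r}")
    return int(m.group(1)) * _MULT[m.group(2)]


def parse_rules(listing: str) -> List[Dict[str, object]]:
    """Parse the rule lines of an `iptables -nvL` listing, skipping chain headers."""
    rules = []
    for line in listing.splitlines():
        parts = line.split()
        # Rule lines start with the packet counter; "Chain ..." and header lines do not.
        if len(parts) < 9 or not _COUNTER.fullmatch(parts[0]):
            continue
        pkts, nbytes, target, proto, _opt, in_if, out_if, src, dst = parts[:9]
        rules.append({"packets": parse_counter(pkts), "bytes": parse_counter(nbytes),
                      "target": target, "proto": proto, "in": in_if, "out": out_if,
                      "src": src, "dst": dst})
    return rules


def traffic_for(listing: str, ip: str) -> Tuple[int, int]:
    """Return (bytes_to_ip, bytes_from_ip), summed over rules matching `ip` exactly."""
    to_ip = from_ip = 0
    for r in parse_rules(listing):
        if r["dst"] == ip:
            to_ip += r["bytes"]
        if r["src"] == ip:
            from_ip += r["bytes"]
    return to_ip, from_ip
```

Feed it the output of `iptables -nvL forwarding_rule` from the router; a pair of zero counters after traffic has flowed means the rules are not matching the address you expect.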
Non-forwarded traffic (INPUT chain)
Block a specific MAC address:

```sh
iptables -A INPUT -m mac --mac-source 00:0F:EA:91:04:08 -j DROP
```

Only allow a specific MAC address to reach a specific port:

```sh
iptables -A INPUT -p tcp --destination-port 22 -m mac --mac-source 00:0F:EA:91:04:07 -j ACCEPT
```
OpenWrt client authentication, similar to what Wifidog does
Before a client is authenticated (drop all forwarding from the LAN and redirect its HTTP traffic to the portal on port 81):

```sh
iptables -F forwarding_rule
iptables -t nat -F prerouting_rule
iptables -I forwarding_rule -s 192.168.111.0/24 -j DROP
iptables -t nat -I prerouting_rule -p tcp -s 192.168.111.0/24 --dport 80 -j DNAT --to 192.168.111.1:81
```

Whitelist (destinations reachable without authentication):

```sh
iptables -I forwarding_rule -d 115.29.203.45 -j ACCEPT
iptables -t nat -I prerouting_rule -p tcp -d 115.29.203.45 --dport 80 -j ACCEPT
iptables -I forwarding_rule -d mapi.alipay.com -j ACCEPT
iptables -t nat -I prerouting_rule -p tcp -d mapi.alipay.com --dport 80 -j ACCEPT
```

Allow a specific MAC address to access the internet (after authentication):

```sh
iptables -I forwarding_rule -m mac --mac-source a4:5e:60:cd:b3:d9 -j ACCEPT
iptables -t nat -I prerouting_rule -p tcp -m mac --mac-source a4:5e:60:cd:b3:d9 --dport 80 -j ACCEPT
```
What about multiple destination ports?
```sh
iptables -A INPUT -p tcp --match multiport --dports 110,143,993,995 -j ACCEPT
```