I have configured two wireless interfaces on my OpenWRT WiFi router: wlan0 and wlan0-1. My WAN Ethernet interface is eth0.2.
How can I prevent devices connected to wlan0-1 from accessing the internet, e.g. using iptables?
My situation is that I have some devices (air filters) that are reachable over WiFi for monitoring and control, but they also upload data to a cloud server, and I want to block that.
br-lan Link encap:Ethernet HWaddr 70:4F:57:00:51:AE
inet addr:192.168.1.254 Bcast:192.168.1.255 Mask:255.255.255.0
inet6 addr: fd76:9521:f357::1/60 Scope:Global
inet6 addr: fe80::724f:57ff:fe00:51ae/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:380362 errors:0 dropped:9 overruns:0 frame:0
TX packets:1678139 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:128540610 (122.5 MiB) TX bytes:1235755098 (1.1 GiB)
br-wan Link encap:Ethernet HWaddr 70:4F:57:00:51:AF
inet addr:192.168.178.20 Bcast:192.168.178.255 Mask:255.255.255.0
inet6 addr: fe80::724f:57ff:fe00:51af/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:1684381 errors:0 dropped:10354 overruns:0 frame:0
TX packets:369066 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:1209960142 (1.1 GiB) TX bytes:132041857 (125.9 MiB)
eth0 Link encap:Ethernet HWaddr 70:4F:57:00:51:AE
inet6 addr: fe80::724f:57ff:fe00:51ae/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:1809158 errors:0 dropped:16 overruns:0 frame:0
TX packets:1611603 errors:1 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:1276777715 (1.1 GiB) TX bytes:1193854987 (1.1 GiB)
Interrupt:5
eth0.1 Link encap:Ethernet HWaddr 70:4F:57:00:51:AE
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:106729 errors:0 dropped:0 overruns:0 frame:0
TX packets:1218251 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:33390921 (31.8 MiB) TX bytes:1054045465 (1005.2 MiB)
eth0.2 Link encap:Ethernet HWaddr 70:4F:57:00:51:AF
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:1689922 errors:0 dropped:349 overruns:0 frame:0
TX packets:393339 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:1210230806 (1.1 GiB) TX bytes:133360867 (127.1 MiB)
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:65536 Metric:1
RX packets:642 errors:0 dropped:0 overruns:0 frame:0
TX packets:642 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:56074 (54.7 KiB) TX bytes:56074 (54.7 KiB)
wlan0 Link encap:Ethernet HWaddr 70:4F:57:00:51:AC
inet6 addr: fe80::724f:57ff:fe00:51ac/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:293895 errors:0 dropped:0 overruns:0 frame:0
TX packets:383702 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:99486914 (94.8 MiB) TX bytes:194289752 (185.2 MiB)
wlan0-1 Link encap:Ethernet HWaddr 72:4F:57:00:51:AC
inet6 addr: fe80::704f:57ff:fe00:51ac/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:15014 errors:0 dropped:0 overruns:0 frame:0
TX packets:12335 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:1962975 (1.8 MiB) TX bytes:2056310 (1.9 MiB)
So far I can only block traffic from individual IP addresses, which is clumsy:
$ iptables -A forwarding_rule --source 192.168.1.110 --jump reject
Using input and output interfaces, with either br-wan or eth0.2, does not work:
$ iptables -A forwarding_rule -i wlan0-1 -o br-wan --jump reject
Edit: added the output of iptables-save
# Generated by iptables-save v1.8.3 on Thu Oct 7 21:18:59 2021
*nat
:PREROUTING ACCEPT [29740:1906622]
:INPUT ACCEPT [1917:191180]
:OUTPUT ACCEPT [9468:913173]
:POSTROUTING ACCEPT [0:0]
:postrouting_lan_rule - [0:0]
:postrouting_rule - [0:0]
:postrouting_wan_rule - [0:0]
:prerouting_lan_rule - [0:0]
:prerouting_rule - [0:0]
:prerouting_wan_rule - [0:0]
:zone_lan_postrouting - [0:0]
:zone_lan_prerouting - [0:0]
:zone_wan_postrouting - [0:0]
:zone_wan_prerouting - [0:0]
-A PREROUTING -m comment --comment "!fw3: Custom prerouting rule chain" -j prerouting_rule
-A PREROUTING -i br-lan -m comment --comment "!fw3" -j zone_lan_prerouting
-A PREROUTING -i br-wan -m comment --comment "!fw3" -j zone_wan_prerouting
-A PREROUTING -i eth0.2 -m comment --comment "!fw3" -j zone_wan_prerouting
-A POSTROUTING -m comment --comment "!fw3: Custom postrouting rule chain" -j postrouting_rule
-A POSTROUTING -o br-lan -m comment --comment "!fw3" -j zone_lan_postrouting
-A POSTROUTING -o br-wan -m comment --comment "!fw3" -j zone_wan_postrouting
-A POSTROUTING -o eth0.2 -m comment --comment "!fw3" -j zone_wan_postrouting
-A zone_lan_postrouting -m comment --comment "!fw3: Custom lan postrouting rule chain" -j postrouting_lan_rule
-A zone_lan_postrouting -m comment --comment "!fw3" -j MASQUERADE
-A zone_lan_prerouting -m comment --comment "!fw3: Custom lan prerouting rule chain" -j prerouting_lan_rule
-A zone_wan_postrouting -m comment --comment "!fw3: Custom wan postrouting rule chain" -j postrouting_wan_rule
-A zone_wan_postrouting -m comment --comment "!fw3" -j MASQUERADE
-A zone_wan_prerouting -m comment --comment "!fw3: Custom wan prerouting rule chain" -j prerouting_wan_rule
COMMIT
# Completed on Thu Oct 7 21:18:59 2021
# Generated by iptables-save v1.8.3 on Thu Oct 7 21:18:59 2021
*mangle
:PREROUTING ACCEPT [408155:279582022]
:INPUT ACCEPT [31411:6614761]
:FORWARD ACCEPT [376252:272911158]
:OUTPUT ACCEPT [51318:6113468]
:POSTROUTING ACCEPT [402428:277911525]
-A FORWARD -o br-wan -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone wan MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
-A FORWARD -i br-wan -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone wan MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
-A FORWARD -o eth0.2 -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone wan MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
-A FORWARD -i eth0.2 -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone wan MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
COMMIT
# Completed on Thu Oct 7 21:18:59 2021
# Generated by iptables-save v1.8.3 on Thu Oct 7 21:18:59 2021
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:forwarding_lan_rule - [0:0]
:forwarding_rule - [0:0]
:forwarding_wan_rule - [0:0]
:input_lan_rule - [0:0]
:input_rule - [0:0]
:input_wan_rule - [0:0]
:output_lan_rule - [0:0]
:output_rule - [0:0]
:output_wan_rule - [0:0]
:reject - [0:0]
:syn_flood - [0:0]
:zone_lan_dest_ACCEPT - [0:0]
:zone_lan_forward - [0:0]
:zone_lan_input - [0:0]
:zone_lan_output - [0:0]
:zone_lan_src_ACCEPT - [0:0]
:zone_wan_dest_ACCEPT - [0:0]
:zone_wan_forward - [0:0]
:zone_wan_input - [0:0]
:zone_wan_output - [0:0]
:zone_wan_src_REJECT - [0:0]
-A INPUT -i lo -m comment --comment "!fw3" -j ACCEPT
-A INPUT -m comment --comment "!fw3: Custom input rule chain" -j input_rule
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m comment --comment "!fw3" -j syn_flood
-A INPUT -i br-lan -m comment --comment "!fw3" -j zone_lan_input
-A INPUT -i br-wan -m comment --comment "!fw3" -j zone_wan_input
-A INPUT -i eth0.2 -m comment --comment "!fw3" -j zone_wan_input
-A FORWARD -m comment --comment "!fw3: Custom forwarding rule chain" -j forwarding_rule
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
-A FORWARD -i br-lan -m comment --comment "!fw3" -j zone_lan_forward
-A FORWARD -i br-wan -m comment --comment "!fw3" -j zone_wan_forward
-A FORWARD -i eth0.2 -m comment --comment "!fw3" -j zone_wan_forward
-A FORWARD -m comment --comment "!fw3" -j reject
-A OUTPUT -o lo -m comment --comment "!fw3" -j ACCEPT
-A OUTPUT -m comment --comment "!fw3: Custom output rule chain" -j output_rule
-A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
-A OUTPUT -o br-lan -m comment --comment "!fw3" -j zone_lan_output
-A OUTPUT -o br-wan -m comment --comment "!fw3" -j zone_wan_output
-A OUTPUT -o eth0.2 -m comment --comment "!fw3" -j zone_wan_output
-A forwarding_rule -s 192.168.1.110/32 -j reject
-A forwarding_rule -s 192.168.1.111/32 -j reject
-A reject -p tcp -m comment --comment "!fw3" -j REJECT --reject-with tcp-reset
-A reject -m comment --comment "!fw3" -j REJECT --reject-with icmp-port-unreachable
-A syn_flood -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m limit --limit 25/sec --limit-burst 50 -m comment --comment "!fw3" -j RETURN
-A syn_flood -m comment --comment "!fw3" -j DROP
-A zone_lan_dest_ACCEPT -o br-lan -m conntrack --ctstate INVALID -m comment --comment "!fw3: Prevent NAT leakage" -j DROP
-A zone_lan_dest_ACCEPT -o br-lan -m comment --comment "!fw3" -j ACCEPT
-A zone_lan_forward -m comment --comment "!fw3: Custom lan forwarding rule chain" -j forwarding_lan_rule
-A zone_lan_forward -m comment --comment "!fw3: Zone lan to wan forwarding policy" -j zone_wan_dest_ACCEPT
-A zone_lan_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
-A zone_lan_forward -m comment --comment "!fw3" -j zone_lan_dest_ACCEPT
-A zone_lan_input -m comment --comment "!fw3: Custom lan input rule chain" -j input_lan_rule
-A zone_lan_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
-A zone_lan_input -m comment --comment "!fw3" -j zone_lan_src_ACCEPT
-A zone_lan_output -m comment --comment "!fw3: Custom lan output rule chain" -j output_lan_rule
-A zone_lan_output -m comment --comment "!fw3" -j zone_lan_dest_ACCEPT
-A zone_lan_src_ACCEPT -i br-lan -m conntrack --ctstate NEW,UNTRACKED -m comment --comment "!fw3" -j ACCEPT
-A zone_wan_dest_ACCEPT -o br-wan -m conntrack --ctstate INVALID -m comment --comment "!fw3: Prevent NAT leakage" -j DROP
-A zone_wan_dest_ACCEPT -o br-wan -m comment --comment "!fw3" -j ACCEPT
-A zone_wan_dest_ACCEPT -o eth0.2 -m conntrack --ctstate INVALID -m comment --comment "!fw3: Prevent NAT leakage" -j DROP
-A zone_wan_dest_ACCEPT -o eth0.2 -m comment --comment "!fw3" -j ACCEPT
-A zone_wan_forward -m comment --comment "!fw3: Custom wan forwarding rule chain" -j forwarding_wan_rule
-A zone_wan_forward -p esp -m comment --comment "!fw3: Allow-IPSec-ESP" -j zone_lan_dest_ACCEPT
-A zone_wan_forward -p udp -m udp --dport 500 -m comment --comment "!fw3: Allow-ISAKMP" -j zone_lan_dest_ACCEPT
-A zone_wan_forward -m comment --comment "!fw3: Zone wan to lan forwarding policy" -j zone_lan_dest_ACCEPT
-A zone_wan_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
-A zone_wan_forward -m comment --comment "!fw3" -j zone_wan_dest_ACCEPT
-A zone_wan_input -m comment --comment "!fw3: Custom wan input rule chain" -j input_wan_rule
-A zone_wan_input -p udp -m udp --dport 68 -m comment --comment "!fw3: Allow-DHCP-Renew" -j ACCEPT
-A zone_wan_input -p icmp -m icmp --icmp-type 8 -m comment --comment "!fw3: Allow-Ping" -j ACCEPT
-A zone_wan_input -p igmp -m comment --comment "!fw3: Allow-IGMP" -j ACCEPT
-A zone_wan_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
-A zone_wan_input -m comment --comment "!fw3" -j zone_wan_src_REJECT
-A zone_wan_output -m comment --comment "!fw3: Custom wan output rule chain" -j output_wan_rule
-A zone_wan_output -m comment --comment "!fw3" -j zone_wan_dest_ACCEPT
-A zone_wan_src_REJECT -i br-wan -m comment --comment "!fw3" -j reject
-A zone_wan_src_REJECT -i eth0.2 -m comment --comment "!fw3" -j reject
COMMIT
# Completed on Thu Oct 7 21:18:59 2021
Edit: added the output of uci export firewall
package firewall
config defaults
option syn_flood '1'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'REJECT'
config zone
option name 'lan'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
option masq '1'
option network 'lan'
config zone
option name 'wan'
option input 'REJECT'
option output 'ACCEPT'
option masq '1'
option mtu_fix '1'
option forward 'ACCEPT'
option network 'wan wan6 wwan1 wwan'
config forwarding
option src 'lan'
option dest 'wan'
config rule
option name 'Allow-DHCP-Renew'
option src 'wan'
option proto 'udp'
option dest_port '68'
option target 'ACCEPT'
option family 'ipv4'
config rule
option name 'Allow-Ping'
option src 'wan'
option proto 'icmp'
option icmp_type 'echo-request'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-IGMP'
option src 'wan'
option proto 'igmp'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-DHCPv6'
option src 'wan'
option proto 'udp'
option src_ip 'fc00::/6'
option dest_ip 'fc00::/6'
option dest_port '546'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-MLD'
option src 'wan'
option proto 'icmp'
option src_ip 'fe80::/10'
list icmp_type '130/0'
list icmp_type '131/0'
list icmp_type '132/0'
list icmp_type '143/0'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Input'
option src 'wan'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
list icmp_type 'router-solicitation'
list icmp_type 'neighbour-solicitation'
list icmp_type 'router-advertisement'
list icmp_type 'neighbour-advertisement'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Forward'
option src 'wan'
option dest '*'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-IPSec-ESP'
option src 'wan'
option dest 'lan'
option proto 'esp'
option target 'ACCEPT'
config rule
option name 'Allow-ISAKMP'
option src 'wan'
option dest 'lan'
option dest_port '500'
option proto 'udp'
option target 'ACCEPT'
config include
option path '/etc/firewall.user'
config forwarding
option dest 'lan'
option src 'wan'
Edit: added the output of ip link:
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UNKNOWN qlen 1000
link/ether 70:4f:57:00:51:ae brd ff:ff:ff:ff:ff:ff
5: br-lan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP qlen 1000
link/ether 70:4f:57:00:51:ae brd ff:ff:ff:ff:ff:ff
6: eth0.1@eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master br-lan state UP qlen 1000
link/ether 70:4f:57:00:51:ae brd ff:ff:ff:ff:ff:ff
7: br-wan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP qlen 1000
link/ether 70:4f:57:00:51:af brd ff:ff:ff:ff:ff:ff
8: eth0.2@eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master br-wan state UP qlen 1000
link/ether 70:4f:57:00:51:af brd ff:ff:ff:ff:ff:ff
9: wlan0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master br-lan state UP qlen 1000
link/ether 70:4f:57:00:51:ac brd ff:ff:ff:ff:ff:ff
10: wlan0-1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master br-lan state UP qlen 1000
link/ether 72:4f:57:00:51:ac brd ff:ff:ff:ff:ff:ff
Edit: added the output of brctl show:
bridge name bridge id STP enabled interfaces
br-lan 7fff.704f570051ae no eth0.1
wlan0
wlan0-1
br-wan 7fff.704f570051af no eth0.2
OpenWRT runs a Linux kernel, but as an embedded system some features may not be available, so I don't know whether this answer, written for a Linux system with a configuration similar to the OP's, will work there. It requires ebtables to be available, and depending on the chosen solution it may also require some:
Finally, the system routes packets from the br-lan interface to the br-wan interface. At this step, once the frame has left the initial bridge so that its payload (IPv4) can be routed, the fact that the frame entered through the interface wlan0-1, a bridge port of br-lan, is lost. So the initial action must happen before this information is lost: while the frame is still in the br-lan bridge, in the bridge path. The documentation may hint (bridges are mentioned) that OpenWRT's firewall application can handle bridge firewalling, but I know nothing about that part, so I'll use ebtables directly.
If one can rely on knowing the IP LAN topology on br-lan (192.168.1.0/24), then all of this can be done simply with a single ebtables rule:
It drops any IPv4 frame received from the wlan0-1 bridge port and bridged toward a host whose destination IP address is not within 192.168.1.0/24 (whether it is meant for that host itself or for further routing).
If OpenWRT's public IP address is static and known in advance (e.g. 192.0.2.2), one can optionally insert an exception before it:
If this is acceptable, there is no need for the alternative method below.
Otherwise, if the rule must stay generic and not involve the LAN IP addresses but only interfaces (or must accept the WAN IP address as a destination without knowing its value), then routing has to be involved, and I suggest using ebtables to mark the frame in the bridge path, where the information is still available, just before the frame's payload (IPv4) is about to be routed, and then dropping the marked packet/frame once it is known to be routed to the Internet. The mark is preserved when the frame is decapsulated or the packet is encapsulated. The OP's current iptables rules don't use any mark, so there will be no unfortunate interaction.
In the OP's case the egress interface used for routing is also a bridge (br-wan), so to limit interaction with the higher-level tool that manages the firewall with iptables (firewall3), the marked frames can be dropped in the bridge path instead of dropping the marked packets in the routing path: no interaction with the iptables rules.
The flow from the LAN to the Internet is as follows:
This marks frames received from the wlan0-1 bridge port:
Then this matches and drops the previously marked frames/packets when they are emitted from the host through the br-wan bridge:
If --logical-out is not available for some reason, it can be changed, with the current topology, to the single output bridge port of br-wan: in this case conntrack will create an entry for the packet when it sees it entering and leaving the routing stack, even though it is dropped afterwards. Such an entry will never reach the ESTABLISHED state, since nothing will receive this packet and reply to it (see also the notes).
Notes:
If OpenWRT were configured with two different LANs (not bridged, or on separate bridges, each taking part in routing), one for wlan0 and eth0.1 and the other for wlan0-1, with different IP addresses, then standard routing would apply everywhere and this problem could easily be solved in iptables, probably configured through firewall3, without needing ebtables.
The current iptables rules suggest that eth0.2 can be used (or was once used) as a standard (non-bridge-port) interface. If that is the case, the second solution must be changed to include an equivalent rule in iptables, which should be integrated into firewall3 if possible. It can also be used for br-wan (but only worth it if it can be integrated with firewall3):
This rule can currently work in place of the ebtables OUTPUT rule above:
And with eth0.2 used directly as a routed interface rather than as a bridge port:
Both can be put in place at the same time, as is currently done for br-wan and eth0.2 in the other iptables rules.
Here, since the packet is dropped in the routing path by iptables, the conntrack entry will not be committed and will not appear (e.g. cat /proc/net/nf_conntrack will not show the attempt). Relying on the br_netfilter feature to use iptables in the bridge path is usually a bad idea when one does not have full control over the configuration, and it is disabled by default in OpenWRT. So the physdev iptables match, which depends on this feature (and may not be available), should not be used to solve this problem.
Since this is not stateful, incoming traffic from the Internet to a system using wlan0-1 would still be allowed, but it could not be replied to. In any case, since the LAN is private, this would require a DNAT rule on the firewall for that to be possible at all (or, for the second solution which still creates conntrack entries, a remote third party blindly synchronized with the dropped attempts). The opposite direction can also be dropped if really needed: Internet traffic to wlan0-1, using the same methods as provided.
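As an added example (not the answer's own rules, which are not reproduced on this page), the following POSIX shell script builds the two rule sets the answer describes: the stateless subnet-based drop in the bridge path, and the mark-then-drop variant with its logical-out, physical-port and iptables flavours. It assumes ebtables with the ip and mark extensions, the mark value 0x1 (the question's rules use no marks), and firewall3's forwarding_rule chain as the place for the iptables flavour; interface names and the LAN prefix are the question's.

```shell
#!/bin/sh
# Added example, not part of the original answer: generate the ebtables rule
# sets for isolating the wlan0-1 bridge port of br-lan from the Internet.
# wlan0-1, br-lan, br-wan, eth0.2, 192.168.1.0/24 and forwarding_rule come
# from the question; the mark value 0x1 is an assumption.

# Variant 1 (stateless, needs the LAN prefix): drop, while the frame is still
# in the bridge, any IPv4 frame from $port whose destination is outside $lan.
# An optional $wan_ip (the router's static public address) is accepted first.
subnet_rules() {
    port=$1 lan=$2 wan_ip=$3
    if [ -n "$wan_ip" ]; then
        echo "ebtables -A FORWARD -i $port -p IPv4 --ip-dst $wan_ip -j ACCEPT"
    fi
    echo "ebtables -A FORWARD -i $port -p IPv4 ! --ip-dst $lan -j DROP"
}

# Variant 2 (topology-agnostic): mark frames from $port in the bridge path,
# where the ingress port is still known, then drop the marked traffic on the
# way out. $mode selects where the drop happens:
#   logical  - ebtables OUTPUT, matching the egress bridge br-wan
#   physical - ebtables OUTPUT, matching br-wan's only port (fallback when
#              --logical-out is unavailable); conntrack still sees the packet
#   iptables - routing path (fw3's forwarding_rule chain), covering br-wan
#              and eth0.2 used as a plain routed interface
mark_rules() {
    port=$1 mark=$2 mode=$3
    echo "ebtables -A FORWARD -i $port -j mark --mark-set $mark --mark-target CONTINUE"
    case $mode in
    logical)  echo "ebtables -A OUTPUT --logical-out br-wan --mark $mark -j DROP" ;;
    physical) echo "ebtables -A OUTPUT -o eth0.2 --mark $mark -j DROP" ;;
    iptables) echo "iptables -I forwarding_rule -o br-wan -m mark --mark $mark -j DROP"
              echo "iptables -I forwarding_rule -o eth0.2 -m mark --mark $mark -j DROP" ;;
    *) echo "mark_rules: unknown mode '$mode'" >&2; return 1 ;;
    esac
}

# Print each generated command; execute it only when APPLY=1 is set, so the
# rule set can be reviewed on a workstation before being run on the router.
run_rules() {
    while IFS= read -r cmd; do
        echo "$cmd"
        if [ "${APPLY:-0}" = 1 ]; then
            sh -c "$cmd"
        fi
    done
}

# Demonstration (prints only): stateless variant with the public IP exception.
subnet_rules wlan0-1 192.168.1.0/24 192.0.2.2 | run_rules
```

Rules added this way are not persistent; on a firewall3 system they would have to be re-applied from a script such as the /etc/firewall.user include shown in the question's uci export.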