[Repost] OpenWrt iptables analysis

Reposted from: https://www.cnblogs.com/tanhangbo/p/4550455.html

The key point is learning how to draw the iptables chain relationship diagram step by step.

Here the iptables rule tables of a WR841N running OpenWrt are dumped and analysed.

This is the command that dumps the iptables rules:

root@OpenWrt:/etc/config# iptables-save

The output is divided into 4 parts:

1. NAT table

*nat
:PREROUTING ACCEPT [37930:3638072]
:INPUT ACCEPT [440:34479]
:OUTPUT ACCEPT [1004:101848]
:POSTROUTING ACCEPT [149:36868]
:MINIUPNPD - [0:0]
:delegate_postrouting - [0:0]
:delegate_prerouting - [0:0]
:postrouting_lan_rule - [0:0]
:postrouting_rule - [0:0]
:postrouting_wan_rule - [0:0]
:prerouting_lan_rule - [0:0]
:prerouting_rule - [0:0]
:prerouting_wan_rule - [0:0]
:zone_lan_postrouting - [0:0]
:zone_lan_prerouting - [0:0]
:zone_wan_postrouting - [0:0]
:zone_wan_prerouting - [0:0]
-A PREROUTING -j delegate_prerouting 
-A POSTROUTING -j delegate_postrouting 
-A delegate_postrouting -m comment --comment "user chain for postrouting" -j postrouting_rule 
-A delegate_postrouting -o br-lan -j zone_lan_postrouting 
-A delegate_postrouting -o eth0 -j zone_wan_postrouting 
-A delegate_postrouting -o pppoe-wan -j zone_wan_postrouting 
-A delegate_prerouting -m comment --comment "user chain for prerouting" -j prerouting_rule 
-A delegate_prerouting -i br-lan -j zone_lan_prerouting 
-A delegate_prerouting -i eth0 -j zone_wan_prerouting 
-A delegate_prerouting -i pppoe-wan -j zone_wan_prerouting 
-A zone_lan_postrouting -m comment --comment "user chain for postrouting" -j postrouting_lan_rule 
-A zone_lan_prerouting -m comment --comment "user chain for prerouting" -j prerouting_lan_rule 
-A zone_wan_postrouting -m comment --comment "user chain for postrouting" -j postrouting_wan_rule 
-A zone_wan_postrouting -j MASQUERADE 
-A zone_wan_prerouting -j MINIUPNPD 
-A zone_wan_prerouting -m comment --comment "user chain for prerouting" -j prerouting_wan_rule 
COMMIT

The numbers in square brackets are the traffic counted so far (packets and bytes).

Summarised in the figure below:

Traffic entering from the LAN port is handed to miniupnpd; this tool benefits P2P downloads.

Traffic leaving through the WAN port uses MASQUERADE, an enhanced form of SNAT that rewrites the source IP address; this is what gives the router its NAT function and lets it support multiple clients at the same time.
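To turn a dump like the one above into the chain relationship diagram the post summarises, here is an added example (not from the original post) that parses iptables-save output, follows every `-j` jump from a built-in chain down to its terminal target, and emits the chain-to-chain jumps as Graphviz DOT. The embedded dump is a trimmed excerpt of the nat table above; the same parser works on the raw, mangle and filter tables.

```python
import re
from collections import defaultdict
# Excerpt of the nat table from the page's iptables-save dump (trimmed for the example)
NAT_DUMP = """*nat
:PREROUTING ACCEPT [37930:3638072]
:POSTROUTING ACCEPT [149:36868]
:MINIUPNPD - [0:0]
:delegate_postrouting - [0:0]
:delegate_prerouting - [0:0]
:zone_wan_postrouting - [0:0]
:zone_wan_prerouting - [0:0]
-A PREROUTING -j delegate_prerouting
-A POSTROUTING -j delegate_postrouting
-A delegate_postrouting -o pppoe-wan -j zone_wan_postrouting
-A delegate_prerouting -i pppoe-wan -j zone_wan_prerouting
-A zone_wan_postrouting -j MASQUERADE
-A zone_wan_prerouting -j MINIUPNPD
COMMIT
"""
RULE = re.compile(r'^-A (\S+)(.*?) -j (\S+)')   # chain, match options, jump target

def parse_table(dump):
    """One iptables-save table -> ({chain: policy or None}, {chain: [(match, target)]})."""
    chains, rules = {}, defaultdict(list)
    for line in dump.splitlines():
        if line.startswith(':'):                     # ":NAME POLICY [pkts:bytes]"; '-' = user chain
            name, policy, _ = line[1:].split(' ', 2)
            chains[name] = None if policy == '-' else policy
        elif (m := RULE.match(line)):                # rules without -j only count packets; skip
            rules[m.group(1)].append((m.group(2).strip(), m.group(3)))
    return chains, dict(rules)

def terminal_targets(chains, rules, start):
    """Follow every jump from `start`; return (combined match, terminal target) per leaf."""
    found = []
    def walk(chain, conds, seen):
        for match, target in rules.get(chain, []):
            cond = conds + ([match] if match else [])
            if target not in chains:                 # ACCEPT, MASQUERADE, DROP, ... end the walk
                found.append((' '.join(cond) or 'any', target))
            elif target not in seen:                 # jump into a user chain (guard against loops)
                walk(target, cond, seen | {target})
    walk(start, [], {start})
    return found

def to_dot(chains, rules):
    """Chain-to-chain jumps as Graphviz DOT: the relationship diagram the post draws by hand."""
    edges = [f'  "{c}" -> "{t}" [label="{m}"];'
             for c, rs in rules.items() for m, t in rs if t in chains]
    return 'digraph iptables {\n' + '\n'.join(edges) + '\n}'
```

Feeding the DOT text to `dot -Tpng` gives the picture; for the filter table, running `terminal_targets` on INPUT lists exactly which WAN ports end in ACCEPT and which fall through to the reject chain.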


2. RAW table

*raw
:PREROUTING ACCEPT [3358190:2718603756]
:OUTPUT ACCEPT [14202:1858213]
:notrack - [0:0]
-A PREROUTING -j notrack 
COMMIT

Basically nothing is done here (the notrack chain it jumps to is empty), so it is not analysed.

3. MANGLE table

*mangle
:PREROUTING ACCEPT [3358190:2718603756]
:INPUT ACCEPT [14538:1853317]
:FORWARD ACCEPT [3342456:2716312729]
:OUTPUT ACCEPT [14202:1858213]
:POSTROUTING ACCEPT [3356900:2718229627]
:ASSIGNOUT - [0:0]
:NWANOUT - [0:0]
:NWANPOS - [0:0]
:NWANPRE - [0:0]
:fwmark - [0:0]
:mssfix - [0:0]
-A PREROUTING -j ASSIGNOUT 
-A PREROUTING -j NWANPRE 
-A PREROUTING -j fwmark 
-A FORWARD -j mssfix 
-A OUTPUT -j NWANOUT 
-A POSTROUTING -j NWANPOS 
-A ASSIGNOUT -m state --state RELATED,ESTABLISHED -j RETURN 
-A NWANOUT -m conntrack --ctstate RELATED,ESTABLISHED -j CONNMARK --restore-mark --nfmask 0xffffffff --ctmask 0xffffffff 
-A NWANPOS -o pppoe-wan -m state --state NEW -j CONNMARK --set-xmark 0xa/0xffffffff 
-A NWANPRE -i pppoe-wan -m state --state NEW -j CONNMARK --set-xmark 0xa/0xffffffff 
-A NWANPRE -i br-lan -m conntrack --ctstate RELATED,ESTABLISHED -j CONNMARK --restore-mark --nfmask 0xffffffff --ctmask 0xffffffff 
-A mssfix -o eth0 -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "wan (mtu_fix)" -j TCPMSS --clamp-mss-to-pmtu 
-A mssfix -o pppoe-wan -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "wan (mtu_fix)" -j TCPMSS --clamp-mss-to-pmtu 
COMMIT

Here CONNMARK is applied at prerouting, output and postrouting for connection management, for example QoS management. During forwarding the MSS is modified.

4. FILTER table

*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:MINIUPNPD - [0:0]
:delegate_forward - [0:0]
:delegate_input - [0:0]
:delegate_output - [0:0]
:forwarding_lan_rule - [0:0]
:forwarding_rule - [0:0]
:forwarding_wan_rule - [0:0]
:input_lan_rule - [0:0]
:input_rule - [0:0]
:input_wan_rule - [0:0]
:output_lan_rule - [0:0]
:output_rule - [0:0]
:output_wan_rule - [0:0]
:reject - [0:0]
:syn_flood - [0:0]
:zone_lan_dest_ACCEPT - [0:0]
:zone_lan_forward - [0:0]
:zone_lan_input - [0:0]
:zone_lan_output - [0:0]
:zone_lan_src_ACCEPT - [0:0]
:zone_lan_src_REJECT - [0:0]
:zone_wan_dest_ACCEPT - [0:0]
:zone_wan_forward - [0:0]
:zone_wan_input - [0:0]
:zone_wan_output - [0:0]
:zone_wan_src_REJECT - [0:0]
-A INPUT -j delegate_input 
-A FORWARD -j delegate_forward 
-A OUTPUT -j delegate_output 
-A delegate_forward -m comment --comment "user chain for forwarding" -j forwarding_rule 
-A delegate_forward -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT 
-A delegate_forward -i br-lan -j zone_lan_forward 
-A delegate_forward -i eth0 -j zone_wan_forward 
-A delegate_forward -i pppoe-wan -j zone_wan_forward 
-A delegate_forward -j reject 
-A delegate_input -i lo -j ACCEPT 
-A delegate_input -m comment --comment "user chain for input" -j input_rule 
-A delegate_input -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT 
-A delegate_input -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j syn_flood 
-A delegate_input -i br-lan -j zone_lan_input 
-A delegate_input -i eth0 -j zone_wan_input 
-A delegate_input -i pppoe-wan -j zone_wan_input 
-A delegate_output -o lo -j ACCEPT 
-A delegate_output -m comment --comment "user chain for output" -j output_rule 
-A delegate_output -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT 
-A delegate_output -o br-lan -j zone_lan_output 
-A delegate_output -o eth0 -j zone_wan_output 
-A delegate_output -o pppoe-wan -j zone_wan_output 
-A reject -p tcp -j REJECT --reject-with tcp-reset 
-A reject -j REJECT --reject-with icmp-port-unreachable 
-A syn_flood -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m limit --limit 25/sec --limit-burst 50 -j RETURN 
-A syn_flood -j DROP 
-A zone_lan_dest_ACCEPT -o br-lan -j ACCEPT 
-A zone_lan_forward -m comment --comment "user chain for forwarding" -j forwarding_lan_rule 
-A zone_lan_forward -m comment --comment "forwarding lan -> wan" -j zone_wan_dest_ACCEPT 
-A zone_lan_forward -j zone_lan_src_REJECT 
-A zone_lan_input -m comment --comment "user chain for input" -j input_lan_rule 
-A zone_lan_input -j zone_lan_src_ACCEPT 
-A zone_lan_output -m comment --comment "user chain for output" -j output_lan_rule 
-A zone_lan_output -j zone_lan_dest_ACCEPT 
-A zone_lan_src_ACCEPT -i br-lan -j ACCEPT 
-A zone_lan_src_REJECT -i br-lan -j reject 
-A zone_wan_dest_ACCEPT -o eth0 -j ACCEPT 
-A zone_wan_dest_ACCEPT -o pppoe-wan -j ACCEPT 
-A zone_wan_forward -j MINIUPNPD 
-A zone_wan_forward -m comment --comment "user chain for forwarding" -j forwarding_wan_rule 
-A zone_wan_forward -j zone_wan_src_REJECT 
-A zone_wan_input -m comment --comment "user chain for input" -j input_wan_rule 
-A zone_wan_input -p tcp -m tcp --dport 51413 -m comment --comment "51413" -j ACCEPT 
-A zone_wan_input -p udp -m udp --dport 51413 -m comment --comment "51413" -j ACCEPT 
-A zone_wan_input -p tcp -m tcp --dport 9091 -m comment --comment "9091" -j ACCEPT 
-A zone_wan_input -p udp -m udp --dport 68 -m comment --comment "Allow-DHCP-Renew" -j ACCEPT 
-A zone_wan_input -p icmp -m icmp --icmp-type 8 -m comment --comment "Allow-Ping" -j ACCEPT 
-A zone_wan_input -j zone_wan_src_REJECT 
-A zone_wan_output -m comment --comment "user chain for output" -j output_wan_rule 
-A zone_wan_output -j zone_wan_dest_ACCEPT 
-A zone_wan_src_REJECT -i eth0 -j reject 
-A zone_wan_src_REJECT -i pppoe-wan -j reject 
COMMIT

Ignoring eth0 for now: data entering from the WAN port must be filtered carefully, since machines on the internet must not be allowed to attack the router at will. Here ICMP is allowed; ports 51413 and 9091 are related to the transmission download tool, and port 68 is related to the DHCP service.

FORWARD traffic is essentially all blocked here.

All traffic sent out through the WAN port is allowed.

5. Summary

In summary, SNAT is done here to implement the router's basic function, and connection tracking allows each connection to be managed. The remaining policies help download tools to run.
