DD-WRT website whitelist setup
2013-02-21 20:13
Our company currently needs to allow access to only a handful of websites, plus short (local) addresses. After a lot of trial and error I finally got it working, and I am writing it down here as a reminder.
1. I found a wiki page on the official DD-WRT site, but its script has a few small problems; after some modifications it meets our needs. The script file is as follows:
Official page: http://www.dd-wrt.com/wiki/index.php/Blocking_URLs/IPs#White_Listing
(The official script has a parameter error, and its final catch-all DROP rule causes DHCP to fail; the modified script below has neither problem.)
#!/bin/sh
# IP Tables White Listing script by phuzi0n -Tek @ http://www.dd-wrt.com/phpBB2/viewtopic.php?t=56588
# This Wiki Page http://www.dd-wrt.com/wiki/index.php/Blocking_URLs/IPs#White_Listing
# Version 5. Please increment version number with subsequent modifications. GeeTek.
# Set up the chain: every packet arriving on the LAN interface, whether addressed
# to the router itself (INPUT) or routed onward (FORWARD), is checked against "wanout"
iptables -N wanout
iptables -I INPUT -i `nvram get lan_ifname` -j wanout
iptables -I FORWARD -i `nvram get lan_ifname` -j wanout
# Create whitelist 'function' script: "$WOUT '<match>'" inserts an ACCEPT rule
# with that match at the top of the wanout chain
WOUT="/tmp/wanout"
echo 'iptables -I wanout $1 -j ACCEPT' > $WOUT
chmod 777 $WOUT
# Exempt Machine MAC (none configured here)
# load xt_mac instead of ipt_mac on k2.6 builds
# Exempt Machine IP (none configured here)
# Allow everyone access to these sites (DNS lookup only happens once when rule is inserted and stays that single IP)
$WOUT '-d wpa.qq.com'
$WOUT '-d hm.baidu.com'
$WOUT '-d s.mzstatic.com'
$WOUT '-d ssl.apple.com'
$WOUT '-d images.apple.com'
$WOUT '-d a1813.phobos.apple.com'
$WOUT '-d a1488.phobos.apple.com'
$WOUT '-d a856.phobos.apple.com'
$WOUT '-d a1671.phobos.apple.com'
$WOUT '-d a1.mzstatic.com'
$WOUT '-d a5.mzstatic.com'
$WOUT '-d a2.mzstatic.com'
$WOUT '-d a3.mzstatic.com'
$WOUT '-d a4.mzstatic.com'
$WOUT '-d a63.phobos.apple.com'
$WOUT '-d securemetrics.apple.com'
$WOUT '-d ax.init.itunes.apple.com'
$WOUT '-d metrics.apple.com'
$WOUT '-d 30-courier.push.apple.com'
# Allow everyone access to these IP addresses/netmask
$WOUT '-d 202.106.0.20'
$WOUT '-d 8.8.8.8'
# Allow everyone access to specific destination ports (none configured here)
# Everything else gets blocked. Only LAN -> WAN traffic is rejected: packets for
# the router itself (DHCP, DNS) have no WAN output interface, so they fall through
# unchanged. This is the change from the wiki's unconditional DROP that broke DHCP.
iptables -A wanout -i `nvram get lan_ifname` -o `nvram get wan_ifname` -j REJECT --reject-with icmp-proto-unreachable
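The script's own comment points out its main weakness: iptables resolves a hostname once, at rule insertion, and keeps only that single address, so a CDN-backed site such as the mzstatic/phobos hosts above stays only partly reachable. The following is an added example (not the post's script and not from the DD-WRT wiki) that builds the ACCEPT rules for the same wanout chain from a plain list of entries, resolving every IPv4 address a hostname currently has and optionally limiting an entry to one TCP port. The entry formats, the RESOLVE_TABLE offline override, and the dry-run/APPLY switch are all assumptions of this example; the only real commands it relies on are busybox/glibc nslookup, awk, grep and iptables.

```shell
#!/bin/sh
# Added example, not the post's script. Generates "-I wanout ... -j ACCEPT" rules
# from a list of whitelist entries, resolving EVERY IPv4 address a hostname has.
# Entry formats (constructed for this example): "host", "host:port",
# "a.b.c.d", "a.b.c.d/nn", "a.b.c.d:port". Text after # is ignored.
# Set APPLY=1 to execute the rules; otherwise they are printed (dry run).

# resolve_host NAME: prints one IPv4 address per line.
# RESOLVE_TABLE ("name ip" pairs, one per line) is an offline override used for
# testing; when it is unset, nslookup output (busybox or glibc format) is parsed.
resolve_host() {
    if [ -n "${RESOLVE_TABLE:-}" ]; then
        printf '%s\n' "$RESOLVE_TABLE" | awk -v n="$1" '$1 == n { print $2 }'
        return 0
    fi
    nslookup "$1" 2>/dev/null | awk '
        /^Name:/ { seen = 1 }
        seen && /Address/ {
            for (i = 1; i <= NF; i++)
                if ($i ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/) print $i
        }'
}

# emit ARGS...: run "iptables ARGS" when APPLY=1, otherwise print the command.
emit() {
    if [ "${APPLY:-0}" = "1" ]; then
        iptables "$@"
    else
        echo "iptables $*"
    fi
}

# is_ipv4 ADDR: true for a dotted quad with an optional /prefix.
is_ipv4() {
    printf '%s\n' "$1" | grep -Eq '^[0-9]{1,3}(\.[0-9]{1,3}){3}(/[0-9]{1,2})?$'
}

# whitelist_rules < entries: one ACCEPT rule per resolved address.
# Returns 1 if any hostname failed to resolve, so a cron job can notice.
whitelist_rules() {
    rc=0
    while IFS= read -r entry || [ -n "$entry" ]; do
        entry="${entry%%#*}"                          # drop trailing comment
        entry=$(printf '%s' "$entry" | tr -d ' \t')   # drop whitespace
        [ -z "$entry" ] && continue
        port=""
        case "$entry" in
            *:*) port="${entry##*:}"; entry="${entry%:*}" ;;
        esac
        if is_ipv4 "$entry"; then
            addrs="$entry"
        else
            addrs=$(resolve_host "$entry")
            if [ -z "$addrs" ]; then
                echo "whitelist: cannot resolve $entry" >&2
                rc=1
                continue
            fi
        fi
        for a in $addrs; do
            if [ -n "$port" ]; then
                emit -I wanout -d "$a" -p tcp --dport "$port" -j ACCEPT
            else
                emit -I wanout -d "$a" -j ACCEPT
            fi
        done
    done
    return $rc
}
```

To use it with the post's script, keep the chain setup and the final REJECT rule and replace the block of `$WOUT '-d ...'` lines with `APPLY=1 whitelist_rules < /jffs/etc/config/whitelist.txt` (the file path is this example's assumption). Because addresses change, a cron entry that runs `iptables -F wanout`, re-runs `whitelist_rules`, and re-appends the REJECT rule keeps the list current; `iptables -L wanout -n` shows what is actually loaded.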
2. Running it at boot
The official wiki says the boot script can be set with nvram set rc_startup, but after N repeated attempts it never took effect. I then renamed the script above to *.wanup, put it in /jffs/etc/config, and it started successfully. My suspicion is that right after the router boots, the network interfaces and firewall are not yet up, so a boot script set through rc_startup fails. (A .wanup script runs after the interfaces and firewall come up; a startup script runs before them.)
3. Setting a short domain name with DNSmasq
On the admin page, under Services, enable dnsmasq, enter the following in Additional Options, save, and reboot:
address=/ubox.mini/10.0.0.1
Fiddling with this wireless router also taught me some iptables, heh.