Could the experts here tell me how to use iptables to intercept packets on an Android hotspot?
For example, to block certain websites. With this command I can block the Android phone's own local network access: iptables -A OUTPUT -m string --string "youtube.com" --algo bm --to 65535 -j DROP
But it has no effect on devices connected to this phone's hotspot; they can still reach youtube.com. Adding the following rule doesn't work either (wlan1 is the hotspot's network interface): iptables -A OUTPUT -o wlan1 -m string --string "youtube.com" --algo bm --to 65535 -j DROP
1
sujin190 2022-05-30 10:16:29 +08:00
It should probably be added to the FORWARD chain.
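As an added example (not code from the thread, and not real iptables), the following Python model shows why the placement matters: a packet the phone generates itself passes only the OUTPUT chain, while a packet routed from a hotspot client on wlan1 to the upstream wlan0 passes only FORWARD. The model evaluates the OP's OUTPUT rule and the FORWARD placement suggested here against both kinds of packet. Interface names come from the thread; the phone's upstream address, the web server address and the payloads are constructed, and the client address is the one in the log lines posted later in the thread.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Names taken from the thread: wlan1 is the hotspot side, wlan0 the upstream
# (the nat table listed later has MASQUERADE with out=wlan0). Addresses are
# constructed except the client, which appears in the posted log lines.
HOTSPOT_IF, UPSTREAM_IF = "wlan1", "wlan0"
PHONE_UPSTREAM_IP = "192.0.2.50"      # constructed: phone's own address on wlan0
CLIENT_IP = "192.168.43.117"          # tethered client, from the posted log
WEB_SERVER = "203.0.113.10"           # constructed
EXT_RESOLVER = "203.0.113.53"         # constructed: a resolver a client talks to directly


@dataclass
class Packet:
    src: str
    dst: str
    in_iface: Optional[str]    # None: generated by the phone itself
    out_iface: Optional[str]   # None: delivered to the phone itself
    payload: bytes


@dataclass
class Rule:
    chain: str
    target: str                        # "ACCEPT", "DROP" or "LOG"
    in_iface: Optional[str] = None     # -i
    out_iface: Optional[str] = None    # -o
    string: Optional[bytes] = None     # -m string --string
    string_to: int = 65535             # --to (search window, in bytes)


def chains_for(pkt: Packet) -> List[str]:
    """Filter-table chain a packet visits. Locally generated traffic goes
    through OUTPUT; traffic routed between two interfaces goes through
    FORWARD and never touches OUTPUT or INPUT."""
    if pkt.in_iface is None:
        return ["OUTPUT"]
    if pkt.out_iface is None:
        return ["INPUT"]
    return ["FORWARD"]


def matches(rule: Rule, pkt: Packet) -> bool:
    if rule.in_iface is not None and rule.in_iface != pkt.in_iface:
        return False
    if rule.out_iface is not None and rule.out_iface != pkt.out_iface:
        return False
    if rule.string is not None and rule.string not in pkt.payload[: rule.string_to]:
        return False
    return True


def verdict(rules: List[Rule], pkt: Packet) -> Tuple[str, List[str]]:
    """Walk the rules of every chain the packet visits, in order.
    Returns (final verdict, chains in which a LOG rule fired). Chain policy
    is assumed ACCEPT, as in the thread's listing."""
    logged: List[str] = []
    for chain in chains_for(pkt):
        for rule in (r for r in rules if r.chain == chain):
            if not matches(rule, pkt):
                continue
            if rule.target == "LOG":       # non-terminating: note it, keep walking
                logged.append(chain)
                continue
            return rule.target, logged
    return "ACCEPT", logged


# Constructed payloads. An HTTP Host header and a TLS ClientHello's SNI carry
# the host name as plain ASCII; a DNS query encodes it as length-prefixed
# labels ("\x07youtube\x03com"), so the literal "youtube.com" never occurs in it.
HTTP_REQ = b"GET / HTTP/1.1\r\nHost: www.youtube.com\r\n\r\n"
DNS_QUERY = (b"\x12\x34\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00"
             b"\x07youtube\x03com\x00\x00\x01\x00\x01")

# The OP's rule (OUTPUT) and the FORWARD placement suggested in reply #1.
OUTPUT_RULE = Rule("OUTPUT", "DROP", string=b"youtube.com")
FORWARD_RULE = Rule("FORWARD", "DROP", in_iface=HOTSPOT_IF,
                    out_iface=UPSTREAM_IF, string=b"youtube.com")

phone_request = Packet(PHONE_UPSTREAM_IP, WEB_SERVER, None, UPSTREAM_IF, HTTP_REQ)
client_request = Packet(CLIENT_IP, WEB_SERVER, HOTSPOT_IF, UPSTREAM_IF, HTTP_REQ)
client_dns = Packet(CLIENT_IP, EXT_RESOLVER, HOTSPOT_IF, UPSTREAM_IF, DNS_QUERY)

if __name__ == "__main__":
    for name, pkt in [("phone", phone_request), ("client", client_request),
                      ("client dns", client_dns)]:
        print(f"{name:10s} OUTPUT rule -> {verdict([OUTPUT_RULE], pkt)[0]:6s} "
              f"FORWARD rule -> {verdict([FORWARD_RULE], pkt)[0]}")
```

The string match also has a limit the model makes visible: it only hits where the name appears as a plain byte string (HTTP Host header, TLS SNI), so a forwarded DNS query for the same name is accepted even by the FORWARD rule.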
2
louiswong2099 OP @sujin190 Not sure why, but I just tried it and there are no log entries at all:
iptables -I FORWARD -i wlan1 -o wlan0 -j LOG --log-prefix "mylog:"
3
louiswong2099 OP @sujin190 iptables -I OUTPUT -o wlan1 -j LOG --log-prefix "mylog:" , I added a rule to look at the log and found that the only traffic leaving wlan1 is on UDP port 53; I have no idea where the TCP went.
[244292.000365] mylog:IN= OUT=wlan1 SRC=192.168.43.172 DST=192.168.43.117 LEN=246 TOS=0x00 PREC=0x00 TTL=64 ID=21389 DF PROTO=UDP SPT=53 DPT=51128 LEN=226 MARK=0xf0063
[244292.018519] mylog:IN= OUT=wlan1 SRC=192.168.43.172 DST=192.168.43.117 LEN=164 TOS=0x00 PREC=0x00 TTL=64 ID=21392 DF PROTO=UDP SPT=53 DPT=14121 LEN=144 MARK=0xf0063
[244295.033912] mylog:IN= OUT=wlan1 SRC=192.168.43.172 DST=192.168.43.117 LEN=195 TOS=0x00 PREC=0x00 TTL=64 ID=21685 DF PROTO=UDP SPT=53 DPT=49837 LEN=175 MARK=0xf0063
[244295.998582] mylog:IN= OUT=wlan1 SRC=192.168.43.172 DST=192.168.43.117 LEN=194 TOS=0x00 PREC=0x00 TTL=64 ID=21891 DF PROTO=UDP SPT=53 DPT=46547 LEN=174 MARK=0xf0063
[244297.041486] mylog:IN= OUT=wlan1 SRC=192.168.43.172 DST=192.168.43.117 LEN=166 TOS=0x00 PREC=0x00 TTL=64 ID=21910 DF PROTO=UDP SPT=53 DPT=50082 LEN=146 MARK=0xf0063
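As an added example (not code from the thread), the following Python parser reads the kernel LOG lines posted above and summarises what the OUTPUT chain saw on wlan1. The five sample lines are the OP's, copied verbatim. The parser's result is the point the post makes: every logged packet has an empty IN (generated by the phone itself), the phone's hotspot address as source and UDP source port 53, i.e. DNS answers from the phone to a client; nothing that a client sent through the phone appears, because forwarded packets traverse FORWARD rather than OUTPUT.

```python
import re
from collections import Counter
from typing import Dict, List, Optional

# The five lines from the post, copied verbatim (nothing constructed).
SAMPLE_LOG = """\
[244292.000365] mylog:IN= OUT=wlan1 SRC=192.168.43.172 DST=192.168.43.117 LEN=246 TOS=0x00 PREC=0x00 TTL=64 ID=21389 DF PROTO=UDP SPT=53 DPT=51128 LEN=226 MARK=0xf0063
[244292.018519] mylog:IN= OUT=wlan1 SRC=192.168.43.172 DST=192.168.43.117 LEN=164 TOS=0x00 PREC=0x00 TTL=64 ID=21392 DF PROTO=UDP SPT=53 DPT=14121 LEN=144 MARK=0xf0063
[244295.033912] mylog:IN= OUT=wlan1 SRC=192.168.43.172 DST=192.168.43.117 LEN=195 TOS=0x00 PREC=0x00 TTL=64 ID=21685 DF PROTO=UDP SPT=53 DPT=49837 LEN=175 MARK=0xf0063
[244295.998582] mylog:IN= OUT=wlan1 SRC=192.168.43.172 DST=192.168.43.117 LEN=194 TOS=0x00 PREC=0x00 TTL=64 ID=21891 DF PROTO=UDP SPT=53 DPT=46547 LEN=174 MARK=0xf0063
[244297.041486] mylog:IN= OUT=wlan1 SRC=192.168.43.172 DST=192.168.43.117 LEN=166 TOS=0x00 PREC=0x00 TTL=64 ID=21910 DF PROTO=UDP SPT=53 DPT=50082 LEN=146 MARK=0xf0063
"""

# "[<uptime>] <prefix>:<key=value ...>". The OP's --log-prefix has no trailing
# space, so "mylog:" runs straight into "IN=".
LINE_RE = re.compile(r"^\[(?P<ts>\d+\.\d+)\]\s+(?P<prefix>[^:\s]+):(?P<fields>.*)$")


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Turn one LOG line into a dict. LEN occurs twice (IP total length first,
    then the UDP/TCP length); a repeated key is stored under an "L4_" prefix.
    Bare tokens such as DF are collected as flags. Returns None for lines
    that are not netfilter LOG output."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec: Dict[str, str] = {"ts": m["ts"], "prefix": m["prefix"]}
    flags: List[str] = []
    for tok in m["fields"].split():
        if "=" not in tok:
            flags.append(tok)
            continue
        key, val = tok.split("=", 1)
        if key in rec:
            key = "L4_" + key
        rec[key] = val              # "IN=" yields an empty string: locally generated
    rec["flags"] = " ".join(flags)
    return rec


def parse_log(text: str) -> List[Dict[str, str]]:
    return [r for r in (parse_line(l) for l in text.splitlines()) if r]


def summarize(records: List[Dict[str, str]]) -> Counter:
    """Count packets by (IN, OUT, PROTO, SPT) to see what the chain saw."""
    return Counter((r["IN"], r["OUT"], r["PROTO"], r.get("SPT", "-")) for r in records)


def only_local_dns_replies(records: List[Dict[str, str]]) -> bool:
    """True when every logged packet was generated by the phone itself (empty
    IN) and is a UDP datagram from source port 53, i.e. a DNS answer the
    phone sends to a client. Forwarded client traffic would show a non-empty
    IN, and it never reaches OUTPUT anyway."""
    return bool(records) and all(
        r["IN"] == "" and r["PROTO"] == "UDP" and r.get("SPT") == "53"
        for r in records)


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for key, n in summarize(recs).items():
        print(f"in={key[0] or '(local)'} out={key[1]} proto={key[2]} sport={key[3]}: {n}")
    print("only locally generated DNS replies:", only_local_dns_replies(recs))
```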
4
louiswong2099 OP @sujin190 Not sure whether it's related to these rules in the nat table:
2|crosshatch:/ # iptables -t nat -nvL --line-numbers
Chain PREROUTING (policy ACCEPT 11182 packets, 1042K bytes)
num   pkts bytes target                      prot opt in     out     source               destination
1    11188 1044K oem_nat_pre                 all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain INPUT (policy ACCEPT 9073 packets, 877K bytes)
num   pkts bytes target                      prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 2463 packets, 341K bytes)
num   pkts bytes target                      prot opt in     out     source               destination

Chain POSTROUTING (policy ACCEPT 9 packets, 1652 bytes)
num   pkts bytes target                      prot opt in     out     source               destination
1     3438  403K tetherctrl_nat_POSTROUTING  all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain oem_nat_pre (1 references)
num   pkts bytes target                      prot opt in     out     source               destination

Chain tetherctrl_nat_POSTROUTING (1 references)
num   pkts bytes target                      prot opt in     out     source               destination
1     3169  386K MASQUERADE                  all  --  *      wlan0   0.0.0.0/0            0.0.0.0/0