Using iptables to allow only certain outbound ports


1

OK, I'm running a router with shibby's Tomato (Linux based) v1.28-115, and have a bridged network setup (br1) consisting of the guest wifi.

I only want to allow access to specific outbound ports... what do I need in my firewall script?

Copy-paste question, answering my own question


I originally had a non-working script here. It had some duplicate --state entries; once I corrected the bad syntax and adjusted the order, everything is working. See my answer to my own question below.
Tracker1, 2013

Answers:


1

Here is my working script.. it may not be correct... I don't want to mess with rules outside this script in the rest of the nat/etc configuration. This is a consumer device, and I don't want to put in more than is needed.

#NB: every rule below is added with -I (insert at the top of the chain), so the
#chain evaluates them in the reverse of the order written here: the last line
#(RELATED,ESTABLISHED accept) is checked first, the default DROP below is checked last.
#default deny guest
iptables -I FORWARD -i br1 -j DROP

#Removes guest access to physical network
iptables -I FORWARD -i br1 -o br0 -m state --state NEW -j DROP
iptables -I FORWARD -i br0 -o br1 -m state --state NEW -j DROP

#Removes guest access to the router's config GUI/ports
iptables -I INPUT -i br1 -p tcp --dport telnet -j REJECT --reject-with tcp-reset
iptables -I INPUT -i br1 -p tcp --dport ssh -j REJECT --reject-with tcp-reset
iptables -I INPUT -i br1 -p tcp --dport www -j REJECT --reject-with tcp-reset
iptables -I INPUT -i br1 -p tcp --dport https -j REJECT --reject-with tcp-reset

#guest allow dns to router
iptables -I INPUT -i br1 -p tcp --dport 53 -j ACCEPT
iptables -I INPUT -i br1 -p udp --dport 53 -j ACCEPT

#Guest - allow explicit ports
#Guest to ftp
iptables -I FORWARD -i br1 -p tcp --dport 21 -m state --state NEW -m limit --limit 4/min -j ACCEPT
#guest to ssh
iptables -I FORWARD -i br1 -p tcp --dport 22 -m state --state NEW -m limit --limit 4/min -j ACCEPT
#guest to telnet
iptables -I FORWARD -i br1 -p tcp --dport 23 -m state --state NEW -m limit --limit 4/min -j ACCEPT
#guest to smtp/smtp+ssl
#iptables -I FORWARD -i br1 -p tcp --dport 25 -m state --state NEW -m limit --limit 4/min -j ACCEPT
iptables -I FORWARD -i br1 -p tcp --dport 2525 -m state --state NEW -m limit --limit 4/min -j ACCEPT
iptables -I FORWARD -i br1 -p tcp --dport 465 -m state --state NEW -m limit --limit 4/min -j ACCEPT
iptables -I FORWARD -i br1 -p tcp --dport 587 -m state --state NEW -m limit --limit 4/min -j ACCEPT
#guest to pop3/ssl
iptables -I FORWARD -i br1 -p tcp --dport 110 -m state --state NEW -m limit --limit 16/min -j ACCEPT
iptables -I FORWARD -i br1 -p tcp --dport 995 -m state --state NEW -m limit --limit 16/min -j ACCEPT
#guest to imap/ssl
iptables -I FORWARD -i br1 -p tcp --dport 143 -m state --state NEW -m limit --limit 16/min -j ACCEPT
iptables -I FORWARD -i br1 -p tcp --dport 993 -m state --state NEW -m limit --limit 16/min -j ACCEPT
#guest http/https
iptables -I FORWARD -i br1 -p tcp --dport 80 -m state --state NEW -j ACCEPT
iptables -I FORWARD -i br1 -p tcp --dport 8080 -m state --state NEW -j ACCEPT
iptables -I FORWARD -i br1 -p tcp --dport 443 -m state --state NEW -j ACCEPT
iptables -I FORWARD -i br1 -p tcp --dport 8443 -m state --state NEW -j ACCEPT

#Guest - allow established connections
iptables -I FORWARD -i br1 -m state --state RELATED,ESTABLISHED -j ACCEPT
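As an added example (not the poster's script and not part of the Tomato firmware), here is the same guest policy written as an iptables-restore fragment in top-to-bottom evaluation order, with dedicated guest chains so the rules can be reviewed without mentally reversing the -I inserts. It assumes br1 is the guest bridge and br0 the LAN bridge as in the question, that the firmware's iptables-restore accepts --noflush, and it goes slightly beyond the script above: DHCP (udp/67) to the router is allowed explicitly, and all other guest traffic to the router itself is dropped rather than only the four REJECTed admin ports.

```shell
#!/bin/sh
# Added example, not the original poster's script: the same guest policy as an
# iptables-restore fragment, written in top-to-bottom evaluation order.
# Assumptions: br1 = guest bridge, br0 = LAN bridge (as in the question); the
# firmware's iptables-restore supports --noflush; DHCP (udp/67) to the router is
# allowed so guests can still get leases (not mentioned in the original script).
set -eu

GUEST_IF="${GUEST_IF:-br1}"
LAN_IF="${LAN_IF:-br0}"
# Allow list as "port:rate"; an empty rate means no limit on new connections.
# Port 25 is left out, mirroring the commented-out rule in the original script.
GUEST_TCP_ALLOW="21:4/min 22:4/min 23:4/min 2525:4/min 465:4/min 587:4/min \
110:16/min 995:16/min 143:16/min 993:16/min 80: 8080: 443: 8443:"
rule() { printf '%s\n' "$1"; }

# Print the ruleset on stdout; pipe it into iptables-restore --noflush to apply.
guest_ruleset() {
    rule '*filter'
    rule ':GUEST_IN - [0:0]'
    rule ':GUEST_FWD - [0:0]'
    # Hook the guest chains in front of whatever the firmware already installed.
    rule "-I INPUT -i $GUEST_IF -j GUEST_IN"
    rule "-I FORWARD -i $GUEST_IF -j GUEST_FWD"
    # LAN hosts must not open connections towards guests either.
    rule "-I FORWARD -i $LAN_IF -o $GUEST_IF -m state --state NEW -j DROP"
    # Router itself: DNS and DHCP only; no GUI, ssh or telnet from guests.
    rule '-A GUEST_IN -p udp --dport 53 -j ACCEPT'
    rule '-A GUEST_IN -p tcp --dport 53 -j ACCEPT'
    rule '-A GUEST_IN -p udp --dport 67 -j ACCEPT'
    rule '-A GUEST_IN -j DROP'
    # Forwarded traffic: replies first, then no path into the LAN, then the allow list.
    rule '-A GUEST_FWD -m state --state RELATED,ESTABLISHED -j ACCEPT'
    rule "-A GUEST_FWD -o $LAN_IF -j DROP"
    for entry in $GUEST_TCP_ALLOW; do
        port=${entry%%:*}
        rate=${entry#*:}
        lim=""
        if [ -n "$rate" ]; then lim=" -m limit --limit $rate"; fi
        rule "-A GUEST_FWD -p tcp --dport $port -m state --state NEW$lim -j ACCEPT"
    done
    # Default deny for everything else leaving the guest bridge.
    rule '-A GUEST_FWD -j DROP'
    rule 'COMMIT'
}

# Apply only when asked explicitly ("sh guest.sh apply", as root on the router).
if [ "${1:-}" = "apply" ]; then
    guest_ruleset | iptables-restore --noflush
fi
```

Run it without arguments to print the ruleset for review first; the allow list is the only thing that needs editing to open or close a port.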