
Firewall (VyOS): blocking p2p

Server Fault user
Asked 2017-03-23 09:11:15
1 answer · 1.3K views · 0 followers · 0 votes

I have a VyOS router and I want to block p2p traffic. Which ports have to be blocked? I tried 6881-6999, but it does not work. Thanks in advance for your help.

set firewall name "FIREWALL-IN" 

set firewall name "FIREWALL-IN" default-action drop

set firewall name "FIREWALL-IN" rule 10 action accept
set firewall name "FIREWALL-IN" rule 10 state established enable
set firewall name "FIREWALL-IN" rule 10 state related enable


set firewall name "FIREWALL-IN" rule 100
set firewall name "FIREWALL-IN" rule 100 description "p2p - block 6881-6999"
set firewall name "FIREWALL-IN" rule 100 action drop
set firewall name "FIREWALL-IN" rule 100 protocol tcp_udp
set firewall name "FIREWALL-IN" rule 100 source port 6881-6999
set firewall name "FIREWALL-IN" rule 100 state established enable
set firewall name "FIREWALL-IN" rule 100 state related enable

UPDATE 1

A

set firewall name "FIREWALL-IN" rule 100
set firewall name "FIREWALL-IN" rule 100 description "p2p - block 6881-6999"
set firewall name "FIREWALL-IN" rule 100 action drop
set firewall name "FIREWALL-IN" rule 100 protocol tcp_udp
set firewall name "FIREWALL-IN" rule 100 source port 6881-6999

B

set firewall name "FIREWALL-OUT" rule 100
set firewall name "FIREWALL-OUT" rule 100 description "p2p - block 6881-6999"
set firewall name "FIREWALL-OUT" rule 100 action drop
set firewall name "FIREWALL-OUT" rule 100 protocol tcp_udp
set firewall name "FIREWALL-OUT" rule 100 source port 6881-6999

UPDATE 2

set firewall name "FIREWALL-IN" 

set firewall name "FIREWALL-IN" default-action drop

set firewall name "FIREWALL-IN" rule 1 action accept
set firewall name "FIREWALL-IN" rule 1 state established enable
set firewall name "FIREWALL-IN" rule 1 state related enable

set firewall name "FIREWALL-IN" rule 10
set firewall name "FIREWALL-IN" rule 10 description "Allow http, https"
set firewall name "FIREWALL-IN" rule 10 action accept
set firewall name "FIREWALL-IN" rule 10 protocol tcp
set firewall name "FIREWALL-IN" rule 10 destination port 80,443
set firewall name "FIREWALL-IN" rule 10 state new enable
set firewall name "FIREWALL-IN" rule 10 state established enable
set firewall name "FIREWALL-IN" rule 10 state related enable

set firewall name "FIREWALL-IN" rule 15
set firewall name "FIREWALL-IN" rule 15 description "Allow dns"
set firewall name "FIREWALL-IN" rule 15 action accept
set firewall name "FIREWALL-IN" rule 15 protocol tcp_udp
set firewall name "FIREWALL-IN" rule 15 destination port 53
set firewall name "FIREWALL-IN" rule 15 state new enable
set firewall name "FIREWALL-IN" rule 15 state established enable
set firewall name "FIREWALL-IN" rule 15 state related enable

set firewall name "FIREWALL-IN" rule 20
set firewall name "FIREWALL-IN" rule 20 description "pop3,imap"
set firewall name "FIREWALL-IN" rule 20 action accept
set firewall name "FIREWALL-IN" rule 20 protocol tcp
set firewall name "FIREWALL-IN" rule 20 destination port 110,993,995
set firewall name "FIREWALL-IN" rule 20 state new enable
set firewall name "FIREWALL-IN" rule 20 state established enable
set firewall name "FIREWALL-IN" rule 20 state related enable

set firewall name "FIREWALL-IN" rule 30
set firewall name "FIREWALL-IN" rule 30 description "smtp"
set firewall name "FIREWALL-IN" rule 30 action accept
set firewall name "FIREWALL-IN" rule 30 protocol tcp
set firewall name "FIREWALL-IN" rule 30 destination port 25,587,465
set firewall name "FIREWALL-IN" rule 30 state new enable
set firewall name "FIREWALL-IN" rule 30 state established enable
set firewall name "FIREWALL-IN" rule 30 state related enable

set firewall name "FIREWALL-IN" rule 100 description "p2p - block 6881-6999"
set firewall name "FIREWALL-IN" rule 100 action drop
set firewall name "FIREWALL-IN" rule 100 protocol tcp_udp
set firewall name "FIREWALL-IN" rule 100 destination port 6881-6999
set firewall name "FIREWALL-IN" rule 100 state established enable
set firewall name "FIREWALL-IN" rule 100 state related enable

1 Answer

Server Fault user

Posted 2017-03-23 09:24:05

I tried 6881-6999, but it does not work.

Can you explain how it does not work?

In general, you will probably want to deny all outbound connections except those specifically authorized, in other words whitelist connections rather than allow everything with exceptions (i.e. a blacklist).

Also, you are only blocking inbound traffic, but you should be blocking outbound connections (through the forward or output chain, depending on your setup). I think forward is the appropriate one, assuming I understand your setup (a VyOS router protecting its LAN).

This is because a P2P client may actively establish connections rather than only waiting for incoming ones. Remember that P2P mostly uses UDP, which in practice means either end can establish the connection.

In other words, you need to do egress filtering as well as ingress filtering.

To be effective, you really need to keep your egress rules as minimal as possible.

Basically:

  • You will probably have to allow HTTP and HTTPS out, i.e. tcp/80 and tcp/443
  • You will probably need to allow DNS out, i.e. udp/53 and tcp/53, to specific designated servers (that is, only allow DNS flows to the servers your clients are supposed to use).
  • You may also need to allow some mail-related flows, e.g. submission (tcp/587) and SMTPS (tcp/465).

You have edited your output rules, but if I were you I would edit your forward rules like so:

# return traffic for connections that were already allowed
-A FORWARD -m state --state ESTABLISHED -j ACCEPT
# new outbound web and mail submission
-A FORWARD -p tcp -m tcp -m state --state NEW -m multiport --dports 80,443,587 -j ACCEPT
# new DNS only to the designated resolver
-A FORWARD -p udp -m udp -m state --state NEW -d 8.8.8.8 --dport 53 -j ACCEPT
# everything else
-A FORWARD -j DROP

Votes: 0
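The whitelist the answer describes, carried over to VyOS, as an added example that is not part of the question or the answer: the script below models a VyOS 1.1-style named rule set as a first-match list, renders it as `set firewall name ...` commands, and runs sample flows through both the asker's rule ordering and the answer's egress whitelist so you can see which rule actually fires. Assumptions: VyOS 1.1/1.2 syntax as used in the question (VyOS 1.4 moved to `set firewall ipv4 ...`), rules evaluated in ascending number order with the first match winning, a rule with any `state <s> enable` matching only the listed conntrack states, eth1 as the LAN-side interface, and a constructed peer address 203.0.113.10; 8.8.8.8 is the resolver from the answer's iptables rules.

```python
"""Added example: a first-match model of a VyOS 1.1-style named rule set,
with a renderer for the equivalent `set firewall name ...` commands.
Sample hosts, ports and flows are constructed, not taken from the page."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Rule:
    number: int
    action: str                      # "accept" or "drop"
    description: str = ""
    protocol: str = ""               # "tcp", "udp", "tcp_udp" or "" for any
    dst_ports: tuple = ()            # inclusive (low, high) ranges
    dst_net: str = ""                # e.g. "8.8.8.8/32", "" for any
    states: frozenset = frozenset()  # empty: match regardless of conntrack state


@dataclass(frozen=True)
class Flow:
    proto: str      # "tcp" or "udp"
    dst_ip: str
    dst_port: int
    state: str      # "new", "established" or "related"


def matches(rule: Rule, flow: Flow) -> bool:
    """True if every match condition configured on the rule holds for the flow."""
    if rule.protocol == "tcp_udp" and flow.proto not in ("tcp", "udp"):
        return False
    if rule.protocol not in ("", "tcp_udp") and rule.protocol != flow.proto:
        return False
    if rule.dst_ports and not any(lo <= flow.dst_port <= hi for lo, hi in rule.dst_ports):
        return False
    if rule.dst_net and ip_address(flow.dst_ip) not in ip_network(rule.dst_net):
        return False
    if rule.states and flow.state not in rule.states:
        return False
    return True


def evaluate(ruleset, flow: Flow, default_action: str = "drop"):
    """Rules are tried in ascending number order and the first match wins:
    returns (action, rule number), or (default_action, None) if nothing matched."""
    for rule in sorted(ruleset, key=lambda r: r.number):
        if matches(rule, flow):
            return rule.action, rule.number
    return default_action, None


def render(name: str, ruleset, default_action: str = "drop"):
    """Emit the VyOS 1.1-style `set` commands that express the rule set."""
    lines = [f"set firewall name {name} default-action {default_action}"]
    for r in sorted(ruleset, key=lambda r: r.number):
        p = f"set firewall name {name} rule {r.number}"
        if r.description:
            lines.append(f'{p} description "{r.description}"')
        lines.append(f"{p} action {r.action}")
        if r.protocol:
            lines.append(f"{p} protocol {r.protocol}")
        if r.dst_ports:
            ports = ",".join(str(lo) if lo == hi else f"{lo}-{hi}" for lo, hi in r.dst_ports)
            lines.append(f"{p} destination port {ports}")
        if r.dst_net:
            lines.append(f"{p} destination address {r.dst_net}")
        for s in sorted(r.states):   # VyOS compiles these to -m state --state ...
            lines.append(f"{p} state {s} enable")
    return lines


EST = frozenset({"established", "related"})
PEER = "203.0.113.10"  # constructed sample peer address

# Reduced form of the question's UPDATE 2: rule 1 accepts established/related
# before rule 100 is reached, and rule 100 itself only matches those states.
ASKER_IN = [
    Rule(1, "accept", states=EST),
    Rule(100, "drop", "p2p - block 6881-6999", "tcp_udp", ((6881, 6999),), states=EST),
]

# The answer's egress whitelist (its FORWARD rules) in VyOS form. 8.8.8.8 is
# the resolver used in the answer; attach the set `in` on the LAN-side interface.
LAN_OUT = [
    Rule(10, "accept", "return traffic", states=EST),
    Rule(20, "accept", "web and mail submission", "tcp",
         ((80, 80), (443, 443), (587, 587)), states=frozenset({"new"})),
    Rule(30, "accept", "dns to the designated resolver", "udp",
         ((53, 53),), "8.8.8.8/32", frozenset({"new"})),
]

if __name__ == "__main__":
    for line in render("LAN-OUT", LAN_OUT):
        print(line)
    print("set interfaces ethernet eth1 firewall in name LAN-OUT")  # eth1 = LAN side, assumed
    for ruleset, flow in [
        (ASKER_IN, Flow("tcp", PEER, 6881, "established")),  # accepted by rule 1, rule 100 never fires
        (LAN_OUT, Flow("tcp", PEER, 6881, "new")),           # default drop
        (LAN_OUT, Flow("udp", "8.8.8.8", 53, "new")),        # rule 30
        (LAN_OUT, Flow("udp", "1.1.1.1", 53, "new")),        # default drop: not the designated resolver
        (LAN_OUT, Flow("tcp", PEER, 443, "new")),            # rule 20: a peer listening on 443 passes
    ]:
        print(flow, "->", evaluate(ruleset, flow))
```

Two things the sample flows make visible. First, placement: a rule set applied `in` on the WAN interface only ever sees the replies to LAN-originated connections, and those are already in state established, so in the asker's ordering rule 1 accepts them before rule 100 is consulted; the connection has to be stopped on the forward path, as the answer says, which in this syntax means attaching the set `in` on the LAN-side interface where the first packet arrives in state new. Second, scope: the whitelist drops a new connection to 6881 on either protocol and DNS to any resolver other than the designated one, but a peer that listens on tcp/443 is indistinguishable from a web server by port alone, so this policy narrows what a P2P client can use rather than identifying P2P traffic.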
Original page content provided by Server Fault; translation supported by Tencent Cloud's IT-domain translation engine.
Original link: https://serverfault.com/questions/840094
