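Setting up a Raspberry Pi 4 as a router and hotspot

The Raspberry Pi 4 performs very well. With its built-in Gigabit Ethernet and AC wireless it is well suited to serving as a router and hotspot, and with its USB 3.0 ports it is more than capable of acting as a NAS too.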

iptables

# Generated by xtables-save v1.8.2 on Mon Feb 17 14:33:31 2020
*mangle
:PREROUTING ACCEPT [274685:225391364]
:INPUT ACCEPT [228566:199191351]
:FORWARD ACCEPT [24215:22886563]
:OUTPUT ACCEPT [177353:197982323]
:POSTROUTING ACCEPT [223529:224189656]
:SS-UDP - [0:0]
-A FORWARD -i wlan0 -o eth0 -j ACCEPT
-A SS-UDP -d 0.0.0.0/8 -j RETURN
-A SS-UDP -d 127.0.0.0/8 -j RETURN
-A SS-UDP -d 10.0.0.0/8 -j RETURN
-A SS-UDP -d 169.254.0.0/16 -j RETURN
-A SS-UDP -d 172.16.0.0/12 -j RETURN
-A SS-UDP -d 224.0.0.0/4 -j RETURN
-A SS-UDP -d 240.0.0.0/4 -j RETURN
-A SS-UDP -d 116.251.211.71/32 -j RETURN
-A SS-UDP -d 116.251.211.137/32 -j RETURN
-A SS-UDP -d 118.140.65.222/32 -j RETURN
-A SS-UDP -d 120.25.56.28/32 -j RETURN
-A SS-UDP -m set --match-set chnip dst -j RETURN
-A SS-UDP -i wlan0 -p udp -j TPROXY --on-port 10080 --on-ip 127.0.0.1 --tproxy-mark 0x2333/0x2333
COMMIT
# Completed on Mon Feb 17 14:33:31 2020
# Generated by xtables-save v1.8.2 on Mon Feb 17 14:33:31 2020
*filter
:INPUT ACCEPT [228554:199190659]
:FORWARD ACCEPT [46087:26195207]
:OUTPUT ACCEPT [177353:197982323]
-A INPUT -s 125.22.54.211/32 -j DROP
COMMIT
# Completed on Mon Feb 17 14:33:31 2020
# Generated by xtables-save v1.8.2 on Mon Feb 17 14:33:31 2020
*nat
:PREROUTING ACCEPT [4388:446682]
:INPUT ACCEPT [4491:449514]
:POSTROUTING ACCEPT [5624:405297]
:OUTPUT ACCEPT [5620:405065]
:SS-TCP - [0:0]
-A PREROUTING -s 192.168.0.0/24 -p tcp -j SS-TCP
-A POSTROUTING -s 192.168.0.0/24 -o eth0 -j MASQUERADE
-A OUTPUT -p tcp -j SS-TCP
-A SS-TCP -d 0.0.0.0/8 -j RETURN
-A SS-TCP -d 127.0.0.0/8 -j RETURN
-A SS-TCP -d 10.0.0.0/8 -j RETURN
-A SS-TCP -d 192.168.0.0/16 -j RETURN
-A SS-TCP -d 224.0.0.0/4 -j RETURN
-A SS-TCP -d 240.0.0.0/4 -j RETURN
-A SS-TCP -d 120.25.56.28/32 -j RETURN
-A SS-TCP -d 116.251.211.71/32 -j RETURN
-A SS-TCP -d 116.251.211.137/32 -j RETURN
-A SS-TCP -d 118.140.65.222/32 -j RETURN
-A SS-TCP -d 120.25.56.2/32 -j RETURN
-A SS-TCP -m set --match-set chnip dst -j RETURN
-A SS-TCP -i wlan0 -p tcp -m tcp -j REDIRECT --to-ports 10080
COMMIT
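
An added check, not part of the original post: a Python sketch that parses iptables-save output like the dump above, lists user-defined chains that no rule jumps to, and extracts the RETURN (bypass) networks of a chain so SS-TCP and SS-UDP can be compared. The sample input is a constructed, abbreviated copy of the dump, and the function names are hypothetical.

```python
import re

# Constructed sample: abbreviated copy of the dump above, counters zeroed.
SAMPLE = """\
*mangle
:PREROUTING ACCEPT [0:0]
:SS-UDP - [0:0]
-A SS-UDP -d 10.0.0.0/8 -j RETURN
-A SS-UDP -d 172.16.0.0/12 -j RETURN
-A SS-UDP -i wlan0 -p udp -j TPROXY --on-port 10080 --on-ip 127.0.0.1 --tproxy-mark 0x2333/0x2333
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:SS-TCP - [0:0]
-A PREROUTING -s 192.168.0.0/24 -p tcp -j SS-TCP
-A SS-TCP -d 10.0.0.0/8 -j RETURN
-A SS-TCP -d 192.168.0.0/16 -j RETURN
-A SS-TCP -i wlan0 -p tcp -m tcp -j REDIRECT --to-ports 10080
COMMIT
"""

def parse(dump):
    """Return {table: {"chains": {name: policy}, "rules": [(chain, rule_text)]}}."""
    tables, cur = {}, None
    for line in dump.splitlines():
        line = line.strip()
        if line.startswith("*"):            # table header, e.g. *nat
            cur = tables.setdefault(line[1:], {"chains": {}, "rules": []})
        elif cur is not None and line.startswith(":"):   # chain declaration
            name, policy = line[1:].split()[:2]
            cur["chains"][name] = policy    # policy "-" marks a user-defined chain
        elif cur is not None and line.startswith("-A "):
            _, chain, rest = line.split(" ", 2)
            cur["rules"].append((chain, rest))
    return tables

def unreferenced_chains(tables):
    """User-defined chains that no rule in the same table jumps (-j) or goes (-g) to."""
    out = []
    for tname, t in tables.items():
        jumps = (re.search(r"(?:^| )-[jg] (\S+)", r) for _, r in t["rules"])
        targets = {m.group(1) for m in jumps if m}
        out += [(tname, c) for c, p in t["chains"].items() if p == "-" and c not in targets]
    return out

def bypass_nets(tables, table, chain):
    """Destination networks the chain RETURNs, i.e. excludes from the proxy."""
    hits = (re.match(r"-d (\S+) -j RETURN$", r) for c, r in tables[table]["rules"] if c == chain)
    return {m.group(1) for m in hits if m}
```

Run on the dump as shown above, `unreferenced_chains` reports SS-UDP in the mangle table, since no rule there jumps to it, and the symmetric difference of the two `bypass_nets` sets shows which private ranges are excluded for TCP but not for UDP and vice versa.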
