openwrt减少端口暴露

我最终选择了防火墙的方案,只指定部分mac地址访问我的77端口即可:

  1. 配置允许访问的端口(这一步应该先进行,否则就无法访问Web服务了)

2021-05-14-18-27-03

2021-05-14-18-27-24


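# Hosts that keep access to the router after the LAN input policy is set to
# reject (step 2 of the note).
# NOTE(review): the note above speaks of MAC addresses, but these rules match
# source IP addresses only, so the allow-list is only as strong as the LAN's
# address assignment — any host that obtains one of these IPs inherits the
# access.
#
# 192.168.13.113
# Base(192.168.13.68)
# Node1(192.168.13.195)
# Node2(192.168.13.83)
# Node3(192.168.13.32)
# Node4(192.168.13.105)
# Node5(192.168.13.236)
# 192.168.28.118 (not labelled in the original note)
allowed_hosts=(
  192.168.13.113
  192.168.13.68
  192.168.13.195
  192.168.13.83
  192.168.13.32
  192.168.13.105
  192.168.13.236
  192.168.28.118
)

# Each rule is inserted at the top of INPUT and matches every protocol and
# port from that source, not only the web-UI port mentioned in the note; add
# `-p tcp --dport <port>` if only the web UI should be reachable from them.
# `iptables -I` edits the running ruleset only: the rules are gone after a
# reboot or firewall reload, so a persistent copy is needed (on fw3-based
# OpenWrt releases /etc/firewall.user is the usual place — confirm for the
# release in use).
for host in "${allowed_hosts[@]}"; do
  iptables -I INPUT -s "$host" -j ACCEPT
done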

  1. 设置lan口的入站规则为拒绝

2021-05-14-19-37-05

修改Web服务监听端口(此方案已作废:不优雅,也麻烦)

  1. 编辑/etc/config/uhttpd

# /etc/config/uhttpd as found on the router (the abandoned approach: move the
# web UI to another port here instead of filtering with iptables).
# NOTE(review): as shown, both listeners still bind 80/443 on every address
# (0.0.0.0 and [::]); the "change port" approach would edit the
# listen_http/listen_https entries below.
config uhttpd 'main'
	# Plain-HTTP listeners: all IPv4 and all IPv6 addresses, port 80.
	list listen_http '0.0.0.0:80'
	list listen_http '[::]:80'
	# TLS listeners on port 443, using the cert/key paths configured below.
	list listen_https '0.0.0.0:443'
	list listen_https '[::]:443'
	# '0': HTTP is not redirected to HTTPS, so the UI is also served in clear text.
	option redirect_https '0'
	option home '/www'
	# Presumably uhttpd's rebind protection (reject RFC1918 clients that address
	# the router by a public name) — TODO confirm against the uhttpd docs for
	# this release.
	option rfc1918_filter '1'
	option max_requests '3'
	option max_connections '100'
	# TLS certificate and private key; the key file should stay readable by
	# root only.
	option cert '/etc/uhttpd.crt'
	option key '/etc/uhttpd.key'
	option cgi_prefix '/cgi-bin'
	list lua_prefix '/cgi-bin/luci=/usr/lib/lua/luci/sgi/uhttpd.lua'
	option script_timeout '60'
	option network_timeout '30'
	option http_keepalive '20'
	option tcp_keepalive '1'
	option ubus_prefix '/ubus'

# Parameters for the self-signed certificate (presumably generated when
# /etc/uhttpd.crt is absent — generation is not shown in this note).
config cert 'defaults'
	# Validity in days (730 ~ 2 years).
	option days '730'
	# EC key on P-256; 'bits' presumably only applies to RSA keys — verify.
	option key_type 'ec'
	option bits '2048'
	option ec_curve 'P-256'
	option country 'ZZ'
	option state 'Somewhere'
	option location 'Unknown'
	option commonname 'OpenWrt'

  1. 重启该服务

# Apply the edited /etc/config/uhttpd by restarting the service; existing
# web-UI connections are presumably dropped, so run this from a session that
# does not depend on the web UI.
/etc/init.d/uhttpd restart

参考资料

  1. Openwrt 修改Web页面默认访问端口