Assuming it doesn't matter how many interfaces you have, you can block everything except traffic to and from your LAN network address subnet by using:
iptables -A INPUT -s $NETWORK_ADDRESS/$MASK -j ACCEPT
iptables -A INPUT -s $ANOTHER_NETWORK_ADDRESS/$MASK -j ACCEPT
iptables -A INPUT -j DROP
iptables -A OUTPUT -d $NETWORK_ADDRESS/$MASK -j ACCEPT
iptables -A OUTPUT -d $ANOTHER_NETWORK_ADDRESS/$MASK -j ACCEPT
iptables -A OUTPUT -j DROP
You can find the network addresses and the network mask directly connected to your interfaces by typing:
ip r l | grep -v "default" | grep "proto kernel" | awk '{print $1}'
Replace $NETWORK_ADDRESS/$MASK in the iptables commands with the values printed by the ip r l command.
Assuming that you may have a DHCP Server on the LAN, you may want to allow this specific traffic in order to obtain an IP Address from the server.
In order to accomplish that you need to add more rules to IPTABLES:
# server -> client replies (OFFER/ACK) on the INPUT chain
iptables -I INPUT 1 -p udp --dport 67:68 --sport 67:68 -j ACCEPT
# client -> server broadcasts (DISCOVER/REQUEST go to 255.255.255.255, which is not in your LAN subnet, so the OUTPUT DROP would otherwise block them)
iptables -I OUTPUT 1 -p udp --sport 68 --dport 67 -j ACCEPT
Explanation:
You need to accept incoming and outgoing traffic from your network address space and after that, you can DROP everything else.
The rule for the DHCP client will be inserted first, even though it is executed last, because of -I (insert) INPUT "1". This way you make sure you obtain an IP address from the DHCP server.
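As an added example (not part of the original answer), the following script ties the two steps together: it parses the "proto kernel" routes the way the ip r l pipeline above does, then generates the LAN-only ruleset in the same order, including an OUTPUT rule for the client's DHCP broadcasts that the original rules do not have. The route-table text is constructed sample data so it runs offline, and the dry-run mode only echoes the commands instead of executing them.

```shell
#!/bin/sh
# Added example, not from the original answer: build the LAN-only ruleset
# from "ip r l" output instead of editing $NETWORK_ADDRESS/$MASK by hand.

# Constructed sample of "ip r l" output so the script can run offline.
SAMPLE_ROUTES='default via 192.168.1.1 dev eth0 proto dhcp metric 100
192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.23
10.0.0.0/8 via 192.168.1.254 dev eth0
172.16.5.0/24 dev eth1 proto kernel scope link src 172.16.5.9'

# lan_subnets: print one directly connected subnet per line
# (kernel-installed routes only, default route excluded), like the pipeline in the answer.
lan_subnets() {
    printf '%s\n' "$1" | grep -v '^default' | grep 'proto kernel' | awk '{print $1}'
}

# build_rules: emit the iptables commands in the order the answer applies them:
# per-subnet ACCEPT, then DROP, with the DHCP rules inserted at position 1 last.
build_rules() {
    subnets=$(lan_subnets "$1")
    for net in $subnets; do
        echo "iptables -A INPUT -s $net -j ACCEPT"
    done
    echo "iptables -A INPUT -j DROP"
    for net in $subnets; do
        echo "iptables -A OUTPUT -d $net -j ACCEPT"
    done
    echo "iptables -A OUTPUT -j DROP"
    # DHCP client: server->client on INPUT; client->server broadcast on OUTPUT
    # (the OUTPUT rule is an addition here; DISCOVER goes to 255.255.255.255).
    echo "iptables -I INPUT 1 -p udp --sport 67 --dport 68 -j ACCEPT"
    echo "iptables -I OUTPUT 1 -p udp --sport 68 --dport 67 -j ACCEPT"
}

# apply_rules: run the generated commands; pass "echo" as $2 for a dry run.
apply_rules() {
    build_rules "$1" | while IFS= read -r cmd; do
        ${2:-} $cmd
    done
}

# Dry run against the constructed routes; drop the "echo" to apply for real
# (requires root, and use the live output of: ip r l).
apply_rules "$SAMPLE_ROUTES" echo
```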