Bloquear MSN no Iptables ou Squid e liberar para IP's ou Usuarios

1. Bloquear MSN no Iptables ou Squid e liberar para IP's ou Usuarios

Felipe
felipepetitto

(usa Outra)

Enviado em 04/08/2012 - 17:00h

Boa tarde,

Estou tendo problemas ao configurar meu firewall para bloquear todos de entrarem no MSN com exceção dos usuários e/ou IP's que eu colocar.
No caso, não estou conseguindo nem bloquear a entrada do MSN, por isso não criei a regra de IP's liberados.

Por favor, me ajudem! Preciso desse firewall rodando na segunda-feira e é só o que resta pra ser feito.

Seguem abaixo os confs do Squid e do Firewall:

FIREWALL:

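#!/bin/sh
# Gateway firewall for a two-NIC box: NAT for the LAN, transparent redirect of
# LAN web traffic to Squid, a couple of port forwards from the public address
# and some log-and-drop chains for well-known scanner/backdoor ports.
#
# Usage: firewall.sh [PUBLIC_IP]
#   PUBLIC_IP  address on $NET used as the DNAT target for the port forwards;
#              detected from "ifconfig $NET" when not given.
#
# NOTE on rule order: the FORWARD chain accepts every NEW connection early on
# (state rule below) and again at the very end ("-i $NET -j ACCEPT"), and
# OUTPUT accepts NEW as well, so the DROP policies on those two chains only
# apply to packets no rule matched. Any rule meant to block a service for LAN
# hosts has to be placed *before* the FORWARD state rule, otherwise it is
# never reached.

IPT=/sbin/iptables
NET=eth0    # internet-facing interface
REDE=eth1   # LAN interface

# Kernel knobs: enable forwarding; stop answering ICMP echo on this host;
# strict reverse-path filtering on every interface.
echo 1 > /proc/sys/net/ipv4/ip_forward
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_all

if [ -e /proc/sys/net/ipv4/conf/all/rp_filter ]; then
  for f in /proc/sys/net/ipv4/conf/*/rp_filter; do
    echo 1 > "$f"
  done
fi

# SYN cookies (SYN-flood mitigation).
if [ -e /proc/sys/net/ipv4/tcp_syncookies ]; then
  echo 1 > /proc/sys/net/ipv4/tcp_syncookies
fi

# Dynamic-address support for masquerading.
if [ -e /proc/sys/net/ipv4/ip_dynaddr ]; then
  echo 1 > /proc/sys/net/ipv4/ip_dynaddr
fi

# Load the modules first so the flush below reaches every table. Failure of a
# modprobe (e.g. ip_conntrack on newer kernels) is deliberately not fatal.
modprobe iptable_nat
modprobe ip_conntrack
modprobe ip_tables
modprobe sch_htb

# Clean slate: flush rules and delete user chains in every table (the original
# did this twice with two spellings; once per table is enough).
for table in filter nat mangle; do
  "$IPT" -t "$table" -F
  "$IPT" -t "$table" -X
done

# Default deny; everything allowed is opened explicitly below.
"$IPT" -P INPUT DROP
"$IPT" -P OUTPUT DROP
"$IPT" -P FORWARD DROP

# A NEW TCP connection must begin with a SYN.
"$IPT" -A FORWARD -p tcp -m tcp ! --syn -m state --state NEW -j DROP

# Stateful rules. OUTPUT and FORWARD also accept NEW here, which is what makes
# their DROP policy mostly cosmetic -- see the header note.
"$IPT" -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
"$IPT" -A OUTPUT -m state --state ESTABLISHED,RELATED,NEW -j ACCEPT
"$IPT" -A FORWARD -m state --state ESTABLISHED,RELATED,NEW -j ACCEPT

# Log-and-drop chain for the ports used by the trinoo DDoS agent. INPUT already
# has a DROP policy, so the practical effect of these rules is the logging.
"$IPT" -N TRINOO
"$IPT" -A TRINOO -m limit --limit 15/m -j LOG --log-level 6 --log-prefix "FIREWALL: trinoo: "
"$IPT" -A TRINOO -j DROP
for port in 27444 27665 31335 34555 35555; do
  "$IPT" -A INPUT -p tcp -i "$NET" --dport "$port" -j TRINOO
done

# Rate-limit forwarded bare RST packets.
"$IPT" -A FORWARD -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit 1/s -j ACCEPT

# Log-and-drop chain for a handful of well-known backdoor ports (the original
# listed 666 twice; it is listed once here, same effect).
"$IPT" -N TROJAN
"$IPT" -A TROJAN -m limit --limit 15/m -j LOG --log-level 6 --log-prefix "FIREWALL: trojan: "
"$IPT" -A TROJAN -j DROP
for port in 666 4000 6000 6006 16660; do
  "$IPT" -A INPUT -p tcp -i "$NET" --dport "$port" -j TROJAN
done

# Rejects for port 1214 (presumably a P2P service -- confirm) and two address
# ranges. These sit after the FORWARD state rule, so they only see packets
# that rule did not already accept.
"$IPT" -A FORWARD -p tcp --dport 1214 -j REJECT
"$IPT" -A FORWARD -p udp --dport 1214 -j REJECT
"$IPT" -A FORWARD -d 213.248.112.0/24 -j REJECT
"$IPT" -A FORWARD -d 206.142.53.0/24 -j REJECT
"$IPT" -A FORWARD -p tcp --syn -m limit --limit 2/s -j ACCEPT
"$IPT" -A FORWARD -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT
# Created but never referenced in this script; kept in case something else
# expects the chain to exist.
"$IPT" -N SCANNER

# Public address: first argument if given, else the IPv4 address of $NET.
# The sed pattern matches both "inet addr:1.2.3.4" (old net-tools) and
# "inet 1.2.3.4" (new net-tools) and ignores the inet6 line, which the old
# "grep addr:" pipeline did not.
ipnet=${1:-}
if [ -z "$ipnet" ]; then
  ipnet=$(ifconfig "$NET" | sed -n 's/^[[:space:]]*inet \(addr:\)\{0,1\}\([0-9.]*\).*/\2/p' | head -n 1)
fi
printf '%s\n' "$ipnet"

# Ports opened on this host: to the LAN and to the internet (multiport lists).
INTERNAS="5222,5223,22,3128,9090,10000,80,139,445"
EXTERNAS="22,10000"

"$IPT" -A INPUT -p tcp -m multiport --dport "$INTERNAS" -i "$REDE" -j ACCEPT
"$IPT" -A INPUT -p udp -m multiport --dport "$INTERNAS" -i "$REDE" -j ACCEPT

# For a single LAN host only:
#   "$IPT" -A INPUT -p tcp --dport 22 -i "$REDE" -s 10.10.0.1 -j ACCEPT

"$IPT" -A INPUT -p tcp -m multiport --dport "$EXTERNAS" -i "$NET" -j ACCEPT
"$IPT" -A INPUT -p udp -m multiport --dport "$EXTERNAS" -i "$NET" -j ACCEPT

# LAN hosts exempt from the transparent proxy (AD, servers, management).
"$IPT" -t nat -A PREROUTING -i "$REDE" -p tcp -s 192.168.0.16 -j RETURN

# Transparent proxy: LAN traffic to port 80 is redirected to Squid on 3128.
"$IPT" -t nat -A PREROUTING -i "$REDE" -p tcp --dport 80 -j REDIRECT --to-port 3128

# Port forwards from the public address. Installed only when the address is
# known; otherwise iptables would be handed an empty "-d" and the rules would
# fail in confusing ways. Note that these expose 3389 (RDP) and 10000 on the
# internal hosts to the whole internet; add "-s <remote network>" if the
# remote side has fixed addresses.
if [ -n "$ipnet" ]; then
  "$IPT" -t nat -A PREROUTING -d "$ipnet" -p tcp --dport 3389 -j DNAT --to-destination 192.168.0.16
  "$IPT" -t nat -A PREROUTING -d "$ipnet" -p udp --dport 3389 -j DNAT --to-destination 192.168.0.16

  "$IPT" -t nat -A PREROUTING -d "$ipnet" -p tcp --dport 10000 -j DNAT --to-destination 192.168.0.50
  "$IPT" -t nat -A PREROUTING -d "$ipnet" -p udp --dport 10000 -j DNAT --to-destination 192.168.0.50
else
  printf 'warning: could not determine the public IP on %s; port forwards not installed\n' "$NET" >&2
fi

# NAT for the LAN. The final rule accepts everything entering FORWARD from
# the internet side (including the DNATed packets above).
"$IPT" -t nat -A POSTROUTING -o "$NET" -j MASQUERADE
"$IPT" -A FORWARD -i "$NET" -j ACCEPT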




SQUID:

acl all src all
acl manager proto cache_object
acl localhost src 192.168.0.0/24
acl to_localhost dst 127.0.0.0/8 0.0.0.0/32

############################### Autenticacao via passwd ##########################
access_log /var/log/squid/access.log squid
#auth_param basic children 5
#auth_param basic realm Squid proxy-caching web server
#auth_param basic credentialsttl 2 hours
#auth_param basic casesensitive off
#auth_param basic program /usr/lib/squid/ncsa_auth /etc/squid/passwd
#auth_param basic realm Digite seu Login
#acl autenticacao proxy_auth REQUERID
###################################################################################

############################## Autenticacao via AD ###############################
auth_param basic program /usr/lib/squid/ldap_auth -R -b "dc=************,dc=com,dc=br" -D "cn=Linux,cn=Users,dc=**********,dc=com,dc=br" -w "******" -f sAMAccountName=%s -h 192.168.0.16
auth_param basic realm Acesso Controlado
auth_param basic children 5
auth_param basic credentialsttl 400 minutes
acl password proxy_auth REQUIRED
##################################################################################


#################################### ACLS #########################################
acl dld urlpath_regex -i "/ikd/squid/dld"
acl padrao url_regex -i "/ikd/squid/padrao"
acl blnivel1 url_regex -i "/ikd/squid/blnivel1"
acl blnivel2 url_regex -i "/ikd/squid/blnivel2"
acl liberados url_regex -i "/ikd/squid/liberados"
acl ipliberado src "/ikd/squid/ipliberado"
external_acl_type checa_diretoria %LOGIN /ikd/squid/diretoria.sh
acl diretoria external checa_diretoria "/ikd/squid/diretoria"

external_acl_type checa_n1 %LOGIN /ikd/squid/n1.sh
acl nivel1 external checa_n1 "/ikd/squid/nivel1"

external_acl_type checa_n2 %LOGIN /ikd/squid/n2.sh
acl nivel2 external checa_n2 "/ikd/squid/nivel2"

###################################################################################


##################################### teste apagar ############################
external_acl_type passa_url %URI /ikd/squid/videos.sh
acl videos external passa_url "/ikd/squid/videos"

##############################################################################
#portas confiáveis de sites

acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT

http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
#####################################
http_access deny padrao
http_access allow diretoria
http_access allow ipliberado
http_access allow videos
http_access deny dld
http_access deny blnivel1 !liberados
http_access allow nivel1
http_access deny blnivel2 !liberados
http_access allow nivel2

#####################################
http_access allow localhost
http_port 3128 transparent

coredump_dir /var/spool/squid
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern (Release|Packages(.gz)*)$ 0 20% 2880
refresh_pattern . 0 20% 4320
error_directory /usr/share/squid/errors/Portuguese


Obrigado!
Felipe


  


2. Complemento

Felipe
felipepetitto

(usa Outra)

Enviado em 04/08/2012 - 17:37h

Galera... a parte do acesso remoto na porta 3389 também estou com problema, se puderem ajudar também!

Obrigado





