fnxxr
(usa Ubuntu)
Enviado em 29/06/2015 - 14:05h
Bom Primeiramente boa tarde galera, estou com uma duvida simples mais nao consigo resolver...
Enfim tenho um roteador rodando squid e iptables e queria bloquear o acesso da porta 443 "ultrasurf" e outos, ja fiz com o fail2ban, mais o mais eficiente e o bloqueio da porta 443...
Ja fiz de várias formas e essa bendita porta continua navegando... pois o bloqueio dela deveria parar acesso a sites https
vou postar meu script do iptables...
iptables_start(){
iptables -F
iptables -X
iptables -t nat -F
iptables -t nat -X
iptables -t filter -F
iptables -t filter -X
iptables -t mangle -F
iptables -t mangle -X
modprobe ip_tables
modprobe iptable_nat
modprobe ip_conntrack
##############################
# BLOQUEIO DE PORTAS SSL 443
##############################
iptables -A FORWARD -p tcp -s 192.168.0.0 --dport 443 -j DROP
#libera acesso aos bloqueados a urls especificas
#Bloqueia toda a requisição a porta 443
iptables -I FORWARD -p tcp --dport 443 -j DROP
Bloqueia a nova porta utilizada pelo UltraSurf 10.05
iptables -I FORWARD -p tcp --dport 25101 -j DROP
#Define o local onde está o arquivo com a lista de URLs liberados para a porta 443
for URL in `grep -v "^#" /etc/squid3/liberados_443`; do
#Libera o acesso a toda a rede para a lista de URLs definidas
iptables -I FORWARD -p tcp --dport 443 -d $URL -j ACCEPT
done
#Libera acesso total ao ssl 443
#PC-01
#Permite o acesso a porta 443 pelo ip em questão sem qualquer restrição
#adicione os endereços ips que você não pretende restringir o acesso ao UltraSurf.
iptables -I FORWARD -s 192.168.0.2 -p tcp --dport 443 -j ACCEPT
###############################################################################################################################
#ATIVA REGRA SQUID
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 80 -j REDIRECT --to-port 3128
iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 443 -j REDIRECT --to-port 3128
echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_all
echo "1" < /proc/sys/net/ipv4/tcp_syncookies
echo "0" > /proc/sys/net/ipv4/conf/eth0/accept_source_route
echo "0" > /proc/sys/net/ipv4/conf/eth1/accept_source_route
echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
#################################################################
#LIBERA ACESSO PARA REDE
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -p tcp --syn -s 192.168.0.0/255.255.255.0 -j ACCEPT
#################################################################
#Aqui poderão ser inseridas regras para bloqueios Ex: torrents, P2P,...
## Libera portas pop e smtp
iptables -A FORWARD -p tcp -s 192.168.0.0 --dport 110 -j ACCEPT
iptables -A FORWARD -p tcp -s 192.168.0.0 --dport 111 -j ACCEPT
iptables -A FORWARD -p tcp -s 192.168.0.0 --dport 113 -j ACCEPT
iptables -A FORWARD -p tcp -s 192.168.0.0 --dport 143 -j ACCEPT
iptables -A FORWARD -p tcp -s 192.168.0.0 --dport 465 -j ACCEPT
iptables -A FORWARD -p tcp -s 192.168.0.0 --dport 587 -j ACCEPT
iptables -A FORWARD -p tcp -s 192.168.0.0 --dport 993 -j ACCEPT
iptables -A FORWARD -p tcp -s 192.168.0.0 --dport 995 -j ACCEPT
iptables -A FORWARD -p tcp -s 192.168.0.0 --dport 25 -j ACCEPT
#################################################################
#REGRAS DE EXCESSÃ(ACESSO LIVRE DO FIREWALL) Permite aceeso sem passar pelas regras
#################################################################
#iptables -t nat -I PREROUTING 1 -p tcp -s 192.168.0.100 --dport 1:65334 -j ACCEPT
#################################################################
echo 1 > /proc/sys/net/ipv4/ip_forward
}
iptables_stop(){
iptables -F
iptables -X
iptables -P INPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -P OUTPUT ACCEPT
}
case "$1" in
"start")
iptables_start
;;
"stop")
iptables_stop
echo "O iptables esta sendo desativado"
sleep 2
echo "ok"
;;
"restart")
echo "O iptables esta sendo desativado"\e sleep 1
echo "ok"
iptables_stop; iptables_start
;;
*)
iptables -L -n
esac
Ajudem por favor