gijunior
(usa Outra)
Enviado em 19/09/2014 - 10:49h
Como faço isto e onde coloco esta informação? e em que parte do ipcop?
No rc.firewall vem assim conforme abaixo,
#!/bin/sh
#
# This file is part of the IPCop Firewall.
#
# IPCop is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2 of the License, or
# (at your option) any later version.
#
# IPCop is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with IPCop. If not, see <http://www.gnu.org/licenses/>.
#
# (c) 2001-2012, the IPCop team
#
# $Id: rc.firewall 6828 2012-11-03 10:59:39Z owes $
#
eval $(/usr/local/bin/readhash /var/ipcop/ppp/settings)
eval $(/usr/local/bin/readhash /var/ipcop/ethernet/settings)
if [ -f /var/ipcop/red/iface ]; then
IFACE=`/bin/cat /var/ipcop/red/iface 2> /dev/null | /usr/bin/tr -d '{TTEXTO}12'`
fi
if [ -f /var/ipcop/red/device ]; then
DEVICE=`/bin/cat /var/ipcop/red/device 2> /dev/null | /usr/bin/tr -d '{TTEXTO}12'`
fi
iptables_init() {
# Flush all rules and delete all custom chains
/sbin/iptables -F
/sbin/iptables -t nat -F
/sbin/iptables -t mangle -F
/sbin/iptables -X
/sbin/iptables -t nat -X
/sbin/iptables -t mangle -X
# Set up policies
/sbin/iptables -P INPUT DROP
/sbin/iptables -P FORWARD DROP
/sbin/iptables -P OUTPUT ACCEPT
# Empty LOG_DROP and LOG_REJECT chains
#~ /sbin/iptables -N LOG_DROP
#~ /sbin/iptables -A LOG_DROP -m limit --limit 10/minute -j LOG
#~ /sbin/iptables -A LOG_DROP -j DROP
#~ /sbin/iptables -N LOG_REJECT
#~ /sbin/iptables -A LOG_REJECT -m limit --limit 10/minute -j LOG
#~ /sbin/iptables -A LOG_REJECT -j REJECT
# This chain will log, then DROPs packets with certain bad combinations
# of flags might indicate a port-scan attempt (xmas, null, etc)
/sbin/iptables -N PSCAN
/sbin/iptables -A PSCAN -p tcp -m limit --limit 10/minute -j LOG --log-prefix "TCP Scan? "
/sbin/iptables -A PSCAN -p udp -m limit --limit 10/minute -j LOG --log-prefix "UDP Scan? "
/sbin/iptables -A PSCAN -p icmp -m limit --limit 10/minute -j LOG --log-prefix "ICMP Scan? "
/sbin/iptables -A PSCAN -f -m limit --limit 10/minute -j LOG --log-prefix "FRAG Scan? "
/sbin/iptables -A PSCAN -j DROP
# New tcp packets without SYN set - could well be an obscure type of port scan
# that's not covered above, may just be a broken windows machine
/sbin/iptables -N NEWNOTSYN
/sbin/iptables -A NEWNOTSYN -m limit --limit 10/minute -j LOG --log-prefix "NEW not SYN? "
/sbin/iptables -A NEWNOTSYN -j DROP
# Chain to contain all the rules relating to bad TCP flags
/sbin/iptables -N BADTCP
# Disallow packets frequently used by port-scanners
# nmap xmas
/sbin/iptables -A BADTCP -p tcp -m tcp --tcp-flags ALL FIN,URG,PSH -j PSCAN
# Null
/sbin/iptables -A BADTCP -p tcp -m tcp --tcp-flags ALL NONE -j PSCAN
# FIN
/sbin/iptables -A BADTCP -p tcp -m tcp --tcp-flags ALL FIN -j PSCAN
# SYN/RST (also catches xmas variants that set SYN+RST+...)
/sbin/iptables -A BADTCP -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j PSCAN
# SYN/FIN (QueSO or nmap OS probe)
/sbin/iptables -A BADTCP -p tcp -m tcp --tcp-flags SYN,FIN SYN,FIN -j PSCAN
# NEW TCP without SYN
/sbin/iptables -A BADTCP -p tcp -m tcp ! --syn -m conntrack --ctstate NEW -j NEWNOTSYN
/sbin/iptables -A INPUT -j BADTCP
/sbin/iptables -A FORWARD -j BADTCP
}
iptables_red() {
/sbin/iptables -F REDINPUT
/sbin/iptables -t nat -F REDNAT
# TODO: this is not needed for PPPoE, uncertain for PPTP
# # PPPoE / PPTP Device
# if [ "$IFACE" != "" ]; then
# # PPPoE / PPTP
# if [ "$DEVICE" != "" ]; then
# /sbin/iptables -A REDINPUT -i $DEVICE -j ACCEPT
# fi
# if [ 0$RED_COUNT -gt 0 ]; then
# if [ "$RED_1_TYPE" == "PPTP" -o "$RED_1_TYPE" == "PPPOE" ]; then
# /sbin/iptables -A REDINPUT -i $RED_1_DEV -j ACCEPT
# fi
# fi
# fi
# PPTP over DHCP
# owes: this from ppp/settings, may need changing
if [ "$DEVICE" != "" -a "$TYPE" == "PPTP" -a "$METHOD" == "DHCP" ]; then
/sbin/iptables -A REDINPUT -p udp --source-port 67 --destination-port 68 -i $DEVICE -j ACCEPT
fi
if [ "$IFACE" != "" -a -f /var/ipcop/red/active ]; then
# DHCP
if [ 0$RED_COUNT -gt 0 -a "$RED_1_TYPE" == "DHCP" ]; then
/sbin/iptables -A REDINPUT -p udp --source-port 67 --destination-port 68 -i $IFACE -j ACCEPT
fi
# owes: this from ppp/settings, may need changing
if [ "$METHOD" == "DHCP" -a "$PROTOCOL" == "RFC1483" ]; then
/sbin/iptables -A REDINPUT -p udp --source-port 67 --destination-port 68 -i $IFACE -j ACCEPT
fi
# Outgoing masquerading
/sbin/iptables -t nat -A REDNAT -o $IFACE -j MASQUERADE
fi
}
# See how we were called.
case "$1" in
start)
iptables_init
# chains for traffic accounting
/sbin/iptables -N ACCOUNT_INPUT
/sbin/iptables -A INPUT -j ACCOUNT_INPUT
/sbin/iptables -N ACCOUNT_FORWARD_IN
/sbin/iptables -A FORWARD -j ACCOUNT_FORWARD_IN
/sbin/iptables -N ACCOUNT_FORWARD_OUT
/sbin/iptables -A FORWARD -j ACCOUNT_FORWARD_OUT
/sbin/iptables -N ACCOUNT_OUTPUT
/sbin/iptables -A OUTPUT -j ACCOUNT_OUTPUT
# Fix for braindead ISP's
/sbin/iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
# FW_MARK_IPSEC chain, used for marking outgoing (NETKEY) IPsec traffic
/sbin/iptables -N FW_MARK_IPSEC
/sbin/iptables -A FORWARD -j FW_MARK_IPSEC
# CUSTOM chains, can be used by the users themselves
/sbin/iptables -N CUSTOMINPUT
/sbin/iptables -A INPUT -j CUSTOMINPUT
/sbin/iptables -N CUSTOMFORWARD
/sbin/iptables -A FORWARD -j CUSTOMFORWARD
/sbin/iptables -N CUSTOMOUTPUT
/sbin/iptables -A OUTPUT -j CUSTOMOUTPUT
/sbin/iptables -t nat -N CUSTOMPREROUTING
/sbin/iptables -t nat -A PREROUTING -j CUSTOMPREROUTING
/sbin/iptables -t nat -N CUSTOMPOSTROUTING
/sbin/iptables -t nat -A POSTROUTING -j CUSTOMPOSTROUTING
# INPUT chains for GUI entered rules
/sbin/iptables -N FW_ADMIN
/sbin/iptables -A INPUT -j FW_ADMIN
/sbin/iptables -N FW_INPUT
/sbin/iptables -A INPUT -j FW_INPUT
/sbin/iptables -N FW_XTACCESS
/sbin/iptables -A INPUT -j FW_XTACCESS
/sbin/iptables -N FW_IPCOP
/sbin/iptables -A INPUT -j FW_IPCOP
# FORWARD chains for GUI entered rules
/sbin/iptables -N FW_OUTGOING
/sbin/iptables -A FORWARD -j FW_OUTGOING
/sbin/iptables -N FW_IPCOP_FORWARD
/sbin/iptables -A FORWARD -j FW_IPCOP_FORWARD
# Accept everything connected
/sbin/iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
/sbin/iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# localhost and ethernet.
/sbin/iptables -A INPUT -i lo -m conntrack --ctstate NEW -j ACCEPT
/sbin/iptables -A INPUT -s 127.0.0.0/8 -m conntrack --ctstate NEW -j DROP # Loopback not on lo
/sbin/iptables -A INPUT -d 127.0.0.0/8 -m conntrack --ctstate NEW -j DROP
/sbin/iptables -A FORWARD -i lo -m conntrack --ctstate NEW -j ACCEPT
/sbin/iptables -A FORWARD -s 127.0.0.0/8 -m conntrack --ctstate NEW -j DROP
/sbin/iptables -A FORWARD -d 127.0.0.0/8 -m conntrack --ctstate NEW -j DROP
#~ /sbin/iptables -A INPUT -i $GREEN_1_DEV -m conntrack --ctstate NEW -j ACCEPT
#~ /sbin/iptables -A FORWARD -i $GREEN_1_DEV -m conntrack --ctstate NEW -j ACCEPT
# If a host on orange tries to initiate a connection to IPCop's red IP and
# the connection gets DNATed back through a port forward to a server on orange
# we end up with orange -> orange traffic passing through IPCop
[ 0$ORANGE_COUNT -gt 0 ] && /sbin/iptables -A FORWARD -i $ORANGE_1_DEV -o $ORANGE_1_DEV -m conntrack --ctstate NEW -j ACCEPT
#~ # allow DHCP on BLUE to be turned on/off
#~ /sbin/iptables -N DHCPBLUEINPUT
#~ /sbin/iptables -A INPUT -j DHCPBLUEINPUT
# Addressfilter chains
/sbin/iptables -N ADRFILTERINPUT
/sbin/iptables -N ADRFILTERFORWARD
# RED chain, used for the red interface
/sbin/iptables -N REDINPUT
/sbin/iptables -A INPUT -j REDINPUT
/sbin/iptables -t nat -N REDNAT
/sbin/iptables -t nat -A POSTROUTING -j REDNAT
iptables_red
# FW_PINHOLES pinhole chain, used for internal traffic from ORANGE/BLUE/GREEN to ORANGE/BLUE/GREEN
/sbin/iptables -N FW_PINHOLES
# PORTFWACCESS chain, used for portforwarding
/sbin/iptables -N PORTFWACCESS
/sbin/iptables -A FORWARD -m conntrack --ctstate NEW -j PORTFWACCESS
# Custom prerouting chains (for ntp redirect, transparent proxy and port forwarding)
/sbin/iptables -t nat -N NTP
/sbin/iptables -t nat -A PREROUTING -j NTP
/sbin/iptables -t nat -N SQUID
/sbin/iptables -t nat -A PREROUTING -d ! 200.201.174.0/24 -p tcp --dport 80 -j SQUID
#/sbin/iptables -t nat -A PREROUTING -j SQUID
/sbin/iptables -t nat -N PORTFW
/sbin/iptables -t nat -A PREROUTING -j PORTFW
# Custom mangle/nat chains for port forwarding
/sbin/iptables -t mangle -N PORTFWMANGLE
/sbin/iptables -t mangle -A PREROUTING -j PORTFWMANGLE
/sbin/iptables -t nat -N PORTFWNAT
/sbin/iptables -t nat -A POSTROUTING -j PORTFWNAT
#Regras para conectividade social
/sbin/iptables -t nat -I PREROUTING -p tcp -d 200.201.0.0/16 -j ACCEPT
/sbin/iptables -I FORWARD -p tcp -d 200.201.0.0/16 -j ACCEPT
/sbin/iptables -t nat -A PREROUTING -i eth1 -p tcp -d ! 200.201.174.207 --dport 80 -j REDIRECT --to-port 3128
# last rule in input and forward chain is for logging and block.
/sbin/iptables -N FW_LOG
/sbin/iptables -A INPUT -j FW_LOG
/sbin/iptables -A FORWARD -j FW_LOG
# Apply our policies here, updated later in case of red up/down etc.
/usr/local/bin/setfwrules --all
# run local firewall configuration, if present
if [ -x /etc/rc.d/rc.firewall.local ]; then
/etc/rc.d/rc.firewall.local start
fi
#~ /sbin/iptables -A INPUT -m limit --limit 10/minute -j LOG --log-prefix "INPUT "
#~ /sbin/iptables -A FORWARD -m limit --limit 10/minute -j LOG --log-prefix "OUTPUT "
;;
stop)
iptables_init
# Accept everyting connected
/sbin/iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# localhost and ethernet.
/sbin/iptables -A INPUT -i lo -j ACCEPT
/sbin/iptables -A INPUT -i $GREEN_1_DEV -m conntrack --ctstate NEW -j ACCEPT
# run local firewall configuration, if present
if [ -x /etc/rc.d/rc.firewall.local ]; then
/etc/rc.d/rc.firewall.local stop
fi
/sbin/iptables -A INPUT -m limit --limit 10/minute -j LOG --log-prefix "INPUT "
/sbin/iptables -A FORWARD -m limit --limit 10/minute -j LOG --log-prefix "OUTPUT "
;;
reload)
iptables_red
# Update all rules
/usr/local/bin/setfwrules --all
# run local firewall configuration, if present
if [ -x /etc/rc.d/rc.firewall.local ]; then
/etc/rc.d/rc.firewall.local reload
fi
;;
restart)
$0 stop
$0 start
;;
*)
echo "Usage: $0 {start|stop|reload|restart}"
exit 1
;;
esac
exit 0
saitam escreveu:
adicione as regras abaixo no script firewall com Iptables.
iptables -I FORWARD -m string --algo bm --string "youtube.com" -j DROP
iptables -I FORWARD -m string --algo bm --string "facebook.com" -j DROP