Bloqueio de Facebook e youtube no IPCOP

gijunior
(usa Outra)

Enviado em 19/09/2014 - 09:34h

Bom dia caro amigos, gostaria de uma ajuda como faço para bloquear o facebook e youtube no ipcop que seja https.. No ipcop onde adiciono as informações *.sh para executar o script automaticamente tb.

Já tem algum script pronto que posso usar tipo para contabilidade que usa muito caixa, sefip etc...

saitam
(usa Slackware)

Enviado em 19/09/2014 - 10:45h

adicione as regras abaixo no script firewall com Iptables.

iptables -I FORWARD -m string --algo bm --string "youtube.com" -j DROP



iptables -I FORWARD -m string --algo bm --string "facebook.com" -j DROP

 

gijunior
(usa Outra)

Enviado em 19/09/2014 - 10:49h

Como faço isto e onde coloco esta informação? e em que parte do ipcop?

No rc.firewall vem assim conforme abaixo,


#!/bin/sh
#
# This file is part of the IPCop Firewall.
#
# IPCop is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2 of the License, or
# (at your option) any later version.
#
# IPCop is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with IPCop. If not, see <http://www.gnu.org/licenses/>.
#
# (c) 2001-2012, the IPCop team
#
# $Id: rc.firewall 6828 2012-11-03 10:59:39Z owes $
#

eval $(/usr/local/bin/readhash /var/ipcop/ppp/settings)
eval $(/usr/local/bin/readhash /var/ipcop/ethernet/settings)
if [ -f /var/ipcop/red/iface ]; then
IFACE=`/bin/cat /var/ipcop/red/iface 2> /dev/null | /usr/bin/tr -d '{TTEXTO}12'`
fi
if [ -f /var/ipcop/red/device ]; then
DEVICE=`/bin/cat /var/ipcop/red/device 2> /dev/null | /usr/bin/tr -d '{TTEXTO}12'`
fi

iptables_init() {
# Flush all rules and delete all custom chains
/sbin/iptables -F
/sbin/iptables -t nat -F
/sbin/iptables -t mangle -F
/sbin/iptables -X
/sbin/iptables -t nat -X
/sbin/iptables -t mangle -X

# Set up policies
/sbin/iptables -P INPUT DROP
/sbin/iptables -P FORWARD DROP
/sbin/iptables -P OUTPUT ACCEPT

# Empty LOG_DROP and LOG_REJECT chains
#~ /sbin/iptables -N LOG_DROP
#~ /sbin/iptables -A LOG_DROP -m limit --limit 10/minute -j LOG
#~ /sbin/iptables -A LOG_DROP -j DROP
#~ /sbin/iptables -N LOG_REJECT
#~ /sbin/iptables -A LOG_REJECT -m limit --limit 10/minute -j LOG
#~ /sbin/iptables -A LOG_REJECT -j REJECT

# This chain will log, then DROPs packets with certain bad combinations
# of flags might indicate a port-scan attempt (xmas, null, etc)
/sbin/iptables -N PSCAN
/sbin/iptables -A PSCAN -p tcp -m limit --limit 10/minute -j LOG --log-prefix "TCP Scan? "
/sbin/iptables -A PSCAN -p udp -m limit --limit 10/minute -j LOG --log-prefix "UDP Scan? "
/sbin/iptables -A PSCAN -p icmp -m limit --limit 10/minute -j LOG --log-prefix "ICMP Scan? "
/sbin/iptables -A PSCAN -f -m limit --limit 10/minute -j LOG --log-prefix "FRAG Scan? "
/sbin/iptables -A PSCAN -j DROP

# New tcp packets without SYN set - could well be an obscure type of port scan
# that's not covered above, may just be a broken windows machine
/sbin/iptables -N NEWNOTSYN
/sbin/iptables -A NEWNOTSYN -m limit --limit 10/minute -j LOG --log-prefix "NEW not SYN? "
/sbin/iptables -A NEWNOTSYN -j DROP

# Chain to contain all the rules relating to bad TCP flags
/sbin/iptables -N BADTCP

# Disallow packets frequently used by port-scanners
# nmap xmas
/sbin/iptables -A BADTCP -p tcp -m tcp --tcp-flags ALL FIN,URG,PSH -j PSCAN
# Null
/sbin/iptables -A BADTCP -p tcp -m tcp --tcp-flags ALL NONE -j PSCAN
# FIN
/sbin/iptables -A BADTCP -p tcp -m tcp --tcp-flags ALL FIN -j PSCAN
# SYN/RST (also catches xmas variants that set SYN+RST+...)
/sbin/iptables -A BADTCP -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j PSCAN
# SYN/FIN (QueSO or nmap OS probe)
/sbin/iptables -A BADTCP -p tcp -m tcp --tcp-flags SYN,FIN SYN,FIN -j PSCAN
# NEW TCP without SYN
/sbin/iptables -A BADTCP -p tcp -m tcp ! --syn -m conntrack --ctstate NEW -j NEWNOTSYN

/sbin/iptables -A INPUT -j BADTCP
/sbin/iptables -A FORWARD -j BADTCP

}

iptables_red() {
/sbin/iptables -F REDINPUT
/sbin/iptables -t nat -F REDNAT

# TODO: this is not needed for PPPoE, uncertain for PPTP
# # PPPoE / PPTP Device
# if [ "$IFACE" != "" ]; then
# # PPPoE / PPTP
# if [ "$DEVICE" != "" ]; then
# /sbin/iptables -A REDINPUT -i $DEVICE -j ACCEPT
# fi
# if [ 0$RED_COUNT -gt 0 ]; then
# if [ "$RED_1_TYPE" == "PPTP" -o "$RED_1_TYPE" == "PPPOE" ]; then
# /sbin/iptables -A REDINPUT -i $RED_1_DEV -j ACCEPT
# fi
# fi
# fi

# PPTP over DHCP
# owes: this from ppp/settings, may need changing
if [ "$DEVICE" != "" -a "$TYPE" == "PPTP" -a "$METHOD" == "DHCP" ]; then
/sbin/iptables -A REDINPUT -p udp --source-port 67 --destination-port 68 -i $DEVICE -j ACCEPT
fi

if [ "$IFACE" != "" -a -f /var/ipcop/red/active ]; then
# DHCP
if [ 0$RED_COUNT -gt 0 -a "$RED_1_TYPE" == "DHCP" ]; then
/sbin/iptables -A REDINPUT -p udp --source-port 67 --destination-port 68 -i $IFACE -j ACCEPT
fi
# owes: this from ppp/settings, may need changing
if [ "$METHOD" == "DHCP" -a "$PROTOCOL" == "RFC1483" ]; then
/sbin/iptables -A REDINPUT -p udp --source-port 67 --destination-port 68 -i $IFACE -j ACCEPT
fi

# Outgoing masquerading
/sbin/iptables -t nat -A REDNAT -o $IFACE -j MASQUERADE
fi
}

# See how we were called.
case "$1" in
start)
iptables_init

# chains for traffic accounting
/sbin/iptables -N ACCOUNT_INPUT
/sbin/iptables -A INPUT -j ACCOUNT_INPUT
/sbin/iptables -N ACCOUNT_FORWARD_IN
/sbin/iptables -A FORWARD -j ACCOUNT_FORWARD_IN
/sbin/iptables -N ACCOUNT_FORWARD_OUT
/sbin/iptables -A FORWARD -j ACCOUNT_FORWARD_OUT
/sbin/iptables -N ACCOUNT_OUTPUT
/sbin/iptables -A OUTPUT -j ACCOUNT_OUTPUT

# Fix for braindead ISP's
/sbin/iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu

# FW_MARK_IPSEC chain, used for marking outgoing (NETKEY) IPsec traffic
/sbin/iptables -N FW_MARK_IPSEC
/sbin/iptables -A FORWARD -j FW_MARK_IPSEC

# CUSTOM chains, can be used by the users themselves
/sbin/iptables -N CUSTOMINPUT
/sbin/iptables -A INPUT -j CUSTOMINPUT
/sbin/iptables -N CUSTOMFORWARD
/sbin/iptables -A FORWARD -j CUSTOMFORWARD
/sbin/iptables -N CUSTOMOUTPUT
/sbin/iptables -A OUTPUT -j CUSTOMOUTPUT
/sbin/iptables -t nat -N CUSTOMPREROUTING
/sbin/iptables -t nat -A PREROUTING -j CUSTOMPREROUTING
/sbin/iptables -t nat -N CUSTOMPOSTROUTING
/sbin/iptables -t nat -A POSTROUTING -j CUSTOMPOSTROUTING

# INPUT chains for GUI entered rules
/sbin/iptables -N FW_ADMIN
/sbin/iptables -A INPUT -j FW_ADMIN
/sbin/iptables -N FW_INPUT
/sbin/iptables -A INPUT -j FW_INPUT
/sbin/iptables -N FW_XTACCESS
/sbin/iptables -A INPUT -j FW_XTACCESS
/sbin/iptables -N FW_IPCOP
/sbin/iptables -A INPUT -j FW_IPCOP
# FORWARD chains for GUI entered rules
/sbin/iptables -N FW_OUTGOING
/sbin/iptables -A FORWARD -j FW_OUTGOING
/sbin/iptables -N FW_IPCOP_FORWARD
/sbin/iptables -A FORWARD -j FW_IPCOP_FORWARD

# Accept everything connected
/sbin/iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
/sbin/iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

# localhost and ethernet.
/sbin/iptables -A INPUT -i lo -m conntrack --ctstate NEW -j ACCEPT
/sbin/iptables -A INPUT -s 127.0.0.0/8 -m conntrack --ctstate NEW -j DROP # Loopback not on lo
/sbin/iptables -A INPUT -d 127.0.0.0/8 -m conntrack --ctstate NEW -j DROP
/sbin/iptables -A FORWARD -i lo -m conntrack --ctstate NEW -j ACCEPT
/sbin/iptables -A FORWARD -s 127.0.0.0/8 -m conntrack --ctstate NEW -j DROP
/sbin/iptables -A FORWARD -d 127.0.0.0/8 -m conntrack --ctstate NEW -j DROP
#~ /sbin/iptables -A INPUT -i $GREEN_1_DEV -m conntrack --ctstate NEW -j ACCEPT
#~ /sbin/iptables -A FORWARD -i $GREEN_1_DEV -m conntrack --ctstate NEW -j ACCEPT

# If a host on orange tries to initiate a connection to IPCop's red IP and
# the connection gets DNATed back through a port forward to a server on orange
# we end up with orange -> orange traffic passing through IPCop
[ 0$ORANGE_COUNT -gt 0 ] && /sbin/iptables -A FORWARD -i $ORANGE_1_DEV -o $ORANGE_1_DEV -m conntrack --ctstate NEW -j ACCEPT

#~ # allow DHCP on BLUE to be turned on/off
#~ /sbin/iptables -N DHCPBLUEINPUT
#~ /sbin/iptables -A INPUT -j DHCPBLUEINPUT

# Addressfilter chains
/sbin/iptables -N ADRFILTERINPUT
/sbin/iptables -N ADRFILTERFORWARD

# RED chain, used for the red interface
/sbin/iptables -N REDINPUT
/sbin/iptables -A INPUT -j REDINPUT
/sbin/iptables -t nat -N REDNAT
/sbin/iptables -t nat -A POSTROUTING -j REDNAT

iptables_red

# FW_PINHOLES pinhole chain, used for internal traffic from ORANGE/BLUE/GREEN to ORANGE/BLUE/GREEN
/sbin/iptables -N FW_PINHOLES

# PORTFWACCESS chain, used for portforwarding
/sbin/iptables -N PORTFWACCESS
/sbin/iptables -A FORWARD -m conntrack --ctstate NEW -j PORTFWACCESS

# Custom prerouting chains (for ntp redirect, transparent proxy and port forwarding)
/sbin/iptables -t nat -N NTP
/sbin/iptables -t nat -A PREROUTING -j NTP
/sbin/iptables -t nat -N SQUID
/sbin/iptables -t nat -A PREROUTING -d ! 200.201.174.0/24 -p tcp --dport 80 -j SQUID
#/sbin/iptables -t nat -A PREROUTING -j SQUID
/sbin/iptables -t nat -N PORTFW
/sbin/iptables -t nat -A PREROUTING -j PORTFW

# Custom mangle/nat chains for port forwarding
/sbin/iptables -t mangle -N PORTFWMANGLE
/sbin/iptables -t mangle -A PREROUTING -j PORTFWMANGLE
/sbin/iptables -t nat -N PORTFWNAT
/sbin/iptables -t nat -A POSTROUTING -j PORTFWNAT

#Regras para conectividade social

/sbin/iptables -t nat -I PREROUTING -p tcp -d 200.201.0.0/16 -j ACCEPT
/sbin/iptables -I FORWARD -p tcp -d 200.201.0.0/16 -j ACCEPT
/sbin/iptables -t nat -A PREROUTING -i eth1 -p tcp -d ! 200.201.174.207 --dport 80 -j REDIRECT --to-port 3128


# last rule in input and forward chain is for logging and block.
/sbin/iptables -N FW_LOG
/sbin/iptables -A INPUT -j FW_LOG
/sbin/iptables -A FORWARD -j FW_LOG

# Apply our policies here, updated later in case of red up/down etc.
/usr/local/bin/setfwrules --all

# run local firewall configuration, if present
if [ -x /etc/rc.d/rc.firewall.local ]; then
/etc/rc.d/rc.firewall.local start
fi

#~ /sbin/iptables -A INPUT -m limit --limit 10/minute -j LOG --log-prefix "INPUT "
#~ /sbin/iptables -A FORWARD -m limit --limit 10/minute -j LOG --log-prefix "OUTPUT "

;;
stop)
iptables_init
# Accept everyting connected
/sbin/iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

# localhost and ethernet.
/sbin/iptables -A INPUT -i lo -j ACCEPT
/sbin/iptables -A INPUT -i $GREEN_1_DEV -m conntrack --ctstate NEW -j ACCEPT

# run local firewall configuration, if present
if [ -x /etc/rc.d/rc.firewall.local ]; then
/etc/rc.d/rc.firewall.local stop
fi

/sbin/iptables -A INPUT -m limit --limit 10/minute -j LOG --log-prefix "INPUT "
/sbin/iptables -A FORWARD -m limit --limit 10/minute -j LOG --log-prefix "OUTPUT "
;;
reload)
iptables_red

# Update all rules
/usr/local/bin/setfwrules --all

# run local firewall configuration, if present
if [ -x /etc/rc.d/rc.firewall.local ]; then
/etc/rc.d/rc.firewall.local reload
fi
;;
restart)
$0 stop
$0 start
;;
*)
echo "Usage: $0 {start|stop|reload|restart}"
exit 1
;;
esac

exit 0

jjrcoast
(usa CentOS)

Enviado em 07/04/2015 - 17:57h

Olá a todos, sou José e novato na área, peguei scritps e tentei adapta-los à minha necessidade, ocorre o seguinte: minha rede tem clientes DHCP de .20 a .99 daí quero que os clientes .100 ao .135 possam acessar as redes sociais, tentei o seguinte:

#!/bin/bash
#SOCIAL dropper adapted by _Joe

modprobe ipt_string

CHEFE="192.168.10.100 192.168.10.101 192.168.10.102 192.168.10.103 192.168.10.104 192.168.10.105 192.168.10.106 192.168.10.107 192.168.10.108 192.168.10.109 192.168.10.110 192.168.10.111 192.168.10.112 192.168.10.113 192.168.10.114 192.168.10.115 192.168.10.116 192.168.10.117 192.168.10.118 192.168.10.119 192.168.10.120 192.168.10.121 192.168.10.122 192.168.10.123 192.168.10.124 192.168.10.125 192.168.10.126 192.168.10.127 192.168.10.128 192.168.10.129 192.168.10.130 192.168.10.131 192.168.10.132 192.168.10.133 192.168.10.134 192.168.10.135"

iptables -N SOCIAL
iptables -I FORWARD -p tcp -m iprange --dst-range 66.220.0.0-66.220.255.255 --dport 443 -j SOCIAL
iptables -I FORWARD -p tcp -m iprange --dst-range 69.63.0.0-69.63.255.255 --dport 443 -j SOCIAL
iptables -I FORWARD -p tcp -m iprange --dst-range 204.15.0.0-204.15.255.255 --dport 443 -j SOCIAL
iptables -I FORWARD -p tcp -m iprange --dst-range 204.74.0.0-204.74.255.255 --dport 443 -j SOCIAL
iptables -I FORWARD -p tcp -m iprange --dst-range 173.252.0.0-173.252.255.255 --dport 443 -j SOCIAL
iptables -I FORWARD -p tcp -m iprange --dst-range 69.171.0.0-69.171.255.255 --dport 443 -j SOCIAL
iptables -I FORWARD -p tcp -m iprange --dst-range 31.13.0.0-31.13.255.255 --dport 443 -j SOCIAL
iptables -I FORWARD -p tcp -m iprange --dst-range 179.184.10.0-179.184.10.255 --dport 443 -j SOCIAL
iptables -I OUTPUT -m string --algo bm --string "youtube.com" -j SOCIAL
iptables -I FORWARD -m string --algo bm --string "youtube.com" -j SOCIAL

for face in $CHEFE;
do
iptables -I SOCIAL -s $face -j ACCEPT
done
iptables -A SOCIAL -j REJECT

Mas ocorre o seguinte:
1 - O Facebook bloqueia legal para clientes fora dessa faixa (pois estou bloqueando pelo IP do face
2 - O youtube bloqueia geral e interfere no funcionamento do google, mesmo usando --string (se eu usar o ip do youtube para tambem o google, essencial para pesquisas tipo "consultar cpf", etc...)
Como enxugar esse script e fazer com que ele funcione do jeito que eu quero?

Uso o ipcop 2.1.9

Obrigado pelo espaço.