Aí está o script. Se vocês tiverem dicas para melhorá-lo, agradeço.
***************************************************************************
#!/bin/bash
#
# Script adaptado por Gabriel Barbosa
# Local para o executavel do IPTables
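# Path to the iptables binary. `command -v` is the portable lookup (the
# original used backticks + `which`); fall back to the Debian location in
# case the script runs with a PATH that lacks /sbin (cron, init). If the
# lookup fails and the fallback is not there either, every `$IPT ...` line
# below silently fails, so callers should check `-x "$IPT"` before relying
# on the ruleset.
IPT=$(command -v iptables 2>/dev/null || echo /sbin/iptables)
# Interface facing the LAN
IF_INTERNA="eth0"
# Interface facing the internet
IF_EXTERNA="eth1"
# LAN address range
REDE_INTERNA="192.168.0.0/24"
# Hosts exempted from the MSN block in fw_start
IP_L1="192.168.0.31"
IP_L2="192.168.0.7"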
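#######################################
# Build the complete ruleset: DROP policies, a terminal BLOCK chain, an MSN
# filtering chain for the LAN, transparent proxy redirect, NAT and the
# externally reachable services.
# Globals:   IPT, IF_INTERNA, IF_EXTERNA, REDE_INTERNA, IP_L1, IP_L2 (read)
# Assumes:   a clean ruleset (`-N BLOCK`/`-N MSN` fail and `-A` duplicates
#            rules when run twice in a row; use `restart`, which calls
#            fw_stop first).
# Returns:   1 without touching anything if $IPT is not executable.
#######################################
fw_start()
{
  local chain mod host pattern

  # Refuse to run with an empty/invalid $IPT: otherwise every rule below
  # silently fails (`-t filter ...` is not a command) while ip_forward is
  # still switched on, leaving the box as an unfiltered router.
  if [ ! -x "$IPT" ]; then
    printf 'fw_start: iptables binary not found (IPT=%s)\n' "$IPT" >&2
    return 1
  fi

  # ================ DEFAULT POLICIES ===================
  # Set the DROP policies *before* enabling forwarding, so there is no
  # window (e.g. during restart, after fw_stop opened everything) in which
  # the kernel forwards under an ACCEPT policy.
  $IPT -t filter -P INPUT DROP
  $IPT -t filter -P FORWARD DROP
  $IPT -t filter -P OUTPUT ACCEPT
  for chain in PREROUTING POSTROUTING OUTPUT; do
    $IPT -t nat -P "$chain" ACCEPT
  done
  for chain in PREROUTING POSTROUTING OUTPUT INPUT FORWARD; do
    $IPT -t mangle -P "$chain" ACCEPT
  done

  # Enable routing between the interfaces and dynamic-address handling.
  echo 1 > /proc/sys/net/ipv4/ip_forward
  echo 1 > /proc/sys/net/ipv4/ip_dynaddr

  # Netfilter modules. These are the legacy ipt_/ip_ names; kernels that use
  # the xt_/nf_ names autoload them when the rules below are inserted, so a
  # modprobe failure here is not fatal (the original did not abort either).
  for mod in ip_tables iptable_filter iptable_nat ip_conntrack ip_conntrack_ftp \
      ip_nat_ftp ipt_MASQUERADE ipt_string ipt_limit ipt_LOG ipt_REJECT; do
    modprobe "$mod"
  done

  # ---- BLOCK: terminal chain for everything not explicitly allowed ----
  $IPT -N BLOCK
  # Replies to connections we initiated or forwarded come first.
  $IPT -A BLOCK -m state --state ESTABLISHED,RELATED -j ACCEPT
  # Ping: answer at most 1/s, drop the rest. (The original dropped every
  # echo-request *before* the rate-limited ACCEPT, so the ACCEPT never ran.)
  $IPT -A BLOCK -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT
  $IPT -A BLOCK -p icmp --icmp-type echo-request -j DROP
  # Intentionally removed from the original:
  #  * `-p tcp -m limit --limit 1/s -j ACCEPT` (and its SYN-only variant)
  #    ACCEPTed one TCP packet per second (burst 5) to *any* port from the
  #    outside, which defeats the DROP policy for slow scans/connections.
  #  * `-m unclean -j DROP`: the match was experimental and is absent on
  #    current kernels, so the rule only failed to load.
  # Log the remainder, rate-limited so a flood cannot fill the disk, then drop.
  $IPT -A BLOCK -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "FW_ALERT: "
  $IPT -A BLOCK -j DROP

  # Mark interactive/latency-sensitive outbound traffic as minimum-delay.
  $IPT -t mangle -A OUTPUT -o "$IF_EXTERNA" -p tcp -m multiport --dports 22,80,6667,443,563 -j TOS --set-tos 0x10

  # Loopback and the whole LAN interface are trusted for local delivery.
  $IPT -t filter -A INPUT -i lo -j ACCEPT
  $IPT -t filter -A INPUT -i "$IF_INTERNA" -j ACCEPT

  # ====== MSN / web-messenger filtering ======
  # One dedicated chain, traversed only by traffic entering from the LAN,
  # instead of the original mix of `-I` (insert) and `-A` (append) rules.
  # In the original the per-host ACCEPTs were appended *after* the "allow
  # everything from the LAN" rule while the DROPs were inserted *before*
  # it, so the DROPs matched first and IP_L1/IP_L2 were never exempted.
  $IPT -N MSN
  # Exempt hosts leave the chain before any pattern is checked.
  for host in "$IP_L1" "$IP_L2"; do
    $IPT -A MSN -s "$host" -j RETURN
  done
  # Native messenger port. Filtering belongs in the filter table: the nat
  # table (where the original put these) only sees the first packet of a
  # connection.
  $IPT -A MSN -p tcp --dport 1863 -j DROP
  $IPT -A MSN -p udp --dport 1863 -j DROP
  # Payload patterns of the web-based clients. Best-effort only: port-80
  # traffic is redirected to the proxy below (so it never reaches FORWARD),
  # and anything inside TLS is invisible to `-m string`.
  for pattern in "gateway.dll" "e-messenger.net" "meebo.com" \
      "messenger.msn.com" "clientless.net" "wbmsn.net" "msn2go.com" \
      "iloveim.com" "info.sytes.net" "chatenabled.mail.google.com" \
      "x-msn-messenger" "messenger.hotmail.com" "loginnet.passport.com" \
      "login.live.com"; do
    $IPT -A MSN -m string --algo bm --string "$pattern" -j DROP
  done
  $IPT -t filter -A FORWARD -i "$IF_INTERNA" -s "$REDE_INTERNA" -j MSN
  # Everything else coming from the LAN may be forwarded.
  $IPT -t filter -A FORWARD -i "$IF_INTERNA" -j ACCEPT

  # Transparent proxy: LAN HTTP goes to the local proxy on 3128.
  $IPT -t nat -A PREROUTING -i "$IF_INTERNA" -p tcp --dport 80 -j REDIRECT --to-port 3128

  # Services reachable from the outside. NOTE: the original comment said
  # "SSH" but the rule also opens 6667 (IRC) on the external interface; it
  # is kept as-is, remove 6667 from the list if nothing listens there.
  $IPT -t filter -A INPUT -i "$IF_EXTERNA" -p tcp -m multiport --dports 22,6667 -j ACCEPT

  # DNS from the LAN (already covered by the blanket LAN ACCEPT above; kept
  # so the intent survives if that rule is ever narrowed).
  $IPT -t filter -A INPUT -i "$IF_INTERNA" -p udp --dport 53 -j ACCEPT

  # NAT for the LAN, restricted to the external interface so only traffic
  # leaving towards the internet is rewritten (the original had no `-o`).
  $IPT -t nat -A POSTROUTING -s "$REDE_INTERNA" -o "$IF_EXTERNA" -j MASQUERADE

  # Example of forwarding a port to a LAN host (disabled).
  #$IPT -t filter -A FORWARD -p tcp -d 0/0 --dport 2222 -j ACCEPT

  # Everything not matched above ends up in BLOCK.
  $IPT -A INPUT -j BLOCK
  $IPT -A FORWARD -j BLOCK
}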
#######################################
# Open the firewall completely: ACCEPT policies in every table, then flush
# all rules, delete user-defined chains and zero the counters.
# NOTE: afterwards the host and the LAN are unfiltered until `start` runs
# again; ip_forward is not touched here.
# Globals:   IPT (read)
#######################################
fw_stop()
{
  local op table chain
  for chain in INPUT FORWARD OUTPUT; do
    $IPT -t filter -P "$chain" ACCEPT
  done
  for chain in PREROUTING POSTROUTING OUTPUT; do
    $IPT -t nat -P "$chain" ACCEPT
  done
  for chain in PREROUTING POSTROUTING OUTPUT INPUT FORWARD; do
    $IPT -t mangle -P "$chain" ACCEPT
  done
  # Same order as before: flush every table, then delete chains, then zero.
  for op in -F -X -Z; do
    for table in filter nat mangle; do
      $IPT -t "$table" "$op"
    done
  done
}
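#######################################
# Print the accepted sub-commands to stdout (the dispatcher at the bottom
# calls this for any unknown argument). Fixes the typo "contatores" ->
# "contadores" in the `clear` description.
# Globals:   $0 (script name)
#######################################
fw_usage()
{
  cat <<EOF

$0 (start | stop | restart | clear)

start - Ativa o firewall
stop - Desativa o firewall
restart - Reativa o firewall
clear - Limpa os contadores
EOF
}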
#######################################
# Zero the packet/byte counters in every table; rules and policies are
# left untouched.
# Globals:   IPT (read)
#######################################
fw_clear()
{
  local table
  for table in filter nat mangle; do
    $IPT -t "$table" -Z
  done
}
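# Command dispatcher. An unknown (or missing) sub-command prints the usage
# and exits non-zero; the original exited 0 in that case, so an init script
# could not tell a typo from a successful run. The exit status of a valid
# sub-command is that of the last fw_* call.
case "${1:-}" in
  start)
    fw_start
    ;;
  stop)
    fw_stop
    ;;
  restart)
    fw_stop
    fw_start
    ;;
  clear)
    fw_clear
    ;;
  *)
    fw_usage
    exit 1
    ;;
esac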