Maldita porta 443 que nao bloqueia [RESOLVIDO]
1. Maldita porta 443 que nao bloqueia [RESOLVIDO]
rdnet
(usa Debian)
Enviado em 04/01/2017 - 11:43h
Pessoal, nao sei mais o que fazer... nao consigo bloquear acesso de um grupo de ips ou ate mesmo um especifico aos sites do youtube facebook e outros que tem https.... posto meu iptables para verificação caso alguem possa me ajudar a encontrar o que esta errado.
#ETH0 - IP Interno
#ETH1 - IP Valido
#ETH2 - IP Wan
#-- Limpa regras
iptables -t filter -F
iptables -t nat -F
#-- Carrega Modulos
modprobe iptable_nat
modprobe ip_conntrack_ftp
modprobe ip_nat_ftp
modprobe ipt_LOG
modprobe ipt_MASQUERADE
modprobe ipt_multiport
modprobe iptable_mangle
modprobe ipt_tos
modprobe ipt_limit
modprobe ipt_mark
modprobe ipt_MARK
modprobe ipt_string
#-- Politicas das tabelas
# Tabela filter
iptables -t filter -P INPUT DROP
iptables -t filter -P OUTPUT ACCEPT
iptables -t filter -P FORWARD ACCEPT
# Tablea nat
iptables -t nat -P PREROUTING ACCEPT
iptables -t nat -P OUTPUT ACCEPT
iptables -t nat -P POSTROUTING ACCEPT
# Tabela mangle
iptables -t mangle -P PREROUTING ACCEPT
iptables -t mangle -P POSTROUTING ACCEPT
iptables -t mangle -P OUTPUT ACCEPT
iptables -t mangle -P INPUT ACCEPT
iptables -t mangle -P FORWARD ACCEPT
#-- Definicao das regras
# Regras Gerais
iptables -A INPUT -s 127.0.0.1 -j ACCEPT
iptables -A INPUT -i lo -j ACCEPT # liberar pacotes loopback
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT # libera conecoes de originadas pelo firewall PARA REDE LOCAL
iptables -A INPUT -p icmp --icmp-type 8 -j ACCEPT # liberar ping
iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT # aceita conecexoes estabelecidas
iptables -I FORWARD -j ACCEPT -i eth2
iptables -I FORWARD -j ACCEPT -o eth2
# Redirecionamentos
iptables -A INPUT -p tcp --destination-port 2299 -j ACCEPT #externo servidor ssh
iptables -A INPUT -i eth0 -p tcp --destination-port 10000 -j ACCEPT # webmin
iptables -A INPUT -i eth0 -p tcp --destination-port 80 -j ACCEPT # web
iptables -A INPUT -i eth0 -p tcp --destination-port 3128 -j ACCEPT # web
#-- IPS fora do squid
iptables -t nat -A PREROUTING -s 192.168.100.81 -j ACCEPT #dvr
iptables -t nat -A PREROUTING -s 192.168.100.82 -j ACCEPT #dvr
iptables -t nat -A PREROUTING -s 192.168.100.83 -j ACCEPT #dvr
#iptables -t nat -A PREROUTING -m iprange --src-range 192.168.100.80-192.168.100.89 -j ACCEPT #IPS DIRETORES
###########################
#-- NHACA QUE NAO FUNCIONA
#iptables -A FORWARD -s 192.168.100.118 -p tcp --dport 443 --sport 443 -j DROP
#iptables -A FORWARD -d 192.168.100.118 -p tcp --dport 443 --sport 443 -j DROP
iptables -I FORWARD -s 192.168.100.118 -p tcp --dport 443 --sport 443 -j DROP
iptables -I FORWARD -d 192.168.100.118 -p tcp --dport 443 --sport 443 -j DROP
iptables -I FORWARD -p tcp --dport 443 -m string --algo bm --string "wikipedia.org" -m iprange --src-range 192.168.100.30-192.168.100.34 -j DROP
iptables -I FORWARD -p tcp --dport 443 -m string --algo bm --string "youtube.com" -m iprange --src-range 192.168.100.30-192.168.100.34 -j DROP
iptables -I FORWARD -p tcp --dport 443 -m string --algo bm --string "gmail.com" -m iprange --src-range 192.168.100.30-192.168.100.34 -j DROP
iptables -I FORWARD -p tcp --dport 443 -m string --algo bm --string "facebook.com" -m iprange --src-range 192.168.100.30-192.168.100.34 -j DROP
iptables -I FORWARD -p tcp --dport 443 -m string --algo bm --string "whatsapp.com" -m iprange --src-range 192.168.100.30-192.168.100.34 -j DROP
iptables -I FORWARD -p tcp --dport 443 -m string --algo bm --string "viawebradio" -m iprange --src-range 192.168.100.30-192.168.100.34 -j DROP
iptables -I FORWARD -p tcp --dport 443 -m string --algo bm --string "radiouniversitaria" -m iprange --src-range 192.168.100.30-192.168.100.34 -j DROP
# Redirecionamento para squid
iptables -t nat -A PREROUTING -s 192.168.100.0/24 -p tcp --dport 80 -j REDIRECT --to-port 3128
iptables -t nat -A POSTROUTING -s 192.168.100.0/24 -o eth1 -j MASQUERADE
echo 1 > /proc/sys/net/ipv4/ip_forward