Blocking by MAC
by
on 22-09-2009 at 11:53 (8434 views)
This script manages access to the external network and blocks any MAC address that has not been registered in the address list.
Below is the script, which should be called in the first lines of the firewall.
############################# mac.sh #############################
#!/bin/sh -x
### Variables ###
IPTABLES=/sbin/iptables
MACLIST="/etc"   # location of the "maclist" file shown below
# Each line of the list has the form "status;ip;mac"
for i in $(cat "$MACLIST");
do
STATUS=$(echo "$i" | cut -d ';' -f1)
IPSOURCE=$(echo "$i" | cut -d ';' -f2)
MACSOURCE=$(echo "$i" | cut -d ';' -f3)
# If status = a, iptables allows the connection through these rules built in the filter table.
if [ "$STATUS" = "a" ]; then
$IPTABLES -t filter -A FORWARD -s "$IPSOURCE" -m mac --mac-source "$MACSOURCE" -j ACCEPT
$IPTABLES -t filter -A FORWARD -d "$IPSOURCE" -j ACCEPT
$IPTABLES -t filter -A INPUT -s "$IPSOURCE" -m mac --mac-source "$MACSOURCE" -j ACCEPT
$IPTABLES -t filter -A OUTPUT -s "$IPSOURCE" -j ACCEPT
$IPTABLES -t filter -A OUTPUT -d "$IPSOURCE" -j ACCEPT
# If status = b, block the MAC; these commands only run when STATUS is not "a".
elif [ "$STATUS" = "b" ]; then
$IPTABLES -t filter -A FORWARD -m mac --mac-source "$MACSOURCE" -j DROP
$IPTABLES -t filter -A INPUT -m mac --mac-source "$MACSOURCE" -j DROP
# The mac match is only valid in the PREROUTING, FORWARD and INPUT chains (outgoing
# packets carry no source MAC to match), so OUTPUT is blocked by address below.
$IPTABLES -t filter -I INPUT -s "$IPSOURCE" -j DROP
$IPTABLES -t filter -I FORWARD -s "$IPSOURCE" -j DROP
$IPTABLES -t filter -I FORWARD -d "$IPSOURCE" -j DROP
$IPTABLES -t filter -I OUTPUT -d "$IPSOURCE" -j DROP
# If status is neither "a" nor "b", block all IPs that are not in use.
else
$IPTABLES -t filter -I INPUT -s "$IPSOURCE" -j DROP
$IPTABLES -t filter -I FORWARD -s "$IPSOURCE" -j DROP
$IPTABLES -t filter -I FORWARD -d "$IPSOURCE" -j DROP
$IPTABLES -t filter -I OUTPUT -d "$IPSOURCE" -j DROP
fi
done
############################# mac.sh #############################
Below is the "maclist" file containing the status, IP and MAC of each host.
############################ maclist ##############################
a;192.168.0.1;00:xx:91:xx:E9:xx
a;192.168.0.2;xx:11:xx:80:xx:8C
b;192.168.0.3;00:xx:xx:52:xx:xx
############################ maclist ##############################
# Do not forget to disable the rule that opens a whole address range of the local network.
# Example:
# iptables -A INPUT -s 192.168.0.0/255.255.255.0 -j ACCEPT
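A malformed "status;ip;mac" line would be fed straight into iptables by the script above. The following added example (not the original post's code) validates each entry of a list constructed inline, with placeholder IPs and MACs, and prints the resulting rules as a dry run instead of loading them:

```shell
#!/bin/sh
# Added example: validate maclist entries and emit the iptables rules as a dry run.
# SAMPLE_LIST is constructed for this example; addresses are placeholders.
SAMPLE_LIST='a;192.168.0.1;00:11:22:33:44:55
a;192.168.0.2;aa:bb:cc:dd:ee:ff
b;192.168.0.3;00:11:22:33:44:66
a;not-an-ip;00:11:22:33:44:77
a;192.168.0.5;00:xx:91:xx:E9:xx'

# valid_ipv4: four dotted decimal octets, each between 0 and 255
valid_ipv4() {
    echo "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    old_ifs=$IFS; IFS=.
    for o in $1; do [ "$o" -le 255 ] || { IFS=$old_ifs; return 1; }; done
    IFS=$old_ifs
}

# valid_mac: six colon-separated hex byte pairs, any case
valid_mac() { echo "$1" | grep -Eiq '^([0-9a-f]{2}:){5}[0-9a-f]{2}$'; }

# build_rules: read "status;ip;mac" lines on stdin, print the iptables command
# lines for well-formed entries and report malformed ones on stderr.
# Returns 1 if any entry was rejected, so a bad list never reaches the firewall.
build_rules() {
    bad=0
    while IFS=';' read -r status ip mac; do
        [ -n "$status" ] || continue
        if ! valid_ipv4 "$ip" || ! valid_mac "$mac"; then
            echo "rejected: $status;$ip;$mac" >&2; bad=1; continue
        fi
        case $status in
          a) echo "iptables -A FORWARD -s $ip -m mac --mac-source $mac -j ACCEPT"
             echo "iptables -A INPUT -s $ip -m mac --mac-source $mac -j ACCEPT" ;;
          b) echo "iptables -I FORWARD -m mac --mac-source $mac -j DROP"
             echo "iptables -I INPUT -m mac --mac-source $mac -j DROP" ;;
          *) echo "rejected: unknown status '$status'" >&2; bad=1 ;;
        esac
    done
    return $bad
}

# count_rules: number of rule lines produced for SAMPLE_LIST (6: two per valid entry)
count_rules() { printf '%s\n' "$SAMPLE_LIST" | build_rules 2>/dev/null | wc -l | tr -d ' '; }
```

Pipe the real list through `build_rules` and only apply its output once it exits 0.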