Postado originalmente por
Submundo
Segue a baixo o firewall que tem como objetivo amarrar ip com mac, mas infelizmente não está funciona.
Exemplo arquivo mac
x;MAC;IP;CLENTE
x=accept
y=drop
#!/bin/sh
IPT=/usr/sbin/iptables
MACLIST="/etc/mac"
PROGRAMA=/etc/rc.firewall
NET_IFACE0=eth0
NET_IFACE2=eth2
NET_IFACE3=eth3
LAN_IFACE=eth1
CLASSE=192.168.254.0/24
echo -n "Carregando os modulos..."
modprobe ipt_REJECT
modprobe ip_tables
modprobe ipt_state
modprobe ip_conntrack
modprobe ip_conntrack_ftp
modprobe ip_nat_ftp
modprobe iptable_nat
modprobe iptable_filter
modprobe iptable_mangle
modprobe ipt_MASQUERADE
modprobe ipt_p2p
modprobe ipt_unclean
modprobe ipt_LOG
#modprobe ipt_recent
echo " [OK]"
case $1 in
start)
$IPT -F
$IPT -X
$IPT -F -t nat
$IPT -X -t nat
$IPT -F -t filter
$IPT -X -t filter
$IPT -t mangle -F
$IPT -t mangle -X
$IPT -P INPUT DROP
$IPT -P FORWARD DROP
$IPT -P OUTPUT ACCEPT
echo -n "Liberando acesso do localhost..."
$IPT -A INPUT -p ALL -s 127.0.0.1 -i lo -j ACCEPT
$IPT -A INPUT -p tcp --dport 2227 -j ACCEPT
echo -n "Otimizando o roteamento..."
$IPT -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
echo " [OK]"
for i in `cat $MACLIST`; do
MACSOURCE=`echo $i | cut -d ';' -f 2`
IPSOURCE=`echo $i | cut -d ';' -f 3`
STATUS=`echo $i | cut -d ';' -f 1`
if [ $STATUS = "x" ]; then
$IPT -t filter -A FORWARD -d 0/0 -s $IPSOURCE -m mac --mac-source $MACSOURCE -j ACCEPT
$IPT -t filter -A FORWARD -d $IPSOURCE -s 0/0 -j ACCEPT
$IPT -t nat -A POSTROUTING -s $IPSOURCE -o $NET_IFACE0 -j MASQUERADE
$IPT -t nat -A POSTROUTING -s $IPSOURCE -o $NET_IFACE2 -j MASQUERADE
#$IPT -t nat -A POSTROUTING -s $IPSOURCE -o $NET_IFACE3 -j MASQUERADE
$IPT -t nat -A PREROUTING -p tcp -s $IPSOURCE -m mac --mac-source $MACSOURCE --dport 80 -j REDIRECT --to-port 3128
$IPT -t filter -A INPUT -m mac --mac-source $MACSOURCE -s $IPSOURCE -j ACCEPT
#$IPT -t nat -A POSTROUTING -s $IPSOURCE -o $LAN_IFACE -j MASQUERADE
$IPT -A INPUT -i $LAN_IFACE -s $IPSOURCE -p tcp --dport 3128 -j ACCEPT
# Libera todas as portas
$IPT -A INPUT -p tcp -s $IPSOURCE -j ACCEPT
else
$IPT -t filter -A FORWARD -m mac --mac-source $MACSOURCE -j DROP
$IPT -t filter -A INPUT -m mac --mac-source $MACSOURCE -s $IPSOURCE -j DROP
$IPT -t filter -A OUTPUT -s $IPSOURCE -j DROP
fi
done
echo " [OK]"
$IPT -A INPUT -s 192.168.254.0/24 -j DROP
# Abilitando repasse entre as interfaces
echo 1 > /proc/sys/net/ipv4/ip_forward
# Protege contra synflood
echo "1" > /proc/sys/net/ipv4/tcp_syncookies
# Proteção contra ICMP Broadcasting
echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
# Ignora pings
echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_all
# Bloqueia traceroute
$IPT -A INPUT -p udp --dport 33435:33525 -j DROP
# Proteções diversas contra portscanners, ping of death, ataques DoS, etc.
$IPT -A INPUT -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT
$IPT -A FORWARD -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT
$IPT -A FORWARD -p tcp -m limit --limit 1/s -j ACCEPT
$IPT -A FORWARD -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit 1/s -j ACCEPT
$IPT -A FORWARD --protocol tcp --tcp-flags ALL SYN,ACK -j DROP
$IPT -A FORWARD -m unclean -j DROP
$IPT -N VALID_CHECK
$IPT -A VALID_CHECK -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP
$IPT -A VALID_CHECK -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP
$IPT -A VALID_CHECK -p tcp --tcp-flags ALL ALL -j DROP
$IPT -A VALID_CHECK -p tcp --tcp-flags ALL FIN -j DROP
$IPT -A VALID_CHECK -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
$IPT -A VALID_CHECK -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
$IPT -A VALID_CHECK -p tcp --tcp-flags ALL NONE -j DROP
# Regras para saida e entrada
$IPT -A OUTPUT -p udp --dport 137:139 -j DROP
$IPT -A OUTPUT -p udp --sport 137:139 -j DROP
$IPT -A OUTPUT -p udp --dport 445 -j DROP
# Liberaçao de portas para rede interna
$IPT -A FORWARD -o $NET_IFACE0 -m multiport -p tcp --dport 80,8080,53,25,110,119,1863,443,2631,7171,6900,44405,3742,20
00,27030 -j ACCEPT
$IPT -A FORWARD -o $NET_IFACE2 -m multiport -p tcp --dport 80,8080,53,25,110,119,1863,443,2631,7171,6900,44405,3742,2000,27030
-j ACCEPT
$IPT -A FORWARD -o $NET_IFACE3 -m multiport -p tcp --dport 80,8080,53,25,110,119,1863,443,2631,7171,6900,44405,3742,2000,27030
-j ACCEPT
$IPT -A FORWARD -o $NET_IFACE0 -m multiport -p tcp --dport 55901,6112,7456,3456 -j ACCEPT
$IPT -A FORWARD -o $NET_IFACE2 -m multiport -p tcp --dport 55901,6112,7456,3456 -j ACCEPT
$IPT -A FORWARD -o $NET_IFACE3 -m multiport -p tcp --dport 55901,6112,7456,3456 -j ACCEPT
$IPT -A FORWARD -o $NET_IFACE0 -m multiport -p udp --dport 53,1036,1032,1140,1151,2857 -j ACCEPT
$IPT -A FORWARD -o $NET_IFACE2 -m multiport -p udp --dport 53,1036,1032,1140,1151,2857 -j ACCEPT
$IPT -A FORWARD -o $NET_IFACE3 -m multiport -p udp --dport 53,1036,1032,1140,1151,2857 -j ACCEPT
$IPT -A FORWARD -o $NET_IFACE0 -p udp --dport 27000:27030 -j ACCEPT
$IPT -A FORWARD -o $NET_IFACE2 -p udp --dport 27000:27030 -j ACCEPT
$IPT -A FORWARD -o $NET_IFACE3 -p udp --dport 27000:27030 -j ACCEPT
$IPT -A FORWARD -o $LAN_IFACE -d $IPSOURCE -m state --state ESTABLISHED,RELATED -j ACCEPT
echo -n "Bloqueando spoofing..."
$IPT -A INPUT -i $LAN_IFACE -s 10.0.0.0/8 -j DROP
$IPT -A INPUT -i $LAN_IFACE -s 172.16.0.0/12 -j DROP
$IPT -A INPUT -i $LAN_IFACE -s 192.168.0.0/16 -j DROP
$IPT -A INPUT -i $LAN_IFACE -s 224.0.0.0/4 -j DROP
$IPT -A INPUT -i $LAN_IFACE -s 240.0.0.0/5 -j DROP
echo " [OK]"
# Liberando alguns acessos por ping:
echo -n "Liberando acesso por ping..."
$IPT -A INPUT -p icmp --icmp-type 8 -i eth1 -j ACCEPT
$IPT -A INPUT -p icmp --icmp-type 0 -j ACCEPT
echo " [OK]"
# Descarta pacotes invalidos:
echo -n "Descartando pacotes invalidos para reenvio..."
$IPT -A FORWARD -m state --state INVALID -j DROP
echo " [OK]"
;;
stop)
$IPT -F
$IPT -Z
$IPT -t nat -F
$IPT -t filter -P FORWARD ACCEPT
restart)
$PROGRAMA stop
$PROGRAMA start
;;
esac
O SCRIPT ACIMA NÃO AMARRA IP COM MAC!!!!!