  1. Hi everyone,

    I'm having trouble blocking the following services (MSN, IRC and ICQ) in iptables; I've already tried several rules and couldn't block the services. Another problem I don't know how to solve is preventing the three internal interfaces from seeing each other. Does anyone know how to solve these two problems?

    My rules to close everything:

    Iptables –P INPUT DROP
    Iptables –P FORWARD DROP

    My network:

    Eth0 – 200.xxx.xxx.xxx
    Eth1 – 10.10.1.10/24
    Eth2 – 10.10.2.10/24
    Eth3 – 10.10.3.10/24

    Rules I'm using to block the services:

    # Blocking ICQ
    Iptables –A FORWARD –p tcp –dport 5190 –j REJECT
    Iptables –A FORWARD –p tcp –dport 4000 –j REJECT
    Iptables –A FORWARD –d login.icq.com –j REJECT

    # Blocking MSN
    Iptables –A FORWARD –p tcp –dport 1863 –j REJECT
    Iptables –A FORWARD –d 64.4.13.0/24 –j REJECT

    # Blocking AIM
    Iptables –A FORWARD –d cs.yahoo.com –j REJECT
    Iptables –A FORWARD –d scsa.yahoo.com –j REJECT

  2. #2
    grilo
    Try these:


    Block AIM with iptables:

    iptables -A FORWARD -p tcp --dport 5190 -j REJECT
    iptables -A FORWARD -d login.oscar.aol.com -j REJECT


    Block ICQ with iptables:

    iptables -A FORWARD -p TCP --dport 5190 -j REJECT
    iptables -A FORWARD -d login.icq.com -j REJECT


    Block MSN Messenger with iptables:

    iptables -A FORWARD -p TCP --dport 1863 -j REJECT
    iptables -A FORWARD -d 64.4.13.0/24 -j REJECT



    Before dport you're using – and it has to be --.
    See if that's what's going wrong.

    Cheers



  3. Hi grilo,

    Man, the rules you sent me didn't work. I'm sending my script, take a look.

    #!/bin/bash


    # COMMAND ALIASES
    PROGRAMA="/etc/init.d/firewall"
    IPT="/sbin/iptables"
    MOD="/sbin/modprobe"
    RMM="/sbin/rmmod"
    MACLIST="/etc/maclist"


    # NETWORK INTERFACES
    INT_EXT="eth0" # INTERNET
    INT_LAN="eth1" # SCHOOL
    INT_LAN1="eth2" # WIRELESS
    INT_LAN2="eth3" # OFFICE

    # IP RANGES
    IP="200.xxx.xxx.xxx"
    IP1="10.10.1.0/24"
    IP2="10.10.2.0/24"
    IP3="10.10.3.0/24"
    LO="127.0.0.0/8"

    case $1 in
    start)

    # LOAD MODULES
    $MOD ip_tables
    $MOD iptable_filter
    $MOD iptable_nat
    $MOD ip_conntrack
    $MOD ip_conntrack_ftp
    $MOD ipt_LOG
    $MOD ipt_REJECT
    $MOD ipt_state
    $MOD ipt_mac
    #$MOD ipt_MASQUERADE

    echo "Carregando o iptables..."
    echo ""

    echo "1" > "/proc/sys/net/ipv4/ip_forward"
    #echo "1" > "/proc/sys/net/ipv4/rp_filter"
    #echo "1" > "/proc/sys/net/ipv4/icmp_echo_ignore_all"

    # POLICY
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP

    # MAC CONTROL
    # Each line of $MACLIST has the format status;mac;ip;user
    for i in `cat $MACLIST`; do
    STATUS=`echo $i | cut -d ';' -f 1`
    IPSOURCE=`echo $i | cut -d ';' -f 3`
    MACSOURCE=`echo $i | cut -d ';' -f 2`
    IDUSER=`echo $i | cut -d ';' -f 4`

    # "a": fixed IP tied to a MAC address
    if [ "$STATUS" = "a" ]; then
    #$IPT -A FORWARD -s $IPSOURCE -m mac --mac-source $MACSOURCE -j ACCEPT
    $IPT -A FORWARD -m mac --mac-source $MACSOURCE -s $IPSOURCE -j ACCEPT
    $IPT -A FORWARD -d $IPSOURCE -j ACCEPT
    $IPT -t nat -A PREROUTING -s $IPSOURCE -p tcp --dport 80 -j REDIRECT --to-port 3128
    $IPT -t nat -A POSTROUTING -s $IPSOURCE -o $INT_EXT -j MASQUERADE
    echo "IP FIXO: - USER=$IDUSER - IP=$IPSOURCE - MAC=$MACSOURCE"
    fi

    # "d": dynamic IP, no MAC check
    if [ "$STATUS" = "d" ]; then
    $IPT -A FORWARD -d $IPSOURCE -j ACCEPT
    $IPT -A FORWARD -s $IPSOURCE -j ACCEPT
    $IPT -t nat -A POSTROUTING -s $IPSOURCE -o $INT_EXT -j MASQUERADE
    $IPT -t nat -A PREROUTING -s $IPSOURCE -p tcp --dport 80 -j REDIRECT --to-port 3128
    echo "IP DINAMICO: - IP=$IPSOURCE ACESSO LIBERADO"
    fi

    # "b": blocked user
    if [ "$STATUS" = "b" ]; then
    $IPT -A FORWARD -m mac --mac-source $MACSOURCE -j DROP
    $IPT -A INPUT -m mac --mac-source $MACSOURCE -j DROP
    #$IPT -A OUTPUT -m mac --mac-source $MACSOURCE -j DROP
    echo "USUARIO BLOQUEADO: - USER=$IDUSER - IP=$IPSOURCE - MAC=$MACSOURCE"
    fi
    done

    # HOSTS ALLOWED P2P (outbound from the wireless network)
    $IPT -A FORWARD -s $IP2 -p tcp -o $INT_EXT --dport 6881:6889 -j ACCEPT # Bittorrent
    $IPT -A FORWARD -s $IP2 -d 216.35.208.0/24 -j ACCEPT # iMesh
    $IPT -A FORWARD -s $IP2 -p TCP --dport 6346 -j ACCEPT # BearShare
    $IPT -A FORWARD -s $IP2 -p TCP --dport 6346 -j ACCEPT # Toadnode
    $IPT -A FORWARD -s $IP2 -d 209.61.186.0/24 -j ACCEPT # WinMX
    $IPT -A FORWARD -s $IP2 -d 64.49.201.0/24 -j ACCEPT # WinMX
    $IPT -A FORWARD -s $IP2 -d 209.25.178.0/24 -j ACCEPT # Napigator
    $IPT -A FORWARD -s $IP2 -d 206.142.53.0/24 -j ACCEPT # Morpheus
    $IPT -A FORWARD -s $IP2 -p TCP --dport 1214 -j ACCEPT # Morpheus
    $IPT -A FORWARD -s $IP2 -d 213.248.112.0/24 -j ACCEPT # KaZaA
    $IPT -A FORWARD -s $IP2 -p TCP --dport 1214 -j ACCEPT # KaZaA
    $IPT -A FORWARD -s $IP2 -p TCP --dport 6346 -j ACCEPT # Limewire
    $IPT -A FORWARD -s $IP2 -d 64.245.58.0/23 -j ACCEPT # Audiogalaxy

    # BLOCKING ALL OTHER P2P
    $IPT -A FORWARD -p tcp -o $INT_EXT --dport 6881:6889 -j REJECT # Bittorrent
    $IPT -A FORWARD -d 216.35.208.0/24 -j REJECT # iMesh
    $IPT -A FORWARD -p TCP --dport 6346 -j REJECT # BearShare
    $IPT -A FORWARD -p TCP --dport 6346 -j REJECT # Toadnode
    $IPT -A FORWARD -d 209.61.186.0/24 -j REJECT # WinMX
    $IPT -A FORWARD -d 64.49.201.0/24 -j REJECT # WinMX
    $IPT -A FORWARD -d 209.25.178.0/24 -j REJECT # Napigator
    $IPT -A FORWARD -d 206.142.53.0/24 -j REJECT # Morpheus
    $IPT -A FORWARD -p TCP --dport 1214 -j REJECT # Morpheus
    $IPT -A FORWARD -d 213.248.112.0/24 -j REJECT # KaZaA
    $IPT -A FORWARD -p TCP --dport 1214 -j REJECT # KaZaA
    $IPT -A FORWARD -p TCP --dport 6346 -j REJECT # Limewire
    $IPT -A FORWARD -d 64.245.58.0/23 -j REJECT # Audiogalaxy

    # DROP MALFORMED PACKETS
    $IPT -A FORWARD -m unclean -j DROP

    # PROTECTION AGAINST TRINOO
    $IPT -N TRINOO
    $IPT -A TRINOO -m limit --limit 15/m -j LOG --log-level 6 --log-prefix "FIREWALL: trinoo: "
    $IPT -A TRINOO -j DROP
    $IPT -A INPUT -p TCP -i $INT_EXT --dport 27444 -j TRINOO
    $IPT -A INPUT -p TCP -i $INT_EXT --dport 27665 -j TRINOO
    $IPT -A INPUT -p TCP -i $INT_EXT --dport 31335 -j TRINOO
    $IPT -A INPUT -p TCP -i $INT_EXT --dport 34555 -j TRINOO
    $IPT -A INPUT -p TCP -i $INT_EXT --dport 35555 -j TRINOO

    # PROTECTION AGAINST TROJANS
    $IPT -N TROJAN
    $IPT -A TROJAN -m limit --limit 15/m -j LOG --log-level 6 --log-prefix "FIREWALL: trojan: "
    $IPT -A TROJAN -j DROP
    $IPT -A INPUT -p TCP -i $INT_EXT --dport 666 -j TROJAN
    $IPT -A INPUT -p TCP -i $INT_EXT --dport 4000 -j TROJAN
    $IPT -A INPUT -p TCP -i $INT_EXT --dport 6000 -j TROJAN
    $IPT -A INPUT -p TCP -i $INT_EXT --dport 6006 -j TROJAN
    $IPT -A INPUT -p TCP -i $INT_EXT --dport 16660 -j TROJAN

    # PROTECTION AGAINST WORMS
    $IPT -A FORWARD -p tcp --dport 135:139 -j REJECT
    $IPT -A FORWARD -p udp --dport 135:139 -j REJECT

    # PROTECTION AGAINST SYN FLOODS
    $IPT -A FORWARD -p tcp --syn -m limit --limit 1/s -j ACCEPT

    # PROTECTION AGAINST PING OF DEATH
    $IPT -A FORWARD -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT

    # PROTECTION AGAINST PORT SCANNERS (nmap, etc...)
    $IPT -A FORWARD -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit 1/s -j ACCEPT

    # For the case where you have a Microsoft IIS web server behind the Linux
    # firewall and want to stop worms with arbitrary code that use the
    # cmd.exe command.

    # BLOCKING SILENTLY
    #$IPT -I INPUT -j DROP -p tcp -s 0.0.0.0/0 -m string --string "cmd.exe"

    # BLOCKING AND LOGGING ONCE PER HOUR
    #$IPT -I INPUT -j LOG -p tcp -s 0.0.0.0/0 -m string --string "cmd.exe" -m limit --limit 1/hour

    # ALLOW FORWARD AND INPUT
    # To use these rules, MAC address control must be disabled.
    $IPT -A INPUT -s $LO -j ACCEPT
    #$IPT -A INPUT -s $IP1 -j ACCEPT
    #$IPT -A INPUT -s $IP2 -j ACCEPT
    #$IPT -A INPUT -s $IP3 -j ACCEPT
    #$IPT -A FORWARD -s $IP1 -j ACCEPT
    #$IPT -A FORWARD -s $IP2 -j ACCEPT
    #$IPT -A FORWARD -s $IP3 -j ACCEPT

    # OPEN THE DESIRED PORTS
    $IPT -A INPUT -p tcp --dport 21 -j ACCEPT # Ftp
    $IPT -A INPUT -p tcp --dport 22 -j ACCEPT # Ssh
    $IPT -A INPUT -p tcp --dport 25 -j ACCEPT # Smtp
    $IPT -A INPUT -p udp --dport 53 -j ACCEPT # Dns
    $IPT -A INPUT -p udp --sport 53 -j ACCEPT # Dns
    $IPT -A INPUT -p tcp --dport 80 -j ACCEPT # Http
    $IPT -A INPUT -p tcp --dport 110 -j ACCEPT # Pop3
    $IPT -A INPUT -p tcp --dport 953 -j ACCEPT # Rndc
    $IPT -A INPUT -p udp --dport 953 -j ACCEPT # Rndc
    $IPT -A INPUT -p tcp --dport 5800 -j ACCEPT # UltraVNC
    $IPT -A INPUT -p tcp --dport 5900 -j ACCEPT # UltraVNC
    $IPT -A INPUT -p tcp --dport 5631 -j ACCEPT # PcAnywhere
    $IPT -A INPUT -p udp --dport 5632 -j ACCEPT # PcAnywhere
    #$IPT -A INPUT -i $INT_EXT -s $IP -p tcp --dport 3128 -j ACCEPT # Squid
    $IPT -A INPUT -i $INT_LAN -s $IP1 -p tcp --dport 3128 -j ACCEPT # Squid
    $IPT -A INPUT -i $INT_LAN1 -s $IP2 -p tcp --dport 3128 -j ACCEPT # Squid
    $IPT -A INPUT -i $INT_LAN2 -s $IP3 -p tcp --dport 3128 -j ACCEPT # Squid

    # ALLOW SERVICES
    # irc, msn, icq, others and return ports
    #$IPT -A INPUT -p tcp -i $INT_LAN --dport 1024: -j ACCEPT # Eth1
    #$IPT -A INPUT -p tcp -i $INT_LAN1 --dport 1024: -j ACCEPT # Eth2
    #$IPT -A INPUT -p tcp -i $INT_LAN2 --dport 1024: -j ACCEPT # Eth3
    #$IPT -A INPUT -p tcp --dport 5190 -j REJECT
    #$IPT -A INPUT -d login.icq.com -j REJECT
    #$IPT -A FORWARD -p tcp --dport 5190 -j REJECT
    #$IPT -A FORWARD -d login.icq.com -j REJECT
    #$IPT -A FORWARD -i eth1 -p tcp --dport 1024:65535 -j DROP
    #$IPT -A FORWARD -i eth1 -p udp --dport 1024:65535 -j DROP
    # Block AIM
    $IPT -A FORWARD -p tcp --dport 5190 -j REJECT
    $IPT -A FORWARD -d login.oscar.aol.com -j REJECT

    # Block ICQ
    $IPT -A FORWARD -p TCP --dport 5190 -j REJECT
    $IPT -A FORWARD -d login.icq.com -j REJECT

    # Block MSN
    $IPT -A FORWARD -p TCP --dport 1863 -j REJECT
    $IPT -A FORWARD -d 64.4.13.0/24 -j REJECT



    # TRANSPARENT PROXY
    # To use these rules, MAC address control must be disabled.
    #$IPT -t nat -A PREROUTING -i $INT_EXT -p tcp --dport 80 -j REDIRECT --to-port 3128
    #$IPT -t nat -A PREROUTING -i $INT_LAN -p tcp --dport 80 -j REDIRECT --to-port 3128
    #$IPT -t nat -A PREROUTING -i $INT_LAN1 -p tcp --dport 80 -j REDIRECT --to-port 3128
    #$IPT -t nat -A PREROUTING -i $INT_LAN2 -p tcp --dport 80 -j REDIRECT --to-port 3128

    # PACKETS THAT MUST PASS
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

    # SNAT
    # To use these rules, MAC address control must be disabled.
    #$IPT -A POSTROUTING -j SNAT --to $IP
    #$IPT -t nat -A POSTROUTING -j SNAT --to $IP
    #$IPT -t nat -A POSTROUTING -o $INT_EXT -j SNAT --to $IP

    # DNAT
    # PCAnywhere
    $IPT -t nat -A PREROUTING -p tcp -i eth0 --dport 5631 -j DNAT --to 10.10.1.9:5631
    $IPT -t nat -A PREROUTING -p udp -i eth0 --dport 5632 -j DNAT --to 10.10.1.9:5632

    # UltraVNC
    $IPT -t nat -A PREROUTING -p tcp -i eth0 --dport 5900 -j DNAT --to 10.10.2.9:5900
    $IPT -t nat -A PREROUTING -p tcp -i eth0 --dport 5800 -j DNAT --to 10.10.2.9:5800

    # BLOCKING ACCESS BETWEEN THE FOLLOWING NETWORKS
    #$IPT -A FORWARD -d 10.10.1.0/24 -s 10.10.2.0/24 -j DROP
    #$IPT -A FORWARD -d 10.10.2.0/24 -s 10.10.1.0/24 -j DROP
    #

    ;;
    stop)

    # FLUSH CHAINS
    $IPT -F
    $IPT -t nat -F
    $IPT -X TRINOO
    $IPT -X TROJAN

    # UNLOAD MODULES (dependent modules first, ip_tables last)
    $RMM ipt_mac
    $RMM ipt_state
    $RMM ipt_REJECT
    $RMM ipt_LOG
    $RMM ipt_limit
    $RMM ipt_unclean
    $RMM iptable_nat
    $RMM ip_conntrack_ftp
    $RMM ip_conntrack
    $RMM iptable_filter
    $RMM ip_tables

    echo "0" > "/proc/sys/net/ipv4/ip_forward"
    #echo "0" > "/proc/sys/net/ipv4/rp_filter"
    echo "0" > "/proc/sys/net/ipv4/icmp_echo_ignore_all"

    # POLICY
    $IPT -P INPUT ACCEPT
    $IPT -P FORWARD ACCEPT
    echo "Descarregando o iptables..."
    ;;
    restart)
    $PROGRAMA stop
    $PROGRAMA start
    echo "Reiniciando o iptables..."
    ;;
    esac
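    In the script above, the REJECT rules for AIM/ICQ/MSN are appended to FORWARD after the broad per-host ACCEPT rules of the MAC loop, and iptables stops at the first matching rule, so the messenger blocks never match; the inter-LAN DROP rules at the end are commented out and would also come too late. The following is an added example, not code from the thread: a dry run that appends the interface isolation (second question) and the messenger blocks (first question) before the per-host ACCEPTs, using the thread's interface names and ports. IPT defaults to `echo iptables` so it prints the rules instead of applying them, and the maclist entry is constructed.

```bash
#!/bin/bash
# Added example, not from the thread: FORWARD rule ordering that makes the
# messenger blocks and the inter-LAN isolation take effect. iptables stops at
# the first matching rule, so the REJECT/DROP rules must be appended before the
# broad per-host ACCEPTs of the MAC loop. IPT defaults to "echo iptables" so
# this prints the rules (dry run); export IPT=/sbin/iptables to apply them.
IPT="${IPT:-echo iptables}"
INT_EXT="eth0"                 # internet, as in the thread
LANS="eth1 eth2 eth3"          # school, wireless, office
IM_PORTS="1863,5190"           # MSN and ICQ/AIM ports used by the posters

build_rules() {
    # 1. Keep the three internal networks from seeing each other: drop every
    #    packet that enters on one LAN interface and would leave on another.
    for in_if in $LANS; do
        for out_if in $LANS; do
            [ "$in_if" = "$out_if" ] && continue
            $IPT -A FORWARD -i "$in_if" -o "$out_if" -j DROP
        done
    done
    # 2. Block the messengers towards the internet before any ACCEPT.
    #    --dports needs -p tcp; tcp-reset makes the clients fail fast.
    $IPT -A FORWARD -o "$INT_EXT" -p tcp -m multiport --dports "$IM_PORTS" \
        -j REJECT --reject-with tcp-reset
    $IPT -A FORWARD -o "$INT_EXT" -d 64.4.13.0/24 -j REJECT
    # 3. Only now the per-host ACCEPTs (the script's MAC loop), fed here by a
    #    constructed maclist entry in the script's format: status;mac;ip;user
    while IFS=';' read -r status mac ip user; do
        [ "$status" = "a" ] || continue
        $IPT -A FORWARD -m mac --mac-source "$mac" -s "$ip" -j ACCEPT
        $IPT -A FORWARD -d "$ip" -m state --state ESTABLISHED,RELATED -j ACCEPT
    done <<'EOF'
a;00:11:22:33:44:55;10.10.1.20;user01
EOF
}

# Returns 0 when no REJECT/DROP rule comes after an ACCEPT in the emitted list,
# i.e. the ordering problem of the posted script is absent.
rules_ordered() {
    build_rules | awk '/-j ACCEPT/ {seen=1} /-j (REJECT|DROP)/ && seen {bad=1} END {exit bad}'
}
```

    Because the script's nat PREROUTING REDIRECT sends port-80 traffic to Squid on the firewall itself, messenger clients that fall back to HTTP reach the proxy through INPUT rather than these FORWARD rules and have to be handled in Squid.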

  4. #4
    silmar
    Look, for now I can only help you with MSN, because this rule here really works, since I use it.


    # MSN blocks
    CHATPORT="1863,5190"
    /sbin/iptables -I INPUT -p tcp -m multiport --dport ${CHATPORT} -j DROP
    /sbin/iptables -A FORWARD -p tcp -m multiport --dport ${CHATPORT} -j DROP
    /sbin/iptables -A FORWARD -p tcp -s 192.168.7.0/24 -d 207.46.110.0/24 -j DROP
    /sbin/iptables -A FORWARD -p tcp -s 192.168.7.0/24 -d 207.46.104.0/24 -j DROP
    /sbin/iptables -A FORWARD -p tcp -s 192.168.7.0/24 -d 64.4.13.0/24 -j DROP
    /sbin/iptables -A FORWARD -d messenger.hotmail.com -j REJECT
    /sbin/iptables -A FORWARD -p tcp --dport 1863 -j REJECT --reject-with tcp-reset
    /sbin/iptables -t mangle -A PREROUTING -p tcp --dport 1863 -j DROP
    /sbin/iptables -t mangle -A PREROUTING -d 63.208.13.126 -j DROP
    /sbin/iptables -t mangle -A PREROUTING -d 64.4.12.200 -j DROP
    /sbin/iptables -t mangle -A PREROUTING -d 64.4.12.201 -j DROP
    /sbin/iptables -t mangle -A PREROUTING -d 65.54.131.249 -j DROP
    /sbin/iptables -t mangle -A PREROUTING -d 65.54.194.118 -j DROP
    /sbin/iptables -t mangle -A PREROUTING -d 65.54.211.61 -j DROP
    /sbin/iptables -t mangle -A PREROUTING -d 207.46.104.20 -j DROP
    /sbin/iptables -t mangle -A PREROUTING -d 207.46.110.2 -j DROP
    /sbin/iptables -A FORWARD -d 64.4.13.0/24 -j REJECT



  5. #5
    grilo
    I use these 3 rules here and it works...
    but I'll keep looking into it, ok..





