


  1. #1

    Question about Firewall Mac/IP

    Hey guys, I have a problem here. Here's the thing: I'll post my script and then comment on my question...

    Script

    echo 1 > /proc/sys/net/ipv4/ip_forward
    modprobe iptable_nat
    modprobe ip_conntrack_ftp
    modprobe ip_nat_ftp
    iptables -F
    iptables -t nat -F
    #
    ###############--NAT--###############
    #
    iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
    #
    ###########################################################
    ##################-----Public IPs---#########
    #
    #iptables -t nat -A PREROUTING -d 200.254.123.26 -p tcp -j DNAT --to 192.168.0.12
    #iptables -t nat -A POSTROUTING -d 192.168.0.12 -p tcp -j SNAT --to 200.254.123.26
    #iptables -t nat -A PREROUTING -d 200.254.123.26 -p udp -j DNAT --to 192.168.0.12
    #iptables -t nat -A POSTROUTING -d 192.168.0.12 -p udp -j SNAT --to 200.254.123.26
    #
    ###################---IP/MAC control---###########
    #
    # Note: the nat table only sees the first packet of each connection
    iptables -t nat -A PREROUTING -s 10.0.3.4 -m mac --mac-source 00:0e:2e:50:b4:81 -i eth1 -j ACCEPT
    iptables -t nat -A PREROUTING -m mac --mac-source 00:0e:2e:50:b4:81 -i eth1 -j DROP
    #
    ####################---Caixa Conectividade Social---######
    #
    iptables -A INPUT -p tcp -s 192.168.0.24 --sport 1024:65535 -d 200.201.174.0/24 --dport 80 -j ACCEPT
    iptables -t nat -A PREROUTING -p tcp -s 192.168.0.24 --sport 1024:65535 -d 200.201.174.0/24 --dport 80 -j ACCEPT
    #
    #############---Transparent proxy---###############
    #
    iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 80 -j REDIRECT --to-port 3128
    #
    ##################---Upload control---##############
    #
    iptables -t mangle -A FORWARD -s 192.168.0.6 -j MARK --set-mark 120
    #


    Hey guys, my question is this: the IP 10.0.3.4 described in my script belongs to a client. What happens is that I go there and plug the network cable into one machine, but there are some smart guys here who plug the cable coming from my switch into their own switch, then configure the IPs of their stations on the same route as my server here and keep sucking up the bandwidth.
    I'd like a setup that puts an end to this. The MAC approach works, but in the case I described above it gets a bit hard; I'd like only the IP I released to have working internet, and not all the IPs on their network, which in this case are in the same range as the routes here.

    If I wasn't clear, ask.

    Someone help me please

  2. #2
    Guest

    Question about Firewall Mac/IP

    You're using rules that treat the whole network... so that's exactly what's going to happen... to do it per machine, just create your rules per IP address..

    for example, for each machine you wanted to allow you'd have to create a rule accepting it....

    But that'll be a lot of work... you'd be better off using a proxy with user/password!!!!

    it'll give you fewer headaches...

  3. #3

    Question about Firewall Mac/IP

    Hey man, thanks for the tip, but the work is no problem. What I wanted to do is this, see if it's possible: I would drop the whole network in the script and then allow only the clients' IPs with their respective MACs. If someone could post an example of what that script would look like, I'd be very grateful.


    Thanks

  4. #4
    Guest

    I did something similar... look here

    Hello, I built a setup similar to this one... I made some light modifications to it... but this is more or less what you'll need!

    Be careful to allow access to this gateway of yours from your machine with remote access!

    Well, if anything, send me an email, but I believe with this you can adjust it to your needs. [email protected]

    Hope it helps a bit!

    André Zenun

    #!/bin/bash
    ####################################################################
    #
    #Author: André Marascalchi Zenun
    #Date: 29/07/2005
    #
    ####################################################################

    ####################################################################
    # IPTABLES BINARY
    ####################################################################
    cmd="/usr/sbin/iptables"

    ####################################################################
    # PORTS
    ####################################################################
    ssh_p="22"
    http_p="80"

    ####################################################################
    # START INTERFACE DEFINITIONS (fill these in before running)
    ####################################################################

    local_if=""
    internet_if=""

    ####################################################################
    # END INTERFACE DEFINITIONS
    ####################################################################

    ####################################################################
    # START NETWORK DEFINITIONS
    ####################################################################

    local_net=""
    local_netmask=""

    internet_net=""
    internet_netmask=""

    local_address=""
    internet_address=""

    ####################################################################
    # END NETWORK DEFINITIONS
    ####################################################################

    ####################################################################
    # START MACs ALLOWED INTERNET ACCESS
    ####################################################################

    mac1=""
    mac2=""

    mac_allow_internet="$mac1 $mac2"

    ####################################################################
    # END MACs ALLOWED INTERNET ACCESS
    ####################################################################

    ####################################################################
    # START IPs ALLOWED TO REACH THE FIREWALL FROM THE INTERNET
    ####################################################################

    ip1=""
    ip2=""

    ip_allow_fw="$ip1 $ip2"

    ####################################################################
    # END IPs ALLOWED TO REACH THE FIREWALL FROM THE INTERNET
    ####################################################################

    ####################################################################
    # DELETING EXISTING RULES
    ####################################################################
    $cmd -t filter -F
    $cmd -t filter -X
    $cmd -t nat -F
    $cmd -t nat -X

    ####################################################################
    # CHANGING THE DEFAULT POLICY OF THE IPTABLES CHAINS
    ####################################################################
    $cmd -P INPUT DROP
    $cmd -P FORWARD DROP
    $cmd -P OUTPUT ACCEPT

    ####################################################################
    # CREATING CHAINS
    ####################################################################
    $cmd -N DROPLOG

    ####################################################################
    # START LOCAL HOST ACCESS
    ####################################################################

    $cmd -t filter -A INPUT --match state --state ESTABLISHED,RELATED -j ACCEPT
    $cmd -t filter -A INPUT -s localhost -j ACCEPT

    ####################################################################
    # END LOCAL HOST ACCESS
    ####################################################################

    ####################################################################
    # START LOG CHAIN (DROPLOG was created above; creating it twice fails)
    ####################################################################
    $cmd -A DROPLOG -j LOG --log-level 7
    $cmd -A DROPLOG -j DROP
    ####################################################################
    # END LOG CHAIN
    ####################################################################

    ####################################################################
    # START LOCAL NETWORK DHCP
    ####################################################################

    $cmd -A INPUT -i $local_if -p udp --dport 67 -j ACCEPT

    ####################################################################
    # END LOCAL NETWORK DHCP
    ####################################################################

    ####################################################################
    # START SSH ACCESS TO THE FIREWALL FROM THE INTERNET
    ####################################################################

    # $eba is never defined in this script, so iptables would reject the
    # empty -s argument; the rule stays disabled until the variable is set.
    #$cmd -t filter -A INPUT -i $internet_if -s $eba -j ACCEPT

    for ip in $ip_allow_fw
    do
    $cmd -t filter -A INPUT -i $internet_if -s $ip -p tcp --dport $ssh_p -j ACCEPT
    done

    $cmd -t filter -A INPUT -p tcp -i $internet_if --dport $ssh_p -j DROPLOG

    ####################################################################
    # END SSH ACCESS TO THE FIREWALL
    ####################################################################

    ####################################################################
    # START INTERNET ACCESS FOR KNOWN MACs
    ####################################################################

    # Replies to the connections accepted below; without this rule the
    # FORWARD DROP policy discards every packet coming back from the internet
    $cmd -t filter -A FORWARD --match state --state ESTABLISHED,RELATED -j ACCEPT

    for mac in $mac_allow_internet
    do
    $cmd -t filter -A FORWARD -s $local_net/$local_netmask --match mac --mac-source $mac -d $internet_net/$internet_netmask -j ACCEPT
    done

    $cmd -t nat -A POSTROUTING -s $local_net/$local_netmask -d $internet_net/$internet_netmask -o $internet_if -j MASQUERADE

    ####################################################################
    # END INTERNET ACCESS FOR KNOWN MACs
    ####################################################################
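    As an added example (not part of this thread or of the script above): once dropped packets are logged, as the DROPLOG chain above does, the kernel log tells you which MAC each LAN IP was actually used with. The script below picks out registered IPs that showed up with a different MAC, the situation described in the first post. The allowed list and the log lines are constructed; the IP/MAC pairs are taken from the scripts posted in this thread.

```shell
#!/bin/sh
# Added example (not from the thread): find whitelisted IPs that appeared on
# the LAN with a MAC other than the registered one, using the kernel log
# lines written by an iptables LOG rule. All values below are constructed.

# Registered "IP MAC" pairs (values taken from the scripts posted in this thread).
ALLOWED="10.0.3.4 00:0e:2e:50:b4:81
192.168.0.244 00:40:d0:1d:9d:2c"

# Constructed sample of LOG output. The MAC= field is dst-mac:src-mac:ethertype,
# so the sender's MAC is groups 7 to 12.
SAMPLE_LOG='Jul 29 10:01:02 gw kernel: IN=eth1 OUT=eth0 MAC=00:11:22:33:44:55:00:0e:2e:50:b4:81:08:00 SRC=10.0.3.4 DST=200.201.174.10 PROTO=TCP DPT=80
Jul 29 10:01:05 gw kernel: IN=eth1 OUT=eth0 MAC=00:11:22:33:44:55:aa:bb:cc:dd:ee:ff:08:00 SRC=10.0.3.4 DST=200.201.174.10 PROTO=TCP DPT=80
Jul 29 10:02:00 gw kernel: IN=eth1 OUT=eth0 MAC=00:11:22:33:44:55:de:ad:be:ef:00:01:08:00 SRC=10.0.3.9 DST=200.201.174.10 PROTO=UDP DPT=53'

# Reads log lines on stdin; $1 is the allowed list. Prints "ip expected seen"
# for every line where a registered IP was used with a different MAC.
find_mac_mismatch() {
    # Pass the list to awk on one line, pairs separated by ';'
    awk -v allowed="$(printf '%s' "$1" | tr '\n' ';')" '
    BEGIN {
        n = split(allowed, pairs, ";")
        for (i = 1; i <= n; i++) {
            split(pairs[i], f, " ")
            if (f[1] != "") want[f[1]] = tolower(f[2])
        }
    }
    /SRC=/ && /MAC=/ {
        src = ""; mac = ""
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^SRC=/) src = substr($i, 5)
            if ($i ~ /^MAC=/) mac = substr($i, 5)
        }
        if (!(src in want)) next                 # IP not on the whitelist
        if (split(mac, o, ":") < 14) next        # not an Ethernet header
        seen = tolower(o[7] ":" o[8] ":" o[9] ":" o[10] ":" o[11] ":" o[12])
        if (seen != want[src]) print src, want[src], seen
    }'
}

# Stand-alone run: report mismatches found in the constructed sample
printf '%s\n' "$SAMPLE_LOG" | find_mac_mismatch "$ALLOWED"
```

    On a real gateway, feed it the output of `dmesg` or the kernel log file instead of the sample; a registered IP reported with a foreign MAC is exactly the case of someone reusing an allowed address from another station.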

  5. #5

    Question about Firewall Mac/IP

    Man, look at this, it solves your problem: https://under-linux.org/modules.php?...sid=5018#11553
    Another thing: stay away from these huge firewalls...... size isn't everything... lots of giant firewalls don't do half of what a smaller one, well tuned to the needs of a network, does
    Cheers

  6. #6
    Guest

    Question about Firewall Mac/IP

    Hehehehehehehehe....

    Well, sorry, but that isn't a HUGE firewall! That's a file with commented rules!

    And if you analyze the rules in it carefully, you'll see they're similar to what he needs.

    Allowing MACs to access the internet, opening the DHCP port in case he does that on his network, allowing access to the local host, allowing SSH for specific machines...

    I can't understand the reason for the "Another thing, stay away from these huge firewalls...... size isn't everything..."; you have to put in what's needed!

    See you....

  7. #7

    Question about Firewall Mac/IP

    My friend, the remark I made wasn't about your FW, since I saw it's big because of the comments...
    Sorry, but that wasn't the intention...

  8. #8
    Guest

    Question about Firewall Mac/IP

    Huuu, well, okay then... it's just that the way it was put in the previous message it could be read differently...

    See you...

  9. #9

    Question about Firewall Mac/IP

    Hey Lacierdas, that script of yours turned out great, but there's one problem: as described above, I use public IPs for some clients, and my public-IP rule is in there. I've already tried several ways to fit that public-IP rule into your script, but it doesn't work.

    Thanks

  10. #10

    Question about Firewall Mac/IP

    But what's the difficulty... just copy the rule, that's all...

    Quote: Originally posted by ifc0nfig
    Hey Lacierdas, that script of yours turned out great, but there's one problem: as described above, I use public IPs for some clients, and my public-IP rule is in there. I've already tried several ways to fit that public-IP rule into your script, but it doesn't work.

    Thanks

  11. #11

    Question about Firewall Mac/IP

    Lacierdas

    Here's the thing: I got the public-IP part working; now I have a problem when I redirect the Squid port.

    eth1 = local network
    eth0 = internet

    iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 80 -j REDIRECT --to-port 3128


    The internet stops working; when I comment it out and run the script again it works fine.


    help me

  12. #12

    Question about Firewall Mac/IP

    Man, check whether your proxy is working properly...
    If you think it is... run the proxy rules and ping some site.... if it pings, the problem is in squid... because you didn't lose the connection, it's your squid that isn't answering it....
    Another option is that you're putting the rule in the wrong place...
    Cheers

    Quote: Originally posted by ifc0nfig
    Lacierdas

    Here's the thing: I got the public-IP part working; now I have a problem when I redirect the Squid port.

    eth1 = local network
    eth0 = internet

    iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 80 -j REDIRECT --to-port 3128


    The internet stops working; when I comment it out and run the script again it works fine.


    help me

  13. #13

    Question about Firewall Mac/IP

    Lacierdas,

    Here it worked, but something strange happened: the same thing you mentioned is happening here, but only afterwards. What you described happens when I make some change in squid and restart it: the page stops opening, and when I look at the ports, 3128 shows as closed. Could it be something to do with that?

    Thanks a lot

  14. #14

    Question about Firewall Mac/IP

    Quote: Originally posted by ifc0nfig
    Lacierdas,

    Here it worked, but something strange happened: the same thing you mentioned is happening here, but only afterwards. What you described happens when I make some change in squid and restart it: the page stops opening, and when I look at the ports, 3128 shows as closed. Could it be something to do with that?

    Thanks a lot
    Your FW may be closing that port.... only the fw has that power... Look at this

  15. #15

    Question about Firewall Mac/IP

    Lacierdas,

    Here's the thing: I'm using that script you posted the link to above, I want to combine it with the proxy, and it ended up like this:

    ###-Script-####
    #!/bin/sh
    #
    #Internet=eth0
    #Internal network=eth1
    #
    # Load modules
    modprobe ip_tables
    modprobe iptable_nat
    modprobe ip_conntrack
    modprobe ip_nat_ftp
    modprobe ipt_REJECT
    modprobe ipt_MASQUERADE
    #
    # Flush rules
    iptables -F
    iptables -X
    iptables -F -t nat
    iptables -X -t nat
    iptables -F -t filter
    iptables -X -t filter
    #
    # Set the default policy
    iptables -P INPUT DROP
    iptables -P FORWARD DROP
    #
    # Accept the packets that really should come in
    iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    #
    # Opening ports
    #
    #SSH
    iptables -A INPUT -p tcp -s 0/0 --dport 22 -j ACCEPT
    #DNS
    iptables -A INPUT -p tcp -s 0/0 --dport 53 -j ACCEPT
    iptables -A INPUT -p udp -s 0/0 --dport 53 -j ACCEPT
    #SQUID PORT 3128
    iptables -A INPUT -p tcp -s 0/0 --dport 3128 -j ACCEPT
    iptables -A INPUT -p udp -s 0/0 --dport 3128 -j ACCEPT
    #WEB
    iptables -A INPUT -p tcp -s 0/0 --dport 80 -j ACCEPT
    #Allow loopback
    iptables -A INPUT -p tcp -s 127.0.0.1/8 -j ACCEPT
    #
    iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 80 -j REDIRECT --to-port 3128
    #
    # IP x MAC access control
    #
    # Client 1 (disabled; output interface corrected to eth0, the internet side)
    #iptables -t filter -A FORWARD -d 0/0 -s 192.168.0.2 -m mac --mac-source 00:0B:05:EC:0D:5A -j ACCEPT
    #iptables -t filter -A FORWARD -d 192.168.0.2 -s 0/0 -j ACCEPT
    #iptables -t filter -A INPUT -s 192.168.0.2 -d 0/0 -m mac --mac-source 00:0B:05:EC:0D:5A -j ACCEPT
    #iptables -t nat -A POSTROUTING -s 192.168.0.2 -o eth0 -j MASQUERADE
    #
    # Client 2
    iptables -t filter -A FORWARD -d 0/0 -s 192.168.0.244 -m mac --mac-source 00:40:d0:1d:9d:2c -j ACCEPT
    iptables -t filter -A FORWARD -d 192.168.0.244 -s 0/0 -j ACCEPT
    iptables -t filter -A INPUT -s 192.168.0.244 -d 0/0 -m mac --mac-source 00:40:d0:1d:9d:2c -j ACCEPT
    iptables -t nat -A POSTROUTING -s 192.168.0.244 -o eth0 -j MASQUERADE
    #
    #Share the connection
    echo 1 > /proc/sys/net/ipv4/ip_forward
    #
    #Close the rest
    iptables -A INPUT -j DROP
    iptables -A FORWARD -j DROP
    #

    I'd like to know whether the proxy line is in the right place, and whether those last lines are the ones that block the ports. It works fine, but like this: squid starts at system boot, then I run the script and it runs just fine.
    But there's one problem: after that, if I make any change in squid and restart it, it gets the way you said: it pings any site but can't open anything in any browser.

    Thanks for helping me

  16. #16

    Question about Firewall Mac/IP

    Friend, either you open a NAT for each IP or you open it for everyone.... move the proxy rule down... I think that's all
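    As an added example (not from the thread or from any of the scripts posted in it), here is how the original request, dropping the whole network and allowing only each client's IP+MAC pair, can be built in the filter table, with the Squid REDIRECT from #15 and #16 placed after the whitelist and limited to the same pairs. The interface names follow the thread and the client list is constructed from values in the posted scripts.

```shell
#!/bin/sh
# Added example (not from the thread): per-client IP+MAC whitelist in the
# filter table, with the transparent-proxy REDIRECT restricted to the same
# pairs. Run "sh fw-pairs.sh print" to see the rules, "sh fw-pairs.sh apply"
# to load them (needs root and iptables). Interface names are assumptions.
LAN_IF="eth1"          # internal network, as in the thread
WAN_IF="eth0"          # internet
SQUID_PORT="3128"

# Constructed client list, one "IP MAC" pair per line (values taken from the
# scripts posted above).
CLIENTS="10.0.3.4 00:0e:2e:50:b4:81
192.168.0.244 00:40:d0:1d:9d:2c"

# Emit or load the rules; $1 is the command to run them with (iptables or echo).
apply_rules() {
    ipt="$1"
    $ipt -P FORWARD DROP
    $ipt -F FORWARD
    $ipt -t nat -F PREROUTING
    $ipt -t nat -F POSTROUTING
    # Replies to connections already accepted further down
    $ipt -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    printf '%s\n' "$CLIENTS" | while read -r ip mac; do
        [ -z "$ip" ] && continue
        # Only this exact IP+MAC pair may open connections towards the internet
        $ipt -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$ip" -m mac --mac-source "$mac" -j ACCEPT
        # Redirected packets go to INPUT (Squid) and never pass through FORWARD,
        # so the REDIRECT must carry the same IP+MAC test or the whitelist is bypassed
        $ipt -t nat -A PREROUTING -i "$LAN_IF" -s "$ip" -m mac --mac-source "$mac" \
            -p tcp --dport 80 -j REDIRECT --to-port "$SQUID_PORT"
    done
    # Anything else from the LAN: log the IP/MAC it used, then drop
    $ipt -A FORWARD -i "$LAN_IF" -j LOG --log-prefix "FW-UNKNOWN-HOST: "
    $ipt -A FORWARD -i "$LAN_IF" -j DROP
    $ipt -t nat -A POSTROUTING -o "$WAN_IF" -j MASQUERADE
}

case "${1:-}" in
    apply) apply_rules iptables ;;
    print) apply_rules echo ;;
esac
```

    If the client side puts a router doing NAT behind the cable, every station there arrives with that router's single IP/MAC pair and this check cannot tell them apart; that is the case where the per-user proxy authentication suggested in #2 is the tool to reach for.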

  17. #17
    mcyberx
    Guest

    Re: Question about Firewall Mac/IP

    have you tried masquerading only one IP and setting it as the gateway?