Problem blocking the ICQ, MSN and AIM services
Hi everyone,
I'm having trouble blocking the following services (MSN, IRC and ICQ) in iptables; I've already tried several rules and couldn't block the services. Another problem I don't know how to solve is preventing the three internal interfaces from seeing each other. Does anyone know how to solve these two problems?
My rules for closing things off:
iptables -P INPUT DROP
iptables -P FORWARD DROP
My network:
eth0 200.xxx.xxx.xxx
eth1 10.10.1.10/24
eth2 10.10.2.10/24
eth3 10.10.3.10/24
Rules I'm using to block the services:
# Blocking ICQ
iptables -A FORWARD -p tcp -dport 5190 -j REJECT
iptables -A FORWARD -p tcp -dport 4000 -j REJECT
iptables -A FORWARD -d login.icq.com -j REJECT
# Blocking MSN
iptables -A FORWARD -p tcp -dport 1863 -j REJECT
iptables -A FORWARD -d 64.4.13.0/24 -j REJECT
# Blocking AIM
iptables -A FORWARD -d cs.yahoo.com -j REJECT
iptables -A FORWARD -d scsa.yahoo.com -j REJECT
Problem blocking the ICQ, MSN and AIM services
Try these:
Block AIM with iptables:
iptables -A FORWARD -p tcp --dport 5190 -j REJECT
iptables -A FORWARD -d login.oscar.aol.com -j REJECT
Block ICQ with iptables:
iptables -A FORWARD -p TCP --dport 5190 -j REJECT
iptables -A FORWARD -d login.icq.com -j REJECT
Block MSN Messenger with iptables:
iptables -A FORWARD -p TCP --dport 1863 -j REJECT
iptables -A FORWARD -d 64.4.13.0/24 -j REJECT
Before dport you're using - and it has to be --.
See if that's what's going wrong.
Cheers
Problem blocking the ICQ, MSN and AIM services
Hi grilo,
Man, the rules you sent me didn't work; I'm sending you my script, take a look.
#!/bin/bash
# COMMAND ALIASES
PROGRAMA="/etc/init.d/firewall"
IPT="/sbin/iptables"
MOD="/sbin/modprobe"
RMM="/sbin/rmmod"
MACLIST="/etc/maclist"
# NETWORK INTERFACES
INT_EXT="eth0" # INTERNET
INT_LAN="eth1" # SCHOOL
INT_LAN1="eth2" # WIRELESS
INT_LAN2="eth3" # OFFICE
# IP RANGES
IP="200.xxx.xxx.xxx"
IP1="10.10.1.0/24"
IP2="10.10.2.0/24"
IP3="10.10.3.0/24"
LO="127.0.0.0/8" # the whole loopback range (127.0.0.1/24 only covered part of it)
case $1 in
start)
#LOAD MODULES
$MOD ip_tables
$MOD iptable_filter
$MOD iptable_nat
$MOD ip_conntrack
$MOD ip_conntrack_ftp
$MOD ipt_LOG
$MOD ipt_REJECT
$MOD ipt_state
$MOD ipt_mac
#$MOD ipt_MASQUERADE
echo "Carregando o iptables..."
echo ""
echo "1" > "/proc/sys/net/ipv4/ip_forward"
#echo "1" > "/proc/sys/net/ipv4/rp_filter"
#echo "1" > "/proc/sys/net/ipv4/icmp_echo_ignore_all"
# POLICY
$IPT -P INPUT DROP
$IPT -P FORWARD DROP
# MAC ADDRESS CONTROL (maclist format: status;mac;ip;user)
for i in `cat $MACLIST`; do
STATUS=`echo $i | cut -d ';' -f 1`
IPSOURCE=`echo $i | cut -d ';' -f 3`
MACSOURCE=`echo $i | cut -d ';' -f 2`
IDUSER=`echo $i | cut -d ';' -f 4`
if [ $STATUS = "a" ]; then
#$IPT -A FORWARD -s $IPSOURCE -m mac --mac-source $MACSOURCE -j ACCEPT
$IPT -A FORWARD -m mac --mac-source $MACSOURCE -s $IPSOURCE -j ACCEPT
$IPT -A FORWARD -d $IPSOURCE -j ACCEPT
$IPT -t nat -A PREROUTING -s $IPSOURCE -p tcp --dport 80 -j REDIRECT --to-port 3128
$IPT -t nat -A POSTROUTING -s $IPSOURCE -o $INT_EXT -j MASQUERADE
echo "IP FIXO: - USER="$IDUSER" - IP="$IPSOURCE" - MAC="$MACSOURCE""
fi
if [ $STATUS = "d" ]; then
$IPT -A FORWARD -d $IPSOURCE -j ACCEPT
$IPT -A FORWARD -s $IPSOURCE -j ACCEPT
$IPT -t nat -A POSTROUTING -s $IPSOURCE -o $INT_EXT -j MASQUERADE
$IPT -t nat -A PREROUTING -s $IPSOURCE -p tcp --dport 80 -j REDIRECT --to-port 3128
echo "IP DINAMICO: - IP="$IPSOURCE" "ACESSO LIBERADO""
fi
if [ $STATUS = "b" ]; then
$IPT -A FORWARD -m mac --mac-source $MACSOURCE -j DROP
$IPT -A INPUT -m mac --mac-source $MACSOURCE -j DROP
#$IPT -A OUTPUT -m mac --mac-source $MACSOURCE -j DROP
echo "USUARIO BLOQUEADO: - USER="$IDUSER" - IP="$IPSOURCE" - MAC="$MACSOURCE""
fi
done
# HOSTS ALLOWED TO USE P2P
$IPT -A FORWARD -s $IP2 -p tcp -i $INT_EXT --dport 6881:6889 -j ACCEPT # Bittorrent
$IPT -A FORWARD -s $IP2 -d 216.35.208.0/24 -j ACCEPT # iMesh
$IPT -A FORWARD -s $IP2 -p TCP --dport 6346 -j ACCEPT # BearShare
$IPT -A FORWARD -s $IP2 -p TCP --dport 6346 -j ACCEPT # Toadnode
$IPT -A FORWARD -s $IP2 -d 209.61.186.0/24 -j ACCEPT # WinMX
$IPT -A FORWARD -s $IP2 -d 64.49.201.0/24 -j ACCEPT # WinMX
$IPT -A FORWARD -s $IP2 -d 209.25.178.0/24 -j ACCEPT # Napigator
$IPT -A FORWARD -s $IP2 -d 206.142.53.0/24 -j ACCEPT # Morpheus
$IPT -A FORWARD -s $IP2 -p TCP --dport 1214 -j ACCEPT # Morpheus
$IPT -A FORWARD -s $IP2 -d 213.248.112.0/24 -j ACCEPT # KaZaA
$IPT -A FORWARD -s $IP2 -p TCP --dport 1214 -j ACCEPT # KaZaA
$IPT -A FORWARD -s $IP2 -p TCP --dport 6346 -j ACCEPT # Limewire
$IPT -A FORWARD -s $IP2 -d 64.245.58.0/23 -j ACCEPT # Audiogalaxy
# BLOCKING P2P FOR EVERYONE ELSE
$IPT -A FORWARD -p tcp -i $INT_EXT --dport 6881:6889 -j REJECT # Bittorrent
$IPT -A FORWARD -d 216.35.208.0/24 -j REJECT # iMesh
$IPT -A FORWARD -p TCP --dport 6346 -j REJECT # BearShare
$IPT -A FORWARD -p TCP --dport 6346 -j REJECT # Toadnode
$IPT -A FORWARD -d 209.61.186.0/24 -j REJECT # WinMX
$IPT -A FORWARD -d 64.49.201.0/24 -j REJECT # WinMX
$IPT -A FORWARD -d 209.25.178.0/24 -j REJECT # Napigator
$IPT -A FORWARD -d 206.142.53.0/24 -j REJECT # Morpheus
$IPT -A FORWARD -p TCP --dport 1214 -j REJECT # Morpheus
$IPT -A FORWARD -d 213.248.112.0/24 -j REJECT # KaZaA
$IPT -A FORWARD -p TCP --dport 1214 -j REJECT # KaZaA
$IPT -A FORWARD -p TCP --dport 6346 -j REJECT # Limewire
$IPT -A FORWARD -d 64.245.58.0/23 -j REJECT # Audiogalaxy
# DROP MALFORMED PACKETS
$IPT -A FORWARD -m unclean -j DROP
# PROTECTION AGAINST TRINOO
$IPT -N TRINOO
$IPT -A TRINOO -m limit --limit 15/m -j LOG --log-level 6 --log-prefix "FIREWALL: trinoo: "
$IPT -A TRINOO -j DROP
$IPT -A INPUT -p TCP -i $INT_EXT --dport 27444 -j TRINOO
$IPT -A INPUT -p TCP -i $INT_EXT --dport 27665 -j TRINOO
$IPT -A INPUT -p TCP -i $INT_EXT --dport 31335 -j TRINOO
$IPT -A INPUT -p TCP -i $INT_EXT --dport 34555 -j TRINOO
$IPT -A INPUT -p TCP -i $INT_EXT --dport 35555 -j TRINOO
# PROTECTION AGAINST TROJANS
$IPT -N TROJAN
$IPT -A TROJAN -m limit --limit 15/m -j LOG --log-level 6 --log-prefix "FIREWALL: trojan: "
$IPT -A TROJAN -j DROP
$IPT -A INPUT -p TCP -i $INT_EXT --dport 666 -j TROJAN
$IPT -A INPUT -p TCP -i $INT_EXT --dport 4000 -j TROJAN
$IPT -A INPUT -p TCP -i $INT_EXT --dport 6000 -j TROJAN
$IPT -A INPUT -p TCP -i $INT_EXT --dport 6006 -j TROJAN
$IPT -A INPUT -p TCP -i $INT_EXT --dport 16660 -j TROJAN
# PROTECTION AGAINST WORMS
$IPT -A FORWARD -p tcp --dport 135:139 -j REJECT
$IPT -A FORWARD -p udp --dport 135:139 -j REJECT
# PROTECTION AGAINST SYN FLOODS
$IPT -A FORWARD -p tcp --syn -m limit --limit 1/s -j ACCEPT
# PROTECTION AGAINST PING OF DEATH
$IPT -A FORWARD -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT
# PROTECTION AGAINST PORT SCANNERS (nmap, etc.)
$IPT -A FORWARD -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit 1/s -j ACCEPT
# For the case where you have a Microsoft IIS web server behind the Linux
# firewall and want to stop worms that run arbitrary code through cmd.exe.
# BLOCK SILENTLY
#$IPT -I INPUT -j DROP -p tcp -s 0.0.0.0/0 -m string --string "cmd.exe"
# BLOCK AND REPORT ONCE PER HOUR
#$IPT -I INPUT -j LOG -p tcp -s 0.0.0.0/0 -m string --string "cmd.exe" -m limit --limit 1/hour
# ALLOW FORWARD AND INPUT
# To use these rules you must disable the MAC address control.
$IPT -A INPUT -s $LO -j ACCEPT
#$IPT -A INPUT -s $IP1 -j ACCEPT
#$IPT -A INPUT -s $IP2 -j ACCEPT
#$IPT -A INPUT -s $IP3 -j ACCEPT
#$IPT -A FORWARD -s $IP1 -j ACCEPT
#$IPT -A FORWARD -s $IP2 -j ACCEPT
#$IPT -A FORWARD -s $IP3 -j ACCEPT
# OPEN THE DESIRED PORTS
$IPT -A INPUT -p tcp --dport 21 -j ACCEPT # Ftp
$IPT -A INPUT -p tcp --dport 22 -j ACCEPT # Ssh
$IPT -A INPUT -p tcp --dport 25 -j ACCEPT # Smtp
$IPT -A INPUT -p udp --dport 53 -j ACCEPT # Dns
$IPT -A INPUT -p udp --sport 53 -j ACCEPT # Dns
$IPT -A INPUT -p tcp --dport 80 -j ACCEPT # Http
$IPT -A INPUT -p tcp --dport 110 -j ACCEPT # Pop3
$IPT -A INPUT -p tcp --dport 953 -j ACCEPT # Rndc
$IPT -A INPUT -p udp --dport 953 -j ACCEPT # Rndc
$IPT -A INPUT -p tcp --dport 5800 -j ACCEPT # UltraVNC
$IPT -A INPUT -p tcp --dport 5900 -j ACCEPT # UltraVNC
$IPT -A INPUT -p tcp --dport 5631 -j ACCEPT # PcAnywhere
$IPT -A INPUT -p udp --dport 5632 -j ACCEPT # PcAnywhere
#$IPT -A INPUT -i $INT_EXT -s $IP -p tcp --dport 3128 -j ACCEPT # Squid
$IPT -A INPUT -i $INT_LAN -s $IP1 -p tcp --dport 3128 -j ACCEPT # Squid
$IPT -A INPUT -i $INT_LAN1 -s $IP2 -p tcp --dport 3128 -j ACCEPT # Squid
$IPT -A INPUT -i $INT_LAN2 -s $IP3 -p tcp --dport 3128 -j ACCEPT # Squid
# ALLOW SERVICES
#irc, msn, icq, others and return ports
#$IPT -A INPUT -p tcp -i $INT_LAN --dport 1024: -j ACCEPT # Eth1
#$IPT -A INPUT -p tcp -i $INT_LAN1 --dport 1024: -j ACCEPT # Eth2
#$IPT -A INPUT -p tcp -i $INT_LAN2 --dport 1024: -j ACCEPT # Eth3
#$IPT -A INPUT -p tcp --dport 5190 -j REJECT
#$IPT -A INPUT -d login.icq.com -j REJECT
#$IPT -A FORWARD -p tcp --dport 5190 -j REJECT
#$IPT -A FORWARD -d login.icq.com -j REJECT
#$IPT -A FORWARD -i eth1 -p tcp --dport 1024:65535 -j DROP
#$IPT -A FORWARD -i eth1 -p udp --dport 1024:65535 -j DROP
# Block AIM
$IPT -A FORWARD -p tcp --dport 5190 -j REJECT
$IPT -A FORWARD -d login.oscar.aol.com -j REJECT
# Block ICQ
$IPT -A FORWARD -p TCP --dport 5190 -j REJECT
$IPT -A FORWARD -d login.icq.com -j REJECT
# Block MSN
$IPT -A FORWARD -p TCP --dport 1863 -j REJECT
$IPT -A FORWARD -d 64.4.13.0/24 -j REJECT
# TRANSPARENT PROXY
# To use these rules you must disable the MAC address control.
#$IPT -t nat -A PREROUTING -i $INT_EXT -p tcp --dport 80 -j REDIRECT --to-port 3128
#$IPT -t nat -A PREROUTING -i $INT_LAN -p tcp --dport 80 -j REDIRECT --to-port 3128
#$IPT -t nat -A PREROUTING -i $INT_LAN1 -p tcp --dport 80 -j REDIRECT --to-port 3128
#$IPT -t nat -A PREROUTING -i $INT_LAN2 -p tcp --dport 80 -j REDIRECT --to-port 3128
# PACKETS THAT MUST BE ALLOWED THROUGH
$IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
# SNAT
# To use these rules you must disable the MAC address control.
#$IPT -A POSTROUTING -j SNAT --to $IP
#$IPT -t nat -A POSTROUTING -j SNAT --to $IP
#$IPT -t nat -A POSTROUTING -o $INT_EXT -j SNAT --to $IP
# DNAT
# PCAnywhere
$IPT -t nat -A PREROUTING -p tcp -i eth0 --dport 5631 -j DNAT --to 10.10.1.9:5631
$IPT -t nat -A PREROUTING -p udp -i eth0 --dport 5632 -j DNAT --to 10.10.1.9:5632
# UltraVNC
$IPT -t nat -A PREROUTING -p tcp -i eth0 --dport 5900 -j DNAT --to 10.10.2.9:5900
$IPT -t nat -A PREROUTING -p tcp -i eth0 --dport 5800 -j DNAT --to 10.10.2.9:5800
# BLOCKING ACCESS BETWEEN THE FOLLOWING NETWORKS
#$IPT -A FORWARD -d 10.10.1.0/24 -s 10.10.2.0/24 -j DROP
#$IPT -A FORWARD -d 10.10.2.0/24 -s 10.10.1.0/24 -j DROP
#
;;
stop)
#FLUSH CHAINS
$IPT -F
$IPT -t nat -F
$IPT -X TRINOO
$IPT -X TROJAN
#UNLOAD MODULES
$RMM iptable_filter
$RMM ip_tables
$RMM ipt_mac
$RMM ipt_state
$RMM ipt_REJECT
$RMM ipt_LOG
$RMM iptable_nat
$RMM ip_conntrack_ftp
$RMM ip_conntrack
$RMM ipt_limit
$RMM ipt_unclean
echo "0" > "/proc/sys/net/ipv4/ip_forward"
#echo "0" > "/proc/sys/net/ipv4/rp_filter"
echo "0" > "/proc/sys/net/ipv4/icmp_echo_ignore_all"
#POLICY
$IPT -P INPUT ACCEPT
$IPT -P FORWARD ACCEPT
echo "Descaregando o iptables..."
;;
restart)
$PROGRAMA stop
$PROGRAMA start
echo "Reniciando o iptables..."
;;
esac
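An added example, not code from any of the posts in this thread, that shows why REJECT rules appended with -A can go unmatched: iptables evaluates a chain top to bottom and the first matching rule decides, so the per-host ACCEPT rules that the maclist loop in the script above appends to FORWARD are consulted before the messenger REJECT rules and the inter-subnet DROP rules that the script appends later. The Python below simulates that first-match evaluation with a constructed maclist entry (10.10.1.20 with a made-up MAC), constructed packets, and the same rules in two orders; the Rule fields, the addresses and the compare helper are this example's own and are not iptables APIs.

```python
"""Simulate first-match evaluation of an iptables FORWARD chain (constructed example)."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class Rule:
    """One rule; a field left as None is an option that was not given (no constraint)."""
    target: str
    src: Optional[str] = None                 # -s, address or CIDR
    dst: Optional[str] = None                 # -d, address or CIDR
    proto: Optional[str] = None               # -p
    dport: Optional[Tuple[int, int]] = None   # --dport low:high
    mac: Optional[str] = None                 # -m mac --mac-source
    note: str = ""

    def matches(self, pkt: Dict) -> bool:
        if self.src and ipaddress.ip_address(pkt["src"]) not in ipaddress.ip_network(self.src, strict=False):
            return False
        if self.dst and ipaddress.ip_address(pkt["dst"]) not in ipaddress.ip_network(self.dst, strict=False):
            return False
        if self.proto and pkt.get("proto") != self.proto:
            return False
        if self.dport and not (self.dport[0] <= pkt.get("dport", -1) <= self.dport[1]):
            return False
        if self.mac and pkt.get("mac", "").lower() != self.mac.lower():
            return False
        return True


def evaluate(chain: List[Rule], pkt: Dict, policy: str = "DROP") -> str:
    """The first matching rule decides; the chain policy applies when nothing matches."""
    for rule in chain:
        if rule.matches(pkt):
            return rule.target
    return policy


# Constructed stand-in for one "a" (allowed) entry of /etc/maclist: ip -> mac.
ALLOWED_HOSTS = {"10.10.1.20": "00:11:22:33:44:55"}


def per_host_rules() -> List[Rule]:
    """What the maclist loop appends to FORWARD for each allowed host."""
    rules = []
    for ip, mac in ALLOWED_HOSTS.items():
        rules.append(Rule("ACCEPT", src=ip, mac=mac, note="maclist: traffic from host"))
        rules.append(Rule("ACCEPT", dst=ip, note="maclist: traffic to host"))
    return rules


def block_rules() -> List[Rule]:
    """The messenger REJECTs and the inter-subnet DROPs that the script appends afterwards."""
    return [
        Rule("REJECT", proto="tcp", dport=(1863, 1863), note="MSN"),
        Rule("REJECT", proto="tcp", dport=(5190, 5190), note="AIM/ICQ"),
        Rule("REJECT", dst="64.4.13.0/24", note="MSN server range"),
        Rule("DROP", src="10.10.2.0/24", dst="10.10.1.0/24", note="wireless -> school"),
        Rule("DROP", src="10.10.1.0/24", dst="10.10.2.0/24", note="school -> wireless"),
    ]


def script_order() -> List[Rule]:
    """Everything is appended with -A, so the loop's ACCEPTs sit before the blocks."""
    return per_host_rules() + block_rules()


def fixed_order() -> List[Rule]:
    """Blocks loaded before the loop (or inserted with -I), so they are checked first."""
    return block_rules() + per_host_rules()


# Constructed packets: an MSN login from the allowed host, and wireless-to-school traffic.
MSN_LOGIN = {"src": "10.10.1.20", "mac": "00:11:22:33:44:55",
             "dst": "64.4.13.50", "proto": "tcp", "dport": 1863}
CROSS_SUBNET = {"src": "10.10.2.30", "mac": "66:77:88:99:aa:bb",
                "dst": "10.10.1.20", "proto": "tcp", "dport": 445}


def compare(pkt: Dict) -> Tuple[str, str]:
    """Verdict under the script's ordering versus the blocks-first ordering."""
    return evaluate(script_order(), pkt), evaluate(fixed_order(), pkt)


if __name__ == "__main__":
    for name, pkt in (("MSN login from allowed host", MSN_LOGIN),
                      ("wireless -> school", CROSS_SUBNET)):
        before, after = compare(pkt)
        print(f"{name}: script order -> {before}, blocks first -> {after}")
```

With the script's ordering both packets come back ACCEPT, because the loop's "-s host" and "-d host" ACCEPTs match before any later rule is reached; with the block rules ahead of the loop the MSN login is REJECTed and the cross-subnet packet is DROPped. In a real ruleset that means appending the messenger and subnet-isolation rules before the maclist loop runs, or inserting them with -I instead of -A. The simulation deliberately ignores conntrack state and the INPUT and nat tables, which is enough to show the ordering effect.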
Problem blocking the ICQ, MSN and AIM services
For now I can only help you with MSN, because the rules below really do work; I use them myself.
#MSN blocks
CHATPORT="1863,5190"
/sbin/iptables -I INPUT -p tcp -m multiport --dport ${CHATPORT} -j DROP
/sbin/iptables -A FORWARD -p tcp -m multiport --dport ${CHATPORT} -j DROP
/sbin/iptables -A FORWARD -p tcp -s 192.168.7.0/24 -d 207.46.110.0/24 -j DROP
/sbin/iptables -A FORWARD -p tcp -s 192.168.7.0/24 -d 207.46.104.0/24 -j DROP
/sbin/iptables -A FORWARD -p tcp -s 192.168.7.0/24 -d 64.4.13.0/24 -j DROP
/sbin/iptables -A FORWARD -d messenger.hotmail.com -j REJECT
/sbin/iptables -A FORWARD -p tcp --dport 1863 -j REJECT --reject-with tcp-reset
/sbin/iptables -t mangle -A PREROUTING -p tcp --dport 1863 -j DROP
/sbin/iptables -t mangle -A PREROUTING -d 63.208.13.126 -j DROP
/sbin/iptables -t mangle -A PREROUTING -d 64.4.12.200 -j DROP
/sbin/iptables -t mangle -A PREROUTING -d 64.4.12.201 -j DROP
/sbin/iptables -t mangle -A PREROUTING -d 65.54.131.249 -j DROP
/sbin/iptables -t mangle -A PREROUTING -d 65.54.194.118 -j DROP
/sbin/iptables -t mangle -A PREROUTING -d 65.54.211.61 -j DROP
/sbin/iptables -t mangle -A PREROUTING -d 207.46.104.20 -j DROP
/sbin/iptables -t mangle -A PREROUTING -d 207.46.110.2 -j DROP
/sbin/iptables -A FORWARD -d 64.4.13.0/24 -j REJECT
Problem blocking the ICQ, MSN and AIM services
I use these 3 rules here and it works...
but I'll keep looking into it, ok..