Block everything and allow only Brazilian IPs [SOLVED]

25. Re: Block everything and allow only Brazilian IPs [SOLVED]

Leandro Silva
LSSilva

(uses Other)

Posted on 09/10/2018 - 13:05h

Man, according to this log of yours, the only IP it tried to connect to was 162.243.246.160. So this will become a cyclical event, in which you will have to detect the IP, block it (scheme already described earlier) and repeat this procedure until Browsec no longer works.


  


26. Re: Block everything and allow only Brazilian IPs

Jose Carlos Anicesa Silva
servidorlinux

(uses Debian)

Posted on 09/10/2018 - 22:46h

LSSilva wrote:

Man, according to this log of yours, the only IP it tried to connect to was 162.243.246.160. So this will become a cyclical event, in which you will have to detect the IP, block it (scheme already described earlier) and repeat this procedure until Browsec no longer works.


Hello LSSilva. Thanks for the reply. I am convinced that this is the best way. But I have a question about blocking these IPs. Would the firewall script have to be like this: first it does the LOG of the network, then the blocking of the Browsec IPs, and then the rest of the script follows?

#!/bin/bash

#vars
iflocalnet="eth1"
localnet="192.168.8.0/24"
ifwan="eth0"

start (){
#Set permissive defaults
#Policy
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
#Clean
iptables -F
iptables -X
iptables -t nat -F
iptables -t nat -X
iptables -t mangle -F
iptables -t mangle -X

####
#Log
####
iptables -A FORWARD -s 192.168.8.0/24 -j LOG


#############################
#Block the Browsec IPs
#############################
for i in $(cat /etc/firewall/ips-vpn);
do
iptables -I FORWARD -d $i -j DROP
done


##############
#Filter(INPUT)
##############
#Invalid
iptables -A INPUT -m state --state INVALID -j LOG --log-prefix "Firewall: Invalid Input "
iptables -A INPUT -m state --state INVALID -j DROP
#Valid
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

#Services-Accept (TCP / LAN)
for port in $(cat /etc/firewall/rules/allow-ports-input-tcp-lan | grep -v "#")
do
iptables -A INPUT -p tcp -i $iflocalnet --dport $port -s $localnet -m state --state NEW --syn -j ACCEPT
done

#Services-Accept (UDP / LAN)
for port in $(cat /etc/firewall/rules/allow-ports-input-udp-lan | grep -v "#")
do
iptables -A INPUT -p udp -i $iflocalnet --dport $port -s $localnet -m state --state NEW -j ACCEPT
done

#Services-Accept (TCP / WAN)
for port in $(cat /etc/firewall/rules/allow-ports-input-tcp-wan | grep -v "#")
do
iptables -A INPUT -p tcp -i $ifwan --dport $port -m state --state NEW --syn -j ACCEPT
done

#Services-Accept (UDP / WAN)
for port in $(cat /etc/firewall/rules/allow-ports-input-udp-wan | grep -v "#")
do
iptables -A INPUT -p udp -i $ifwan --dport $port -m state --state NEW -j ACCEPT
done

#Services-Accept (ICMP)
iptables -A INPUT -p icmp --icmp-type echo-request -s $localnet -j ACCEPT


#Loopback
iptables -A INPUT -i lo -j ACCEPT

#Default LOG
iptables -A INPUT ! -i lo -j LOG --log-prefix "Firewall: Drop Input "

###############
#Filter(OUTPUT)
###############
iptables -A OUTPUT -m state --state INVALID -j LOG --log-prefix "Firewall: Invalid Output "
iptables -A OUTPUT -m state --state INVALID -j DROP

################
#Filter(FORWARD)
################
#Invalid
iptables -A FORWARD -m state --state INVALID -j LOG --log-prefix "Firewall: Invalid Forward "
iptables -A FORWARD -m state --state INVALID -j DROP
#Valid
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

#Blocked Sites
for site in $(cat /etc/firewall/rules/blocked-sites | grep -v "#")
do
iptables -I FORWARD -p tcp -m multiport --dports 80,443 -s $localnet -i $iflocalnet -m string --algo bm --string $site -j DROP
done

#Give specific IPs on the network full access
for ip in $(cat /etc/firewall/rules/allow-ips | grep -v "#")
do
iptables -I FORWARD -i $iflocalnet -s $ip -j ACCEPT
done

#Anti-Spoof Rule
iptables -A FORWARD -i $iflocalnet ! -s $localnet -j LOG --log-prefix "Firewall: Spoofed Packet "
iptables -A FORWARD -i $iflocalnet ! -s $localnet -j DROP

#Services-Accept (TCP)
for port in $(cat /etc/firewall/rules/allow-ports-forward-tcp | grep -v "#")
do
iptables -A FORWARD -p tcp -i $iflocalnet --dport $port -s $localnet -m state --state NEW --syn -j ACCEPT
done

#Services-Accept (UDP)
for port in $(cat /etc/firewall/rules/allow-ports-forward-udp | grep -v "#")
do
iptables -A FORWARD -p udp -i $iflocalnet --dport $port -s $localnet -m state --state NEW -j ACCEPT
done

#Services-Accept (ICMP)
iptables -A FORWARD -p icmp --icmp-type echo-request -s $localnet -i $iflocalnet -j ACCEPT

#Default LOG
iptables -A FORWARD ! -i lo -j LOG --log-prefix "Firewall: Drop Forward "

##################
#Nat - PreRouting
##################
#Transparent proxy
#iptables -t nat -A PREROUTING -p tcp --dport 80 -i $iflocalnet -s $localnet -j REDIRECT --to-port 3128
##################
#Nat - PostRouting
##################
iptables -t nat -A POSTROUTING -o $ifwan -j MASQUERADE

#Misc.
#There is no need to put this here
#Debian has a file "/etc/sysctl.conf" that contains this and other settings
#Just uncomment the line in that file; it is good to enable
#rp_filter
#tcp_syn_cookies
#Edit the file, uncommenting the settings you want, then run "sysctl -p" to apply them
echo 1 > /proc/sys/net/ipv4/ip_forward

}
stop (){
#Set permissive defaults
#Policy
iptables -P INPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -P OUTPUT ACCEPT
#Clean
iptables -F
iptables -X
iptables -t nat -F
iptables -t nat -X
iptables -t mangle -F
iptables -t mangle -X
#Masquerading
iptables -t nat -A POSTROUTING -j MASQUERADE

}
case $1 in
start) start;;
stop) stop;;
restart) stop;start;;
*) echo "Use";;
esac


27. Re: Block everything and allow only Brazilian IPs

Leandro Silva
LSSilva

(uses Other)

Posted on 10/10/2018 - 13:07h

You can leave it like this:

#!/bin/bash

#vars
iflocalnet="eth1"
localnet="192.168.8.0/24"
ifwan="eth0"

start (){
#Set permissive defaults
#Policy
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
#Clean
iptables -F
iptables -X
iptables -t nat -F
iptables -t nat -X
iptables -t mangle -F
iptables -t mangle -X

##############
#Filter(INPUT)
##############
#Invalid
iptables -A INPUT -m state --state INVALID -j LOG --log-prefix "Firewall: Invalid Input "
iptables -A INPUT -m state --state INVALID -j DROP
#Valid
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

#Services-Accept (TCP / LAN)
for port in $(cat /etc/firewall/rules/allow-ports-input-tcp-lan | grep -v "#")
do
iptables -A INPUT -p tcp -i $iflocalnet --dport $port -s $localnet -m state --state NEW --syn -j ACCEPT
done

#Services-Accept (UDP / LAN)
for port in $(cat /etc/firewall/rules/allow-ports-input-udp-lan | grep -v "#")
do
iptables -A INPUT -p udp -i $iflocalnet --dport $port -s $localnet -m state --state NEW -j ACCEPT
done

#Services-Accept (TCP / WAN)
for port in $(cat /etc/firewall/rules/allow-ports-input-tcp-wan | grep -v "#")
do
iptables -A INPUT -p tcp -i $ifwan --dport $port -m state --state NEW --syn -j ACCEPT
done

#Services-Accept (UDP / WAN)
for port in $(cat /etc/firewall/rules/allow-ports-input-udp-wan | grep -v "#")
do
iptables -A INPUT -p udp -i $ifwan --dport $port -m state --state NEW -j ACCEPT
done

#Services-Accept (ICMP)
iptables -A INPUT -p icmp --icmp-type echo-request -s $localnet -j ACCEPT


#Loopback
iptables -A INPUT -i lo -j ACCEPT

#Default LOG
iptables -A INPUT ! -i lo -j LOG --log-prefix "Firewall: Drop Input "

###############
#Filter(OUTPUT)
###############
iptables -A OUTPUT -m state --state INVALID -j LOG --log-prefix "Firewall: Invalid Output "
iptables -A OUTPUT -m state --state INVALID -j DROP

################
#Filter(FORWARD)
################
#Invalid
iptables -A FORWARD -m state --state INVALID -j LOG --log-prefix "Firewall: Invalid Forward "
iptables -A FORWARD -m state --state INVALID -j DROP
#Valid
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

#Blocked Sites
for site in $(cat /etc/firewall/rules/blocked-sites | grep -v "#")
do
iptables -I FORWARD -p tcp -m multiport --dports 80,443 -s $localnet -i $iflocalnet -m string --algo bm --string $site -j DROP
done

####
#Log
####
#iptables -A FORWARD -s 192.168.8.0/24 -j LOG

#############################
#Block the Browsec IPs
#############################
for i in $(cat /etc/firewall/ips-vpn);
do
iptables -I FORWARD -s $localnet -d $i -j DROP
done

#Give specific IPs on the network full access
for ip in $(cat /etc/firewall/rules/allow-ips | grep -v "#")
do
iptables -I FORWARD -i $iflocalnet -s $ip -j ACCEPT
done

#Anti-Spoof Rule
iptables -A FORWARD -i $iflocalnet ! -s $localnet -j LOG --log-prefix "Firewall: Spoofed Packet "
iptables -A FORWARD -i $iflocalnet ! -s $localnet -j DROP

#Services-Accept (TCP)
for port in $(cat /etc/firewall/rules/allow-ports-forward-tcp | grep -v "#")
do
iptables -A FORWARD -p tcp -i $iflocalnet --dport $port -s $localnet -m state --state NEW --syn -j ACCEPT
done

#Services-Accept (UDP)
for port in $(cat /etc/firewall/rules/allow-ports-forward-udp | grep -v "#")
do
iptables -A FORWARD -p udp -i $iflocalnet --dport $port -s $localnet -m state --state NEW -j ACCEPT
done

#Services-Accept (ICMP)
iptables -A FORWARD -p icmp --icmp-type echo-request -s $localnet -i $iflocalnet -j ACCEPT

#Default LOG
iptables -A FORWARD ! -i lo -j LOG --log-prefix "Firewall: Drop Forward "

##################
#Nat - PreRouting
##################
#Transparent proxy
#iptables -t nat -A PREROUTING -p tcp --dport 80 -i $iflocalnet -s $localnet -j REDIRECT --to-port 3128
##################
#Nat - PostRouting
##################
iptables -t nat -A POSTROUTING -o $ifwan -j MASQUERADE

#Misc.
#There is no need to put this here
#Debian has a file "/etc/sysctl.conf" that contains this and other settings
#Just uncomment the line in that file; it is good to enable
#rp_filter
#tcp_syn_cookies
#Edit the file, uncommenting the settings you want, then run "sysctl -p" to apply them
echo 1 > /proc/sys/net/ipv4/ip_forward

}
stop (){
#Set permissive defaults
#Policy
iptables -P INPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -P OUTPUT ACCEPT
#Clean
iptables -F
iptables -X
iptables -t nat -F
iptables -t nat -X
iptables -t mangle -F
iptables -t mangle -X
#Masquerading
iptables -t nat -A POSTROUTING -j MASQUERADE

}
case $1 in
start) start;;
stop) stop;;
restart) stop;start;;
*) echo "Use";;
esac


When you use insert (I) instead of append (A), what comes later is placed first.
That is why it sits after the site blocking in the script, but in the iptables queue it is checked first.
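
The insert-versus-append behaviour described above, as an added example that is not part of the original post: a small shell model of one chain that replays a trimmed subset of the script's FORWARD rules in the order the script issues them. The `ipt` and `rule_pos` helpers, `example.com`, `192.168.8.10` and port 443 are assumptions made for the illustration; no real iptables command is run.

```sh
#!/bin/sh
# Model of one iptables chain, one rule per line in $CHAIN.
# Only ordering is modelled: -A appends at the end, -I inserts at the top.
CHAIN=""

ipt() {
    op=$1; shift 2                      # drop the operation and the chain name
    rule=$*
    if [ -z "$CHAIN" ]; then CHAIN=$rule; return 0; fi
    case $op in
        -A) CHAIN="$CHAIN
$rule" ;;
        -I) CHAIN="$rule
$CHAIN" ;;
    esac
}

# rule_pos TEXT: 1-based position of the first rule containing TEXT
rule_pos() {
    printf '%s\n' "$CHAIN" | grep -n -F -e "$1" | head -n 1 | cut -d: -f1
}

# Replays part of the FORWARD section in script order. The file contents are
# constructed: one blocked site, one VPN address (the one quoted in the
# thread), one allow-listed host and one forwarded port.
build_forward() {
    CHAIN=""
    localnet="192.168.8.0/24"
    ipt -A FORWARD -m state --state INVALID -j DROP
    ipt -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    for site in example.com; do                 # blocked-sites
        ipt -I FORWARD -p tcp -s "$localnet" -m string --string "$site" -j DROP
    done
    for i in 162.243.246.160; do                # ips-vpn
        ipt -I FORWARD -s "$localnet" -d "$i" -j DROP
    done
    for ip in 192.168.8.10; do                  # allow-ips
        ipt -I FORWARD -s "$ip" -j ACCEPT
    done
    ipt -A FORWARD -p tcp --dport 443 -s "$localnet" -j ACCEPT   # allow-ports-forward-tcp
    ipt -A FORWARD -j LOG --log-prefix "Firewall: Drop Forward"
}

build_forward
printf '%s\n' "$CHAIN" | nl     # evaluation order, top to bottom
```

In the printed order the allow-ips ACCEPT is at position 1, above the Browsec DROP, so allow-listed hosts are not subject to the VPN block. The Browsec DROP also sits above the ESTABLISHED,RELATED accept, so it applies to connections that are already open.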


28. Re: Block everything and allow only Brazilian IPs

Jose Carlos Anicesa Silva
servidorlinux

(uses Debian)

Posted on 11/10/2018 - 17:11h

LSSilva wrote:

You can leave it like this:

#!/bin/bash

#vars
iflocalnet="eth1"
localnet="192.168.8.0/24"
ifwan="eth0"

start (){
#Set permissive defaults
#Policy
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
#Clean
iptables -F
iptables -X
iptables -t nat -F
iptables -t nat -X
iptables -t mangle -F
iptables -t mangle -X

##############
#Filter(INPUT)
##############
#Invalid
iptables -A INPUT -m state --state INVALID -j LOG --log-prefix "Firewall: Invalid Input "
iptables -A INPUT -m state --state INVALID -j DROP
#Valid
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

#Services-Accept (TCP / LAN)
for port in $(cat /etc/firewall/rules/allow-ports-input-tcp-lan | grep -v "#")
do
iptables -A INPUT -p tcp -i $iflocalnet --dport $port -s $localnet -m state --state NEW --syn -j ACCEPT
done

#Services-Accept (UDP / LAN)
for port in $(cat /etc/firewall/rules/allow-ports-input-udp-lan | grep -v "#")
do
iptables -A INPUT -p udp -i $iflocalnet --dport $port -s $localnet -m state --state NEW -j ACCEPT
done

#Services-Accept (TCP / WAN)
for port in $(cat /etc/firewall/rules/allow-ports-input-tcp-wan | grep -v "#")
do
iptables -A INPUT -p tcp -i $ifwan --dport $port -m state --state NEW --syn -j ACCEPT
done

#Services-Accept (UDP / WAN)
for port in $(cat /etc/firewall/rules/allow-ports-input-udp-wan | grep -v "#")
do
iptables -A INPUT -p udp -i $ifwan --dport $port -m state --state NEW -j ACCEPT
done

#Services-Accept (ICMP)
iptables -A INPUT -p icmp --icmp-type echo-request -s $localnet -j ACCEPT


#Loopback
iptables -A INPUT -i lo -j ACCEPT

#Default LOG
iptables -A INPUT ! -i lo -j LOG --log-prefix "Firewall: Drop Input "

###############
#Filter(OUTPUT)
###############
iptables -A OUTPUT -m state --state INVALID -j LOG --log-prefix "Firewall: Invalid Output "
iptables -A OUTPUT -m state --state INVALID -j DROP

################
#Filter(FORWARD)
################
#Invalid
iptables -A FORWARD -m state --state INVALID -j LOG --log-prefix "Firewall: Invalid Forward "
iptables -A FORWARD -m state --state INVALID -j DROP
#Valid
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

#Blocked Sites
for site in $(cat /etc/firewall/rules/blocked-sites | grep -v "#")
do
iptables -I FORWARD -p tcp -m multiport --dports 80,443 -s $localnet -i $iflocalnet -m string --algo bm --string $site -j DROP
done

####
#Log
####
#iptables -A FORWARD -s 192.168.8.0/24 -j LOG

#############################
#Block the Browsec IPs
#############################
for i in $(cat /etc/firewall/ips-vpn);
do
iptables -I FORWARD -s $localnet -d $i -j DROP
done

#Give specific IPs on the network full access
for ip in $(cat /etc/firewall/rules/allow-ips | grep -v "#")
do
iptables -I FORWARD -i $iflocalnet -s $ip -j ACCEPT
done

#Anti-Spoof Rule
iptables -A FORWARD -i $iflocalnet ! -s $localnet -j LOG --log-prefix "Firewall: Spoofed Packet "
iptables -A FORWARD -i $iflocalnet ! -s $localnet -j DROP

#Services-Accept (TCP)
for port in $(cat /etc/firewall/rules/allow-ports-forward-tcp | grep -v "#")
do
iptables -A FORWARD -p tcp -i $iflocalnet --dport $port -s $localnet -m state --state NEW --syn -j ACCEPT
done

#Services-Accept (UDP)
for port in $(cat /etc/firewall/rules/allow-ports-forward-udp | grep -v "#")
do
iptables -A FORWARD -p udp -i $iflocalnet --dport $port -s $localnet -m state --state NEW -j ACCEPT
done

#Services-Accept (ICMP)
iptables -A FORWARD -p icmp --icmp-type echo-request -s $localnet -i $iflocalnet -j ACCEPT

#Default LOG
iptables -A FORWARD ! -i lo -j LOG --log-prefix "Firewall: Drop Forward "

##################
#Nat - PreRouting
##################
#Transparent proxy
#iptables -t nat -A PREROUTING -p tcp --dport 80 -i $iflocalnet -s $localnet -j REDIRECT --to-port 3128
##################
#Nat - PostRouting
##################
iptables -t nat -A POSTROUTING -o $ifwan -j MASQUERADE

#Misc.
#There is no need to put this here
#Debian has a file "/etc/sysctl.conf" that contains this and other settings
#Just uncomment the line in that file; it is good to enable
#rp_filter
#tcp_syn_cookies
#Edit the file, uncommenting the settings you want, then run "sysctl -p" to apply them
echo 1 > /proc/sys/net/ipv4/ip_forward

}
stop (){
#Set permissive defaults
#Policy
iptables -P INPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -P OUTPUT ACCEPT
#Clean
iptables -F
iptables -X
iptables -t nat -F
iptables -t nat -X
iptables -t mangle -F
iptables -t mangle -X
#Masquerading
iptables -t nat -A POSTROUTING -j MASQUERADE

}
case $1 in
start) start;;
stop) stop;;
restart) stop;start;;
*) echo "Use";;
esac


When you use insert (I) instead of append (A), what comes later is placed first.
That is why it sits after the site blocking in the script, but in the iptables queue it is checked first.



Hello LSSilva, once again thank you for the reply and for your attention in solving this problem.

I had to put the line iptables -I FORWARD -j LOG at the beginning of the script because when I ran the command tail -f /var/log/messages, sometimes it was listing the traffic and sometimes it was not, I don't know why. When I did this, it kept showing the traffic continuously without stopping. The script ended up like this:

#!/bin/bash

#vars
iflocalnet="eth1"
localnet="192.168.8.0/24"
ifwan="eth0"

start (){
#Set permissive defaults
#Policy
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
#Clean
iptables -F
iptables -X
iptables -t nat -F
iptables -t nat -X
iptables -t mangle -F
iptables -t mangle -X

iptables -I FORWARD -j LOG

##############
#Filter(INPUT)
##############
#Invalid
iptables -A INPUT -m state --state INVALID -j LOG --log-prefix "Firewall: Invalid Input "
iptables -A INPUT -m state --state INVALID -j DROP
#Valid
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

#Services-Accept (TCP / LAN)
for port in $(cat /etc/firewall/rules/allow-ports-input-tcp-lan | grep -v "#")
do
iptables -A INPUT -p tcp -i $iflocalnet --dport $port -s $localnet -m state --state NEW --syn -j ACCEPT
done

#Services-Accept (UDP / LAN)
for port in $(cat /etc/firewall/rules/allow-ports-input-udp-lan | grep -v "#")
do
iptables -A INPUT -p udp -i $iflocalnet --dport $port -s $localnet -m state --state NEW -j ACCEPT
done

#Services-Accept (TCP / WAN)
for port in $(cat /etc/firewall/rules/allow-ports-input-tcp-wan | grep -v "#")
do
iptables -A INPUT -p tcp -i $ifwan --dport $port -m state --state NEW --syn -j ACCEPT
done

#Services-Accept (UDP / WAN)
for port in $(cat /etc/firewall/rules/allow-ports-input-udp-wan | grep -v "#")
do
iptables -A INPUT -p udp -i $ifwan --dport $port -m state --state NEW -j ACCEPT
done

#Services-Accept (ICMP)
iptables -A INPUT -p icmp --icmp-type echo-request -s $localnet -j ACCEPT


#Loopback
iptables -A INPUT -i lo -j ACCEPT

#Default LOG
iptables -A INPUT ! -i lo -j LOG --log-prefix "Firewall: Drop Input "

###############
#Filter(OUTPUT)
###############
iptables -A OUTPUT -m state --state INVALID -j LOG --log-prefix "Firewall: Invalid Output "
iptables -A OUTPUT -m state --state INVALID -j DROP

################
#Filter(FORWARD)
################
#Invalid
iptables -A FORWARD -m state --state INVALID -j LOG --log-prefix "Firewall: Invalid Forward "
iptables -A FORWARD -m state --state INVALID -j DROP
#Valid
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

#Blocked Sites
for site in $(cat /etc/firewall/rules/blocked-sites | grep -v "#")
do
iptables -I FORWARD -p tcp -m multiport --dports 80,443 -s $localnet -i $iflocalnet -m string --algo bm --string $site -j DROP
done

####
#Log
####
#iptables -A FORWARD -s 192.168.8.0/24 -j LOG

#############################
#Block the Browsec IPs
#############################
for i in $(cat /etc/firewall/ips-vpn);
do
iptables -I FORWARD -s $localnet -d $i -j DROP
done

#Give specific IPs on the network full access
for ip in $(cat /etc/firewall/rules/allow-ips | grep -v "#")
do
iptables -I FORWARD -i $iflocalnet -s $ip -j ACCEPT
done

#Anti-Spoof Rule
iptables -A FORWARD -i $iflocalnet ! -s $localnet -j LOG --log-prefix "Firewall: Spoofed Packet "
iptables -A FORWARD -i $iflocalnet ! -s $localnet -j DROP

#Services-Accept (TCP)
for port in $(cat /etc/firewall/rules/allow-ports-forward-tcp | grep -v "#")
do
iptables -A FORWARD -p tcp -i $iflocalnet --dport $port -s $localnet -m state --state NEW --syn -j ACCEPT
done

#Services-Accept (UDP)
for port in $(cat /etc/firewall/rules/allow-ports-forward-udp | grep -v "#")
do
iptables -A FORWARD -p udp -i $iflocalnet --dport $port -s $localnet -m state --state NEW -j ACCEPT
done

#Services-Accept (ICMP)
iptables -A FORWARD -p icmp --icmp-type echo-request -s $localnet -i $iflocalnet -j ACCEPT

#Default LOG
iptables -A FORWARD ! -i lo -j LOG --log-prefix "Firewall: Drop Forward "

##################
#Nat - PreRouting
##################
#Transparent proxy
#iptables -t nat -A PREROUTING -p tcp --dport 80 -i $iflocalnet -s $localnet -j REDIRECT --to-port 3128
##################
#Nat - PostRouting
##################
iptables -t nat -A POSTROUTING -o $ifwan -j MASQUERADE

#Misc.
#There is no need to put this here
#Debian has a file "/etc/sysctl.conf" that contains this and other settings
#Just uncomment the line in that file; it is good to enable
#rp_filter
#tcp_syn_cookies
#Edit the file, uncommenting the settings you want, then run "sysctl -p" to apply them
echo 1 > /proc/sys/net/ipv4/ip_forward

}
stop (){
#Set permissive defaults
#Policy
iptables -P INPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -P OUTPUT ACCEPT
#Clean
iptables -F
iptables -X
iptables -t nat -F
iptables -t nat -X
iptables -t mangle -F
iptables -t mangle -X
#Masquerading
iptables -t nat -A POSTROUTING -j MASQUERADE

}
case $1 in
start) start;;
stop) stop;;
restart) stop;start;;
*) echo "Use";;
esac

Thank you for your help and attention.

Please, I ask the moderator to mark this as solved; I could not find where to mark it. Thank you.
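
The detection step of the cycle discussed in this thread (watch the LOG output, find the address, add it to /etc/firewall/ips-vpn), as an added example that is not part of the original posts: it reads kernel lines written by the LOG target and lists the destinations contacted from the LAN side that are not yet in the block list. The function name `new_destinations` and the sample log lines are constructed for the illustration; the interface names and 162.243.246.160 come from the thread.

```sh
#!/bin/sh
# Constructed sample of kernel lines in the format written by the LOG target
# (MAC= and some header fields trimmed for width).
SAMPLE_LOG='Oct 11 17:02:11 fw kernel: IN=eth1 OUT=eth0 SRC=192.168.8.23 DST=162.243.246.160 LEN=60 TTL=63 PROTO=TCP SPT=51544 DPT=443 SYN
Oct 11 17:02:12 fw kernel: IN=eth1 OUT=eth0 SRC=192.168.8.23 DST=198.51.100.7 LEN=60 TTL=63 PROTO=TCP SPT=51550 DPT=443 SYN
Oct 11 17:02:12 fw kernel: IN=eth0 OUT=eth1 SRC=198.51.100.7 DST=192.168.8.23 LEN=60 TTL=52 PROTO=TCP SPT=443 DPT=51550 ACK SYN
Oct 11 17:02:15 fw kernel: IN=eth1 OUT=eth0 SRC=192.168.8.23 DST=198.51.100.7 LEN=60 TTL=63 PROTO=TCP SPT=51552 DPT=443 SYN
Oct 11 17:02:19 fw kernel: IN=eth1 OUT=eth0 SRC=192.168.8.40 DST=203.0.113.9 LEN=60 TTL=63 PROTO=TCP SPT=40112 DPT=80 SYN
Oct 11 17:02:20 fw kernel: Firewall: Drop Input IN=eth0 OUT= SRC=203.0.113.50 DST=192.0.2.1 LEN=40 TTL=240 PROTO=TCP SPT=4431 DPT=23 SYN'

# new_destinations LOGTEXT BLOCKLIST [LAN_IF] [WAN_IF]
# Prints "count destination" for every destination reached from the LAN
# interface towards the WAN interface that is not already in BLOCKLIST
# (whitespace- or newline-separated addresses), most frequent first.
new_destinations() {
    blocked=$(printf '%s' "$2" | tr '\n' ' ')
    printf '%s\n' "$1" |
    awk -v blocked="$blocked" -v lan="${3:-eth1}" -v wan="${4:-eth0}" '
        BEGIN {
            n = split(blocked, b, " ")
            for (i = 1; i <= n; i++) known[b[i]] = 1
        }
        {
            in_if = ""; out_if = ""; dst = ""
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^IN=/)  in_if  = substr($i, 4)
                if ($i ~ /^OUT=/) out_if = substr($i, 5)
                if ($i ~ /^DST=/) dst    = substr($i, 5)
            }
            # Keep only LAN-to-WAN packets; replies and INPUT drops are skipped.
            if (in_if == lan && out_if == wan && dst != "" && !(dst in known))
                hits[dst]++
        }
        END { for (d in hits) print hits[d], d }
    ' | sort -k1,1nr -k2,2
}

# Block list as it stands after the first round of the cycle.
new_destinations "$SAMPLE_LOG" "162.243.246.160"
```

On the firewall the two arguments would be the relevant lines of /var/log/messages and the contents of /etc/firewall/ips-vpn. The output lists every unblocked destination, ordinary sites included, so each candidate has to be reviewed before it is added to the block list.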


29. Re: Block everything and allow only Brazilian IPs [SOLVED]

Leandro Silva
LSSilva

(uses Other)

Posted on 11/10/2018 - 19:10h

Perfect! Thanks for the feedback, I'm glad to help.


