Bloqueio de https

1. Bloqueio de https

eduardocotac
(usa Ubuntu)

Enviado em 22/07/2011 - 12:04h

Bom dia pessoal, tenho proxy autenticado e não esta bloqueando as paginas em https, exemplo https://www.facebook.com, se logar bloqueia, mas se o usuario cancelar o login de digitar qq end. com https no browser acessa de boa, como bloqueio via ipatbles pois as regras q coloquei no meu script de firewall não bloqueia aporta 443 e a saida seja so por iptables.

segue o script, se alguem poder me dar uma dica, eu agradeço

#!/bin/sh

# Vari<E1>veis
# -------------------------------------------------------
iptables=/sbin/iptables
IF_EXTERNA=eth0
IF_INTERNA=eth1

# Ativa m<F3>dulos
# -------------------------------------------------------
/sbin/modprobe iptable_nat
/sbin/modprobe ip_conntrack
/sbin/modprobe ip_conntrack_ftp
/sbin/modprobe ip_nat_ftp
/sbin/modprobe ipt_LOG
/sbin/modprobe ipt_REJECT
/sbin/modprobe ipt_MASQUERADE

# Ativa roteamento no kernel
# -------------------------------------------------------
echo "1" > /proc/sys/net/ipv4/ip_forward

# Prote<E7><E3>o contra IP spoofing
# -------------------------------------------------------
echo "1" > /proc/sys/net/ipv4/conf/all/rp_filter

# Zera regras
# -------------------------------------------------------
$iptables -F
$iptables -X
$iptables -F -t nat
$iptables -X -t nat
$iptables -F -t mangle
$iptables -X -t mangle

# Determina a pol<ED>tica padr<E3>o
# -------------------------------------------------------
$iptables -P INPUT DROP
$iptables -P OUTPUT DROP
$iptables -P FORWARD DROP

#################################################
# Tabela FILTER
#################################################

# Dropa pacotes TCP indesej<E1>veis
# -------------------------------------------------------
$iptables -A FORWARD -p tcp ! --syn -m state --state NEW -j LOG --log-level 6 --log-prefix "FIRE: NEW sem syn: "
$iptables -A FORWARD -p tcp ! --syn -m state --state NEW -j DROP

# Dropa pacotes mal formados
# -------------------------------------------------------
$iptables -A INPUT -i $IF_EXTERNA -m unclean -j LOG --log-level 6 --log-prefix "FIRE: pacote mal formado: "
$iptables -A INPUT -i $IF_EXTERNA -m unclean -j DROP

# Aceita os pacotes que realmente devem entrar
# -------------------------------------------------------
$iptables -A INPUT -i ! $IF_EXTERNA -j ACCEPT
$iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
$iptables -A OUTPUT -m state --state ESTABLISHED,RELATED,NEW -j ACCEPT
$iptables -A FORWARD -m state --state ESTABLISHED,RELATED,NEW -j ACCEPT

# Prote<E7><E3>o contra trinoo
# -------------------------------------------------------
$iptables -N TRINOO
$iptables -A TRINOO -m limit --limit 15/m -j LOG --log-level 6 --log-prefix "FIRE: trinoo: "
$iptables -A TRINOO -j DROP
$iptables -A INPUT -p TCP -i $IF_EXTERNA --dport 27444 -j TRINOO
$iptables -A INPUT -p TCP -i $IF_EXTERNA --dport 27665 -j TRINOO
$iptables -A INPUT -p TCP -i $IF_EXTERNA --dport 31335 -j TRINOO
$iptables -A INPUT -p TCP -i $IF_EXTERNA --dport 34555 -j TRINOO
$iptables -A INPUT -p TCP -i $IF_EXTERNA --dport 35555 -j TRINOO

# Prote<E7><E3>o contra tronjans
# -------------------------------------------------------
$iptables -N TROJAN
$iptables -A TROJAN -m limit --limit 15/m -j LOG --log-level 6 --log-prefix "FIRE: trojan: "
$iptables -A TROJAN -j DROP
$iptables -A INPUT -p TCP -i $IF_EXTERNA --dport 666 -j TROJAN
$iptables -A INPUT -p TCP -i $IF_EXTERNA --dport 666 -j TROJAN
$iptables -A INPUT -p TCP -i $IF_EXTERNA --dport 4000 -j TROJAN
$iptables -A INPUT -p TCP -i $IF_EXTERNA --dport 6000 -j TROJAN
$iptables -A INPUT -p TCP -i $IF_EXTERNA --dport 6006 -j TROJAN
$iptables -A INPUT -p TCP -i $IF_EXTERNA --dport 16660 -j TROJAN

# Prote<E7><E3>o contra worms
# -------------------------------------------------------
$iptables -A FORWARD -p tcp --dport 135 -i $IF_INTERNA -j REJECT

# Prote<E7><E3>o contra syn-flood
# -------------------------------------------------------
$iptables -A FORWARD -p tcp --syn -m limit --limit 2/s -j ACCEPT

# Prote<E7><E3>o contra ping da morte
# -------------------------------------------------------
$iptables -A FORWARD -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT

# Prote<E7><E3>o contra port scanners
# -------------------------------------------------------
$iptables -N SCANNER
$iptables -A SCANNER -m limit --limit 15/m -j LOG --log-level 6 --log-prefix "FIRE: port scanner: "
$iptables -A SCANNER -j DROP
$iptables -A FORWARD -s 10.2.114.50 -d 10.2.114.2 -j ACCEPT
$iptables -A INPUT -p tcp --tcp-flags ALL FIN,URG,PSH -i $IF_EXTERNA -j SCANNER
$iptables -A INPUT -p tcp --tcp-flags ALL NONE -i $IF_EXTERNA -j SCANNER
$iptables -A INPUT -p tcp --tcp-flags ALL ALL -i $IF_EXTERNA -j SCANNER
$iptables -A INPUT -p tcp --tcp-flags ALL FIN,SYN -i $IF_EXTERNA -j SCANNER
$iptables -A INPUT -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -i $IF_EXTERNA -j SCANNER
$iptables -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -i $IF_EXTERNA -j SCANNER
$iptables -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -i $IF_EXTERNA -j SCANNER

# Loga tentativa de acesso a determinadas portas
# -------------------------------------------------------
$iptables -A INPUT -p tcp --dport 21 -i $IF_EXTERNA -j LOG --log-level 6 --log-prefix "FIRE: ftp: "
$iptables -A INPUT -p tcp --dport 23 -i $IF_EXTERNA -j LOG --log-level 6 --log-prefix "FIRE: telnet: "
$iptables -A INPUT -p tcp --dport 25 -i $IF_EXTERNA -j LOG --log-level 6 --log-prefix "FIRE: smtp: "
$iptables -A INPUT -p tcp --dport 80 -i $IF_EXTERNA -j LOG --log-level 6 --log-prefix "FIRE: http: "
$iptables -A INPUT -p tcp --dport 110 -i $IF_EXTERNA -j LOG --log-level 6 --log-prefix "FIRE: pop3: "
$iptables -A INPUT -p udp --dport 111 -i $IF_EXTERNA -j LOG --log-level 6 --log-prefix "FIRE: rpc: "
$iptables -A INPUT -p tcp --dport 113 -i $IF_EXTERNA -j LOG --log-level 6 --log-prefix "FIRE: identd: "
$iptables -A INPUT -p tcp --dport 137:139 -i $IF_EXTERNA -j LOG --log-level 6 --log-prefix "FIRE: samba: "
$iptables -A INPUT -p udp --dport 137:139 -i $IF_EXTERNA -j LOG --log-level 6 --log-prefix "FIRE: samba: "
$iptables -A INPUT -p tcp --dport 161:162 -i $IF_EXTERNA -j LOG --log-level 6 --log-prefix "FIRE: snmp: "
$iptables -A INPUT -p tcp --dport 6667:6668 -i $IF_EXTERNA -j LOG --log-level 6 --log-prefix "FIRE: irc: "
$iptables -A INPUT -p tcp --dport 5005 -i $IF_EXTERNA -j LOG --log-level 6 --log-prefix "FIRE: squid: "
$iptables -A INPUT -p tcp --dport 443 -i $IF_INTERNA -j LOG --log-level 6 --log-prefix "FIRE: https: "

#$iptables -t nat -A PREROUTING -s 10.2.114.2 -d 10.2.111.150 -j ACCEPT

$iptables -t nat -A PREROUTING -s 10.2.114.50 -j ACCEPT

# VPN
$iptables -t filter -A INPUT -i eth1 -p udp --dport 1194 -j ACCEPT
$iptables -t filter -A INPUT -i eth1 -p udp --dport 5001 -j ACCEPT
$iptables -t filter -A INPUT -i eth1 -p udp --dport 5002 -j ACCEPT

# libera trafego no tunel
$iptables -t filter -A FORWARD -i tun2 -j ACCEPT
$iptables -t filter -A INPUT -i tun2 -j ACCEPT

$iptables -t nat -A PREROUTING -s 10.2.114.90 -d 200.201.174.0/24 -j ACCEPT

# Otimiza acesso das paginas no tunel
$iptables -t nat -A PREROUTING -s 192.168.10.0/24 -d 10.2.111.1 -j ACCEPT
$iptables -t nat -A PREROUTING -s $10.2.111.201 -j ACCEPT
$iptables -t nat -A PREROUTING -s 10.2.114.0/24 -d 10.2.111.201 -j ACCEPT

#################################################
# Tabela NAT
#################################################

# Ativa mascaramento de sa<ED>da
# -------------------------------------------------------
$iptables -A POSTROUTING -t nat -o $IF_EXTERNA -j MASQUERADE

#### Acesso porto seguros #####
$iptables -t nat -I PREROUTING -p tcp -d 200.196.0.0/24 -j ACCEPT
$iptables -t nat -I PREROUTING -p tcp -d 200.168.0.0/24 -j ACCEPT
$iptables -I FORWARD -p tcp -d 200.196.0.0/24 -j ACCEPT
$iptables -I FORWARD -p tcp -d 200.168.0.0/24 -j ACCEPT
$iptables -t nat -A PREROUTING -s 10.2.114.50 -j ACCEPT

# Acesso ao Conectividade Social e SEFIP (host - cmt.caixa.gov.br):
$iptables -t nat -I PREROUTING -p tcp -d 200.201.0.0/16 -j ACCEPT
$iptables -t nat -I PREROUTING -p tcp -d 200.223.0.0 -j ACCEPT
$iptables -I FORWARD -p tcp -d 200.201.0.0/16 -j ACCEPT
$iptables -I FORWARD -p tcp -d 200.223.0.0 -j ACCEPT
$iptables -A FORWARD -s 10.2.114.90 -d 200.201.0.0/24 -j ACCEPT

# Acesso ao Acesso Digital:
$iptables -t nat -I PREROUTING -p tcp -d 200.185.36.0/16 -j ACCEPT
$iptables -t nat -I PREROUTING -p tcp -d 200.185.36.0 -j ACCEPT
$iptables -I FORWARD -p tcp -d 200.185.36.0/16 -j ACCEPT
$iptables -I FORWARD -p tcp -d 200.185.36.0 -j ACCEPT
$iptables -A FORWARD -s 10.2.114.47 -d 200.185.36.0/24 -j ACCEPT

# Acesso ao Acesso SETI:
$iptables -t nat -I PREROUTING -p tcp -d 192.168.10.0/16 -j ACCEPT
$iptables -t nat -I PREROUTING -p tcp -d 192.168.10.0 -j ACCEPT
$iptables -I FORWARD -p tcp -d 192.168.10.0/16 -j ACCEPT
$iptables -I FORWARD -p tcp -d 192.168.10.0 -j ACCEPT
$iptables -A FORWARD -s 10.2.114.0/24 -d 192.168.10.0/24 -j ACCEPT

#$iptables -t nat -A PREROUTING -s seti.br.gm.com -j ACCEPT
$iptables -t nat -A PREROUTING -s 10.2.114.0/24 -d 192.168.10.84 -j ACCEPT

# Porto seguros
$iptables -I FORWARD -p tcp --dport 6000 -d 200.196.232.130 -j ACCEPT
$iptables -I FORWARD -p udp --dport 6000 -d 200.196.232.130 -j ACCEPT
$iptables -I FORWARD -p tcp --dport 6000 -d 200.168.247.66 -j ACCEPT
$iptables -I FORAWRD -p udp --dport 6000 -d 200.168.247.66 -j ACCEPT

$iptables -I FORWARD -p tcp --dport 220 -d 200.196.232.130 -j ACCEPT
$iptables -I FORWARD -p udp --dport 220 -d 200.196.232.130 -j ACCEPT
$iptables -I FORWARD -p tcp --dport 220 -d 200.168.247.66 -j ACCEPT
$iptables -I FORWARD -p udp --dport 220 -d 200.168.247.66 -j ACCEPT

## Roteamento das Paginas do seti
$iptables -t nat -A PREROUTING -s 10.2.114.0/24 -d 192.168.2.0/24 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 80
$iptables -I FORWARD -s 192.168.10.0 -p tcp --dport 80 -j ACCEPT

# Proxy
$iptables -t nat -A PREROUTING -i $IF_INTERNA -p tcp --dport 80 -j REDIRECT --to-port 5005
$iptables -t nat -A PREROUTING -i $IF_INTERNA -p tcp --dport 8080 -j REDIRECT --to-port 5005

# ip com acesso livre

$iptables -t nat -A PREROUTING -s 10.2.114.92 -j ACCEPT
#$iptables -t nat -A PREROUTING -s 10.2.114.47 -j ACCEPT

######
## Bloqueia a porta segura e redirecina para o PROXY
$iptables -t filter -A FORWARD -p tcp --dport 443 -j DROP
$iptables -A FORWARD -i eth1 -p tcp --dport 443 -j DROP

# Redireciona portas na pr<F3>pria m<E1>quina
# -------------------------------------------------------

$iptables -A FORWARD -p tcp --sport 25 -j ACCEPT
$iptables -A FORWARD -p tcp --dport 25 -j ACCEPT
$iptables -A FORWARD -p tcp --dport 110 -j ACCEPT
$iptables -A FORWARD -p tcp --dport 587 -j ACCEPT
$iptables -A FORAWRD -p tcp --sport 587 -j ACCEPT

# redirecionamento
#$iptables -t nat -A PREROUTING -s 10.2.114.0/24 -d 192.168.10.0/24 -j DNAT --to 10.2.111.150

0 0

Quote