Deny all and allow only some MACs

1. Deny all and allow only some MACs

Márcio
mr_marcinho

(uses Ubuntu)

Posted 29/10/2008 - 10:16h

Good morning everyone, I would like to improve my firewall a bit more by making it deny all outbound access and then allow only the MAC addresses I define. Here is my firewall:

#! /bin/bash

# Load the iptables modules
modprobe ip_tables
modprobe iptable_nat

# Flush the previous rules
iptables -F
iptables -t nat -F



# Blocking by IP
#iptables -A FORWARD -s 172.16.2.10/32 -j DROP
#iptables -A INPUT -s 172.16.2.10/32 -j DROP

#iptables -A FORWARD -s 172.16.2.23/32 -j DROP
#iptables -A INPUT -s 172.16.2.23/32 -j DROP

# NAT for the LAN going out through the PPP uplink
iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE


# Redirect port 80 to 3128 for the Squid transparent proxy
iptables -t nat -A PREROUTING -i eth3 -p tcp --dport 80 -j REDIRECT --to-ports 3128


echo 1 > /proc/sys/net/ipv4/ip_forward

# Accept packets to ports 80, 222 and 2222 - Web and SSH
iptables -A INPUT -p tcp --destination-port 2222 -j ACCEPT
iptables -A INPUT -p tcp --destination-port 80 -j ACCEPT
iptables -A INPUT -p tcp --destination-port 222 -j ACCEPT

# Port 5000 (TCP and UDP), in and out
iptables -A INPUT -p tcp --destination-port 5000 -j ACCEPT
iptables -A INPUT -p udp --destination-port 5000 -j ACCEPT
iptables -A OUTPUT -p tcp --destination-port 5000 -j ACCEPT
iptables -A OUTPUT -p udp --destination-port 5000 -j ACCEPT


# VNC ports (forwarded to internal hosts via DNAT below)
iptables -A INPUT -p tcp --destination-port 5900 -j ACCEPT
iptables -A INPUT -p tcp --destination-port 5901 -j ACCEPT
iptables -A INPUT -p tcp --destination-port 5903 -j ACCEPT
iptables -A INPUT -p tcp --destination-port 5905 -j ACCEPT
iptables -A INPUT -p tcp --destination-port 5500 -j ACCEPT
iptables -A INPUT -p udp --destination-port 5500 -j ACCEPT

# eMule ports
iptables -A INPUT -p tcp --destination-port 37538 -j ACCEPT
iptables -A INPUT -p udp --destination-port 14651 -j ACCEPT

# BitTorrent ports
iptables -A INPUT -p tcp --destination-port 29208 -j ACCEPT
iptables -A INPUT -p udp --destination-port 29208 -j ACCEPT

# Gledinei's port forwards
#iptables -A INPUT -p udp --destination-port 27015 -j ACCEPT


# New TCP connections to this host: from the LAN, and from anywhere on ppp0
iptables -A INPUT -p tcp --syn -s 172.16.2.0/255.255.255.0 -j ACCEPT
iptables -A INPUT -p tcp --syn -i ppp0 -j ACCEPT


# VNC
iptables -A PREROUTING -t nat -p tcp --dport 5901 -j DNAT --to 172.16.2.1:5900

iptables -A PREROUTING -t nat -p tcp --dport 5903 -j DNAT --to 172.16.2.3:5900

iptables -A PREROUTING -t nat -p tcp --dport 5905 -j DNAT --to 172.16.2.5:5900

iptables -A PREROUTING -t nat -p tcp --dport 5500 -j DNAT --to 172.16.2.1:5500
iptables -A PREROUTING -t nat -p udp --dport 5500 -j DNAT --to 172.16.2.1:5500

# eMule
iptables -A PREROUTING -t nat -p tcp --dport 37538 -j DNAT --to 172.16.2.1:37538
iptables -A PREROUTING -t nat -p udp --dport 14651 -j DNAT --to 172.16.2.1:14651


# BitTorrent
iptables -A PREROUTING -t nat -p tcp --dport 29208 -j DNAT --to 172.16.2.1:29208
iptables -A PREROUTING -t nat -p udp --dport 29208 -j DNAT --to 172.16.2.1:29208

# Protection against ping of death (rate-limited echo requests)
iptables -A FORWARD -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT

# Protection against SYN floods (note: accepts forwarded TCP from any source at 1/s)
iptables -A FORWARD -p tcp -m limit --limit 1/s -j ACCEPT

# Return traffic for connections already accepted
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

# Protection against port scanners
iptables -A FORWARD -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit 1/s -j ACCEPT
iptables -A FORWARD --protocol tcp --tcp-flags ALL SYN,ACK -j DROP
#iptables -A FORWARD -m unclean -j DROP

# Drop any other new TCP connection to this host
iptables -A INPUT -p tcp --syn -j DROP

# Blocking by IP
#iptables -A FORWARD -s 172.16.2.10/32 -j DROP
#iptables -A INPUT -s 172.16.2.10/32 -j DROP

# Blocking by MAC address
iptables -A INPUT -m mac --mac-source 00:14:A4:31:A2:85 -j DROP
iptables -A FORWARD -m mac --mac-source 00:14:A4:31:A2:85 -j DROP

iptables -A INPUT -m mac --mac-source 00:03:0D:9E:A3:AE -j DROP
iptables -A FORWARD -m mac --mac-source 00:03:0D:9E:A3:AE -j DROP

# IPs bound to MAC addresses: drop packets whose source IP arrives from the wrong MAC
#iptables -A FORWARD -s 172.16.2.1 -m mac ! --mac-source 00:0E:A6:70:6B:F2 -j DROP
iptables -A FORWARD -s 172.16.2.2 -m mac ! --mac-source 00:19:7D:5F:95:13 -j DROP
iptables -A FORWARD -s 172.16.2.3 -m mac ! --mac-source 00:19:7E:84:7A:8A -j DROP
iptables -A FORWARD -s 172.16.2.4 -m mac ! --mac-source 00:18:E7:2C:D3:27 -j DROP
iptables -A FORWARD -s 172.16.2.5 -m mac ! --mac-source 00:0C:43:84:5D:B3 -j DROP
iptables -A FORWARD -s 172.16.2.6 -m mac ! --mac-source 00:06:4F:6B:B5:97 -j DROP
iptables -A FORWARD -s 172.16.2.8 -m mac ! --mac-source 00:06:4F:6B:A7:45 -j DROP
iptables -A FORWARD -s 172.16.2.9 -m mac ! --mac-source 00:1F:1F:12:56:B8 -j DROP
iptables -A FORWARD -s 172.16.2.10 -m mac ! --mac-source 00:1F:1F:11:BC:9E -j DROP
iptables -A FORWARD -s 172.16.2.11 -m mac ! --mac-source 00:1F:1F:12:56:B8 -j DROP
iptables -A FORWARD -s 172.16.2.21 -m mac ! --mac-source 00:14:2A:B3:B9:46 -j DROP
iptables -A FORWARD -s 172.16.2.22 -m mac ! --mac-source 00:16:44:B8:95:11 -j DROP
iptables -A FORWARD -s 172.16.2.23 -m mac ! --mac-source 00:1D:E0:24:AD:0D -j DROP
iptables -A FORWARD -s 172.16.2.31 -m mac ! --mac-source 00:1C:F0:A4:F7:C5 -j DROP
iptables -A FORWARD -s 172.16.2.32 -m mac ! --mac-source 00:1D:7D:79:80:A0 -j DROP
iptables -A FORWARD -s 172.16.2.41 -m mac ! --mac-source 00:18:E7:0A:14:9B -j DROP
iptables -A FORWARD -s 172.16.2.42 -m mac ! --mac-source 00:16:44:B1:70:00 -j DROP
iptables -A FORWARD -s 172.16.2.51 -m mac ! --mac-source 00:40:F4:F3:C9:61 -j DROP
iptables -A FORWARD -s 172.16.2.52 -m mac ! --mac-source 00:1D:7D:38:72:DC -j DROP

As you can see at the end, it also checks whether the MAC matches the IP, so I would like to deny everything, allow a few MACs, and then check that the MAC matches the IP....



Thanks, folks.

Márcio Braga.
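One way to build the "deny everything, then allow only listed MACs, then check the MAC matches the IP" FORWARD chain, as an added example that is not code from the original post or from any reply. It assumes the LAN on eth3 and the uplink on ppp0, as in the posted script, and uses three IP/MAC pairs from the posted binding list plus one deliberately malformed entry as constructed sample data; the function and variable names are hypothetical. With a default policy of DROP the two requirements collapse into a single ACCEPT rule per host that matches both `-s IP` and `--mac-source MAC`, so the per-host `! --mac-source ... -j DROP` rules become unnecessary. Two caveats a practitioner would want: the `mac` match only sees the source MAC of frames that arrive on the LAN segment (it is usable in PREROUTING, INPUT and FORWARD), so every rule is tied to `-i eth3`; and a MAC is trivially changed on the client, so this keeps casual users off the uplink but does not stop someone who clones a listed MAC. Note also that in the posted script the rate-limited ACCEPT rules under the ping-of-death and SYN-flood protections sit above the MAC rules and match forwarded traffic from any source, so with a default DROP they would still let an unlisted host through unless they are moved below the per-host rules or restricted to listed sources. Set `IPT=echo` or run with no arguments to review the rules without applying them.

```shell
#!/bin/bash
# Added example: default-deny FORWARD chain with a combined IP+MAC allow-list.
# Assumptions (not from the original post): LAN on eth3, uplink on ppp0,
# allow-list in "IP MAC" form. Nothing is applied unless run with "apply".

IPT="${IPT:-iptables}"
LAN_IF="${LAN_IF:-eth3}"
WAN_IF="${WAN_IF:-ppp0}"

# Constructed allow-list: three pairs from the posted binding list and one
# deliberately malformed MAC (172.16.2.9) to show that bad entries are skipped.
ALLOWED_HOSTS='
172.16.2.2 00:19:7D:5F:95:13
172.16.2.3 00:19:7E:84:7A:8A
172.16.2.5 00:0C:43:84:5D:B3
172.16.2.9 00:1F:1F:12:56:B
'

# Returns 0 when $1 is six colon-separated hex bytes; a typo here would
# otherwise become a rule that silently never matches.
valid_mac() {
  printf '%s' "$1" | grep -Eqi '^([0-9a-f]{2}:){5}[0-9a-f]{2}$'
}

# Prints the rule set, one command per line, so it can be reviewed or piped to sh.
gen_forward_rules() {
  # 1. Clean slate for FORWARD, then deny anything not explicitly allowed.
  echo "$IPT -F FORWARD"
  echo "$IPT -P FORWARD DROP"

  # 2. Replies for connections that were already accepted.
  echo "$IPT -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"

  # 3. One rule per host: a new connection from the LAN toward the uplink is
  #    accepted only when the source IP and the source MAC both match.
  #    The mac match inspects the frame that arrived on $LAN_IF, hence -i.
  printf '%s\n' "$ALLOWED_HOSTS" | while read -r ip mac _; do
    [ -z "$ip" ] && continue
    if ! valid_mac "$mac"; then
      echo "# skipped $ip: malformed MAC '$mac'" >&2
      continue
    fi
    echo "$IPT -A FORWARD -i $LAN_IF -o $WAN_IF -s $ip -m mac --mac-source $mac -m conntrack --ctstate NEW -j ACCEPT"
  done

  # 4. Log (rate-limited) what falls through to the DROP policy, so an
  #    unlisted or mismatched host shows up in the kernel log by IP and MAC.
  echo "$IPT -A FORWARD -i $LAN_IF -m limit --limit 5/min -j LOG --log-prefix 'FWD-DENY: '"
}

case "${1:-show}" in
  apply) gen_forward_rules | sh ;;   # actually load the rules (needs root)
  show)  gen_forward_rules ;;        # dry run: print the rules
esac
```

Hosts in the list get exactly one ACCEPT; any host not listed, or listed but arriving from a different MAC, hits neither rule and is dropped by the chain policy, which is the same effect as the posted per-host DROP rules without needing to maintain them separately.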