LinuxQuestions.org
10-15-2004, 01:56 PM   #1
gigli
LQ Newbie
Registered: Oct 2004
Location: Atibaia/SP, Brazil
Distribution: RedHat/Fedora Core 2
Posts: 4
MAC w/ IP locked (but msn still...)


Guys...

I'm using the fw script below.
The IP is assigned by dhcpd with the MAC address locked, and I created a rule (with a lot of help) to lock an IP to a MAC address.

It's running OK: if I try to change my IP to a wrong IP, my access to server files, browsing, etc. is all blocked.

BUT! MSN still runs, and if I configure my browser to use an external proxy address, I can browse the web.

Can someone help me with this?


Code:
#!/bin/sh

# Variables
# -------------------------------------------------------
iptables=/sbin/iptables
CYBERFW=/usr/local/bin/cyber.fw
IF_EXTERNA=eth0
IF_INTERNA=eth1
MACLIST=/etc/maclist

# Enable routing in the kernel
# -------------------------------------------------------
echo "1" > /proc/sys/net/ipv4/ip_forward

# Protection against IP spoofing
# -------------------------------------------------------
echo "1" > /proc/sys/net/ipv4/conf/all/rp_filter

# Load modules
# -------------------------------------------------------
/sbin/modprobe iptable_nat
/sbin/modprobe ip_conntrack
/sbin/modprobe ip_conntrack_ftp
/sbin/modprobe ip_nat_ftp
/sbin/modprobe ipt_LOG
/sbin/modprobe ipt_REJECT
/sbin/modprobe ipt_MASQUERADE

# Flush all rules
# -------------------------------------------------------
$iptables -F
$iptables -X
$iptables -F -t nat
$iptables -X -t nat
$iptables -F -t mangle
$iptables -X -t mangle


# Set the default policy
# -------------------------------------------------------
$iptables -P INPUT DROP
$iptables -P OUTPUT DROP
$iptables -P FORWARD DROP

# $MACLIST holds one host per line in the form  status;MAC;IP
for i in `cat $MACLIST`; do
  STATUS=`echo $i | cut -d ';' -f 1`
  IPSOURCE=`echo $i | cut -d ';' -f 3`
  MACSOURCE=`echo $i | cut -d ';' -f 2`
  # If status = a then allow the connection
  if [ "$STATUS" = "a" ]; then
    $iptables -t filter -A FORWARD -d 0/0 -s $IPSOURCE -m mac --mac-source $MACSOURCE -j ACCEPT
    $iptables -t filter -A FORWARD -d $IPSOURCE -s 0/0 -j ACCEPT
    $iptables -t nat -A POSTROUTING -s $IPSOURCE -o $IF_EXTERNA -j MASQUERADE
    $iptables -t filter -A INPUT -s $IPSOURCE -d 0/0 -m mac --mac-source $MACSOURCE -j ACCEPT
    $iptables -t filter -A OUTPUT -s $IPSOURCE -d 0/0 -j ACCEPT

  # If status = b then block the MAC
  else
    $iptables -t filter -A FORWARD -m mac --mac-source $MACSOURCE -j REJECT
    $iptables -t filter -A INPUT -m mac --mac-source $MACSOURCE -j REJECT
    # The mac match is only valid in the PREROUTING, FORWARD and INPUT chains;
    # iptables refuses it in OUTPUT, so that line is kept commented out here.
    #$iptables -t filter -A OUTPUT -m mac --mac-source $MACSOURCE -j REJECT
  fi
done

#################################################
# FILTER table
#################################################


# Drop unwanted TCP packets (NEW connections that do not start with SYN)
# -------------------------------------------------------
$iptables -A FORWARD -p tcp ! --syn -m state --state NEW -j LOG --log-level 6 --log-prefix "FW: NEW sem syn: "
$iptables -A FORWARD -p tcp ! --syn -m state --state NEW -j DROP


# Drop malformed packets
# (the experimental "unclean" match is not present in 2.6 kernels; these two
# rules fail to load there)
# -------------------------------------------------------
$iptables -A INPUT -i $IF_EXTERNA -m unclean -j LOG --log-level 6 --log-prefix "FW: pacote mal formado: "
$iptables -A INPUT -i $IF_EXTERNA -m unclean -j DROP


# Accept the packets that really should get in
# -------------------------------------------------------
#$iptables -A INPUT -i ! $IF_EXTERNA -j ACCEPT
$iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
$iptables -A OUTPUT -m state --state ESTABLISHED,RELATED,NEW -j ACCEPT
# Note: because NEW is included here with no source or interface match, every
# forwarded connection from any internal host is accepted at this point,
# whether or not it matched one of the MAC/IP rules above.
$iptables -A FORWARD -m state --state ESTABLISHED,RELATED,NEW -j ACCEPT


# Protection against trinoo
# -------------------------------------------------------
$iptables -N TRINOO
$iptables -A TRINOO -m limit --limit 15/m -j LOG --log-level 6 --log-prefix "FW: trinoo: "
$iptables -A TRINOO -j DROP
$iptables -A INPUT -p TCP -i $IF_EXTERNA --dport 27444 -j TRINOO
$iptables -A INPUT -p TCP -i $IF_EXTERNA --dport 27665 -j TRINOO
$iptables -A INPUT -p TCP -i $IF_EXTERNA --dport 31335 -j TRINOO
$iptables -A INPUT -p TCP -i $IF_EXTERNA --dport 34555 -j TRINOO
$iptables -A INPUT -p TCP -i $IF_EXTERNA --dport 35555 -j TRINOO


# Protection against trojans
# -------------------------------------------------------
$iptables -N TROJAN
$iptables -A TROJAN -m limit --limit 15/m -j LOG --log-level 6 --log-prefix "FW: trojan: "
$iptables -A TROJAN -j DROP
$iptables -A INPUT -p TCP -i $IF_EXTERNA --dport 666 -j TROJAN
$iptables -A INPUT -p TCP -i $IF_EXTERNA --dport 4000 -j TROJAN
$iptables -A INPUT -p TCP -i $IF_EXTERNA --dport 6000 -j TROJAN
$iptables -A INPUT -p TCP -i $IF_EXTERNA --dport 6006 -j TROJAN
$iptables -A INPUT -p TCP -i $IF_EXTERNA --dport 16660 -j TROJAN


# Protection against worms
# -------------------------------------------------------
$iptables -A FORWARD -p tcp --dport 135 -i $IF_INTERNA -j REJECT


# Protection against SYN flood
# (an ACCEPT with -m limit and no following DROP does not rate-limit anything)
# -------------------------------------------------------
$iptables -A FORWARD -p tcp --syn -m limit --limit 2/s -j ACCEPT


# Protection against ping of death
# (same remark: limit + ACCEPT alone drops nothing)
# -------------------------------------------------------
$iptables -A FORWARD -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT


# Protection against port scanners
# -------------------------------------------------------
$iptables -N SCANNER
$iptables -A SCANNER -m limit --limit 15/m -j LOG --log-level 6 --log-prefix "FW: port scanner: "
$iptables -A SCANNER -j DROP
$iptables -A INPUT -p tcp --tcp-flags ALL FIN,URG,PSH -i $IF_EXTERNA -j SCANNER
$iptables -A INPUT -p tcp --tcp-flags ALL NONE -i $IF_EXTERNA -j SCANNER
$iptables -A INPUT -p tcp --tcp-flags ALL ALL -i $IF_EXTERNA -j SCANNER
$iptables -A INPUT -p tcp --tcp-flags ALL FIN,SYN -i $IF_EXTERNA -j SCANNER
$iptables -A INPUT -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -i $IF_EXTERNA -j SCANNER
$iptables -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -i $IF_EXTERNA -j SCANNER
$iptables -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -i $IF_EXTERNA -j SCANNER


# Log access attempts to certain ports
# -------------------------------------------------------
$iptables -A INPUT -p tcp --dport 21 -i $IF_EXTERNA -j LOG --log-level 6 --log-prefix "FW: ftp: "
$iptables -A INPUT -p tcp --dport 23 -i $IF_EXTERNA -j LOG --log-level 6 --log-prefix "FW: telnet: "
$iptables -A INPUT -p tcp --dport 25 -i $IF_EXTERNA -j LOG --log-level 6 --log-prefix "FW: smtp: "
$iptables -A INPUT -p tcp --dport 80 -i $IF_EXTERNA -j LOG --log-level 6 --log-prefix "FW: http: "
$iptables -A INPUT -p tcp --dport 110 -i $IF_EXTERNA -j LOG --log-level 6 --log-prefix "FW: pop3: "
$iptables -A INPUT -p udp --dport 111 -i $IF_EXTERNA -j LOG --log-level 6 --log-prefix "FW: rpc: "
$iptables -A INPUT -p tcp --dport 113 -i $IF_EXTERNA -j LOG --log-level 6 --log-prefix "FW: identd: "
$iptables -A INPUT -p tcp --dport 137:139 -i $IF_EXTERNA -j LOG --log-level 6 --log-prefix "FW: samba: "
$iptables -A INPUT -p udp --dport 137:139 -i $IF_EXTERNA -j LOG --log-level 6 --log-prefix "FW: samba: "
$iptables -A INPUT -p tcp --dport 161:162 -i $IF_EXTERNA -j LOG --log-level 6 --log-prefix "FW: snmp: "
$iptables -A INPUT -p tcp --dport 6667:6668 -i $IF_EXTERNA -j LOG --log-level 6 --log-prefix "FW: irc: "
$iptables -A INPUT -p tcp --dport 3128 -i $IF_EXTERNA -j LOG --log-level 6 --log-prefix "FW: squid: "


# Allow external access to certain ports
# -------------------------------------------------------
$iptables -A INPUT -p tcp --dport 22 -i $IF_EXTERNA -j ACCEPT

# Allow outbound SMTP only to the IP XXX.XXX.XXX.XXX
# -------------------------------------------------------
#$iptables -A FORWARD -p tcp -d ! XXX.XXX.XXX.XXX --dport 25 -j LOG --log-level 6 --log-prefix "FW: SMTP proibido: "
#$iptables -A FORWARD -p tcp -d ! XXX.XXX.XXX.XXX --dport 25 -j REJECT


#################################################
# NAT table
#################################################


# Enable outbound masquerading
# -------------------------------------------------------
$iptables -A POSTROUTING -t nat -o $IF_EXTERNA -j MASQUERADE


# Transparent proxy
# -------------------------------------------------------
$iptables -t nat -A PREROUTING -i $IF_INTERNA -p tcp --dport 80 -j REDIRECT --to-port 3128
#$iptables -t nat -A PREROUTING -i $IF_INTERNA -p tcp --dport 8080 -j REDIRECT --to-port 3128


# Redirect ports to other servers
# -------------------------------------------------------
#$iptables -t nat -A PREROUTING -d 192.168.200.1 -p tcp --dport 22 -j DNAT --to-destination 10.0.0.1

# VoIP (web iface, working ports)
$iptables -t nat -A PREROUTING -p tcp --dport 80 -j DNAT --to-destination 192.168.16.3
$iptables -t nat -A PREROUTING -p tcp --dport 5060 -j DNAT --to-destination 192.168.16.3
$iptables -t nat -A PREROUTING -p tcp --dport 5061 -j DNAT --to-destination 192.168.16.3
$iptables -t nat -A PREROUTING -p tcp --dport 5082 -j DNAT --to-destination 192.168.16.3

# VNC
$iptables -t nat -A PREROUTING -p tcp --dport 5140 -j DNAT --to-destination 192.168.16.140

# Camera server
$iptables -t nat -A PREROUTING -p tcp --dport 1999 -j DNAT --to-destination 192.168.16.116
$iptables -t nat -A PREROUTING -p udp --dport 1999 -j DNAT --to-destination 192.168.16.116
#$iptables -t nat -A PREROUTING -p tcp --dport 1350 -j DNAT --to-destination 192.168.16.116


# Redirect ports on this machine itself
# -------------------------------------------------------
#$iptables -A PREROUTING -t nat -d 192.168.200.1 -p tcp --dport 5922 -j REDIRECT --to-ports 22
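The split behaviour described in the post follows from the chain each kind of traffic passes through. Access to files on the firewall itself and normal browsing (which the REDIRECT rule sends to the local Squid on 3128) arrive in INPUT, whose policy is DROP and which only accepts a listed MAC/IP pair, so a wrong IP is blocked there. MSN and a browser pointed at an external proxy are forwarded, and in FORWARD the posted script appends `-m state --state ESTABLISHED,RELATED,NEW -j ACCEPT` with no source or MAC match, so every new connection from any internal host is accepted regardless of the per-MAC rules above it. The following is an added example, not code from the original post or a reply to it: it builds the FORWARD chain both in the posted ordering and in a corrected one in which the catch-all only passes reply traffic, so that new connections from an unlisted or mismatched host fall through to the DROP policy. The names `run`, `build_forward_rules`, `unrestricted_new_accepts` and the `MACLIST_SAMPLE` entries are this example's own; the interface names and the `status;MAC;IP` list format come from the posted script. It prints the iptables commands instead of executing them, so it runs without root.

```shell
#!/bin/sh
# Added example, not the original poster's code. Prints iptables commands as a
# dry run; pipe the output of build_forward_rules into "sh" as root to apply.
IF_EXTERNA=eth0
IF_INTERNA=eth1
IPTABLES=/sbin/iptables

# Constructed sample in the /etc/maclist format status;MAC;IP (a = allowed, b = blocked).
MACLIST_SAMPLE='a;00:11:22:33:44:55;192.168.16.10
a;00:11:22:33:44:66;192.168.16.11
b;00:11:22:33:44:77;192.168.16.12'

# Print one iptables command instead of executing it.
run() {
    echo "$IPTABLES $*"
}

# Emit the FORWARD rules. "weak" reproduces the posted ordering: the per-host
# MAC/IP rules come first, but a later "--state NEW" catch-all accepts new
# connections from any internal host, so an unlisted or mismatched host still
# reaches the Internet (an MSN login, a connection to an outside proxy).
# "fixed" keeps the catch-all for reply traffic only, so such a host's new
# connections fall to the DROP policy and are logged.
build_forward_rules() {
    mode="$1"
    run -P FORWARD DROP
    printf '%s\n' "$MACLIST_SAMPLE" | while IFS=';' read -r status mac ip; do
        [ -z "$status" ] && continue
        if [ "$status" = "a" ]; then
            # New connections only from the bound MAC/IP pair on the LAN side.
            run -A FORWARD -i "$IF_INTERNA" -s "$ip" -m mac --mac-source "$mac" -j ACCEPT
            # Replies back to that host.
            run -A FORWARD -o "$IF_INTERNA" -d "$ip" -m state --state ESTABLISHED,RELATED -j ACCEPT
        else
            run -A FORWARD -m mac --mac-source "$mac" -j REJECT
        fi
    done
    if [ "$mode" = "weak" ]; then
        # As posted: NEW is included, so anything the rules above did not match is accepted here.
        run -A FORWARD -m state --state ESTABLISHED,RELATED,NEW -j ACCEPT
    else
        # Corrected: reply traffic only; a NEW connection must already have matched a MAC/IP rule.
        run -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
        # Log what falls through, so a host on the wrong IP shows up in the kernel log.
        run -A FORWARD -i "$IF_INTERNA" -m limit --limit 15/m -j LOG --log-level 6 --log-prefix "FW:mac-ip-mismatch:"
    fi
}

# Count the FORWARD ACCEPT rules that admit NEW connections without any
# source restriction (no --mac-source). "weak" yields 1, "fixed" yields 0.
unrestricted_new_accepts() {
    build_forward_rules "$1" | grep -- '-j ACCEPT' | grep -- 'NEW' | grep -v -- '--mac-source' | grep -c . || true
}

echo "unrestricted NEW accepts, posted ordering: $(unrestricted_new_accepts weak)"
echo "unrestricted NEW accepts, corrected:       $(unrestricted_new_accepts fixed)"
echo "--- corrected FORWARD rules (dry run) ---"
build_forward_rules fixed
```

To confirm the ordering on a live box, `iptables -L FORWARD -v -n --line-numbers` shows the rules with their packet counters; if the catch-all's counter climbs while a host is on a wrong IP, that rule is what is letting it through.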
 
  

