hmmm..
Sagen er, at jeg skal overtage arbejdet fra en medarbejder, som har sagt op.
han har lavet et langt script til iptables, som bruger en masse "alias" for forskellige ting...
jeg poster lige scriptet her, så kunne du måske fortælle mig, hvor jeg skal sætte det ind... det skal fungere sådan, at IP : 130.227.119.20(
www.dating.dk) skal blokeres for alle brugere.
------------- SCRIPT ----------------
#!/bin/sh
### Initialisation - don't touch!
# Expands to "exit" when FAILSAFE is set and non-empty (presumably the
# OpenWrt failsafe flag, confirm on the target), so no firewall is loaded in
# that mode; otherwise it expands to nothing and the script continues.
${FAILSAFE:+exit}
# Provides if_valid, which getip below relies on.
. /etc/functions.sh
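getip()
{
  # Print the IPv4 address of interface $1; print nothing when the argument
  # is missing or when if_valid (from /etc/functions.sh) rejects it.
  # Parses the "inet addr:A.B.C.D" line of net-tools/busybox style ifconfig
  # output: split on runs of spaces or on ':' and print the 4th field.
  # The argument is quoted so an empty or odd interface name cannot turn
  # into extra words for if_valid/ifconfig.
  if [ $# -eq 1 ] && if_valid "$1"; then
    ifconfig "$1" | awk -F' +|:' '$2=="inet" {print $4}'
  fi
}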
### Configuration
# Networks, in the order the chains get created and linked further down.
NETWORKS='wan lan dmz usr'
# IP adresses - for DNAT'ing
# All published services currently live on the same host.
FTPSERVER='192.168.1.70'
SSHSERVER='192.168.1.70'
WWWSERVER='192.168.1.70'
SMTPSERVER='192.168.1.70'
IMAPSERVER='192.168.1.70'
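### Get interface names from nvram
# For each net, set ${net}_iface (nvram "<net>_ifname") and ${net}_ipaddr
# (its current IPv4 address, empty if getip prints nothing). The values are
# passed to eval through variables instead of being pasted into the eval
# string, so an unexpected nvram or ifconfig value is never parsed as shell
# code.
for net in $NETWORKS; do
  iface="$(nvram get "${net}_ifname")"
  ipaddr="$(getip "$iface")"
  eval "${net}_iface=\$iface"
  eval "${net}_ipaddr=\$ipaddr"
done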
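### Default policies
# Set to DROP *before* flushing: on a fresh boot the built-in policy is
# still ACCEPT, and flushing first would leave the box open between the
# flush and the policy change.
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP
### Clear
# Flush and delete user chains in every loaded table (nat, mangle, ...),
# then the filter table once more in case it was not listed.
for table in $(cat /proc/net/ip_tables_names); do
  iptables -t "$table" -F
  iptables -t "$table" -X
done
iptables -F
iptables -X
### Modules
# Only needed if the LOG rules in the DEBUG section get a rate limit
# (-m limit); as written they have none.
#insmod ipt_limit
### Enable forward
# Done after the DROP policies are in place, so forwarding never starts
# without a ruleset.
echo "1" > /proc/sys/net/ipv4/ip_forward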
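### Divide and Conquer the chains
# One chain per direction (_in/_out), per source and destination net
# (${net}2any / any2${net}) and per net pair (${net}2${othernet}).
# The interface lookups that used to happen here were unused in this loop;
# the linking loop at the end does its own lookups.
iptables -N any_in
iptables -N any_out
iptables -N any2any
for net in $NETWORKS; do
  iptables -N "${net}_in"
  iptables -N "${net}_out"
  iptables -N "${net}2any"
  iptables -N "any2${net}"
  # This also creates ${net}2${net}; it just stays empty.
  for othernet in $NETWORKS; do
    iptables -N "${net}2${othernet}"
  done
done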
### Allow everything from lan, the admin/debug interface
# iptables takes the first matching rule, so anything that should be denied
# to lan clients as well has to be appended ahead of these ACCEPTs.
for lan_chain in lan_in lan_out lan2any; do
  iptables -A "$lan_chain" -j ACCEPT
done
# Allow icmp in all directions
for icmp_chain in any2any any_in any_out; do
  iptables -A "$icmp_chain" -p icmp -j ACCEPT
done
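### Rules
# Rules are matched top-down and these chains only ACCEPT: a DROP for a
# specific destination (-d <host>) has to be appended to the relevant
# chain *before* its ACCEPTs (and ahead of the unconditional ACCEPT in
# lan2any if lan clients are to be covered too).
# The former "-p udp --sport 123 -j ACCEPT" rules were removed: they let
# any UDP packet with source port 123 through to any port (on wan_in that
# is the whole Internet), and the NTP replies they were meant for are
# already accepted by the ESTABLISHED,RELATED rules further down; the
# "--dport 123" rules next to them stay.
# WAN
iptables -A wan_in -p udp --dport 68 --sport 67 -j ACCEPT # DHCP
iptables -A wan_in -p tcp --dport 113 -j ACCEPT # Ident
iptables -A wan_in -p udp --dport 123 -j ACCEPT # NTP
iptables -A wan_out -p tcp --dport 21 -j ACCEPT # FTP
iptables -A wan_out -p udp --dport 53 -j ACCEPT # DNS
iptables -A wan_out -p tcp --dport 53 -j ACCEPT # DNS
iptables -A wan_out -p tcp --dport 80 -j ACCEPT # HTTP
iptables -A wan_out -p udp --dport 123 -j ACCEPT # NTP
# DMZ
iptables -A dmz_in -p tcp --dport 22 -j ACCEPT # SSH
iptables -A dmz_in -p udp --dport 53 -j ACCEPT # DNS
iptables -A dmz_in -p tcp --dport 53 -j ACCEPT # DNS
iptables -A dmz_in -p udp --dport 67 --sport 68 -j ACCEPT # DHCP
iptables -A dmz_in -p udp --dport 123 -j ACCEPT # NTP
iptables -A dmz_out -p tcp --dport 113 -j ACCEPT # Ident
iptables -A dmz2wan -p tcp --dport 21 -j ACCEPT # FTP
iptables -A dmz2wan -p tcp --dport 80 -j ACCEPT # HTTP
iptables -A dmz2wan -p udp --dport 123 -j ACCEPT # NTP
iptables -A dmz2wan -p tcp --dport 443 -j ACCEPT # HTTPS
iptables -A dmz2wan -p tcp --dport 873 -j ACCEPT # Rsync
# USR (Regular user's network)
iptables -A usr_in -p tcp --dport 22 -j ACCEPT # SSH
iptables -A usr_in -p udp --dport 53 -j ACCEPT # DNS
iptables -A usr_in -p tcp --dport 53 -j ACCEPT # DNS
iptables -A usr_in -p udp --dport 67 --sport 68 -j ACCEPT # DHCP
iptables -A usr_in -p udp --dport 123 -j ACCEPT # NTP
iptables -A usr_out -p tcp --dport 113 -j ACCEPT # Ident
iptables -A usr_out -p udp --dport 123 -j ACCEPT # NTP
# Destination-based DROPs for regular users go here, before the ACCEPTs.
iptables -A usr2wan -p tcp --dport 21 -j ACCEPT # FTP
iptables -A usr2wan -p tcp --dport 22 -j ACCEPT # SSH
iptables -A usr2wan -p tcp --dport 80 -j ACCEPT # HTTP
iptables -A usr2wan -p udp --dport 123 -j ACCEPT # NTP
iptables -A usr2wan -p tcp --dport 143 -j ACCEPT # IMAP
iptables -A usr2wan -p tcp --dport 443 -j ACCEPT # HTTPS
iptables -A usr2wan -p tcp --dport 873 -j ACCEPT # Rsync
iptables -A usr2wan -p tcp --dport 5190 -j ACCEPT # ICQ
iptables -A usr2wan -p tcp --dport 6666:6669 -j ACCEPT # IRC
iptables -A usr2wan -p tcp --dport 5000:5050 -j ACCEPT # Yahoo
iptables -A usr2wan -p tcp --dport 5222:5269 -j ACCEPT # Jabber
iptables -A usr2wan -p udp --dport 5060 -j ACCEPT # SIP (VoIP)
iptables -A usr2wan -p udp --dport 27000:27500 -j ACCEPT # Steam/Half-Life
iptables -A usr2wan -p tcp --dport 27030:27039 -j ACCEPT # Steam/Half-Life
iptables -A usr2wan -p udp --dport 1200 -j ACCEPT # Steam/Half-Life
iptables -A usr2wan -p udp --dport 23400:28900 -j ACCEPT # Steam/Half-Life
iptables -A usr2wan -p udp --dport 27000:27015 -j ACCEPT # Half-Life
iptables -A usr2wan -p udp --dport 27950:27970 -j ACCEPT # Quake3
iptables -A usr2wan -p tcp --dport 45648 -j ACCEPT # TeamSpeak
iptables -A usr2wan -p udp --dport 7777:7778 -j ACCEPT # Unreal Tournament
iptables -A usr2wan -p udp --dport 8080 -j ACCEPT # Unreal Tournament
iptables -A usr2wan -p tcp --dport 43594 -j ACCEPT # Runescape
iptables -A usr2wan -p tcp --dport 3724 -j ACCEPT # World of Warcraft
iptables -A usr2wan -p tcp --dport 8000:9000 -j ACCEPT # Netradio
iptables -A usr2wan -p tcp --dport 19700:19800 -j ACCEPT # Netradio
iptables -A usr2wan -p tcp --dport 554 -j ACCEPT # RealMedia
iptables -A usr2wan -p udp --dport 554 -j ACCEPT # RealMedia
iptables -A usr2wan -p tcp --dport 2401 -j ACCEPT # CVS
iptables -A usr2wan -p tcp --dport 1755 -j ACCEPT # WindowsMediaPlayer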
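### DNAT'ing and other nat stuff
# Port forwards from the wan address to the servers configured above, plus
# the any2dmz ACCEPTs the forwarded traffic needs in FORWARD. Both are only
# installed when wan actually got an address. Note that any2dmz is entered
# for every packet leaving on the dmz interface, so these ACCEPTs apply to
# traffic from every net, not only from wan.
if [ -n "$wan_ipaddr" ]; then
  iptables -t nat -A PREROUTING -p tcp --dport 21 -d "$wan_ipaddr" \
    -j DNAT --to-destination "$FTPSERVER"
  # Publishes ssh on $SSHSERVER to every wan peer.
  iptables -t nat -A PREROUTING -p tcp --dport 22 -d "$wan_ipaddr" \
    -j DNAT --to-destination "$SSHSERVER"
  iptables -t nat -A PREROUTING -p tcp --dport 80 -d "$wan_ipaddr" \
    -j DNAT --to-destination "$WWWSERVER"
  iptables -t nat -A PREROUTING -p tcp --dport 25 -d "$wan_ipaddr" \
    -j DNAT --to-destination "$SMTPSERVER"
  iptables -t nat -A PREROUTING -p tcp --dport 143 -d "$wan_ipaddr" \
    -j DNAT --to-destination "$IMAPSERVER"
  iptables -A any2dmz -d "$FTPSERVER" -p tcp --dport 21 -j ACCEPT
  iptables -A any2dmz -d "$SSHSERVER" -p tcp --dport 22 -j ACCEPT
  iptables -A any2dmz -d "$WWWSERVER" -p tcp --dport 80 -j ACCEPT
  iptables -A any2dmz -d "$SMTPSERVER" -p tcp --dport 25 -j ACCEPT
  iptables -A any2dmz -d "$IMAPSERVER" -p tcp --dport 143 -j ACCEPT
  # Masquerading on wan: everything leaving via wan that is not already
  # sourced from the wan address. The negation goes in front of the option
  # ("! -s"); the old intrapositioned "-s !" form is deprecated.
  iptables -t nat -A POSTROUTING -o "$wan_iface" ! -s "$wan_ipaddr" -j MASQUERADE
else
  echo "wan does not have an ip address" 1>&2
fi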
# Stateful inspection
# Reply and related traffic is accepted in the three catch-all chains; this
# is also what lets answers to the router's own DNS/NTP queries back in.
for catchall in any_in any_out any2any; do
  iptables -A "$catchall" -m state --state ESTABLISHED,RELATED -j ACCEPT
done
# Divide and Conquer, part 2
# Links everything together
# Terminate the catch-all chains explicitly; whatever is still unmatched
# falls through to the built-in chain's DROP policy.
for catchall in any_in any_out any2any; do
  iptables -A "$catchall" -j RETURN
done
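# Wire the user chains into INPUT/OUTPUT/FORWARD. Resulting order:
#   INPUT:   ${net}_in (by input interface), then any_in
#   OUTPUT:  ${net}_out (by output interface), then any_out
#   FORWARD: per net in NETWORKS order: ${net}2any, any2${net} and that
#            net's pair chains; finally any2any
# Every user chain ends in RETURN, so unmatched traffic falls through to the
# DROP policy (after the optional LOG rules in the DEBUG section).
for net in $NETWORKS; do
  eval "net_iface=\${${net}_iface}"
  iptables -A "${net}_in" -j RETURN
  iptables -A "${net}_out" -j RETURN
  iptables -A "${net}2any" -j RETURN
  iptables -A "any2${net}" -j RETURN
  if [ -n "$net_iface" ]; then
    iptables -A INPUT -i "$net_iface" -j "${net}_in"
    iptables -A OUTPUT -o "$net_iface" -j "${net}_out"
    iptables -A FORWARD -i "$net_iface" -j "${net}2any"
    iptables -A FORWARD -o "$net_iface" -j "any2${net}"
  else
    # Without an interface name the -i/-o rules would be malformed and most
    # likely rejected by iptables one by one; report it once instead.
    echo "$net has no interface name, its chains are not linked" 1>&2
  fi
  for othernet in $NETWORKS; do
    eval "othernet_iface=\${${othernet}_iface}"
    iptables -A "${net}2${othernet}" -j RETURN
    if [ -n "$net_iface" ] && [ -n "$othernet_iface" ]; then
      iptables -A FORWARD -i "$net_iface" -o "$othernet_iface" -j "${net}2${othernet}"
    fi
  done
done
iptables -A INPUT -j any_in
iptables -A OUTPUT -j any_out
iptables -A FORWARD -j any2any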
# Debugging (logs unmatched packets)
if [ "$DEBUG" ]; then
iptables -A INPUT -j LOG --log-prefix 'Unmatched input '
iptables -A OUTPUT -j LOG --log-prefix 'Unmatched output '
iptables -A FORWARD -j LOG --log-prefix 'Unmatched forward '
---------------------- SCRIPT SLUT ----------------
håber du kan hjælpe :)