Lo primero es configurar el Iptables del Ipcop:
lo encontramos en: /etc/rc.d/rc.firewall.local
#!/bin/sh
# Used for private firewall rules
# See how we were called.
case "$1" in
start)
## add your 'start' rules here
# (Bloque total anti msn)
#iptables -t filter -A FORWARD -s 0.0.0.0/0 -d 0.0.0.0/0 -p --sport 1863 -j DROP
#iptables -t filter -A FORWARD -d 192.168.11.0/24 -p tcp --sport 1863 -j DROP
#iptables -A FORWARD -s $LAN -d 0/0 -p tcp --dport 1863 -j REJECT
#Anti Msn
iptables -t mangle -A PREROUTING -p tcp --dport 1863 -j DROP
iptables -t mangle -A PREROUTING -d 63.208.13.126 -j DROP
iptables -t mangle -A PREROUTING -d 64.4.12.200 -j DROP
iptables -t mangle -A PREROUTING -d 64.4.12.201 -j DROP
iptables -t mangle -A PREROUTING -d 65.54.131.249 -j DROP
iptables -t mangle -A PREROUTING -d 65.54.194.118 -j DROP
iptables -t mangle -A PREROUTING -d 65.54.211.61 -j DROP
iptables -t mangle -A PREROUTING -d 207.46.104.20 -j DROP
iptables -t mangle -A PREROUTING -d 207.46.110.2 -j DROP
iptables -A FORWARD -p TCP --dport 1863 -j REJECT
iptables -A FORWARD -d 64.4.13.0/24 -j REJECT
# (Anti-MSN2)
iptables -A tcp_outbound -p TCP -s 0/0 --destination-port 1863 -j REJECT
iptables -A FORWARD -p tcp --dport 1863 -j DROP
iptables -A FORWARD -d 207.46.110.0/25 -j DROP
iptables -A FORWARD -d 207.46.109.0/25 -j DROP
iptables -A FORWARD -d 207.46.96.0/25 -j DROP
iptables -A FORWARD -d 207.46.26.0/25 -j DROP
iptables -A FORWARD -d 207.46.104.20 -j DROP
iptables -A FORWARD -d 207.46.0.0/16 -j DROP *
iptables -t mangle -A PREROUTING -p tcp --dport 1863 -j DROP
iptables -t mangle -A PREROUTING -d 63.208.13.126 -j DROP
iptables -t mangle -A PREROUTING -d 64.4.12.200 -j DROP
iptables -t mangle -A PREROUTING -d 64.4.12.201 -j DROP
iptables -t mangle -A PREROUTING -d 65.54.131.249 -j DROP
##iptables -t mangle -A PREROUTING -d 65.54.183.203 -j DROP
iptables -t mangle -A PREROUTING -d 65.54.194.118 -j DROP
##iptables -t mangle -A PREROUTING -d 65.54.211.61 -j DROP
#Bloquear por redireccion del server a otro
iptables -t nat -A PREROUTING -p TCP --dport 1863 -j DNAT --to-destination 64.233.161.104:80
#Accesos permitidos
#iptables -t filter -I FORWARD -s 0.0.0.0/0 -d 192.168.1.252/255.255.255.255 -p tcp --sport 1863 -j ACCEPT
#forzar a que toda salida http pase por Squid
iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 80 -j REDIRECT --to-port 800
;;
stop)
## add your 'stop' rules here
;;
reload)
$0 stop
$0 start
## add your 'reload' rules here
;;
*)
echo "Usage: $0 {start|stop|reload}"
;;
esac
Y para el bloqueo de las paginas debemos de instalar el addon FilterUrrl
No hay comentarios:
Publicar un comentario