Netgate Discussion Forum

    Question about Firewall rules

    Firewalling
    11 Posts 5 Posters 2.1k Views
    • pozoleroP Offline
      pozolero Rebel Alliance
      last edited by

      Hi everyone! I have an iptables script (yes, I know pfSense doesn't use iptables), but I think it's a clever script.

      This script was on a Debian server with Squid in transparent mode, and was for blocking HTTPS (443) connections to domains like youtube.com without blocking the google.com domain. Both domains use the same IP address.

      My question is: is it possible to achieve something like these firewall rules on pfSense?

      I'll leave the firewall script below.

      #! /bin/sh
      # BLOCKING HTTPS CONNECTIONS / PORT 443
      
      echo "Starting Firewall. "
      echo "Applying Firewall Rules .........."
      
      iptables -F
      iptables -X
      iptables -t nat -F
      iptables -t nat -X
      iptables -t nat -Z
      
      #iptables -P INPUT ACCEPT
      #iptables -P OUTPUT ACCEPT
      #iptables -P FORWARD DROP
      
      INTERNET="eth0"
      LAN="eth1"
      IPLAN="172.16.0.0/12"
      RED="172.20.5"
      MOVIL="172.20.10"
      
      echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
      echo 1 > /proc/sys/net/ipv4/ip_forward
      
      iptables -A INPUT -i lo -j ACCEPT	# Localhost
      iptables -A OUTPUT -o lo -j ACCEPT	# Localhost
      #---------------------------------------------------------------------
      iptables -A FORWARD -p tcp --dport 443 -j ACCEPT	# HTTPS
      
      iptables -A INPUT -i $INTERNET -p tcp --dport 20 -j ACCEPT	# FTP
      iptables -A INPUT -i $INTERNET -p tcp --dport 21 -j ACCEPT	# FTP
      
      #iptables -A INPUT -i $INTERNET -p tcp --dport 22 -j ACCEPT	# SSH
      #iptables -A INPUT -i $INTERNET -p tcp --dport 25 -j ACCEPT	# SMTP
      #iptables -A INPUT -i $INTERNET -p tcp --dport 53 -j ACCEPT	# DNS
      #iptables -A INPUT -i $INTERNET -p tcp --dport 80 -j ACCEPT	# WEB
      #iptables -A INPUT -i $INTERNET -p tcp --dport 110 -j ACCEPT	# POP
      #iptables -A INPUT -i $INTERNET -p tcp --dport 143 -j ACCEPT	# IMAP
      #iptables -A INPUT -i $INTERNET -p tcp --dport 1433 -j ACCEPT	# SQL Server
      #iptables -A INPUT -i $INTERNET -p tcp --dport 3306 -j ACCEPT	# MySQL
      
      iptables -A INPUT -p tcp --dport 20 -j ACCEPT		# FTP
      iptables -A INPUT -p tcp --dport 21 -j ACCEPT		# FTP
      iptables -A OUTPUT -p tcp --sport 20 -j ACCEPT		# FTP
      iptables -A OUTPUT -p tcp --sport 21 -j ACCEPT		# FTP
      iptables -A INPUT -p tcp --dport 22 -j ACCEPT		# SSH
      iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT		# SSH
      iptables -A INPUT -p tcp --dport 25 -j ACCEPT		# SMTP
      iptables -A OUTPUT -p tcp --sport 25 -j ACCEPT		# SMTP
      iptables -A INPUT -p tcp --dport 80 -j ACCEPT		# WEB
      iptables -A OUTPUT -p tcp --sport 80 -j ACCEPT		# WEB
      iptables -A INPUT -p tcp --dport 110 -j ACCEPT		# POP MAIL
      iptables -A OUTPUT -p tcp --sport 110 -j ACCEPT		# POP MAIL
      iptables -A INPUT -p tcp --dport 143 -j ACCEPT		# IMAP MAIL
      iptables -A OUTPUT -p tcp --sport 143 -j ACCEPT		# IMAP MAIL
      #iptables -A INPUT -p tcp --dport 1433 -j ACCEPT	# SQL Server
      #iptables -A OUTPUT -p tcp --sport 1433 -j ACCEPT	# SQL Server
      #iptables -A INPUT -p tcp --dport 3306 -j ACCEPT	# MySQL
      #iptables -A OUTPUT -p tcp --sport 3306 -j ACCEPT	# MySQL
      
      iptables -A INPUT -p tcp --dport 7777 -j ACCEPT		# CNPSS
      iptables -A OUTPUT -p tcp --sport 7777 -j ACCEPT	# CNPSS
      
      #-----------------------------------------------------------------------
      iptables -t nat -A PREROUTING -s $IPLAN -p tcp --dport 80 -j DNAT --to 172.20.5.1:3128
      iptables -t nat -A POSTROUTING -s $IPLAN -o $INTERNET -j MASQUERADE
      
      # ACCESS LEVELS FOR UNRESTRICTED IP
      # WEBSITES RESTRICTIONS ARE MADE BY SQUID, FIREWALL ONLY CONTROLS HTTPS ACCESS
      
      # --------------------------------------- FIREWALL LEVELS
      # 1° LEVEL -  NO RESTRICTIONS
      # 2° LEVEL -  ACCESS ONLY  FACEBOOK + TWITTER + YOUTUBE + DROPBOX, BLOCKED PEER-TO-PEER
      # 3° LEVEL - ACCESS ONLY FACEBOOK;  TWITTER, YOUTUBE, DROPBOX, BLOCKED PEER-TO-PEER
      
      iptables -A FORWARD -d 151.101.0.0/16 -j ACCEPT
      iptables -A OUTPUT -p tcp -d 151.101.0.0/16 -j ACCEPT	# Schoology
      iptables -A FORWARD -p tcp -d schoology.com --dport 443 -j ACCEPT
      #iptables -A OUTPUT -p tcp -d www.schoology.com -j ACCEPT	
      #iptables -A OUTPUT -p tcp -d schoology.com -j ACCEPT
      
      # UNRESTRICTED IP ( ACCESS LEVEL 1)
      #-----------------------------------------------------------------------------
      iptables -A FORWARD -s $RED.41 -o $INTERNET -j ACCEPT	# USER
      iptables -A FORWARD -s $RED.42 -o $INTERNET -j ACCEPT	# USER
      iptables -A FORWARD -s $RED.48 -o $INTERNET -j ACCEPT	# USER
      iptables -A FORWARD -s $RED.49 -o $INTERNET -j ACCEPT	# USER
      iptables -A FORWARD -s $RED.55 -o $INTERNET -j ACCEPT	# USER
      iptables -A FORWARD -s $RED.57 -o $INTERNET -j ACCEPT	# USER
      iptables -A FORWARD -s $RED.68 -o $INTERNET -j ACCEPT	# USER
      iptables -A FORWARD -s $RED.69 -o $INTERNET -j ACCEPT	# USER
      iptables -A FORWARD -s $RED.70 -o $INTERNET -j ACCEPT	# USER
      iptables -A FORWARD -s $RED.76 -o $INTERNET -j ACCEPT	# USER
      iptables -A FORWARD -s $RED.129 -o $INTERNET -j ACCEPT	# USER
      iptables -A FORWARD -s $RED.141 -o $INTERNET -j ACCEPT	# USER
      iptables -A FORWARD -s $RED.168 -o $INTERNET -j ACCEPT	# USER
      iptables -A FORWARD -s $RED.170 -o $INTERNET -j ACCEPT	# USER
      iptables -A FORWARD -s $RED.249 -o $INTERNET -j ACCEPT	# USER
      iptables -A FORWARD -s $RED.218 -o $INTERNET -j ACCEPT	# USER
      #----------------------------------------------------------------------------
      # APPLE SERVERS
      #----------------------------
      #iptables -A FORWARD -d 74.125.0.0/16 -j ACCEPT		# Google
      iptables -A FORWARD -s 17.142.160.59 -j ACCEPT
      iptables -A FORWARD -s 17.172.224.47 -j ACCEPT
      iptables -A FORWARD -s 17.178.96.59 -j ACCEPT
      
      iptables -A FORWARD -s $MOVIL.10 -o $INTERNET -j ACCEPT		# CELL PHONE
      iptables -A FORWARD -s $MOVIL.15 -o $INTERNET -j ACCEPT		# CELL PHONE
      iptables -A FORWARD -s $MOVIL.19 -o $INTERNET -j ACCEPT		# CELL PHONE
      iptables -A FORWARD -s $MOVIL.20 -o $INTERNET -j ACCEPT		# CELL PHONE
      iptables -A FORWARD -s $MOVIL.21 -o $INTERNET -j ACCEPT		# CELL PHONE
      iptables -A FORWARD -s $MOVIL.36 -o $INTERNET -j ACCEPT		# CELL PHONE
      iptables -A FORWARD -s $MOVIL.77 -o $INTERNET -j ACCEPT		# CELL PHONE
      iptables -A FORWARD -s $MOVIL.78 -o $INTERNET -j ACCEPT		# CELL PHONE
      iptables -A FORWARD -s $MOVIL.39 -o $INTERNET -j ACCEPT		# CELL PHONE
      iptables -A FORWARD -s $MOVIL.40 -o $INTERNET -j ACCEPT		# CELL PHONE
      iptables -A FORWARD -s $MOVIL.44 -o $INTERNET -j ACCEPT		# CELL PHONE
      iptables -A FORWARD -s $MOVIL.85 -o $INTERNET -j ACCEPT 	        # TABLET
      
      # BLOCKED TORRENT DOWNLOADS
      #----------------------------------------------------------------------------
      iptables -A FORWARD -m string --algo bm --string "BitTorrent" -j DROP
      iptables -A FORWARD -m string --algo bm --string "BitTorrent protocol" -j DROP
      iptables -A FORWARD -m string --algo bm --string "peer_id" -j DROP
      iptables -A FORWARD -m string --algo bm --string ".torrent" -j DROP
      iptables -A FORWARD -m string --algo bm --string "announce.php?passkey=" -j DROP
      iptables -A FORWARD -m string --algo bm --string "torrent" -j DROP
      iptables -A FORWARD -m string --algo bm --string "announce" -j DROP
      iptables -A FORWARD -m string --algo bm --string "info_hash" -j DROP
      
      iptables -A FORWARD -m string --algo bm --string "get_peers" -j DROP
      iptables -A FORWARD -m string --algo bm --string "announce_peer" -j DROP
      iptables -A FORWARD -m string --algo bm --string "find_node" -j DROP
      
      # BLOCKED TORRENT AND P2P
      # BY MODULE ----- apt-get install xtables-addons-common
      # iptables -m ipp2p --help
      #-------------------------------------------------------
      #iptables -A FORWARD -p tcp -m ipp2p --edk -j DROP
      #iptables -A FORWARD -p udp -m ipp2p --edk -j DROP
      #iptables -A FORWARD -p tcp -m ipp2p --dc -j DROP
      #iptables -A FORWARD -p tcp -m ipp2p --kazaa -j DROP
      #iptables -A FORWARD -p udp -m ipp2p --kazaa -j DROP
      #iptables -A FORWARD -p tcp -m ipp2p --gnu -j DROP
      #iptables -A FORWARD -p udp -m ipp2p --gnu -j DROP
      #iptables -A FORWARD -p tcp -m ipp2p --bit -j DROP
      #iptables -A FORWARD -p udp -m ipp2p --bit -j DROP
      #iptables -A FORWARD -p tcp -m ipp2p --apple -j DROP
      #iptables -A FORWARD -p tcp -m ipp2p --winmx -j DROP
      #iptables -A FORWARD -p tcp -m ipp2p --soul -j DROP
      #iptables -A FORWARD -p tcp -m ipp2p --ares -j DROP
      
      # IP WITH HTTPS - 443 ACCESS GRANTED (ACCESS LEVEL 2)
      #-----------------------------------------------------------------------------
      iptables -A FORWARD -s $RED.56 -p tcp --dport 443 -j ACCEPT	# USER
      iptables -A FORWARD -s $RED.59 -p tcp --dport 443 -j ACCEPT	# USER
      iptables -A FORWARD -s $RED.67 -p tcp --dport 443 -j ACCEPT	# USER
      iptables -A FORWARD -s $RED.69 -p tcp --dport 443 -j ACCEPT	# USER
      iptables -A FORWARD -s $RED.73 -p tcp --dport 443 -j ACCEPT	# USER
      iptables -A FORWARD -s $RED.74 -p tcp --dport 443 -j ACCEPT	# USER
      iptables -A FORWARD -s $RED.77 -p tcp --dport 443 -j ACCEPT	# USER
      iptables -A FORWARD -s $RED.79 -p tcp --dport 443 -j ACCEPT	# USER
      iptables -A FORWARD -s $RED.80 -p tcp --dport 443 -j ACCEPT	# USER
      iptables -A FORWARD -s $RED.102 -p tcp --dport 443 -j ACCEPT	# USER
      iptables -A FORWARD -s $RED.104 -p tcp --dport 443 -j ACCEPT	# USER
      iptables -A FORWARD -s $RED.150 -p tcp --dport 443 -j ACCEPT	# USER
      iptables -A FORWARD -s $RED.176 -p tcp --dport 443 -j ACCEPT	# USER
      iptables -A FORWARD -s $RED.201 -p tcp --dport 443 -j ACCEPT	# USER
      
      #----------------------
      
      # BLOCKING YOUTUBE AND TWITTER
      # TO BLOCK YOUTUBE, FIRST WE NEED TO ACCEPT GOOGLE REQUESTS BECAUSE BOTH DOMAINS
      # DEPEND ON THE SAME SERVERS OR IP ADDRESS, BUT THE DOMAIN REQUEST IS INDEPENDENT.
      # AFTER THIS, I PERMIT ACCESS TO THE GOOGLE DOMAIN BUT NOT TO THE YOUTUBE DOMAIN
      #-----------------------------------------------------------------------------
      iptables -A FORWARD -m string --string "google.com" --algo bm -j ACCEPT
      iptables -A FORWARD -m string --string "youtube.com" --algo bm -j DROP
      #iptables -A FORWARD -m string --string "dropbox.com" --algo bm -j DROP
      
      iptables -A FORWARD -d 199.59.148.0/22 -j DROP # Twitter
      
      # BLOCKED YOUTUBE, BLOCKED DOWNLOADS, UNBLOCKED FACEBOOK (ACCESS LEVEL 3)
      #-----------------------------------------------------------------------------
      iptables -A FORWARD -s $RED.49 -p tcp --dport 443 -j ACCEPT	# USER
      
      # BLOCKED FACEBOOK SERVERS
      #-----------------------------------------------------------------------------
      iptables -A FORWARD -d 65.201.208.24/29 -j DROP
      iptables -A FORWARD -d 65.204.104.128/28 -j DROP
      iptables -A FORWARD -d 66.92.180.48/29 -j DROP
      iptables -A FORWARD -d 67.200.105.48/28 -j DROP
      iptables -A FORWARD -d 69.63.176.0/30 -j DROP
      iptables -A FORWARD -d 69.171.224.0/20 -j DROP
      iptables -A FORWARD -d 74.119.76.0/19 -j DROP
      iptables -A FORWARD -d 204.25.20.0/22 -j DROP
      iptables -A FORWARD -d 66.220.144.0/20 -j DROP
      iptables -A FORWARD -d 173.252.64.0/18 -j DROP
      
      # SCHOOLOGY.COM
      #----------------------------------------------------------
      #iptables -A FORWARD -d 151.101.0.0/16 -j ACCEPT
      #iptables -A FORWARD -m string --string "schoology.com" --algo bm -j ACCEPT
      #iptables -I INPUT -p tcp --dport 443 -m string --string "schoology.com" --algo bm -j ACCEPT
      
      # GRANT ACCESS TO HTTPS - 443 WEBSITES
      #-------------------------------------------------------------------------------
      
      #iptables -A FORWARD -s 52.2.100.81 -p tcp --dport 443 -j ACCEPT		# WEBSITE
      #iptables -A FORWARD -s 52.204.251.50 -p tcp --dport 443 -j ACCEPT		# WEBSITE
      #iptables -A FORWARD -s 107.23.6.245 -p tcp --dport 443 -j ACCEPT		# WEBSITE
      #iptables -A FORWARD -s 52.21.168.68 -p tcp --dport 443 -j ACCEPT		# WEBSITE
      
      #iptables -A FORWARD -p tcp -m iprange --dst-range 74.125.0.0-74.125.255.255 --dport 443 -j ACCEPT	# Google
      iptables -A FORWARD -d 74.125.0.0/16 -j ACCEPT					# Google
      #iptables -A FORWARD -p tcp -d accounts.google.com --dport 443 -j ACCEPT	# Gmail
      #iptables -A FORWARD -p tcp -m iprange --dst-range 172.194.46.0-173.194.46.255 --dport 443 -j ACCEPT	# Gmail
      #iptables -A FORWARD -p tcp -d mail.google.com --dport 443 -j ACCEPT		# Gmail
      
      #iptables -A FORWARD -s 187.210.186.221 -p tcp --dport 443 -j ACCEPT		# WEBSITE
      #iptables -A FORWARD -s 187.191.75.171 -p tcp --dport 443 -j ACCEPT		# WEBSITE
      #iptables -A FORWARD -p tcp -d www.website.com --dport 443 -j ACCEPT	# 
      
      #iptables -A FORWARD -s 65.66.206.154 -p tcp --dport 443 -j ACCEPT		# Hotmail
      #iptables -A FORWARD -p tcp -d live.com --dport 443 -j ACCEPT			# Hotmail
      #iptables -A FORWARD -p tcp -d login.live.com --dport 443 -j ACCEPT		# Hotmail
      #iptables -A FORWARD -p tcp -d secure.shared.live.com --dport 443 -j ACCEPT	# Hotmail
      #iptables -A FORWARD -p tcp -d outlook.com --dport 443 -j ACCEPT		# Hotmail
      
      #iptables -A FORWARD -d 157.54.0.0/15 -j ACCEPT		# Outlook.com
      #iptables -A FORWARD -d 157.56.0.0/14 -j ACCEPT		# Outlook.com
      #iptables -A FORWARD -d 157.60.0.0/16 -j ACCEPT		# Outlook.com
      #iptables -A FORWARD -d 132.245.0.0/16 -j ACCEPT	# Outlook.com
      #iptables -A FORWARD -d 131.253.62.0/23 -j DROP 	# login.live.com
      #iptables -A FORWARD -d 131.253.128.0/17 -j DROP 	# login.live.com
      #iptables -A FORWARD -d 131.253.61.0/24 -j DROP 	# login.live.com
      #iptables -A FORWARD -d 131.253.64.0/18 -j DROP 	# login.live.com
      #iptables -A FORWARD -d 65.52.0.0/14 -j DROP 		# mail.live.com
      
      iptables -A FORWARD -d 189.202.196.50 -j ACCEPT
      iptables -A FORWARD -d 189.203.200.235 -j ACCEPT
      
      # ALL PORTS BLOCKED
      #-------------------------------------------------------------------------------
      #iptables -A INPUT -j DROP
      #iptables -A OUTPUT -j DROP
      #iptables -A FORWARD -j LOG
      
      #iptables -A FORWARD -p tcp --dport 443 -j DROP	# HTTPS
      

      What I want to know or confirm is whether I can configure something like this:

      # BLOCKING YOUTUBE AND TWITTER
      # TO BLOCK YOUTUBE, FIRST WE NEED TO ACCEPT GOOGLE REQUESTS BECAUSE BOTH DOMAINS
      # DEPEND ON THE SAME SERVERS OR IP ADDRESS, BUT THE DOMAIN REQUEST IS INDEPENDENT.
      # AFTER THIS, I PERMIT ACCESS TO THE GOOGLE DOMAIN BUT NOT TO THE YOUTUBE DOMAIN
      #-----------------------------------------------------------------------------
      iptables -A FORWARD -m string --string "google.com" --algo bm -j ACCEPT
      iptables -A FORWARD -m string --string "youtube.com" --algo bm -j DROP
      #iptables -A FORWARD -m string --string "dropbox.com" --algo bm -j DROP
      
      iptables -A FORWARD -d 199.59.148.0/22 -j DROP # Twitter
      

      So I can make an IP alias in the firewall rules to block some users on the LAN.

      Best regards!

      • D Offline
        doktornotor Banned
        last edited by

        There is no iptables on FreeBSD. Wrong forum, dude.

        • I Offline
          isolatedvirus
          last edited by

          You could probably accomplish this with Squid using URL lists.

          • K Offline
            kpa
            last edited by

            PF is a strict layer 3 packet filter and that means that it won't look inside the data payload on the packets no matter what you do. As noted you'll need a proxy of some sort to accomplish layer 7 filtering on pfSense.

            • F Offline
              Fabio72
              last edited by

              Also with Snort you can do something like this.
              For example https://forum.pfsense.org/index.php?topic=84227.0

              • pozoleroP Offline
                pozolero Rebel Alliance
                last edited by

                @doktornotor:

                There is no iptables on FreeBSD. Wrong forum, dude.

                Thanks for the answer, dude.

                I'll quote:

                Hi everyone! I have an iptables script (yes, I know pfSense doesn't use iptables), but I think it's a clever script.

                This script was on a Debian server with Squid in transparent mode, and was for blocking HTTPS (443) connections to domains like youtube.com without blocking the google.com domain. Both domains use the same IP address.

                My question is: is it possible to achieve something like these firewall rules on pfSense?

                :-)

                • pozoleroP Offline
                  pozolero Rebel Alliance
                  last edited by

                  @Fabio72:

                  Also with Snort you can do something like this.
                  For example https://forum.pfsense.org/index.php?topic=84227.0

                  Looks very interesting!! I'll try to make some tests on VirtualBox.

                  Thanks a lot

                  • pozoleroP Offline
                    pozolero Rebel Alliance
                    last edited by

                    @isolatedvirus:

                    You could probably accomplish this with Squid using URL lists.

                    Thanks for your answer; the problem is HTTPS sites over transparent Squid.

                    • pozoleroP Offline
                      pozolero Rebel Alliance
                      last edited by

                      @kpa:

                      PF is a strict layer 3 packet filter and that means that it won't look inside the data payload on the packets no matter what you do. As noted you'll need a proxy of some sort to accomplish layer 7 filtering on pfSense.

                      Thanks for your answer.

                      • I Offline
                        isolatedvirus
                        last edited by

                        @pozolero:

                        @isolatedvirus:

                        You could probably accomplish this with Squid using URL lists.

                        Thanks for your answer; the problem is HTTPS sites over transparent Squid.

                        Squid can handle HTTPS sites, just not transparently IIRC. You'll have to load the cert on each computer passing through the proxy at that point.

                        HOWEVER, an IP alias in pfSense "Firewall->Alias->IP->Add->Type: URL (IPs)" can accept hostnames and domain names. If your goal is to just block access to these sites, you can create an alias, add all the websites/domains in there you want, and create a deny rule when user traffic is destined to them. This is accomplished by pfSense periodically doing an nslookup on anything in that list, and adding every IP it receives in response to its list.

                        This would effectively stop HTTP and HTTPS, as well as any traffic to the destined hosts.

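As an added illustration of the alias mechanism described in the post above (this is example code written for this page, not pfSense code and not something anyone in the thread posted): a small Python simulation of a hostname alias used in a block rule. The hostnames, the DNS answers and the sample flows are constructed (RFC 5737 documentation addresses), and the function names are my own. It models the caveat that follows from PF being a layer 3 filter: the rule sees only the destination IP, so any hostname you meant to leave reachable that shares an address with a blocked hostname gets blocked as well, which is the youtube.com/google.com situation the original question describes. The collateral check is the part worth running before deploying such an alias.

```python
import ipaddress
from typing import Callable, Dict, Iterable, List, Set, Tuple

IPSet = Set[ipaddress.IPv4Address]
Resolver = Callable[[str], List[str]]

# Constructed DNS answers (RFC 5737 documentation ranges), not real records.
# The shared address 203.0.113.10 models the original post's situation:
# the video site and the search site answer from the same server address.
FAKE_DNS: Dict[str, List[str]] = {
    "youtube.com":     ["203.0.113.10"],
    "www.youtube.com": ["203.0.113.10", "203.0.113.11"],
    "www.google.com":  ["203.0.113.10", "203.0.113.20"],
    "twitter.com":     ["198.51.100.5"],
}


def fake_lookup(hostname: str) -> List[str]:
    """Stand-in for the DNS query run when a hostname alias is refreshed."""
    return FAKE_DNS.get(hostname, [])


def resolve_alias(hostnames: Iterable[str], lookup: Resolver = fake_lookup) -> IPSet:
    """Build the IP table behind a hostname alias: every address returned
    for every hostname is added, as the periodic alias refresh does."""
    table: IPSet = set()
    for host in hostnames:
        for addr in lookup(host):
            table.add(ipaddress.IPv4Address(addr))
    return table


def pf_verdict(dst_ip: str, blocked: IPSet) -> str:
    """Decide as a 'block ... to <alias>' rule would. Only the destination
    address is consulted; the requested hostname or TLS SNI is not visible
    to a layer 3 packet filter."""
    return "block" if ipaddress.IPv4Address(dst_ip) in blocked else "pass"


def collateral_blocks(block_hosts: Iterable[str], allow_hosts: Iterable[str],
                      lookup: Resolver = fake_lookup) -> Dict[str, IPSet]:
    """Report hostnames you intended to keep reachable that share at least
    one address with a blocked hostname. Traffic to those shared addresses
    is blocked regardless of which site the client asked for."""
    blocked = resolve_alias(block_hosts, lookup)
    hits: Dict[str, IPSet] = {}
    for host in allow_hosts:
        shared = resolve_alias([host], lookup) & blocked
        if shared:
            hits[host] = shared
    return hits


def evaluate_flows(flows: List[Tuple[str, str]], blocked: IPSet) -> List[Tuple[str, str, str]]:
    """Apply the rule to constructed (destination IP, requested hostname)
    pairs and return (hostname, dst_ip, verdict). The hostname is carried
    only for the report; the verdict never depends on it."""
    return [(sni, dst, pf_verdict(dst, blocked)) for dst, sni in flows]


if __name__ == "__main__":
    block_alias = ["youtube.com", "www.youtube.com"]
    blocked = resolve_alias(block_alias)
    print("alias table:", sorted(str(a) for a in blocked))

    # Check for side effects before relying on the alias.
    for host, shared in collateral_blocks(block_alias, ["www.google.com", "twitter.com"]).items():
        print(f"warning: {host} shares {sorted(map(str, shared))} with the block list")

    # Constructed flows: the google.com request to the shared address is blocked.
    sample = [
        ("203.0.113.10", "www.youtube.com"),
        ("203.0.113.10", "www.google.com"),
        ("203.0.113.20", "www.google.com"),
        ("198.51.100.5", "twitter.com"),
    ]
    for sni, dst, verdict in evaluate_flows(sample, blocked):
        print(f"{verdict:5} {dst:15} ({sni})")
```

Running it prints the alias table, a warning that www.google.com shares 203.0.113.10 with the block list, and verdicts for the four constructed flows; the second flow is blocked even though the client asked for www.google.com. Against a real resolver the answers change over time, which is why the alias is refreshed periodically and why the overlap check should be repeated, not run once.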
                        • pozoleroP Offline
                          pozolero Rebel Alliance
                          last edited by

                          @isolatedvirus:

                          Squid can handle HTTPS sites, just not transparently IIRC. You'll have to load the cert on each computer passing through the proxy at that point.

                          HOWEVER, an IP alias in pfSense "Firewall->Alias->IP->Add->Type: URL (IPs)" can accept hostnames and domain names. If your goal is to just block access to these sites, you can create an alias, add all the websites/domains in there you want, and create a deny rule when user traffic is destined to them. This is accomplished by pfSense periodically doing an nslookup on anything in that list, and adding every IP it receives in response to its list.

                          This would effectively stop HTTP and HTTPS, as well as any traffic to the destined hosts.

                          I'll try this, thank you.

                          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.