Question about Firewall rules
-
Hi everyone! I have an iptables script (yes, I know pfSense doesn't use iptables), but I think it's a clever script.
This script was on a Debian server with Squid in transparent mode, and was for blocking HTTPS (443) connections for domains like youtube.com without blocking the google.com domain. Both domains use the same IP address.
My question is: is it possible to achieve something like these firewall rules on pfSense?
I'll leave the firewall script below.
#! /bin/sh
# BLOCKING HTTPS CONNECTIONS / PORT 443
echo "Starting Firewall. "
echo "Applying Firewall Rules .........."
iptables -F
iptables -X
iptables -t nat -F
iptables -t nat -X
iptables -t nat -Z
#iptables -P INPUT ACCEPT
#iptables -P OUTPUT ACCEPT
#iptables -P FORWARD DROP
INTERNET="eth0"
LAN="eth1"
IPLAN="172.16.0.0/12"
RED="172.20.5"
MOVIL="172.20.10"
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
echo 1 > /proc/sys/net/ipv4/ip_forward
iptables -A INPUT -i lo -j ACCEPT # Localhost
iptables -A OUTPUT -o lo -j ACCEPT # Localhost
#---------------------------------------------------------------------
# NOTE: the next rule accepts every forwarded HTTPS packet before any rule below it
# is evaluated, so the per-user 443 ACCEPTs and the youtube.com / Twitter DROPs
# further down only take effect for port 443 while this line is commented out.
iptables -A FORWARD -p tcp --dport 443 -j ACCEPT # HTTPS
iptables -A INPUT -i $INTERNET -p tcp --dport 20 -j ACCEPT # FTP
iptables -A INPUT -i $INTERNET -p tcp --dport 21 -j ACCEPT # FTP
#iptables -A INPUT -i $INTERNET -p tcp --dport 22 -j ACCEPT # SSH
#iptables -A INPUT -i $INTERNET -p tcp --dport 25 -j ACCEPT # SMTP
#iptables -A INPUT -i $INTERNET -p tcp --dport 53 -j ACCEPT # DNS
#iptables -A INPUT -i $INTERNET -p tcp --dport 80 -j ACCEPT # WEB
#iptables -A INPUT -i $INTERNET -p tcp --dport 110 -j ACCEPT # POP
#iptables -A INPUT -i $INTERNET -p tcp --dport 143 -j ACCEPT # IMAP
#iptables -A INPUT -i $INTERNET -p tcp --dport 1433 -j ACCEPT # SQL Server
#iptables -A INPUT -i $INTERNET -p tcp --dport 3306 -j ACCEPT # MySQL
iptables -A INPUT -p tcp --dport 20 -j ACCEPT # FTP
iptables -A INPUT -p tcp --dport 21 -j ACCEPT # FTP
iptables -A OUTPUT -p tcp --sport 20 -j ACCEPT # FTP
iptables -A OUTPUT -p tcp --sport 21 -j ACCEPT # FTP
iptables -A INPUT -p tcp --dport 22 -j ACCEPT # SSH
iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT # SSH
iptables -A INPUT -p tcp --dport 25 -j ACCEPT # SMTP
iptables -A OUTPUT -p tcp --sport 25 -j ACCEPT # SMTP
iptables -A INPUT -p tcp --dport 80 -j ACCEPT # WEB
iptables -A OUTPUT -p tcp --sport 80 -j ACCEPT # WEB
iptables -A INPUT -p tcp --dport 110 -j ACCEPT # POP MAIL
iptables -A OUTPUT -p tcp --sport 110 -j ACCEPT # POP MAIL
iptables -A INPUT -p tcp --dport 143 -j ACCEPT # IMAP MAIL
iptables -A OUTPUT -p tcp --sport 143 -j ACCEPT # IMAP MAIL
#iptables -A INPUT -p tcp --dport 1433 -j ACCEPT # SQL Server
#iptables -A OUTPUT -p tcp --sport 1433 -j ACCEPT # SQL Server
#iptables -A INPUT -p tcp --dport 3306 -j ACCEPT # MySQL
#iptables -A OUTPUT -p tcp --sport 3306 -j ACCEPT # MySQL
iptables -A INPUT -p tcp --dport 7777 -j ACCEPT # CNPSS
iptables -A OUTPUT -p tcp --sport 7777 -j ACCEPT # CNPSS
#-----------------------------------------------------------------------
# Transparent proxy: LAN port 80 is redirected to Squid on 172.20.5.1:3128
iptables -t nat -A PREROUTING -s $IPLAN -p tcp --dport 80 -j DNAT --to 172.20.5.1:3128
iptables -t nat -A POSTROUTING -s $IPLAN -o $INTERNET -j MASQUERADE
# ACCESS LEVELS FOR UNRESTRICTED IP
# WEBSITE RESTRICTIONS ARE MADE BY SQUID, FIREWALL ONLY CONTROLS HTTPS ACCESS
# --------------------------------------- FIREWALL LEVELS
# 1° LEVEL - NO RESTRICTIONS
# 2° LEVEL - ACCESS ONLY FACEBOOK + TWITTER + YOUTUBE + DROPBOX, BLOCKED PEER-TO-PEER
# 3° LEVEL - ACCESS ONLY FACEBOOK; TWITTER, YOUTUBE, DROPBOX, BLOCKED PEER-TO-PEER
iptables -A FORWARD -d 151.101.0.0/16 -j ACCEPT
iptables -A OUTPUT -p tcp -d 151.101.0.0/16 -j ACCEPT
# Schoology (a hostname given to -d is resolved once, when the script runs)
iptables -A FORWARD -p tcp -d schoology.com --dport 443 -j ACCEPT
#iptables -A OUTPUT -p tcp -d www.schoology.com -j ACCEPT
#iptables -A OUTPUT -p tcp -d schoology.com -j ACCEPT
# UNRESTRICTED IP (ACCESS LEVEL 1)
#-----------------------------------------------------------------------------
iptables -A FORWARD -s $RED.41 -o $INTERNET -j ACCEPT # USER
iptables -A FORWARD -s $RED.42 -o $INTERNET -j ACCEPT # USER
iptables -A FORWARD -s $RED.48 -o $INTERNET -j ACCEPT # USER
iptables -A FORWARD -s $RED.49 -o $INTERNET -j ACCEPT # USER
iptables -A FORWARD -s $RED.55 -o $INTERNET -j ACCEPT # USER
iptables -A FORWARD -s $RED.57 -o $INTERNET -j ACCEPT # USER
iptables -A FORWARD -s $RED.68 -o $INTERNET -j ACCEPT # USER
iptables -A FORWARD -s $RED.69 -o $INTERNET -j ACCEPT # USER
iptables -A FORWARD -s $RED.70 -o $INTERNET -j ACCEPT # USER
iptables -A FORWARD -s $RED.76 -o $INTERNET -j ACCEPT # USER
iptables -A FORWARD -s $RED.129 -o $INTERNET -j ACCEPT # USER
iptables -A FORWARD -s $RED.141 -o $INTERNET -j ACCEPT # USER
iptables -A FORWARD -s $RED.168 -o $INTERNET -j ACCEPT # USER
iptables -A FORWARD -s $RED.170 -o $INTERNET -j ACCEPT # USER
iptables -A FORWARD -s $RED.249 -o $INTERNET -j ACCEPT # USER
iptables -A FORWARD -s $RED.218 -o $INTERNET -j ACCEPT # USER
#----------------------------------------------------------------------------
# APPLE SERVERS
#----------------------------
#iptables -A FORWARD -d 74.125.0.0/16 -j ACCEPT # Google
iptables -A FORWARD -s 17.142.160.59 -j ACCEPT
iptables -A FORWARD -s 17.172.224.47 -j ACCEPT
iptables -A FORWARD -s 17.178.96.59 -j ACCEPT
iptables -A FORWARD -s $MOVIL.10 -o $INTERNET -j ACCEPT # CELL PHONE
iptables -A FORWARD -s $MOVIL.15 -o $INTERNET -j ACCEPT # CELL PHONE
iptables -A FORWARD -s $MOVIL.19 -o $INTERNET -j ACCEPT # CELL PHONE
iptables -A FORWARD -s $MOVIL.20 -o $INTERNET -j ACCEPT # CELL PHONE
iptables -A FORWARD -s $MOVIL.21 -o $INTERNET -j ACCEPT # CELL PHONE
iptables -A FORWARD -s $MOVIL.36 -o $INTERNET -j ACCEPT # CELL PHONE
iptables -A FORWARD -s $MOVIL.77 -o $INTERNET -j ACCEPT # CELL PHONE
iptables -A FORWARD -s $MOVIL.78 -o $INTERNET -j ACCEPT # CELL PHONE
iptables -A FORWARD -s $MOVIL.39 -o $INTERNET -j ACCEPT # CELL PHONE
iptables -A FORWARD -s $MOVIL.40 -o $INTERNET -j ACCEPT # CELL PHONE
iptables -A FORWARD -s $MOVIL.44 -o $INTERNET -j ACCEPT # CELL PHONE
iptables -A FORWARD -s $MOVIL.85 -o $INTERNET -j ACCEPT # TABLET
# BLOCKED TORRENT DOWNLOADS
# (bare words such as "torrent" and "announce" also match ordinary web pages that contain them)
#----------------------------------------------------------------------------
iptables -A FORWARD -m string --algo bm --string "BitTorrent" -j DROP
iptables -A FORWARD -m string --algo bm --string "BitTorrent protocol" -j DROP
iptables -A FORWARD -m string --algo bm --string "peer_id" -j DROP
iptables -A FORWARD -m string --algo bm --string ".torrent" -j DROP
iptables -A FORWARD -m string --algo bm --string "announce.php?passkey=" -j DROP
iptables -A FORWARD -m string --algo bm --string "torrent" -j DROP
iptables -A FORWARD -m string --algo bm --string "announce" -j DROP
iptables -A FORWARD -m string --algo bm --string "info_hash" -j DROP
iptables -A FORWARD -m string --algo bm --string "get_peers" -j DROP
iptables -A FORWARD -m string --algo bm --string "announce_peer" -j DROP
iptables -A FORWARD -m string --algo bm --string "find_node" -j DROP
# BLOCKED TORRENT AND P2P
# BY MODULE ----- apt-get install xtables-addons-common
# iptables -m ipp2p --help
#-------------------------------------------------------
#iptables -A FORWARD -p tcp -m ipp2p --edk -j DROP
#iptables -A FORWARD -p udp -m ipp2p --edk -j DROP
#iptables -A FORWARD -p tcp -m ipp2p --dc -j DROP
#iptables -A FORWARD -p tcp -m ipp2p --kazaa -j DROP
#iptables -A FORWARD -p udp -m ipp2p --kazaa -j DROP
#iptables -A FORWARD -p tcp -m ipp2p --gnu -j DROP
#iptables -A FORWARD -p udp -m ipp2p --gnu -j DROP
#iptables -A FORWARD -p tcp -m ipp2p --bit -j DROP
#iptables -A FORWARD -p udp -m ipp2p --bit -j DROP
#iptables -A FORWARD -p tcp -m ipp2p --apple -j DROP
#iptables -A FORWARD -p tcp -m ipp2p --winmx -j DROP
#iptables -A FORWARD -p tcp -m ipp2p --soul -j DROP
#iptables -A FORWARD -p tcp -m ipp2p --ares -j DROP
# IP WITH HTTPS - 443 ACCESS GRANTED (ACCESS LEVEL 2)
#-----------------------------------------------------------------------------
iptables -A FORWARD -s $RED.56 -p tcp --dport 443 -j ACCEPT # USER
iptables -A FORWARD -s $RED.59 -p tcp --dport 443 -j ACCEPT # USER
iptables -A FORWARD -s $RED.67 -p tcp --dport 443 -j ACCEPT # USER
iptables -A FORWARD -s $RED.69 -p tcp --dport 443 -j ACCEPT # USER
iptables -A FORWARD -s $RED.73 -p tcp --dport 443 -j ACCEPT # USER
iptables -A FORWARD -s $RED.74 -p tcp --dport 443 -j ACCEPT # USER
iptables -A FORWARD -s $RED.77 -p tcp --dport 443 -j ACCEPT # USER
iptables -A FORWARD -s $RED.79 -p tcp --dport 443 -j ACCEPT # USER
iptables -A FORWARD -s $RED.80 -p tcp --dport 443 -j ACCEPT # USER
iptables -A FORWARD -s $RED.102 -p tcp --dport 443 -j ACCEPT # USER
iptables -A FORWARD -s $RED.104 -p tcp --dport 443 -j ACCEPT # USER
iptables -A FORWARD -s $RED.150 -p tcp --dport 443 -j ACCEPT # USER
iptables -A FORWARD -s $RED.176 -p tcp --dport 443 -j ACCEPT # USER
iptables -A FORWARD -s $RED.201 -p tcp --dport 443 -j ACCEPT # USER
#----------------------
# BLOCKING YOUTUBE AND TWITTER
# TO BLOCK YOUTUBE, FIRST WE NEED TO ACCEPT GOOGLE REQUESTS BECAUSE BOTH DOMAINS
# DEPEND ON THE SAME SERVERS OR IP ADDRESS BUT THE DOMAIN REQUEST IS INDEPENDENT.
# AFTER THIS, I PERMIT ACCESS TO THE GOOGLE DOMAIN BUT NOT TO THE YOUTUBE DOMAIN
# (-m string scans the raw payload: on port 443 the only cleartext copy of the hostname
# is the SNI in the TLS ClientHello, and bm is an unanchored substring match; DNS queries
# are not caught by these rules because the wire format carries length bytes, not dots)
#-----------------------------------------------------------------------------
iptables -A FORWARD -m string --string "google.com" --algo bm -j ACCEPT
iptables -A FORWARD -m string --string "youtube.com" --algo bm -j DROP
#iptables -A FORWARD -m string --string "dropbox.com" --algo bm -j DROP
iptables -A FORWARD -d 199.59.148.0/22 -j DROP # Twitter
# BLOCKED YOUTUBE, BLOCKED DOWNLOADS, UNBLOCKED FACEBOOK (ACCESS LEVEL 3)
#-----------------------------------------------------------------------------
iptables -A FORWARD -s $RED.49 -p tcp --dport 443 -j ACCEPT # USER
# BLOCKED FACEBOOK SERVERS
#-----------------------------------------------------------------------------
iptables -A FORWARD -d 65.201.208.24/29 -j DROP
iptables -A FORWARD -d 65.204.104.128/28 -j DROP
iptables -A FORWARD -d 66.92.180.48/29 -j DROP
iptables -A FORWARD -d 67.200.105.48/28 -j DROP
iptables -A FORWARD -d 69.63.176.0/30 -j DROP
iptables -A FORWARD -d 69.171.224.0/20 -j DROP
iptables -A FORWARD -d 74.119.76.0/19 -j DROP
iptables -A FORWARD -d 204.25.20.0/22 -j DROP
iptables -A FORWARD -d 66.220.144.0/20 -j DROP
iptables -A FORWARD -d 173.252.64.0/18 -j DROP
# SCHOOLOGY.COM
#----------------------------------------------------------
#iptables -A FORWARD -d 151.101.0.0/16 -j ACCEPT
#iptables -A FORWARD -m string --string "schoology.com" --algo bm -j ACCEPT
#iptables -I INPUT -p tcp --dport 443 -m string --string "schoology.com" --algo bm -j ACCEPT
# GRANT ACCESS TO HTTPS - 443 WEBSITES
#-------------------------------------------------------------------------------
#iptables -A FORWARD -s 52.2.100.81 -p tcp --dport 443 -j ACCEPT # WEBSITE
#iptables -A FORWARD -s 52.204.251.50 -p tcp --dport 443 -j ACCEPT # WEBSITE
#iptables -A FORWARD -s 107.23.6.245 -p tcp --dport 443 -j ACCEPT # WEBSITE
#iptables -A FORWARD -s 52.21.168.68 -p tcp --dport 443 -j ACCEPT # WEBSITE
#iptables -A FORWARD -p tcp -m iprange --dst-range 74.125.0.0-74.125.255.255 --dport 443 -j ACCEPT # Google
iptables -A FORWARD -d 74.125.0.0/16 -j ACCEPT # Google
#iptables -A FORWARD -p tcp -d accounts.google.com --dport 443 -j ACCEPT # Gmail
#iptables -A FORWARD -p tcp -m iprange --dst-range 172.194.46.0-173.194.46.255 --dport 443 -j ACCEPT # Gmail
#iptables -A FORWARD -p tcp -d mail.google.com --dport 443 -j ACCEPT # Gmail
#iptables -A FORWARD -s 187.210.186.221 -p tcp --dport 443 -j ACCEPT # WEBSITE
#iptables -A FORWARD -s 187.191.75.171 -p tcp --dport 443 -j ACCEPT # WEBSITE
#iptables -A FORWARD -p tcp -d www.website.com --dport 443 -j ACCEPT #
#iptables -A FORWARD -s 65.66.206.154 -p tcp --dport 443 -j ACCEPT # Hotmail
#iptables -A FORWARD -p tcp -d live.com --dport 443 -j ACCEPT # Hotmail
#iptables -A FORWARD -p tcp -d login.live.com --dport 443 -j ACCEPT # Hotmail
#iptables -A FORWARD -p tcp -d secure.shared.live.com --dport 443 -j ACCEPT # Hotmail
#iptables -A FORWARD -p tcp -d outlook.com --dport 443 -j ACCEPT # Hotmail
#iptables -A FORWARD -d 157.54.0.0/15 -j ACCEPT # Outlook.com
#iptables -A FORWARD -d 157.56.0.0/14 -j ACCEPT # Outlook.com
#iptables -A FORWARD -d 157.60.0.0/16 -j ACCEPT # Outlook.com
#iptables -A FORWARD -d 132.245.0.0/16 -j ACCEPT # Outlook.com
#iptables -A FORWARD -d 131.253.62.0/23 -j DROP # login.live.com
#iptables -A FORWARD -d 131.253.128.0/17 -j DROP # login.live.com
#iptables -A FORWARD -d 131.253.61.0/24 -j DROP # login.live.com
#iptables -A FORWARD -d 131.253.64.0/18 -j DROP # login.live.com
#iptables -A FORWARD -d 65.52.0.0/14 -j DROP # mail.live.com
iptables -A FORWARD -d 189.202.196.50 -j ACCEPT
iptables -A FORWARD -d 189.203.200.235 -j ACCEPT
# ALL PORTS BLOCKED
#-------------------------------------------------------------------------------
#iptables -A INPUT -j DROP
#iptables -A OUTPUT -j DROP
#iptables -A FORWARD -j LOG
#iptables -A FORWARD -p tcp --dport 443 -j DROP # HTTPS
What I want to know or confirm is whether I can configure something like this:
# BLOCKING YOUTUBE AND TWITTER
# TO BLOCK YOUTUBE, FIRST WE NEED TO ACCEPT GOOGLE REQUESTS BECAUSE BOTH DOMAINS
# DEPEND ON THE SAME SERVERS OR IP ADDRESS BUT THE DOMAIN REQUEST IS INDEPENDENT.
# AFTER THIS, I PERMIT ACCESS TO THE GOOGLE DOMAIN BUT NOT TO THE YOUTUBE DOMAIN
#-----------------------------------------------------------------------------
iptables -A FORWARD -m string --string "google.com" --algo bm -j ACCEPT
iptables -A FORWARD -m string --string "youtube.com" --algo bm -j DROP
#iptables -A FORWARD -m string --string "dropbox.com" --algo bm -j DROP
iptables -A FORWARD -d 199.59.148.0/22 -j DROP # Twitter
So I can make an IP alias in the firewall rules to block some users on the LAN.
Best regards!
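An added example, not part of the post above and not taken from the poster's script: it shows what the `-m string --string "youtube.com"` rule is really matching on port 443. Both names may resolve to one address, but the hostname still travels in cleartext in the SNI extension of the TLS ClientHello, which is why a substring rule can tell them apart. The code builds a minimal ClientHello for a chosen SNI (a constructed packet, not a capture), parses the SNI back out, and evaluates the script's two rules in the script's order, once the way xt_string does (unanchored substring over the whole payload) and once on the parsed name, so the over-match on names like myyoutube.com and the miss on DNS queries (length-prefixed labels, no dots) are visible. The `RULES` list and the example names are assumptions for the demo.

```python
import struct

# Added example, not code from the forum post. Packets are constructed inline.
RULES = [("google.com", "ACCEPT"), ("youtube.com", "DROP")]   # order taken from the script


def build_client_hello(server_name: str) -> bytes:
    """Minimal TLS ClientHello record carrying a single server_name extension.
    Everything except the SNI is filler, constructed only so the parser has input."""
    name = server_name.encode()
    entry = b"\x00" + struct.pack("!H", len(name)) + name            # name_type 0 = host_name
    sni_list = struct.pack("!H", len(entry)) + entry
    ext = struct.pack("!HH", 0, len(sni_list)) + sni_list            # extension type 0 = server_name
    body = (b"\x03\x03" + b"\x11" * 32                               # client_version + random
            + b"\x00"                                                # session_id (empty)
            + b"\x00\x02\x13\x01"                                    # one cipher suite
            + b"\x01\x00"                                            # one compression method
            + struct.pack("!H", len(ext)) + ext)                     # extensions block
    hs = b"\x01" + struct.pack("!I", len(body))[1:] + body           # handshake type 1, 24-bit length
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs         # record type 22 (handshake)


def extract_sni(packet: bytes):
    """Return the host_name from a ClientHello record, or None if there is none."""
    if len(packet) < 6 or packet[0] != 0x16 or packet[5] != 0x01:
        return None
    p = 5 + 4 + 2 + 32                                   # record hdr, handshake hdr, version, random
    p += 1 + packet[p]                                   # session_id
    p += 2 + struct.unpack("!H", packet[p:p + 2])[0]     # cipher suites
    p += 1 + packet[p]                                   # compression methods
    if p + 2 > len(packet):
        return None
    end = p + 2 + struct.unpack("!H", packet[p:p + 2])[0]
    p += 2
    while p + 4 <= end:
        etype, elen = struct.unpack("!HH", packet[p:p + 4])
        p += 4
        if etype == 0:                                   # server_name: list len, then (type, len, name)
            q = p + 2
            if packet[q] == 0:
                nlen = struct.unpack("!H", packet[q + 1:q + 3])[0]
                return packet[q + 3:q + 3 + nlen].decode()
        p += elen
    return None


def dns_wire_name(name: str) -> bytes:
    """DNS carries names as length-prefixed labels: 'www.youtube.com' never appears with dots."""
    return b"".join(bytes([len(label)]) + label.encode() for label in name.split(".")) + b"\x00"


def verdict_substring(packet: bytes, default: str = "ACCEPT") -> str:
    """xt_string semantics: the first rule whose pattern occurs anywhere in the payload wins."""
    for pattern, action in RULES:
        if pattern.encode() in packet:
            return action
    return default


def verdict_exact_sni(packet: bytes, default: str = "ACCEPT") -> str:
    """Policy on the parsed SNI: the name must equal the domain or be one of its subdomains."""
    name = extract_sni(packet)
    if name is None:
        return default
    for domain, action in RULES:
        if name == domain or name.endswith("." + domain):
            return action
    return default


if __name__ == "__main__":
    for sni in ("www.google.com", "www.youtube.com", "myyoutube.com"):
        pkt = build_client_hello(sni)
        print(f"{sni:18} substring={verdict_substring(pkt):6} exact={verdict_exact_sni(pkt)}")
    print("DNS query for www.youtube.com:", verdict_substring(dns_wire_name("www.youtube.com")))
```

Two things worth noticing when you run it: a ClientHello for myyoutube.com is dropped by the substring rule but not by the SNI rule, and a DNS query for www.youtube.com passes the substring rule untouched, so the script only ever blocks the TLS handshake and the HTTP Host header, never the name lookup.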
-
There is no iptables on FreeBSD. Wrong forum, dude.
-
You could probably accomplish this with Squid using URL lists.
-
PF is a strict layer 3 packet filter and that means that it won't look inside the data payload on the packets no matter what you do. As noted you'll need a proxy of some sort to accomplish layer 7 filtering on pfSense.
-
Also with Snort you can do something like this.
For example https://forum.pfsense.org/index.php?topic=84227.0
-
There is no iptables on FreeBSD. Wrong forum, dude.
Thanks for the answer, dude.
I'll quote:
Hi everyone! I have an iptables script (yes, I know pfSense doesn't use iptables), but I think it's a clever script.
This script was on a Debian server with Squid in transparent mode, and was for blocking HTTPS (443) connections for domains like youtube.com without blocking the google.com domain. Both domains use the same IP address.
My question is: is it possible to achieve something like these firewall rules on pfSense?
:-)
-
Also with Snort you can do something like this.
For example https://forum.pfsense.org/index.php?topic=84227.0
Looks very interesting!! I'll try to run some tests in VirtualBox.
Thanks a lot
-
You could probably accomplish this with Squid using URL lists.
Thanks for your answer; the problem is HTTPS sites over transparent Squid.
-
@kpa:
PF is a strict layer 3 packet filter and that means that it won't look inside the data payload on the packets no matter what you do. As noted you'll need a proxy of some sort to accomplish layer 7 filtering on pfSense.
Thanks for your answer.
-
You could probably accomplish this with Squid using URL lists.
Thanks for your answer; the problem is HTTPS sites over transparent Squid.
Squid can handle HTTPS sites, just not transparently IIRC. You'll have to load the cert on each computer passing through the proxy at that point.
HOWEVER, an IP alias in pfSense ("Firewall->Alias->IP->Add->Type: URL (IPs)") can accept hostnames and domain names. If your goal is just to block access to these sites, you can create an alias, add all the websites/domains you want in there, and create a deny rule for when user traffic is destined to them. This is accomplished by pfSense periodically doing an nslookup on everything in that list and adding every IP it receives in response to its list.
This would effectively stop HTTP and HTTPS, as well as any other traffic to the destined hosts.
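An added example, not from the reply above and not pfSense's own code, to make the consequence of the alias approach concrete: once the hostnames are resolved, the alias is just a table of addresses and the rule blocks by destination address only, so it cannot separate two names that share an address. The resolver answers are constructed sample data in documentation ranges (not live lookups) chosen to mirror the original poster's situation, where youtube.com and google.com resolve to a common address; the `collateral` check lists the hosts you meant to keep reachable that the block would also cut off, and `drift` lists addresses a name has moved to since the alias was last refreshed. The alias name, the interface `em1` in the rendered pf fragment and the hostnames used are assumptions for the demo.

```python
from ipaddress import ip_address, ip_network

# Added example, not from the forum or from pfSense. SAMPLE_DNS is constructed data.
SAMPLE_DNS = {
    "youtube.com":     ["203.0.113.10", "203.0.113.11"],
    "www.youtube.com": ["203.0.113.10"],
    "google.com":      ["203.0.113.10", "203.0.113.20"],   # shares .10 with youtube.com
    "www.google.com":  ["203.0.113.20"],
    "twitter.com":     ["198.51.100.5"],
}


def resolve(name, dns=SAMPLE_DNS):
    """Stand-in for the periodic lookup pfSense runs for each alias entry."""
    return sorted(dns.get(name, []), key=ip_address)


def build_alias(hostnames, dns=SAMPLE_DNS):
    """Union of every address the hostnames resolve to, as /32 entries (what the alias table holds)."""
    table = {ip_network(a + "/32") for h in hostnames for a in resolve(h, dns)}
    return sorted(table, key=lambda n: int(n.network_address))


def is_blocked(dst, alias):
    """The firewall's decision: destination address in the table or not; no hostname is involved."""
    dst = ip_address(dst)
    return any(dst in net for net in alias)


def collateral(block_hosts, keep_hosts, dns=SAMPLE_DNS):
    """keep_hosts that share at least one address with the block alias, with the shared addresses."""
    alias = build_alias(block_hosts, dns)
    hits = {}
    for h in keep_hosts:
        shared = [a for a in resolve(h, dns) if is_blocked(a, alias)]
        if shared:
            hits[h] = shared
    return hits


def drift(hostnames, alias, dns_now):
    """Addresses the hostnames resolve to now that the last-built alias does not cover:
    traffic to these passes until the next alias refresh."""
    covered = {n.network_address for n in alias}
    missed = {a for h in hostnames for a in resolve(h, dns_now) if ip_address(a) not in covered}
    return sorted(missed, key=ip_address)


def pf_fragment(name, alias, lan_if="em1"):
    """Illustrative pf syntax for the table and a LAN block rule (interface name is assumed)."""
    addrs = ", ".join(str(n.network_address) for n in alias)
    return [f"table <{name}> {{ {addrs} }}",
            f"block drop in quick on {lan_if} inet from any to <{name}>"]


if __name__ == "__main__":
    block = ["youtube.com", "www.youtube.com"]
    alias = build_alias(block)
    print("\n".join(pf_fragment("BlockedSites", alias)))
    print("collateral:", collateral(block, ["google.com", "www.google.com", "twitter.com"]))
    later = dict(SAMPLE_DNS, **{"youtube.com": ["203.0.113.10", "203.0.113.12"]})
    print("missed until refresh:", drift(block, alias, later))
```

With these sample answers, blocking youtube.com also blocks one of google.com's two addresses, which is exactly the case the original poster was trying to avoid; run `collateral` against the real answers for your list before enabling the rule, and keep the alias refresh interval short enough that `drift` stays empty.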
-
Squid can handle HTTPS sites, just not transparently IIRC. You'll have to load the cert on each computer passing through the proxy at that point.
HOWEVER, an IP alias in pfSense ("Firewall->Alias->IP->Add->Type: URL (IPs)") can accept hostnames and domain names. If your goal is just to block access to these sites, you can create an alias, add all the websites/domains you want in there, and create a deny rule for when user traffic is destined to them. This is accomplished by pfSense periodically doing an nslookup on everything in that list and adding every IP it receives in response to its list.
This would effectively stop HTTP and HTTPS, as well as any other traffic to the destined hosts.
I'll try this, thank you.