Question about Firewall rules



  • Hi everyone! I have an iptables script (yes, I know pfSense doesn't use iptables), but I think it's a clever script.

    This script was on a Debian server with Squid in transparent mode, and was for blocking HTTPS (443) connections for domains like youtube.com without blocking the google.com domain. Both domains use the same IP address.

    My question is: is it possible to achieve something like these firewall rules on pfSense?

    I'll leave the firewall script below.

    #! /bin/sh
    # BLOCKING HTTPS CONNECTIONS / PORT 443
    
    echo "Starting Firewall. "
    echo "Applying Firewall Rules .........."
    
    iptables -F
    iptables -X
    iptables -t nat -F
    iptables -t nat -X
    iptables -t nat -Z
    
    #iptables -P INPUT ACCEPT
    #iptables -P OUTPUT ACCEPT
    #iptables -P FORWARD DROP
    
    INTERNET="eth0"
    LAN="eth1"
    IPLAN="172.16.0.0/12"
    RED="172.20.5"
    MOVIL="172.20.10"
    
    echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
    echo 1 > /proc/sys/net/ipv4/ip_forward
    
    iptables -A INPUT -i lo -j ACCEPT	# Localhost
    iptables -A OUTPUT -o lo -j ACCEPT	# Localhost
    #---------------------------------------------------------------------
    iptables -A FORWARD -p tcp --dport 443 -j ACCEPT	# HTTPS
    
    iptables -A INPUT -i $INTERNET -p tcp --dport 20 -j ACCEPT	# FTP
    iptables -A INPUT -i $INTERNET -p tcp --dport 21 -j ACCEPT	# FTP
    
    #iptables -A INPUT -i $INTERNET -p tcp --dport 22 -j ACCEPT	# SSH
    #iptables -A INPUT -i $INTERNET -p tcp --dport 25 -j ACCEPT	# SMTP
    #iptables -A INPUT -i $INTERNET -p tcp --dport 53 -j ACCEPT	# DNS
    #iptables -A INPUT -i $INTERNET -p tcp --dport 80 -j ACCEPT	# WEB
    #iptables -A INPUT -i $INTERNET -p tcp --dport 110 -j ACCEPT	# POP
    #iptables -A INPUT -i $INTERNET -p tcp --dport 143 -j ACCEPT	# IMAP
    #iptables -A INPUT -i $INTERNET -p tcp --dport 1433 -j ACCEPT	# SQL Server
    #iptables -A INPUT -i $INTERNET -p tcp --dport 3306 -j ACCEPT	# MySQL
    
    iptables -A INPUT -p tcp --dport 20 -j ACCEPT		# FTP
    iptables -A INPUT -p tcp --dport 21 -j ACCEPT		# FTP
    iptables -A OUTPUT -p tcp --sport 20 -j ACCEPT		# FTP
    iptables -A OUTPUT -p tcp --sport 21 -j ACCEPT		# FTP
    iptables -A INPUT -p tcp --dport 22 -j ACCEPT		# SSH
    iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT		# SSH
    iptables -A INPUT -p tcp --dport 25 -j ACCEPT		# SMTP
    iptables -A OUTPUT -p tcp --sport 25 -j ACCEPT		# SMTP
    iptables -A INPUT -p tcp --dport 80 -j ACCEPT		# WEB
    iptables -A OUTPUT -p tcp --sport 80 -j ACCEPT		# WEB
    iptables -A INPUT -p tcp --dport 110 -j ACCEPT		# POP MAIL
    iptables -A OUTPUT -p tcp --sport 110 -j ACCEPT		# POP MAIL
    iptables -A INPUT -p tcp --dport 143 -j ACCEPT		# IMAP MAIL
    iptables -A OUTPUT -p tcp --sport 143 -j ACCEPT		# IMAP MAIL
    #iptables -A INPUT -p tcp --dport 1433 -j ACCEPT	# SQL Server
    #iptables -A OUTPUT -p tcp --sport 1433 -j ACCEPT	# SQL Server
    #iptables -A INPUT -p tcp --dport 3306 -j ACCEPT	# MySQL
    #iptables -A OUTPUT -p tcp --sport 3306 -j ACCEPT	# MySQL
    
    iptables -A INPUT -p tcp --dport 7777 -j ACCEPT		# CNPSS
    iptables -A OUTPUT -p tcp --sport 7777 -j ACCEPT	# CNPSS
    
    #-----------------------------------------------------------------------
    iptables -t nat -A PREROUTING -s $IPLAN -p tcp --dport 80 -j DNAT --to 172.20.5.1:3128
    iptables -t nat -A POSTROUTING -s $IPLAN -o $INTERNET -j MASQUERADE
    
    # ACCESS LEVELS FOR UNRESTRICTED IP
    # WEBSITES RESTRICTIONS ARE MADE BY SQUID, FIREWALL ONLY CONTROLS HTTPS ACCESS
    
    # --------------------------------------- FIREWALL LEVELS
    # 1° LEVEL -  NO RESTRICTIONS
    # 2° LEVEL -  ACCESS ONLY  FACEBOOK + TWITTER + YOUTUBE + DROPBOX, BLOCKED PEER-TO-PEER
    # 3° LEVEL - ACCESS ONLY FACEBOOK;  TWITTER, YOUTUBE, DROPBOX, BLOCKED PEER-TO-PEER
    
    iptables -A FORWARD -d 151.101.0.0/16 -j ACCEPT
    iptables -A OUTPUT -p tcp -d 151.101.0.0/16 -j ACCEPT	# Schoology
    iptables -A FORWARD -p tcp -d schoology.com --dport 443 -j ACCEPT
    #iptables -A OUTPUT -p tcp -d www.schoology.com -j ACCEPT	
    #iptables -A OUTPUT -p tcp -d schoology.com -j ACCEPT
    
    # UNRESTRICTED IP ( ACCESS LEVEL 1)
    #-----------------------------------------------------------------------------
    iptables -A FORWARD -s $RED.41 -o $INTERNET -j ACCEPT	# USER
    iptables -A FORWARD -s $RED.42 -o $INTERNET -j ACCEPT	# USER
    iptables -A FORWARD -s $RED.48 -o $INTERNET -j ACCEPT	# USER
    iptables -A FORWARD -s $RED.49 -o $INTERNET -j ACCEPT	# USER
    iptables -A FORWARD -s $RED.55 -o $INTERNET -j ACCEPT	# USER
    iptables -A FORWARD -s $RED.57 -o $INTERNET -j ACCEPT	# USER
    iptables -A FORWARD -s $RED.68 -o $INTERNET -j ACCEPT	# USER
    iptables -A FORWARD -s $RED.69 -o $INTERNET -j ACCEPT	# USER
    iptables -A FORWARD -s $RED.70 -o $INTERNET -j ACCEPT	# USER
    iptables -A FORWARD -s $RED.76 -o $INTERNET -j ACCEPT	# USER
    iptables -A FORWARD -s $RED.129 -o $INTERNET -j ACCEPT	# USER
    iptables -A FORWARD -s $RED.141 -o $INTERNET -j ACCEPT	# USER
    iptables -A FORWARD -s $RED.168 -o $INTERNET -j ACCEPT	# USER
    iptables -A FORWARD -s $RED.170 -o $INTERNET -j ACCEPT	# USER
    iptables -A FORWARD -s $RED.249 -o $INTERNET -j ACCEPT	# USER
    iptables -A FORWARD -s $RED.218 -o $INTERNET -j ACCEPT	# USER
    #----------------------------------------------------------------------------
    # APPLE SERVERS
    #----------------------------
    #iptables -A FORWARD -d 74.125.0.0/16 -j ACCEPT		# Google
    iptables -A FORWARD -s 17.142.160.59 -j ACCEPT
    iptables -A FORWARD -s 17.172.224.47 -j ACCEPT
    iptables -A FORWARD -s 17.178.96.59 -j ACCEPT
    
    iptables -A FORWARD -s $MOVIL.10 -o $INTERNET -j ACCEPT		# CELL PHONE
    iptables -A FORWARD -s $MOVIL.15 -o $INTERNET -j ACCEPT		# CELL PHONE
    iptables -A FORWARD -s $MOVIL.19 -o $INTERNET -j ACCEPT		# CELL PHONE
    iptables -A FORWARD -s $MOVIL.20 -o $INTERNET -j ACCEPT		# CELL PHONE
    iptables -A FORWARD -s $MOVIL.21 -o $INTERNET -j ACCEPT		# CELL PHONE
    iptables -A FORWARD -s $MOVIL.36 -o $INTERNET -j ACCEPT		# CELL PHONE
    iptables -A FORWARD -s $MOVIL.77 -o $INTERNET -j ACCEPT		# CELL PHONE
    iptables -A FORWARD -s $MOVIL.78 -o $INTERNET -j ACCEPT		# CELL PHONE
    iptables -A FORWARD -s $MOVIL.39 -o $INTERNET -j ACCEPT		# CELL PHONE
    iptables -A FORWARD -s $MOVIL.40 -o $INTERNET -j ACCEPT		# CELL PHONE
    iptables -A FORWARD -s $MOVIL.44 -o $INTERNET -j ACCEPT		# CELL PHONE
    iptables -A FORWARD -s $MOVIL.85 -o $INTERNET -j ACCEPT 	        # TABLET
    
    # BLOCKED TORRENT DOWNLOADS
    #----------------------------------------------------------------------------
    iptables -A FORWARD -m string --algo bm --string "BitTorrent" -j DROP
    iptables -A FORWARD -m string --algo bm --string "BitTorrent protocol" -j DROP
    iptables -A FORWARD -m string --algo bm --string "peer_id" -j DROP
    iptables -A FORWARD -m string --algo bm --string ".torrent" -j DROP
    iptables -A FORWARD -m string --algo bm --string "announce.php?passkey=" -j DROP
    iptables -A FORWARD -m string --algo bm --string "torrent" -j DROP
    iptables -A FORWARD -m string --algo bm --string "announce" -j DROP
    iptables -A FORWARD -m string --algo bm --string "info_hash" -j DROP
    
    iptables -A FORWARD -m string --algo bm --string "get_peers" -j DROP
    iptables -A FORWARD -m string --algo bm --string "announce_peer" -j DROP
    iptables -A FORWARD -m string --algo bm --string "find_node" -j DROP
    
    # BLOCKED TORRENT AND P2P
    # BY MODULE ----- apt-get install xtables-addons-common
    # iptables -m ipp2p --help
    #-------------------------------------------------------
    #iptables -A FORWARD -p tcp -m ipp2p --edk -j DROP
    #iptables -A FORWARD -p udp -m ipp2p --edk -j DROP
    #iptables -A FORWARD -p tcp -m ipp2p --dc -j DROP
    #iptables -A FORWARD -p tcp -m ipp2p --kazaa -j DROP
    #iptables -A FORWARD -p udp -m ipp2p --kazaa -j DROP
    #iptables -A FORWARD -p tcp -m ipp2p --gnu -j DROP
    #iptables -A FORWARD -p udp -m ipp2p --gnu -j DROP
    #iptables -A FORWARD -p tcp -m ipp2p --bit -j DROP
    #iptables -A FORWARD -p udp -m ipp2p --bit -j DROP
    #iptables -A FORWARD -p tcp -m ipp2p --apple -j DROP
    #iptables -A FORWARD -p tcp -m ipp2p --winmx -j DROP
    #iptables -A FORWARD -p tcp -m ipp2p --soul -j DROP
    #iptables -A FORWARD -p tcp -m ipp2p --ares -j DROP
    
    # IP WITH HTTPS - 443 ACCESS GRANTED (ACCESS LEVEL 2)
    #-----------------------------------------------------------------------------
    iptables -A FORWARD -s $RED.56 -p tcp --dport 443 -j ACCEPT	# USER
    iptables -A FORWARD -s $RED.59 -p tcp --dport 443 -j ACCEPT	# USER
    iptables -A FORWARD -s $RED.67 -p tcp --dport 443 -j ACCEPT	# USER
    iptables -A FORWARD -s $RED.69 -p tcp --dport 443 -j ACCEPT	# USER
    iptables -A FORWARD -s $RED.73 -p tcp --dport 443 -j ACCEPT	# USER
    iptables -A FORWARD -s $RED.74 -p tcp --dport 443 -j ACCEPT	# USER
    iptables -A FORWARD -s $RED.77 -p tcp --dport 443 -j ACCEPT	# USER
    iptables -A FORWARD -s $RED.79 -p tcp --dport 443 -j ACCEPT	# USER
    iptables -A FORWARD -s $RED.80 -p tcp --dport 443 -j ACCEPT	# USER
    iptables -A FORWARD -s $RED.102 -p tcp --dport 443 -j ACCEPT	# USER
    iptables -A FORWARD -s $RED.104 -p tcp --dport 443 -j ACCEPT	# USER
    iptables -A FORWARD -s $RED.150 -p tcp --dport 443 -j ACCEPT	# USER
    iptables -A FORWARD -s $RED.176 -p tcp --dport 443 -j ACCEPT	# USER
    iptables -A FORWARD -s $RED.201 -p tcp --dport 443 -j ACCEPT	# USER
    
    #----------------------
    
    # BLOCKING YOUTUBE AND TWITTER
    # TO BLOCK YOUTUBE, FIRST WE NEED TO ACCEPT GOOGLE REQUESTS BECAUSE BOTH DOMAINS
    # DEPENDS ON SAME SERVERS OR IP ADDRESS BUT DOMAIN REQUEST IS INDEPENDENT.
    # AFTER THIS, I PERMIT ACCESS TO GOOGLE DOMAIN BUT NOT TO YOUTUBE DOMAIN
    #-----------------------------------------------------------------------------
    iptables -A FORWARD -m string --string "google.com" --algo bm -j ACCEPT
    iptables -A FORWARD -m string --string "youtube.com" --algo bm -j DROP
    #iptables -A FORWARD -m string --string "dropbox.com" --algo bm -j DROP
    
    iptables -A FORWARD -d 199.59.148.0/22 -j DROP # Twitter
    
    # BLOCKED YOUTUBE, BLOCKED DOWNLOADS, UNBLOCKED FACEBOOK (ACCESS LEVEL 3)
    #-----------------------------------------------------------------------------
    iptables -A FORWARD -s $RED.49 -p tcp --dport 443 -j ACCEPT	# USER
    
    # BLOCKED FACEBOOK SERVERS
    #-----------------------------------------------------------------------------
    iptables -A FORWARD -d 65.201.208.24/29 -j DROP
    iptables -A FORWARD -d 65.204.104.128/28 -j DROP
    iptables -A FORWARD -d 66.92.180.48/29 -j DROP
    iptables -A FORWARD -d 67.200.105.48/28 -j DROP
    iptables -A FORWARD -d 69.63.176.0/30 -j DROP
    iptables -A FORWARD -d 69.171.224.0/20 -j DROP
    iptables -A FORWARD -d 74.119.76.0/19 -j DROP
    iptables -A FORWARD -d 204.25.20.0/22 -j DROP
    iptables -A FORWARD -d 66.220.144.0/20 -j DROP
    iptables -A FORWARD -d 173.252.64.0/18 -j DROP
    
    # SCHOOLOGY.COM
    #----------------------------------------------------------
    #iptables -A FORWARD -d 151.101.0.0/16 -j ACCEPT
    #iptables -A FORWARD -m string --string "schoology.com" --algo bm -j ACCEPT
    #iptables -I INPUT -p tcp --dport 443 -m string --string "schoology.com" --algo bm -j ACCEPT
    
    # GRANT ACCESS TO HTTPS - 443 WEBSITES
    #-------------------------------------------------------------------------------
    
    #iptables -A FORWARD -s 52.2.100.81 -p tcp --dport 443 -j ACCEPT		# WEBSITE
    #iptables -A FORWARD -s 52.204.251.50 -p tcp --dport 443 -j ACCEPT		# WEBSITE
    #iptables -A FORWARD -s 107.23.6.245 -p tcp --dport 443 -j ACCEPT		# WEBSITE
    #iptables -A FORWARD -s 52.21.168.68 -p tcp --dport 443 -j ACCEPT		# WEBSITE
    
    #iptables -A FORWARD -p tcp -m iprange --dst-range 74.125.0.0-74.125.255.255 --dport 443 -j ACCEPT	# Google
    iptables -A FORWARD -d 74.125.0.0/16 -j ACCEPT					# Google
    #iptables -A FORWARD -p tcp -d accounts.google.com --dport 443 -j ACCEPT	# Gmail
    #iptables -A FORWARD -p tcp -m iprange --dst-range 172.194.46.0-173.194.46.255 --dport 443 -j ACCEPT	# Gmail
    #iptables -A FORWARD -p tcp -d mail.google.com --dport 443 -j ACCEPT		# Gmail
    
    #iptables -A FORWARD -s 187.210.186.221 -p tcp --dport 443 -j ACCEPT		# WEBSITE
    #iptables -A FORWARD -s 187.191.75.171 -p tcp --dport 443 -j ACCEPT		# WEBSITE
    #iptables -A FORWARD -p tcp -d www.website.com --dport 443 -j ACCEPT	# 
    
    #iptables -A FORWARD -s 65.66.206.154 -p tcp --dport 443 -j ACCEPT		# Hotmail
    #iptables -A FORWARD -p tcp -d live.com --dport 443 -j ACCEPT			# Hotmail
    #iptables -A FORWARD -p tcp -d login.live.com --dport 443 -j ACCEPT		# Hotmail
    #iptables -A FORWARD -p tcp -d secure.shared.live.com --dport 443 -j ACCEPT	# Hotmail
    #iptables -A FORWARD -p tcp -d outlook.com --dport 443 -j ACCEPT		# Hotmail
    
    #iptables -A FORWARD -d 157.54.0.0/15 -j ACCEPT		# Outlook.com
    #iptables -A FORWARD -d 157.56.0.0/14 -j ACCEPT		# Outlook.com
    #iptables -A FORWARD -d 157.60.0.0/16 -j ACCEPT		# Outlook.com
    #iptables -A FORWARD -d 132.245.0.0/16 -j ACCEPT	# Outlook.com
    #iptables -A FORWARD -d 131.253.62.0/23 -j DROP 	# login.live.com
    #iptables -A FORWARD -d 131.253.128.0/17 -j DROP 	# login.live.com
    #iptables -A FORWARD -d 131.253.61.0/24 -j DROP 	# login.live.com
    #iptables -A FORWARD -d 131.253.64.0/18 -j DROP 	# login.live.com
    #iptables -A FORWARD -d 65.52.0.0/14 -j DROP 		# mail.live.com
    
    iptables -A FORWARD -d 189.202.196.50 -j ACCEPT
    iptables -A FORWARD -d 189.203.200.235 -j ACCEPT
    
    # ALL PORTS BLOCKED
    #-------------------------------------------------------------------------------
    #iptables -A INPUT -j DROP
    #iptables -A OUTPUT -j DROP
    #iptables -A FORWARD -j LOG
    
    #iptables -A FORWARD -p tcp --dport 443 -j DROP	# HTTPS
    

    What I want to know or confirm is whether I can configure something like this:

    # BLOCKING YOUTUBE AND TWITTER
    # TO BLOCK YOUTUBE, FIRST WE NEED TO ACCEPT GOOGLE REQUESTS BECAUSE BOTH DOMAINS
    # DEPENDS ON SAME SERVERS OR IP ADDRESS BUT DOMAIN REQUEST IS INDEPENDENT.
    # AFTER THIS, I PERMIT ACCESS TO GOOGLE DOMAIN BUT NOT TO YOUTUBE DOMAIN
    #-----------------------------------------------------------------------------
    iptables -A FORWARD -m string --string "google.com" --algo bm -j ACCEPT
    iptables -A FORWARD -m string --string "youtube.com" --algo bm -j DROP
    #iptables -A FORWARD -m string --string "dropbox.com" --algo bm -j DROP
    
    iptables -A FORWARD -d 199.59.148.0/22 -j DROP # Twitter
    

    So I can make an IP alias in the firewall rules to block some users on the LAN.

    Best regards!


  • There is no iptables on FreeBSD. Wrong forum, dude.



  • You could probably accomplish this with Squid using URL lists.



  • PF is a strict layer 3 packet filter and that means that it won't look inside the data payload on the packets no matter what you do. As noted you'll need a proxy of some sort to accomplish layer 7 filtering on pfSense.



  • Also with Snort you can do something like this.
    For example https://forum.pfsense.org/index.php?topic=84227.0



  • @doktornotor:

    There is no iptables on FreeBSD. Wrong forum, dude.

    Thanks for answer dude.

    I'll quote

    Hi everyone! I have an iptables script (yes, I know pfSense doesn't use iptables), but I think it's a clever script.

    This script was on a Debian server with Squid in transparent mode, and was for blocking HTTPS (443) connections for domains like youtube.com without blocking the google.com domain. Both domains use the same IP address.

    My question is: is it possible to achieve something like these firewall rules on pfSense?

    :-)



  • @Fabio72:

    Also with Snort you can do something like this.
    For example https://forum.pfsense.org/index.php?topic=84227.0

    Looks very interesting!! I'll try to run some tests on VirtualBox.

    Thanks a lot



  • @isolatedvirus:

    you could probably accomplish this with squid using URL lists.

    Thanks for your answer; the problem is HTTPS sites over transparent Squid.



  • @kpa:

    PF is a strict layer 3 packet filter and that means that it won't look inside the data payload on the packets no matter what you do. As noted you'll need a proxy of some sort to accomplish layer 7 filtering on pfSense.

    Thanks for your answer.



  • @pozolero:

    @isolatedvirus:

    You could probably accomplish this with Squid using URL lists.

    Thanks for your answer; the problem is HTTPS sites over transparent Squid.

    Squid can handle HTTPS sites, just not transparently IIRC. You'll have to load the cert on each computer passing through the proxy at that point.

    HOWEVER, an IP alias in pfSense "Firewall->Alias->IP->Add->Type: URL (IPs)" can accept hostnames and domain names. If your goal is just to block access to these sites, you can create an alias, add all the websites/domains you want in there, and create a deny rule for when user traffic is destined to them. This is accomplished by pfSense periodically doing an nslookup on anything in that list and adding every IP it receives in response to its list.

    This would effectively stop HTTP and HTTPS, as well as any traffic to the destined hosts.
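    As an added example (not code from this thread, from pfSense, or from the original poster), the Python below simulates both approaches discussed here: the host-alias mechanism described above (names periodically resolved to IPs, then a deny rule keyed on the destination address, which is all a layer 3 filter like pf can see) and the SNI-based hostname matching that the original iptables `-m string "youtube.com"` rule approximates. The DNS table, the addresses (`203.0.113.x`, `198.51.100.x`) and the TLS ClientHello are all constructed; google.com and youtube.com are deliberately given a shared IP to reproduce the situation in the original post. The function and variable names are the example's own.

```python
"""Added example: IP-alias (layer 3) vs SNI (layer 7) blocking when two
hostnames share an address. Not code from the thread, pfSense or Squid."""
import struct

# Constructed DNS answers standing in for the periodic lookups pfSense does
# on a host alias. google.com and youtube.com share 203.0.113.10 on purpose.
DNS_TABLE = {
    "youtube.com": {"203.0.113.10", "203.0.113.11"},
    "google.com": {"203.0.113.10"},
    "twitter.com": {"198.51.100.5"},
}


def resolve_alias(hostnames, dns=DNS_TABLE):
    """Expand a host alias into the set of IPs its names currently resolve to."""
    ips = set()
    for name in hostnames:
        ips |= dns.get(name, set())
    return ips


def layer3_verdict(dst_ip, blocked_ips):
    """What a pure packet filter can decide: destination address only."""
    return "block" if dst_ip in blocked_ips else "pass"


def build_client_hello(sni):
    """Minimal TLS 1.2 ClientHello carrying only a server_name extension.
    Constructed test input; real ClientHellos carry many more extensions."""
    name = sni.encode("ascii")
    entry = b"\x00" + struct.pack("!H", len(name)) + name      # name_type host_name
    sni_list = struct.pack("!H", len(entry)) + entry
    ext = struct.pack("!HH", 0, len(sni_list)) + sni_list       # extension type 0
    body = (b"\x03\x03" + b"\x00" * 32                          # version, random
            + b"\x00"                                           # empty session id
            + struct.pack("!H", 2) + b"\xc0\x2f"                # one cipher suite
            + b"\x01\x00"                                       # null compression
            + struct.pack("!H", len(ext)) + ext)
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def extract_sni(record):
    """Return the SNI host_name from a TLS ClientHello record, or None.
    Any truncated or non-ClientHello input yields None."""
    try:
        if record[0] != 0x16:                               # not a handshake record
            return None
        hs = record[5:5 + struct.unpack("!H", record[3:5])[0]]
        if hs[0] != 0x01:                                   # not a ClientHello
            return None
        p = 4 + 2 + 32                                      # header, version, random
        p += 1 + hs[p]                                      # session id
        p += 2 + struct.unpack("!H", hs[p:p + 2])[0]        # cipher suites
        p += 1 + hs[p]                                      # compression methods
        ext_end = p + 2 + struct.unpack("!H", hs[p:p + 2])[0]
        p += 2
        while p + 4 <= ext_end:
            etype, elen = struct.unpack("!HH", hs[p:p + 4])
            p += 4
            if etype == 0:                                  # server_name
                q = p + 2                                   # skip list length
                while q + 3 <= p + elen:
                    ntype = hs[q]
                    nlen = struct.unpack("!H", hs[q + 1:q + 3])[0]
                    if ntype == 0:
                        return hs[q + 3:q + 3 + nlen].decode("ascii")
                    q += 3 + nlen
                return None
            p += elen
    except (IndexError, struct.error, UnicodeDecodeError):
        return None
    return None


def layer7_verdict(record, blocked_hosts):
    """Decide on the hostname in the ClientHello; fail closed without SNI."""
    sni = extract_sni(record)
    if sni is None:
        return "block"
    host = sni.lower()
    hit = any(host == b or host.endswith("." + b) for b in blocked_hosts)
    return "block" if hit else "pass"


def compare(sni, dst_ip, blocked=("youtube.com",)):
    """Verdicts of both methods for one connection to dst_ip announcing sni."""
    return {
        "layer3": layer3_verdict(dst_ip, resolve_alias(blocked)),
        "layer7": layer7_verdict(build_client_hello(sni), set(blocked)),
    }


if __name__ == "__main__":
    for sni, ip in [("www.google.com", "203.0.113.10"),
                    ("youtube.com", "203.0.113.10"),
                    ("twitter.com", "198.51.100.5")]:
        print(f"{sni:16} -> {ip:14} {compare(sni, ip)}")
```

    The `www.google.com` row shows the limitation kpa pointed out: an alias-based deny rule for youtube.com also blocks google.com at the shared address, because the packet filter never sees the hostname, whereas the SNI check separates the two. The SNI is sent in the clear in TLS 1.2 and 1.3 unless Encrypted Client Hello is in use, which is why a proxy or an IDS such as Snort can key on it while pf cannot; the parser here fails closed when no SNI is present, a deliberate choice for a block list.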



  • @isolatedvirus:

    Squid can handle HTTPS sites, just not transparently IIRC. You'll have to load the cert on each computer passing through the proxy at that point.

    HOWEVER, an IP alias in pfSense "Firewall->Alias->IP->Add->Type: URL (IPs)" can accept hostnames and domain names. If your goal is just to block access to these sites, you can create an alias, add all the websites/domains you want in there, and create a deny rule for when user traffic is destined to them. This is accomplished by pfSense periodically doing an nslookup on anything in that list and adding every IP it receives in response to its list.

    This would effectively stop HTTP and HTTPS, as well as any traffic to the destined hosts.

    I'll try this, thank you

