[HELP] Blocking subnets by command line or script



  • Good evening,

I'm trying to switch my firewall to pfSense. Currently I'm using CentOS with iptables, and I'm using a shell script that is essential and needs to work on pfSense:

    
    #!/bin/bash
    # load the required modules
    modprobe ip_tables
    modprobe iptable_nat
    modprobe ip_nat_ftp
    modprobe ip_conntrack_ftp
    modprobe ip_conntrack
    
    # flush the filter table
    iptables -F
    iptables -X
    iptables -Z
    
    # flush any NAT rules still in memory
    iptables -t nat -F
    iptables -t nat -X
    iptables -t nat -Z
    
    # flush the mangle rules
    iptables -t mangle -F
    iptables -t mangle -X
    iptables -t mangle -Z
    
    S=$(mysql -h 200.xxx.xxx.xxx -u rede -p -e "select * from xxe_lab" xxe)
    
    # did the query return any record?
    [ "$S" ] || { echo "Registro não encontrado";exit; }
    
    # use a TAB as IFS
    IFS="$(echo -e '\t')"
    # Delete the first line, as it contains the field names
    S=$(echo "$S" | sed '1d')
    
    echo "$S" | while read id_lab descricao_lab ip_inicio_lab ip_fim_lab drop_lab;do
    
      if [ "$drop_lab" = '1' ];then
        for ((i=ip_inicio_lab; i <= ip_fim_lab; i++))
        do
    #     echo "$i xxx"
          # keep traffic between the lab host, the 200.xxx.xxx.xxx/24 network and 10.80.1.134 working
          iptables -A FORWARD -d 10.80.2.$i -s 200.xxx.xxx.xxx/24 -j ACCEPT
          iptables -A FORWARD -s 10.80.2.$i -d 200.xxx.xxx.xxx/24 -j ACCEPT
          iptables -A FORWARD -d 10.80.2.$i -s 10.80.1.134 -j ACCEPT
          iptables -A FORWARD -s 10.80.2.$i -d 10.80.1.134 -j ACCEPT
          # drop everything else to or from the lab host, including access to port 3128 on the firewall
          iptables -A FORWARD -d 10.80.2.$i -j DROP
          iptables -A FORWARD -s 10.80.2.$i -j DROP
          iptables -A INPUT -p tcp --dport 3128 -s 10.80.2.$i -j DROP
        done
      fi
    done
    
    

    Basically it connects to a database and checks every minute via crontab whether the table has drop_labs = 1; if so, it drops the labs' connections so nobody can browse.
    I have installed mysql-client on pfSense to query the table, but I have not found any command equivalent to iptables to drop those IPs. I tried using easyrule, but every minute it adds the same rules again, causing an overload, and there is no command to delete those rules except in the GUI.

    Does anyone have an idea to solve this? Thank you.

    EDIT: Maybe using SQUID?
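    One way to do this from the command line on pfSense without accumulating rules is to keep a pf table in sync with the lab table and let a single firewall rule reference it. The script below is an added example, not code from this thread or from the pfSense project. It assumes (hypothetically) a pfSense alias named `lab_blocked` that is referenced by one LAN rule blocking traffic from `lab_blocked` to any, placed below the pass rules for the peers that must keep working (the 200.xxx.xxx.xxx/24 network and 10.80.1.134 from the iptables script). The row layout of the `mysql -e` output (tab-separated, header line first) and the `/root/.my.cnf` option file are likewise assumptions; the sample rows are constructed. `pfctl -T replace` rewrites the whole table on every run, so running it from cron every minute is idempotent.

```shell
#!/bin/sh
# Added example (not from the thread): keep the pf table "lab_blocked" in sync
# with the xxe_lab table instead of toggling GUI rules through curl.
# Assumptions (hypothetical): a pfSense alias "lab_blocked" exists and one LAN
# rule blocks from that alias to any, below the pass rules for the allowed peers.

TABLE="lab_blocked"
NET_PREFIX="10.80.2"   # lab network used in the thread's iptables script

# Constructed sample of what "mysql -e 'select * from xxe_lab'" prints when not
# attached to a terminal: a tab-separated header, then one row per lab
# (id, description, first host octet, last host octet, drop flag).
SAMPLE_ROWS=$(printf 'id_lab\tdescricao_lab\tip_inicio_lab\tip_fim_lab\tdrop_lab\n1\tLab GRANDE\t128\t131\t1\n2\tLab PEQUENO\t192\t194\t0\n')

# Expand one row into the host addresses to block, one per line.
# Prints nothing unless the drop flag is exactly 1.
row_to_hosts() {
    _first=$3
    _last=$4
    _drop=$5
    [ "$_drop" = "1" ] || return 0
    i=$_first
    while [ "$i" -le "$_last" ]; do
        echo "$NET_PREFIX.$i"
        i=$((i + 1))
    done
}

# Convert the full mysql result (header included) into the desired table
# contents. IFS is a tab only for the read, so descriptions keep their spaces.
rows_to_table() {
    printf '%s\n' "$1" | sed '1d' |
    while IFS="$(printf '\t')" read -r _id _desc _first _last _drop; do
        row_to_hosts "$_id" "$_desc" "$_first" "$_last" "$_drop"
    done
}

# Load the computed addresses into pf and kill the states of the blocked hosts,
# so connections that are already open do not survive the block.
# An empty list flushes the table, which unblocks every lab.
apply_table() {
    _hosts=$1
    if [ -n "$_hosts" ]; then
        # word splitting on the newline-separated list is intended here
        pfctl -t "$TABLE" -T replace $_hosts
        printf '%s\n' "$_hosts" | while read -r _h; do pfctl -k "$_h"; done
    else
        pfctl -t "$TABLE" -T flush
    fi
}

# Offline demonstration: what the constructed sample rows expand to.
demo_hosts() {
    rows_to_table "$SAMPLE_ROWS"
}

# Real run, e.g. from cron: "* * * * * /root/sync_lab_block.sh apply" (path assumed).
# The mysql password comes from an option file readable only by root, not from argv.
if [ "${1:-}" = "apply" ]; then
    ROWS=$(mysql --defaults-extra-file=/root/.my.cnf -h xxx.xxx.xxx.xxx -e "select * from xxe_lab" xxe)
    apply_table "$(rows_to_table "$ROWS")"
fi
```

    Two caveats for running this on pfSense: a filter reload (saving rules in the GUI or running `/etc/rc.filter_configure`) rebuilds the table from the alias definition, so the addresses loaded with `pfctl` disappear until the next cron run, which is why the job should rewrite the whole table every time rather than add to it; and because the block rule is a normal firewall rule, the script needs no web GUI credentials at all, only the database account.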



  • Does anyone know why this syntax is not disabling the rule?

    curl -k -b cookies.txt -c cookies.txt --data 'login=Login&usernamefld=USER&passwordfld=PASS' --data 'if=lan&act=toggle&id=13' http://xxx.xxx.xxx.xxx:1234/firewall_rules.php



  • After 8 hours of effort and research I came to this solution:

    curl -v -k -b cookies.txt -c cookies.txt --data 'login=Login&usernamefld=USER&passwordfld=PASSWORD' --get 'http://xxx.xxx.xxx.xxx:1234/firewall_rules.php?if=lan' --data-urlencode POST 'http://xxx.xxx.xxx.xxx:1234/firewall_rules.php?if=lan&act=toggle&id=13'



  • Well I finished the script.

    #!/bin/sh
    #
    # This script will be executed after all the other init scripts.
    # You can put your own initialization stuff in here if you don't
    # want to do the full Sys V style init stuff.

    S=$(mysql -h xxx.xxx.xxx.xxx -u rede -psenha -e "select * from xxe_lab" xxe)

    # did the query return any record?
    [ "$S" ] || { echo "Registro nao encontrado";exit; }

    # use a TAB as IFS
    IFS="$(printf '\t')"
    # Delete the first line, as it contains the field names
    S=$(echo "$S" | sed '1d')
    echo "$S"

    echo "$S" | while read id_lab descricao_lab ip_inicio_lab ip_fim_lab drop_lab;do

    #----------------------------------------------------------------------------------------------------------------------------------------

    # if the BIG lab is blocked in the SGI then...
    if [ "$id_lab" = '1' ] && [ "$drop_lab" = '1' ];then

    # create a cookie with the login
    curl -s -k -c /root/cookies.txt -b /root/cookies.txt --data 'login=Login&usernamefld=admin&passwordfld=pfsense' https://xxx.xxx.xxx.xxx:5050/firewall_rules.php

    # with the session created, toggle rule 49 of the LAN tab
    curl -s -k -c /root/cookies.txt -b /root/cookies.txt --data 'login=Login&usernamefld=admin&passwordfld=pfsense' --get 'https://xxx.xxx.xxx.xxx:5050/firewall_rules.php?if=lan' --data-urlencode POST \
    'https://xxx.xxx.xxx.xxx:5050/firewall_rules.php?if=lan&act=toggle&id=49'

    # apply the rules so they take effect
    #curl -s -k -c /root/cookies.txt -b /root/cookies.txt --data 'login=Login&usernamefld=admin&passwordfld=pfsense' --data "apply=aply" https://xxx.xxx.xxx.xxx:5050/firewall_rules.php
    /etc/rc.filter_configure

    # connect to the database and set drop_lab of the BIG lab to 3
    mysql -h xxx.xxx.xxx.xxx -u rede -psenha -e "update xxe_lab set drop_lab=3 where id_lab=1" xxe

    # kill the active connections
    pfctl -k 10.80.2.128/26

    fi
    #----------------------------------------------------------------------------------------------------------------------------------------
    # if the SMALL lab is blocked in the SGI then...
    if [ "$id_lab" = '2' ] && [ "$drop_lab" = '1' ];then

    # create a cookie with the login
    curl -s -k -c /root/cookies.txt -b /root/cookies.txt --data 'login=Login&usernamefld=admin&passwordfld=pfsense' https://xxx.xxx.xxx.xxx:5050/firewall_rules.php

    # with the session created, toggle rule 50 of the LAN tab
    curl -s -k -c /root/cookies.txt -b /root/cookies.txt --data 'login=Login&usernamefld=admin&passwordfld=pfsense' --get 'https://xxx.xxx.xxx.xxx:5050/firewall_rules.php?if=lan' --data-urlencode POST \
    'https://xxx.xxx.xxx.xxx:5050/firewall_rules.php?if=lan&act=toggle&id=50'

    # apply the rules so they take effect
    #curl -s -k -c /root/cookies.txt -b /root/cookies.txt --data 'login=Login&usernamefld=admin&passwordfld=pfsense' --data "apply=aply" https://xxx.xxx.xxx.xxx:5050/firewall_rules.php
    /etc/rc.filter_configure

    # connect to the database and set drop_lab of the SMALL lab to 3
    mysql -h xxx.xxx.xxx.xxx -u rede -psenha -e "update xxe_lab set drop_lab=3 where id_lab=2" xxe

    # kill the active connections (two separate pfctl runs, one per subnet)
    pfctl -k 10.80.2.192/27
    pfctl -k 10.80.2.224/29

    fi

    #----------------------------------------------------------------------------------------------------------------------------------------

    # if the BIG lab is NOT blocked in the SGI then...
    if [ "$id_lab" = '1' ] && [ "$drop_lab" = '0' ];then

    # create a cookie with the login
    curl -s -k -c /root/cookies.txt -b /root/cookies.txt --data 'login=Login&usernamefld=admin&passwordfld=pfsense' https://xxx.xxx.xxx.xxx:5050/firewall_rules.php

    # with the session created, toggle rule 49 of the LAN tab
    curl -s -k -c /root/cookies.txt -b /root/cookies.txt --data 'login=Login&usernamefld=admin&passwordfld=pfsense' --get 'https://xxx.xxx.xxx.xxx:5050/firewall_rules.php?if=lan' --data-urlencode POST \
    'https://xxx.xxx.xxx.xxx:5050/firewall_rules.php?if=lan&act=toggle&id=49'

    # apply the rules so they take effect
    #curl -s -k -c /root/cookies.txt -b /root/cookies.txt --data 'login=Login&usernamefld=admin&passwordfld=pfsense' --data "apply=aply" https://xxx.xxx.xxx.xxx:5050/firewall_rules.php
    /etc/rc.filter_configure

    # connect to the database and set drop_lab of the BIG lab to 4
    mysql -h xxx.xxx.xxx.xxx -u rede -psenha -e "update xxe_lab set drop_lab=4 where id_lab=1" xxe
    fi

    #----------------------------------------------------------------------------------------------------------------------------------------

    # if the SMALL lab is NOT blocked in the SGI then...
    if [ "$id_lab" = '2' ] && [ "$drop_lab" = '0' ];then

    # create a cookie with the login
    curl -s -k -c /root/cookies.txt -b /root/cookies.txt --data 'login=Login&usernamefld=admin&passwordfld=pfsense' https://xxx.xxx.xxx.xxx:5050/firewall_rules.php

    # with the session created, toggle rule 50 of the LAN tab
    curl -s -k -c /root/cookies.txt -b /root/cookies.txt --data 'login=Login&usernamefld=admin&passwordfld=pfsense' --get 'https://xxx.xxx.xxx.xxx:5050/firewall_rules.php?if=lan' --data-urlencode POST \
    'https://xxx.xxx.xxx.xxx:5050/firewall_rules.php?if=lan&act=toggle&id=50'

    # apply the rules so they take effect
    #curl -s -k -c /root/cookies.txt -b /root/cookies.txt --data 'login=Login&usernamefld=admin&passwordfld=pfsense' --data "apply=aply" https://xxx.xxx.xxx.xxx:5050/firewall_rules.php
    /etc/rc.filter_configure

    # connect to the database and set drop_lab of the SMALL lab to 4
    mysql -h xxx.xxx.xxx.xxx -u rede -psenha -e "update xxe_lab set drop_lab=4 where id_lab=2" xxe
    fi

    #----------------------------------------------------------------------------------------------------------------------------------------

    done



  • Good job.  Thanks for posting this.  I'm sure it will help someone else down the road.