[HELP] Blocking subnets by command line or script
-
Good evening,
I'm trying to change my firewall to pfsense, currently I'm using CentOS with iptables, and I'm using a shell script which is essential to work on pfSense:
# carrega modulos necessarios modprobe ip_tables modprobe iptable_nat modprobe ip_nat_ftp modprobe ip_conntrack_ftp modprobe ip_conntrack iptables -F iptables -X iptables -Z #limpa as regras de nat na memoria se tiver iptables -t nat -F iptables -t nat -X iptables -t nat -Z #limpa as mangle iptables -t mangle -F iptables -t mangle -X iptables -t mangle -Z S=$(mysql -h 200.xxx.xxx.xxx -u rede -p -e "select * from xxe_lab" xxe) # a procura retornou algum registro ?! [ "$S" ] || { echo "Registro não encontrado";exit; } # colocar um TAB como IFS IFS="$(echo -e '\t')" # Apagamos a primeira linha, pois ela contém o nome dos campos S=$(echo "$S" | sed '1d') echo "$S" | while read id_lab descricao_lab ip_inicio_lab ip_fim_lab drop_lab;do if [ $drop_lab = '1' ];then for ((i=$ip_inicio_lab; i <= $ip_fim_lab; i++)) do # echo "$i xxx" iptables -A FORWARD -d 10.80.2.$i -s 200.xxx.xxx.xxx/24 -j ACCEPT iptables -A FORWARD -s 10.80.2.$i -d 200.xxx.xxx.xxx/24 -j ACCEPT iptables -A FORWARD -d 10.80.2.$i -s 10.80.1.134 -j ACCEPT iptables -A FORWARD -s 10.80.2.$i -d 10.80.1.134 -j ACCEPT iptables -A FORWARD -d 10.80.2.$i -j DROP iptables -A FORWARD -s 10.80.2.$i -j DROP iptables -A INPUT -p tcp --dport 3128 -s 10.80.2.$i -j DROP done fi done
basically it connects to a database and checks whether the table is drop_labs = 1 every minute by crontab then he drops the connections of the labs to nobody navigate.
I have installed mysql-client on pfsense to search the table, but not found any command that is equivalent to iptables to drop those IP's. I tried using the easyrule but every 1 minute he's adding the same rules causing an overload and there is no command to delete those rules except on GUI.Does anyone have an idea to solve this? Thank you.
EDIT: Maybe using SQUID?
-
Someone knows why this sintaxe is not disabling the rule?
curl -k -b cookies.txt -c cookies.txt –data 'login=Login&usernamefld=USER&passwordfld=PASS' --data 'if=lan&act=toggle&id=13' http://xxx.xxx.xxx.xxx:1234/firewall_rules.php
-
after 8 hours of effort and research I came to this solution:
curl -v -k -b cookies.txt -c cookies.txt –data 'login=Login&usernamefld=USER&passwordfld=PASSWORD' --get 'http://xxx.xxx.xxx.xxx:1234/firewall_rules.php?if=lan' --data-urlencode POST 'http://xxx.xxx.xxx.xxx:1234/firewall_rules.php?if=lan&act=toggle&id=13'
-
Well I finished the script.
#!/bin/sh
This script will be executed after all the other init scripts.
You can put your own initialization stuff in here if you don't
want to do the full Sys V style init stuff.
S=$(mysql -h xxx.xxx.xxx.xxx -u rede -psenha -e "select * from xxe_lab" xxe)
a procura retornou algum registro ?!
[ "$S" ] || { echo "Registro nao encontrado";exit; }
colocar um TAB como IFS
IFS="$(echo -e '\t')"
# Apagamos a primeira linha, pois ela contem o nome dos campos
S=$(echo "$S" | sed '1d')
echo "$S"echo "$S" | while read id_lab descricao_lab ip_inicio_lab ip_fim_lab drop_lab;do
#–-------------------------------------------------------------------------------------------------------------------------------------
#se o laboratorio GRANDE estive bloqueado no SGI entao...
if [ $id_lab = '1' ] && [ $drop_lab = '1' ];then#cria um cookie com o login
curl -s -k -c /root/cookies.txt -b /root/cookies.txt –data 'login=Login&usernamefld=admin&passwordfld=pfsense' https://xxx.xxx.xxx.xxx:5050/firewall_rules.php#com a sessao criada aplica a regra 49 da aba LAN
curl -s -k -c /root/cookies.txt -b /root/cookies.txt --data 'login=Login&usernamefld=admin&passwordfld=pfsense' --get 'https://xxx.xxx.xxx.xxx:5050/firewall_rules.php?if=lan' --data-urlencode POST
'https://xxx.xxx.xxx.xxx:5050/firewall_rules.php?if=lan&act=toggle&id=49'#aplica a regra para funcionamento
#curl -s -k -c /root/cookies.txt -b /root/cookies.txt --data 'login=Login&usernamefld=admin&passwordfld=pfsense' --data "apply=aply" https://xxx.xxx.xxx.xxx:5050/firewall_rules.php
/etc/rc.filter_configure#conecta no banco e muda o valor do drop_lab para 3 do lab GRANDE
mysql -h xxx.xxx.xxx.xxx -u rede -psenha -e "update xxe_lab set drop_lab=3 where id_lab=1" xxe#mata as conexoes ativas
pfctl -k 10.80.2.128/26fi
#--------------------------------------------------------------------------------------------------------------------------------
#se o laboratorio PEQUENO estive bloqueado no SGI entao...
if [ $id_lab = '2' ] && [ $drop_lab = '1' ];then#cria um cookie com o login
curl -s -k -c /root/cookies.txt -b /root/cookies.txt –data 'login=Login&usernamefld=admin&passwordfld=pfsense' https://xxx.xxx.xxx.xxx:5050/firewall_rules.php#com a sessao criada aplica a regra 50 da aba LAN
curl -s -k -c /root/cookies.txt -b /root/cookies.txt --data 'login=Login&usernamefld=admin&passwordfld=pfsense' --get 'https://xxx.xxx.xxx.xxx:5050/firewall_rules.php?if=lan' --data-urlencode POST
'https://xxx.xxx.xxx.xxx:5050/firewall_rules.php?if=lan&act=toggle&id=50'#aplica a regra para funcionamento
#curl -s -k -c /root/cookies.txt -b /root/cookies.txt --data 'login=Login&usernamefld=admin&passwordfld=pfsense' --data "apply=aply" https://xxx.xxx.xxx.xxx:5050/firewall_rules.php
/etc/rc.filter_configure#conecta no banco e muda o valor do drop_lab para 3 do lab PEQUENO
mysql -h xxx.xxx.xxx.xxx -u rede -psenha -e "update xxe_lab set drop_lab=3 where id_lab=2" xxe#mata as conexoes ativas
pfctl -k 10.80.2.192/27 | pfctl -k 10.80.2.224/29fi
#---------------------------------------------------------------------------------------------------------------------------------------
#se o laboratorio GRANDE NAO estiver bloqueado no SGI entao...
if [ $id_lab = '1' ] && [ $drop_lab = '0' ];then#cria um cookie com o login
curl -s -k -c /root/cookies.txt -b /root/cookies.txt –data 'login=Login&usernamefld=admin&passwordfld=pfsense' https://xxx.xxx.xxx.xxx:5050/firewall_rules.php#com a sessao criada aplica a regra 49 da aba LAN
curl -s -k -c /root/cookies.txt -b /root/cookies.txt --data 'login=Login&usernamefld=admin&passwordfld=pfsense' --get 'https://xxx.xxx.xxx.xxx:5050/firewall_rules.php?if=lan' --data-urlencode POST
'https://xxx.xxx.xxx.xxx:5050/firewall_rules.php?if=lan&act=toggle&id=49'#aplica a regra para funcionamento
#curl -s -k -c /root/cookies.txt -b /root/cookies.txt --data 'login=Login&usernamefld=admin&passwordfld=pfsense' --data "apply=aply" https://xxx.xxx.xxx.xxx:5050/firewall_rules.php
/etc/rc.filter_configure#conecta no banco e muda o valor do drop_lab para 4 do lab GRANDE
mysql -h xxx.xxx.xxx.xxx -u rede -psenha -e "update xxe_lab set drop_lab=4 where id_lab=1" xxe
fi#---------------------------------------------------------------------------------------------------------------------------------------
#se o laboratorio PEQUENO NAO estiver bloqueado no SGI entao...
if [ $id_lab = '2' ] && [ $drop_lab = '0' ];then#cria um cookie com o login
curl -s -k -c /root/cookies.txt -b /root/cookies.txt –data 'login=Login&usernamefld=admin&passwordfld=pfsense' https://xxx.xxx.xxx.xxx:5050/firewall_rules.php#com a sessao criada aplica a regra 49 da aba LAN
curl -s -k -c /root/cookies.txt -b /root/cookies.txt --data 'login=Login&usernamefld=admin&passwordfld=pfsense' --get 'https://xxx.xxx.xxx.xxx:5050/firewall_rules.php?if=lan' --data-urlencode POST
'https://xxx.xxx.xxx.xxx:5050/firewall_rules.php?if=lan&act=toggle&id=50'#aplica a regra para funcionamento
#curl -s -k -c /root/cookies.txt -b /root/cookies.txt --data 'login=Login&usernamefld=admin&passwordfld=pfsense' --data "apply=aply" https://xxx.xxx.xxx.xxx:5050/firewall_rules.php
/etc/rc.filter_configure#conecta no banco e muda o valor do drop_lab para 4 do lab GRANDE
mysql -h xxx.xxx.xxx.xxx -u rede -psenha -e "update xxe_lab set drop_lab=4 where id_lab=2" xxe
fi#---------------------------------------------------------------------------------------------------------------------------------------
done
-
Good job. Thanks for posting this. I'm sure it will help someone else down the road.