I want to block network access (http and https) from certain MAC addresses. I was able to do this with Squid, but it still lets https sites through.
acl denylist arp "/etc/squid/mac-deny-list.lst"
http_access deny denylist
How can this be done for https / 443?
I tried using iptables
iptables -I INPUT -p tcp --dport 443 -m mac --mac-source XX:XX:XX:XX:XX:XX -j DROP
and
iptables -I FORWARD -p tcp --dport 443 -m mac --mac-source XX:XX:XX:XX:XX:XX -j DROP
I also tried using REJECT instead of DROP. Neither worked.
The rest of my iptables rules are:
*nat
:PREROUTING ACCEPT [467:49957]
:POSTROUTING ACCEPT [4:784]
:OUTPUT ACCEPT [6:960]
-A PREROUTING -i eth1.10 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
*filter
:INPUT ACCEPT [122012:18388989]
:FORWARD ACCEPT [10802:1834986]
:OUTPUT ACCEPT [1807836:1494699352]
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 5667 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 5666 -j ACCEPT
-A INPUT -p udp -m udp --dport 161 -j ACCEPT
-A INPUT -p udp -m udp --dport 162 -j ACCEPT
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i tun0 -m state --state NEW -j ACCEPT
-A FORWARD -i eth1.10 -o eth0 -j ACCEPT
COMMIT
Chain INPUT (policy ACCEPT 1 packets, 334 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:443 MAC XX:XX:XX:XX:XX:XX
   41  2624 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:22
  386 42629 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
60371 5794K ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0
6558K 2220M ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:5667
60264 3616K ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:5666
    3   211 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:161
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:162

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in      out     source               destination
    0     0 DROP       tcp  --  eth1.10 *       0.0.0.0/0            0.0.0.0/0            tcp dpt:443 MAC XX:XX:XX:XX:XX:XX
  61M   46G ACCEPT     all  --  *       *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
48857 3337K ACCEPT     all  --  tun0    *       0.0.0.0/0            0.0.0.0/0            state NEW
 159K   17M ACCEPT     all  --  eth1.10 eth0    0.0.0.0/0            0.0.0.0/0

Chain OUTPUT (policy ACCEPT 49 packets, 6584 bytes)
 pkts bytes target     prot opt in     out     source               destination
tcpdump -e -i eth1.10 '!(host 10.15.248.122)' and 'ether host 00:60:dd:44:85:43'
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth1.10, link-type EN10MB (Ethernet), capture size 65535 bytes
14:01:47.452656 00:08:54:23:fa:93 (oui Unknown) > 00:60:dd:44:85:43 (oui Unknown), ethertype IPv4 (0x0800), length 116: resolver1.opendns.com.domain > 172.31.235.114.63561: 6769 2/0/0 CNAME star.c10r.facebook.com., A 31.13.77.6 (74)
14:01:47.470098 00:08:54:23:fa:93 (oui Unknown) > 00:60:dd:44:85:43 (oui Unknown), ethertype IPv4 (0x0800), length 66: edge-star-shv-01-sjc2.facebook.com.https > 172.31.235.114.50452: Flags [S.], seq 2645004585, ack 3584915781, win 14100, options [mss 1410,nop,nop,sackOK,nop,wscale 8], length 0
14:01:47.485180 00:08:54:23:fa:93 (oui Unknown) > 00:60:dd:44:85:43 (oui Unknown), ethertype IPv4 (0x0800), length 54: edge-star-shv-01-sjc2.facebook.com.https > 172.31.235.114.50452: Flags [.], ack 518, win 67, length 0
14:01:47.485398 00:08:54:23:fa:93 (oui Unknown) > 00:60:dd:44:85:43 (oui Unknown), ethertype IPv4 (0x0800), length 236: edge-star-shv-01-sjc2.facebook.com.https > 172.31.235.114.50452: Flags [P.], seq 1:183, ack 518, win 67, length 182
14:01:47.500703 00:08:54:23:fa:93 (oui Unknown) > 00:60:dd:44:85:43 (oui Unknown), ethertype IPv4 (0x0800), length 54: edge-star-shv-01-sjc2.facebook.com.https > 172.31.235.114.50452: Flags [.], ack 634, win 67, length 0
14:01:47.500891 00:08:54:23:fa:93 (oui Unknown) > 00:60:dd:44:85:43 (oui Unknown), ethertype IPv4 (0x0800), length 111: edge-star-shv-01-sjc2.facebook.com.https > 172.31.235.114.50452: Flags [P.], seq 183:240, ack 634, win 67, length 57
14:01:47.503275 00:08:54:23:fa:93 (oui Unknown) > 00:60:dd:44:85:43 (oui Unknown), ethertype IPv4 (0x0800), length 54: edge-star-shv-01-sjc2.facebook.com.https > 172.31.235.114.50452: Flags [.], ack 691, win 67, length 0
14:01:47.503302 00:08:54:23:fa:93 (oui Unknown) > 00:60:dd:44:85:43 (oui Unknown), ethertype IPv4 (0x0800), length 54: edge-star-shv-01-sjc2.facebook.com.https > 172.31.235.114.50452: Flags [.], ack 736, win 67, length 0
14:01:47.503372 00:08:54:23:fa:93 (oui Unknown) > 00:60:dd:44:85:43 (oui Unknown), ethertype IPv4 (0x0800), length 54: edge-star-shv-01-sjc2.facebook.com.https > 172.31.235.114.50452: Flags [.], ack 1181, win 78, length 0
14:01:47.503585 00:08:54:23:fa:93 (oui Unknown) > 00:60:dd:44:85:43 (oui Unknown), ethertype IPv4 (0x0800), length 99: edge-star-shv-01-sjc2.facebook.com.https > 172.31.235.114.50452: Flags [P.], seq 240:285, ack 1181, win 78, length 45
14:01:47.566820 00:08:54:23:fa:93 (oui Unknown) > 00:60:dd:44:85:43 (oui Unknown), ethertype IPv4 (0x0800), length 1464: edge-star-shv-01-sjc2.facebook.com.https > 172.31.235.114.50452: Flags [.], seq 285:1695, ack 1181, win 78, length 1410
14:01:47.566838 00:08:54:23:fa:93 (oui Unknown) > 00:60:dd:44:85:43 (oui Unknown), ethertype IPv4 (0x0800), length 266: edge-star-shv-01-sjc2.facebook.com.https > 172.31.235.114.50452: Flags [P.], seq 1695:1907, ack 1181, win 78, length 212
14:01:47.566965 00:08:54:23:fa:93 (oui Unknown) > 00:60:dd:44:85:43 (oui Unknown), ethertype IPv4 (0x0800), length 1464: edge-star-shv-01-sjc2.facebook.com.https > 172.31.235.114.50452: Flags [.], seq 1907:3317, ack 1181, win 78, length 1410
14:01:47.567072 00:08:54:23:fa:93 (oui Unknown) > 00:60:dd:44:85:43 (oui Unknown), ethertype IPv4 (0x0800), length 1282: edge-star-shv-01-sjc2.facebook.com.https > 172.31.235.114.50452: Flags [P.], seq 3317:4545, ack 1181, win 78, length 1228
14:01:47.569446 00:08:54:23:fa:93 (oui Unknown) > 00:60:dd:44:85:43 (oui Unknown), ethertype IPv4 (0x0800), length 1464: edge-star-shv-01-sjc2.facebook.com.https > 172.31.235.114.50452: Flags [.], seq 4545:5955, ack 1181, win 78, length 1410
14:01:47.569562 00:08:54:23:fa:93 (oui Unknown) > 00:60:dd:44:85:43 (oui Unknown), ethertype IPv4 (0x0800), length 1464: edge-star-shv-01-sjc2.facebook.com.https > 172.31.235.114.50452: Flags [.], seq 5955:7365, ack 1181, win 78, length 1410
14:01:47.569682 00:08:54:23:fa:93 (oui Unknown) > 00:60:dd:44:85:43 (oui Unknown), ethertype IPv4 (0x0800), length 1464: edge-star-shv-01-sjc2.facebook.com.https > 172.31.235.114.50452: Flags [.], seq 7365:8775, ack 1181, win 78, length 1410
@Matt
# Generated by iptables-save v1.4.7 on Tue May 12 14:44:35 2015
*filter
:INPUT ACCEPT [53:6397]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [822:337604]
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 5667 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 5666 -j ACCEPT
-A INPUT -p udp -m udp --dport 161 -j ACCEPT
-A INPUT -p udp -m udp --dport 162 -j ACCEPT
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i tun0 -m state --state NEW -j ACCEPT
-A FORWARD -i eth1.10 -o eth0 -j ACCEPT
-A FORWARD -i eth1.10 -p tcp -m tcp --dport 443 -m mac --mac-source 00:60:DD:44:85:43 -j DROP
COMMIT
# Completed on Tue May 12 14:44:35 2015
# Generated by iptables-save v1.4.7 on Tue May 12 14:44:35 2015
*nat
:PREROUTING ACCEPT [325:31771]
:POSTROUTING ACCEPT [16:1474]
:OUTPUT ACCEPT [308:20843]
-A PREROUTING -i eth1.10 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
# Completed on Tue May 12 14:44:35 2015
eth0 - 192.168.2.22 (/24) (public/outside/NAT)
eth1.10 - 172.31.235.19 (/24) (private/inside/vlan10)
The problem is that the MAC filter rule is processed after the accept, so it is never reached.
What you need to do is swap the order of these two lines:
-A FORWARD -i eth1.10 -o eth0 -j ACCEPT
-A FORWARD -i eth1.10 -p tcp -m tcp --dport 443 -m mac --mac-source 00:60:DD:44:85:43 -j DROP
so that they become:
-A FORWARD -i eth1.10 -p tcp -m tcp --dport 443 -m mac --mac-source 00:60:DD:44:85:43 -j DROP
-A FORWARD -i eth1.10 -o eth0 -j ACCEPT
If you are using the iptables-save format, just edit the output of iptables-save and then run iptables-restore, passing in that file, i.e.
sudo iptables-save > rules
... edit 'rules'
sudo iptables-restore < rules
Alternatively, edit whatever script/generator you are using to create the rules.
Note: since you are filtering internal addresses, I would use REJECT rather than DROP, otherwise users may not realise they have been blocked and will wonder why their browser sits there for so long.
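The save, edit and restore step from this answer, automated, as an added example that is not part of the original answer: a POSIX shell script (awk) that checks a dump in iptables-save format for the ordering mistake above and moves every FORWARD MAC-source DROP/REJECT rule to just ahead of the first broad `-o <iface> ... -j ACCEPT` rule. The sample dump is constructed in the shape of the question's (same interfaces and MAC); the rules file path is whatever you pass in.

```shell
#!/bin/sh
# Added example, not the answer's own code. Works on iptables-save output
# fed in as a file; review the result before running iptables-restore on it.

# Constructed sample in the shape of the question's dump (*filter only).
sample_rules() {
    cat <<'EOF'
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i tun0 -m state --state NEW -j ACCEPT
-A FORWARD -i eth1.10 -o eth0 -j ACCEPT
-A FORWARD -i eth1.10 -p tcp -m tcp --dport 443 -m mac --mac-source 00:60:DD:44:85:43 -j DROP
COMMIT
EOF
}

# Exit 0 when no FORWARD MAC-source DROP/REJECT rule sits *after* the first
# FORWARD "-o <iface> ... -j ACCEPT" rule (first match wins, so it would be
# shadowed), exit 1 otherwise.
check_forward_order() {
    awk '
        /^-A FORWARD / && /-o / && /-j ACCEPT/ { seen_accept = 1 }
        /^-A FORWARD / && /--mac-source/ && /-j (DROP|REJECT)/ && seen_accept { bad = 1 }
        END { exit (bad ? 1 : 0) }
    ' "$1"
}

# Emit the dump with every FORWARD MAC-source DROP/REJECT rule moved to just
# before the first FORWARD "-o <iface> ... -j ACCEPT" rule. Two passes over
# the same file: pass 1 collects the block rules, pass 2 re-emits the dump.
# If the chain has no such ACCEPT rule the dump is passed through unchanged.
reorder_forward() {
    awk '
        NR == FNR {
            if (/^-A FORWARD / && /--mac-source/ && /-j (DROP|REJECT)/) mac[++n] = $0
            if (/^-A FORWARD / && /-o / && /-j ACCEPT/) has_accept = 1
            next
        }
        !has_accept { print; next }
        /^-A FORWARD / && /--mac-source/ && /-j (DROP|REJECT)/ { next }
        /^-A FORWARD / && /-o / && /-j ACCEPT/ && !done {
            for (i = 1; i <= n; i++) print mac[i]
            done = 1
        }
        { print }
    ' "$1" "$1"
}
```

Typical use: `sudo iptables-save > rules; reorder_forward rules > rules.fixed; check_forward_order rules.fixed && sudo iptables-restore < rules.fixed`.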
I believe you actually need to put the MAC filter in the PREROUTING chain, because iptables internally rewrites some fields.
From "Traversal for routed frames, when the bridge and netfilter code are compiled into the kernel":
A side effect of what is said here, when the netfilter code is enabled in the kernel, occurs when an IP packet is routed and the output device of that packet is the logical bridge device. The side effect is encountered when filtering on the MAC source in the iptables FORWARD chain. It should be clear from the previous section that traversal of the iptables FORWARD chain is postponed until the packet is in the bridge code. This is done so that we can filter on the bridge port output device. This has a negative effect on the MAC source address, because the IP code has already changed the MAC source address to the MAC address of the bridge device.