Code-Schnipsel Layer7
Layer7-Filter auf spezifische MAC-Adressen anwenden
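#!/bin/sh
#
# Layer7 / ipp2p filtering per source MAC address (init-script style).
#
# Usage: $0 start|stop|restart|status
#
# For every address handed to fkt_insert a user chain MAC_<addr> is created
# and hooked into FORWARD. The chain DROPs what the ipp2p match classifies as
# peer-to-peer traffic and ACCEPTs everything else; the pseudo address
# "unknown" builds a catch-all chain without a --mac-source match.
#
# Because the rules are added with -I, each chain ends up in this order:
# ICMP ACCEPT, layer7 ACCEPTs, ipp2p DROPs, then the trailing -A ACCEPTs.
# A layer7 ACCEPT therefore takes precedence over an ipp2p DROP, and the
# explicit 443/995 rules are shadowed by the catch-all "-p tcp -j ACCEPT".
#
# Requires the iptables extensions "mac", "ipp2p" and "layer7".
# "stop" does not flush the chains itself; it re-runs the firewall init
# script, which is expected to rebuild the ruleset from scratch.

IPT="/usr/sbin/iptables"

#######################################
# Run one iptables command, reporting a failed rule on stderr instead of
# letting it disappear silently (e.g. when a match module is missing).
# Globals:   IPT (read)
# Arguments: iptables arguments
# Returns:   0 (best effort; the error is only logged)
#######################################
ipt() {
  if ! "$IPT" "$@"; then
    printf 'warning: iptables rule failed:' >&2
    printf ' %s' "$@" >&2
    printf '\n' >&2
  fi
}

#######################################
# Create and populate the filter chain for one source MAC address.
# Globals:   IPT (read)
# Arguments: $1 - source MAC address, or "unknown" for the catch-all chain
# Outputs:   progress message on stdout
# Returns:   1 if the chain cannot be created (usually because it already
#            exists from an earlier "start"; the FORWARD hook is then not
#            duplicated), 0 otherwise
#######################################
fkt_insert() {
  IP_P2P="edk,dc,kazaa,gnu,bit,apple,winmx,soul,ares,mute,waste,xdcc"
  LAYER7="skypetoskype,skypeout,h323,nntp,ntp,pop3,smtp,ssl,vnc,rdp,pcanywhere,msnmessenger,jabber,aim,irc,smb,telnet,ssh,ftp,http,dns"
  TARGET="MAC_$1"
  echo "Generating rules for target $1 ..."
  if ! "$IPT" -N "$TARGET"; then
    printf 'chain %s could not be created (already present?), skipping\n' "$TARGET" >&2
    return 1
  fi
  if [ "$1" = "unknown" ]; then
    ipt -I FORWARD -j "$TARGET"
  else
    ipt -I FORWARD -m mac --mac-source "$1" -j "$TARGET"
  fi
  # The protocol lists are comma separated; split them in a subshell so the
  # IFS change does not leak into the rest of the script.
  (
    IFS=","
    for PROTO in $IP_P2P; do
      ipt -I "$TARGET" -m ipp2p "--$PROTO" -j DROP
    done
    for PROTO in $LAYER7; do
      ipt -I "$TARGET" -m layer7 --l7proto "$PROTO" -j ACCEPT
    done
  )
  ipt -I "$TARGET" -p icmp -j ACCEPT              # icmp, ends up first in the chain
  ipt -A "$TARGET" -p tcp --dport 443 -j ACCEPT   # https
  ipt -A "$TARGET" -p tcp --dport 995 -j ACCEPT   # secure pop
  ipt -A "$TARGET" -p tcp -j ACCEPT               # unknown tcp
  ipt -A "$TARGET" -p udp -j ACCEPT               # unknown udp
  return 0
}

case "${1:-}" in
  start)
    echo "Inserting layer7-filters..."
    # The catch-all chain goes in first: every later -I FORWARD lands above
    # it, so the per-MAC chains are consulted before MAC_unknown.
    fkt_insert unknown            # alle
    fkt_insert 00:02:2D:52:CF:3C  # bastian
    fkt_insert 00:04:75:F8:ED:67  # sylvia
    ;;
  stop)
    echo "Back to original firewall setup..."
    /etc/init.d/S45firewall restart
    ;;
  restart)
    "$0" stop
    "$0" start
    ;;
  status)
    "$IPT" -nxvL
    ;;
  *)
    echo "Usage: $0 start|stop|restart|status"
    ;;
esac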