
1.806 Bytes hinzugefügt ,  12:22, 20. Feb. 2007
+layer7
=Layer7-Filter auf spezifische MAC-Adressen anwenden=

<pre>
#!/bin/sh

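#######################################
# Create the per-host chain MAC_<id> and hook it into FORWARD.
#
# Rule groups in the order the kernel evaluates them:
#   1. ICMP ACCEPT (inserted with -I after the loops, so it sits on top)
#   2. layer7 ACCEPT rules, then ipp2p DROP rules: both loops insert at
#      position 1 and the layer7 loop runs second, so the layer7 accepts
#      end up ABOVE the p2p drops - a P2P flow that also matches a
#      layer7 protocol is accepted, not dropped
#   3. appended catch-alls: tcp/443, tcp/995, then any TCP and any UDP
# Anything unmatched falls through to the rest of FORWARD.
#
# The FORWARD hook is inserted at position 1 as well, so across several
# calls the LAST one is evaluated first; call "unknown" first so its
# chain becomes the fallback behind the MAC-specific chains.
#
# A source MAC is a spoofable identifier: this is per-device policy,
# not authentication of the device.
# -N fails if the chain already exists (e.g. "start" run twice); the
# rules are then added to the existing chain a second time.
#
# Globals:   IPT (read) - path of the iptables binary
# Arguments: $1 - "unknown" (hook without source match) or a source MAC
# Outputs:   progress line on stdout, iptables diagnostics on stderr
# Returns:   1 if $1 is empty, otherwise the status of the last iptables call
#######################################
fkt_insert() {
  if [ -z "$1" ]; then
    echo "fkt_insert: missing target (MAC address or \"unknown\")" >&2
    return 1
  fi

  IP_P2P="edk,dc,kazaa,gnu,bit,apple,winmx,soul,ares,mute,waste,xdcc"
  LAYER7="skypetoskype,skypeout,h323,nntp,ntp,pop3,smtp,ssl,vnc,rdp,pcanywhere,msnmessenger,jabber,aim,irc,smb,telnet,ssh,ftp,http,dns"
  TARGET="MAC_$1"

  echo "Generating rules for target $1 ..."

  "$IPT" -N "$TARGET"

  if [ "$1" = "unknown" ]; then
    "$IPT" -I FORWARD -j "$TARGET"
  else
    "$IPT" -I FORWARD -m mac --mac-source "$1" -j "$TARGET"
  fi

  # The lists are comma-separated; split them in a subshell so the
  # caller's IFS is neither required nor modified.
  (
    IFS=","
    for PROTO in $IP_P2P; do "$IPT" -I "$TARGET" -m ipp2p "--$PROTO" -j DROP; done
    for PROTO in $LAYER7; do "$IPT" -I "$TARGET" -m layer7 --l7proto "$PROTO" -j ACCEPT; done
  )

  "$IPT" -I "$TARGET" -p icmp -j ACCEPT            # icmp
  "$IPT" -A "$TARGET" -p tcp --dport 443 -j ACCEPT # https
  "$IPT" -A "$TARGET" -p tcp --dport 995 -j ACCEPT # secure pop
  "$IPT" -A "$TARGET" -p tcp -j ACCEPT             # unknown tcp
  "$IPT" -A "$TARGET" -p udp -j ACCEPT             # unknown udp
}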

# The protocol lists inside fkt_insert are comma-separated and its
# loops word-split on this separator, so it must be in effect before
# the function runs.
IFS=","
# iptables binary used by fkt_insert and by "status".
IPT="/usr/sbin/iptables"

action=$1
case "$action" in
  start)
    printf '%s\n' "Inserting layer7-filters..."
    # Every call hooks its chain at the top of FORWARD, so the last
    # call is evaluated first: "unknown" (all hosts) goes first so the
    # per-device chains below take precedence over it.
    fkt_insert unknown             # all other hosts
    fkt_insert 00:02:2D:52:CF:3C   # bastian
    fkt_insert 00:04:75:F8:ED:67   # sylvia
    ;;
  stop)
    printf '%s\n' "Back to original firewall setup..."
    # Presumably rebuilds the base ruleset and thereby discards the
    # chains added by "start" - confirm against S45firewall.
    /etc/init.d/S45firewall restart
    ;;
  restart)
    "$0" stop
    "$0" start
    ;;
  status)
    "$IPT" -nxvL
    ;;
  *)
    printf 'Usage: %s start|stop|restart|status\n' "$0"
    ;;
esac
</pre>