Code-Schnipsel Layer7

Layer7-Filter auf spezifische MAC-Adressen anwenden

#!/bin/sh

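fkt_insert() {
        # Create the per-source chain MAC_<arg>, hook it into FORWARD and fill it.
        # Arguments:
        #   $1 - source MAC address, or "unknown" for the catch-all chain whose
        #        FORWARD jump carries no --mac-source test (matches everything)
        # Globals:
        #   IPT - path of the iptables binary (read)
        # Returns:
        #   0 on success; 1 if $1 is empty or the chain cannot be created
        #   (e.g. it already exists from an earlier "start" - continuing would
        #   duplicate every rule and add a second FORWARD jump).
        # Resulting chain order (-I prepends, -A appends):
        #   icmp ACCEPT, layer7 ACCEPTs, ipp2p DROPs, tcp/443, tcp/995,
        #   any tcp ACCEPT, any udp ACCEPT.
        # Because the chain ends in blanket tcp/udp ACCEPTs, a packet that enters
        # it never reaches the FORWARD rules that follow the jump.
        local ip_p2p layer7 target proto old_ifs
        ip_p2p="edk,dc,kazaa,gnu,bit,apple,winmx,soul,ares,mute,waste,xdcc"
        layer7="skypetoskype,skypeout,h323,nntp,ntp,pop3,smtp,ssl,vnc,rdp,pcanywhere,msnmessenger,jabber,aim,irc,smb,telnet,ssh,ftp,http,dns"
        target="MAC_$1"

        if [ -z "$1" ]; then
                echo "fkt_insert: missing MAC address (or \"unknown\")" >&2
                return 1
        fi

        echo "Generating rules for target $1 ..."

        "$IPT" -N "$target" || return 1

        if [ "$1" = "unknown" ]; then
                "$IPT" -I FORWARD -j "$target"
        else
                "$IPT" -I FORWARD -m mac --mac-source "$1" -j "$target"
        fi

        # The protocol lists are comma separated: split on "," only inside this
        # function so it does not depend on the caller's IFS, then restore it.
        old_ifs=$IFS
        IFS=","
        for proto in $ip_p2p; do
                "$IPT" -I "$target" -m ipp2p "--$proto" -j DROP
        done
        for proto in $layer7; do
                "$IPT" -I "$target" -m layer7 --l7proto "$proto" -j ACCEPT
        done
        IFS=$old_ifs

        "$IPT" -I "$target" -p icmp                 -j ACCEPT       # icmp
        "$IPT" -A "$target" -p tcp --dport 443      -j ACCEPT       # https
        "$IPT" -A "$target" -p tcp --dport 995      -j ACCEPT       # secure pop
        "$IPT" -A "$target" -p tcp                  -j ACCEPT       # unknown tcp
        "$IPT" -A "$target" -p udp                  -j ACCEPT       # unknown udp
}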

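# fkt_insert's for-loops rely on word splitting at "," to walk the comma
# separated protocol lists, so IFS must be set before the first call.
IFS=","
IPT="/usr/sbin/iptables"
readonly IPT

case "$1" in
        start)
                echo "Inserting layer7-filters..."
                # Each call prepends its jump to FORWARD (-I), so the last one
                # listed is checked first; "unknown" is the catch-all that sees
                # whatever no MAC-specific chain claimed.
                fkt_insert unknown              # catch-all
                fkt_insert 00:02:2D:52:CF:3C    # bastian
                fkt_insert 00:04:75:F8:ED:67    # sylvia
        ;;
        stop)
                # The MAC_* chains are not torn down here; presumably the
                # regular firewall script rebuilds the tables - confirm.
                echo "Back to original firewall setup..."
                /etc/init.d/S45firewall restart
        ;;
        restart)
                "$0" stop
                "$0" start
        ;;
        status)
                "$IPT" -nxvL
        ;;
        *)
                # Unknown sub-command: usage goes to stderr and reports failure.
                echo "Usage: $0 start|stop|restart|status" >&2
                exit 1
        ;;
esac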