

Messages - pozolero

Pages: [1] 2 3 4 5 ... 13
1
General Questions / Re: Squidguard and Facebook
« on: September 05, 2017, 11:50:05 am »
How is your pfSense configured?  Are you using squid in transparent mode?  If so, you won't be able to block Facebook https connections in a safe way.  Maybe you could block it on pfSense using firewall rules that point at the Facebook CIDR ranges via aliases.

Would you explain how you have configured your pfSense, so I can help you better?


2
General Questions / Re: Sometimes there is a bottleneck on my lan
« on: September 05, 2017, 11:47:45 am »
Thanks for the answer.  I'll do that with examples.

Regards

3
General Questions / Sometimes there is a bottleneck on my lan
« on: August 23, 2017, 11:01:45 am »
Hi everybody, I have some questions about pfSense.

I read some information related to low pfSense throughput at https://doc.pfsense.org/index.php/Low_Throughput_Troubleshooting.

I used the command prompt option on pfSense and here are the results of the top -aSH command:

[image: top -aSH output]

And here are my network cards:

[image: network cards]

I have 130 users between PCs and laptops and 30 Xerox 3320 printers.  I only have a WAN and a LAN card to manage all connections.

The machine is a Dell Precision T5400 workstation: Intel Xeon 2.33 GHz quad-core, socket LGA771, 4 GB DDR2 SDRAM, 500 GB HDD, Broadcom Gigabit Ethernet LAN card, PCI Express video card with 256 MB DDR2 SDRAM.

The WAN card is a PCI card with a Davicom chip.

What I'm thinking first is to add a new PCI Express network card to replace the old PCI card that I'm using as the WAN, just to see if that improves the bottleneck that users sometimes have on a regular day.

What suggestions do you guys have?

Best regards

4
Firewalling / Re: Question about Firewall rules
« on: May 03, 2017, 02:25:43 pm »

squid can handle https sites, just not transparently IIRC. You'll have to load the cert on each computer passing through the proxy at that point.

HOWEVER, an IP alias in pfsense "Firewall->Alias->IP->Add->Type: URL (IPs)" can accept hostnames and domain names. If your goal is to just block access to these sites, you can create an alias, add all the websites/domains in there you want, and create a deny rule when user traffic is destined to them. This is accomplished by pfsense periodically doing an nslookup on anything in that list, and adding every IP it receives in response to its list.

This would effectively stop http and https, as well as any traffic to the destined hosts.

I'll try this, thank you.

5
Español / Re: Question about pfSense firewall rules
« on: May 03, 2017, 09:30:33 am »
Hi

The key in these rules...

Thanks a lot for replying, I'll look for information on this.

I think the same about firewall and proxy.  In fact I had squid configured in explicit (non-transparent) mode + squidguard and everything was excellent.  The problem is that I have cell phones in the office, and cell-phone apps like Twitter and Facebook, which for the social communication department must be open both on PCs and on phones, caused me problems.  They asked me to change the configuration to transparent mode, as it was on the server I mentioned, which was debian + squid + iptables.

Now I can't filter the secure pages to make my groups so they don't abuse the bandwidth we have available.  Now the problem is that all pages, or most of them, make secure SSL connections and that is a problem.

6
Firewalling / Re: Question about Firewall rules
« on: May 03, 2017, 09:11:24 am »
PF is a strict layer 3 packet filter and that means that it won't look inside the data payload on the packets no matter what you do. As noted you'll need a proxy of some sort to accomplish layer 7 filtering on pfSense.

Thanks for your answer.

7
Firewalling / Re: Question about Firewall rules
« on: May 03, 2017, 09:10:41 am »
you could probably accomplish this with squid using URL lists.

Thanks for your answer; the problem is https sites over transparent squid.

8
Firewalling / Re: Question about Firewall rules
« on: May 03, 2017, 09:09:36 am »
Also with Snort you can do something like this.
For example https://forum.pfsense.org/index.php?topic=84227.0

Looks very interesting!!  I'll try to run some tests on VirtualBox.

Thanks a lot

9
Firewalling / Re: Question about Firewall rules
« on: May 03, 2017, 09:02:19 am »
There is no iptables on FreeBSD. Wrong forum, dude.

Thanks for the answer, dude.

I'll quote:

Quote
Hi everyone!  I have an iptables script (yes, I know pfSense doesn't use iptables) but I think it's a clever script.

This script was on a Debian server with squid in transparent mode, and was for blocking https (443) connections for domains like youtube.com without blocking the google.com domain.  Both domains use the same IP address.

My question is: is it possible to achieve something like these firewall rules on pfSense?

:-)

10
Firewalling / Question about Firewall rules
« on: April 21, 2017, 10:37:49 am »
Hi everyone!  I have an iptables script (yes, I know pfSense doesn't use iptables) but I think it's a clever script.

This script was on a Debian server with squid in transparent mode, and was for blocking https (443) connections for domains like youtube.com without blocking the google.com domain.  Both domains use the same IP address.

My question is: is it possible to achieve something like these firewall rules on pfSense?

I'll leave the firewall script below.

Code:
#! /bin/sh
# BLOCKING HTTPS CONNECTIONS / PORT 443

echo "Starting Firewall. "
echo "Applying Firewall Rules .........."

iptables -F
iptables -X
iptables -t nat -F
iptables -t nat -X
iptables -t nat -Z

#iptables -P INPUT ACCEPT
#iptables -P OUTPUT ACCEPT
#iptables -P FORWARD DROP

INTERNET="eth0"
LAN="eth1"
IPLAN="172.16.0.0/12"
RED="172.20.5"
MOVIL="172.20.10"

echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
echo 1 > /proc/sys/net/ipv4/ip_forward

iptables -A INPUT -i lo -j ACCEPT # Localhost
iptables -A OUTPUT -o lo -j ACCEPT # Localhost
#---------------------------------------------------------------------
iptables -A FORWARD -p tcp --dport 443 -j ACCEPT # HTTPS

iptables -A INPUT -i $INTERNET -p tcp --dport 20 -j ACCEPT # FTP
iptables -A INPUT -i $INTERNET -p tcp --dport 21 -j ACCEPT # FTP

#iptables -A INPUT -i $INTERNET -p tcp --dport 22 -j ACCEPT # SSH
#iptables -A INPUT -i $INTERNET -p tcp --dport 25 -j ACCEPT # SMTP
#iptables -A INPUT -i $INTERNET -p tcp --dport 53 -j ACCEPT # DNS
#iptables -A INPUT -i $INTERNET -p tcp --dport 80 -j ACCEPT # WEB
#iptables -A INPUT -i $INTERNET -p tcp --dport 110 -j ACCEPT # POP
#iptables -A INPUT -i $INTERNET -p tcp --dport 143 -j ACCEPT # IMAP
#iptables -A INPUT -i $INTERNET -p tcp --dport 1433 -j ACCEPT # SQL Server
#iptables -A INPUT -i $INTERNET -p tcp --dport 3306 -j ACCEPT # MySQL

iptables -A INPUT -p tcp --dport 20 -j ACCEPT # FTP
iptables -A INPUT -p tcp --dport 21 -j ACCEPT # FTP
iptables -A OUTPUT -p tcp --sport 20 -j ACCEPT # FTP
iptables -A OUTPUT -p tcp --sport 21 -j ACCEPT # FTP
iptables -A INPUT -p tcp --dport 22 -j ACCEPT # SSH
iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT # SSH
iptables -A INPUT -p tcp --dport 25 -j ACCEPT # SMTP
iptables -A OUTPUT -p tcp --sport 25 -j ACCEPT # SMTP
iptables -A INPUT -p tcp --dport 80 -j ACCEPT # WEB
iptables -A OUTPUT -p tcp --sport 80 -j ACCEPT # WEB
iptables -A INPUT -p tcp --dport 110 -j ACCEPT # POP MAIL
iptables -A OUTPUT -p tcp --sport 110 -j ACCEPT # POP MAIL
iptables -A INPUT -p tcp --dport 143 -j ACCEPT # IMAP MAIL
iptables -A OUTPUT -p tcp --sport 143 -j ACCEPT # IMAP MAIL
#iptables -A INPUT -p tcp --dport 1433 -j ACCEPT # SQL Server
#iptables -A OUTPUT -p tcp --sport 1433 -j ACCEPT # SQL Server
#iptables -A INPUT -p tcp --dport 3306 -j ACCEPT # MySQL
#iptables -A OUTPUT -p tcp --sport 3306 -j ACCEPT # MySQL

iptables -A INPUT -p tcp --dport 7777 -j ACCEPT # CNPSS
iptables -A OUTPUT -p tcp --sport 7777 -j ACCEPT # CNPSS

#-----------------------------------------------------------------------
iptables -t nat -A PREROUTING -s $IPLAN -p tcp --dport 80 -j DNAT --to 172.20.5.1:3128
iptables -t nat -A POSTROUTING -s $IPLAN -o $INTERNET -j MASQUERADE

# ACCESS LEVELS FOR UNRESTRICTED IP
# WEBSITES RESTRICTIONS ARE MADE BY SQUID, FIREWALL ONLY CONTROLS HTTPS ACCESS

# --------------------------------------- FIREWALL LEVELS
# 1° LEVEL -  NO RESTRICTIONS
# 2° LEVEL -  ACCESS ONLY  FACEBOOK + TWITTER + YOUTUBE + DROPBOX, BLOCKED PEER-TO-PEER
# 3° LEVEL - ACCESS ONLY FACEBOOK;  TWITTER, YOUTUBE, DROPBOX, BLOCKED PEER-TO-PEER
 
iptables -A FORWARD -d 151.101.0.0/16 -j ACCEPT
iptables -A OUTPUT -p tcp -d 151.101.0.0/16 -j ACCEPT # Schoology
iptables -A FORWARD -p tcp -d schoology.com --dport 443 -j ACCEPT
#iptables -A OUTPUT -p tcp -d www.schoology.com -j ACCEPT
#iptables -A OUTPUT -p tcp -d schoology.com -j ACCEPT


# UNRESTRICTED IP ( ACCESS LEVEL 1)
#-----------------------------------------------------------------------------
iptables -A FORWARD -s $RED.41 -o $INTERNET -j ACCEPT # USER
iptables -A FORWARD -s $RED.42 -o $INTERNET -j ACCEPT # USER
iptables -A FORWARD -s $RED.48 -o $INTERNET -j ACCEPT # USER
iptables -A FORWARD -s $RED.49 -o $INTERNET -j ACCEPT # USER
iptables -A FORWARD -s $RED.55 -o $INTERNET -j ACCEPT # USER
iptables -A FORWARD -s $RED.57 -o $INTERNET -j ACCEPT # USER
iptables -A FORWARD -s $RED.68 -o $INTERNET -j ACCEPT # USER
iptables -A FORWARD -s $RED.69 -o $INTERNET -j ACCEPT # USER
iptables -A FORWARD -s $RED.70 -o $INTERNET -j ACCEPT # USER
iptables -A FORWARD -s $RED.76 -o $INTERNET -j ACCEPT # USER
iptables -A FORWARD -s $RED.129 -o $INTERNET -j ACCEPT # USER
iptables -A FORWARD -s $RED.141 -o $INTERNET -j ACCEPT # USER
iptables -A FORWARD -s $RED.168 -o $INTERNET -j ACCEPT # USER
iptables -A FORWARD -s $RED.170 -o $INTERNET -j ACCEPT # USER
iptables -A FORWARD -s $RED.249 -o $INTERNET -j ACCEPT # USER
iptables -A FORWARD -s $RED.218 -o $INTERNET -j ACCEPT # USER
#----------------------------------------------------------------------------
# APPLE SERVERS
#----------------------------
#iptables -A FORWARD -d 74.125.0.0/16 -j ACCEPT # Google
iptables -A FORWARD -s 17.142.160.59 -j ACCEPT
iptables -A FORWARD -s 17.172.224.47 -j ACCEPT
iptables -A FORWARD -s 17.178.96.59 -j ACCEPT


iptables -A FORWARD -s $MOVIL.10 -o $INTERNET -j ACCEPT # CELL PHONE
iptables -A FORWARD -s $MOVIL.15 -o $INTERNET -j ACCEPT # CELL PHONE
iptables -A FORWARD -s $MOVIL.19 -o $INTERNET -j ACCEPT # CELL PHONE
iptables -A FORWARD -s $MOVIL.20 -o $INTERNET -j ACCEPT # CELL PHONE
iptables -A FORWARD -s $MOVIL.21 -o $INTERNET -j ACCEPT # CELL PHONE
iptables -A FORWARD -s $MOVIL.36 -o $INTERNET -j ACCEPT # CELL PHONE
iptables -A FORWARD -s $MOVIL.77 -o $INTERNET -j ACCEPT # CELL PHONE
iptables -A FORWARD -s $MOVIL.78 -o $INTERNET -j ACCEPT # CELL PHONE
iptables -A FORWARD -s $MOVIL.39 -o $INTERNET -j ACCEPT # CELL PHONE
iptables -A FORWARD -s $MOVIL.40 -o $INTERNET -j ACCEPT # CELL PHONE
iptables -A FORWARD -s $MOVIL.44 -o $INTERNET -j ACCEPT # CELL PHONE
iptables -A FORWARD -s $MOVIL.85 -o $INTERNET -j ACCEPT         # TABLET

# BLOCKED TORRENT DOWNLOADS
#----------------------------------------------------------------------------
iptables -A FORWARD -m string --algo bm --string "BitTorrent" -j DROP
iptables -A FORWARD -m string --algo bm --string "BitTorrent protocol" -j DROP
iptables -A FORWARD -m string --algo bm --string "peer_id" -j DROP
iptables -A FORWARD -m string --algo bm --string ".torrent" -j DROP
iptables -A FORWARD -m string --algo bm --string "announce.php?passkey=" -j DROP
iptables -A FORWARD -m string --algo bm --string "torrent" -j DROP
iptables -A FORWARD -m string --algo bm --string "announce" -j DROP
iptables -A FORWARD -m string --algo bm --string "info_hash" -j DROP

iptables -A FORWARD -m string --algo bm --string "get_peers" -j DROP
iptables -A FORWARD -m string --algo bm --string "announce_peer" -j DROP
iptables -A FORWARD -m string --algo bm --string "find_node" -j DROP

# BLOCKED TORRENT AND P2P
# BY MODULE ----- apt-get install xtables-addons-common
# iptables -m ipp2p --help
#-------------------------------------------------------
#iptables -A FORWARD -p tcp -m ipp2p --edk -j DROP
#iptables -A FORWARD -p udp -m ipp2p --edk -j DROP
#iptables -A FORWARD -p tcp -m ipp2p --dc -j DROP
#iptables -A FORWARD -p tcp -m ipp2p --kazaa -j DROP
#iptables -A FORWARD -p udp -m ipp2p --kazaa -j DROP
#iptables -A FORWARD -p tcp -m ipp2p --gnu -j DROP
#iptables -A FORWARD -p udp -m ipp2p --gnu -j DROP
#iptables -A FORWARD -p tcp -m ipp2p --bit -j DROP
#iptables -A FORWARD -p udp -m ipp2p --bit -j DROP
#iptables -A FORWARD -p tcp -m ipp2p --apple -j DROP
#iptables -A FORWARD -p tcp -m ipp2p --winmx -j DROP
#iptables -A FORWARD -p tcp -m ipp2p --soul -j DROP
#iptables -A FORWARD -p tcp -m ipp2p --ares -j DROP


# IP WITH HTTPS - 443 ACCESS GRANTED (ACCESS LEVEL 2)
#-----------------------------------------------------------------------------
iptables -A FORWARD -s $RED.56 -p tcp --dport 443 -j ACCEPT # USER
iptables -A FORWARD -s $RED.59 -p tcp --dport 443 -j ACCEPT # USER
iptables -A FORWARD -s $RED.67 -p tcp --dport 443 -j ACCEPT # USER
iptables -A FORWARD -s $RED.69 -p tcp --dport 443 -j ACCEPT # USER
iptables -A FORWARD -s $RED.73 -p tcp --dport 443 -j ACCEPT # USER
iptables -A FORWARD -s $RED.74 -p tcp --dport 443 -j ACCEPT # USER
iptables -A FORWARD -s $RED.77 -p tcp --dport 443 -j ACCEPT # USER
iptables -A FORWARD -s $RED.79 -p tcp --dport 443 -j ACCEPT # USER
iptables -A FORWARD -s $RED.80 -p tcp --dport 443 -j ACCEPT # USER
iptables -A FORWARD -s $RED.102 -p tcp --dport 443 -j ACCEPT # USER
iptables -A FORWARD -s $RED.104 -p tcp --dport 443 -j ACCEPT # USER
iptables -A FORWARD -s $RED.150 -p tcp --dport 443 -j ACCEPT # USER
iptables -A FORWARD -s $RED.176 -p tcp --dport 443 -j ACCEPT # USER
iptables -A FORWARD -s $RED.201 -p tcp --dport 443 -j ACCEPT # USER

#----------------------

# BLOCKING YOUTUBE AND TWITTER
# TO BLOCK YOUTUBE, FIRST WE NEED TO ACCEPT GOOGLE REQUESTS BECAUSE BOTH DOMAINS
# DEPEND ON THE SAME SERVERS OR IP ADDRESS BUT THE DOMAIN REQUEST IS INDEPENDENT.
# AFTER THIS, I PERMIT ACCESS TO THE GOOGLE DOMAIN BUT NOT TO THE YOUTUBE DOMAIN
#-----------------------------------------------------------------------------
iptables -A FORWARD -m string --string "google.com" --algo bm -j ACCEPT
iptables -A FORWARD -m string --string "youtube.com" --algo bm -j DROP
#iptables -A FORWARD -m string --string "dropbox.com" --algo bm -j DROP

iptables -A FORWARD -d 199.59.148.0/22 -j DROP # Twitter


# BLOCKED YOUTUBE, BLOCKED DOWNLOADS, UNBLOCKED FACEBOOK (ACCESS LEVEL 3)
#-----------------------------------------------------------------------------
iptables -A FORWARD -s $RED.49 -p tcp --dport 443 -j ACCEPT # USER


# BLOCKED FACEBOOK SERVERS
#-----------------------------------------------------------------------------
iptables -A FORWARD -d 65.201.208.24/29 -j DROP
iptables -A FORWARD -d 65.204.104.128/28 -j DROP
iptables -A FORWARD -d 66.92.180.48/29 -j DROP
iptables -A FORWARD -d 67.200.105.48/28 -j DROP
iptables -A FORWARD -d 69.63.176.0/30 -j DROP
iptables -A FORWARD -d 69.171.224.0/20 -j DROP
iptables -A FORWARD -d 74.119.76.0/19 -j DROP
iptables -A FORWARD -d 204.25.20.0/22 -j DROP
iptables -A FORWARD -d 66.220.144.0/20 -j DROP
iptables -A FORWARD -d 173.252.64.0/18 -j DROP


# SCHOOLOGY.COM
#----------------------------------------------------------
#iptables -A FORWARD -d 151.101.0.0/16 -j ACCEPT
#iptables -A FORWARD -m string --string "schoology.com" --algo bm -j ACCEPT
#iptables -I INPUT -p tcp --dport 443 -m string --string "schoology.com" --algo bm -j ACCEPT


# GRANT ACCESS TO HTTPS - 443 WEBSITES
#-------------------------------------------------------------------------------

#iptables -A FORWARD -s 52.2.100.81 -p tcp --dport 443 -j ACCEPT # WEBSITE
#iptables -A FORWARD -s 52.204.251.50 -p tcp --dport 443 -j ACCEPT # WEBSITE
#iptables -A FORWARD -s 107.23.6.245 -p tcp --dport 443 -j ACCEPT # WEBSITE
#iptables -A FORWARD -s 52.21.168.68 -p tcp --dport 443 -j ACCEPT # WEBSITE


#iptables -A FORWARD -p tcp -m iprange --dst-range 74.125.0.0-74.125.255.255 --dport 443 -j ACCEPT # Google
iptables -A FORWARD -d 74.125.0.0/16 -j ACCEPT # Google
#iptables -A FORWARD -p tcp -d accounts.google.com --dport 443 -j ACCEPT # Gmail
#iptables -A FORWARD -p tcp -m iprange --dst-range 172.194.46.0-173.194.46.255 --dport 443 -j ACCEPT # Gmail
#iptables -A FORWARD -p tcp -d mail.google.com --dport 443 -j ACCEPT # Gmail

#iptables -A FORWARD -s 187.210.186.221 -p tcp --dport 443 -j ACCEPT # WEBSITE
#iptables -A FORWARD -s 187.191.75.171 -p tcp --dport 443 -j ACCEPT # WEBSITE
#iptables -A FORWARD -p tcp -d www.website.com --dport 443 -j ACCEPT #

#iptables -A FORWARD -s 65.66.206.154 -p tcp --dport 443 -j ACCEPT # Hotmail
#iptables -A FORWARD -p tcp -d live.com --dport 443 -j ACCEPT # Hotmail
#iptables -A FORWARD -p tcp -d login.live.com --dport 443 -j ACCEPT # Hotmail
#iptables -A FORWARD -p tcp -d secure.shared.live.com --dport 443 -j ACCEPT # Hotmail
#iptables -A FORWARD -p tcp -d outlook.com --dport 443 -j ACCEPT # Hotmail

#iptables -A FORWARD -d 157.54.0.0/15 -j ACCEPT # Outlook.com
#iptables -A FORWARD -d 157.56.0.0/14 -j ACCEPT # Outlook.com
#iptables -A FORWARD -d 157.60.0.0/16 -j ACCEPT # Outlook.com
#iptables -A FORWARD -d 132.245.0.0/16 -j ACCEPT # Outlook.com
#iptables -A FORWARD -d 131.253.62.0/23 -j DROP # login.live.com
#iptables -A FORWARD -d 131.253.128.0/17 -j DROP # login.live.com
#iptables -A FORWARD -d 131.253.61.0/24 -j DROP # login.live.com
#iptables -A FORWARD -d 131.253.64.0/18 -j DROP # login.live.com
#iptables -A FORWARD -d 65.52.0.0/14 -j DROP # mail.live.com

iptables -A FORWARD -d 189.202.196.50 -j ACCEPT
iptables -A FORWARD -d 189.203.200.235 -j ACCEPT



# ALL PORTS BLOCKED
#-------------------------------------------------------------------------------
#iptables -A INPUT -j DROP
#iptables -A OUTPUT -j DROP
#iptables -A FORWARD -j LOG

#iptables -A FORWARD -p tcp --dport 443 -j DROP # HTTPS



What I want to know or confirm is if I can configure something like this:
Code:
# BLOCKING YOUTUBE AND TWITTER
# TO BLOCK YOUTUBE, FIRST WE NEED TO ACCEPT GOOGLE REQUESTS BECAUSE BOTH DOMAINS
# DEPEND ON THE SAME SERVERS OR IP ADDRESS BUT THE DOMAIN REQUEST IS INDEPENDENT.
# AFTER THIS, I PERMIT ACCESS TO THE GOOGLE DOMAIN BUT NOT TO THE YOUTUBE DOMAIN
#-----------------------------------------------------------------------------
iptables -A FORWARD -m string --string "google.com" --algo bm -j ACCEPT
iptables -A FORWARD -m string --string "youtube.com" --algo bm -j DROP
#iptables -A FORWARD -m string --string "dropbox.com" --algo bm -j DROP

iptables -A FORWARD -d 199.59.148.0/22 -j DROP # Twitter


so I can make an IP alias in the firewall rules to block some users on the LAN.

Best regards!

11
Español / Re: Question about pfSense firewall rules
« on: April 21, 2017, 10:04:25 am »
Does anyone have an idea?  ???

12
Español / Question about pfSense firewall rules
« on: April 20, 2017, 11:19:08 am »
Hello everyone on the forum.  I have an iptables script that was given to me.  I know pfSense doesn't use iptables, but I found the script interesting.

The script was deployed on a Linux server with squid in transparent mode.  It was used to block, for certain network ranges, connections to secure SSL-443 sites like youtube, but without blocking the google.com domain.

My question is whether something similar can be done on pfSense?

I'll leave the script code below.

Code:
#! /bin/sh
# SCRIPT TO BLOCK SECURE CONNECTIONS TO PORT 443 VIA THE FIREWALL
echo "Starting Firewall. "
echo "Applying Firewall rules .........."

iptables -F
iptables -X
iptables -t nat -F
iptables -t nat -X
iptables -t nat -Z

#iptables -P INPUT ACCEPT
#iptables -P OUTPUT ACCEPT
#iptables -P FORWARD DROP

INTERNET="eth0"
LAN="eth1"
IPLAN="172.16.0.0/12"
RED="172.20.5"
MOVIL="172.20.10"

echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
echo 1 > /proc/sys/net/ipv4/ip_forward

iptables -A INPUT -i lo -j ACCEPT # Localhost
iptables -A OUTPUT -o lo -j ACCEPT # Localhost
#---------------------------------------------------------------------
iptables -A FORWARD -p tcp --dport 443 -j ACCEPT # HTTPS

iptables -A INPUT -i $INTERNET -p tcp --dport 20 -j ACCEPT # FTP
iptables -A INPUT -i $INTERNET -p tcp --dport 21 -j ACCEPT # FTP

#iptables -A INPUT -i $INTERNET -p tcp --dport 22 -j ACCEPT # SSH
#iptables -A INPUT -i $INTERNET -p tcp --dport 25 -j ACCEPT # SMTP
#iptables -A INPUT -i $INTERNET -p tcp --dport 53 -j ACCEPT # DNS
#iptables -A INPUT -i $INTERNET -p tcp --dport 80 -j ACCEPT # WEB
#iptables -A INPUT -i $INTERNET -p tcp --dport 110 -j ACCEPT # POP
#iptables -A INPUT -i $INTERNET -p tcp --dport 143 -j ACCEPT # IMAP
#iptables -A INPUT -i $INTERNET -p tcp --dport 1433 -j ACCEPT # SQL Server
#iptables -A INPUT -i $INTERNET -p tcp --dport 3306 -j ACCEPT # MySQL

iptables -A INPUT -p tcp --dport 20 -j ACCEPT # FTP
iptables -A INPUT -p tcp --dport 21 -j ACCEPT # FTP
iptables -A OUTPUT -p tcp --sport 20 -j ACCEPT # FTP
iptables -A OUTPUT -p tcp --sport 21 -j ACCEPT # FTP
iptables -A INPUT -p tcp --dport 22 -j ACCEPT # SSH
iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT # SSH
iptables -A INPUT -p tcp --dport 25 -j ACCEPT # SMTP
iptables -A OUTPUT -p tcp --sport 25 -j ACCEPT # SMTP
iptables -A INPUT -p tcp --dport 80 -j ACCEPT # WEB
iptables -A OUTPUT -p tcp --sport 80 -j ACCEPT # WEB
iptables -A INPUT -p tcp --dport 110 -j ACCEPT # POP MAIL
iptables -A OUTPUT -p tcp --sport 110 -j ACCEPT # POP MAIL
iptables -A INPUT -p tcp --dport 143 -j ACCEPT # IMAP MAIL
iptables -A OUTPUT -p tcp --sport 143 -j ACCEPT # IMAP MAIL
#iptables -A INPUT -p tcp --dport 1433 -j ACCEPT # SQL Server
#iptables -A OUTPUT -p tcp --sport 1433 -j ACCEPT # SQL Server
#iptables -A INPUT -p tcp --dport 3306 -j ACCEPT # MySQL
#iptables -A OUTPUT -p tcp --sport 3306 -j ACCEPT # MySQL

iptables -A INPUT -p tcp --dport 7777 -j ACCEPT # CNPSS
iptables -A OUTPUT -p tcp --sport 7777 -j ACCEPT # CNPSS

#-----------------------------------------------------------------------
iptables -t nat -A PREROUTING -s $IPLAN -p tcp --dport 80 -j DNAT --to 172.20.5.1:3128
iptables -t nat -A POSTROUTING -s $IPLAN -o $INTERNET -j MASQUERADE

# ACCESS LEVELS FOR THE BOSSES
# PAGE RESTRICTION IS DONE THROUGH SQUID; THE FIREWALL ONLY CONTROLS
# PAGES ACCESSED OVER HTTPS
# --------------------------------------- FIREWALL LEVELS
# 1st LEVEL -  NO RESTRICTIONS
# 2nd LEVEL -  ACCESS TO FACEBOOK + TWITTER + YOUTUBE + DROPBOX, PEER-TO-PEER DOWNLOADS DENIED
# 3rd LEVEL - ACCESS ONLY TO FACEBOOK;  TWITTER, YOUTUBE, DROPBOX AND PEER-TO-PEER DOWNLOADS DENIED
 
iptables -A FORWARD -d 151.101.0.0/16 -j ACCEPT
iptables -A OUTPUT -p tcp -d 151.101.0.0/16 -j ACCEPT # Schoology
iptables -A FORWARD -p tcp -d schoology.com --dport 443 -j ACCEPT
#iptables -A OUTPUT -p tcp -d www.schoology.com -j ACCEPT
#iptables -A OUTPUT -p tcp -d schoology.com -j ACCEPT


# IPS WITHOUT PORT OR ACCESS RESTRICTIONS (ACCESS LEVEL 1)
#-----------------------------------------------------------------------------
iptables -A FORWARD -s $RED.41 -o $INTERNET -j ACCEPT # BOSS
iptables -A FORWARD -s $RED.42 -o $INTERNET -j ACCEPT # BOSS
iptables -A FORWARD -s $RED.48 -o $INTERNET -j ACCEPT # BOSS
iptables -A FORWARD -s $RED.49 -o $INTERNET -j ACCEPT # BOSS
iptables -A FORWARD -s $RED.55 -o $INTERNET -j ACCEPT # BOSS
iptables -A FORWARD -s $RED.57 -o $INTERNET -j ACCEPT # BOSS
iptables -A FORWARD -s $RED.68 -o $INTERNET -j ACCEPT # BOSS
iptables -A FORWARD -s $RED.69 -o $INTERNET -j ACCEPT # BOSS
iptables -A FORWARD -s $RED.70 -o $INTERNET -j ACCEPT # BOSS
iptables -A FORWARD -s $RED.76 -o $INTERNET -j ACCEPT # BOSS
iptables -A FORWARD -s $RED.129 -o $INTERNET -j ACCEPT # BOSS
iptables -A FORWARD -s $RED.141 -o $INTERNET -j ACCEPT # BOSS
iptables -A FORWARD -s $RED.168 -o $INTERNET -j ACCEPT # BOSS
iptables -A FORWARD -s $RED.170 -o $INTERNET -j ACCEPT # BOSS
iptables -A FORWARD -s $RED.249 -o $INTERNET -j ACCEPT # BOSS
iptables -A FORWARD -s $RED.218 -o $INTERNET -j ACCEPT # BOSS
#----------------------------------------------------------------------------
# APPLE SERVERS
#----------------------------
#iptables -A FORWARD -d 74.125.0.0/16 -j ACCEPT # Google
iptables -A FORWARD -s 17.142.160.59 -j ACCEPT
iptables -A FORWARD -s 17.172.224.47 -j ACCEPT
iptables -A FORWARD -s 17.178.96.59 -j ACCEPT


iptables -A FORWARD -s $MOVIL.10 -o $INTERNET -j ACCEPT # BOSS CELL PHONE
iptables -A FORWARD -s $MOVIL.15 -o $INTERNET -j ACCEPT # BOSS CELL PHONE
iptables -A FORWARD -s $MOVIL.19 -o $INTERNET -j ACCEPT # BOSS CELL PHONE
iptables -A FORWARD -s $MOVIL.20 -o $INTERNET -j ACCEPT # BOSS CELL PHONE
iptables -A FORWARD -s $MOVIL.21 -o $INTERNET -j ACCEPT # BOSS CELL PHONE
iptables -A FORWARD -s $MOVIL.36 -o $INTERNET -j ACCEPT # BOSS CELL PHONE
iptables -A FORWARD -s $MOVIL.77 -o $INTERNET -j ACCEPT # BOSS CELL PHONE
iptables -A FORWARD -s $MOVIL.78 -o $INTERNET -j ACCEPT # BOSS CELL PHONE
iptables -A FORWARD -s $MOVIL.39 -o $INTERNET -j ACCEPT # BOSS CELL PHONE
iptables -A FORWARD -s $MOVIL.40 -o $INTERNET -j ACCEPT # BOSS CELL PHONE
iptables -A FORWARD -s $MOVIL.44 -o $INTERNET -j ACCEPT # BOSS CELL PHONE
iptables -A FORWARD -s $MOVIL.85 -o $INTERNET -j ACCEPT # BOSS TABLET

# TORRENT DOWNLOAD RESTRICTION
#----------------------------------------------------------------------------
iptables -A FORWARD -m string --algo bm --string "BitTorrent" -j DROP
iptables -A FORWARD -m string --algo bm --string "BitTorrent protocol" -j DROP
iptables -A FORWARD -m string --algo bm --string "peer_id" -j DROP
iptables -A FORWARD -m string --algo bm --string ".torrent" -j DROP
iptables -A FORWARD -m string --algo bm --string "announce.php?passkey=" -j DROP
iptables -A FORWARD -m string --algo bm --string "torrent" -j DROP
iptables -A FORWARD -m string --algo bm --string "announce" -j DROP
iptables -A FORWARD -m string --algo bm --string "info_hash" -j DROP

iptables -A FORWARD -m string --algo bm --string "get_peers" -j DROP
iptables -A FORWARD -m string --algo bm --string "announce_peer" -j DROP
iptables -A FORWARD -m string --algo bm --string "find_node" -j DROP

# BLOCK TORRENT AND P2P DOWNLOADS
# VIA MODULE: apt-get install xtables-addons-common
# iptables -m ipp2p --help
#-------------------------------------------------------
#iptables -A FORWARD -p tcp -m ipp2p --edk -j DROP
#iptables -A FORWARD -p udp -m ipp2p --edk -j DROP
#iptables -A FORWARD -p tcp -m ipp2p --dc -j DROP
#iptables -A FORWARD -p tcp -m ipp2p --kazaa -j DROP
#iptables -A FORWARD -p udp -m ipp2p --kazaa -j DROP
#iptables -A FORWARD -p tcp -m ipp2p --gnu -j DROP
#iptables -A FORWARD -p udp -m ipp2p --gnu -j DROP
#iptables -A FORWARD -p tcp -m ipp2p --bit -j DROP
#iptables -A FORWARD -p udp -m ipp2p --bit -j DROP
#iptables -A FORWARD -p tcp -m ipp2p --apple -j DROP
#iptables -A FORWARD -p tcp -m ipp2p --winmx -j DROP
#iptables -A FORWARD -p tcp -m ipp2p --soul -j DROP
#iptables -A FORWARD -p tcp -m ipp2p --ares -j DROP


# IPS WITH PORT 443 ENABLED (ACCESS LEVEL 2)
#-----------------------------------------------------------------------------
iptables -A FORWARD -s $RED.56 -p tcp --dport 443 -j ACCEPT # USER
iptables -A FORWARD -s $RED.59 -p tcp --dport 443 -j ACCEPT # USER
iptables -A FORWARD -s $RED.67 -p tcp --dport 443 -j ACCEPT # USER
iptables -A FORWARD -s $RED.69 -p tcp --dport 443 -j ACCEPT # USER
iptables -A FORWARD -s $RED.73 -p tcp --dport 443 -j ACCEPT # USER
iptables -A FORWARD -s $RED.74 -p tcp --dport 443 -j ACCEPT # USER
iptables -A FORWARD -s $RED.77 -p tcp --dport 443 -j ACCEPT # USER
iptables -A FORWARD -s $RED.79 -p tcp --dport 443 -j ACCEPT # USER
iptables -A FORWARD -s $RED.80 -p tcp --dport 443 -j ACCEPT # USER
iptables -A FORWARD -s $RED.102 -p tcp --dport 443 -j ACCEPT # USER
iptables -A FORWARD -s $RED.104 -p tcp --dport 443 -j ACCEPT # USER
iptables -A FORWARD -s $RED.150 -p tcp --dport 443 -j ACCEPT # USER
iptables -A FORWARD -s $RED.176 -p tcp --dport 443 -j ACCEPT # USER
iptables -A FORWARD -s $RED.201 -p tcp --dport 443 -j ACCEPT # USER

#----------------------

# BLOCKING YOUTUBE AND TWITTER
# TO BLOCK YOUTUBE I FIRST ACCEPT REQUESTS TO GOOGLE, BECAUSE BOTH
# DEPEND ON THE SAME SERVERS (IPS), BUT THE CALL TO THE DOMAIN IS
# INDEPENDENT; BASED ON THAT I ALLOW ACCESS TO THE GOOGLE DOMAIN
# BUT NOT TO THE YOUTUBE DOMAIN
#-----------------------------------------------------------------------------
iptables -A FORWARD -m string --string "google.com" --algo bm -j ACCEPT
iptables -A FORWARD -m string --string "youtube.com" --algo bm -j DROP
#iptables -A FORWARD -m string --string "dropbox.com" --algo bm -j DROP

iptables -A FORWARD -d 199.59.148.0/22 -j DROP # Twitter


# ACCESS LEVEL 3: YOUTUBE-NO, DOWNLOADS-NO, FACEBOOK-YES
#-----------------------------------------------------------------------------
iptables -A FORWARD -s $RED.49 -p tcp --dport 443 -j ACCEPT # USER


# BLOCKING FACEBOOK SERVERS
#-----------------------------------------------------------------------------
iptables -A FORWARD -d 65.201.208.24/29 -j DROP
iptables -A FORWARD -d 65.204.104.128/28 -j DROP
iptables -A FORWARD -d 66.92.180.48/29 -j DROP
iptables -A FORWARD -d 67.200.105.48/28 -j DROP
iptables -A FORWARD -d 69.63.176.0/30 -j DROP
iptables -A FORWARD -d 69.171.224.0/20 -j DROP
iptables -A FORWARD -d 74.119.76.0/19 -j DROP
iptables -A FORWARD -d 204.25.20.0/22 -j DROP
iptables -A FORWARD -d 66.220.144.0/20 -j DROP
iptables -A FORWARD -d 173.252.64.0/18 -j DROP


# SCHOOLOGY.COM
#----------------------------------------------------------
#iptables -A FORWARD -d 151.101.0.0/16 -j ACCEPT
#iptables -A FORWARD -m string --string "schoology.com" --algo bm -j ACCEPT
#iptables -I INPUT -p tcp --dport 443 -m string --string "schoology.com" --algo bm -j ACCEPT


# ALLOW ACCESS TO PERMITTED SITES THAT USE PORT 443 (HTTPS)
#-------------------------------------------------------------------------------

#iptables -A FORWARD -s 52.2.100.81 -p tcp --dport 443 -j ACCEPT #sce.salud
#iptables -A FORWARD -s 52.204.251.50 -p tcp --dport 443 -j ACCEPT #sce.salud
#iptables -A FORWARD -s 107.23.6.245 -p tcp --dport 443 -j ACCEPT #sce.salud
#iptables -A FORWARD -s 52.21.168.68 -p tcp --dport 443 -j ACCEPT #sce.salud


#iptables -A FORWARD -p tcp -m iprange --dst-range 74.125.0.0-74.125.255.255 --dport 443 -j ACCEPT # Google
iptables -A FORWARD -d 74.125.0.0/16 -j ACCEPT # Google
#iptables -A FORWARD -p tcp -d accounts.google.com --dport 443 -j ACCEPT # Gmail
#iptables -A FORWARD -p tcp -m iprange --dst-range 172.194.46.0-173.194.46.255 --dport 443 -j ACCEPT # Gmail
#iptables -A FORWARD -p tcp -d mail.google.com --dport 443 -j ACCEPT # Gmail

#iptables -A FORWARD -s 187.210.186.221 -p tcp --dport 443 -j ACCEPT #sce.salud
#iptables -A FORWARD -s 187.191.75.171 -p tcp --dport 443 -j ACCEPT #sce.salud
#iptables -A FORWARD -p tcp -d www.sce.salud.gob.mx --dport 443 -j ACCEPT #

#iptables -A FORWARD -s 65.66.206.154 -p tcp --dport 443 -j ACCEPT # Hotmail
#iptables -A FORWARD -p tcp -d live.com --dport 443 -j ACCEPT # Hotmail
#iptables -A FORWARD -p tcp -d login.live.com --dport 443 -j ACCEPT # Hotmail
#iptables -A FORWARD -p tcp -d secure.shared.live.com --dport 443 -j ACCEPT # Hotmail
#iptables -A FORWARD -p tcp -d outlook.com --dport 443 -j ACCEPT # Hotmail

#iptables -A FORWARD -d 157.54.0.0/15 -j ACCEPT # Outlook.com
#iptables -A FORWARD -d 157.56.0.0/14 -j ACCEPT # Outlook.com
#iptables -A FORWARD -d 157.60.0.0/16 -j ACCEPT # Outlook.com
#iptables -A FORWARD -d 132.245.0.0/16 -j ACCEPT # Outlook.com
#iptables -A FORWARD -d 131.253.62.0/23 -j DROP # login.live.com
#iptables -A FORWARD -d 131.253.128.0/17 -j DROP # login.live.com
#iptables -A FORWARD -d 131.253.61.0/24 -j DROP # login.live.com
#iptables -A FORWARD -d 131.253.64.0/18 -j DROP # login.live.com
#iptables -A FORWARD -d 65.52.0.0/14 -j DROP # mail.live.com

iptables -A FORWARD -d 189.202.196.50 -j ACCEPT
iptables -A FORWARD -d 189.203.200.235 -j ACCEPT



# BLOCK ALL PORTS
#-------------------------------------------------------------------------------
#iptables -A INPUT -j DROP
#iptables -A OUTPUT -j DROP
#iptables -A FORWARD -j LOG

#iptables -A FORWARD -p tcp --dport 443 -j DROP # HTTPS



The part that catches my attention is this:

Code:
# BLOCKING YOUTUBE AND TWITTER
# TO BLOCK YOUTUBE I FIRST ACCEPT REQUESTS TO GOOGLE, BECAUSE BOTH
# DEPEND ON THE SAME SERVERS (IPS), BUT THE CALL TO THE DOMAIN IS
# INDEPENDENT; BASED ON THAT I ALLOW ACCESS TO THE GOOGLE DOMAIN
# BUT NOT TO THE YOUTUBE DOMAIN
#-----------------------------------------------------------------------------
iptables -A FORWARD -m string --string "google.com" --algo bm -j ACCEPT
iptables -A FORWARD -m string --string "youtube.com" --algo bm -j DROP
#iptables -A FORWARD -m string --string "dropbox.com" --algo bm -j DROP

iptables -A FORWARD -d 199.59.148.0/22 -j DROP # Twitter


What do you think?
Regards

13
Español / Re: pfSense 2.3 – WPAD with nginx
« on: April 19, 2017, 10:30:55 am »
Hi @Javcasta, very good tutorial on WPAD, I haven't implemented it yet.  I only have one question: what happens when WPAD only lets the browser get out to the internet, but not the programs that use the proxy configuration globally?

I hope I explained myself.

14
Español / Re: blocking social networks and youtube
« on: March 16, 2017, 01:31:50 pm »
Well, for me it works by first using the DNS forwarder, then you create an alias, e.g. redes_sociales, and inside it you put e.g. www.facebook.com/es-la.facebook.com/facebook.com; you also create another alias called deny_ip and inside it you put the IPs of the users who will not have access. Finally you create a rule on the LAN that says the following:

Proto    Source      Port  Destination  Port  Gateway  Description
IPv4     TCP/UDP     ip_deny     *     red_social     80     *     Block social network HTTP
IPv4     TCP/UDP     ip_deny     *     red_social     443    *     Block social network HTTPS

And that's it, that way you can block without using the proxy or the blacklist, but it would be much easier if you use the proxy, and with a certificate you can filter http/https traffic with the proxy. Let me know how it went.

Could you point me to a tutorial or the way you did it?  I'm currently creating aliases, but I don't get an option to use a domain instead of an IP or ports...
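A hostname alias on pfSense works the way the quoted replies in this thread describe: filterdns resolves each name periodically and loads the answers into a pf table, so the LAN rule matches on destination address only. The following is an added example, not code from this thread or from pfSense: a Python script that performs that resolution step against a constructed, offline answer set (the hostnames, addresses and alias names are assumptions for the demo), renders the resulting table and block rule in pf.conf syntax approximating what pfSense generates, and flags the failure mode behind the whole thread: a blocked hostname whose address is shared with a hostname that must stay reachable.

```python
from collections import defaultdict

# Constructed answer set standing in for the resolver; real records differ and
# change over time, which is why pfSense re-resolves alias hostnames periodically.
SAMPLE_DNS = {
    "www.facebook.com":    ["203.0.113.10", "203.0.113.11"],
    "facebook.com":        ["203.0.113.10"],
    "www.youtube.com":     ["198.51.100.20", "198.51.100.21"],
    "www.google.com":      ["198.51.100.20", "198.51.100.30"],
    "accounts.google.com": ["198.51.100.30"],
}

def resolve(hostnames, dns=SAMPLE_DNS):
    """hostname -> sorted A records; swap `dns` for a real lookup in production."""
    return {h: sorted(dns.get(h, [])) for h in hostnames}

def alias_addresses(hostnames, dns=SAMPLE_DNS):
    """The address set a hostname alias expands to (what the pf table holds)."""
    return sorted({ip for addrs in resolve(hostnames, dns).values() for ip in addrs})

def shared_addresses(block_hosts, allow_hosts, dns=SAMPLE_DNS):
    """Blocked addresses that an allowed hostname also resolves to. Every entry
    here is traffic the L3 rule will break, because pf sees only the destination IP."""
    owners = defaultdict(set)
    for h in list(block_hosts) + list(allow_hosts):
        for ip in dns.get(h, []):
            owners[ip].add(h)
    allow = set(allow_hosts)
    return {ip: sorted(owners[ip])
            for ip in alias_addresses(block_hosts, dns)
            if owners[ip] & allow}

def render_pf(lan_if, src_alias, src_ips, dst_alias, hostnames, dns=SAMPLE_DNS):
    """pf.conf text approximating the alias tables plus the LAN block rule."""
    return "\n".join([
        f"table <{src_alias}> {{ {' '.join(src_ips)} }}",
        f"table <{dst_alias}> {{ {' '.join(alias_addresses(hostnames, dns))} }}",
        f"block return in quick on {lan_if} inet proto tcp "
        f"from <{src_alias}> to <{dst_alias}> port {{ 80 443 }}",
    ])

if __name__ == "__main__":
    # Source addresses borrowed from the posted script's level-2 list (172.20.5.x).
    print(render_pf("em1", "deny_ip", ["172.20.5.56", "172.20.5.59"],
                    "redes_sociales", ["www.facebook.com", "facebook.com"]))
    for ip, hosts in shared_addresses(["www.youtube.com"],
                                      ["www.google.com", "accounts.google.com"]).items():
        print(f"WARNING: blocking {ip} also breaks {', '.join(hosts)}")
```

The warning line is the check worth keeping: a hostname alias only blocks cleanly when shared_addresses() comes back empty. When it does not, the alias will also break the site that is supposed to stay open, and the decision has to move up to a proxy or IDS that can see the hostname rather than just the address.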

15
Español / Re: SquidGuard real-time log problem
« on: January 26, 2017, 12:13:47 pm »
I haven't done what you say, but I have another server installed with pfSense 2.1, upgraded to 2.3.2_1, with squid+squidguard installed from scratch, and the same thing shows up there too.  I thought that by installing again from scratch those problems would disappear, because when I installed the production server the logs did appear in real time.

Uninstalling doesn't seem like a good idea to me, since I have 150 users connected and it means leaving the office without internet... :-D
