通过 mac 地址阻止 https。Squid 或 iptables

tag-icon tag-icon iptables squid webfilter
通过 mac 地址阻止 https。Squid 或 iptables

我想阻止对某些 mac 地址的 Web 访问(http 和 https)。我能够使用 squid 对 http 执行此操作,但它仍然允许 https 网站通过。

acl denylist arp "/etc/squid/mac-deny-list.lst
http_access deny denylist

我如何对 https/443 执行相同操作?

我试过使用 iptables

iptables -I INPUT -p tcp --dport 443 -m mac --mac-source XX:XX:XX:XX:XX:XX -j DROP


 iptables -I FORWARD -p tcp --dport 443 -m mac --mac-source XX:XX:XX:XX:XX:XX -j DROP

我也尝试过使用REJECT而不是DROP。都不起作用。

我的其余 iptables 规则是:

*nat
:PREROUTING ACCEPT [467:49957]
:POSTROUTING ACCEPT [4:784]
:OUTPUT ACCEPT [6:960]
-A PREROUTING -i eth1.10 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128 
-A POSTROUTING -o eth0 -j MASQUERADE 
COMMIT
*filter
:INPUT ACCEPT [122012:18388989]
:FORWARD ACCEPT [10802:1834986]
:OUTPUT ACCEPT [1807836:1494699352]
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT 
-A INPUT -i lo -j ACCEPT 
-A INPUT -p icmp -j ACCEPT 
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT 
-A INPUT -p tcp -m state --state NEW -m tcp --dport 5667 -j ACCEPT 
-A INPUT -p tcp -m state --state NEW -m tcp --dport 5666 -j ACCEPT 
-A INPUT -p udp -m udp --dport 161 -j ACCEPT 
-A INPUT -p udp -m udp --dport 162 -j ACCEPT 
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT 
-A FORWARD -i tun0 -m state --state NEW -j ACCEPT 
-A FORWARD -i eth1.10 -o eth0 -j ACCEPT 
COMMIT

更新

Chain INPUT (policy ACCEPT 1 packets, 334 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:443 MAC XX:XX:XX:XX:XX:XX
   41  2624 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:22 
  386 42629 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0           
60371 5794K ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0           
6558K 2220M ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED 
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:5667 
60264 3616K ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:5666 
    3   211 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp dpt:161 
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp dpt:162 

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 DROP       tcp  --  eth1.10 *       0.0.0.0/0            0.0.0.0/0           tcp dpt:443 MAC XX:XX:XX:XX:XX:XX 
  61M   46G ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED 
48857 3337K ACCEPT     all  --  tun0   *       0.0.0.0/0            0.0.0.0/0           state NEW 
 159K   17M ACCEPT     all  --  eth1.10 eth0    0.0.0.0/0            0.0.0.0/0           

Chain OUTPUT (policy ACCEPT 49 packets, 6584 bytes)
 pkts bytes target     prot opt in     out     source               destination

TCPDUMP(截断)

tcpdump -e -i eth1.10 '!(host 10.15.248.122)' and 'ether host 00:60:dd:44:85:43'
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth1.10, link-type EN10MB (Ethernet), capture size 65535 bytes
14:01:47.452656 00:08:54:23:fa:93 (oui Unknown) > 00:60:dd:44:85:43 (oui Unknown), ethertype IPv4 (0x0800), length 116: resolver1.opendns.com.domain > 172.31.235.114.63561: 6769 2/0/0 CNAME star.c10r.facebook.com., A 31.13.77.6 (74)
14:01:47.470098 00:08:54:23:fa:93 (oui Unknown) > 00:60:dd:44:85:43 (oui Unknown), ethertype IPv4 (0x0800), length 66: edge-star-shv-01-sjc2.facebook.com.https > 172.31.235.114.50452: Flags [S.], seq 2645004585, ack 3584915781, win 14100, options [mss 1410,nop,nop,sackOK,nop,wscale 8], length 0
14:01:47.485180 00:08:54:23:fa:93 (oui Unknown) > 00:60:dd:44:85:43 (oui Unknown), ethertype IPv4 (0x0800), length 54: edge-star-shv-01-sjc2.facebook.com.https > 172.31.235.114.50452: Flags [.], ack 518, win 67, length 0
14:01:47.485398 00:08:54:23:fa:93 (oui Unknown) > 00:60:dd:44:85:43 (oui Unknown), ethertype IPv4 (0x0800), length 236: edge-star-shv-01-sjc2.facebook.com.https > 172.31.235.114.50452: Flags [P.], seq 1:183, ack 518, win 67, length 182
14:01:47.500703 00:08:54:23:fa:93 (oui Unknown) > 00:60:dd:44:85:43 (oui Unknown), ethertype IPv4 (0x0800), length 54: edge-star-shv-01-sjc2.facebook.com.https > 172.31.235.114.50452: Flags [.], ack 634, win 67, length 0
14:01:47.500891 00:08:54:23:fa:93 (oui Unknown) > 00:60:dd:44:85:43 (oui Unknown), ethertype IPv4 (0x0800), length 111: edge-star-shv-01-sjc2.facebook.com.https > 172.31.235.114.50452: Flags [P.], seq 183:240, ack 634, win 67, length 57
14:01:47.503275 00:08:54:23:fa:93 (oui Unknown) > 00:60:dd:44:85:43 (oui Unknown), ethertype IPv4 (0x0800), length 54: edge-star-shv-01-sjc2.facebook.com.https > 172.31.235.114.50452: Flags [.], ack 691, win 67, length 0
14:01:47.503302 00:08:54:23:fa:93 (oui Unknown) > 00:60:dd:44:85:43 (oui Unknown), ethertype IPv4 (0x0800), length 54: edge-star-shv-01-sjc2.facebook.com.https > 172.31.235.114.50452: Flags [.], ack 736, win 67, length 0
14:01:47.503372 00:08:54:23:fa:93 (oui Unknown) > 00:60:dd:44:85:43 (oui Unknown), ethertype IPv4 (0x0800), length 54: edge-star-shv-01-sjc2.facebook.com.https > 172.31.235.114.50452: Flags [.], ack 1181, win 78, length 0
14:01:47.503585 00:08:54:23:fa:93 (oui Unknown) > 00:60:dd:44:85:43 (oui Unknown), ethertype IPv4 (0x0800), length 99: edge-star-shv-01-sjc2.facebook.com.https > 172.31.235.114.50452: Flags [P.], seq 240:285, ack 1181, win 78, length 45
14:01:47.566820 00:08:54:23:fa:93 (oui Unknown) > 00:60:dd:44:85:43 (oui Unknown), ethertype IPv4 (0x0800), length 1464: edge-star-shv-01-sjc2.facebook.com.https > 172.31.235.114.50452: Flags [.], seq 285:1695, ack 1181, win 78, length 1410
14:01:47.566838 00:08:54:23:fa:93 (oui Unknown) > 00:60:dd:44:85:43 (oui Unknown), ethertype IPv4 (0x0800), length 266: edge-star-shv-01-sjc2.facebook.com.https > 172.31.235.114.50452: Flags [P.], seq 1695:1907, ack 1181, win 78, length 212
14:01:47.566965 00:08:54:23:fa:93 (oui Unknown) > 00:60:dd:44:85:43 (oui Unknown), ethertype IPv4 (0x0800), length 1464: edge-star-shv-01-sjc2.facebook.com.https > 172.31.235.114.50452: Flags [.], seq 1907:3317, ack 1181, win 78, length 1410
14:01:47.567072 00:08:54:23:fa:93 (oui Unknown) > 00:60:dd:44:85:43 (oui Unknown), ethertype IPv4 (0x0800), length 1282: edge-star-shv-01-sjc2.facebook.com.https > 172.31.235.114.50452: Flags [P.], seq 3317:4545, ack 1181, win 78, length 1228
14:01:47.569446 00:08:54:23:fa:93 (oui Unknown) > 00:60:dd:44:85:43 (oui Unknown), ethertype IPv4 (0x0800), length 1464: edge-star-shv-01-sjc2.facebook.com.https > 172.31.235.114.50452: Flags [.], seq 4545:5955, ack 1181, win 78, length 1410
14:01:47.569562 00:08:54:23:fa:93 (oui Unknown) > 00:60:dd:44:85:43 (oui Unknown), ethertype IPv4 (0x0800), length 1464: edge-star-shv-01-sjc2.facebook.com.https > 172.31.235.114.50452: Flags [.], seq 5955:7365, ack 1181, win 78, length 1410
14:01:47.569682 00:08:54:23:fa:93 (oui Unknown) > 00:60:dd:44:85:43 (oui Unknown), ethertype IPv4 (0x0800), length 1464: edge-star-shv-01-sjc2.facebook.com.https > 172.31.235.114.50452: Flags [.], seq 7365:8775, ack 1181, win 78, length 1410

@马特

# Generated by iptables-save v1.4.7 on Tue May 12 14:44:35 2015
*filter
:INPUT ACCEPT [53:6397]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [822:337604]
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT 
-A INPUT -i lo -j ACCEPT 
-A INPUT -p icmp -j ACCEPT 
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT 
-A INPUT -p tcp -m state --state NEW -m tcp --dport 5667 -j ACCEPT 
-A INPUT -p tcp -m state --state NEW -m tcp --dport 5666 -j ACCEPT 
-A INPUT -p udp -m udp --dport 161 -j ACCEPT 
-A INPUT -p udp -m udp --dport 162 -j ACCEPT 
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT 
-A FORWARD -i tun0 -m state --state NEW -j ACCEPT 
-A FORWARD -i eth1.10 -o eth0 -j ACCEPT 
-A FORWARD -i eth1.10 -p tcp -m tcp --dport 443 -m mac --mac-source 00:60:DD:44:85:43 -j DROP 
COMMIT
# Completed on Tue May 12 14:44:35 2015
# Generated by iptables-save v1.4.7 on Tue May 12 14:44:35 2015
*nat
:PREROUTING ACCEPT [325:31771]
:POSTROUTING ACCEPT [16:1474]
:OUTPUT ACCEPT [308:20843]
-A PREROUTING -i eth1.10 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128 
-A POSTROUTING -o eth0 -j MASQUERADE 
COMMIT
# Completed on Tue May 12 14:44:35 2015

接口详细信息

eth0 - 192.168.2.22 (/24) (public/outside/NAT) 
eth1.10 - 172.31.235.19 (/24) (private/inside/vlan10)

答案1

问题在于 MAC 过滤规则是在接受后才进行处理的。因此永远不会到达。

您需要做的是改变这两行的顺序:

  -A FORWARD -i eth1.10 -o eth0 -j ACCEPT 
  -A FORWARD -i eth1.10 -p tcp -m tcp --dport 443 -m mac --mac-source 00:60:DD:44:85:43 -j DROP

因此它们变成:

-A FORWARD -i eth1.10 -p tcp -m tcp --dport 443 -m mac --mac-source 00:60:DD:44:85:43 -j DROP
-A FORWARD -i eth1.10 -o eth0 -j ACCEPT

如果你使用 iptables-save 格式,你只需要编辑 iptables-save 的输出并运行 iptables-restore 并传入该文件。即

sudo iptables-save > rules

... edit 'rules'

sudo iptables-restore < rules

或者,只需编辑您用来创建规则的脚本/生成器。

注意:由于您正在过滤内部地址,我会使用 REJECT 而不是 DROP,否则用户可能不会意识到他们已被阻止,并想知道为什么他们的浏览器会在那里停留很长时间。

答案2

我相信您实际上需要将 MAC 过滤器放入 PREROUTING 链中,因为 iptables 在内部重写了某些字段。

当网桥和 netfilter 代码在内核中编译时,进行路由的链式遍历

这里解释的副作用发生在内核中启用 netfilter 代码、路由 IP 数据包并且该数据包的出站设备是逻辑桥接设备时。在 iptables FORWARD 链中过滤 MAC 源时会遇到副作用。从前面的部分应该可以清楚看出,iptables FORWARD 链的遍历被推迟到数据包进入桥接代码时。这样做是为了让我们能够在桥接端口出站设备上进行过滤。这对 MAC 源地址有副作用,因为 IP 代码会将 MAC 源地址更改为桥接设备的 MAC 地址。

相关内容