I want to block web access (http and https) for certain MAC addresses. I was able to do this for http using squid, but it still lets https sites through.
acl denylist arp "/etc/squid/mac-deny-list.lst"
http_access deny denylist
How do I do the same for https/443?
I tried using iptables
iptables -I INPUT -p tcp --dport 443 -m mac --mac-source XX:XX:XX:XX:XX:XX -j DROP
and
iptables -I FORWARD -p tcp --dport 443 -m mac --mac-source XX:XX:XX:XX:XX:XX -j DROP
I also tried using REJECT instead of DROP. Neither works.
The rest of my iptables rules are:
*nat
:PREROUTING ACCEPT [467:49957]
:POSTROUTING ACCEPT [4:784]
:OUTPUT ACCEPT [6:960]
-A PREROUTING -i eth1.10 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
*filter
:INPUT ACCEPT [122012:18388989]
:FORWARD ACCEPT [10802:1834986]
:OUTPUT ACCEPT [1807836:1494699352]
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 5667 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 5666 -j ACCEPT
-A INPUT -p udp -m udp --dport 161 -j ACCEPT
-A INPUT -p udp -m udp --dport 162 -j ACCEPT
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i tun0 -m state --state NEW -j ACCEPT
-A FORWARD -i eth1.10 -o eth0 -j ACCEPT
COMMIT
Update
Chain INPUT (policy ACCEPT 1 packets, 334 bytes)
pkts bytes target prot opt in out source destination
0 0 DROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:443 MAC XX:XX:XX:XX:XX:XX
41 2624 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:22
386 42629 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
60371 5794K ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0
6558K 2220M ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:5667
60264 3616K ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:5666
3 211 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:161
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:162
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 DROP tcp -- eth1.10 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:443 MAC XX:XX:XX:XX:XX:XX
61M 46G ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
48857 3337K ACCEPT all -- tun0 * 0.0.0.0/0 0.0.0.0/0 state NEW
159K 17M ACCEPT all -- eth1.10 eth0 0.0.0.0/0 0.0.0.0/0
Chain OUTPUT (policy ACCEPT 49 packets, 6584 bytes)
pkts bytes target prot opt in out source destination
TCPDUMP (truncated)
tcpdump -e -i eth1.10 '!(host 10.15.248.122)' and 'ether host 00:60:dd:44:85:43'
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth1.10, link-type EN10MB (Ethernet), capture size 65535 bytes
14:01:47.452656 00:08:54:23:fa:93 (oui Unknown) > 00:60:dd:44:85:43 (oui Unknown), ethertype IPv4 (0x0800), length 116: resolver1.opendns.com.domain > 172.31.235.114.63561: 6769 2/0/0 CNAME star.c10r.facebook.com., A 31.13.77.6 (74)
14:01:47.470098 00:08:54:23:fa:93 (oui Unknown) > 00:60:dd:44:85:43 (oui Unknown), ethertype IPv4 (0x0800), length 66: edge-star-shv-01-sjc2.facebook.com.https > 172.31.235.114.50452: Flags [S.], seq 2645004585, ack 3584915781, win 14100, options [mss 1410,nop,nop,sackOK,nop,wscale 8], length 0
14:01:47.485180 00:08:54:23:fa:93 (oui Unknown) > 00:60:dd:44:85:43 (oui Unknown), ethertype IPv4 (0x0800), length 54: edge-star-shv-01-sjc2.facebook.com.https > 172.31.235.114.50452: Flags [.], ack 518, win 67, length 0
14:01:47.485398 00:08:54:23:fa:93 (oui Unknown) > 00:60:dd:44:85:43 (oui Unknown), ethertype IPv4 (0x0800), length 236: edge-star-shv-01-sjc2.facebook.com.https > 172.31.235.114.50452: Flags [P.], seq 1:183, ack 518, win 67, length 182
14:01:47.500703 00:08:54:23:fa:93 (oui Unknown) > 00:60:dd:44:85:43 (oui Unknown), ethertype IPv4 (0x0800), length 54: edge-star-shv-01-sjc2.facebook.com.https > 172.31.235.114.50452: Flags [.], ack 634, win 67, length 0
14:01:47.500891 00:08:54:23:fa:93 (oui Unknown) > 00:60:dd:44:85:43 (oui Unknown), ethertype IPv4 (0x0800), length 111: edge-star-shv-01-sjc2.facebook.com.https > 172.31.235.114.50452: Flags [P.], seq 183:240, ack 634, win 67, length 57
14:01:47.503275 00:08:54:23:fa:93 (oui Unknown) > 00:60:dd:44:85:43 (oui Unknown), ethertype IPv4 (0x0800), length 54: edge-star-shv-01-sjc2.facebook.com.https > 172.31.235.114.50452: Flags [.], ack 691, win 67, length 0
14:01:47.503302 00:08:54:23:fa:93 (oui Unknown) > 00:60:dd:44:85:43 (oui Unknown), ethertype IPv4 (0x0800), length 54: edge-star-shv-01-sjc2.facebook.com.https > 172.31.235.114.50452: Flags [.], ack 736, win 67, length 0
14:01:47.503372 00:08:54:23:fa:93 (oui Unknown) > 00:60:dd:44:85:43 (oui Unknown), ethertype IPv4 (0x0800), length 54: edge-star-shv-01-sjc2.facebook.com.https > 172.31.235.114.50452: Flags [.], ack 1181, win 78, length 0
14:01:47.503585 00:08:54:23:fa:93 (oui Unknown) > 00:60:dd:44:85:43 (oui Unknown), ethertype IPv4 (0x0800), length 99: edge-star-shv-01-sjc2.facebook.com.https > 172.31.235.114.50452: Flags [P.], seq 240:285, ack 1181, win 78, length 45
14:01:47.566820 00:08:54:23:fa:93 (oui Unknown) > 00:60:dd:44:85:43 (oui Unknown), ethertype IPv4 (0x0800), length 1464: edge-star-shv-01-sjc2.facebook.com.https > 172.31.235.114.50452: Flags [.], seq 285:1695, ack 1181, win 78, length 1410
14:01:47.566838 00:08:54:23:fa:93 (oui Unknown) > 00:60:dd:44:85:43 (oui Unknown), ethertype IPv4 (0x0800), length 266: edge-star-shv-01-sjc2.facebook.com.https > 172.31.235.114.50452: Flags [P.], seq 1695:1907, ack 1181, win 78, length 212
14:01:47.566965 00:08:54:23:fa:93 (oui Unknown) > 00:60:dd:44:85:43 (oui Unknown), ethertype IPv4 (0x0800), length 1464: edge-star-shv-01-sjc2.facebook.com.https > 172.31.235.114.50452: Flags [.], seq 1907:3317, ack 1181, win 78, length 1410
14:01:47.567072 00:08:54:23:fa:93 (oui Unknown) > 00:60:dd:44:85:43 (oui Unknown), ethertype IPv4 (0x0800), length 1282: edge-star-shv-01-sjc2.facebook.com.https > 172.31.235.114.50452: Flags [P.], seq 3317:4545, ack 1181, win 78, length 1228
14:01:47.569446 00:08:54:23:fa:93 (oui Unknown) > 00:60:dd:44:85:43 (oui Unknown), ethertype IPv4 (0x0800), length 1464: edge-star-shv-01-sjc2.facebook.com.https > 172.31.235.114.50452: Flags [.], seq 4545:5955, ack 1181, win 78, length 1410
14:01:47.569562 00:08:54:23:fa:93 (oui Unknown) > 00:60:dd:44:85:43 (oui Unknown), ethertype IPv4 (0x0800), length 1464: edge-star-shv-01-sjc2.facebook.com.https > 172.31.235.114.50452: Flags [.], seq 5955:7365, ack 1181, win 78, length 1410
14:01:47.569682 00:08:54:23:fa:93 (oui Unknown) > 00:60:dd:44:85:43 (oui Unknown), ethertype IPv4 (0x0800), length 1464: edge-star-shv-01-sjc2.facebook.com.https > 172.31.235.114.50452: Flags [.], seq 7365:8775, ack 1181, win 78, length 1410
@Matt
# Generated by iptables-save v1.4.7 on Tue May 12 14:44:35 2015
*filter
:INPUT ACCEPT [53:6397]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [822:337604]
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 5667 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 5666 -j ACCEPT
-A INPUT -p udp -m udp --dport 161 -j ACCEPT
-A INPUT -p udp -m udp --dport 162 -j ACCEPT
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i tun0 -m state --state NEW -j ACCEPT
-A FORWARD -i eth1.10 -o eth0 -j ACCEPT
-A FORWARD -i eth1.10 -p tcp -m tcp --dport 443 -m mac --mac-source 00:60:DD:44:85:43 -j DROP
COMMIT
# Completed on Tue May 12 14:44:35 2015
# Generated by iptables-save v1.4.7 on Tue May 12 14:44:35 2015
*nat
:PREROUTING ACCEPT [325:31771]
:POSTROUTING ACCEPT [16:1474]
:OUTPUT ACCEPT [308:20843]
-A PREROUTING -i eth1.10 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
# Completed on Tue May 12 14:44:35 2015
Interface details
eth0 - 192.168.2.22 (/24) (public/outside/NAT)
eth1.10 - 172.31.235.19 (/24) (private/inside/vlan10)
Answer 1
The problem is that the MAC filtering rule is only processed after the accept, so it is never reached.
What you need to do is swap the order of these two lines:
-A FORWARD -i eth1.10 -o eth0 -j ACCEPT
-A FORWARD -i eth1.10 -p tcp -m tcp --dport 443 -m mac --mac-source 00:60:DD:44:85:43 -j DROP
so that they become:
-A FORWARD -i eth1.10 -p tcp -m tcp --dport 443 -m mac --mac-source 00:60:DD:44:85:43 -j DROP
-A FORWARD -i eth1.10 -o eth0 -j ACCEPT
If you are using the iptables-save format, you just need to edit the iptables-save output and run iptables-restore with that file, i.e.
sudo iptables-save > rules
... edit 'rules'
sudo iptables-restore < rules
Alternatively, just edit the script/generator you use to create the rules.
Note: since you are filtering internal addresses, I would use REJECT rather than DROP; otherwise users may not realise they have been blocked and wonder why their browser hangs there for so long.
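An added example (not from the question or either answer): a POSIX shell/awk helper that applies Answer 1's fix to an iptables-save dump offline, hoisting the FORWARD chain's per-MAC DROP/REJECT rules ahead of the broad ACCEPT (the same effect as inserting them with iptables -I), plus a check that reports whether the order is right. The sample dump is constructed from the rules in the question; the function names are my own.

```shell
#!/bin/sh
# Added example, not code from the original post. Reorders an iptables-save
# dump so that MAC-based DROP/REJECT rules in the FORWARD chain are evaluated
# before any broad ACCEPT, then checks the result. Runs offline: no root and
# no iptables binary needed; feed the output to iptables-restore yourself.

# Constructed sample: the FORWARD chain from the question with the MAC rule
# appended after the "-i eth1.10 -o eth0 -j ACCEPT" rule (the broken order).
SAMPLE_RULES='*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i tun0 -m state --state NEW -j ACCEPT
-A FORWARD -i eth1.10 -o eth0 -j ACCEPT
-A FORWARD -i eth1.10 -p tcp -m tcp --dport 443 -m mac --mac-source 00:60:DD:44:85:43 -j DROP
COMMIT'

# Read a dump on stdin and print it with every "-m mac ... -j DROP|REJECT"
# rule of the FORWARD chain moved to the front of that chain. Other FORWARD
# rules keep their relative order; all other lines pass through unchanged.
# The FORWARD rules are emitted just before COMMIT, which iptables-restore
# accepts because only the order within a chain matters.
hoist_mac_rules() {
    awk '
        /^-A FORWARD / && /-m mac / && /-j (DROP|REJECT)$/ { mac[++m] = $0; next }
        /^-A FORWARD / { other[++o] = $0; next }
        /^COMMIT$/ {
            for (i = 1; i <= m; i++) print mac[i]
            for (i = 1; i <= o; i++) print other[i]
            m = 0; o = 0
        }
        { print }
    '
}

# Post-check: exit 0 when no MAC DROP/REJECT rule in FORWARD comes after an
# ACCEPT that is not limited by "-m state" (i.e. a rule that would shadow it),
# exit 1 otherwise. Use it before loading the edited file.
forward_order_ok() {
    awk '
        /^-A FORWARD / && /-j ACCEPT$/ && !/-m state/ { seen_accept = 1 }
        /^-A FORWARD / && /-m mac / && /-j (DROP|REJECT)$/ && seen_accept { bad = 1 }
        END { exit bad }
    '
}
```

Pipe your real iptables-save output through hoist_mac_rules, confirm with forward_order_ok, then load it with iptables-restore. Because the MAC rules land ahead of the RELATED,ESTABLISHED rule, HTTPS sessions that host already has open are cut as well, not just new ones.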
Answer 2
I believe you actually need to put the MAC filter in the PREROUTING chain, because iptables internally rewrites certain fields.
From "Chain traversal for routed packets when the bridge and netfilter code are compiled into the kernel":
The side effect explained here occurs when the netfilter code is enabled in the kernel, an IP packet is routed, and the packet's outgoing device is a logical bridge device. The side effect is encountered when filtering on the MAC source in the iptables FORWARD chain. It should be clear from the previous sections that the traversal of the iptables FORWARD chain is postponed until the packet enters the bridge code. This is done so that we can filter on the bridge port outgoing device. This has a side effect on the MAC source address, because the IP code changes the MAC source address to that of the bridge device.