Ubuntu Linux Forum - PT
Technical Support => Internet, Networks and Security => Topic started by: Paulo Bergo on 10 February 2011, 15:08
-
Hi everyone...
I'm trying to block some addresses on our network (usually users who are misusing their access)... but the rule doesn't work...
Example:
My notebook, running Ubuntu 9.4 64-bit, has IP 11.1.199.235, MAC 00:a1:e2:c3:0a:14
One of the (test) servers, Ubuntu 10.04, has IP 11.1.2.176.
On this server I enter the following rule:
iptables -A INPUT -s 11.1.199.235 -j DROP
or
iptables -A INPUT -m mac --mac-source 00:a1:e2:c3:0a:14 -j DROP
But the notebook keeps accessing the server's resources as if nothing had happened...
What am I missing?
Thanks for any tips!
Cheers
-
What am I missing?
You need to see the rest of the firewall, in case some other rule is allowing the access before it.
Can you post the output of the command below?
sudo iptables -L -v -n
-
Right away!
Chain INPUT (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
44389 41M ACCEPT tcp -- * * 191.167.252.1 0.0.0.0/0 tcp flags:!0x17/0x02
1928 423K ACCEPT udp -- * * 191.167.252.1 0.0.0.0/0
4384 282K ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
57105 5513K ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 10/sec burst 5
104K 29M DROP all -- eth0 * 0.0.0.0/0 255.255.255.255
549K 57M DROP all -- * * 0.0.0.0/0 10.0.255.255
0 0 DROP all -- * * 224.0.0.0/8 0.0.0.0/0
2733 1243K DROP all -- * * 0.0.0.0/0 224.0.0.0/8
0 0 DROP all -- * * 255.255.255.255 0.0.0.0/0
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0
8 320 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 state INVALID
0 0 LSI all -f * * 0.0.0.0/0 0.0.0.0/0 limit: avg 10/min burst 5
233K 155M INBOUND all -- eth0 * 0.0.0.0/0 0.0.0.0/0
0 0 LOG_FILTER all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 LOG flags 0 level 6 prefix `Unknown Input'
0 0 DROP all -- * * 11.1.199.235 0.0.0.0/0
0 0 DROP all -- * * 11.1.199.235 0.0.0.0/0
Chain FORWARD (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 10/sec burst 5
0 0 LOG_FILTER all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 LOG flags 0 level 6 prefix `Unknown Forward'
Chain OUTPUT (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
12 578 ACCEPT tcp -- * * 11.1.2.176 191.167.252.1 tcp dpt:53
1969 126K ACCEPT udp -- * * 11.1.2.176 191.167.252.1 udp dpt:53
4384 282K ACCEPT all -- * lo 0.0.0.0/0 0.0.0.0/0
0 0 DROP all -- * * 224.0.0.0/8 0.0.0.0/0
18 1970 DROP all -- * * 0.0.0.0/0 224.0.0.0/8
0 0 DROP all -- * * 255.255.255.255 0.0.0.0/0
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0
262 10480 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 state INVALID
323K 28M OUTBOUND all -- * eth0 0.0.0.0/0 0.0.0.0/0
0 0 LOG_FILTER all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 LOG flags 0 level 6 prefix `Unknown Output'
Chain INBOUND (1 references)
pkts bytes target prot opt in out source destination
218K 154M ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
884 73766 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
0 0 ACCEPT all -- * * 11.1.2.176 0.0.0.0/0
128 25344 ACCEPT all -- * * 172.20.0.51 0.0.0.0/0
0 0 ACCEPT all -- * * 11.1.199.121 0.0.0.0/0
420 20468 ACCEPT all -- * * 11.1.199.133 0.0.0.0/0
0 0 ACCEPT all -- * * 11.1.199.133 0.0.0.0/0
0 0 ACCEPT all -- * * 11.1.199.133 0.0.0.0/0
0 0 ACCEPT all -- * * 11.1.199.133 0.0.0.0/0
0 0 ACCEPT tcp -- * * 11.1.2.176 0.0.0.0/0 tcp dpt:5900
0 0 ACCEPT udp -- * * 11.1.2.176 0.0.0.0/0 udp dpt:5900
1 48 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:3010
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:3010
165 8796 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:80
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:80
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:80
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:80
0 0 ACCEPT tcp -- * * 11.1.199.133 0.0.0.0/0 tcp dpt:3306
0 0 ACCEPT udp -- * * 11.1.199.133 0.0.0.0/0 udp dpt:3306
13670 1211K LSI all -- * * 0.0.0.0/0 0.0.0.0/0
Chain LOG_FILTER (5 references)
pkts bytes target prot opt in out source destination
Chain LSI (2 references)
pkts bytes target prot opt in out source destination
13670 1211K LOG_FILTER all -- * * 0.0.0.0/0 0.0.0.0/0
8 392 LOG tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x17/0x02 limit: avg 1/sec burst 5 LOG flags 0 level 6 prefix `Inbound '
8 392 DROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x17/0x02
0 0 LOG tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x17/0x04 limit: avg 1/sec burst 5 LOG flags 0 level 6 prefix `Inbound '
0 0 DROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x17/0x04
9 540 LOG icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmp type 8 limit: avg 1/sec burst 5 LOG flags 0 level 6 prefix `Inbound '
9 540 DROP icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmp type 8
13282 1177K LOG all -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 5/sec burst 5 LOG flags 0 level 6 prefix `Inbound '
13653 1210K DROP all -- * * 0.0.0.0/0 0.0.0.0/0
Chain LSO (0 references)
pkts bytes target prot opt in out source destination
0 0 LOG_FILTER all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 5/sec burst 5 LOG flags 0 level 6 prefix `Outbound '
0 0 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachable
Chain OUTBOUND (1 references)
pkts bytes target prot opt in out source destination
79257 5098K ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0
236K 22M ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
282 19778 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
7701 635K ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0
Thanks for your attention!!!
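Added example (mine, not code from the thread): a first-match model of the INPUT chain shown above, reduced to the rules that decide the notebook's traffic. It shows why a rule appended with -A lands behind the INBOUND jump and never sees a packet, which matches the 0-packet counters on the two DROP lines in the output, while the same rule inserted at position 1 (-I INPUT 1) takes effect. The chain contents and the test packet are simplified assumptions.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

@dataclass
class Rule:
    target: str                  # ACCEPT, DROP, or a user-defined chain name
    src: Optional[str] = None    # -s match (None = any source)
    state: Optional[str] = None  # --state match (None = any state)
    dport: Optional[int] = None  # --dport match (None = any port)

    def matches(self, pkt: dict) -> bool:
        return ((self.src is None or pkt["src"] == self.src)
                and (self.state is None or pkt["state"] == self.state)
                and (self.dport is None or pkt["dport"] == self.dport))

def evaluate(chains: Dict[str, List[Rule]], chain: str, pkt: dict,
             policy: Optional[str] = "DROP") -> Optional[str]:
    """Netfilter-style walk: the first matching terminal target wins; a user
    chain that runs out of rules returns to its caller (policy=None)."""
    for rule in chains[chain]:
        if not rule.matches(pkt):
            continue
        if rule.target in ("ACCEPT", "DROP"):
            return rule.target
        verdict = evaluate(chains, rule.target, pkt, policy=None)
        if verdict is not None:
            return verdict
    return policy

def server_chains(block_position: str) -> Dict[str, List[Rule]]:
    """Simplified model of the posted ruleset (an assumption, not the full
    output): only the rules that decide traffic from the notebook."""
    block = Rule("DROP", src="11.1.199.235")
    chains = {
        "INPUT": [Rule("INBOUND")],
        "INBOUND": [Rule("ACCEPT", state="ESTABLISHED"),  # RELATED,ESTABLISHED
                    Rule("ACCEPT", dport=80),             # tcp dpt:80
                    Rule("LSI")],
        "LSI": [Rule("DROP")],                            # logs, then drops the rest
    }
    if block_position == "append":
        chains["INPUT"].append(block)     # -A: behind INBOUND, never reached (0 pkts)
    else:
        chains["INPUT"].insert(0, block)  # -I INPUT 1: evaluated before INBOUND
    return chains

def verdict_for_notebook(block_position: str, state: str = "NEW") -> str:
    # Constructed packet: the notebook opening or continuing an HTTP connection.
    pkt = {"src": "11.1.199.235", "state": state, "dport": 80}
    return evaluate(server_chains(block_position), "INPUT", pkt)
```

The counters in the real output are the check: the two DROP rules for 11.1.199.235 show 0 pkts because INBOUND's ESTABLISHED and port ACCEPTs, and then LSI's final DROP, return a verdict before INPUT ever reaches them.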
-
Hmmmm. You're using ufw... in that case it would be best to do the blocking through ufw itself, too.