Dear all, my dhcpd serves 110 machines and has 100 machine addresses (MAC addresses) registered, but I want a control so that if a user changes their IP they cannot browse. For that I copied "file1" below and registered the list in "maclist", but it did not work.
Have you used this before? Any tips?

File1:

#!/bin/bash
# http://www.zago.eti.br/firewall/iptables-mac.txt
# 5.1 - The Complete Script
# Firewall script for blocking by MAC address
# Created by Carlos Eduardo Langoni
# 23/01/2003
# Source 'em up
. /etc/init.d/functions
# IPT=/usr/local/sbin/iptables
IPT=/sbin/iptables
# PROGRAMA=/bin/firewall
PROGRAMA=/etc/firewall.ric
NET_IFACE=eth1
LAN_IFACE=eth0
MACLIST=/etc/maclist
echo 1 > /proc/sys/net/ipv4/ip_forward
iptables -F   # flush all old rules
case $1 in
start)
    $IPT -F
    $IPT -t nat -F
    $IPT -t filter -P FORWARD DROP
    # skip comment lines (the header of the maclist) so they are not fed to iptables
    for i in `grep -v '^#' $MACLIST`; do
        STATUS=`echo $i | cut -d ';' -f 1`
        # no space after '=': with one, the shell sets IPSOURCE empty and tries to run the IP as a command
        IPSOURCE=`echo $i | cut -d ';' -f 3`
        MACSOURCE=`echo $i | cut -d ';' -f 2`
        # If status = a then allow the connection
        if [ "$STATUS" = "a" ]; then
            insmod ip_nat_ftp
            iptables -t mangle -A OUTPUT -o ppp0 -p tcp --dport 1024:65000 -j TOS --set-tos 00
            iptables -t mangle -A OUTPUT -o ppp0 -p tcp --dport 25 -j TOS --set-tos 16
            iptables -t mangle -A OUTPUT -o ppp0 -p tcp --dport 110 -j TOS --set-tos 16
            iptables -t mangle -A OUTPUT -o ppp0 -p tcp --dport 443 -j TOS --set-tos 16
            iptables -t mangle -A OUTPUT -o ppp0 -p tcp --dport 80 -j TOS --set-tos 16
            iptables -t mangle -A OUTPUT -o ppp0 -p tcp --dport 22 -j TOS --set-tos 16
            # prioritise the ports
            iptables -t filter -A FORWARD -d 0/0 -s $IPSOURCE -m mac --mac-source $MACSOURCE -j ACCEPT
            iptables -t filter -A FORWARD -d $IPSOURCE -s 0/0 -j ACCEPT
            iptables -t nat -A POSTROUTING -s $IPSOURCE -o eth1 -j MASQUERADE
            iptables -t filter -A INPUT -s $IPSOURCE -d 0/0 -m mac --mac-source $MACSOURCE -j ACCEPT
            iptables -t filter -A OUTPUT -s $IPSOURCE -d 0/0 -j ACCEPT
        # If it is not a then block
        else
            iptables -t filter -A FORWARD -m mac --mac-source $MACSOURCE -j DROP
            iptables -t filter -A INPUT -m mac --mac-source $MACSOURCE -j DROP
            # the mac match is only valid in PREROUTING, INPUT and FORWARD, so this line cannot load:
            # iptables -t filter -A OUTPUT -m mac --mac-source $MACSOURCE -j DROP
        fi
    done
    iptables -t nat -A POSTROUTING -s 172.1.1.0/255.255.255.0 -j MASQUERADE
    iptables -t filter -A FORWARD -s 172.1.1.0/255.255.255.0 -d 0/0 -j ACCEPT
    iptables -t filter -A FORWARD -d 172.1.1.0/255.255.255.0 -s 0/0 -j ACCEPT
    iptables -t filter -A INPUT -s 172.1.1.0/255.255.255.0 -d 0/0 -j ACCEPT
    iptables -t filter -A OUTPUT -s 172.1.1.0/255.255.255.0 -d 0/0 -j ACCEPT
    # iptables -t nat -A PREROUTING -p tcp -s 0/0 -i eth0 --dport 80 -j DNAT --to 200.165.48.122:3128
    iptables -t nat -A PREROUTING -p tcp -s 0/0 -i eth1 --dport 80 -j DNAT --to 200.168.12x.1xx:3128
    echo "FIREWALL ATIVADO SISTEMA PREPARADO"
    ;;
stop)
    iptables -F
    iptables -Z
    iptables -t nat -F
    iptables -t filter -P FORWARD ACCEPT
    echo "FIREWALL DESCARREGADO SISTEMA LIBERADO"
    ;;
restart)
    $PROGRAMA stop
    $PROGRAMA start
    ;;
esac

Maclist:

#a=active; mac address ; i ; client
a;00:E0:7D:C4:E8:E3;10.168.0.8;7122
a;00:E0:7D:DC:28:45;10.168.0.81;8051
a;00:08:54:05:8B:17;10.168.0.7;9032

---------------------------------------------------------------------------
This list is sponsored by Conectiva S.A. Visit http://www.conectiva.com.br
Archive: http://bazar2.conectiva.com.br/mailman/listinfo/linux-br
List usage rules: http://linux-br.conectiva.com.br
FAQ: http://www.zago.eti.br/menu.html
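To show the IP-to-MAC binding the poster is after in a form that can be reviewed before it touches a live firewall, here is an added example (not part of the original post nor of the zago.eti.br script). It reads a maclist in the poster's field order (status;mac;ip;client), skips comment and blank lines, validates each MAC and IP, and prints the FORWARD rules that tie an IP to a MAC instead of executing them. The sample file contents, the inactive and malformed entries in it, and the function names valid_entry and gen_rules are constructed for this example.

```bash
#!/bin/bash
# Added example: dry-run generator for per-host IP/MAC rules.
# The maclist below is a constructed sample in the poster's format, not /etc/maclist.

MACLIST_SAMPLE=$(mktemp)
trap 'rm -f "$MACLIST_SAMPLE"' EXIT
cat > "$MACLIST_SAMPLE" <<'EOF'
#a=active; mac address ; ip ; client
a;00:E0:7D:C4:E8:E3;10.168.0.8;7122
i;00:E0:7D:DC:28:45;10.168.0.81;8051
a;00:08:54:05:8B:17;10.168.0.7;9032
a;zz:zz:zz:zz:zz:zz;10.168.0.9;bad
EOF

# valid_entry MAC IP: return 0 when both fields are well-formed, 1 otherwise.
# Checked before anything is handed to iptables, so a typo in the list cannot
# silently produce an empty -s or --mac-source argument.
valid_entry() {
    mac="$1"
    ip="$2"
    printf '%s' "$mac" | grep -Eq '^([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$' || return 1
    printf '%s' "$ip"  | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    return 0
}

# gen_rules FILE: print one iptables command per line for the given maclist.
# Policy is default-deny. An active ('a') entry is accepted only when the
# source IP and the source MAC match together, so a host that changes its IP
# no longer matches its own ACCEPT rule. Any other status is dropped by MAC.
# Malformed entries are reported on stderr and skipped.
gen_rules() {
    file="$1"
    echo "iptables -P FORWARD DROP"
    while IFS=';' read -r status mac ip client; do
        case "$status" in ''|\#*) continue ;; esac
        if ! valid_entry "$mac" "$ip"; then
            echo "# skipped malformed entry: $status;$mac;$ip;$client" >&2
            continue
        fi
        if [ "$status" = "a" ]; then
            echo "iptables -A FORWARD -s $ip -m mac --mac-source $mac -j ACCEPT"
            echo "iptables -A FORWARD -d $ip -j ACCEPT"
        else
            echo "iptables -A FORWARD -m mac --mac-source $mac -j DROP"
        fi
    done < "$file"
}

# Print the rule set for review; pipe into sh only once it has been checked.
gen_rules "$MACLIST_SAMPLE"
```

Two points the output makes visible: the rule set contains no subnet-wide ACCEPT after the per-host rules, because a later "-s <LAN subnet> -j ACCEPT" in FORWARD would let any host with an address in that range through regardless of MAC (in the posted script, that is what the trailing 172.1.1.0/255.255.255.0 lines do if the clients sit in that range); and the mac match only sees frames arriving directly on the router's own segment, so it is a control for hosts on the local LAN and not for traffic routed in from elsewhere.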
