ป้องกัน Ultrasurf tips จาก yim แห่งthaibsd
สำหรับ freebsd ใช้ route add -net 65.49.2.0/24 10.00.2
สำหรับ linux ใช้ route add -net 65.49.2.0/24 gw 127.0.0.1
ของท่าน chet แห่ง linuxthai
ไฟล์วอลผมครับ
#!/bin/sh
#
# Firewall script for ChilliSpot
# A Wireless LAN Access Point Controller
#
# Uses $EXTIF (eth0) as the external interface (Internet or intranet) and
# $INTIF (eth1) as the internal interface (access points).
#
#
# SUMMARY
# * All connections originating from chilli are allowed.
# * Only ssh is allowed in on external interface.
# * Nothing is allowed in on internal interface.
# * Forwarding is allowed to and from the external interface, but disallowed
# to and from the internal interface.
# * NAT is enabled on the external interface.
IPTABLES="/sbin/iptables"
EXTIF="eth0"
INTIF="eth1"
#Flush all rules
$IPTABLES -F
$IPTABLES -F -t nat
$IPTABLES -F -t mangle
#Set default behaviour
$IPTABLES -P INPUT ACCEPT
$IPTABLES -P FORWARD ACCEPT
$IPTABLES -P OUTPUT ACCEPT
#Block Ultrasurf
iptables -A FORWARD -p tcp --dport 9666 -j DROP
iptables -A FORWARD -p udp --dport 9666 -j DROP
$IPTABLES -A INPUT -s 67.15.183.30 -j DROP
$IPTABLES -A FORWARD -s 67.15.183.30 -j DROP
$IPTABLES -A OUTPUT -s 67.15.183.30 -j DROP
$IPTABLES -A INPUT -p tcp -m tcp --dport 9666 -j DROP
$IPTABLES -A FORWARD -p tcp -m tcp --dport 9666 -j DROP
$IPTABLES -A OUTPUT -p tcp -m tcp --dport 9666 -j DROP
#iptables -A FORWARD -p tcp --dport 443 -j DROP_CUSTOM
#iptables -A FORWARD -p udp --dport 443 -j DROP_CUSTOM
IPALLOW=`cat /root/special.txt | awk '{print $1}'`
iptables -N DROP_CUSTOM
for ipall in $IPALLOW
do
iptables -A DROP_CUSTOM -s $ipall -j ACCEPT
iptables -A DROP_CUSTOM -d $ipall -j ACCEPT
done
iptables -A DROP_CUSTOM -j DROP
# เจอคำพวกนี้ผ่านตา อย่าให้เล็ดลอด
iptables -A FORWARD -m string --string "info_hash" --algo bm --to 65535 -j DROP
iptables -A FORWARD -m string --string ".torrent" --algo bm --to 65535 -j DROP
iptables -A FORWARD -m string --string "get_peers" --algo bm --to 65535 -j DROP
iptables -A FORWARD -m string --string "announce_peers" --algo bm --to 65535 -j DROP
#Allow related and established on all interfaces (input)
$IPTABLES -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
#Allow releated, established and ssh on $EXTIF. Reject everything else.
$IPTABLES -A INPUT -i $EXTIF -p tcp -m tcp --dport 22 --syn -j ACCEPT
$IPTABLES -A INPUT -i $EXTIF -j REJECT
#Allow related and established from $INTIF. Drop everything else.
$IPTABLES -A INPUT -i $INTIF -j DROP
#Allow http and https on other interfaces (input).
#This is only needed if authentication server is on same server as chilli
$IPTABLES -A INPUT -p tcp -m tcp --dport 80 --syn -j ACCEPT
$IPTABLES -A INPUT -p tcp -m tcp --dport 443 --syn -j ACCEPT
$IPTABLES -A INPUT -p tcp -m tcp --dport 22 --syn -j ACCEPT
#Allow 3990 on other interfaces (input).
$IPTABLES -A INPUT -p tcp -m tcp --dport 3990 --syn -j ACCEPT
#Allow ICMP echo on other interfaces (input).
$IPTABLES -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
#Allow everything on loopback interface.
$IPTABLES -A INPUT -i lo -j ACCEPT
# Drop everything to and from $INTIF (forward)
# This means that access points can only be managed from ChilliSpot
$IPTABLES -A FORWARD -i $INTIF -j DROP
$IPTABLES -A FORWARD -o $INTIF -j DROP
##### chalee edit
#Allow releated, established and ssh on $EXTIF. Reject everything else.
$IPTABLES -A INPUT -i $EXTIF -p tcp -m tcp --dport 22 --syn -j ACCEPT
$IPTABLES -A INPUT -i $EXTIF -p tcp -m tcp --dport 80 --syn -j ACCEPT
$IPTABLES -A INPUT -i $EXTIF -p tcp -m tcp --dport 10000 --syn -j ACCEPT
#Allow 3990 on other interfaces (input).
$IPTABLES -A INPUT -p tcp -m tcp --dport 3990 --syn -j ACCEPT
$IPTABLES -A INPUT -p tcp -m tcp --dport 3128 --syn -j ACCEPT
$IPTABLES -A INPUT -p tcp -m tcp --dport 3306 --syn -j ACCEPT
$IPTABLES -A INPUT -p tcp -m tcp --dport 22 --syn -j ACCEPT
$IPTABLES -A INPUT -p tcp -m tcp --dport 10000 --syn -j ACCEPT
#Enable NAT on output device
$IPTABLES -t nat -A POSTROUTING -o $EXTIF -j MASQUERADE
##Allow transparent proxy ##
$IPTABLES -A INPUT -p tcp -m tcp --dport 8080 --syn -j ACCEPT
$IPTABLES -t nat -A PREROUTING -i tun0 -p tcp -m tcp --dport 8080 --syn -j DROP
$IPTABLES -t nat -A PREROUTING -i tun0 -p tcp -m tcp -d 192.168.0.0/16 --dport 80 -j RETURN
$IPTABLES -t nat -A PREROUTING -i tun0 -p tcp -m tcp -d 172.16.0.0/12 --dport 80 -j RETURN
$IPTABLES -t nat -A PREROUTING -i tun0 -p tcp -m tcp -d 10.0.0.0/8 --dport 80 -j RETURN
$IPTABLES -t nat -A PREROUTING -i tun0 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8080
# Drop package wrom Virus Input, Output
$IPTABLES -A INPUT -p tcp --dport 135 -j DROP
$IPTABLES -A INPUT -p udp --dport 135 -j DROP
$IPTABLES -A INPUT -p tcp --dport 445 -j DROP
$IPTABLES -A INPUT -p udp --dport 445 -j DROP
$IPTABLES -A INPUT -p tcp --dport 4444 -j DROP
$IPTABLES -A INPUT -p udp --dport 4444 -j DROP
$IPTABLES -A INPUT -p tcp --dport 5554 -j DROP
$IPTABLES -A INPUT -p udp --dport 5554 -j DROP
$IPTABLES -A INPUT -p tcp --dport 9996 -j DROP
$IPTABLES -A INPUT -p udp --dport 9996 -j DROP
$IPTABLES -A INPUT -p tcp --dport 137 -j DROP
$IPTABLES -A INPUT -p udp --dport 137 -j DROP
$IPTABLES -A INPUT -p tcp --dport 138 -j DROP
$IPTABLES -A INPUT -p udp --dport 138 -j DROP
$IPTABLES -A INPUT -p tcp --dport 139 -j DROP
$IPTABLES -A INPUT -p udp --dport 139 -j DROP
$IPTABLES -A OUTPUT -p tcp --dport 135 -j DROP
$IPTABLES -A OUTPUT -p udp --dport 135 -j DROP
$IPTABLES -A OUTPUT -p tcp --dport 445 -j DROP
$IPTABLES -A OUTPUT -p udp --dport 445 -j DROP
$IPTABLES -A OUTPUT -p tcp --dport 4444 -j DROP
$IPTABLES -A OUTPUT -p udp --dport 4444 -j DROP
$IPTABLES -A OUTPUT -p tcp --dport 5554 -j DROP
$IPTABLES -A OUTPUT -p udp --dport 5554 -j DROP
$IPTABLES -A OUTPUT -p tcp --dport 9996 -j DROP
$IPTABLES -A OUTPUT -p udp --dport 9996 -j DROP
$IPTABLES -A OUTPUT -p tcp --dport 137 -j DROP
$IPTABLES -A OUTPUT -p udp --dport 137 -j DROP
$IPTABLES -A OUTPUT -p tcp --dport 138 -j DROP
$IPTABLES -A OUTPUT -p udp --dport 138 -j DROP
$IPTABLES -A OUTPUT -p tcp --dport 139 -j DROP
ส่วนไอพีที่ผมใส่ไปมีแค่นี้ครับ
217.12.8.76
64.4.20.169
97.74.144.165