Block all traffic on a specific interface

0

I was trying to block all traffic on a specific interface (an external wireless one), except web browsing, using ufw:

 sudo ufw enable
 sudo ufw deny out on wlx00252245ed96
 sudo ufw allow out on wlx00252245ed96 to any from any port 80 proto tcp 
 sudo ufw allow out on wlx00252245ed96 to any from any port 80 proto udp
 sudo ufw allow out on wlx00252245ed96 to any from any port 443 proto tcp 
 sudo ufw allow out on wlx00252245ed96 to any from any port 443 proto udp

However, I still can't browse! Am I missing something?

Here is the ufw status:

~$ sudo ufw status
Status: active

To                         Action      From
--                         ------      ----
Anywhere                   DENY OUT    Anywhere on wlx00252245ed96
Anywhere                   ALLOW OUT   80/tcp on wlx00252245ed96 
Anywhere                   ALLOW OUT   80/udp on wlx00252245ed96 
Anywhere                   ALLOW OUT   443/tcp on wlx00252245ed96
Anywhere                   ALLOW OUT   443/udp on wlx00252245ed96
Anywhere (v6)              DENY OUT    Anywhere (v6) on wlx00252245ed96
Anywhere (v6)              ALLOW OUT   80/tcp (v6) on wlx00252245ed96
Anywhere (v6)              ALLOW OUT   80/udp (v6) on wlx00252245ed96
Anywhere (v6)              ALLOW OUT   443/tcp (v6) on wlx00252245ed96
Anywhere (v6)              ALLOW OUT   443/udp (v6) on wlx00252245ed96

and here is iptables -L -v:

Chain INPUT (policy DROP 1 packets, 32 bytes)
 pkts bytes target     prot opt in     out     source               destination         
 2329  780K ACCEPT     udp  --  ens33  any     anywhere             anywhere             udp dpt:bootps
    0     0 ACCEPT     tcp  --  ens33  any     anywhere             anywhere             tcp dpt:bootps
  232 14695 ACCEPT     udp  --  ens33  any     anywhere             anywhere             udp dpt:domain
    0     0 ACCEPT     tcp  --  ens33  any     anywhere             anywhere             tcp dpt:domain
13379 3073K ufw-before-logging-input  all  --  any    any     anywhere             anywhere            
13379 3073K ufw-before-input  all  --  any    any     anywhere             anywhere            
  787  782K ufw-after-input  all  --  any    any     anywhere             anywhere            
  761  779K ufw-after-logging-input  all  --  any    any     anywhere             anywhere            
  761  779K ufw-reject-input  all  --  any    any     anywhere             anywhere            
  761  779K ufw-track-input  all  --  any    any     anywhere             anywhere            

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
10621 1128K ACCEPT     all  --  any    ens33   anywhere             10.42.0.0/24         state RELATED,ESTABLISHED
  845 89027 ACCEPT     all  --  ens33  any     10.42.0.0/24         anywhere            
    0     0 ACCEPT     all  --  ens33  ens33   anywhere             anywhere            
    0     0 REJECT     all  --  any    ens33   anywhere             anywhere             reject-with icmp-port-unreachable
    0     0 REJECT     all  --  ens33  any     anywhere             anywhere             reject-with icmp-port-unreachable
    8   528 ufw-before-logging-forward  all  --  any    any     anywhere             anywhere            
    8   528 ufw-before-forward  all  --  any    any     anywhere             anywhere            
    8   528 ufw-after-forward  all  --  any    any     anywhere             anywhere            
    8   528 ufw-after-logging-forward  all  --  any    any     anywhere             anywhere            
    8   528 ufw-reject-forward  all  --  any    any     anywhere             anywhere            
    8   528 ufw-track-forward  all  --  any    any     anywhere             anywhere            

Chain OUTPUT (policy ACCEPT 1 packets, 48 bytes)
 pkts bytes target     prot opt in     out     source               destination         
22932 2072K ufw-before-logging-output  all  --  any    any     anywhere             anywhere            
22932 2072K ufw-before-output  all  --  any    any     anywhere             anywhere            
  920  162K ufw-after-output  all  --  any    any     anywhere             anywhere            
  920  162K ufw-after-logging-output  all  --  any    any     anywhere             anywhere            
  920  162K ufw-reject-output  all  --  any    any     anywhere             anywhere            
  920  162K ufw-track-output  all  --  any    any     anywhere             anywhere            

Chain ufw-after-forward (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain ufw-after-input (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    6   468 ufw-skip-to-policy-input  udp  --  any    any     anywhere             anywhere             udp dpt:netbios-ns
    1   229 ufw-skip-to-policy-input  udp  --  any    any     anywhere             anywhere             udp dpt:netbios-dgm
    0     0 ufw-skip-to-policy-input  tcp  --  any    any     anywhere             anywhere             tcp dpt:netbios-ssn
    0     0 ufw-skip-to-policy-input  tcp  --  any    any     anywhere             anywhere             tcp dpt:microsoft-ds
    0     0 ufw-skip-to-policy-input  udp  --  any    any     anywhere             anywhere             udp dpt:bootps
    0     0 ufw-skip-to-policy-input  udp  --  any    any     anywhere             anywhere             udp dpt:bootpc
    0     0 ufw-skip-to-policy-input  all  --  any    any     anywhere             anywhere             ADDRTYPE match dst-type BROADCAST

Chain ufw-after-logging-forward (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 LOG        all  --  any    any     anywhere             anywhere             limit: avg 3/min burst 10 LOG level warning prefix "[UFW BLOCK] "

Chain ufw-after-logging-input (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    1    32 LOG        all  --  any    any     anywhere             anywhere             limit: avg 3/min burst 10 LOG level warning prefix "[UFW BLOCK] "

Chain ufw-after-logging-output (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain ufw-after-output (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain ufw-before-forward (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 ACCEPT     all  --  any    any     anywhere             anywhere             ctstate RELATED,ESTABLISHED
    0     0 ACCEPT     icmp --  any    any     anywhere             anywhere             icmp destination-unreachable
    0     0 ACCEPT     icmp --  any    any     anywhere             anywhere             icmp source-quench
    0     0 ACCEPT     icmp --  any    any     anywhere             anywhere             icmp time-exceeded
    0     0 ACCEPT     icmp --  any    any     anywhere             anywhere             icmp parameter-problem
    0     0 ACCEPT     icmp --  any    any     anywhere             anywhere             icmp echo-request
    0     0 ufw-user-forward  all  --  any    any     anywhere             anywhere            

Chain ufw-before-input (1 references)
 pkts bytes target     prot opt in     out     source               destination         
   49  3100 ACCEPT     all  --  lo     any     anywhere             anywhere            
    5   803 ACCEPT     all  --  any    any     anywhere             anywhere             ctstate RELATED,ESTABLISHED
    0     0 ufw-logging-deny  all  --  any    any     anywhere             anywhere             ctstate INVALID
    0     0 DROP       all  --  any    any     anywhere             anywhere             ctstate INVALID
    0     0 ACCEPT     icmp --  any    any     anywhere             anywhere             icmp destination-unreachable
    0     0 ACCEPT     icmp --  any    any     anywhere             anywhere             icmp source-quench
    0     0 ACCEPT     icmp --  any    any     anywhere             anywhere             icmp time-exceeded
    0     0 ACCEPT     icmp --  any    any     anywhere             anywhere             icmp parameter-problem
    0     0 ACCEPT     icmp --  any    any     anywhere             anywhere             icmp echo-request
    1   360 ACCEPT     udp  --  any    any     anywhere             anywhere             udp spt:bootps dpt:bootpc
    8   729 ufw-not-local  all  --  any    any     anywhere             anywhere            
    0     0 ACCEPT     udp  --  any    any     anywhere             224.0.0.251          udp dpt:mdns
    0     0 ACCEPT     udp  --  any    any     anywhere             239.255.255.250      udp dpt:1900
    8   729 ufw-user-input  all  --  any    any     anywhere             anywhere            

Chain ufw-before-logging-forward (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain ufw-before-logging-input (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain ufw-before-logging-output (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain ufw-before-output (1 references)
 pkts bytes target     prot opt in     out     source               destination         
   49  3100 ACCEPT     all  --  any    lo      anywhere             anywhere            
   13  2099 ACCEPT     all  --  any    any     anywhere             anywhere             ctstate RELATED,ESTABLISHED
   67  8696 ufw-user-output  all  --  any    any     anywhere             anywhere            

Chain ufw-logging-allow (0 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 LOG        all  --  any    any     anywhere             anywhere             limit: avg 3/min burst 10 LOG level warning prefix "[UFW ALLOW] "

Chain ufw-logging-deny (2 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 RETURN     all  --  any    any     anywhere             anywhere             ctstate INVALID limit: avg 3/min burst 10
    0     0 LOG        all  --  any    any     anywhere             anywhere             limit: avg 3/min burst 10 LOG level warning prefix "[UFW BLOCK] "

Chain ufw-not-local (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 RETURN     all  --  any    any     anywhere             anywhere             ADDRTYPE match dst-type LOCAL
    1    32 RETURN     all  --  any    any     anywhere             anywhere             ADDRTYPE match dst-type MULTICAST
    7   697 RETURN     all  --  any    any     anywhere             anywhere             ADDRTYPE match dst-type BROADCAST
    0     0 ufw-logging-deny  all  --  any    any     anywhere             anywhere             limit: avg 3/min burst 10
    0     0 DROP       all  --  any    any     anywhere             anywhere            

Chain ufw-reject-forward (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain ufw-reject-input (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain ufw-reject-output (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain ufw-skip-to-policy-forward (0 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 DROP       all  --  any    any     anywhere             anywhere            

Chain ufw-skip-to-policy-input (7 references)
 pkts bytes target     prot opt in     out     source               destination         
    7   697 DROP       all  --  any    any     anywhere             anywhere            

Chain ufw-skip-to-policy-output (0 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 ACCEPT     all  --  any    any     anywhere             anywhere            

Chain ufw-track-forward (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain ufw-track-input (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain ufw-track-output (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 ACCEPT     tcp  --  any    any     anywhere             anywhere             ctstate NEW
    6  1968 ACCEPT     udp  --  any    any     anywhere             anywhere             ctstate NEW

Chain ufw-user-forward (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain ufw-user-input (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain ufw-user-limit (0 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 LOG        all  --  any    any     anywhere             anywhere             limit: avg 3/min burst 5 LOG level warning prefix "[UFW LIMIT BLOCK] "
    0     0 REJECT     all  --  any    any     anywhere             anywhere             reject-with icmp-port-unreachable

Chain ufw-user-limit-accept (0 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 ACCEPT     all  --  any    any     anywhere             anywhere            

Chain ufw-user-logging-forward (0 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain ufw-user-logging-input (0 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain ufw-user-logging-output (0 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain ufw-user-output (1 references)
 pkts bytes target     prot opt in     out     source               destination         
   59  6632 DROP       all  --  any    wlx00252245ed96  anywhere             anywhere            
    0     0 ACCEPT     tcp  --  any    wlx00252245ed96  anywhere             anywhere             tcp spt:http
    0     0 ACCEPT     udp  --  any    wlx00252245ed96  anywhere             anywhere             udp spt:http
    0     0 ACCEPT     tcp  --  any    wlx00252245ed96  anywhere             anywhere             tcp spt:https
    0     0 ACCEPT     udp  --  any    wlx00252245ed96  anywhere             anywhere             udp spt:https
    
by Alex9766 05.11.2016 / 13:26

1 answer

0

There are at least two problems. First, your general deny rule precedes your specific allow rules, so you will never reach the allow rules. Second, your allow rules are based on the source port, but they need to be based on the destination port.

As a side note, for what you are trying to do, you don't need udp.

For things to work properly there are a few other issues. For example, you will probably need to allow port 53 for DNS (tcp and udp).

So (and disclaimer, I don't use ufw, only iptables, so I'm guessing the syntax):

sudo ufw allow out on wlx00252245ed96 to any port 80 proto tcp from any
sudo ufw allow out on wlx00252245ed96 to any port 443 proto tcp from any
sudo ufw deny out on wlx00252245ed96

In iptables, what you want for the allow rules is (on my test computer. I can't do the DROP rule example because it would break my test computer):

Chain OUTPUT (policy ACCEPT 55 packets, 3244 bytes)
    pkts      bytes target     prot opt in     out     source               destination
       0        0 ACCEPT     tcp  --  *      enp9s0  0.0.0.0/0            0.0.0.0/0            tcp dpt:80
       0        0 ACCEPT     tcp  --  *      enp9s0  0.0.0.0/0            0.0.0.0/0            tcp dpt:443
    
by Doug Smythies 05.11.2016 / 16:41
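An added check, not part of the question or the answer: a small shell audit that scans one chain of `iptables -L -v` output and flags the two defects Doug describes, a catch-all DROP placed ahead of the ACCEPT rules (which makes them unreachable) and allow rules keyed on the source port (spt:) where an outbound browsing policy needs the destination port (dpt:). The two sample chains are constructed from the question's dump; `audit_chain`, `SAMPLE_CHAIN` and `FIXED_CHAIN` are names chosen here.

```shell
#!/bin/sh
# Added audit script (not from the post): check one iptables chain dump for
# the two defects in the answer. Feed it the live chain with
#   sudo iptables -L ufw-user-output -v -n
# Sample chains below are constructed from the question's output.

SAMPLE_CHAIN='Chain ufw-user-output (1 references)
 pkts bytes target     prot opt in     out     source               destination
   59  6632 DROP       all  --  any    wlx00252245ed96  anywhere             anywhere
    0     0 ACCEPT     tcp  --  any    wlx00252245ed96  anywhere             anywhere             tcp spt:http
    0     0 ACCEPT     udp  --  any    wlx00252245ed96  anywhere             anywhere             udp spt:http
    0     0 ACCEPT     tcp  --  any    wlx00252245ed96  anywhere             anywhere             tcp spt:https
    0     0 ACCEPT     udp  --  any    wlx00252245ed96  anywhere             anywhere             udp spt:https'

# Same policy in the order the answer recommends: allows first, catch-all last.
FIXED_CHAIN='Chain ufw-user-output (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     tcp  --  any    wlx00252245ed96  anywhere             anywhere             tcp dpt:http
    0     0 ACCEPT     tcp  --  any    wlx00252245ed96  anywhere             anywhere             tcp dpt:https
    0     0 DROP       all  --  any    wlx00252245ed96  anywhere             anywhere'

# audit_chain CHAIN_TEXT: prints one finding per line; exit 1 if any, 0 if clean.
audit_chain() {
    printf '%s\n' "$1" | awk '
        /^Chain / || $1 == "pkts" || NF < 9 { next }
        { n++; target = $3 }
        # DROP/REJECT with no protocol match (only the 9 base columns) is a
        # catch-all; every ACCEPT that follows it in the chain is unreachable.
        (target == "DROP" || target == "REJECT") && $4 == "all" && NF == 9 && !drop_at {
            drop_at = n; drop_target = target
        }
        target == "ACCEPT" && drop_at && n > drop_at {
            printf "rule %d: ACCEPT shadowed by catch-all %s at rule %d\n", n, drop_target, drop_at
            findings++
        }
        # An outbound allow keyed on the source port never matches a browser
        # connection: its destination port is 80/443, its source port ephemeral.
        target == "ACCEPT" && /spt:/ && !/dpt:/ {
            printf "rule %d: ACCEPT matches source port (%s); use dpt:\n", n, $NF
            findings++
        }
        END { exit (findings + 0 > 0) }'
}

# Stand-alone run: the chain from the question, then the corrected one.
echo "== chain from the question =="
audit_chain "$SAMPLE_CHAIN" || echo "-> exit $? (problems found)"
echo "== corrected ordering =="
audit_chain "$FIXED_CHAIN" && echo "-> exit 0 (clean)"
```

This is a static ordering check on a single chain; it does not model the RELATED,ESTABLISHED accept in ufw-before-output or the DNS (port 53) rules the answer also mentions, so a clean result still requires those to be in place.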