Allowing access to Gmail services with iptables: Difference between revisions

From RVM Wiki
Revision as of 12:03, 14 January 2016

If not all the IP addresses assigned to a hostname are known (as with the SMTP and IMAP servers of the Gmail services), the whole netblock assigned to that provider can be identified and allowed through the firewall.


Allowing SMTP

List the netblocks declared in the SPF record:

#!/bin/bash

# The TXT record of _spf.google.com looks like "v=spf1 include:... include:... ~all":
# keep the text between the quotes and strip everything except the include: targets.
NETBLOCKS=$(host -4 -t txt _spf.google.com | grep _spf.google.com | cut -f 2 --delimiter='"' | sed -e 's/include:\|~all\|v=spf1//g')

for NETBLOCK in ${NETBLOCKS}
do
	echo NETBLOCK=${NETBLOCK}
	# Each included record lists ip4:/ip6: networks; print one per line
	# (the ip6: prefix is left in place, as in the output below).
	host -4 -t txt ${NETBLOCK} |grep ${NETBLOCK}| cut -f 2 --delimiter='"' | sed -e 's/ip4:\|~all\|v=spf1//g' | sed -e 's/ /\n/g'
done

For example, they will be:

NETBLOCK=_netblocks.google.com

64.18.0.0/20
64.233.160.0/19
66.102.0.0/20
66.249.80.0/20
72.14.192.0/18
74.125.0.0/16
108.177.8.0/21
173.194.0.0/16
207.126.144.0/20
209.85.128.0/17
216.58.192.0/19
216.239.32.0/19

NETBLOCK=_netblocks2.google.com

ip6:2001:4860:4000::/36
ip6:2404:6800:4000::/36
ip6:2607:f8b0:4000::/36
ip6:2800:3f0:4000::/36
ip6:2a00:1450:4000::/36
ip6:2c0f:fb50:4000::/36

NETBLOCK=_netblocks3.google.com
  • Another script:
dig @8.8.8.8 +short  _spf.google.com TXT \
  |awk '
    # one space-separated SPF term per record; split each term on ":"
    BEGIN {RS=" " ; FS=":"} ;
    $1 == "include" {print $2}
  ' \
  |sed -e '/^\s*$/d' \
  |while read NETBLOCK ; do
    dig @8.8.8.8 +short "${NETBLOCK}" TXT \
    |awk '
      BEGIN {RS=" " ; FS=":"} ;
      $1 ~ /^ip4/ {print $2} ;
      # IPv6 prefixes contain ":", so re-join the remaining fields
      $1 ~ /^ip6/ {s = ""; for (i = 2; i <= NF; i++) s = s":"$i; print s }
    ' \
  |sed -e 's/^://' ;
done
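The two scripts above both follow the include: targets of the SPF record and pull the ip4:/ip6: networks out of each included record. The following is an added example, not the wiki's code, that performs the same extraction on constructed records so it can be run offline: spf_lookup stands in for dig @8.8.8.8 +short NAME TXT, and the example.test names and the record contents are made up (the prefixes are taken from the listing above). It keeps IPv6 prefixes intact by removing only the mechanism name instead of splitting every term on ':'.

```shell
#!/bin/sh
# Added example, not part of the wiki page: parse SPF records offline.

# Stand-in for the resolver: in real use replace the body with
#   dig @8.8.8.8 +short "$1" TXT
# The names and record contents below are constructed for the example.
spf_lookup() {
    case "$1" in
        _spf.example.test)
            printf '%s\n' '"v=spf1 include:_netblocks.example.test include:_netblocks2.example.test ~all"' ;;
        _netblocks.example.test)
            printf '%s\n' '"v=spf1 ip4:64.18.0.0/20 ip4:74.125.0.0/16 ~all"' ;;
        _netblocks2.example.test)
            printf '%s\n' '"v=spf1 ip6:2001:4860:4000::/36 ip6:2a00:1450:4000::/36 ~all"' ;;
        *)
            return 1 ;;
    esac
}

# One SPF term per line: drop the quotes dig prints and split on spaces.
spf_terms() {
    spf_lookup "$1" | tr -d '"' | tr ' ' '\n' | sed -e '/^[[:space:]]*$/d'
}

# Hostnames referenced by include: mechanisms.
spf_includes() {
    spf_terms "$1" | sed -n 's/^include://p'
}

# ip4:/ip6: networks, one CIDR per line. Only the mechanism name is removed,
# so IPv6 prefixes (which contain ':') survive unchanged.
spf_networks() {
    spf_terms "$1" | sed -n 's/^ip[46]://p'
}

# Follow include: one level, as the wiki scripts do, and list every network.
spf_all_networks() {
    spf_includes "$1" | while read -r inc; do
        spf_networks "$inc"
    done
}

# Usage: spf_all_networks _spf.example.test
```

Real SPF records may nest include: more than one level and may carry redirect= or a: mechanisms; the wiki scripts and this example only follow one level of include:, so compare the result against the provider's published ranges before loading it into the firewall.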

Allowing the IMAP server

  • To allow IMAP, we find the first IP address associated with the host:
$ host imap.googlemail.com
imap.googlemail.com is an alias for googlemail-imap.l.google.com.
googlemail-imap.l.google.com has address 74.125.206.16
  • We identify the associated netblock:
$ whois 74.125.206.16 | grep CIDR
CIDR:           74.125.0.0/16
  • It is then enough to use the following parameter to allow port 993:
--destination 74.125.0.0/16


  • For SMTP, the IP address is:
$ host smtp.googlemail.com
smtp.googlemail.com is an alias for googlemail-smtp.l.google.com.
googlemail-smtp.l.google.com has address 64.233.167.16
  • The netblock is:
$ whois 64.233.167.16 | grep CIDR
CIDR:           64.233.160.0/19
  • In this specific case, it is prudent to allow both netblocks, like this:
    GMAIL_IMAP="74.125.0.0/16"
    # imap.googlemail.com   74.125.206.16   74.125.0.0/16

    GMAIL_SMTP="64.233.160.0/19"
    # smtp.googlemail.com   64.233.167.16   64.233.160.0/19

    GMAIL_NET="${GMAIL_IMAP} ${GMAIL_SMTP}"

    # $IPTABLES, $LAN0_IF, $LAN0_NET, $WAN0_IF and $UNPRIVPORTS are the
    # variables of the surrounding firewall script; the replies to these
    # connections are assumed to be accepted by a separate ESTABLISHED rule.

    # ------------------------------------------------------------------
    # SMTP GMAIL (smtps 465)
    # ----------------
        for NET in $GMAIL_NET
        do
            $IPTABLES -A FORWARD -p tcp \
                -i $LAN0_IF -s $LAN0_NET  --sport $UNPRIVPORTS \
                -o $WAN0_IF -d $NET --dport 465 \
                -j ACCEPT
        done

    # ------------------------------------------------------------------
    # IMAP GMAIL (imaps 993)
    # ----------------
        for NET in $GMAIL_NET
        do
            $IPTABLES -A FORWARD -p tcp \
                -i $LAN0_IF -s $LAN0_NET  --sport $UNPRIVPORTS \
                -o $WAN0_IF -d $NET --dport 993 \
                -j ACCEPT
        done

References