Unblocking access to Gmail services with iptables
If not all the IP addresses assigned to a hostname are known (as is the case for the SMTP and IMAP servers of the Gmail services), the whole netblock assigned to that provider can be identified and unblocked instead.
SMTP unblocking
List the netblocks declared in the SPF records:
#!/bin/bash
# Collect the IPv4 netblocks published in Google's SPF records.
# _spf.google.com only carries include: references; the referenced
# names (_netblocks*.google.com) hold the actual ip4:/ip6: entries.
NETBLOCKS=$(host -4 -t txt _spf.google.com | grep _spf.google.com | cut -f 2 --delimiter='"' | sed -e 's/include:\|~all\|v=spf1//g')
LIST=""
for NETBLOCK in ${NETBLOCKS}
do
    #echo NETBLOCK=${NETBLOCK}
    # keep only entries that start with a digit, i.e. the ip4: blocks (ip6: entries are dropped here)
    LIST="$LIST $(host -4 -t txt ${NETBLOCK} | grep ${NETBLOCK} | cut -f 2 --delimiter='"' | sed -e 's/ip4:\|~all\|v=spf1//g' | sed -e 's/ /\n/g' | grep '^[0-9]')"
done
# one block per line, sorted numerically by address (sort -V handles dotted quads)
echo $LIST | tr ' ' '\n' | sort -V -t '/' -k 1
For example, the output (with the debug echo enabled) will look like:
NETBLOCK=_netblocks.google.com
64.18.0.0/20
64.233.160.0/19
66.102.0.0/20
66.249.80.0/20
72.14.192.0/18
74.125.0.0/16
108.177.8.0/21
173.194.0.0/16
207.126.144.0/20
209.85.128.0/17
216.58.192.0/19
216.239.32.0/19
NETBLOCK=_netblocks2.google.com
ip6:2001:4860:4000::/36
ip6:2404:6800:4000::/36
ip6:2607:f8b0:4000::/36
ip6:2800:3f0:4000::/36
ip6:2a00:1450:4000::/36
ip6:2c0f:fb50:4000::/36
NETBLOCK=_netblocks3.google.com
- Another script:
# Same enumeration with dig/awk: the outer query lists the include: names,
# the inner one extracts the ip4:/ip6: entries of each of them.
dig @8.8.8.8 +short _spf.google.com TXT \
|awk '
    BEGIN {RS=" " ; FS=":"} ;
    # one space-separated SPF term per record; keep the target of include: terms
    $1 == "include" {print $2}
' \
|sed -e '/^\s*$/d' \
|while read NETBLOCK ; do
    dig @8.8.8.8 +short "${NETBLOCK}" TXT \
    |awk '
        BEGIN {RS=" " ; FS=":"} ;
        $1 ~ /^ip4/ {print $2} ;
        # IPv6 blocks contain ":" themselves, so re-join fields 2..NF
        $1 ~ /^ip6/ {s = ""; for (i = 2; i <= NF; i++) s = s":"$i; print s }
    ' \
    |sed -e 's/^://' ;
done
IMAP server unblocking
- To unblock IMAP, find the first IP address associated with the host:
$ host imap.googlemail.com
imap.googlemail.com is an alias for googlemail-imap.l.google.com.
googlemail-imap.l.google.com has address 74.125.206.16
- Identify the associated netblock:
$ whois 74.125.206.16 | grep CIDR
CIDR: 74.125.0.0/16
- It is then enough to use the following parameter to unblock port 993:
--destination 64.233.160.0/19
- For SMTP, the IP address is:
$ host smtp.googlemail.com
smtp.googlemail.com is an alias for googlemail-smtp.l.google.com.
googlemail-smtp.l.google.com has address 64.233.167.16
- The netblock is:
$ whois 64.233.167.16 | grep CIDR
CIDR: 64.233.160.0/19
- In this specific case, it is prudent to unblock both netblocks, like this:
# Netblocks found above (host, then whois CIDR)
GMAIL_IMAP="74.125.0.0/16"
# imap.googlemail.com 74.125.206.16 74.125.0.0/16
GMAIL_SMTP="64.233.160.0/19"
# smtp.googlemail.com 64.233.167.16 64.233.160.0/19
GMAIL_NET="${GMAIL_IMAP} ${GMAIL_SMTP}"
# $IPTABLES, $LAN0_IF, $LAN0_NET, $WAN0_IF and $UNPRIVPORTS come from the
# surrounding firewall script (not shown here).
# ------------------------------------------------------------------
# SMTP GMAIL (smtps 465)
# ----------------
for NET in $GMAIL_NET
do
    $IPTABLES -A FORWARD -p tcp \
        -i $LAN0_IF -s $LAN0_NET --sport $UNPRIVPORTS \
        -o $WAN0_IF -d $NET --dport 465 \
        -j ACCEPT
done
# ------------------------------------------------------------------
# IMAP GMAIL (imaps 993)
# ----------------
for NET in $GMAIL_NET
do
    $IPTABLES -A FORWARD -p tcp \
        -i $LAN0_IF -s $LAN0_NET --sport $UNPRIVPORTS \
        -o $WAN0_IF -d $NET --dport 993 \
        -j ACCEPT
done
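The fragment above applies rules directly, with netblock values that were copied by hand from host/whois output. The following added example (not the page's firewall script) generates the same FORWARD rules as text so they can be reviewed before being applied, and validates each netblock as an IPv4 CIDR first, so that a malformed or unexpected string taken from DNS or whois output never reaches iptables. The interface names, LAN range and port range are assumed defaults standing in for the variables the original script defines elsewhere.

```shell
#!/bin/sh
# Added example. Defaults below are assumptions mirroring the variable names
# of the original fragment; override them in the environment as needed.
IPTABLES=${IPTABLES:-iptables}
LAN0_IF=${LAN0_IF:-eth1}
LAN0_NET=${LAN0_NET:-192.168.1.0/24}
WAN0_IF=${WAN0_IF:-eth0}
UNPRIVPORTS=${UNPRIVPORTS:-1024:65535}

# is_ipv4_cidr BLOCK: accept only dotted-quad/prefix strings with octets in
# 0..255 and a prefix length in 0..32. Anything else (IPv6 blocks, stray text,
# shell metacharacters) is rejected.
is_ipv4_cidr() {
    printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}/([0-9]|[12][0-9]|3[0-2])$' || return 1
    # split the octets on "." and "/" and range-check each one
    set -- $(printf '%s\n' "$1" | tr './' '  ')
    for octet in "$1" "$2" "$3" "$4"; do
        [ "$octet" -le 255 ] || return 1
    done
}

# gmail_forward_rules PORT BLOCK...: print one LAN->WAN ACCEPT rule per block
# for PORT. If any block is invalid, print nothing and return 1, so a bad list
# fails closed instead of opening the firewall for part of it.
gmail_forward_rules() {
    port=$1; shift
    for net in "$@"; do
        is_ipv4_cidr "$net" || { echo "invalid netblock: $net" >&2; return 1; }
    done
    for net in "$@"; do
        printf '%s -A FORWARD -p tcp -i %s -s %s --sport %s -o %s -d %s --dport %s -j ACCEPT\n' \
            "$IPTABLES" "$LAN0_IF" "$LAN0_NET" "$UNPRIVPORTS" "$WAN0_IF" "$net" "$port"
    done
}

# Usage: print the rules for the two netblocks found above (smtps 465, imaps 993);
# review the output, then pipe it to sh to apply it.
GMAIL_NET="74.125.0.0/16 64.233.160.0/19"
gmail_forward_rules 465 $GMAIL_NET
gmail_forward_rules 993 $GMAIL_NET
```

Note that these rules, like the original ones, only cover the LAN-to-WAN direction; the reply packets must be accepted by a separate ESTABLISHED/RELATED state rule, which the page assumes exists elsewhere in the firewall script.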