
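#!/bin/bash

#---------------------------------------------------------------------------------
# Autor: Fabricio Vaccari Constanski
#        fabriciovc@fabriciovc.eti.br
# Ultima Atualizacao: 26/02/2009
#---------------------------------------------------------------------------------
# Usage: rc.firewall {start|stop|nat}
#   start - set INPUT/FORWARD policy to DROP and load the accept rules below
#   stop  - flush everything and leave the ACCEPT policy in place (no filtering)
#   nat   - ACCEPT policy with only the MASQUERADE rule for the LAN
# Must run as root: it writes /proc/sys/net/ipv4 tunables and loads modules.
# The SSH rules before the "case" are applied in every mode; everything else
# depends on the mode given in $1.
#---------------------------------------------------------------------------------
# Abort on any unset variable; "$1" is read as "${1-}" below so the usage
# message is still printed when no mode is given.
set -u
#---------------------------------------------------------------------------------
# iptables binary
IPTABLES=$(command -v iptables)
# modprobe binary
MODPROBE=$(command -v modprobe)
# Abort if either binary is missing. With an empty $IPTABLES every rule below
# would silently fail and the host would be left with no firewall at all.
if [[ -z "$IPTABLES" || -z "$MODPROBE" ]]; then
  echo "rc.firewall: iptables or modprobe not found in PATH" >&2
  exit 1
fi
readonly IPTABLES MODPROBE
# /proc/sys/net/ipv4
readonly PSNI=/proc/sys/net/ipv4
#---------------------------------------------------------------------------------
# Enable packet forwarding (this host routes for 192.168.1.0/24)
echo 1 > "$PSNI/ip_forward"
# Enable SYN cookies (SYN flood protection)
echo 1 > "$PSNI/tcp_syncookies"
# Enable reverse-path filtering on every interface (IP spoofing protection)
for RP in "$PSNI"/conf/*/rp_filter ; do echo 1 > "$RP" ; done
# ICMP control: answer unicast echo requests, ignore broadcast ones (smurf)
echo 0 > "$PSNI/icmp_echo_ignore_all"
echo 1 > "$PSNI/icmp_echo_ignore_broadcasts"
#---------------------------------------------------------------------------------
# Load connection-tracking modules (legacy 2.6-era names; the FTP helpers are
# what make the RELATED rules below cover FTP data connections)
$MODPROBE ip_conntrack
$MODPROBE ip_conntrack_ftp
$MODPROBE ip_nat_ftp
#---------------------------------------------------------------------------------
# Flush all rules and delete user-defined chains in every table
$IPTABLES -t filter -F
$IPTABLES -t nat -F
$IPTABLES -t mangle -F
$IPTABLES -t filter -X
$IPTABLES -t nat -X
$IPTABLES -t mangle -X
#---------------------------------------------------------------------------------
# Default policy ACCEPT (kept as-is by the "stop" and "nat" modes)
$IPTABLES -P INPUT ACCEPT
$IPTABLES -P FORWARD ACCEPT
$IPTABLES -P OUTPUT ACCEPT
#---------------------------------------------------------------------------------
# Allow SSH. sshd listens on 22022; port 22 on 192.168.1.253 is redirected to
# it for traffic arriving on eth0 and on the VPN (tun+) interfaces.
$IPTABLES -A INPUT -p tcp -m tcp --dport 22022 -j ACCEPT
$IPTABLES -A PREROUTING -t nat -i eth0 -d 192.168.1.253/32 -p tcp -m tcp \
					--dport 22 -j REDIRECT --to-port 22022
$IPTABLES -A PREROUTING -t nat -i tun+ -d 192.168.1.253/32 -p tcp -m tcp \
					--dport 22 -j REDIRECT --to-port 22022
#---------------------------------------------------------------------------------
case "${1-}" in 
  start)
    #-----------------------------------------------------------------------------
    # Default policy DROP for INPUT and FORWARD; OUTPUT stays open.
    # Rule order matters from here on: rules are appended (-A) and the first
    # match wins, so the tcp-reset catch-all near the end must stay last.
    $IPTABLES -P INPUT DROP
    $IPTABLES -P FORWARD DROP
    $IPTABLES -P OUTPUT ACCEPT
    #-----------------------------------------------------------------------------
    # Allow loopback. Matched on the interface rather than on "-s 127.0.0.1",
    # so a packet carrying a spoofed 127.0.0.1 source on eth0 is not accepted.
    $IPTABLES -A INPUT -i lo -j ACCEPT
    #-----------------------------------------------------------------------------
    # Allow the servers to forward anything
    $IPTABLES -A FORWARD -s 192.168.1.250/32 -j ACCEPT
    $IPTABLES -A FORWARD -s 192.168.1.253/32 -j ACCEPT
    #-----------------------------------------------------------------------------
    # Allow individual workstations to forward anything
    # renato
    $IPTABLES -A FORWARD -s 192.168.1.1/32 -j ACCEPT
    # fabio
    $IPTABLES -A FORWARD -s 192.168.1.5/32 -j ACCEPT
    #-----------------------------------------------------------------------------
    # Allow MSN from the LAN (443, 1080, 1863). NOTE(review): the unconditional
    # "-s 192.168.1.0/24 -j ACCEPT" in the LAN section below already covers
    # these, so they only matter if that rule is removed later.
    $IPTABLES -A FORWARD -s 192.168.1.0/24 -p tcp -m tcp --dport 443 -j ACCEPT
    $IPTABLES -A FORWARD -s 192.168.1.0/24 -p tcp -m tcp --dport 1080 -j ACCEPT
    $IPTABLES -A FORWARD -s 192.168.1.0/24 -p tcp -m tcp --dport 1863 -j ACCEPT
    #-----------------------------------------------------------------------------
    # Allow the local network in and through
    $IPTABLES -A INPUT -s 192.168.1.0/24 -j ACCEPT
    #$IPTABLES -A FORWARD -s 192.168.1.0/24 -p tcp -m tcp --dport 80 -j DROP
    $IPTABLES -A FORWARD -s 192.168.1.0/24 -j ACCEPT
    #-----------------------------------------------------------------------------
    # Allow VPN peers (any tun interface) in and through
    $IPTABLES -A INPUT -i tun+ -j ACCEPT
    $IPTABLES -A FORWARD -i tun+ -j ACCEPT
    #-----------------------------------------------------------------------------
    # Allow replies to established connections. Only TCP is matched here;
    # UDP/ICMP replies are not covered, which is why the "--sport 53" DNS rules
    # below exist. NOTE(review): presumably intentional — confirm.
    $IPTABLES -A INPUT -p tcp -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPTABLES -A FORWARD -p tcp -m state --state ESTABLISHED,RELATED -j ACCEPT
    #-----------------------------------------------------------------------------
    # The service rules below accept from ANY source, not only the LAN.
    # NOTE(review): FTP, SMTP, SNMP and MySQL are therefore reachable from
    # every interface the host has; confirm this exposure is intended.
    #-----------------------------------------------------------------------------
    # Allow FTP
    $IPTABLES -A INPUT -p tcp -m tcp --dport 21 -j ACCEPT
    $IPTABLES -A FORWARD -p tcp -m tcp --dport 21 -j ACCEPT
    #-----------------------------------------------------------------------------
    # Allow SMTP
    $IPTABLES -A INPUT -p tcp -m tcp --dport 25 -j ACCEPT
    $IPTABLES -A FORWARD -p tcp -m tcp --dport 25 -j ACCEPT
    #-----------------------------------------------------------------------------
    # Allow DNS (queries to this host and replies from remote resolvers)
    $IPTABLES -A INPUT -p tcp -m tcp --dport 53 -j ACCEPT
    $IPTABLES -A INPUT -p udp -m udp --dport 53 -j ACCEPT
    $IPTABLES -A INPUT -p tcp -m tcp --sport 53 -j ACCEPT
    $IPTABLES -A INPUT -p udp -m udp --sport 53 -j ACCEPT
    $IPTABLES -A FORWARD -p tcp -m tcp --dport 53 -j ACCEPT
    $IPTABLES -A FORWARD -p udp -m udp --dport 53 -j ACCEPT
    $IPTABLES -A FORWARD -p tcp -m tcp --sport 53 -j ACCEPT
    $IPTABLES -A FORWARD -p udp -m udp --sport 53 -j ACCEPT
    #-----------------------------------------------------------------------------
    # Allow HTTP
    $IPTABLES -A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
    $IPTABLES -A FORWARD -p tcp -m tcp --dport 80 -j ACCEPT
    #-----------------------------------------------------------------------------
    # Allow POP3
    $IPTABLES -A INPUT -p tcp -m tcp --dport 110 -j ACCEPT
    $IPTABLES -A FORWARD -p tcp -m tcp --dport 110 -j ACCEPT
    #-----------------------------------------------------------------------------
    # Allow ntpdate (NTP)
    $IPTABLES -A INPUT -p udp -m udp --dport 123 -j ACCEPT
    $IPTABLES -A FORWARD -p udp -m udp --dport 123 -j ACCEPT
    #-----------------------------------------------------------------------------
    # Allow IMAP
    $IPTABLES -A INPUT -p tcp -m tcp --dport 143 -j ACCEPT
    $IPTABLES -A FORWARD -p tcp -m tcp --dport 143 -j ACCEPT
    #-----------------------------------------------------------------------------
    # Allow SNMP
    $IPTABLES -A INPUT -p udp -m udp --dport 161 -j ACCEPT
    $IPTABLES -A FORWARD -p udp -m udp --dport 161 -j ACCEPT
    #-----------------------------------------------------------------------------
    # Allow IMAPS
    $IPTABLES -A INPUT -p tcp -m tcp --dport 993 -j ACCEPT
    $IPTABLES -A FORWARD -p tcp -m tcp --dport 993 -j ACCEPT
    #-----------------------------------------------------------------------------
    # Allow POP3S
    $IPTABLES -A INPUT -p tcp -m tcp --dport 995 -j ACCEPT
    $IPTABLES -A FORWARD -p tcp -m tcp --dport 995 -j ACCEPT
    #-----------------------------------------------------------------------------
    # Allow MySQL
    $IPTABLES -A INPUT -p tcp -m tcp --dport 3306 -j ACCEPT
    $IPTABLES -A FORWARD -p tcp -m tcp --dport 3306 -j ACCEPT
    #-----------------------------------------------------------------------------
    # Allow XMPP (forwarded only)
    $IPTABLES -A FORWARD -p tcp -m tcp --dport 5222 -j ACCEPT
    #-----------------------------------------------------------------------------
    # Allow rate-limited ICMP (echo reply/request, unreachable, redirect,
    # time exceeded, parameter problem). Anything above 2/s falls through to
    # the DROP policy.
    $IPTABLES -A INPUT -p icmp --icmp-type 0 -m limit --limit 2/s -j ACCEPT
    $IPTABLES -A INPUT -p icmp --icmp-type 3 -m limit --limit 2/s -j ACCEPT
    $IPTABLES -A INPUT -p icmp --icmp-type 5 -m limit --limit 2/s -j ACCEPT
    $IPTABLES -A INPUT -p icmp --icmp-type 8 -m limit --limit 2/s -j ACCEPT
    $IPTABLES -A INPUT -p icmp --icmp-type 11 -m limit --limit 2/s -j ACCEPT
    $IPTABLES -A INPUT -p icmp --icmp-type 12 -m limit --limit 2/s -j ACCEPT
    $IPTABLES -A FORWARD -p icmp --icmp-type 0 -m limit --limit 2/s -j ACCEPT
    $IPTABLES -A FORWARD -p icmp --icmp-type 3 -m limit --limit 2/s -j ACCEPT
    $IPTABLES -A FORWARD -p icmp --icmp-type 5 -m limit --limit 2/s -j ACCEPT
    $IPTABLES -A FORWARD -p icmp --icmp-type 8 -m limit --limit 2/s -j ACCEPT
    $IPTABLES -A FORWARD -p icmp --icmp-type 11 -m limit --limit 2/s -j ACCEPT
    $IPTABLES -A FORWARD -p icmp --icmp-type 12 -m limit --limit 2/s -j ACCEPT
    #-----------------------------------------------------------------------------
    # Reject ident with a TCP reset (avoids mail/IRC server timeouts)
    $IPTABLES -A INPUT -p tcp -m tcp --dport 113 -j REJECT --reject-with tcp-reset
    #-----------------------------------------------------------------------------
    # Reset any other inbound TCP connection attempt (must remain the last
    # INPUT rule; everything not matched above is rejected here)
    $IPTABLES -A INPUT -p tcp -j REJECT --reject-with tcp-reset
    #-----------------------------------------------------------------------------
    # Masquerade the LAN behind this host
    $IPTABLES -A POSTROUTING -t nat -s 192.168.1.0/24 -j MASQUERADE
    #-----------------------------------------------------------------------------
  ;;
  stop)
    # Tables were already flushed and policies set to ACCEPT above
    exit 0
  ;;
  nat)
    # Masquerade the LAN only, no filtering
    $IPTABLES -A POSTROUTING -t nat -s 192.168.1.0/24 -j MASQUERADE
    exit 0
  ;;
  *)
    # Unknown or missing mode: print usage to stderr and exit non-zero
    echo "Use: ./rc.firewall {start|stop|nat}" >&2
    exit 2
  ;;
esac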
