#!/bin/sh
#==============================================================================
# Copyright (C) 2009 - Fabricio Vaccari Constanski #
# http://www.fabriciovc.eti.br | fabriciovc@fabriciovc.eti.br #
# #
# Este trabalho esta licenciado sob uma Licenca Creative Commons #
# Atribuicao-Compartilhamento pela mesma Licenca 2.5 Brasil. Para ver a copia #
# desta licenca, acesse: http://creativecommons.org/licenses/by-sa/2.5/br/ #
# ou envie uma carta para Creative Commons, 171 Second Street, Suite 300, #
# San Francisco, California 94105, USA. #
# #
# Ultima Atualizacao: 18/09/2009 - Fabricio Vaccari Constanski #
#==============================================================================
#------------------------------------------------------------------------------
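# Tool lookup.  `command -v` is POSIX (the script runs under #!/bin/sh) and,
# unlike an unchecked `which`, lets the script abort when a tool is missing
# instead of later executing a bare "-t filter -F" because $IPTABLES
# expanded to nothing.
IPTABLES=$(command -v iptables) || {
  echo "rc.firewall: iptables not found in PATH" >&2
  exit 1
}
MODPROBE=$(command -v modprobe) || {
  echo "rc.firewall: modprobe not found in PATH" >&2
  exit 1
}
# Base directory of the IPv4 sysctl knobs written below.
PSNI=/proc/sys/net/ipv4
#------------------------------------------------------------------------------
# Validate the action before touching any kernel state.  Everything between
# here and the `case "$1"` dispatch at the bottom (sysctl writes, rule flush,
# ACCEPT policies) runs unconditionally, so an unknown or missing argument
# must stop here -- otherwise a typo such as "./rc.firewall star" tears the
# firewall down, leaves every chain at ACCEPT and only then prints the usage.
case "$1" in
  start|stop|nat) ;;
  *)
    echo "Use: ./rc.firewall {start|stop|nat}" >&2
    exit 2
    ;;
esac
#------------------------------------------------------------------------------
# Kernel networking knobs.  As before, these are applied for "stop" as well:
# stopping the firewall does not turn forwarding off.
# Forward packets between interfaces (required by the FORWARD/MASQUERADE
# rules further down).
echo 1 > "$PSNI/ip_forward"
# SYN cookies: protection against SYN-flood.
echo 1 > "$PSNI/tcp_syncookies"
# Reverse-path filtering on every interface (anti IP-spoofing).
for RP in "$PSNI"/conf/*/rp_filter; do
  [ -e "$RP" ] || continue   # sh keeps the literal pattern when nothing matches
  echo 1 > "$RP"
done
# ICMP: keep answering echo requests, but ignore broadcast echo (used for
# smurf-style amplification).
echo 0 > "$PSNI/icmp_echo_ignore_all"
echo 1 > "$PSNI/icmp_echo_ignore_broadcasts"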
#------------------------------------------------------------------------------
# Internal network addressing.
# REDELOCAL: prefix of the internal LAN.
# IPLOCAL:   this host's own address on that LAN (host route, /32).
REDELOCAL=10.3.0.0/24
IPLOCAL=10.3.0.254/32
#------------------------------------------------------------------------------
# Kernel modules: connection tracking plus the FTP helpers (presumably so FTP
# data connections through the NAT are tracked -- confirm).
# NOTE(review): these are the legacy module names from before the
# nf_conntrack rename; on a kernel that only ships nf_conntrack /
# nf_conntrack_ftp / nf_nat_ftp these calls fail.  The script has no
# `set -e`, so a failed modprobe does not stop it -- same as before.
for MOD in ip_conntrack ip_conntrack_ftp ip_nat_ftp; do
  "$MODPROBE" "$MOD"
done
#------------------------------------------------------------------------------
# Start from a clean slate in every table: flush all rules, delete the
# user-defined chains, and leave every built-in chain at ACCEPT.
# NOTE(review): INPUT and FORWARD stay at ACCEPT while "start" rebuilds the
# rule set below -- a short fail-open window.  Setting DROP first and
# reverting to ACCEPT only in the "stop" branch would close it.
for TABLE in filter nat mangle; do
  "$IPTABLES" -t "$TABLE" -F
  "$IPTABLES" -t "$TABLE" -X
done
for CHAIN in INPUT FORWARD OUTPUT; do
  "$IPTABLES" -P "$CHAIN" ACCEPT
done
#------------------------------------------------------------------------------
# SSH listens on a non-standard port.  Accept it on INPUT from any source,
# and for hosts on the internal LAN transparently redirect port 22 on this
# host's internal address to it, so LAN clients can keep using port 22.
PORTASSH=22022
"$IPTABLES" -A INPUT -p tcp -m tcp --dport "$PORTASSH" -j ACCEPT
"$IPTABLES" -A PREROUTING -t nat -s "$REDELOCAL" -d "$IPLOCAL" -p tcp -m tcp \
  --dport 22 -j REDIRECT --to-port "$PORTASSH"
#------------------------------------------------------------------------------
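case "$1" in
  start)
    #--------------------------------------------------------------------------
    # Default policy: DROP whatever no rule below accepts on INPUT and FORWARD;
    # traffic originated by this host (OUTPUT) is not filtered.
    "$IPTABLES" -P INPUT DROP
    "$IPTABLES" -P FORWARD DROP
    "$IPTABLES" -P OUTPUT ACCEPT
    #--------------------------------------------------------------------------
    # Server range (outside REDELOCAL) is forwarded without restriction.
    IPS_SERVIDORES='10.2.0.230-10.2.0.254'
    "$IPTABLES" -A FORWARD -m iprange --src-range "$IPS_SERVIDORES" -j ACCEPT
    #--------------------------------------------------------------------------
    # Loopback: matched by interface rather than by source address, so a
    # packet arriving on a real interface with a forged 127.0.0.1 source does
    # not match this rule (previously "-s 127.0.0.1/32").
    "$IPTABLES" -A INPUT -i lo -j ACCEPT
    #--------------------------------------------------------------------------
    # Internal LAN: unrestricted access to this host; forwarded traffic is
    # accepted except TCP port 80.  NOTE(review): the port-80 DROP presumably
    # forces web browsing through a proxy -- confirm; 443 is not affected.
    "$IPTABLES" -A INPUT -s "$REDELOCAL" -j ACCEPT
    "$IPTABLES" -A FORWARD -s "$REDELOCAL" -p tcp -m tcp --dport 80 -j DROP
    "$IPTABLES" -A FORWARD -s "$REDELOCAL" -j ACCEPT
    #--------------------------------------------------------------------------
    # Replies to connections initiated by this host or by the LAN.  This is
    # the rule that lets DNS and NTP answers (and every other reply) back in.
    "$IPTABLES" -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    "$IPTABLES" -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    #--------------------------------------------------------------------------
    # VPN: anything arriving on a tun* interface is trusted.
    "$IPTABLES" -A INPUT -i tun+ -j ACCEPT
    "$IPTABLES" -A FORWARD -i tun+ -j ACCEPT
    #--------------------------------------------------------------------------
    # DNS queries from the LAN to this host and through it (already covered by
    # the LAN rules above; kept so the intent is explicit).
    # The former "--sport 53 -j ACCEPT" rules on INPUT were removed: matching
    # only on the *source* port accepted any inbound TCP/UDP packet, from
    # anywhere, to any local port, as long as the sender used port 53 -- a
    # bypass of the stateful filter.  Legitimate replies are covered by the
    # ESTABLISHED,RELATED rule above.
    "$IPTABLES" -A INPUT -s "$REDELOCAL" -p tcp -m tcp --dport 53 -j ACCEPT
    "$IPTABLES" -A INPUT -s "$REDELOCAL" -p udp -m udp --dport 53 -j ACCEPT
    "$IPTABLES" -A FORWARD -s "$REDELOCAL" -p tcp -m tcp --dport 53 -j ACCEPT
    "$IPTABLES" -A FORWARD -s "$REDELOCAL" -p udp -m udp --dport 53 -j ACCEPT
    #--------------------------------------------------------------------------
    # NTP: forwarded queries to port 123.  The former "--sport 123" INPUT rule
    # was removed for the same reason as the DNS ones.
    "$IPTABLES" -A FORWARD -p udp -m udp --dport 123 -j ACCEPT
    #--------------------------------------------------------------------------
    # ICMP, rate-limited (1/s on INPUT, 2/s on FORWARD), restricted to echo
    # reply (0), destination unreachable (3), redirect (5), echo request (8),
    # time exceeded (11) and parameter problem (12).
    # NOTE(review): type 5 (redirect) is accepted from any source; whether the
    # kernel acts on it depends on accept_redirects, which this script does not
    # set -- confirm the intended behaviour on a gateway.
    for TYPE in 0 3 5 8 11 12; do
      "$IPTABLES" -A INPUT -p icmp --icmp-type "$TYPE" -m limit --limit 1/s -j ACCEPT
    done
    for TYPE in 0 3 5 8 11 12; do
      "$IPTABLES" -A FORWARD -p icmp --icmp-type "$TYPE" -m limit --limit 2/s -j ACCEPT
    done
    #--------------------------------------------------------------------------
    # Ident (113): reject with a TCP reset instead of silently dropping, so the
    # remote ident client gets an immediate answer rather than a timeout.
    "$IPTABLES" -A INPUT -p tcp -m tcp --dport 113 -j REJECT --reject-with tcp-reset
    #--------------------------------------------------------------------------
    # Any other TCP connection attempt to this host gets a reset; everything
    # else falls through to the DROP policy.
    "$IPTABLES" -A INPUT -p tcp -j REJECT --reject-with tcp-reset
    #--------------------------------------------------------------------------
    # NAT for the LAN.  NOTE(review): no "-o" interface is given, so LAN
    # traffic forwarded into the VPN (tun+) is masqueraded as well -- confirm
    # that is intended.
    "$IPTABLES" -A POSTROUTING -t nat -s "$REDELOCAL" -j MASQUERADE
    ;;
  nat)
    # NAT only: policies stay at ACCEPT (set above), no filtering at all.
    "$IPTABLES" -A POSTROUTING -t nat -s "$REDELOCAL" -j MASQUERADE
    exit 0
    ;;
  stop)
    # Rules were already flushed and policies set to ACCEPT above; nothing
    # more to do.
    exit 0
    ;;
  *)
    # Usage goes to stderr with a non-zero status so callers (init scripts,
    # cron) can tell a typo from a successful run; "nat" is listed because it
    # is an accepted action.
    echo "Use: ./rc.firewall {start|stop|nat}" >&2
    exit 2
    ;;
esac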