File "rc.firewall-bra.sh"
Full path: /www/wwwroot/fabriciovc.eti.br/downloads/windows/xen/rc.firewall-bra.sh
File size: 13.41 KiB (13736 bytes)
MIME-type: text/x-shellscript
Charset: utf-8
#!/bin/bash
#-------------------------------------------------------------------------
# Autor: Fabricio Vaccari Constanski
# fabriciovc@allcompcs.com
# Ultima Atualizacao: 07/02/2008
# ALLCOMP Computadores e Sistemas
#-------------------------------------------------------------------------
#-------------------------------------------------------------------------
# Comando iptables
IPTABLES=`which iptables`
# Comando modprobe
MODPROBE=`which modprobe`
# Comando tc
TC=`which tc`
# /proc/sys/net/ipv4
PSNI=/proc/sys/net/ipv4
#-------------------------------------------------------------------------
# Endereco de Loopback
LOOPBACK=127.0.0.0/8
# Endereco IP local
IPLOCAL=192.168.0.254
# Rede interna da empresa (IP/Mascara)
REDELOCAL=192.168.0.0/24
# Placa de rede ligada na rede interna
IFINTERNA=eth2
# Placa de rede ligada na rede externa
IFEXTERNA=eth1
# Placa de rede ligada na DMZ
#IFDMZ=eth2
# Interface de VPN
IFTUN=tun+
#-------------------------------------------------------------------------
# Habilita repasse de pacotes
echo 1 > $PSNI/ip_forward
# Habilitar protecao contra synflood
echo 1 > $PSNI/tcp_syncookies
# Habilitar verificacao de rota de origem (Protecao p/ IP Spoofing)
for RP in $PSNI/conf/*/rp_filter ; do echo 1 > $RP ; done
# Controle de ICMP
echo 0 > $PSNI/icmp_echo_ignore_all
echo 1 > $PSNI/icmp_echo_ignore_broadcasts
#-------------------------------------------------------------------------
# Carregando módulos
$MODPROBE ip_conntrack
$MODPROBE ip_conntrack_ftp
$MODPROBE ip_nat_ftp
$MODPROBE ip_conntrack_irc
$MODPROBE ip_nat_irc
#-------------------------------------------------------------------------
# Limpando regras e cadeias anteriores
$IPTABLES -t filter -F
$IPTABLES -t nat -F
$IPTABLES -t mangle -F
$IPTABLES -t filter -X
$IPTABLES -t nat -X
$IPTABLES -t mangle -X
#-------------------------------------------------------------------------
# Definindo politica padrao ACCEPT
$IPTABLES -P INPUT ACCEPT
$IPTABLES -P FORWARD ACCEPT
$IPTABLES -P OUTPUT ACCEPT
#-------------------------------------------------------------------------
# Remove qdisk htb associada
#$TC qdisc del dev $IFEXTERNA root
#-------------------------------------------------------------------------
# Liberar SSH
PSSH=22
$IPTABLES -A INPUT -p tcp --dport $PSSH -j ACCEPT
#-------------------------------------------------------------------------
case $1 in
start)
#---------------------------------------------------------------------
# Definindo portas dos servicos
PORTAFTP="21"
PORTASMTP="25"
PORTADNS="53"
PORTAHTTP="80"
PORTAPOP="110"
PORTANTP="123"
#PORTASAMBA="137:139"
PORTAIMAP="143"
#PORTALDAP="389"
PORTAHTTPS="443"
PORTAVPN="1194"
PORTAPROXY="3128"
PORTATS="3389"
#PORTAVNC="5900"
PORTASSH=$PSSH
#---------------------------------------------------------------------
# IPs dos Servidores
SRVWEB="192.168.0.150"
#---------------------------------------------------------------------
# Definindo IPs liberados (separar por espaco)
IPS_SRV="$SRVWEB"
#IPS_MSN="192.168.254.100"
#---------------------------------------------------------------------
# Definindo politica padrao DROP
$IPTABLES -P INPUT DROP
$IPTABLES -P FORWARD DROP
$IPTABLES -P OUTPUT ACCEPT
#---------------------------------------------------------------------
# Liberar loopback
$IPTABLES -A INPUT -s $LOOPBACK -j ACCEPT
#---------------------------------------------------------------------
# Liberar IPs definidos em $IPS_SRV
for IPSSRV in $IPS_SRV
do
$IPTABLES -A FORWARD -s $IPSSRV -j ACCEPT
$IPTABLES -A PREROUTING -t nat -s $IPSSRV -j RETURN
done
#---------------------------------------------------------------------
# Liberar Conectividade Social da Caixa Economica
$IPTABLES -A FORWARD -p tcp -s $REDELOCAL -d 200.201.174.207 --dport 80 -j ACCEPT
$IPTABLES -A FORWARD -p tcp -s $REDELOCAL -d 200.201.174.207 --dport 443 -j ACCEPT
$IPTABLES -A PREROUTING -t nat -p tcp -s $REDELOCAL -d 200.201.174.207 --dport 80 -j RETURN
$IPTABLES -A PREROUTING -t nat -p tcp -s $REDELOCAL -d 200.201.174.207 --dport 443 -j RETURN
#$IPTABLES -A PREROUTING -t nat -s $REDELOCAL -d 200.201.174.0/24 -j RETURN
#$IPTABLES -A PREROUTING -t nat -s $REDELOCAL -d 200.201.173.0/24 -j RETURN
#$IPTABLES -A PREROUTING -t nat -s $REDELOCAL -d 200.201.166.0/24 -j RETURN
#---------------------------------------------------------------------
# Liberar MSN apenas para os IPs definidos em $IPS_MSN usando L7PROTO
#for IPSMSN in $IPS_MSN
#do
# $IPTABLES -A FORWARD -m layer7 --l7proto msnmessenger -s $IPSMSN -j ACCEPT
# $IPTABLES -A FORWARD -m layer7 --l7proto msnmessenger -d $IPSMSN -j ACCEPT
#done
#---------------------------------------------------------------------
# Bloquear protocolos L7PROTO
#L7PROTO="ares bittorrent edonkey fasttrack msnmessenger napster"
#for PROTO in $L7PROTO
#do
# $IPTABLES -A FORWARD -m layer7 --l7proto $PROTO -j DROP
#done
#---------------------------------------------------------------------
# Liberar rede interna com excessao da porta 80
$IPTABLES -A INPUT -s $REDELOCAL -j ACCEPT
$IPTABLES -A FORWARD -p tcp -s $REDELOCAL --dport $PORTAHTTP -j DROP
$IPTABLES -A FORWARD -s $REDELOCAL -j ACCEPT
#---------------------------------------------------------------------
# Liberar retorno de conexoes
$IPTABLES -A INPUT -p tcp -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A FORWARD -p tcp -m state --state ESTABLISHED,RELATED -j ACCEPT
#---------------------------------------------------------------------
# Liberar SMTP
$IPTABLES -A FORWARD -p tcp --dport $PORTASMTP -j ACCEPT
$IPTABLES -A PREROUTING -t nat -p tcp -i $IFEXTERNA --dport $PORTASMTP -j DNAT --to $SRVWEB
#---------------------------------------------------------------------
# Liberar DNS
$IPTABLES -A INPUT -p tcp --dport $PORTADNS -j ACCEPT
$IPTABLES -A INPUT -p udp --dport $PORTADNS -j ACCEPT
$IPTABLES -A INPUT -p tcp --sport $PORTADNS -j ACCEPT
$IPTABLES -A INPUT -p udp --sport $PORTADNS -j ACCEPT
$IPTABLES -A FORWARD -p tcp --dport $PORTADNS -j ACCEPT
$IPTABLES -A FORWARD -p udp --dport $PORTADNS -j ACCEPT
$IPTABLES -A FORWARD -p tcp --sport $PORTADNS -j ACCEPT
$IPTABLES -A FORWARD -p udp --sport $PORTADNS -j ACCEPT
$IPTABLES -A PREROUTING -t nat -p tcp -i $IFEXTERNA --dport $PORTADNS -j DNAT --to $SRVWEB
$IPTABLES -A PREROUTING -t nat -p udp -i $IFEXTERNA --dport $PORTADNS -j DNAT --to $SRVWEB
#---------------------------------------------------------------------
# Liberar HTTP
$IPTABLES -A INPUT -p tcp --dport $PORTAHTTP -j ACCEPT
$IPTABLES -A FORWARD -p tcp --dport $PORTAHTTP -j ACCEPT
$IPTABLES -A PREROUTING -t nat -p tcp -i $IFEXTERNA --dport 8080 -j REDIRECT --to-port 80
$IPTABLES -A PREROUTING -t nat -p tcp -i $IFEXTERNA --dport $PORTAHTTP -j DNAT --to $SRVWEB
#---------------------------------------------------------------------
# Liberar POP
$IPTABLES -A FORWARD -p tcp --dport $PORTAPOP -j ACCEPT
$IPTABLES -A PREROUTING -t nat -p tcp -i $IFEXTERNA --dport $PORTAPOP -j DNAT --to $SRVWEB
#---------------------------------------------------------------------
# Liberar ntpdate (NTP)
$IPTABLES -A INPUT -p udp --dport $PORTANTP -j ACCEPT
$IPTABLES -A FORWARD -p udp --dport $PORTANTP -j ACCEPT
#---------------------------------------------------------------------
# Liberar IMAP
$IPTABLES -A FORWARD -p tcp --dport $PORTAIMAP -j ACCEPT
$IPTABLES -A PREROUTING -t nat -p tcp -i $IFEXTERNA --dport $PORTAIMAP -j DNAT --to $SRVWEB
#---------------------------------------------------------------------
# Liberar HTTPS
$IPTABLES -A FORWARD -p tcp --dport $PORTAHTTPS -j ACCEPT
$IPTABLES -A PREROUTING -t nat -p tcp -i $IFEXTERNA --dport $PORTAHTTPS -j DNAT --to $SRVWEB
#---------------------------------------------------------------------
# Liberar OpenVPN
$IPTABLES -A INPUT -p tcp --dport $PORTAVPN -j ACCEPT
$IPTABLES -A FORWARD -p tcp -i $IFTUN -j ACCEPT
$IPTABLES -A FORWARD -p tcp -o $IFTUN -j ACCEPT
#---------------------------------------------------------------------
# Liberar TS
#$IPTABLES -A FORWARD -p tcp --dport $PORTATS -j ACCEPT
#$IPTABLES -A PREROUTING -t nat -p tcp -i $IFEXTERNA --dport $PORTATS -j DNAT --to 192.168.0.230
#---------------------------------------------------------------------
# Liberar ping (ICMP)
$IPTABLES -A INPUT -p icmp --icmp-type 0 -m limit --limit 2/s -j ACCEPT
$IPTABLES -A INPUT -p icmp --icmp-type 3 -m limit --limit 2/s -j ACCEPT
$IPTABLES -A INPUT -p icmp --icmp-type 5 -m limit --limit 2/s -j ACCEPT
$IPTABLES -A INPUT -p icmp --icmp-type 8 -m limit --limit 2/s -j ACCEPT
$IPTABLES -A INPUT -p icmp --icmp-type 11 -m limit --limit 2/s -j ACCEPT
$IPTABLES -A INPUT -p icmp --icmp-type 12 -m limit --limit 2/s -j ACCEPT
$IPTABLES -A FORWARD -p icmp --icmp-type 0 -m limit --limit 2/s -j ACCEPT
$IPTABLES -A FORWARD -p icmp --icmp-type 3 -m limit --limit 2/s -j ACCEPT
$IPTABLES -A FORWARD -p icmp --icmp-type 5 -m limit --limit 2/s -j ACCEPT
$IPTABLES -A FORWARD -p icmp --icmp-type 8 -m limit --limit 2/s -j ACCEPT
$IPTABLES -A FORWARD -p icmp --icmp-type 11 -m limit --limit 2/s -j ACCEPT
$IPTABLES -A FORWARD -p icmp --icmp-type 12 -m limit --limit 2/s -j ACCEPT
#---------------------------------------------------------------------
# Negar Ident
$IPTABLES -A INPUT -p tcp --dport 113 -j REJECT --reject-with tcp-reset
$IPTABLES -A FORWARD -p tcp --dport 113 -j REJECT --reject-with tcp-reset
#---------------------------------------------------------------------
# Reset em conexoes para portas desconhecidas
$IPTABLES -A INPUT -p tcp -j REJECT --reject-with tcp-reset
#---------------------------------------------------------------------
# Proxy transparente
$IPTABLES -A PREROUTING -t nat -p tcp -s $REDELOCAL -d $IPLOCAL -j RETURN
$IPTABLES -A PREROUTING -t nat -p tcp -s $REDELOCAL -d $REDELOCAL -j RETURN
$IPTABLES -A PREROUTING -t nat -p tcp -s $REDELOCAL --dport $PORTAHTTP -j REDIRECT --to-port $PORTAPROXY
#---------------------------------------------------------------------
# Habilitando MASQUERADE da rede interna
$IPTABLES -A POSTROUTING -t nat -s $REDELOCAL -j MASQUERADE
#---------------------------------------------------------------------
#---------------------------------------------------------------------
# CARREGANDO CONTROLE DE BANDA
#---------------------------------------------------------------------
# Remove qdisk htb associada
#$TC qdisc del dev $IFEXTERNA root
#---------------------------------------------------------------------
# Define classe htb padrão (default)
#$TC qdisc add dev $IFEXTERNA root handle 1: htb default 20
#---------------------------------------------------------------------
# Cria classe htb raiz
#VEL="800"
#$TC class add dev $IFEXTERNA parent 1: classid 1:1 htb rate ${VEL}kbit
#---------------------------------------------------------------------
# Cria classes htb filhas para controle de banda
#$TC class add dev $IFEXTERNA parent 1:1 classid 1:10 htb rate 32kbit ceil 32kbit
#$TC class add dev $IFEXTERNA parent 1:1 classid 1:20 htb rate ${VEL}kbit ceil ${VEL}kbit
#---------------------------------------------------------------------
# Cria manipuladores sfq para as classes htb
#$TC qdisc add dev eth0 parent 1:10 handle 10: sfq perturb 10
#$TC qdisc add dev eth0 parent 1:20 handle 20: sfq perturb 10
#---------------------------------------------------------------------
# Cria variável "U32" para utilizacao do filtro u32 do htb
# A prioridade (prio) varia de 0 a 15. 0 (zero) e a maior a prioridade.
#U32="$TC filter add dev $IFEXTERNA parent 1:0 protocol ip prio 1 u32 "
#---------------------------------------------------------------------
# Define como o tráfego será direcionado para cada classe htb criada
#$U32 match ip sport 21 0xffff flowid 1:20
#$U32 match ip sport 22 0xffff flowid 1:20
#$U32 match ip sport 25 0xffff flowid 1:20
#$U32 match ip sport 53 0xffff flowid 1:20
#$U32 match ip sport 80 0xffff flowid 1:20
#$U32 match ip sport 110 0xffff flowid 1:20
#$U32 match ip sport 143 0xffff flowid 1:20
#$U32 match ip sport 22000 0xffff flowid 1:20
#$U32 match ip sport 3128 0xffff flowid 1:20
#$U32 match ip sport 3389 0xffff flowid 1:20
#$U32 match ip sport 5900 0xffff flowid 1:20
#$U32 match ip sport 5902 0xffff flowid 1:20
#$U32 match ip sport 8080 0xffff flowid 1:20
#$U32 match ip sport 22000 0xffff flowid 1:20
#$U32 match ip src 10.0.9.0/24 match ip dst 0.0.0.0/0 flowid 1:30
#$U32 match ip src 10.0.9.3/32 match ip dport 80 0xffff flowid 1:50
#---------------------------------------------------------------------
;;
nat)
#---------------------------------------------------------------------
# Habilitando MASQUERADE da rede interna
$IPTABLES -t nat -A POSTROUTING -s $REDELOCAL -j MASQUERADE
#---------------------------------------------------------------------
;;
stop)
#---------------------------------------------------------------------
exit 0
#---------------------------------------------------------------------
;;
*)
#echo "Use: ./rc.firewall {start|stop|nat}"
/etc/init.d/rc.firewall start
;;
esac