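#!/usr/bin/env bash
#
# PPPoE gateway firewall.
#
# Brings up the PPPoE link, resets iptables, sets DROP defaults on INPUT and
# FORWARD, rate-limits ping / new TCP / SSH on the WAN link, opens the TCP
# ports listed in $PORTSLIB, forwards only registered LAN clients (IP + MAC),
# masquerades the LAN on the WAN interface and sends LAN HTTP through a
# local Squid.
#
# Environment:
#   PORTSLIB  (required) file of TCP ports (or low:high ranges), whitespace
#             separated; text after '#' is ignored.
#   WAN_IF, LAN_IF, LAN_NET, SSH_PORT  optional overrides of the defaults below.
#
# Must run as root. iptables is first-match, so the order of the calls in
# main() is significant: limits and scan drops come before any ACCEPT.
set -euo pipefail

readonly wan_if=${WAN_IF:-ppp0}
readonly lan_if=${LAN_IF:-eth0}
readonly lan_net=${LAN_NET:-172.16.100.0/24}
readonly ssh_port=${SSH_PORT:-22}
readonly squid_port=3128

die() { printf '%s\n' "$*" >&2; exit 1; }

#######################################
# Bring up the PPPoE link. Both stdout and stderr are discarded
# (">/dev/null 2>&1", the portable spelling of bash's "&>"). A failure is
# only reported so that the firewall rules are still installed.
#######################################
start_pppoe() {
  if ! pppoe-start >/dev/null 2>&1; then
    printf 'warn: pppoe-start failed, installing rules anyway\n' >&2
  fi
}

#######################################
# Flush every rule and delete every user chain in the filter and nat tables,
# then set the default policies (INPUT/FORWARD closed, OUTPUT open).
#######################################
reset_tables() {
  local table
  for table in filter nat; do
    iptables -t "$table" -F
    iptables -t "$table" -X
  done
  iptables -P INPUT DROP
  iptables -P OUTPUT ACCEPT
  iptables -P FORWARD DROP
}

#######################################
# Kernel knobs: enable routing between interfaces and SYN cookies, and keep
# answering echo requests (the PING-MORTE chain rate-limits them instead).
#######################################
tune_kernel() {
  echo 1 > /proc/sys/net/ipv4/ip_forward
  # 1 enables SYN cookies; the original wrote 0 under its "block SYN flood"
  # heading, which switches the protection off.
  echo 1 > /proc/sys/net/ipv4/tcp_syncookies
  # 0 = answer pings; 1 would silently ignore all of them.
  echo 0 > /proc/sys/net/ipv4/icmp_echo_ignore_all
}

#######################################
# Traffic that is always allowed: loopback and packets belonging to (or
# related to) connections already tracked, on INPUT and FORWARD.
#######################################
allow_basics() {
  iptables -A INPUT -i lo -j ACCEPT
  iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
  iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
}

#######################################
# Rate-limit chains: each RETURNs while under 1/s (burst 4) and DROPs the
# excess. They are appended before the ACCEPT rules so that they actually see
# the traffic; in the original order they sat after the port ACCEPTs and so
# never matched allowed ports. 1/s applies to every new WAN connection and
# may need raising for a busy service.
#######################################
limit_chains() {
  # Echo requests.
  iptables -N PING-MORTE
  iptables -A PING-MORTE -m limit --limit 1/s --limit-burst 4 -j RETURN
  iptables -A PING-MORTE -j DROP
  iptables -A INPUT -p icmp --icmp-type echo-request -j PING-MORTE

  # New TCP connections arriving on the WAN link.
  iptables -N syn-flood
  iptables -A syn-flood -m limit --limit 1/s --limit-burst 4 -j RETURN
  iptables -A syn-flood -j DROP
  iptables -A INPUT -i "$wan_if" -p tcp --syn -j syn-flood

  # New SSH connections from the WAN. The original limited port 2354 while
  # SSH was allowed on 22, so the limit never applied; both now use
  # $ssh_port.
  iptables -N SSH-BRUT-FORCE
  iptables -A SSH-BRUT-FORCE -m limit --limit 1/s --limit-burst 4 -j RETURN
  iptables -A SSH-BRUT-FORCE -j DROP
  iptables -A INPUT -i "$wan_if" -p tcp --syn --dport "$ssh_port" \
    -j SSH-BRUT-FORCE
}

#######################################
# Drop malformed packets, port-scan flag signatures and traceroute probes on
# INPUT, and an impossible flag combination on FORWARD.
#######################################
drop_scans() {
  # Connection-tracking INVALID stands in for "-m unclean", which is not
  # available on current kernels and would make the script abort here.
  iptables -A INPUT -m state --state INVALID -j DROP
  iptables -A INPUT -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP
  iptables -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
  iptables -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
  iptables -A INPUT -p tcp --tcp-option 64 -j DROP
  iptables -A INPUT -p tcp --tcp-option 128 -j DROP
  # UDP port range used by traceroute probes, from the WAN only.
  iptables -A INPUT -i "$wan_if" -p udp --dport 33435:33525 -j DROP
  # "Stealth scan" flag combination on forwarded traffic. The original rule
  # had trailing commas (rejected by iptables) and ACCEPTed these packets at
  # 1/s, contradicting its "block" heading; SYN+FIN+ACK together is never a
  # valid segment, so it is dropped.
  iptables -A FORWARD -p tcp --tcp-flags SYN,ACK,FIN,RST FIN,ACK,SYN -j DROP
}

#######################################
# Open every TCP port listed in $PORTSLIB on INPUT and FORWARD, and let
# replies from those ports out (OUTPUT policy is ACCEPT already; kept for
# parity with the original).
# Globals:   PORTSLIB (read)
# Returns:   exits via die on a missing file or an unparsable entry
#######################################
allow_ports() {
  : "${PORTSLIB:?PORTSLIB must name the port list file}"
  [[ -r "$PORTSLIB" ]] || die "cannot read port list: $PORTSLIB"
  local -a ports=()
  local port
  # Whitespace-separated like the original `cat` loop; the `||` arm keeps
  # a last line that lacks a trailing newline.
  while read -r -a ports || (( ${#ports[@]} )); do
    (( ${#ports[@]} )) || continue
    for port in "${ports[@]}"; do
      [[ "$port" != \#* ]] || break   # rest of the line is a comment
      [[ "$port" =~ ^[0-9]+(:[0-9]+)?$ ]] \
        || die "bad port in $PORTSLIB: $port"
      iptables -A INPUT -p tcp --dport "$port" -j ACCEPT
      iptables -A FORWARD -p tcp --dport "$port" -j ACCEPT
      iptables -A OUTPUT -p tcp --sport "$port" -j ACCEPT
    done
  done < "$PORTSLIB"
}

#######################################
# SSH from the WAN to this box (rate-limited by SSH-BRUT-FORCE above).
#######################################
allow_ssh() {
  iptables -A INPUT -i "$wan_if" -p tcp --dport "$ssh_port" -j ACCEPT
  # Forwarding SSH from the WAN only matters if a LAN host must accept SSH
  # from the Internet, and that also needs a DNAT rule in nat/PREROUTING,
  # which this script does not create — TODO confirm this rule is wanted.
  iptables -A FORWARD -i "$wan_if" -p tcp --dport "$ssh_port" -j ACCEPT
}

#######################################
# Register a LAN client: allowed through the gateway and to the gateway only
# from this IP/MAC pair. The MAC check is a convenience, not authentication.
# Arguments: $1 - client IPv4 address
#            $2 - client MAC address
#######################################
allow_client() {
  local ip=$1 mac=$2
  iptables -A FORWARD -s "$ip" -m mac --mac-source "$mac" -j ACCEPT
  iptables -A INPUT -s "$ip" -m mac --mac-source "$mac" -j ACCEPT
}

#######################################
# Masquerade the LAN on the WAN interface only (without "-o" the original
# masqueraded on every interface), start Squid and redirect LAN HTTP to it.
#######################################
setup_nat_and_proxy() {
  iptables -t nat -A POSTROUTING -s "$lan_net" -o "$wan_if" -j MASQUERADE
  # "-D" skips the start-up DNS test on Squid 2.x; later releases dropped the
  # flag — TODO confirm against the installed version.
  squid -D
  iptables -t nat -A PREROUTING -i "$lan_if" -p tcp --dport 80 \
    -j REDIRECT --to-port "$squid_port"
}

main() {
  (( EUID == 0 )) || die "must run as root"
  start_pppoe
  reset_tables
  tune_kernel
  allow_basics
  limit_chains
  drop_scans
  allow_ports
  allow_ssh
  allow_client 172.16.100.2 00:15:e9:b4:6d:0a   # Jeferson's machine
  setup_nat_and_proxy
}

main "$@"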