#!/bin/bash
# Firewall desenvolvido por William da Rocha Lima
# qualquer dúvida envie e-mail para [email protected]
# Sobre a Licença GPL
# Data: 22/02/2006
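# ---------------------------------------------------------------------------
# Programs
# ---------------------------------------------------------------------------
IPT=/sbin/iptables
MODP=/sbin/modprobe

# ---------------------------------------------------------------------------
# Network configuration
# ---------------------------------------------------------------------------
IFWAN=eth0               # Internet-facing interface
IFLAN=eth1               # LAN-facing interface
IPWAN=200.X.123.X        # public address on $IFWAN (placeholder in the original - fill in)
LAN=192.168.5.0/24       # internal network behind $IFLAN
IFINT=192.168.5.0/24     # legacy alias of $LAN; nothing below references it
ANY=0/0

# Terminal Services (RDP) host, published on $IPWAN:3389 (see PUBLISHED_TCP).
SERVER=192.168.5.43

# LAN hosts allowed to reach the Internet on any port/protocol.
# NOTE(review): this is an IP-only allow list, so any LAN host can claim one of
# these addresses. ipt_mac is loaded below but never used; a
# `-m mac --mac-source` match would bind each address to a hardware address.
IPS_ALLOW="192.168.5.1 192.168.5.2 192.168.5.43 192.168.5.56 192.168.5.196 192.168.5.63"

# Ports the firewall itself accepts (INPUT chain, TCP/UDP).
# Every NEW connection arriving on $IFLAN is accepted further down, so in
# practice this list is the firewall's Internet-facing surface: 22 (SSH),
# 20/21 (FTP), 80, 3389/3390 (RDP), 1723 (PPTP) and the custom ports are
# reachable from anywhere. Review whether each one really needs to be public.
INPUT_TCP="53 22 80 9022 20 21 3456 3389 3390 1723"
INPUT_UDP="53 67 80"

# Destination ports LAN hosts may reach on the Internet (FORWARD chain).
# "47" was removed from both lists: it is not a TCP/UDP port. PPTP's carrier
# is GRE, IP protocol 47, which is allowed with an explicit `-p gre` rule below.
FORWARD_TCP="20 22 21 25 53 80 110 143 1723 1863 3422 3456 3389 3390 3391 3392 3393 443 9022 9023 5800 5900"
FORWARD_UDP="20 22 21 25 53 80 110 143 1723 1863 3456"

# Services published on $IPWAN, as "port:lanhost" (same port on both sides).
# One list drives both the DNAT rule and the matching FORWARD accept, so the
# two cannot drift apart (9009 had a DNAT but no FORWARD rule in the original;
# it only worked because the FORWARD policy had been left at ACCEPT).
# Port 80 was DNATed twice (to .2 and then .1); only the first rule can ever
# match, so .2 is kept and the dead rule dropped.
PUBLISHED_TCP="3389:$SERVER 9009:192.168.5.196 21:192.168.5.1 20:192.168.5.1 80:192.168.5.2"

# ---------------------------------------------------------------------------
# Kernel modules
# ---------------------------------------------------------------------------
# ipt_limit is required by the rate-limited LOG rules at the end. A missing
# module is not fatal here (modprobe just complains and the script goes on).
# NOTE(review): PPTP clients behind NAT normally also need the pptp/gre
# conntrack+nat helpers for this kernel family - verify on the target box.
for module in ip_tables ipt_REDIRECT ipt_MASQUERADE ipt_MARK ipt_REJECT \
  ipt_TOS ipt_LOG ipt_limit iptable_mangle iptable_filter iptable_nat ip_nat_ftp \
  ip_conntrack ip_conntrack_ftp ip_conntrack_irc \
  ip_nat_irc ipt_mac ipt_state ipt_mark; do
  "$MODP" "$module"
done

# ---------------------------------------------------------------------------
# Kernel hardening (ICMP echo, source validation)
# ---------------------------------------------------------------------------
# icmp_echo_ignore_all only makes the firewall itself ignore ping; forwarded
# traffic is unaffected.
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_all
# rp_filter is written to every interface entry, not just conf/all: on older
# kernels the per-interface value is ANDed with conf/all, so conf/all alone
# does not enable source validation (newer kernels take the max, which is
# still satisfied).
for rp in /proc/sys/net/ipv4/conf/*/rp_filter; do
  echo 1 > "$rp"
done

# ---------------------------------------------------------------------------
# Rules
# ---------------------------------------------------------------------------
echo -n "Iniciando o Firewall "
# Fail closed first. Policies survive -F, so nothing is let through while the
# rule set is being rebuilt, and anything not explicitly accepted below stays
# dropped. The original never set a policy: the trailing drops only covered
# WAN->INPUT and LAN->FORWARD, and return traffic in FORWARD was accepted by
# the kernel's default ACCEPT policy rather than by any rule.
"$IPT" -P INPUT DROP
"$IPT" -P FORWARD DROP
"$IPT" -P OUTPUT ACCEPT

echo -n "Limpando as Regras "
# mangle was never flushed before, so each re-run appended duplicate TOS rules.
for table in filter nat mangle; do
  "$IPT" -t "$table" -F
  "$IPT" -t "$table" -X
  "$IPT" -t "$table" -Z
done

echo -n "Ativando Compartilhamento "
"$IPT" -t nat -A POSTROUTING -s "$LAN" -d "$ANY" -o "$IFWAN" -j MASQUERADE

echo -n "Configurando Chain INPUT"
"$IPT" -A INPUT -i lo -j ACCEPT
"$IPT" -A OUTPUT -o lo -j ACCEPT
# Anything from the LAN may open connections to the firewall (needed at least
# for the transparent proxy on 3128, DNS and DHCP). -s $LAN additionally
# refuses packets that arrive on $IFLAN carrying a foreign source address;
# DHCP DISCOVER (source 0.0.0.0) is still accepted by the udp/67 rule below.
"$IPT" -A INPUT -i "$IFLAN" -s "$LAN" -m state --state NEW -j ACCEPT
"$IPT" -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
for port in $INPUT_TCP; do
  "$IPT" -A INPUT -p tcp --dport "$port" -j ACCEPT
done
for port in $INPUT_UDP; do
  "$IPT" -A INPUT -p udp --dport "$port" -j ACCEPT
done
# 1723/tcp in INPUT_TCP implies the firewall terminates PPTP itself; the
# tunnel payload travels over GRE, which has no port and needs its own rule.
"$IPT" -A INPUT -p gre -j ACCEPT

echo -n "Configurando Chain FORWARD"
# Author's choice kept: drop ICMP time-exceeded so traceroute through the
# firewall fails. Placed before the state rule, otherwise RELATED would accept it.
"$IPT" -A FORWARD -p icmp --icmp-type time-exceeded -j DROP
# Replies and helper-tracked connections (FTP data, etc.). Mandatory now that
# the chain policy is DROP.
"$IPT" -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
# LAN -> Internet by destination port. Direction is pinned with -i/-o so the
# same ports are not implicitly open from the Internet towards LAN hosts.
for port in $FORWARD_TCP; do
  "$IPT" -A FORWARD -i "$IFLAN" -o "$IFWAN" -p tcp --dport "$port" -j ACCEPT
done
for port in $FORWARD_UDP; do
  "$IPT" -A FORWARD -i "$IFLAN" -o "$IFWAN" -p udp --dport "$port" -j ACCEPT
done
# GRE carrier for PPTP (1723/tcp above only sets the tunnel up).
"$IPT" -A FORWARD -i "$IFLAN" -o "$IFWAN" -p gre -j ACCEPT
# Hosts allowed out on any port/protocol.
for host in $IPS_ALLOW; do
  "$IPT" -A FORWARD -i "$IFLAN" -o "$IFWAN" -s "$host" -j ACCEPT
done
# Internet -> published LAN services. FORWARD runs after nat PREROUTING, so
# the destination seen here is already the LAN host.
for entry in $PUBLISHED_TCP; do
  port=${entry%%:*}
  host=${entry#*:}
  "$IPT" -A FORWARD -i "$IFWAN" -o "$IFLAN" -d "$host" -p tcp --dport "$port" -j ACCEPT
done

echo -n "Configurando Prioridades de Pacotes"
# TOS is a non-terminating target: the packet keeps traversing the chain after
# it is set. The original reset everything to 0x00 *after* setting 0x10, so
# the prioritization never survived; the reset now comes first.
# mangle OUTPUT also only sees the firewall's own packets, so the per-host
# rules for forwarded LAN traffic have to live in POSTROUTING (before nat
# POSTROUTING masquerades the source, so -s still matches the LAN address).
"$IPT" -t mangle -A PREROUTING -i "$IFLAN" -j TOS --set-tos 0x00
"$IPT" -t mangle -A POSTROUTING -o "$IFWAN" -j TOS --set-tos 0x00
# Minimize-Delay (0x10) for the allowed hosts and for RDP in both directions.
for host in $IPS_ALLOW; do
  "$IPT" -t mangle -A POSTROUTING -o "$IFWAN" -s "$host" -p tcp -j TOS --set-tos 0x10
  "$IPT" -t mangle -A POSTROUTING -o "$IFWAN" -s "$host" -p udp -j TOS --set-tos 0x10
done
"$IPT" -t mangle -A POSTROUTING -o "$IFWAN" -p tcp --dport 3389:3390 -j TOS --set-tos 0x10
"$IPT" -t mangle -A PREROUTING -i "$IFLAN" -p tcp --sport 3389:3390 -j TOS --set-tos 0x10

echo -n "Configurando Redirecionamento de Portas"
# Transparent proxy: LAN web traffic is redirected to the local proxy on 3128
# (reachable because LAN->firewall NEW connections are accepted above).
"$IPT" -t nat -A PREROUTING -i "$IFLAN" -p tcp --dport 80 -j REDIRECT --to-port 3128
# Published services: one DNAT per PUBLISHED_TCP entry.
for entry in $PUBLISHED_TCP; do
  port=${entry%%:*}
  host=${entry#*:}
  "$IPT" -t nat -A PREROUTING -d "$IPWAN" -p tcp --dport "$port" -j DNAT --to-destination "$host"
done

echo -n "Ativando Segurança"
# Rate-limited visibility into what the DROP policies discard. ipt_LOG was
# loaded by the original but never used.
"$IPT" -A INPUT -i "$IFWAN" -m limit --limit 5/min --limit-burst 10 -j LOG --log-prefix "FW INPUT DROP: "
"$IPT" -A FORWARD -m limit --limit 5/min --limit-burst 10 -j LOG --log-prefix "FW FORWARD DROP: "
# Kept from the original: the firewall itself also drops stray time-exceeded
# messages (RELATED ones were already accepted above, as before).
"$IPT" -A INPUT -p icmp --icmp-type time-exceeded -j DROP
# Explicit final drops. Redundant with the chain policies, kept so the intent
# is visible in `iptables -L`. The FORWARD drop is no longer limited to
# `-s $LAN`: that qualifier was the gap that let unmatched WAN-side traffic
# fall through to the default ACCEPT policy.
"$IPT" -A INPUT -i "$IFWAN" -j DROP
"$IPT" -A FORWARD -j DROP

# Forwarding is switched on last, once the complete rule set is loaded. The
# original enabled it before building the rules, leaving a window with
# forwarding on and no filtering.
echo 1 > /proc/sys/net/ipv4/ip_forward
echo " [ OK ]"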