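#!/bin/sh
#
# Stateful firewall / NAT gateway built on iptables.
#
# Layout of the rule set:
#   - filter/INPUT arriving on the Internet interface is handed to the user
#     chain ENTRADANET; filter/OUTPUT leaving on it goes to SAIDANET.
#   - TCPPERMITIDO rate-limits new connections on the opened TCP ports.
#   - LDROP logs (rate-limited) and drops; TREJECT rejects with a TCP reset or
#     an ICMP port-unreachable.  $DROP selects which of the two is used.
#   - filter/FORWARD defaults to DROP: only the hosts in $FORWARD_HOSTS may
#     leave the LAN, replies are accepted statefully, and LAN traffic leaving
#     on $INET_INT is masqueraded.
#
# Must run as root.  Like the original, a failing iptables command is reported
# on stderr but does not abort the script (no `set -e`), so a typo in one rule
# does not leave the box with flushed chains and nothing else.
set -u

#---------------------------------
# Basic configuration
#---------------------------------
IPTABLES=$(command -v iptables)
if [ -z "$IPTABLES" ]; then
  printf '%s: iptables not found in PATH\n' "${0##*/}" >&2
  exit 1
fi

# TCP / UDP ports opened on the Internet interface (space separated).
# A port range in iptables syntax, e.g. 1024:65535, is also accepted.
PERMITIR_TCP="21 20 22 80"
PERMITIR_UDP="53 5100"
INET_INT="eth0"
LAN_INT="eth1"
INTERNAL_LAN="192.168.0.0/24"
MASQ_LAN="192.168.0.0/24"
# LAN hosts allowed to reach the Internet through filter/FORWARD.
FORWARD_HOSTS="192.168.0.50 192.168.0.51 192.168.0.52"
#---------------------------------
# DROP: use "LDROP" to log what is dropped
#---------------------------------
DROP="TREJECT"
#DROP="LDROP"
#---------------------------------
# Tcp Forward: Pserv:Pestacao>Ip
#---------------------------------
# NOTE(review): declared but not consumed — no DNAT rule is generated from
# it, so nothing is forwarded to 192.168.0.203 by this script.
# shellcheck disable=SC2034
TCPFORWARD="8888:8888>192.168.0.203"
#UDPFORWARD="4672:4672>192.168.0.254 6346:6346>192.168.0.254 6666:6666>192.168.0.254"
#---------------------------------
# User chains created by this script
#---------------------------------
REGRAS="ENTRADANET SAIDANET TCPPERMITIDO LDROP TREJECT"

#######################################
# Load connection tracking and the FTP helper (plus its NAT counterpart).
# The ip_* names are the pre-2.6.20 module names the original script used;
# fall back to the nf_* names on newer kernels.
#######################################
load_modules() {
  modprobe ip_conntrack 2>/dev/null || modprobe nf_conntrack
  modprobe ip_conntrack_ftp 2>/dev/null || modprobe nf_conntrack_ftp
  modprobe ip_nat_ftp 2>/dev/null || modprobe nf_nat_ftp
}

#######################################
# Enable TCP syncookies when the kernel offers them.
#######################################
enable_syncookies() {
  if [ -e /proc/sys/net/ipv4/tcp_syncookies ]; then
    echo 1 > /proc/sys/net/ipv4/tcp_syncookies
  fi
}

#######################################
# Turn on IPv4 forwarding.  Called last, once FORWARD has its DROP policy
# and its rules, so forwarding is never enabled against an empty table.
#######################################
enable_forwarding() {
  echo 1 > /proc/sys/net/ipv4/ip_forward
}

#######################################
# Set default policies, flush every table and recreate the user chains.
# FORWARD is set to DROP before flushing so the window while the rules
# are rebuilt is closed rather than open.
# Globals: IPTABLES, REGRAS
#######################################
reset_rules() {
  "$IPTABLES" -t filter -P INPUT ACCEPT
  "$IPTABLES" -t filter -P OUTPUT ACCEPT
  "$IPTABLES" -t filter -P FORWARD DROP

  "$IPTABLES" -t filter -F INPUT
  "$IPTABLES" -t filter -F OUTPUT
  "$IPTABLES" -t filter -F FORWARD
  "$IPTABLES" -t nat -F PREROUTING
  "$IPTABLES" -t nat -F OUTPUT
  "$IPTABLES" -t nat -F POSTROUTING
  "$IPTABLES" -t mangle -F PREROUTING
  "$IPTABLES" -t mangle -F OUTPUT

  # Flush all user chains first so none of them still references another
  # when it is deleted; -F/-X fail harmlessly on the first run.
  for chain in $REGRAS; do
    "$IPTABLES" -t filter -F "$chain" > /dev/null 2>&1
  done
  for chain in $REGRAS; do
    "$IPTABLES" -t filter -X "$chain" > /dev/null 2>&1
    "$IPTABLES" -t filter -N "$chain"
  done
}

#######################################
# LAN -> Internet forwarding and masquerading.
# Globals: IPTABLES, LAN_INT, INET_INT, FORWARD_HOSTS, INTERNAL_LAN, MASQ_LAN
#######################################
setup_forward() {
  # -i $LAN_INT keeps a packet arriving on the Internet side with a spoofed
  # LAN source address from matching the per-host accept rules.
  for host in $FORWARD_HOSTS; do
    "$IPTABLES" -t filter -A FORWARD -i "$LAN_INT" -s "$host" -j ACCEPT
  done
  for subnet in $INTERNAL_LAN; do
    #"$IPTABLES" -t filter -A FORWARD -s "$subnet" -j ACCEPT
    "$IPTABLES" -t filter -A FORWARD -d "$subnet" -m state --state ESTABLISHED,RELATED -j ACCEPT
  done
  # Only the configured LAN ranges are masqueraded, and only on the
  # Internet interface (the original hard-coded eth0 and ignored MASQ_LAN).
  for subnet in $MASQ_LAN; do
    "$IPTABLES" -t nat -A POSTROUTING -s "$subnet" -o "$INET_INT" -j MASQUERADE
  done
}

#######################################
# LDROP: rate-limited LOG then DROP.  TREJECT: REJECT with a TCP reset for
# TCP and ICMP port-unreachable for everything else.
# Globals: IPTABLES
#######################################
setup_drop_chains() {
  "$IPTABLES" -t filter -A LDROP -p tcp -m limit --limit 2/s -j LOG --log-level info --log-prefix "TCP Dropped "
  "$IPTABLES" -t filter -A LDROP -p udp -m limit --limit 2/s -j LOG --log-level info --log-prefix "UDP Dropped "
  "$IPTABLES" -t filter -A LDROP -p icmp -m limit --limit 2/s -j LOG --log-level info --log-prefix "ICMP Dropped "
  "$IPTABLES" -t filter -A LDROP -f -m limit --limit 2/s -j LOG --log-level warning --log-prefix "FRAGMENT Dropped "
  "$IPTABLES" -t filter -A LDROP -j DROP
  "$IPTABLES" -t filter -A TREJECT -p tcp -j REJECT --reject-with tcp-reset
  "$IPTABLES" -t filter -A TREJECT ! -p tcp -j REJECT --reject-with icmp-port-unreachable
  # Not reachable after the two rules above; kept as a safety net.
  "$IPTABLES" -t filter -A TREJECT -j REJECT
}

#######################################
# TCPPERMITIDO: SYN-flood protection for the opened TCP ports.
# SYNs above 4/s match neither of the first two rules and fall through
# to the LOG and $DROP rules.
# Globals: IPTABLES, DROP
#######################################
setup_tcp_chain() {
  "$IPTABLES" -t filter -A TCPPERMITIDO -p tcp --syn -m limit --limit 4/s -j ACCEPT
  "$IPTABLES" -t filter -A TCPPERMITIDO -p tcp ! --syn -j ACCEPT
  "$IPTABLES" -t filter -A TCPPERMITIDO -m limit --limit 2/s -j LOG --log-prefix "Mismatch in TCP"
  "$IPTABLES" -t filter -A TCPPERMITIDO -j "$DROP"
}

#######################################
# ENTRADANET: everything arriving from the Internet interface.
# SAIDANET: everything leaving on it (accepted unconditionally).
# Globals: IPTABLES, DROP, PERMITIR_TCP, PERMITIR_UDP
#######################################
setup_inet_chains() {
  # Packets with invalid flags / no conntrack entry.
  "$IPTABLES" -t filter -A ENTRADANET -m state --state INVALID -j "$DROP"
  # Ping flood: echo-requests above 1/s fall through to the final $DROP.
  "$IPTABLES" -t filter -A ENTRADANET -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT
  # NOTE(review): every other ICMP type is accepted unconditionally here;
  # the RELATED rule below already covers ICMP errors for tracked flows.
  "$IPTABLES" -t filter -A ENTRADANET -p icmp ! --icmp-type echo-request -j ACCEPT
  # Opened TCP ports go through the SYN-flood chain.
  for port in $PERMITIR_TCP; do
    "$IPTABLES" -t filter -A ENTRADANET -p tcp --dport "$port" -j TCPPERMITIDO
  done
  for port in $PERMITIR_UDP; do
    "$IPTABLES" -t filter -A ENTRADANET -p udp --dport "$port" -j ACCEPT
  done
  # Replies to our own connections.  RELATED is needed for the FTP data
  # channel set up by the ftp helper (active mode: server port 20 -> us),
  # which the explicit FTP rules below do not cover.
  "$IPTABLES" -t filter -A ENTRADANET -m state --state ESTABLISHED,RELATED -j ACCEPT
  # Passive FTP.  The middle rule used to accept NEW as well, which let any
  # remote host reach every port >= 1024 simply by sending from source
  # port 21; only ESTABLISHED is accepted there now.
  "$IPTABLES" -t filter -A ENTRADANET -p tcp --sport 1024:65535 --dport 21 -m state --state NEW,ESTABLISHED -j ACCEPT
  "$IPTABLES" -t filter -A ENTRADANET -p tcp --sport 21 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
  "$IPTABLES" -t filter -A ENTRADANET -p tcp --sport 1024:65535 --dport 1024:65535 -m state --state RELATED,ESTABLISHED -j ACCEPT
  # Default rules.
  "$IPTABLES" -t filter -A ENTRADANET -j "$DROP"
  "$IPTABLES" -t filter -A SAIDANET -j ACCEPT
}

#######################################
# Hook the populated user chains into INPUT / OUTPUT.  Done after the
# chains are filled: an empty ENTRADANET would return to INPUT, whose
# policy is ACCEPT.
# Globals: IPTABLES, INET_INT
#######################################
setup_hooks() {
  "$IPTABLES" -t filter -A INPUT -i "$INET_INT" -j ENTRADANET
  "$IPTABLES" -t filter -A OUTPUT -o "$INET_INT" -j SAIDANET
}

#######################################
# TOS marking for interactive traffic (minimize-delay) and FTP data
# (maximize-throughput).
# Globals: IPTABLES
#######################################
setup_tos() {
  "$IPTABLES" -t mangle -A OUTPUT -p tcp --dport 23 -j TOS --set-tos 0x10
  "$IPTABLES" -t mangle -A OUTPUT -p tcp --dport 22 -j TOS --set-tos 0x10
  "$IPTABLES" -t mangle -A OUTPUT -p tcp --dport 21 -j TOS --set-tos 0x10
  "$IPTABLES" -t mangle -A OUTPUT -p tcp --dport 20 -j TOS --set-tos 0x02
}

main() {
  load_modules
  enable_syncookies
  reset_rules
  setup_forward
  setup_drop_chains
  setup_tcp_chain
  setup_inet_chains
  setup_hooks
  setup_tos
  enable_forwarding
}

main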