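#!/bin/bash
# Stateful iptables firewall / NAT gateway for a small LAN.
#
# Topology encoded in the rules below (unchanged from the original rule set):
#   - ppp0 : WAN, PPP uplink to the Internet
#   - eth1 : LAN, 192.168.0.0/24
# The host may query two fixed resolvers and open HTTP/HTTPS connections on the
# WAN; SSH to the host is accepted from both interfaces; the LAN may only send
# DNS queries to the two resolvers (masqueraded behind the WAN address).
# Every chain ends in LOG + DROP so rejected traffic shows up in the kernel log.
#
# Must run as root. The script fails closed: default policies are set to DROP
# before any ACCEPT rule is added and `set -e` stops at the first iptables
# error, so an aborted run leaves the box locked down rather than open - when
# applying remotely, have console access or a scheduled rollback at hand.

set -eu

#### Variables.
# Interface names and the LAN prefix can be overridden from the environment,
# e.g.  WAN_IF=ppp1 LAN_IF=eth0 ./firewall.sh ; the defaults reproduce the
# original hard-coded values.
readonly iptables="/sbin/iptables"
readonly wan="${WAN_IF:-ppp0}"
readonly lan="${LAN_IF:-eth1}"
readonly rlocal="${LAN_NET:-192.168.0.0/24}"
readonly DNS1=200.149.55.140
readonly DNS2=200.165.132.147
# The original also computed the WAN address with `ifconfig ppp0 | grep | awk`
# but never referenced it, so that lookup is dropped here.

#######################################
# Load the netfilter modules the rule set relies on.
# Best effort: module names changed across kernel versions (ip_conntrack became
# nf_conntrack, etc.) and most of them are built in on current kernels, so a
# missing module only produces a warning instead of aborting the script.
#######################################
load_modules() {
  local mod
  for mod in iptable_filter iptable_nat ip_tables ip_conntrack ip_conntrack_ftp \
             ip_nat_ftp ipt_MASQUERADE ipt_LOG; do
    modprobe "$mod" || printf 'warning: could not load module %s\n' "$mod" >&2
  done
}

#######################################
# Flush all rules, delete user-defined chains and zero the counters in the
# filter, nat and mangle tables.
# -F must run before -X: a user chain that is still referenced by a rule cannot
# be deleted (the original ran -X first).
#######################################
flush_tables() {
  local table
  for table in filter nat mangle; do
    "$iptables" -t "$table" -F
    "$iptables" -t "$table" -X
    "$iptables" -t "$table" -Z
  done
}

#######################################
# Default policies: drop everything that is not explicitly accepted.
#######################################
set_policies() {
  "$iptables" -P INPUT DROP
  "$iptables" -P OUTPUT DROP
  "$iptables" -P FORWARD DROP
  # NOTE(review): the nat table only sees the first packet of a connection, so
  # DROP policies and DROP rules in it only ever reject NEW connections; the
  # filter table is the real enforcement point. Kept as in the original.
  "$iptables" -t nat -P OUTPUT DROP
  "$iptables" -t nat -P PREROUTING DROP
  "$iptables" -t nat -P POSTROUTING DROP
}

#######################################
# Enable IPv4 forwarding between the LAN and the WAN.
#######################################
enable_forwarding() {
  echo "1" > /proc/sys/net/ipv4/ip_forward
}

#######################################
# Rules for the filter table (INPUT, OUTPUT, FORWARD).
#######################################
filter_rules() {
  #================== Chain INPUT ========================
  # Loopback is needed by local services (resolver, X, databases, ...).
  "$iptables" -A INPUT -i lo -j ACCEPT
  # Replies to connections this host opened (DNS answers, HTTP/HTTPS data, ...)
  # are identified by connection tracking instead of by source port. The
  # original port-only rules (--sport 80/443/53 --dport 1024:) also accepted
  # brand-new inbound connections from any peer that simply used 80, 443 or 53
  # as its source port, exposing every service listening on a port >= 1024.
  "$iptables" -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
  "$iptables" -A INPUT -p icmp -m limit --limit 1/s -j ACCEPT
  # New SSH sessions from the WAN and from the LAN (--syn: connection-opening
  # packets only; the rest of the session is covered by the state rule above).
  "$iptables" -A INPUT -p tcp -i "$wan" --sport 1024: --dport 22 --syn -j ACCEPT
  "$iptables" -A INPUT -p tcp -i "$lan" --sport 1024: --dport 22 --syn -j ACCEPT
  "$iptables" -A INPUT -j LOG --log-prefix "DROP-INPUT "
  "$iptables" -A INPUT -j DROP

  #================== Chain OUTPUT =======================
  "$iptables" -A OUTPUT -o lo -j ACCEPT
  # Covers the replies of accepted inbound sessions (e.g. SSH, --sport 22).
  "$iptables" -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
  "$iptables" -A OUTPUT -p icmp --icmp-type echo-request -j ACCEPT
  "$iptables" -A OUTPUT -p icmp --icmp-type echo-reply -j ACCEPT
  "$iptables" -A OUTPUT -p udp -o "$wan" -d "$DNS1" --dport 53 --sport 1024: -j ACCEPT
  "$iptables" -A OUTPUT -p udp -o "$wan" -d "$DNS2" --dport 53 --sport 1024: -j ACCEPT
  "$iptables" -A OUTPUT -p tcp -o "$wan" --sport 1024: --dport 80 -j ACCEPT
  "$iptables" -A OUTPUT -p tcp -o "$wan" --sport 1024: --dport 443 -j ACCEPT
  "$iptables" -A OUTPUT -j LOG --log-prefix "DROP-OUTPUT "
  "$iptables" -A OUTPUT -j DROP

  #================== Chain FORWARD ======================
  # Return traffic for forwarded connections. The original had no return rule,
  # so LAN DNS queries left through the WAN but the answers were dropped here.
  "$iptables" -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
  # New DNS queries from the LAN to the two resolvers.
  "$iptables" -A FORWARD -p udp -i "$lan" -s "$rlocal" --sport 1024: \
    -o "$wan" -d "$DNS1" --dport 53 -j ACCEPT
  "$iptables" -A FORWARD -p udp -i "$lan" -s "$rlocal" --sport 1024: \
    -o "$wan" -d "$DNS2" --dport 53 -j ACCEPT
  # NOTE(review): nat PREROUTING below accepts LAN HTTP (port 80) but there is
  # no matching FORWARD rule, so LAN web traffic is still dropped here - add a
  # FORWARD rule if that is intended; kept as in the original.
  "$iptables" -A FORWARD -j LOG --log-prefix "DROP-FORWARD "
  "$iptables" -A FORWARD -j DROP
}

#######################################
# Rules for the nat table (OUTPUT, PREROUTING, POSTROUTING).
#######################################
nat_rules() {
  #================== Chain OUTPUT =======================
  "$iptables" -t nat -A OUTPUT -p icmp --icmp-type echo-request -j ACCEPT
  "$iptables" -t nat -A OUTPUT -p icmp --icmp-type echo-reply -j ACCEPT
  "$iptables" -t nat -A OUTPUT -p udp -o "$wan" -d "$DNS1" --dport 53 --sport 1024: -j ACCEPT
  "$iptables" -t nat -A OUTPUT -p udp -o "$wan" -d "$DNS2" --dport 53 --sport 1024: -j ACCEPT
  "$iptables" -t nat -A OUTPUT -p tcp -o "$wan" --sport 1024: --dport 80 -j ACCEPT
  "$iptables" -t nat -A OUTPUT -p tcp -o "$wan" --sport 1024: --dport 443 -j ACCEPT
  "$iptables" -t nat -A OUTPUT -j LOG --log-prefix "DROP_NAT-OUTPUT "
  "$iptables" -t nat -A OUTPUT -j DROP

  #================== Chain PREROUTING ===================
  "$iptables" -t nat -A PREROUTING -p icmp -m limit --limit 1/s -j ACCEPT
  "$iptables" -t nat -A PREROUTING -p tcp -i "$wan" --sport 1024: --dport 22 -j ACCEPT
  "$iptables" -t nat -A PREROUTING -p tcp -i "$lan" --sport 1024: --dport 22 -j ACCEPT
  # -s $rlocal added for consistency with the FORWARD rules, which already
  # require the LAN prefix, and with the port-80 rule below.
  "$iptables" -t nat -A PREROUTING -p udp -i "$lan" -s "$rlocal" -d "$DNS1" --dport 53 --sport 1024: -j ACCEPT
  "$iptables" -t nat -A PREROUTING -p udp -i "$lan" -s "$rlocal" -d "$DNS2" --dport 53 --sport 1024: -j ACCEPT
  "$iptables" -t nat -A PREROUTING -p tcp -s "$rlocal" -i "$lan" --sport 1024: --dport 80 -j ACCEPT
  "$iptables" -t nat -A PREROUTING -j LOG --log-prefix "DROP_NAT-PREROUTING "
  "$iptables" -t nat -A PREROUTING -j DROP

  #================== Chain POSTROUTING ==================
  # LAN traffic leaving through the WAN is masqueraded *before* any ACCEPT
  # rule: ACCEPT in the nat table means "no NAT for this connection", so with
  # the original order (ACCEPT for DNS/80/443 first, MASQUERADE last) LAN DNS
  # queries left the WAN with a private source address. Restricted to
  # -s $rlocal so the host's own traffic is not rewritten (it already carries
  # the WAN address); the original MASQUERADE matched TCP only, which would
  # have excluded the UDP DNS traffic that FORWARD permits.
  "$iptables" -t nat -A POSTROUTING -s "$rlocal" -o "$wan" -j MASQUERADE
  "$iptables" -t nat -A POSTROUTING -p icmp --icmp-type echo-request -j ACCEPT
  "$iptables" -t nat -A POSTROUTING -p icmp --icmp-type echo-reply -j ACCEPT
  "$iptables" -t nat -A POSTROUTING -p udp -o "$wan" -d "$DNS1" --dport 53 --sport 1024: -j ACCEPT
  "$iptables" -t nat -A POSTROUTING -p udp -o "$wan" -d "$DNS2" --dport 53 --sport 1024: -j ACCEPT
  "$iptables" -t nat -A POSTROUTING -p tcp -o "$wan" --sport 1024: --dport 80 -j ACCEPT
  "$iptables" -t nat -A POSTROUTING -p tcp -o "$wan" --sport 1024: --dport 443 -j ACCEPT
  "$iptables" -t nat -A POSTROUTING -j LOG --log-prefix "DROP_NAT-POSTROUTING "
  "$iptables" -t nat -A POSTROUTING -j DROP
}

#######################################
# Entry point: modules, clean slate, DROP policies, then the rule set.
#######################################
main() {
  load_modules
  flush_tables
  set_policies
  enable_forwarding
  filter_rules
  nat_rules
}

main "$@"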