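#!/usr/bin/env bash
############
# Limpa Regras — iptables firewall for a three-interface gateway.
#
# Applied in this order: flush -> default policies -> conntrack passthrough
# -> kernel modules -> VNC port forward -> loopback -> INPUT (SSH)
# -> FORWARD (VNC, SisObra, LAN isolation) -> MAC allow-list + NAT
# -> layer7 drops.  Must run as root.  Reads the MAC allow-list from
# $MACLIST_LIB (one "mac;name" entry per line).
#
# Deliberately NOT `set -e`: the INPUT policy is DROP from the second step
# on and the SSH ACCEPT is only added much later, so aborting half-way
# (e.g. on a missing ipt_layer7 module) would leave the host unreachable
# remotely.  Each tool prints its own error; `set -u` still catches typos
# in variable names.
set -u

Wan="eth0"      # upstream / Internet-facing interface
INT_1="eth1"    # internal network 1 (SisObra server side, tcp/3050)
INT_2="eth2"    # internal network 2 (MAC-allow-listed clients)
# Allow-list, one entry per line: "00:11:22:33:44:55;computador1".
# To disable an entry the file's convention is to edit the first octet
# (00 -> 11); the rule is then added for a MAC that never appears.
MACLIST_LIB="/root/scripts/maclist_lib"
readonly Wan INT_1 INT_2 MACLIST_LIB

#######################################
# Print a message to stderr and exit 1.  Used only for pre-flight checks
# that run before any rule has been touched.
#######################################
die() { printf '%s\n' "$*" >&2; exit 1; }

#######################################
# Flush and delete every chain in the filter, nat and mangle tables.
#######################################
flush_rules() {
  local table
  for table in filter nat mangle; do
    iptables -t "$table" -F
    iptables -t "$table" -X
  done
  echo "Excluindo Regras padrões ...... [OK]"
}

#######################################
# Default-deny inbound and forwarded traffic; traffic originating from
# the gateway itself is allowed.
#######################################
set_policies() {
  iptables -P INPUT DROP
  iptables -P OUTPUT ACCEPT
  iptables -P FORWARD DROP
  echo "Criando Regras padrões ........ [OK]"
}

#######################################
# Keep already-established / related connections flowing in every chain.
#######################################
allow_established() {
  local chain
  for chain in INPUT FORWARD OUTPUT; do
    iptables -A "$chain" -m state --state ESTABLISHED,RELATED -j ACCEPT
  done
  echo "Mantendo Conexões ............. [OK]"
}

#######################################
# Load the netfilter modules this script relies on.  A failure is reported
# by modprobe and is not fatal (see header); a missing ipt_layer7 only makes
# the layer7 rules fail to load.
#######################################
load_modules() {
  local mod
  for mod in iptable_nat iptable_filter ip_tables ip_nat_ftp \
             ipt_MASQUERADE ipt_LOG ipt_layer7; do
    modprobe "$mod"
  done
  # Kept disabled, as in the original configuration:
  #modprobe ip_conntrack
  #modprobe ip_conntrack_ftp
  echo "Carregando Modulos ............ [OK]"
}

#######################################
# Port-forward WAN:5905 -> 10.0.0.5:5900 (VNC) and allow the forwarded flow.
#######################################
forward_vnc() {
  iptables -A FORWARD -p tcp -i "$Wan" --dport 5900 -d 10.0.0.5 -j ACCEPT
  iptables -t nat -A PREROUTING -i "$Wan" -p tcp --dport 5905 \
    -j DNAT --to-destination 10.0.0.5:5900
  echo "Redirecionando Teste ..................................... [OK]"
}

#######################################
# Accept everything on the loopback interface.
#######################################
allow_loopback() {
  iptables -t filter -A INPUT -i lo -j ACCEPT
  echo "Liberando - LoopBack .......... [OK]"
}

#######################################
# INPUT chain: SSH reachable from the WAN.
# NOTE(review): no source restriction or rate limit on port 22; restrict
# with -s to the admin network or add -m limit / -m recent if feasible.
#######################################
input_rules() {
  echo "############### Tabela INPUT ########"
  iptables -A INPUT -i "$Wan" -p tcp -m tcp --dport 22 -j ACCEPT
  echo "INPUT - Ssh .................... [OK]"
}

#######################################
# FORWARD chain: VNC, SisObra (tcp/3050) and isolation of the two LANs.
#######################################
forward_rules() {
  echo "############# Tabela Forward ########"
  # Per-host exemption from the firewall, kept disabled:
  #iptables -A FORWARD -s 192.168.4.13 -p tcp -j ACCEPT
  #iptables -A FORWARD -s 192.168.4.13 -p udp -j ACCEPT
  # VNC (5900/5800) forwarded on any interface to any destination.
  # NOTE(review): these two rules are broader than, and therefore also cover,
  # the WAN -> 10.0.0.5 rule in forward_vnc; add -i/-d here if that width
  # is not intended.
  iptables -A FORWARD -p tcp --dport 5900 -j ACCEPT
  iptables -A FORWARD -p tcp --dport 5800 -j ACCEPT
  echo "Forward - VNC ................. [OK]"
  # SisObra Net (tcp/3050) towards INT_1.
  iptables -A FORWARD -o "$INT_1" -p tcp --dport 3050 -j ACCEPT
  echo "FORWARD - SISOBRA ............ [OK]"
  # Isolate the two internal networks from each other.  Only new connections
  # reach these rules: ESTABLISHED,RELATED and the 3050 rule are matched first.
  iptables -A FORWARD -o "$INT_1" -i "$INT_2" -j DROP
  iptables -A FORWARD -o "$INT_2" -i "$INT_1" -j DROP
  # The label below looks like a search/replace artefact (presumably "cid"
  # -> INT_2); kept verbatim so the output does not change.
  echo "INT_2ade!INT_1 ............. [OK]"
}

#######################################
# Enable IP forwarding, admit INT_2 hosts listed by MAC, and masquerade
# the private ranges on the WAN.
#
# Allow-list lines are "mac;name"; blank lines and lines starting with '#'
# are skipped, and an entry that is not a colon-separated MAC is reported
# on stderr and skipped instead of being handed to iptables.
# NOTE(review): MAC addresses are trivially spoofed on a LAN; this list
# identifies devices for convenience, it is not authentication.
#######################################
share_internet() {
  local line mac
  echo "1" > /proc/sys/net/ipv4/ip_forward
  if [[ -r "$MACLIST_LIB" ]]; then
    # `read` with the default IFS trims surrounding whitespace; the `||`
    # keeps a final line that lacks a trailing newline.
    while read -r line || [[ -n "$line" ]]; do
      [[ -z "$line" || "$line" == \#* ]] && continue
      mac=${line%%;*}
      if [[ ! "$mac" =~ ^([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$ ]]; then
        printf 'maclist: skipping invalid entry: %s\n' "$line" >&2
        continue
      fi
      # "-d 0/0" from the original is the default (any destination) and is omitted.
      iptables -t filter -A FORWARD -i "$INT_2" -m mac --mac-source "$mac" -j ACCEPT
      iptables -t filter -A INPUT -i "$INT_2" -m mac --mac-source "$mac" -j ACCEPT
    done < "$MACLIST_LIB"
  else
    printf 'maclist: %s not readable; no %s host admitted\n' "$MACLIST_LIB" "$INT_2" >&2
  fi
  # Networks written as full dotted quads; the original "10.0.0/8" and
  # "192.168.0.1/24" are meant to name the same ranges (host bits are masked).
  iptables -t nat -A POSTROUTING -s 10.0.0.0/8 -o "$Wan" -j MASQUERADE
  iptables -t nat -A POSTROUTING -s 192.168.0.0/24 -o "$Wan" -j MASQUERADE
  echo "NAT - Internet Hab ............ [OK]"
  # Transparent proxy to squid (3128), kept disabled:
  #iptables -t nat -A PREROUTING -i eth1 -p TCP ! -d 200.201.0.0/16 --dport 80 -j REDIRECT --to-port 3128
  #iptables -t nat -A PREROUTING -i eth1 -p UDP ! -d 200.201.0.0/16 --dport 80 -j REDIRECT --to-port 3128
  #echo "Squid ........ [OK]"
}

#######################################
# Layer7 protocol blocks.  `-I` inserts at the TOP of FORWARD, so every rule
# here takes precedence over all -A rules above (including ESTABLISHED,
# RELATED, which layer7 classification needs), and the final chain order is
# the reverse of the order written here.  The original inserted bittorrent
# twice; the duplicate is dropped, the labelled rule below remains.
#######################################
layer7_rules() {
  echo "########## Layer7 ##################"
  # MSN, kept disabled:
  # iptables -I OUTPUT -m layer7 --l7proto msnmessenger -j DROP
  # iptables -I INPUT -m layer7 --l7proto msnmessenger -j DROP
  iptables -I FORWARD -m layer7 --l7proto ares -j DROP
  echo "Layer7 - Ares ................. [OK]"
  iptables -I FORWARD -m layer7 --l7proto battlefield1942 -j DROP
  iptables -I FORWARD -m layer7 --l7proto battlefield2 -j DROP
  echo "Layer7 - Batlefild ............ [OK]"
  iptables -I FORWARD -m layer7 --l7proto bittorrent -j DROP
  echo "Layer7 - Bitrorent ............ [OK]"
  iptables -I FORWARD -m layer7 --l7proto counterstrike-source -j DROP
  echo "Layer7 - CounterStrike ........ [OK]"
  iptables -I FORWARD -m layer7 --l7proto dayofdefeat-source -j DROP
  echo "Layer7 - DayofDefeat .......... [OK]"
  iptables -I FORWARD -m layer7 --l7proto doom3 -j DROP
  echo "Layer7 - Doom3 ................ [OK]"
  iptables -I FORWARD -m layer7 --l7proto edonkey -j DROP
  echo "Layer7 - Edonkey .............. [OK]"
  iptables -I FORWARD -m layer7 --l7proto fasttrack -j DROP
  echo "Layer7 - FastJack ............. [OK]"
  iptables -I FORWARD -m layer7 --l7proto gnutella -j DROP
  echo "Layer7 - Gnutella ............. [OK]"
  iptables -I FORWARD -m layer7 --l7proto halflife2-deathmatch -j DROP
  echo "Layer7 - HalfLife ............. [OK]"
  iptables -I FORWARD -m layer7 --l7proto imesh -j DROP
  echo "Layer7 - Imesh ................ [OK]"
  iptables -I FORWARD -m layer7 --l7proto mohaa -j DROP
  echo "Layer7 - Mohaa ................ [OK]"
  iptables -I FORWARD -m layer7 --l7proto mute -j DROP
  echo "Layer7 - Mute ................. [OK]"
  iptables -I FORWARD -m layer7 --l7proto napster -j DROP
  echo "Layer7 - Naptster ............. [OK]"
  iptables -I FORWARD -m layer7 --l7proto netbios -j DROP
  echo "Layer7 - Netbios .............. [OK]"
  iptables -I FORWARD -m layer7 --l7proto openft -j DROP
  echo "Layer7 - Openft ............... [OK]"
  iptables -I FORWARD -m layer7 --l7proto quake-halflife -j DROP
  echo "Layer7 - QuakeHalf ............ [OK]"
  iptables -I FORWARD -m layer7 --l7proto rdp -j DROP
  echo "Layer7 - RDP .................. [OK]"
  iptables -I FORWARD -m layer7 --l7proto soribada -j DROP
  echo "Layer7 - Soriba ............... [OK]"
  iptables -I FORWARD -m layer7 --l7proto soulseek -j DROP
  echo "Layer7 - SoulSeek ............. [OK]"
  iptables -I FORWARD -m layer7 --l7proto thecircle -j DROP
  echo "Layer7 - TheCircle ............ [OK]"
  iptables -I FORWARD -m layer7 --l7proto whois -j DROP
  echo "Layer7 - WHOIS ................ [OK]"
  iptables -I FORWARD -m layer7 --l7proto code_red -j DROP
  echo "Layer7 - CodRed ............... [OK]"
  iptables -I FORWARD -m layer7 --l7proto nimda -j DROP
  echo "Layer7 - Nimda ................ [OK]"
  echo "Layer7 - REGRAS ... [OK]"
}

#######################################
# Entry point: pre-flight check, then the sections in their original order.
#######################################
main() {
  # iptables/modprobe need root; without it the original silently printed
  # [OK] after every failed command.
  (( EUID == 0 )) || die "this script must run as root"
  flush_rules
  set_policies
  allow_established
  load_modules
  forward_vnc
  allow_loopback
  input_rules
  forward_rules
  share_internet
  layer7_rules
}

main "$@"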