#!/bin/bash
# Compartilhando a Internet
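# Enable IPv4 forwarding so packets from the LAN interface can be routed
# out of the Internet interface (the POSTROUTING MASQUERADE rule relies on
# this). The status line used to be printed unconditionally; now the
# failure of the write (e.g. not running as root) is reported instead.
if echo 1 > /proc/sys/net/ipv4/ip_forward; then
  echo "Compartilhando Internet...........................................[ OK ]"
else
  echo "Compartilhando Internet........................................[ FALHOU ]" >&2
fi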
# Variáveis
# ---------------------------------------------------------------------------------------
# Absolute path of the iptables binary, so the lookup does not depend on PATH.
iptables=/sbin/iptables
# Interface connected to the Internet.
IF_EXTERNA=eth0
# Interface connected to the local network.
IF_INTERNA=eth1
# Address range of the local network.
REDE_LOCAL=192.168.1.0/24
# Hosts used to administer the server (not referenced by the rules shown
# in this file).
IP_ADM=192.168.1.198
IP_ADM_1=192.168.1.195
IP_ADM_2=192.168.1.196
echo "Inicializando variável............................................[ OK ]"
# Módulos #
# Netfilter modules the rules in this file rely on: connection tracking and
# its FTP helpers, the NAT/filter/mangle tables, the targets (LOG, MARK,
# MASQUERADE, REDIRECT, REJECT, TCPMSS, TOS) and the matches used.
# NOTE(review): these are the legacy ip_*/ipt_* module names; newer kernels
# expose most of them under nf_*/xt_* names — confirm against the target
# kernel. ipt_MIRROR and ipt_unclean were commented out in the original
# list and are intentionally left out.
modulos=(
  ip_conntrack
  ip_conntrack_ftp
  ip_nat_ftp
  ip_queue
  ip_tables
  ipt_LOG
  ipt_MARK
  ipt_MASQUERADE
  ipt_REDIRECT
  ipt_REJECT
  ipt_TCPMSS
  ipt_TOS
  ipt_limit
  ipt_mac
  ipt_mark
  ipt_multiport
  ipt_owner
  ipt_state
  ipt_tcpmss
  ipt_tos
  iptable_filter
  iptable_mangle
  iptable_nat
)
# Loaded one at a time; as in the original, a module that fails to load is
# reported by modprobe on stderr and the script simply carries on.
for modulo in "${modulos[@]}"; do
  /sbin/modprobe "$modulo"
done
unset modulos modulo
###############################################################################
######################## Função START #########################################
###############################################################################
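#######################################
# Full firewall mode: INPUT and FORWARD default to DROP, HTTP from the LAN
# is redirected to the local Squid port, and LAN traffic leaving through
# the Internet interface is masqueraded.
# Globals:   iptables (read, optional; defaults to /sbin/iptables),
#            IF_EXTERNA, IF_INTERNA, REDE_LOCAL (read)
# Arguments: none
# Outputs:   progress messages on stdout
# Returns:   status of the last command run
#######################################
firewall_start() {
  # Use the absolute path from the configuration instead of resolving
  # "iptables" through PATH.
  local ipt=${iptables:-/sbin/iptables}
  echo "Iniciando o Firewall..............................................[ OK ]"
  # Clear the current rules: flush the built-in chains first so that any
  # user-defined chain is empty and unreferenced when -X removes it.
  "$ipt" -F INPUT
  "$ipt" -F OUTPUT
  "$ipt" -F FORWARD
  "$ipt" -F -t nat
  "$ipt" -F -t mangle
  "$ipt" -X
  "$ipt" -Z
  echo "Apagando as regras atuais.........................................[ OK ]"
  # Default policies: nothing reaches the firewall host or is forwarded
  # unless a rule below accepts it; the host itself may send anything.
  "$ipt" -t filter -P INPUT DROP
  "$ipt" -t filter -P OUTPUT ACCEPT
  "$ipt" -t filter -P FORWARD DROP
  "$ipt" -t nat -P PREROUTING ACCEPT
  "$ipt" -t nat -P OUTPUT ACCEPT
  "$ipt" -t nat -P POSTROUTING ACCEPT
  "$ipt" -t mangle -P PREROUTING ACCEPT
  "$ipt" -t mangle -P OUTPUT ACCEPT
  echo "Definindo politicas padrao........................................[ OK ]"
  # Keep already established connections (and their related flows) alive.
  "$ipt" -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
  "$ipt" -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
  "$ipt" -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
  echo "Mantendo conexao estavel..........................................[ OK ]"
  # Accept all traffic arriving on the loopback interface.
  "$ipt" -t filter -A INPUT -i lo -j ACCEPT
  echo "loopback..........................................................[ OK ]"
  # Inactive rules kept from the original script for reference:
  # iptables -t nat -A POSTROUTING -o $IF_INTERNET ACCEPT
  # iptables -t nat -A PRETROUTING -o $IF_INTERNET ACCEPT
  # iptables -A INPUT -i $IF_INTERNA -s $REDE_LOCAL -j ACCEPT
  # iptables -A INPUT -i eth2 -s 172.16.0.0/24 -j ACCEPT
  # iptables -A INPUT -p tcp --dport 80 -j ACCEPT
  # iptables -A INPUT -p tcp --dport 443 -j ACCEPT
  ###############################################################################
  # Protections #
  ###############################################################################
  # Rate-limit ICMP echo requests to the host and through it (20 per minute,
  # excess falls through to the chain policy). Note that the
  # icmp_echo_ignore_all setting further down makes the kernel ignore echo
  # requests addressed to this host regardless of the INPUT rule.
  "$ipt" -A INPUT -p icmp --icmp-type echo-request -m limit --limit 20/m -j ACCEPT
  "$ipt" -A FORWARD -p icmp --icmp-type echo-request -m limit --limit 20/m -j ACCEPT
  # Accept at most 1/s (default burst 5) of TCP packets that have RST set and
  # SYN/ACK/FIN clear; anything above that falls through to the REJECT rules
  # at the end of INPUT. This only throttles bare RST packets, it does not
  # detect scans.
  "$ipt" -A INPUT -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit 1/s -j ACCEPT
  # Drop the UDP port range used by traceroute when it comes from the
  # Internet interface.
  "$ipt" -A INPUT -p udp -i "$IF_EXTERNA" --dport 33435:33525 -j DROP
  # Drop packets the connection tracker cannot classify.
  "$ipt" -A INPUT -m state --state INVALID -j DROP
  # SYN-flood limit on forwarded traffic. This matches *every* new forwarded
  # TCP connection in either direction, LAN-originated ones included: no
  # other FORWARD rule accepts new connections, so SYNs beyond 1/s (burst 5)
  # hit the FORWARD policy DROP.
  "$ipt" -A FORWARD -p tcp --syn -m limit --limit 1/s -j ACCEPT
  # Second echo-request limit on FORWARD; it only sees the packets that
  # exceeded the 20/m rule above.
  "$ipt" -A FORWARD -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT
  # Make the kernel ignore ICMP echo requests (type 8) addressed to this host.
  echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_all
  echo "Protecoes.........................................................[ OK ]"
  ###############################################################################
  # INPUT table - traffic whose final destination is the firewall host
  ###############################################################################
  # Web port on any interface (as in the original); the Squid port only from
  # the LAN interface, so the proxy is not reachable from IF_EXTERNA.
  "$ipt" -A INPUT -p tcp --dport 80 --syn -j ACCEPT
  "$ipt" -A INPUT -i "$IF_INTERNA" -p tcp --dport 3128 --syn -j ACCEPT
  ###############################################################################
  # NAT table #
  ###############################################################################
  # Transparent proxy: LAN HTTP traffic is redirected to the local Squid port.
  "$ipt" -t nat -A PREROUTING -s "$REDE_LOCAL" -p tcp --dport 80 -i "$IF_INTERNA" -j REDIRECT --to-port 3128
  echo "Deixando proxy transparente.......................................[ OK ]"
  # Masquerade LAN traffic leaving through the Internet interface.
  "$ipt" -t nat -A POSTROUTING -s "$REDE_LOCAL" -o "$IF_EXTERNA" -j MASQUERADE
  echo "Ativando o Mascaramento...........................................[ OK ]"
  # Reject everything else explicitly (the INPUT policy would DROP it
  # silently). The original had an extra "--syn" REJECT before the plain
  # TCP one; both reject with the same default ICMP reply, so it is folded
  # into the TCP rule.
  "$ipt" -A INPUT -p tcp -j REJECT
  "$ipt" -A INPUT -p udp -j REJECT
  echo "Bloqueando todo o resto...........................................[ OK ]"
}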
###############################################################################
### Função STOP ##
###############################################################################
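#######################################
# Permissive mode: all filter policies ACCEPT; only the transparent proxy
# redirect and LAN masquerading remain active.
# Globals:   iptables (read, optional; defaults to /sbin/iptables),
#            IF_EXTERNA, IF_INTERNA, REDE_LOCAL (read)
# Arguments: none
# Outputs:   progress messages on stdout
# Returns:   status of the last command run
#######################################
firewall_stop() {
  # Use the absolute path from the configuration instead of resolving
  # "iptables" through PATH.
  local ipt=${iptables:-/sbin/iptables}
  echo "Parando firewall e funcionando apenas com mascaramento............[ OK ]"
  # Clear the current rules: flush the built-in chains first so that any
  # user-defined chain is empty and unreferenced when -X removes it.
  "$ipt" -F INPUT
  "$ipt" -F OUTPUT
  "$ipt" -F FORWARD
  "$ipt" -F -t nat
  "$ipt" -F -t mangle
  "$ipt" -X
  "$ipt" -Z
  echo "Apagando as regras atuais.........................................[ OK ]"
  # Default policies: accept everything.
  "$ipt" -t filter -P INPUT ACCEPT
  "$ipt" -t filter -P OUTPUT ACCEPT
  "$ipt" -t filter -P FORWARD ACCEPT
  "$ipt" -t nat -P PREROUTING ACCEPT
  "$ipt" -t nat -P OUTPUT ACCEPT
  "$ipt" -t nat -P POSTROUTING ACCEPT
  "$ipt" -t mangle -P PREROUTING ACCEPT
  "$ipt" -t mangle -P OUTPUT ACCEPT
  echo "Definindo politicas padrao........................................[ OK ]"
  # Keep already established connections (and their related flows) alive.
  "$ipt" -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
  "$ipt" -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
  "$ipt" -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
  echo "Mantendo conexao estavel..........................................[ OK ]"
  # Accept all traffic arriving on the loopback interface.
  "$ipt" -t filter -A INPUT -i lo -j ACCEPT
  echo "loopback..........................................................[ OK ]"
  # Undo the kernel setting made by firewall_start so the host answers
  # echo requests again (0 is the kernel default).
  echo 0 > /proc/sys/net/ipv4/icmp_echo_ignore_all
  ###############################################################################
  # NAT table #
  ###############################################################################
  # Masquerade LAN traffic leaving through the Internet interface. The
  # original passed the literal name "IF_EXTERNA" (missing "$"), so this
  # rule never matched any interface and masquerading was not applied.
  "$ipt" -t nat -A POSTROUTING -s "$REDE_LOCAL" -o "$IF_EXTERNA" -j MASQUERADE
  echo "Ativando o Mascaramento...........................................[ OK ]"
  # Transparent proxy: LAN HTTP traffic is redirected to the local Squid port.
  "$ipt" -t nat -A PREROUTING -s "$REDE_LOCAL" -p tcp --dport 80 -i "$IF_INTERNA" -j REDIRECT --to-port 3128
  echo "Deixando proxy transparente.......................................[ OK ]"
  echo "Firewall desabilitado..............[ << ATENÇÂO >> FIREWALL DESATIVADO ]"
}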