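#! /bin/bash
#
# Gateway firewall / NAT ruleset.
#
# Layout, as far as the rules themselves show it: eth1 is the external
# interface (every SNAT/MASQUERADE rule uses "-o eth1"), 10.86.0.0/16 is the
# internal network, and the public addresses are written 200.xxx.xxx.xxN as
# in the original. Each run rebuilds every table from scratch.
#
# Usage: run as root (at boot or after editing the rules).
# Ordering matters in every chain - the first matching terminating rule
# wins - so rules are annotated where an earlier rule shadows a later one.

# Refuse to run unprivileged: modprobe, iptables and the /proc write would
# all fail and a partial run would leave the ruleset half-applied.
if [[ "$EUID" -ne 0 ]]; then
  printf '%s: must be run as root\n' "${0##*/}" >&2
  exit 1
fi

# Enable IPv4 forwarding: this host routes between eth1 and the LAN.
echo 1 > /proc/sys/net/ipv4/ip_forward

# Load netfilter modules. The FTP helpers were renamed in newer kernels
# (nf_conntrack_ftp / nf_nat_ftp); try the new name and fall back to the
# legacy one. They are what lets RELATED match FTP data connections.
# xt_layer7 is not referenced by any rule below, so a missing module is not
# treated as an error (the original just printed modprobe's error and went on).
modprobe ip_tables
modprobe nf_conntrack_ftp 2>/dev/null || modprobe ip_conntrack_ftp
modprobe nf_nat_ftp 2>/dev/null || modprobe ip_nat_ftp
modprobe xt_layer7 2>/dev/null || true

# Default policies are set BEFORE flushing: flushing first leaves a window
# with no rules under whatever policy was previously active (ACCEPT on a
# fresh kernel), i.e. a fail-open gateway if the script dies in between.
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT

# Start from empty tables and zeroed counters.
iptables -F
iptables -X
iptables -t nat -F
iptables -t nat -X
iptables -t mangle -F
iptables -t mangle -X
iptables -Z

# Mark SSH (22, 2222) and SMTP (25) with TOS 16 (0x10, minimize-delay).
iptables -t mangle -A OUTPUT -p tcp -m multiport --dports 22,2222 -j TOS --set-tos 16
iptables -t mangle -A INPUT -p tcp -m multiport --dports 22,2222 -j TOS --set-tos 16
iptables -t mangle -A OUTPUT -p tcp -m multiport --dports 25 -j TOS --set-tos 16
iptables -t mangle -A INPUT -p tcp -m multiport --dports 25 -j TOS --set-tos 16

# Hosts exempt from filtering. "-I" puts them at the top of INPUT/FORWARD,
# ahead of everything appended below.
# NOTE(review): the match is on source address only. A packet entering on
# eth1 with a spoofed 10.86.0.53/.66 source matches too; binding these rules
# to the internal side (e.g. "! -i eth1") would close that - confirm the LAN
# interface name before changing.
iptables -I FORWARD -s 10.86.0.53 -j ACCEPT
iptables -I INPUT -s 10.86.0.53 -j ACCEPT
iptables -I FORWARD -s 10.86.0.66 -j ACCEPT
iptables -I INPUT -s 10.86.0.66 -j ACCEPT

# Port forwarding - web server.
# NOTE(review): this rule sits ahead of the mail-server multiport rule
# (53,80,110,143 on the same xx3 address) further down, so port 80 on xx3
# always ends up at 10.86.0.21 and that later rule's port 80 entry is dead.
iptables -t nat -A PREROUTING -p tcp --dport 80 -d 200.xxx.xxx.xx3/32 -j DNAT --to 10.86.0.21

# Port forwarding - 9000 tcp+udp.
# The OUTPUT policy is ACCEPT, so every OUTPUT rule in this file is a no-op
# today; they are kept so the ports stay open if that policy is tightened.
# The INPUT rules only matter for 9000 traffic addressed to the gateway
# itself (DNAT'd packets traverse FORWARD, not INPUT).
iptables -A INPUT -p tcp --dport 9000 -j ACCEPT
iptables -A OUTPUT -p tcp --dport 9000 -j ACCEPT
iptables -A INPUT -p udp --dport 9000 -j ACCEPT
iptables -A OUTPUT -p udp --dport 9000 -j ACCEPT
iptables -t nat -A PREROUTING -p tcp --dport 9000 -d 200.xxx.xxx.xx2/32 -j DNAT --to 10.86.0.21
iptables -t nat -A PREROUTING -p udp --dport 9000 -d 200.xxx.xxx.xx2/32 -j DNAT --to 10.86.0.21

# SSH on the alternate port 2222, and 10051/tcp, to the gateway itself.
iptables -A INPUT -p tcp --dport 2222 -j ACCEPT
iptables -A OUTPUT -p tcp --dport 2222 -j ACCEPT
iptables -A INPUT -p tcp --dport 10051 -j ACCEPT
iptables -A OUTPUT -p tcp --dport 10051 -j ACCEPT

# Access from one fixed external address: SSH and 10051 on xx2 go to
# 10.86.0.8. Only the DNATs are source-restricted; the FORWARD accepts for
# 10051 and 8088 apply to any source.
iptables -t nat -A PREROUTING -p tcp -s 200.171.178.168 --dport 22 -d 200.xxx.xxx.xx2/32 -j DNAT --to 10.86.0.8:22 # ssh access
iptables -A FORWARD -p tcp --dport 10051 -j ACCEPT
iptables -A FORWARD -p tcp --dport 8088 -j ACCEPT
iptables -t nat -A PREROUTING -p tcp -s 200.171.178.168 --dport 10051 -d 200.xxx.xxx.xx2/32 -j DNAT --to 10.86.0.8:10051

# Port forwarding to the server at 10.86.0.217 (from eth1 only).
iptables -A INPUT -p tcp --dport 8090 -j ACCEPT
iptables -A OUTPUT -p tcp --dport 8090 -j ACCEPT
iptables -A INPUT -p udp --dport 8090 -j ACCEPT
iptables -A OUTPUT -p udp --dport 8090 -j ACCEPT
iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 7550 -d 200.xxx.xxx.xx3/32 -j DNAT --to 10.86.0.217
iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 8090 -d 200.xxx.xxx.xx3/32 -j DNAT --to 10.86.0.217
iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 7700 -d 200.xxx.xxx.xx3/32 -j DNAT --to 10.86.0.217
iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 7701 -d 200.xxx.xxx.xx3/32 -j DNAT --to 10.86.0.217
iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 7702 -d 200.xxx.xxx.xx3/32 -j DNAT --to 10.86.0.217
iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 7703 -d 200.xxx.xxx.xx3/32 -j DNAT --to 10.86.0.217
iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 7704 -d 200.xxx.xxx.xx3/32 -j DNAT --to 10.86.0.217
iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 7710:7730 -d 200.xxx.xxx.xx3/32 -j DNAT --to 10.86.0.217

# Port forwarding - FTP (control 21 and active-mode data 20).
iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 21 -d 200.xxx.xxx.xx3/32 -j DNAT --to 10.86.0.21
iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 20 -d 200.xxx.xxx.xx3/32 -j DNAT --to 10.86.0.21

# Port forwarding - mail servers (port 80 here is shadowed, see the web
# server rule above).
iptables -t nat -A PREROUTING -i eth1 -p tcp -m multiport --dports 53,80,110,143 -d 200.xxx.xxx.xx3/32 -j DNAT --to 10.86.0.17
iptables -t nat -A PREROUTING -i eth1 -p udp -m multiport --dports 53 -d 200.xxx.xxx.xx3/32 -j DNAT --to 10.86.0.17

# Primary DNS (disabled in the original, kept for reference).
#iptables -t nat -A PREROUTING -p tcp --dport 53 -d 200.xxx.xxx.xx0/32 -j DNAT --to 10.86.0.128
#iptables -t nat -A PREROUTING -p udp --dport 53 -d 200.xxx.xxx.xx0/32 -j DNAT --to 10.86.0.128

# Secondary DNS.
iptables -t nat -A PREROUTING -p tcp --dport 53 -d 200.xxx.xxx.xx1/32 -j DNAT --to 10.86.0.17
iptables -t nat -A PREROUTING -p udp --dport 53 -d 200.xxx.xxx.xx1/32 -j DNAT --to 10.86.0.17

# Port forwarding to the TS server (4899, 3389 on xx1).
iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 4899 -d 200.xxx.xxx.xx1/32 -j DNAT --to 10.86.0.215
iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 3389 -d 200.xxx.xxx.xx1/32 -j DNAT --to 10.86.0.215

# Port forwarding via TS (same ports on xx2).
iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 3389 -d 200.xxx.xxx.xx2/32 -j DNAT --to 10.86.0.179
iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 4899 -d 200.xxx.xxx.xx2/32 -j DNAT --to 10.86.0.179

# Port forwarding - e-mail and external access to the webmail on xx1.
iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 25 -d 200.xxx.xxx.xx1/32 -j DNAT --to 10.86.0.17
iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 110 -d 200.xxx.xxx.xx1/32 -j DNAT --to 10.86.0.17
iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 143 -d 200.xxx.xxx.xx1/32 -j DNAT --to 10.86.0.17
iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 80 -d 200.xxx.xxx.xx1/32 -j DNAT --to 10.86.0.17

# --- Masquerading / internet access, and isolation between internal nets.
# (The original had stray "[B]"/"[/B]" forum markup around this section,
# which made the first line an unknown command and broke the MASQUERADE
# rule; removed.)
# NOTE(review): "-j MASQUERADE" is a terminating target and this rule is
# appended to nat POSTROUTING before the SNAT rules that follow it, so every
# packet leaving eth1 is masqueraded to eth1's primary address and the SNAT
# rules for 10.86.0.0/16 (xx0) and SMTP (xx1) below never match. Moving the
# MASQUERADE rule after them would activate those SNATs; do that only once
# xx0/xx1/xx4 are confirmed to be addresses configured on eth1, otherwise
# replies would never come back. Left in the original order here.
# NOTE(review): "-s 192.168.0.0/32" matches the single address 192.168.0.0
# (the network address), not 192.168.0.0/24 - probably intended as /24.
iptables -t nat -A POSTROUTING -o eth1 -s 192.168.0.0/32 -j SNAT --to 200.xxx.xxx.xx4
# Block traffic between the 192.168.x networks and 10.86.0.0/16. The original
# wrote the destination as 10.86.1.0/16; iptables masks the host bits, so it
# is the same match as 10.86.0.0/16 and is written canonically here. Note the
# two rules name different 192.168 networks (.1.0/24 one way, .0.0/24 the
# other); confirm that is intended.
iptables -A FORWARD -s 192.168.1.0/24 -d 10.86.0.0/16 -j DROP
iptables -A FORWARD -s 10.86.0.0/16 -d 192.168.0.0/24 -j DROP
iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE

# --- DNS / e-mail source NAT (currently shadowed, see above).
# The original wrote the source as 10.86.0.17/16, which matches the whole
# 10.86.0.0/16, not just the mail host; written canonically here. If only
# 10.86.0.17 should leave as xx1, use 10.86.0.17/32 instead.
iptables -t nat -A POSTROUTING -o eth1 -s 10.86.0.0/16 -p tcp --dport 25 -j SNAT --to 200.xxx.xxx.xx1
iptables -t nat -A POSTROUTING -o eth1 -s 10.86.0.0/16 -p tcp --sport 25 -j SNAT --to 200.xxx.xxx.xx1

# --- Whole internal network (currently shadowed, see above).
iptables -t nat -A POSTROUTING -o eth1 -s 10.86.0.0/16 -j SNAT --to 200.xxx.xxx.xx0

# --- DNS abuse limiting on the external interface: a source opening more
# than 3 new UDP/53 flows within 10 s is dropped; otherwise it is recorded
# and accepted.
iptables -A INPUT -p udp -i eth1 -m state --state NEW --dport 53 -m recent --update --seconds 10 --hitcount 3 -j DROP
iptables -A INPUT -p udp -i eth1 -m state --state NEW --dport 53 -m recent --set -j ACCEPT

# --- FORWARD rules: traffic routed through the gateway.
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -p icmp -j ACCEPT
# File transfer (FTP).
iptables -A FORWARD -p tcp --dport 20:21 -j ACCEPT
iptables -A FORWARD -p udp --dport 20:21 -j ACCEPT
# SSH.
iptables -A FORWARD -p tcp --dport 22 -j ACCEPT
# Outgoing mail (SMTP).
iptables -A FORWARD -p tcp --dport 25 -j ACCEPT
# Name service (DNS).
iptables -A FORWARD -p tcp --dport 53 -j ACCEPT
iptables -A FORWARD -p udp --dport 53 -j ACCEPT
# TFTP.
iptables -A FORWARD -p udp --dport 69 -j ACCEPT
# HTTP.
iptables -A FORWARD -p tcp --dport 80 -j ACCEPT
# Mail retrieval (POP3, IMAP).
iptables -A FORWARD -p tcp --dport 110 -j ACCEPT
iptables -A FORWARD -p tcp --dport 143 -j ACCEPT
# HTTPS.
iptables -A FORWARD -p tcp --dport 443 -j ACCEPT
# Ports requested by Marcelo Honorato (tax office) - sintegra.
iptables -A FORWARD -p tcp --dport 8017 -j ACCEPT #sintegra
iptables -A FORWARD -p tcp --dport 1533 -j ACCEPT #sintegra
iptables -A FORWARD -p tcp --dport 1536 -j ACCEPT #sintegra
iptables -A FORWARD -p tcp --dport 1540 -j ACCEPT #sintegra
iptables -A FORWARD -p tcp --dport 1580 -j ACCEPT #sintegra

# High ports - BIND.
# NOTE(review): these four rules accept every TCP/UDP port >= 1024, both
# through the gateway and to the gateway itself, regardless of state or
# interface, which makes the DROP policies nominal for that range. Every
# DNAT above to 7xxx/8090/9000/3389/4899 relies on them to pass FORWARD, so
# they are kept; restricting them to the DNAT'd destinations and letting
# ESTABLISHED,RELATED carry the replies would shrink the exposed surface.
iptables -A FORWARD -p tcp --dport 1024:65535 -j ACCEPT
iptables -A FORWARD -p udp --dport 1024:65535 -j ACCEPT
iptables -A INPUT -p tcp --dport 1024:65535 -j ACCEPT
iptables -A INPUT -p udp --dport 1024:65535 -j ACCEPT

# --- INPUT rules: traffic to the gateway itself.
# Replies to connections the gateway started. The original limited this to
# "-p tcp", so UDP/ICMP replies (e.g. the gateway's own DNS lookups) only got
# through via the high-port rules above; matching on state alone is the same
# as the FORWARD rule and covers every protocol.
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# NOTE(review): a source-only loopback match - it accepts a 127.0.0.1 source
# on any interface. The "-i lo" rule below is the one that should carry
# loopback traffic; consider dropping this one.
iptables -A INPUT -s 127.0.0.1/32 -j ACCEPT
# All ICMP. The original also had separate accepts for types 0 and 8; they
# were subsumed by this rule and are dropped.
iptables -A INPUT -p icmp -j ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -p tcp --dport 21 -j ACCEPT
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -p tcp --dport 53 -j ACCEPT
iptables -A INPUT -p udp --dport 53 -j ACCEPT
iptables -A INPUT -p tcp --dport 161 -j ACCEPT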