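# ---- Inbound rules (original heading: LIBERANDO ENTRADA) --------------------
# NOTE(review): this chunk starts mid-script. The shebang, the chain default
# policies (-P INPUT/FORWARD/OUTPUT) and any flush (-F) are outside this view,
# so what the ACCEPT/DROP rules below achieve depends on those policies.
# Interface roles as used by the rules themselves: eth1 is the internal LAN
# (the Samba and Squid rules key on it); eth0 and ppp0 both appear as the
# uplink in different sections -- confirm which one carries the Internet link.
printf '%s' "LIBERANDO ENTRADA.............................."
# Drop TCP segments that try to open a connection without SYN.
iptables -A INPUT -p tcp ! --syn -m state --state NEW -j DROP
# Replies and related traffic for connections this host already accepted/opened.
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# Loopback.
iptables -A INPUT -i lo -j ACCEPT
# SSH (22): open to any source. The subnet-scoped 22 rules right after it are
# therefore redundant but kept, since they document the intended LAN use.
iptables -A INPUT -p tcp -s 0/0 --dport 22 -j ACCEPT
iptables -A OUTPUT -p tcp -d 0/0 --sport 22 -j ACCEPT
iptables -A INPUT -p tcp -s 192.168.0.0/24 -d 192.168.0.1 --dport 22 -j ACCEPT
iptables -A OUTPUT -p tcp -s 192.168.0.1 -d 192.168.0.0/24 --sport 22 -j ACCEPT
# Port 2910 (the NAT section below DNATs eth0:2910 to 192.168.0.1:2209).
iptables -A INPUT -p tcp -s 192.168.0.0/24 -d 192.168.0.1 --dport 2910 -j ACCEPT
iptables -A OUTPUT -p tcp -s 192.168.0.1 -d 192.168.0.0/24 --sport 2910 -j ACCEPT
iptables -A FORWARD -p tcp -i eth0 --dport 2910 -j ACCEPT
iptables -A FORWARD -p tcp -o eth0 --dport 2910 -j ACCEPT
# Port 2095.
iptables -A INPUT -p tcp -s 192.168.0.0/24 -d 192.168.0.1 --dport 2095 -j ACCEPT
# NOTE(review): this INPUT rule matches on *source* port 2095 (the only one in
# the script to do so); presumably an OUTPUT --sport was meant -- confirm.
iptables -A INPUT -p tcp -s 192.168.0.0/24 -d 192.168.0.1 --sport 2095 -j ACCEPT
iptables -A FORWARD -p tcp -i eth0 --dport 2095 -j ACCEPT
# RDP (3389) to this host, from any source.
iptables -A INPUT -p tcp --dport 3389 -j ACCEPT
iptables -A OUTPUT -p tcp --sport 3389 -j ACCEPT
# Passive FTP data channel (high port to high port); already covered by the
# ESTABLISHED,RELATED rule above, kept for readability.
iptables -A INPUT -p tcp --sport 1024: --dport 1024: -m state --state ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p tcp --sport 1024: --dport 1024: -m state --state ESTABLISHED,RELATED -j ACCEPT
# Squid (3128) -- note the source is 0/0, not only the internal network.
iptables -A INPUT -p tcp -s 0/0 --dport 3128 -j ACCEPT
iptables -A OUTPUT -p tcp -d 0/0 --sport 3128 -j ACCEPT
# FTP control/data (20, 21) to this host.
iptables -A INPUT -p tcp -s 0/0 --dport 20 -j ACCEPT
iptables -A OUTPUT -p tcp -d 0/0 --sport 20 -j ACCEPT
iptables -A INPUT -p tcp -s 192.168.0.0/24 -d 192.168.0.1 --dport 20 -j ACCEPT
# NOTE(review): the two OUTPUT rules below use -s 192.168.0.0/24 -d 192.168.0.1
# with --dport, i.e. the host talking to itself; the source/destination look
# swapped relative to the matching INPUT rules -- confirm what was intended.
iptables -A OUTPUT -p tcp -s 192.168.0.0/24 -d 192.168.0.1 --dport 20 -j ACCEPT
iptables -A INPUT -p tcp -s 0/0 --dport 21 -j ACCEPT
iptables -A OUTPUT -p tcp -d 0/0 --sport 21 -j ACCEPT
iptables -A INPUT -p tcp -s 192.168.0.0/24 -d 192.168.0.1 --dport 21 -j ACCEPT
iptables -A OUTPUT -p tcp -s 192.168.0.0/24 -d 192.168.0.1 --dport 21 -j ACCEPT
# HTTP (80, 8080), both serving and as a client.
iptables -A INPUT -p tcp -s 0/0 --dport 80 -j ACCEPT
iptables -A OUTPUT -p tcp -d 0/0 --sport 80 -j ACCEPT
iptables -A OUTPUT -p tcp -d 0/0 --dport 80 -j ACCEPT
iptables -A INPUT -p tcp -s 0/0 --sport 80 -j ACCEPT
iptables -A INPUT -p tcp -s 0/0 --dport 8080 -j ACCEPT
iptables -A OUTPUT -p tcp -d 0/0 --sport 8080 -j ACCEPT
iptables -A OUTPUT -p tcp -d 0/0 --dport 8080 -j ACCEPT
iptables -A INPUT -p tcp -s 0/0 --sport 8080 -j ACCEPT
# HTTPS (443), both serving and as a client.
iptables -A INPUT -p tcp -s 0/0 --dport 443 -j ACCEPT
iptables -A OUTPUT -p tcp -d 0/0 --sport 443 -j ACCEPT
iptables -A OUTPUT -p tcp -d 0/0 --dport 443 -j ACCEPT
iptables -A INPUT -p tcp -s 0/0 --sport 443 -j ACCEPT
# Ping (echo-request).
iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
# Traceroute (UDP 33434).
iptables -A INPUT -p udp -s 0/0 --dport 33434 -j ACCEPT
iptables -A OUTPUT -p udp -d 0/0 --sport 33434 -j ACCEPT
# DNS (UDP 53), both serving and as a client.
iptables -A INPUT -p udp -s 0/0 --dport 53 -j ACCEPT
iptables -A OUTPUT -p udp -d 0/0 --sport 53 -j ACCEPT
iptables -A OUTPUT -p udp -d 0/0 --dport 53 -j ACCEPT
iptables -A INPUT -p udp -s 0/0 --sport 53 -j ACCEPT
# Samba: accept only on the internal interface (eth1), then DROP it from
# everywhere else. Order matters: the eth1 ACCEPTs must precede the DROPs.
# NOTE(review): udp/137 has a DROP but no eth1 ACCEPT -- whether NetBIOS name
# service works internally depends on the INPUT default policy.
iptables -A INPUT -p tcp -i eth1 --dport 139 -j ACCEPT
iptables -A INPUT -p udp -i eth1 --dport 139 -j ACCEPT
iptables -A INPUT -p tcp -i eth1 --dport 138 -j ACCEPT
iptables -A INPUT -p udp -i eth1 --dport 138 -j ACCEPT
iptables -A INPUT -p tcp -s 0/0 --dport 139 -j DROP
iptables -A INPUT -p udp -s 0/0 --dport 139 -j DROP
iptables -A INPUT -p udp -s 0/0 --dport 138 -j DROP
iptables -A INPUT -p udp -s 0/0 --dport 137 -j DROP
# VNC (5900, 5800) to this host from the internal network only.
iptables -A INPUT -p tcp -s 192.168.0.0/24 -d 0/0 --dport 5900 -j ACCEPT
iptables -A OUTPUT -p tcp -d 0/0 -s 192.168.0.0/24 --sport 5900 -j ACCEPT
iptables -A INPUT -p tcp -s 192.168.0.0/24 -d 0/0 --dport 5800 -j ACCEPT
iptables -A OUTPUT -p tcp -d 0/0 -s 192.168.0.0/24 --sport 5800 -j ACCEPT
# Mail: SMTP (25) and POP3 (110) from any source. POP3 on 110 is plaintext;
# this only opens the port.
iptables -A INPUT -p tcp -s 0/0 --dport 25 -j ACCEPT
iptables -A OUTPUT -p tcp -d 0/0 --sport 25 -j ACCEPT
iptables -A INPUT -p tcp -s 0/0 --dport 110 -j ACCEPT
iptables -A OUTPUT -p tcp -d 0/0 --sport 110 -j ACCEPT
######### Blocking P2P networks (layer7 match) #############################
# Requires the layer7 netfilter patch/module; every one of these fails to
# load on a kernel without it. The original had "--17proto" (digit one) on the
# emule and limewire lines, which iptables rejects as an unknown option.
iptables -A FORWARD -m layer7 --l7proto edonkey -j DROP
iptables -A FORWARD -m layer7 --l7proto fasttrack -j DROP
iptables -A FORWARD -m layer7 --l7proto bittorrent -j DROP
iptables -A FORWARD -m layer7 --l7proto gnutella -j DROP
iptables -A FORWARD -m layer7 --l7proto napster -j DROP
iptables -A FORWARD -m layer7 --l7proto emule -j DROP
iptables -A FORWARD -m layer7 --l7proto limewire -j DROP
#iptables -A FORWARD -m layer7 --l7proto ares -j DROP
# Kazaa
iptables -A FORWARD -d 213.248.112.0/24 -j REJECT
iptables -A FORWARD -p tcp --dport 1214 -j REJECT
# NOTE(review): rules that match on a hostname (-d cs.yahoo.com, etc.) are
# resolved once, when the rule is loaded: iptables inserts one rule per
# address returned, inserts nothing if resolution fails, and never follows
# later DNS changes. Name-based blocking is more reliably done in the proxy
# (Squid ACLs) than here.
# Yahoo Messenger
iptables -A FORWARD -d cs.yahoo.com -j REJECT
iptables -A FORWARD -d scsa.yahoo.com -j REJECT
# BitTorrent
# The original rule here combined "-j DNAT --to dest 192.168.0.2" with a
# second "-j REJECT" on one line and wrote the range as "6881.6889"; iptables
# refuses both (multiple targets, malformed port range), so that rule never
# loaded and the FORWARD REJECT below was the effective one. Only it is kept.
iptables -A FORWARD -p tcp -i eth0 --dport 6881:6889 -d 192.168.0.2 -j REJECT
# MSN Messenger (MSNP, 1863): allowed for this host, rejected for the LAN.
# Internal network for the FORWARD rules below. The original passed the
# literal word "LAN", which iptables tries to resolve as a hostname and
# fails on. 192.168.0.0/24 is the internal range used throughout this
# script; override with LAN_NET if the network differs.
lan_net=${LAN_NET:-192.168.0.0/24}
iptables -A INPUT -p tcp -s 0/0 --dport 1863 -j ACCEPT
iptables -A OUTPUT -p tcp -d 0/0 --sport 1863 -j ACCEPT
iptables -A FORWARD -s "$lan_net" -p tcp --dport 1863 -j REJECT
iptables -A FORWARD -s "$lan_net" -d loginnet.passport.com -j REJECT
# Block web messenger (hostname typo "webmesssenger" fixed).
iptables -A FORWARD -s "$lan_net" -d webmessenger.msn.com -j REJECT
# Block Orkut over HTTPS. The original carried forum "[URL=...]" markup around
# the hostname, which iptables would have tried to resolve verbatim.
iptables -A FORWARD -d www.orkut.com -p tcp --dport 443 -j DROP
iptables -A INPUT -d www.orkut.com -p tcp --dport 443 -j DROP
iptables -A FORWARD -d orkut.com -p tcp --dport 443 -j DROP
iptables -A INPUT -d orkut.com -p tcp --dport 443 -j DROP
echo "[OK]"
# ---- Outbound rules (original heading: LIBERANDO SAIDA) ---------------------
printf '%s' "SAIDA DOS SERVIçOS EXT.........................."
# All locally originated traffic is allowed: the NEW state here plus the
# unconditional "-j ACCEPT" below make the OUTPUT chain effectively open, so
# the per-port OUTPUT rules above are documentation only.
iptables -A OUTPUT -m state --state ESTABLISHED,RELATED,NEW -j ACCEPT
# Loopback.
iptables -A OUTPUT -o lo -j ACCEPT
iptables -A OUTPUT -j ACCEPT
echo "[OK]"
# ---- NAT for the internal network (original heading: NAT REDE INTERNA) ------
printf '%s' "NAT REDE INTERNA..............................."
# VNC outbound on 5900 from 192.168.0.250.
iptables -A FORWARD -p tcp -s 192.168.0.250 -d 0/0 --dport 5900 -j ACCEPT
iptables -A FORWARD -p tcp -d 0/0 -s 192.168.0.250 --sport 5900 -j ACCEPT
# NOTE(review): unrelated to VNC -- SSH aimed at 192.168.0.250 is sent to
# 10.1.1.5 instead, on any interface. Confirm this is intended.
iptables -t nat -A PREROUTING -d 192.168.0.250 -p tcp --dport 22 -j DNAT --to-destination 10.1.1.5
iptables -A FORWARD -i ppp0 -o eth1 -p tcp --dport 5900 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i eth1 -o ppp0 -p tcp --dport 5900 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
# Inbound VNC 5900 to 192.168.0.250. The original matched -d 0/0 on every
# interface, so a LAN client on eth1 connecting to *any* VNC server was also
# redirected to 192.168.0.250; the internal interface is now excluded.
iptables -t nat -A PREROUTING ! -i eth1 -p tcp -d 0/0 --dport 5900 -j DNAT --to 192.168.0.250:5900
# VNC return traffic on 5900.
iptables -A FORWARD -i ppp0 -o eth1 -p tcp --sport 5900 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i eth1 -o ppp0 -p tcp --sport 5900 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
# The original also had PREROUTING DNAT rules keyed on --sport 5900/5800.
# The nat table only sees the first packet of a connection and conntrack
# un-NATs the replies, so such a rule never matches VNC return traffic; it
# only catches fresh inbound connections that happen to come *from* port
# 5900/5800 and sends them to the VNC host. Those rules are removed.
# VNC outbound on 5800.
iptables -A FORWARD -p tcp -s 192.168.0.250 --dport 5800 -j ACCEPT
iptables -A FORWARD -p tcp -d 192.168.0.250 --sport 5800 -j ACCEPT
iptables -A FORWARD -i ppp0 -o eth1 -p tcp --dport 5800 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i eth1 -o ppp0 -p tcp --dport 5800 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
# Inbound VNC 5800 to 192.168.0.250, internal interface excluded (see above).
iptables -t nat -A PREROUTING ! -i eth1 -p tcp -d 0/0 --dport 5800 -j DNAT --to 192.168.0.250:5800
# VNC return traffic on 5800.
iptables -A FORWARD -i ppp0 -o eth1 -p tcp --sport 5800 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i eth1 -o ppp0 -p tcp --sport 5800 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
# VNC DNAT on eth0 ##############################
iptables -t nat -A PREROUTING -p tcp -i eth0 --dport 5800 -j DNAT --to-destination 192.168.0.250:5800
iptables -t nat -A PREROUTING -p tcp -i eth0 --dport 5900 -j DNAT --to-destination 192.168.0.250:5900
# The original cross-mapped the UDP rules (5900 -> :5800 and 5800 -> :5900),
# which reads as a copy/paste slip; each port now maps to itself.
iptables -t nat -A PREROUTING -p udp -i eth0 --dport 5900 -j DNAT --to-destination 192.168.0.250:5900
iptables -t nat -A PREROUTING -p udp -i eth0 --dport 5800 -j DNAT --to-destination 192.168.0.250:5800
# NOTE(review): the next rule forwards *every* new TCP connection arriving on
# eth0, to any internal host and port. If eth0 is the uplink this makes all
# the per-port FORWARD ACCEPTs in this script moot and exposes anything the
# DNAT rules (or routing) can reach. Restrict it to
# "-m state --state ESTABLISHED,RELATED" once every forwarded service has
# its own --dport ACCEPT (3389, 2910 and 8080 already do; 5800/5900 only via
# ppp0 above). Left unchanged here because the uplink interface is not
# certain from this script.
iptables -A FORWARD -p tcp -i eth0 -j ACCEPT
iptables -A FORWARD -p tcp -o eth0 -j ACCEPT
# Terminal Services (RDP 3389) to 192.168.0.250 ######################
iptables -A FORWARD -p tcp -i eth0 --dport 3389 -j ACCEPT
iptables -A FORWARD -p tcp -o eth0 --sport 3389 -j ACCEPT
iptables -t nat -A PREROUTING -p tcp -i eth0 --dport 3389 -j DNAT --to-destination 192.168.0.250:3389
############ SSH: external 2910 -> 192.168.0.1:2209 #########
iptables -A FORWARD -p tcp -i eth0 --dport 2910 -j ACCEPT
iptables -A FORWARD -p tcp -o eth0 --sport 2910 -j ACCEPT
iptables -t nat -A PREROUTING -p tcp -i eth0 --dport 2910 -j DNAT --to-destination 192.168.0.1:2209
############### Web server: external 8080 -> 192.168.0.1:8080 ##################
iptables -A FORWARD -p tcp -i eth0 --dport 8080 -j ACCEPT
iptables -A FORWARD -p tcp -o eth0 --sport 8080 -j ACCEPT
iptables -t nat -A PREROUTING -p tcp -i eth0 --dport 8080 -j DNAT --to-destination 192.168.0.1:8080
############### Transparent Squid redirect for the LAN (eth1) ####################
# NOTE(review): redirecting UDP 80/443 into a TCP proxy port cannot be
# answered by Squid; it effectively drops that traffic. Redirecting TCP 443
# to 3128 breaks HTTPS for clients unless Squid is set up to intercept TLS.
iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 80 -j REDIRECT --to-port 3128
iptables -t nat -A PREROUTING -i eth1 -p udp --dport 80 -j REDIRECT --to-port 3128
iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 443 -j REDIRECT --to-port 3128
iptables -t nat -A PREROUTING -i eth1 -p udp --dport 443 -j REDIRECT --to-port 3128
echo "[OK]"
# ---- Internet sharing (original heading: LIBERANDO INTERNET) ----------------
# Enable IPv4 routing and masquerade everything leaving through eth0.
echo "1" > /proc/sys/net/ipv4/ip_forward
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE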