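#!/bin/sh
## FIREWALL START/RESTART/STOP
## Usage: firewall {start|restart|stop}
##   start/restart - set DROP policies, flush every table and load the rule set
##   stop          - flush every table and set ACCEPT policies (host left unprotected)
## Must run as root (iptables, modprobe and the /proc/sys write need it).
set -u   # a typo in a variable name must fail loudly, not become "" inside a rule

## NETWORK INTERFACE VARIABLES
NET=eth0              # external (Internet) interface
RLOCAL=eth1           # internal (LAN) interface
REDE="172.18.0.0/24"  # LAN address range
VPN='10.0.0.0/24'     # VPN range; no rule below references it (kept as in the original)
readonly NET RLOCAL REDE VPN

# External hosts the LAN may reach directly over TCP (bypassing the port-80
# REDIRECT to the proxy) and that are explicitly accepted in FORWARD.
DESTINOS_DIRETOS="200.241.32.197 201.49.164.105"
readonly DESTINOS_DIRETOS

#######################################
# Load the netfilter modules the rules depend on.
# A module that fails to load is reported on stderr but does not abort the
# script: the DROP policies set before the rules keep the host closed if a
# rule then fails to install.
#######################################
carregar_modulos() {
  mod=
  for mod in ip_tables iptable_nat iptable_filter ip_conntrack ip_nat_ftp \
      ip_conntrack_ftp ipt_MASQUERADE ipt_LOG; do
    modprobe "$mod" || echo "aviso: modulo $mod nao carregado" >&2
  done
}

#######################################
# Remove every rule and user-defined chain from the filter, nat and mangle
# tables. Chain policies are not touched here; the callers set them.
#######################################
limpar_regras() {
  tabela=
  for tabela in filter nat mangle; do
    iptables -t "$tabela" -F
    iptables -t "$tabela" -X
  done
}

#######################################
# Allow the LAN to reach one external host directly over TCP.
# In the nat table ACCEPT ends PREROUTING processing for that destination, so
# the port-80 REDIRECT appended later never applies to it; the FORWARD rule
# lets the traffic through the gateway.
# Arguments: $1 - destination IP address
#######################################
liberar_destino() {
  iptables -t nat -I PREROUTING -p tcp --dport 443 -s "$REDE" -d "$1" -j ACCEPT
  iptables -t nat -A PREROUTING -p tcp -d "$1" -j ACCEPT
  iptables -A FORWARD -p tcp -d "$1" -j ACCEPT
}

#######################################
# Build the complete rule set from scratch (start/restart).
# Globals: NET, RLOCAL, REDE, DESTINOS_DIRETOS (read)
#######################################
iniciar_firewall() {
  echo "Firewall - "
  carregar_modulos

  # DEFAULT POLICY (DENY EVERYTHING). Set before flushing so that a restart
  # never has a window in which the old rules are gone and traffic still passes.
  iptables -P INPUT DROP
  iptables -P OUTPUT DROP
  iptables -P FORWARD DROP

  ## CLEAR PREVIOUS RULES
  limpar_regras

  ## SHARE THE INTERNET CONNECTION (dynamic external IP -> MASQUERADE)
  iptables -t nat -A POSTROUTING -o "$NET" -j MASQUERADE
  ## ENABLE ROUTING
  echo "1" > /proc/sys/net/ipv4/ip_forward \
    || echo "aviso: nao foi possivel ativar ip_forward" >&2

  ## LOOPBACK: the host may always talk to itself
  iptables -A INPUT -i lo -j ACCEPT
  iptables -A OUTPUT -o lo -j ACCEPT

  ### Outgoing DNS (UDP only) from the gateway itself ###
  iptables -A OUTPUT -o "$NET" -p udp --dport 53 -j ACCEPT

  ## ACCEPT THE LOCAL NETWORK -- only when it arrives on the LAN interface.
  ## Without "-i $RLOCAL" a packet coming in on the external interface with a
  ## forged 172.18.0.0/24 source address would be accepted by this rule.
  iptables -A INPUT -i "$RLOCAL" -s "$REDE" -j ACCEPT

  #################### Protection against malformed packets
  # Port scanners, Ping of Death, DoS, SYN flood, etc. (FORWARD chain only)
  iptables -A FORWARD -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT
  iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
  iptables -A FORWARD -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit 1/s -j ACCEPT
  iptables -A FORWARD -p tcp --tcp-flags ALL SYN,ACK -j DROP

  ### VPN (UDP 5200 from the Internet; tun+ interfaces fully trusted)
  iptables -A INPUT -i "$NET" -p udp --dport 5200 -j ACCEPT
  iptables -A INPUT -i tun+ -j ACCEPT
  iptables -A FORWARD -i tun+ -j ACCEPT
  iptables -A OUTPUT -o tun+ -j ACCEPT

  ## External hosts reached directly (proxy bypass)
  ip=
  for ip in $DESTINOS_DIRETOS; do
    liberar_destino "$ip"
  done

  ## Downloads from the gateway itself on 8081/8084/8090
  iptables -A OUTPUT -o "$NET" -p tcp --dport 8081 -j ACCEPT
  iptables -A OUTPUT -o "$NET" -p tcp --dport 8084 -j ACCEPT
  iptables -A OUTPUT -o "$NET" -p tcp --dport 8090 -j ACCEPT

  ### Allow ping traffic, external network ###
  # NOTE(review): this accepts every ICMP type from the Internet into INPUT
  # without the 1/s limit applied to echo-request in FORWARD above.
  iptables -A INPUT -i "$NET" -p icmp -j ACCEPT
  iptables -A OUTPUT -o "$NET" -p icmp -j ACCEPT
  iptables -A FORWARD -o "$NET" -p icmp -j ACCEPT
  ### Allow ping traffic, internal network ###
  iptables -A INPUT -i "$RLOCAL" -p icmp -j ACCEPT
  iptables -A OUTPUT -o "$RLOCAL" -p icmp -j ACCEPT
  iptables -A FORWARD -o "$RLOCAL" -p icmp -j ACCEPT

  ## Mail server SMTP (25) POP3 (110) ##
  iptables -A FORWARD -o "$NET" -p tcp --dport 25 -j ACCEPT
  iptables -A FORWARD -o "$NET" -p tcp --dport 110 -j ACCEPT
  ## Terminal Server (3389); LAN-bound RDP is logged before being accepted
  iptables -A FORWARD -o "$NET" -p tcp --dport 3389 -j ACCEPT
  iptables -A FORWARD -o "$RLOCAL" -p tcp --dport 3389 -j LOG
  iptables -A FORWARD -o "$RLOCAL" -p tcp --dport 3389 -j ACCEPT
  ## Port 8080 towards the LAN
  iptables -A FORWARD -o "$RLOCAL" -p tcp --dport 8080 -j ACCEPT
  ## SSH (22)
  iptables -A FORWARD -o "$NET" -p tcp --dport 22 -j ACCEPT
  iptables -A FORWARD -o "$RLOCAL" -p tcp --dport 22 -j ACCEPT
  ## VPN server (UDP 5200)
  iptables -A FORWARD -o "$NET" -p udp --dport 5200 -j ACCEPT
  iptables -A FORWARD -o "$RLOCAL" -p udp --dport 5200 -j ACCEPT

  ### Internal network, LAN-to-LAN traffic on the LAN interface ###
  iptables -A INPUT -i "$RLOCAL" -p udp -s "$REDE" -d "$REDE" -j ACCEPT
  iptables -A INPUT -i "$RLOCAL" -p tcp -s "$REDE" -d "$REDE" -j ACCEPT
  iptables -A OUTPUT -o "$RLOCAL" -p udp -s "$REDE" -d "$REDE" -j ACCEPT
  iptables -A OUTPUT -o "$RLOCAL" -p tcp -s "$REDE" -d "$REDE" -j ACCEPT

  # Transparent proxy: LAN web traffic (port 80) is redirected to 3128.
  # Must come after liberar_destino so the direct destinations skip it.
  iptables -t nat -A PREROUTING -i "$RLOCAL" -p tcp --dport 80 -j REDIRECT --to-port 3128

  ## Keep established connections working
  # (FORWARD already has this rule near the top of the chain; a second copy
  # there could never match, so it is not repeated.)
  iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
  iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

  # Anything from the Internet not matched above is dropped explicitly
  # (the DROP policy already covers it; kept for clarity and for logging tools).
  iptables -A INPUT -i "$NET" -p tcp --syn -j DROP
  # Close every port up to 32000 on the external interface
  iptables -A INPUT -i "$NET" -p tcp --dport :32000 -j DROP
}

#######################################
# Disable the firewall (stop): flush every table and open the policies, so
# the warning printed is actually true. ip_forward is left as it is.
#######################################
parar_firewall() {
  echo "CUIDADO SUA MAQUINA ESTA SEM FIREWALL - ATENCAO!!!..."
  limpar_regras
  iptables -P INPUT ACCEPT
  iptables -P OUTPUT ACCEPT
  iptables -P FORWARD ACCEPT
}

## DISPATCH ON THE REQUESTED ACTION (${1-} so a missing argument still reaches *)
case "${1-}" in
  start|restart)
    iniciar_firewall
    ;;
  stop)
    parar_firewall
    ;;
  *)
    echo "Digite start, restart ou stop para ativar/reativar/desativar"
    exit 1
    ;;
esac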