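#!/bin/bash
# Firewall Linux
#
# Rebuilds the whole iptables ruleset for a small gateway: flushes the current
# rules, loads the NAT/filter helper modules, enables forwarding and
# masquerading for the internal network, redirects LAN web traffic to a local
# proxy on port 3128, and forwards (DNAT) a set of WAN ports to the internal
# server. Run as root; re-running is safe because everything is flushed first.
#
# NOTE(review): the default policies below are left commented out, exactly as
# in the original, so every chain stays at ACCEPT. In that state the ACCEPT
# rules are no-ops and only the explicit DROP rules have any effect; anything
# not listed here is still reachable from the WAN. Enabling the DROP policies
# also requires the ESTABLISHED,RELATED rules (see that section).

######## Variables
LAN=eth0               # internal interface (not referenced by any rule below)
WAN=eth2               # external interface; DNAT and traceroute rules match on it
LW=eth+                # wildcard for every eth interface (not referenced below)
REDE=192.168.0.0/24    # internal network
SERVIDOR=192.168.0.100 # internal server that receives the port forwards

#######################################
# Accept a service on INPUT/FORWARD and DNAT it from the WAN to $SERVIDOR.
# Globals:   WAN (read), SERVIDOR (read)
# Arguments: $1 - protocol (tcp or udp)
#            $2 - port exposed on the WAN interface
#            $3 - port on the server (defaults to $2)
# Returns:   status of the last iptables call
#######################################
forward_to_server() {
  local proto=$1 port=$2 dest=${3:-$2}
  iptables -A INPUT -p "$proto" --dport "$port" -j ACCEPT
  # FORWARD sees the packet after DNAT, so it must match the server-side port.
  iptables -A FORWARD -p "$proto" --dport "$dest" -j ACCEPT
  # The original omitted --to-destination, which iptables rejects as an
  # unknown argument, so none of the port forwards were ever installed.
  iptables -t nat -A PREROUTING -p "$proto" -i "$WAN" --dport "$port" \
    -j DNAT --to-destination "${SERVIDOR}:${dest}"
}

######## Flush rules and delete user-defined chains
# Each step stands on its own. The original chained them with a trailing "&&",
# which silently made the first modprobe conditional on the flush succeeding.
iptables -F
iptables -X
iptables -t nat -F
iptables -t nat -X

######## Load kernel modules
modprobe ip_nat_ftp
modprobe iptable_nat
modprobe ip_nat_pptp
modprobe ip_gre
modprobe ipt_LOG
modprobe ipt_REJECT
modprobe ipt_MASQUERADE

######## Default policies
# Kept disabled as in the original (which also had a typo, "iptalbes", on the
# OUTPUT line). If these are enabled, the two state rules must be enabled too,
# otherwise replies to every outbound connection are dropped.
#iptables -P INPUT DROP
#iptables -P FORWARD DROP
#iptables -P OUTPUT DROP
#iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
#iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

######## Inbound, filtering and redirection rules
######## Allow packets coming from the local network
# Originally both commands sat on one line, so the second "iptables" was
# passed as an argument to the first and the FORWARD rule was never added.
iptables -A INPUT -p tcp -s "$REDE" -j ACCEPT
iptables -A FORWARD -p tcp -s "$REDE" -j ACCEPT

######## Allow SSH (listening on 2530)
iptables -A INPUT -p tcp --dport 2530 -j ACCEPT
iptables -A FORWARD -p tcp --dport 2530 -j ACCEPT

######## Open the Contas ERP software registration port
######## and forward it to the server
forward_to_server tcp 211

######## Open Webmin for external access
# NOTE(review): this accepts port 10000 from any source; restricting it with
# "-s <trusted address>" would limit exposure of the admin interface.
iptables -A INPUT -p tcp --dport 10000 -j ACCEPT
iptables -A FORWARD -p tcp --dport 10000 -j ACCEPT

######## Open Windows Terminal Services (RDP)
######## and forward it to the server
# NOTE(review): RDP reachable from any WAN address; consider a source filter.
forward_to_server tcp 3389

######## Open port 3050 for Ema GED
######## and forward it to the server
forward_to_server tcp 3050

######## Open the OpenFire (Jabber) ports
######## and forward them to the server
forward_to_server tcp 5222
forward_to_server tcp 5269

######## Open OpenVPN
######## and forward it to the server
# The INPUT/FORWARD rules accept UDP 5000 but the original DNAT matched TCP,
# so the forward never applied; the helper keeps all three on the same protocol.
forward_to_server udp 5000

######## Allow access to Filezilla Server (FTP)
######## and forward WAN port 2121 to port 21 on the server
forward_to_server tcp 2121 21

######## Other ports (LAN clients reaching the Internet)
iptables -A FORWARD -p tcp --dport 995 -j ACCEPT  # POP3 over TLS
iptables -A FORWARD -p tcp --dport 465 -j ACCEPT  # SMTP over TLS
iptables -A FORWARD -p tcp --dport 80 -j ACCEPT   # HTTP
iptables -A FORWARD -p tcp --dport 443 -j ACCEPT  # HTTPS

######## Share the connection (NAT)
echo 1 > /proc/sys/net/ipv4/ip_forward
# NOTE(review): no "-o $WAN" here, so traffic from the LAN is masqueraded on
# every outgoing interface, as in the original; confirm that is intended.
iptables -t nat -A POSTROUTING -s "$REDE" -j MASQUERADE

# Transparent proxy: LAN web traffic is redirected to the local proxy on 3128.
iptables -t nat -A PREROUTING -p tcp -s "$REDE" --dport 80 -j REDIRECT --to-port 3128
# NOTE(review): redirecting 443 to the same port only works if the proxy is
# set up to intercept TLS; otherwise LAN HTTPS breaks. Confirm with the proxy.
iptables -t nat -A PREROUTING -p tcp -s "$REDE" --dport 443 -j REDIRECT --to-port 3128

# Allow VPN (PPTP): GRE, protocol 47, plus the control channel on 1723.
iptables -A INPUT -p 47 -j ACCEPT
iptables -A FORWARD -p 47 -j ACCEPT
iptables -A INPUT -p tcp --dport 1723 -j ACCEPT
iptables -A OUTPUT -p tcp --sport 1723 -j ACCEPT
# PPTP control uses TCP only; the UDP rules are kept from the original.
iptables -A INPUT -p udp --dport 1723 -j ACCEPT
iptables -A OUTPUT -p udp --sport 1723 -j ACCEPT
iptables -A FORWARD -p tcp --dport 1723 -j ACCEPT
iptables -A FORWARD -p udp --sport 1723 -j ACCEPT

# Open the loopback interface
iptables -A INPUT -i lo -j ACCEPT

# Ignore pings (note this also hides the gateway from ICMP-based monitoring)
iptables -A INPUT -p icmp --icmp-type echo-request -j DROP

# Protect against spoofing. "default" only applies to interfaces created
# later; "all" is needed for the ones that already exist.
echo 1 > /proc/sys/net/ipv4/conf/default/rp_filter
echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter

# Drop malformed packets (protects against several kinds of attack)
iptables -A INPUT -m state --state INVALID -j DROP

# Rate-limit forwarded ICMP echo requests ("ping of death"); disabled as in
# the original. There the rule was split over two lines, so the second half
# ran as a command named "echo-request" and failed; "-m limit" also needs
# "--limit".
#iptables -A FORWARD -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT

# Protect against stealth scanners (disabled as in the original)
#iptables -A INPUT -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit 1/s -j ACCEPT

# Block traceroute probes arriving on the WAN (was hard-coded to eth2)
iptables -A INPUT -p udp -s 0/0 -i "$WAN" --dport 33435:33525 -j DROP

echo 'Firewall iniciado!'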