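#!/bin/bash
# Script IPTABLES — flushes the current ruleset, loads the netfilter
# modules and installs a blocklist-style firewall (anti-spoofing, two
# classic trojan ports, NAT/masquerading and optional SSH / Squid /
# Terminal-Service / IM / P2P / spyware rules) driven by ./variaveis.
#
# Usage: run as root from the directory that holds `variaveis` and
#        `bloqueios/` (both are read relative to $PWD).
#
# Read from variaveis (only what this script uses):
#   MOD                         module-loading command (e.g. modprobe)
#   SSH SQUID TS YAHOO MSN      'S'/'s' enables the matching section
#   ICQ AIM P2P SPY
#   INT_REDE SQUID_PORT         LAN interface / Squid port (Squid section)
#   TERM_IP                     Terminal Service host (TS section)
#   OUT_IFACE                   external interface (P2P section)
#
# NOTE(review): no chain policy is ever set (`iptables -P`), so after the
# flush the default policy stays whatever it already was (normally ACCEPT)
# and only the explicit DROP/REJECT rules below filter traffic.

# Was `WORKING = $PWD` (spaces), which ran a command named WORKING instead
# of assigning, so $WORKING stayed empty and `/variaveis` was sourced.
WORKING=$PWD

#######################################
# Prints a message to stderr and aborts.
# Arguments: message words
#######################################
die() {
  printf '%s\n' "$*" >&2
  exit 1
}

#######################################
# Prints the green "[OK]" marker that closes every progress line.
#######################################
ok() {
  printf " \033[40;32m [OK] \033[m\n"
}

# Everything below writes to /proc and the netfilter tables.
[ "$(id -u)" -eq 0 ] || die "Este script precisa ser executado como root."

# variaveis is executed (sourced) as root from the current directory; fail
# loudly when it is missing instead of continuing with unset variables.
[ -r "$WORKING/variaveis" ] || die "Arquivo nao encontrado: $WORKING/variaveis"
. "$WORKING/variaveis"
[ -n "$MOD" ] || die "MOD nao definido em $WORKING/variaveis"

clear
echo '############################################################################################################################'
echo '# #'
echo '# #'
echo '# Script IPTABLES #'
echo '# by White_Tiger - [email][email protected][/email] #'
echo '# #'
echo '# #'
#
echo '############################################################################################################################'
echo ''
echo ''

# Flush every chain and delete user-defined chains in all three tables.
# Chain policies are left untouched (see the note at the top).
printf "Limpando as Regras."
for table in filter nat mangle; do
  iptables -t "$table" -F
  iptables -t "$table" -X
done
ok

# Forwarding stays off while the ruleset is rebuilt; it is re-enabled at
# the very end so nothing is routed through a half-built firewall.
printf "Desabilitando o tráfego entre as placas de rede."
echo "0" > /proc/sys/net/ipv4/ip_forward
ok

iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

# Reverse-path filtering on every interface (anti-spoofing).
printf "Configurando a proteção anti-spoofing."
for spoofing in /proc/sys/net/ipv4/conf/*/rp_filter; do
  echo "1" > "$spoofing"
done
ok

# Remove ipchains modules to avoid conflicts (kept disabled, as before)
#printf "Removendo módulos do ipchains."
#rmmod ipchains
#printf " \033[40;32m [OK] \033[m\n"

# Load the iptables modules. $MOD is deliberately unquoted: it may carry
# its own options (e.g. "modprobe -q").
printf "Inserindo modulos iptables."
for module in ip_tables ip_nat_ftp ip_conntrack_ftp ipt_MASQUERADE iptable_nat ip_conntrack iptable_filter; do
  # shellcheck disable=SC2086 -- MOD may include options
  $MOD "$module"
done
ok

# Log and drop the classic Wincrash / NetBus trojan ports.
printf "Barrando Wincrash."
iptables -A INPUT -p tcp --dport 5042 -j LOG --log-prefix "Serviço: Wincrash"
iptables -A INPUT -p tcp --dport 5042 -j DROP
ok
printf "Barrando NetBus."
iptables -A INPUT -p tcp --dport 12345 -j LOG --log-prefix "Serviço: NetBus"
iptables -A INPUT -p tcp --dport 12345 -j DROP
ok

# DoS protection (kept disabled, as before; the `unclean` match is obsolete)
#printf "Protegendo contra ataque DoS."
#iptables -A FORWARD -m unclean -j DROP
#printf " \033[40;32m [OK] \033[m\n"

# Masquerade everything leaving eth0. The interface is hard-coded here
# while the P2P section uses $OUT_IFACE — TODO confirm they are the same.
printf "Fazendo Nat na rede."
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
ok

# Optionally drop inbound SSH to the firewall host itself.
case "$SSH" in
  'S'|'s')
    printf "Bloqueando Acesso por SSH."
    iptables -A INPUT -p tcp --destination-port 22 -j DROP
    ok
    ;;
esac

# Transparent proxy: redirect LAN HTTP (arriving on INT_REDE) to Squid.
case "$SQUID" in
  'S'|'s')
    printf "Redirecionando a porta 80 para server squid na porta 3128."
    iptables -t nat -A PREROUTING -i "$INT_REDE" -p tcp --dport 80 -j REDIRECT --to-port "$SQUID_PORT"
    # Was `itables` (typo → command not found) with the port hard-coded to
    # 3128; use the same SQUID_PORT the REDIRECT above targets. The source
    # network is still hard-coded — TODO confirm it is the LAN on INT_REDE.
    iptables -A FORWARD -s 192.168.1.0/24 -p tcp --dport "$SQUID_PORT" -j ACCEPT
    ok
    ;;
esac

# Forward RDP (3389) to the Terminal Service host. There is no -i match,
# so 3389 arriving on any interface, external included, is forwarded.
case "$TS" in
  S|s)
    printf "Redirecionando porta 3389 para Terminal Service."
    iptables -A PREROUTING -t nat -p tcp --dport 3389 -j DNAT --to "$TERM_IP"
    ok
    ;;
esac

# The IM sections below match on host names: iptables resolves each name
# once, at rule-insertion time, and the rule fails if DNS is unavailable.
case "$YAHOO" in
  S|s)
    printf "Bloqueando o Yahoo Messenger."
    iptables -A FORWARD -d cs.yahoo.com -j REJECT
    iptables -A FORWARD -d scsa.yahoo.com -j REJECT
    ok
    ;;
esac

case "$MSN" in
  S|s)
    printf "Bloqueando o MSN Messenger."
    iptables -A FORWARD -p tcp --dport 1863 -j REJECT
    iptables -A FORWARD -d 64.4.13.0/24 -j REJECT
    ok
    ;;
esac

case "$ICQ" in
  S|s)
    printf "Bloqueando o ICQ."
    iptables -A FORWARD -p tcp --dport 5190 -j REJECT
    iptables -A FORWARD -d login.icq.com -j REJECT
    ok
    ;;
esac

case "$AIM" in
  S|s)
    printf "Bloqueando o AIM"
    iptables -A FORWARD -d login.oscar.aol.com -j REJECT
    ok
    ;;
esac

# P2P blocklist. All rules are REJECT/DROP, so collapsing the duplicates
# the original appended (tcp/6346 five times, tcp/1214 twice) changes the
# rule count but not what gets filtered.
case "$P2P" in
  S|s)
    printf "Bloqueando P2Ps."
    #iMesh
    iptables -A FORWARD -d 216.35.208.0/24 -j REJECT
    #Gnutella family: BearShare, ToadNode, Limewire, GNUTella
    iptables -A FORWARD -p tcp --dport 6346 -j REJECT
    #WinMX
    iptables -A FORWARD -d 209.61.186.0/24 -j REJECT
    iptables -A FORWARD -d 64.49.201.0/24 -j REJECT
    #Napigator
    iptables -A FORWARD -d 209.25.178.0/24 -j REJECT
    #Morpheus / KaZaA (FastTrack, tcp/1214)
    iptables -A FORWARD -d 206.142.53.0/24 -j REJECT
    iptables -A FORWARD -p tcp --dport 1214 -j REJECT
    iptables -A FORWARD -d 213.248.112.0/24 -j REJECT
    # KaZaA address list, one address or network per line; the old
    # `for IP in \`cat ...\`` also word-split and left $IP unquoted.
    kazaa_list=$WORKING/bloqueios/ip-kazaa-10.txt
    if [ -r "$kazaa_list" ]; then
      while read -r IP _ || [ -n "$IP" ]; do
        [ -n "$IP" ] || continue
        iptables -A FORWARD -i "$OUT_IFACE" -d "$IP" -j DROP
      done < "$kazaa_list"
    else
      printf '\naviso: lista nao encontrada: %s\n' "$kazaa_list" >&2
    fi
    #Audiogalaxy
    iptables -A FORWARD -d 64.245.58.0/23 -j REJECT
    #eDonkey
    iptables -A FORWARD -p tcp --dport 4661:4662 -j REJECT
    iptables -A FORWARD -p udp --dport 4665 -j REJECT
    #Napster
    iptables -A FORWARD -d 64.124.41.0/24 -j REJECT
    ok
    ;;
esac

# Spyware blocklist. The original ran `cat file cut -d : -f1` (missing
# pipe), i.e. it tried to cat files named "cut", ":" and "-f1". Read the
# file directly and take the text before the first ':' as cut intended.
case "$SPY" in
  S|s)
    printf "Bloqueando SPYWARES."
    spy_list=$WORKING/bloqueios/spyware
    CONT=0
    if [ -r "$spy_list" ]; then
      # IFS holds ':' plus whitespace, so SPYW is the first field with
      # surrounding blanks stripped; blank lines yield "" and are skipped.
      while IFS=$': \t' read -r SPYW _ || [ -n "$SPYW" ]; do
        [ -n "$SPYW" ] || continue
        iptables -A INPUT -s "$SPYW" -j DROP
        CONT=$((CONT + 1))
        # progress dot every 110 entries
        if [ "$CONT" -eq 110 ]; then
          printf '.'
          CONT=0
        fi
      done < "$spy_list"
    else
      printf '\naviso: lista nao encontrada: %s\n' "$spy_list" >&2
    fi
    ok
    ;;
esac

# Forwarding back on, now that the complete ruleset is in place.
printf "Habilitanto o tráfego entre as redes."
echo "1" > /proc/sys/net/ipv4/ip_forward
ok
printf "\n\n"
printf "Instalação do Firewall completa. \033[40;32m [OK] \033[m\n"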