#!/bin/bash
# chkconfig: 345 98 110
# description: Inicialização do firewall
# Absolute paths of the two tools every function below drives.
IPTABLES=/sbin/iptables
MODPROBE=/sbin/modprobe
#######################################
# Print the rules of the filter table (nat and mangle are not shown).
# NOTE: -L without -n makes iptables resolve addresses via DNS, so the
# listing can be slow when name resolution is unavailable.
# Globals:   IPTABLES (read)
# Outputs:   the iptables listing on stdout
# Returns:   the exit status of iptables
#######################################
status() {
  "${IPTABLES}" -L
}
#######################################
# Load the netfilter modules the ruleset depends on (filter, nat,
# connection tracking and the FTP helpers).
# The module names are the ones used by older kernels; on current kernels
# some of them may no longer exist. A failed modprobe is not treated as
# fatal — its status is ignored, as in the original script.
# Globals:   MODPROBE (read)
# Returns:   the exit status of the last modprobe call
#######################################
carrega_modulos() {
  local modulo
  for modulo in ip_tables iptable_filter iptable_nat ip_nat_ftp \
      ip_conntrack ip_conntrack_ftp; do
    "${MODPROBE}" "${modulo}"
  done
}
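#######################################
# Flush every rule and delete every user-defined chain in the filter, nat
# and mangle tables. The original issued the same flushes several times
# over (per chain and per table); one -F/-X pair per table reaches the
# same end state.
# NOTE: no chain policy is touched here and start() never sets one, so
# after stop() the kernel default (ACCEPT) applies to every chain and the
# host passes all traffic unfiltered until start() runs again.
# Globals:   IPTABLES (read)
# Outputs:   whatever iptables prints (errors on stderr)
# Returns:   the exit status of the last iptables call
#######################################
stop() {
  local table
  for table in filter nat mangle; do
    # Flush first: -X only removes chains that are empty and unreferenced.
    "${IPTABLES}" -t "${table}" -F
    "${IPTABLES}" -t "${table}" -X
  done
}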
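#######################################
# Load the netfilter modules and install the complete ruleset.
# The previous ruleset is flushed first (stop), and the status of every
# iptables call is ignored, as in the original: a rule that fails to load
# is skipped and the remaining rules are still installed.
# Globals:   IPTABLES, MODPROBE (read)
#            IPInternet (read) - public address of the link; must be set
#            by the caller/environment, there is no usable default
#            ETHInternet, ETHLocal, IPLocal, SSH_ADMIN_NET (written)
# Outputs:   progress messages on stdout, errors on stderr
# Returns:   1 when IPInternet is empty, otherwise the status of the
#            last command
#######################################
start() {
  # The original had a placeholder instead of an address here, which left
  # $IPInternet empty and made the SNAT rule below fail. Refuse to run
  # before the current rules are flushed, so a misconfiguration does not
  # leave the host without any ruleset.
  if [[ -z "${IPInternet:-}" ]]; then
    printf 'start: defina IPInternet (IP externo do link) antes de iniciar\n' >&2
    return 1
  fi
  stop
  carrega_modulos
  # External interface; not referenced by any rule below.
  ETHInternet=eth0
  echo "IP Internet: " "${IPInternet}"
  ETHLocal=eth1
  IPLocal=192.168.0.0/24
  echo "IP Local: " "${IPLocal}"
  # Source range allowed to reach sshd from outside. A whole /8 is very
  # broad; narrow it to the administrator's real address range.
  SSH_ADMIN_NET=200.0.0.0/8
  ######################### Accept ##########################
  "${IPTABLES}" -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
  "${IPTABLES}" -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
  ##### Loopback traffic in both directions
  "${IPTABLES}" -A INPUT -i lo -j ACCEPT
  ##### Traffic from the internal network ******
  # -i takes an interface name. The original used "-i 192.168.0.3", which
  # only matches an interface literally named that, so the host was in
  # fact accepted by the next rule; -s is the intended match.
  "${IPTABLES}" -A INPUT -s 192.168.0.3 -j REJECT
  "${IPTABLES}" -A INPUT -i "${ETHLocal}" -j ACCEPT
  "${IPTABLES}" -A INPUT -p tcp -s "${SSH_ADMIN_NET}" --dport ssh -j ACCEPT
  ##### Accept HTTP
  #"${IPTABLES}" -A INPUT -p tcp -s 0/0 -m multiport --dport http,https -j ACCEPT
  ##### Accept SMTP
  #"${IPTABLES}" -A INPUT -p tcp -m multiport --dport smtp -j ACCEPT
  #"${IPTABLES}" -A INPUT -p tcp -m multiport --dport pop3 -j ACCEPT
  #### caixa (destination range kept from the original; presumably the bank's site)
  "${IPTABLES}" -A FORWARD -p tcp -s "${IPLocal}" -d 200.201.174.0/24 -j ACCEPT
  #### Block MSN ####
  # Hostname destinations are resolved once, when the rule is inserted: a
  # DNS failure skips that rule, and a later address change is not tracked.
  "${IPTABLES}" -A FORWARD -s "${IPLocal}" -p tcp --dport 1863 -j REJECT
  "${IPTABLES}" -A FORWARD -s "${IPLocal}" -d loginnet.passport.com -j REJECT
  "${IPTABLES}" -A FORWARD -s "${IPLocal}" -d webmessenger.msn.com -j REJECT
  ###################################### LOGGING
  ##### PING
  #"${IPTABLES}" -A INPUT -p icmp --icmp-type echo-request -j LOG --log-level "warning" --log-prefix "Firewall - Ping "
  ##### SSH,TELNET,FTP
  #"${IPTABLES}" -A INPUT -p tcp --dport ssh -j LOG --log-level "warning" --log-prefix "Firewall - sshDENIED "
  #"${IPTABLES}" -A INPUT -p tcp --dport telnet -j LOG --log-level "warning" --log-prefix "Firewall - telnetDENIED "
  #"${IPTABLES}" -A INPUT -p tcp --dport ftp -j LOG --log-level "warning" --log-prefix "Firewall - ftpDENIED"
  ######################################## DROP
  ##### Drop everything else addressed to this host. This is the last
  ##### INPUT rule rather than a chain policy, so it protects the host only
  ##### while the ruleset is loaded (see stop()).
  "${IPTABLES}" -A INPUT -j DROP
  ####################################### FORWARD
  # Drop ping passing through
  #"${IPTABLES}" -A FORWARD -s 192.168.0.100 -j REJECT
  # Everything not rejected above is forwarded, in both directions; nothing
  # limits this to traffic arriving on $ETHLocal.
  "${IPTABLES}" -A FORWARD -j ACCEPT
  ################################### Auxiliary rules
  ##### Lower latency for ssh
  # TOS is a mangle-table target. The original passed both -t nat and
  # -t mangle on this line; which one the installed iptables honours is
  # version-dependent, so name the table once.
  "${IPTABLES}" -t mangle -A PREROUTING -p tcp --dport ssh -j TOS --set-tos Minimize-Delay
  ##### Do not let smtp leave with priority, so it cannot saturate the link
  "${IPTABLES}" -t mangle -A PREROUTING -p tcp --dport smtp -j TOS --set-tos Normal-Service
  ################################### REDIRECTION
  ##### Proxy: transparently send LAN web traffic to the local proxy on 3128
  "${IPTABLES}" -t nat -A PREROUTING -p tcp -i "${ETHLocal}" --dport 80 -j REDIRECT --to-port 3128
  ########################################## NAT
  ##### NAT for the internal network
  "${IPTABLES}" -t nat -N INTERNET
  "${IPTABLES}" -t nat -A INTERNET -s "${IPLocal}" -j SNAT --to "${IPInternet}"
  "${IPTABLES}" -t nat -A POSTROUTING -j INTERNET
  # Routing is switched on only now, with the FORWARD rules in place
  # (the original enabled it before any rule existed). Strict reverse-path
  # filtering on every interface.
  echo 1 > /proc/sys/net/ipv4/ip_forward
  local sysctl
  for sysctl in /proc/sys/net/ipv4/conf/*/rp_filter; do
    echo 1 > "${sysctl}"
  done
  ########################################## END
  echo "Firewall iniciado .............."
}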
# End
#######################################
# Restart the firewall: tear the ruleset down, then build it again.
# (start() flushes on its own as well, so the explicit stop is redundant
# but kept for the visible "Parando" step.)
# Globals:   none of its own; see stop() and start()
# Outputs:   progress messages on stdout
# Returns:   the exit status of start()
#######################################
reload() {
  printf '%s\n' "Parando Firewall."
  stop
  printf '%s\n' "Iniciando Firewall."
  start
}
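# Entry point: dispatch on the init-style action given as $1.
# The usage message goes to stderr so it is not mistaken for status output;
# restart and reload are the same operation.
case "${1:-}" in
  status)
    status
    ;;
  start)
    start
    ;;
  stop)
    stop
    ;;
  restart|reload)
    reload
    ;;
  *)
    printf '%s\n' "Utilize firewall {start|stop|status|restart|reload}" >&2
    exit 1
    ;;
esac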