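#!/bin/sh
#
# by Diogo Borsoi
#
# Firewall / NAT gateway for a small LAN.  Filters traffic addressed to the
# gateway itself (INPUT), forwards the LAN clients that the MAC-binding helper
# script allows, masquerades them behind the public address and forwards one
# VNC port from the public address to an internal host.
#
# Usage: run as root once the interfaces are up (e.g. from rc).
# Requires: iptables with the state, limit, LOG, MASQUERADE, DNAT and TOS
# extensions; /proc/sys/net/ipv4 writable.
#
# The script fails closed: the DROP policies are installed before anything
# else and any failing command aborts the load (set -e), so a half-applied
# ruleset is never more permissive than the finished one.
set -eu

IPTABLES=/usr/local/sbin/iptables
INT_IF=eth1                      # LAN side
EXT_IF=eth0                      # Internet side
LOCAL_NETWORK=10.201.201.0/24
WAN=201.x.x.x                    # public address on $EXT_IF -- replace the placeholder
# Internal host/port reachable from the Internet through the DNAT rule (VNC).
VNC_HOST=10.201.201.4
VNC_PORT=5900
# Helper that binds each client IP to its MAC address and appends the
# LAN -> Internet FORWARD rules.
CLIENTS_SCRIPT=/etc/rc.d/clientes.fw
# Rate limit applied to every LOG rule so a packet flood cannot fill the log.
LOG_LIMIT=5/min
LOG_BURST=10

# die MESSAGE...
# Print MESSAGE on stderr and abort the load.
die() {
  printf 'firewall: %s\n' "$*" >&2
  exit 1
}

# fw_log TABLE CHAIN PREFIX [match ...]
# Append a rate-limited LOG rule to CHAIN in TABLE.  The caller's match
# options are placed before the limit match so the limit counter only ticks
# for packets that already matched them.  ${1+"$@"} instead of "$@" keeps
# older shells happy under set -u when no match option is given.
fw_log() {
  fw_log_table=$1
  fw_log_chain=$2
  fw_log_prefix=$3
  shift 3
  "$IPTABLES" -t "$fw_log_table" -A "$fw_log_chain" ${1+"$@"} \
    -m limit --limit "$LOG_LIMIT" --limit-burst "$LOG_BURST" \
    -j LOG --log-prefix "$fw_log_prefix"
}

[ -x "$IPTABLES" ] || die "$IPTABLES not found or not executable"

##### Default policies #####
# Installed before the flush so there is never a window with the kernel
# defaults (ACCEPT) and no rules.
echo 'Loading chains...'
# filter table
"$IPTABLES" -t filter -P INPUT DROP
"$IPTABLES" -t filter -P OUTPUT ACCEPT
"$IPTABLES" -t filter -P FORWARD DROP
# nat table (only the first packet of each connection is seen here)
"$IPTABLES" -t nat -P PREROUTING ACCEPT
"$IPTABLES" -t nat -P OUTPUT ACCEPT
"$IPTABLES" -t nat -P POSTROUTING DROP
# mangle table
"$IPTABLES" -t mangle -P PREROUTING ACCEPT
"$IPTABLES" -t mangle -P OUTPUT ACCEPT

##### Flush old rules, user chains and counters #####
for table in filter nat mangle; do
  "$IPTABLES" -t "$table" -F
  "$IPTABLES" -t "$table" -X
  "$IPTABLES" -t "$table" -Z
done

##### Anti-spoofing: reverse path filter on every interface #####
for f in /proc/sys/net/ipv4/conf/*/rp_filter; do
  [ -e "$f" ] || continue   # an unmatched glob leaves the literal pattern
  echo 1 > "$f"
done
##### SYN cookies #####
if [ -e /proc/sys/net/ipv4/tcp_syncookies ]; then
  echo 1 > /proc/sys/net/ipv4/tcp_syncookies
fi
##### Packet forwarding (required for NAT) #####
# Enabled only now that the FORWARD policy above is DROP.
echo 1 > /proc/sys/net/ipv4/ip_forward
# Conntrack table size, if it ever needs raising (newer kernels expose it as
# /proc/sys/net/netfilter/nf_conntrack_max):
#echo "8192" > /proc/sys/net/ipv4/ip_conntrack_max

###############################################################
# filter table
###############################################################
##### Chain INPUT #####
"$IPTABLES" -N local-input
"$IPTABLES" -N eth0-input
"$IPTABLES" -A INPUT -i lo -j ACCEPT
# DHCP/BOOTP (UDP only) on the LAN side, before the per-source dispatch so
# that renewals sent from an already leased address are accepted as well as
# the initial DISCOVER from 0.0.0.0 (which never matches $LOCAL_NETWORK).
"$IPTABLES" -A INPUT -p udp -i "$INT_IF" --dport 67:68 -j ACCEPT
#"$IPTABLES" -A INPUT -i "$INT_IF" -j ACCEPT
"$IPTABLES" -A INPUT -s "$LOCAL_NETWORK" -i "$INT_IF" -j local-input
"$IPTABLES" -A INPUT -i "$EXT_IF" -j eth0-input
# Anything else: LAN interface with a foreign source address, unknown interfaces.
fw_log filter INPUT "FIREWALL: INPUT "
"$IPTABLES" -A INPUT -j DROP

##### Chain FORWARD #####
### Per-client control by list (older variant, kept for reference)
#for i in $(cat /etc/rc.d/clientes.fw);do $IPTABLES -A FORWARD -d $i -i $EXT_IF -o $INT_IF -j ACCEPT;done
#for i in $(cat /etc/rc.d/clientes.fw);do $IPTABLES -A FORWARD -s $i -i $INT_IF -o $EXT_IF -j ACCEPT;done
### Helper that ties each client IP to its MAC address and appends the
### LAN -> Internet FORWARD rules.  Without it no client gets out, so a missing
### or failing helper aborts the load instead of announcing a working firewall.
[ -x "$CLIENTS_SCRIPT" ] || die "$CLIENTS_SCRIPT missing or not executable"
"$CLIENTS_SCRIPT" || die "$CLIENTS_SCRIPT failed"
# Internet -> LAN: only packets belonging to connections the LAN opened.
# New inbound connections must be allowed explicitly (see the VNC rule).
"$IPTABLES" -A FORWARD -d "$LOCAL_NETWORK" -i "$EXT_IF" -o "$INT_IF" \
  -m state --state ESTABLISHED,RELATED -j ACCEPT
# Port forward for VNC (paired with the DNAT rule in the nat table).  It has
# to sit before the final DROP of this chain or it is never reached.
"$IPTABLES" -A FORWARD -p tcp -i "$EXT_IF" -o "$INT_IF" \
  -d "$VNC_HOST" --dport "$VNC_PORT" -j ACCEPT
#"$IPTABLES" -A FORWARD -s "$LOCAL_NETWORK" -i "$INT_IF" -o "$EXT_IF" -j ACCEPT
fw_log filter FORWARD "FIREWALL: FORWARD "
"$IPTABLES" -A FORWARD -j DROP

##### Chain local-input (LAN -> the gateway itself) #####
"$IPTABLES" -A local-input -p icmp -m limit --limit 2/s -j ACCEPT
# www
"$IPTABLES" -A local-input -p tcp --dport 80 -j ACCEPT
# ssh
"$IPTABLES" -A local-input -p tcp --dport 22 -j ACCEPT
# dns
"$IPTABLES" -A local-input -p tcp --dport 53 -j ACCEPT
"$IPTABLES" -A local-input -p udp --dport 53 -j ACCEPT
# Everything else that does not belong to an already accepted connection is
# logged and dropped.  (`! --state` is the supported spelling of the
# negation; the older `--state !` form is deprecated.)
fw_log filter local-input "FIREWALL: local-in " -m state ! --state ESTABLISHED,RELATED
"$IPTABLES" -A local-input -m state ! --state ESTABLISHED,RELATED -j DROP
"$IPTABLES" -A local-input -j ACCEPT

##### Chain eth0-input (Internet -> the gateway itself) #####
"$IPTABLES" -A eth0-input -p icmp -m limit --limit 2/s -j ACCEPT
# www
"$IPTABLES" -A eth0-input -p tcp --dport 80 -j ACCEPT
# ssh (open to the whole Internet; restricting -s to known addresses is advisable)
"$IPTABLES" -A eth0-input -p tcp --dport 22 -j ACCEPT
# ftp
#"$IPTABLES" -A eth0-input -p tcp --dport 21 -j ACCEPT
# vpn
#"$IPTABLES" -A eth0-input -p udp --dport 5000 -j ACCEPT
# Log probes for services the gateway does not offer; nothing below accepts a
# new connection to them, so the state rule at the end drops them.
fw_log filter eth0-input "FIREWALL: ftp " -p tcp --dport 21
fw_log filter eth0-input "FIREWALL: smtp " -p tcp --dport 25
fw_log filter eth0-input "FIREWALL: dns " -p udp --dport 53
fw_log filter eth0-input "FIREWALL: pop3 " -p tcp --dport 110
fw_log filter eth0-input "FIREWALL: identd " -p tcp --dport 113
fw_log filter eth0-input "FIREWALL: rpc " -p udp --dport 111
fw_log filter eth0-input "FIREWALL: rpc " -p tcp --dport 111
fw_log filter eth0-input "FIREWALL: samba " -p tcp --dport 137:139
fw_log filter eth0-input "FIREWALL: samba " -p udp --dport 137:139
fw_log filter eth0-input "FIREWALL: eth0-in " -m state ! --state ESTABLISHED,RELATED
"$IPTABLES" -A eth0-input -m state ! --state ESTABLISHED,RELATED -j DROP
"$IPTABLES" -A eth0-input -j ACCEPT

#######################################################
# nat table
#######################################################
##### Chain PREROUTING #####
# Forward VNC on the public address to $VNC_HOST.  DNAT rewrites the
# destination to another host; REDIRECT only ever points at the gateway's own
# address and takes a port, not an address, so it cannot do this.
"$IPTABLES" -t nat -A PREROUTING -i "$EXT_IF" -p tcp -d "$WAN" --dport "$VNC_PORT" \
  -j DNAT --to-destination "$VNC_HOST:$VNC_PORT"

##### Chain POSTROUTING #####
"$IPTABLES" -t nat -A POSTROUTING -o lo -j ACCEPT
"$IPTABLES" -t nat -A POSTROUTING -s "$LOCAL_NETWORK" -o "$INT_IF" -j ACCEPT
# The DNAT'd VNC connection leaves through $INT_IF with an Internet source
# address; with the POSTROUTING policy at DROP it needs its own ACCEPT.
"$IPTABLES" -t nat -A POSTROUTING -o "$INT_IF" -p tcp \
  -d "$VNC_HOST" --dport "$VNC_PORT" -j ACCEPT
"$IPTABLES" -t nat -A POSTROUTING -s "$LOCAL_NETWORK" -o "$EXT_IF" -j MASQUERADE
# A LAN address must never appear as destination on the outside interface.
fw_log nat POSTROUTING "FIREWALL: SNAT unknown " -o "$EXT_IF" -d "$LOCAL_NETWORK"
"$IPTABLES" -t nat -A POSTROUTING -o "$EXT_IF" -d "$LOCAL_NETWORK" -j DROP
# The gateway's own traffic to the Internet.
"$IPTABLES" -t nat -A POSTROUTING -o "$EXT_IF" -j ACCEPT
fw_log nat POSTROUTING "FIREWALL: SNAT "
"$IPTABLES" -t nat -A POSTROUTING -j DROP

###############################################
# mangle table
###############################################
##### Chain OUTPUT #####
# Interactive traffic from the gateway itself gets TOS 0x10 (minimize delay).
for port in 21 23 6665:6668; do
  "$IPTABLES" -t mangle -A OUTPUT -o "$EXT_IF" -p tcp --dport "$port" -j TOS --set-tos 0x10
done
"$IPTABLES" -t mangle -A OUTPUT -o "$EXT_IF" -p udp --dport 53 -j TOS --set-tos 0x10

echo 'Firewall started!!'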