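#!/bin/sh
# Gateway firewall for a three-interface host (internal LAN, external uplink,
# access-point network): flushes every table, loads the netfilter modules,
# sets DROP default policies for INPUT/FORWARD and rebuilds the rule set.
#
# Must run as root (writes /proc/sys and calls iptables).
# Deliberately no `set -e`: aborting halfway (e.g. on a modprobe of a module
# this kernel does not ship) would leave the tables flushed while the DROP
# policies from a previous run are still in force, locking administrators out.
set -u

#######################
## Variables         ##
#######################
IPT='/sbin/iptables'        # iptables binary
IF_INT='eth1'               # internal interface
IF_EXT='eth2'               # external interface
IF_AP='eth0'                # access-point interface
NET_INT='172.16.0.0/12'     # internal network
NET_EXT='0.0.0.0/0'         # external network (currently unreferenced)
NET_AP='192.168.0.0/16'     # access-point network
ADDR_INT='172.16.0.1'       # IP of the internal interface (currently unreferenced)
ADDR_EXT='xxx.xxx.xxx.xxx'  # IP of the external interface (currently unreferenced)
ADDR_AP='192.168.0.1'       # IP of the access-point interface; was wrongly assigned to ADDR_EXT, clobbering it
RATE_LIMIT='1/s'            # ceiling applied by the rate-limit chains in FORWARD

[ -x "$IPT" ] || { echo "$IPT: not found or not executable" >&2; exit 1; }

# rate_limit_chain NAME
# Creates user chain NAME that lets at most $RATE_LIMIT packets (plus the
# default burst) RETURN to the calling chain and drops the excess. Using
# RETURN/DROP instead of `-m limit ... -j ACCEPT` means the limit only ever
# removes traffic; it can never accept packets the caller would have dropped.
rate_limit_chain() {
  "$IPT" -N "$1"
  "$IPT" -A "$1" -m limit --limit "$RATE_LIMIT" -j RETURN
  "$IPT" -A "$1" -j DROP
}

echo "Limpando regras..."
"$IPT" -t filter -F
"$IPT" -t nat -F
"$IPT" -t mangle -F
"$IPT" -X   # remove (now empty) user chains so rate_limit_chain can recreate them

echo "Carregando modulos..."
/sbin/modprobe ip_conntrack
/sbin/modprobe ip_conntrack_ftp
/sbin/modprobe ip_nat_ftp
/sbin/modprobe ipt_LOG
/sbin/modprobe ip_tables
/sbin/modprobe ipt_state
/sbin/modprobe iptable_nat
/sbin/modprobe ipt_limit
/sbin/modprobe ip_conntrack_pptp
/sbin/modprobe ip_nat_pptp
/sbin/modprobe ip_gre

echo "1" > /proc/sys/net/ipv4/ip_forward                     # act as a router
echo "1" > /proc/sys/net/ipv4/tcp_syncookies                 # survive SYN floods on local sockets
echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts    # do not answer broadcast pings (smurf)
echo "1" > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses

echo "Definindo politicas padroes..."
"$IPT" -t filter -P INPUT DROP
"$IPT" -t filter -P OUTPUT ACCEPT
"$IPT" -t filter -P FORWARD DROP
"$IPT" -t nat -P PREROUTING ACCEPT
"$IPT" -t nat -P POSTROUTING ACCEPT   # nat chains only take ACCEPT as policy (DROP is rejected); filtering happens in the filter table
"$IPT" -t nat -P OUTPUT ACCEPT
"$IPT" -t mangle -P PREROUTING ACCEPT
"$IPT" -t mangle -P OUTPUT ACCEPT

echo "Liberando entrada (input)..."
# Anti-spoofing goes first so it wins over every accept below: nothing arriving
# on the uplink may claim an internal or access-point source address.
"$IPT" -t filter -A INPUT -i "$IF_EXT" -s "$NET_INT" -j DROP
"$IPT" -t filter -A INPUT -i "$IF_EXT" -s "$NET_AP" -j DROP
"$IPT" -t filter -A FORWARD -i "$IF_EXT" -s "$NET_INT" -j DROP
"$IPT" -t filter -A FORWARD -i "$IF_EXT" -s "$NET_AP" -j DROP
"$IPT" -t filter -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
"$IPT" -t filter -A INPUT -i lo -j ACCEPT
"$IPT" -t filter -A FORWARD -i lo -j ACCEPT
"$IPT" -t filter -A INPUT -i "$IF_INT" -p tcp --dport 22 -j ACCEPT     # SSH
"$IPT" -t filter -A INPUT -i "$IF_INT" -p tcp --dport 3128 -j ACCEPT   # proxy
# The nat PREROUTING REDIRECTs below hand MSN traffic to a local port 1863; those
# packets then traverse INPUT, whose policy is DROP, so they need an explicit accept.
"$IPT" -t filter -A INPUT -i "$IF_INT" -p tcp --dport 1863 -j ACCEPT   # MSN proxy
"$IPT" -t filter -A INPUT -i "$IF_INT" -p udp --dport 1863 -j ACCEPT   # MSN proxy

echo "Habilitando protecao contra ataques..."
# Must precede the FORWARD accepts to have any effect. Appending
# `-m limit ... -j ACCEPT` rules after them, with no direction match, would
# limit nothing and instead forward the first SYN/ping per second between
# any pair of interfaces, bypassing the direction-specific accepts below.
rate_limit_chain limit_ping
rate_limit_chain limit_rst
rate_limit_chain limit_syn
"$IPT" -A FORWARD -p icmp --icmp-type echo-request -j limit_ping        # ping flood
"$IPT" -A FORWARD -p tcp --tcp-flags SYN,ACK,FIN,RST RST -j limit_rst   # bare-RST scans
"$IPT" -A FORWARD -p tcp --syn -j limit_syn                             # SYN flood

echo "Definindo regras de mascaramento..."
# Replies come back from the uplink; new connections only originate on the LAN.
"$IPT" -A FORWARD -m state --state ESTABLISHED,RELATED -i "$IF_EXT" -o "$IF_INT" -j ACCEPT
"$IPT" -A FORWARD -m state --state NEW,ESTABLISHED,RELATED -i "$IF_INT" -o "$IF_EXT" -j ACCEPT

echo "Definindo redirecionamentos..."
"$IPT" -t nat -A PREROUTING -i "$IF_INT" -p udp --dport 1863 -j REDIRECT --to-port 1863   # MSN proxy
"$IPT" -t nat -A PREROUTING -i "$IF_INT" -p tcp --dport 1863 -j REDIRECT --to-port 1863   # MSN proxy
# Only DNS and the named mail hosts are masqueraded; other LAN traffic is expected
# to go through the proxy on 3128 rather than be NATed directly.
"$IPT" -t nat -A POSTROUTING -s "$NET_INT" -o "$IF_EXT" -p tcp --dport 53 -j MASQUERADE                         # DNS
"$IPT" -t nat -A POSTROUTING -s "$NET_INT" -o "$IF_EXT" -p udp --dport 53 -j MASQUERADE                         # DNS
"$IPT" -t nat -A POSTROUTING -s "$NET_INT" -o "$IF_EXT" -p tcp -d smtp.xxxx.com.br --dport 25 -j MASQUERADE     # SMTP
"$IPT" -t nat -A POSTROUTING -s "$NET_INT" -o "$IF_EXT" -p tcp -d pop.xxxx.com.br --dport 110 -j MASQUERADE     # POP3

echo "Habilitando regras da VPN..."
# PPTP control channel (1723) and its GRE (protocol 47) tunnel, from the AP network only.
"$IPT" -A INPUT -i "$IF_AP" -p tcp --dport 1723 -j ACCEPT
"$IPT" -A INPUT -i "$IF_AP" -p udp --dport 1723 -j ACCEPT
"$IPT" -A INPUT -i "$IF_AP" -p 47 -j ACCEPT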