



    Script - iptables

    Pessoal,

    Estou postando abaixo o meu script de firewall e gostaria de uma opinião de vocês.

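    #!/bin/sh
    #
    # Firewall / NAT gateway ruleset for a two-interface box: eth0 faces the
    # LAN, eth1 faces the Internet. Policies are default-DROP; a PABX is
    # published through DNAT and a short list of workstations is allowed out
    # to a SIP provider, a VPN peer and two DNS servers. All addresses below
    # are placeholders (x.y / aaa / ccc ...) and must be filled in before use.

    # Abort on the first use of an unset variable: a mistyped name would
    # otherwise expand to an empty string and silently produce a different
    # (or rejected) rule instead of the one intended.
    set -u

    # Workstations that are allowed through the firewall (VPN and DNS).
    M1=192.168.x.y
    M2=192.168.x.y
    M3=192.168.x.y
    M4=192.168.x.y
    M5=192.168.x.y
    M6=192.168.x.y

    DG=yyy.yyy.yyy.yyy        # upstream default gateway
    DNS1=aaa.aaa.aaa.aaa      # resolvers used by the firewall and the LAN
    DNS2=aaa.aaa.aaa.aab
    IPT=/sbin/iptables        # iptables binary
    FW_INT=192.168.x.y        # firewall's LAN address (not referenced by any rule)
    FW_EXT=ccc.ccc.ccc.ccc    # firewall's public address (DNAT target for the PABX)
    INT_INT=eth0              # LAN-facing interface
    INT_EXT=eth1              # Internet-facing interface
    LAN=192.168.x.y/24        # LAN network
    MUTLEY=192.168.x.y        # admin host: ssh to the firewall, DNS out
    PABX=192.168.x.y          # PABX published via DNAT
    SIP=ddd.ddd.ddd.ddd       # SIP provider the PABX talks to
    VPN=eee.eee.eee.eee       # remote VPN peer the workstations connect to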

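    # Refuse to start tearing the current ruleset down if the binary is not
    # where we expect it.
    [ -x "$IPT" ] || { printf '%s\n' "iptables not found at $IPT" >&2; exit 1; }

    # Flush every table and delete any user-defined chains.
    for table in filter nat mangle; do
      "$IPT" -t "$table" -F
      "$IPT" -t "$table" -X
    done

    # Default policy: drop whatever no rule below explicitly accepts.
    for chain in INPUT OUTPUT FORWARD; do
      "$IPT" -P "$chain" DROP
    done

    # Loopback must be accepted *before* the anti-spoofing rules: a local
    # process talking to the firewall's own LAN address sends packets over
    # lo with a $LAN source, and "LAN source on a non-internal interface"
    # would otherwise drop them.
    "$IPT" -A INPUT -i lo -j ACCEPT
    "$IPT" -A OUTPUT -o lo -j ACCEPT

    # Anti-spoofing: LAN addresses only ever arrive on the internal interface,
    # and only LAN addresses arrive there. Applied to FORWARD as well, since
    # the per-host rules further down do not all pin the ingress interface.
    # Negation goes in front of the option ("! -i"); the "-i !" form is
    # deprecated by iptables.
    for chain in INPUT FORWARD; do
      "$IPT" -A "$chain" ! -i "$INT_INT" -s "$LAN" -j DROP
      "$IPT" -A "$chain" -i "$INT_INT" ! -s "$LAN" -j DROP
    done

    # Packets conntrack cannot classify (bad TCP flag combinations,
    # out-of-window segments) are dropped before they can reach one of the
    # port-based ACCEPT rules below.
    for chain in INPUT FORWARD; do
      "$IPT" -A "$chain" -m state --state INVALID -j DROP
    done

    # Stateful: anything belonging or related to an already-accepted flow is
    # allowed in every chain, so the rules below only describe the first
    # packet of each connection.
    for chain in INPUT OUTPUT FORWARD; do
      "$IPT" -A "$chain" -m state --state ESTABLISHED,RELATED -j ACCEPT
    done

    # =========
    # NAT table
    # =========

    # Publish the PABX: tcp/987, udp/987 and tcp/22 arriving on the public
    # address are DNATed to it. "--dport" is only valid together with "-p",
    # so the protocol is mandatory here: without it iptables rejects the rule
    # ("unknown option --dport") and the PABX is never reachable. udp/987 is
    # included because the FORWARD chain accepts it towards the PABX.
    # NOTE(review): "-s $DG" matches only packets whose *source* address is
    # the default gateway itself, not "everything coming from the Internet";
    # confirm that the gateway really is the only peer meant to reach the PABX.
    for proto in tcp udp; do
      "$IPT" -t nat -A PREROUTING -i "$INT_EXT" -s "$DG" -d "$FW_EXT" \
        -p "$proto" --dport 987 -j DNAT --to-destination "$PABX"
    done
    "$IPT" -t nat -A PREROUTING -i "$INT_EXT" -s "$DG" -d "$FW_EXT" \
      -p tcp --dport 22 -j DNAT --to-destination "$PABX"

    # Masquerade LAN traffic leaving through the external interface.
    # POSTROUTING runs after routing and has no ingress interface, so "-i"
    # is rejected there ("Can't use -i with POSTROUTING"); match on the
    # egress interface instead.
    "$IPT" -t nat -A POSTROUTING -s "$LAN" -o "$INT_EXT" -j MASQUERADE

    # ===========
    # INPUT chain
    # ===========
    # Nothing arriving on $INT_EXT is accepted here except ESTABLISHED/RELATED
    # traffic matched above; the firewall exposes no service to the Internet.

    # SSH to the firewall itself, only from the two admin hosts on the LAN.
    for admin in "$M5" "$MUTLEY"; do
      "$IPT" -A INPUT -i "$INT_INT" -s "$admin" -p tcp --dport 22 -j ACCEPT
    done

    # Ping between the firewall and the LAN: requests and replies in both
    # directions (OUTPUT side included here to keep the two in sync).
    for kind in echo-request echo-reply; do
      "$IPT" -A INPUT -i "$INT_INT" -s "$LAN" -p icmp --icmp-type "$kind" -j ACCEPT
      "$IPT" -A OUTPUT -o "$INT_INT" -d "$LAN" -p icmp --icmp-type "$kind" -j ACCEPT
    done

    # ============
    # OUTPUT chain
    # ============
    # Besides loopback and the LAN pings above, the firewall may only talk to
    # its two resolvers; anything else it originates falls to the DROP policy.

    # Resolver traffic, UDP plus TCP (TCP is used for answers that do not fit
    # in a single UDP datagram).
    for dns in "$DNS1" "$DNS2"; do
      for proto in tcp udp; do
        "$IPT" -A OUTPUT -o "$INT_EXT" -d "$dns" -p "$proto" --dport 53 -j ACCEPT
      done
    done

    # =============
    # FORWARD chain
    # =============

    # PABX -> SIP provider, any UDP port above 1023.
    # NOTE(review): this covers SIP signalling and the RTP media range in one
    # stroke but also every other high UDP port; narrowing it to the ports the
    # PABX is actually configured for would be tighter - confirm those ranges.
    "$IPT" -A FORWARD -i "$INT_INT" -s "$PABX" -o "$INT_EXT" -d "$SIP" \
      -p udp --dport 1024:65535 -j ACCEPT

    # Workstations -> VPN peer: IKE (500) and NAT-T (4500), UDP and TCP as in
    # the original. "--dports" is the multiport spelling and avoids any
    # ambiguity with the single-port "--dport" of the tcp/udp matches.
    # NOTE(review): IKE and NAT-T are UDP; if the VPN is plain IPsec without
    # NAT-T it also needs ESP ("-p esp"), and the TCP rule only matters for
    # clients that tunnel IKE over TCP - confirm against the VPN client in use.
    for ws in "$M1" "$M2" "$M3" "$M4" "$M5" "$M6"; do
      for proto in tcp udp; do
        "$IPT" -A FORWARD -i "$INT_INT" -s "$ws" -o "$INT_EXT" -d "$VPN" \
          -p "$proto" -m multiport --dports 500,4500 -j ACCEPT
      done
    done

    # Workstations and the admin host -> the two DNS servers, TCP and UDP.
    for host in "$M1" "$M2" "$M3" "$M4" "$M5" "$M6" "$MUTLEY"; do
      for dns in "$DNS1" "$DNS2"; do
        for proto in tcp udp; do
          "$IPT" -A FORWARD -i "$INT_INT" -s "$host" -o "$INT_EXT" -d "$dns" \
            -p "$proto" --dport 53 -j ACCEPT
        done
      done
    done

    # Inbound to the PABX (the DNATed flows from the NAT table), pinned to
    # the external interface so these rules cannot be reached from anywhere
    # else. Ports mirror the DNAT rules: tcp/22, tcp/987, udp/987.
    "$IPT" -A FORWARD -i "$INT_EXT" -d "$PABX" -p tcp --dport 22 -j ACCEPT
    for proto in tcp udp; do
      "$IPT" -A FORWARD -i "$INT_EXT" -d "$PABX" -p "$proto" --dport 987 -j ACCEPT
    done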



    Opinião com relação a quê?
