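#!/usr/bin/env bash
# Small gateway firewall: masquerades a LAN behind a PPPoE link, diverts LAN
# web traffic into a local Squid, and allows a short list of inbound services.
#
# Usage (as root):   WORK_IP=<public IP or CIDR> ./firewall.sh
#
# INPUT and FORWARD get a DROP policy before the rules are loaded, so if a
# later command fails the box is left closed. Run this from the console, or
# keep a second SSH session open until it prints the success message.
#
# Only IPv4 is programmed. If IPv6 is enabled on the WAN link, ip6tables still
# has its ACCEPT defaults and none of the restrictions below apply to it.
set -eu

# ---- Variables ----------------------------------------------------------
IFACE=ppp0               # WAN (PPPoE) interface
LAN_IFACE=eth1           # LAN interface (was hard-coded as eth1 in every rule)
LAN=192.168.0.0/24       # LAN address range
RDP_HOST=192.168.0.130   # internal host reachable over RDP from WORK_IP
SQUID_PORT=3128          # transparent proxy port on this box

# Remote address allowed to reach SSH on this box and RDP on RDP_HOST.
# The original script carried the literal placeholder "ip_de_onde_trabalho"
# here, which iptables rejects with "host/network not found" after the DROP
# policies are already in place. Fail before anything is touched instead.
: "${WORK_IP:?set WORK_IP to the public IP or CIDR allowed for SSH/RDP maintenance}"

[ "$(id -u)" -eq 0 ] || { printf 'this script must run as root\n' >&2; exit 1; }

# ---- Kernel modules -----------------------------------------------------
# iptables loads the NAT and conntrack modules on demand; only the FTP
# helper needs an explicit load. The legacy names (ip_conntrack, ip_nat_ftp)
# are gone on current kernels, so the modern names are tried first.
# A missing FTP helper is reported but not fatal: only passive FTP from the
# LAN depends on it.
modprobe iptable_nat 2>/dev/null || true   # auto-loaded by "iptables -t nat" if absent
modprobe nf_conntrack 2>/dev/null || modprobe ip_conntrack
modprobe nf_nat_ftp 2>/dev/null || modprobe ip_nat_ftp 2>/dev/null \
  || printf 'warning: FTP NAT helper not loaded; passive FTP from the LAN may fail\n' >&2
# NOTE(review): recent kernels no longer auto-assign conntrack helpers to
# flows; the helper then only applies to connections tagged with a
# "-j CT --helper ftp" rule, which this script does not add. Confirm whether
# FTP from the LAN still works, or add that rule in the raw table.

# ---- Reset --------------------------------------------------------------
# Policies are set before flushing so there is no window with empty chains
# and an ACCEPT policy. OUTPUT is left at ACCEPT, as before: this box may
# originate any traffic.
iptables -P INPUT DROP
iptables -P FORWARD DROP
for table in filter nat mangle; do
  iptables -t "$table" -F
  iptables -t "$table" -X
done

# ---- Kernel settings ----------------------------------------------------
echo 1 > /proc/sys/net/ipv4/tcp_syncookies   # SYN-flood mitigation

# ---- NAT ----------------------------------------------------------------
# Share the WAN link. Only LAN sources are masqueraded; the original rule
# masqueraded anything leaving IFACE, whatever its source.
iptables -t nat -A POSTROUTING -s "$LAN" -o "$IFACE" -j MASQUERADE

# Transparent proxy: plain HTTP from the LAN is diverted into Squid.
iptables -t nat -A PREROUTING -i "$LAN_IFACE" -s "$LAN" -p tcp --dport 80 \
  -j REDIRECT --to-ports "$SQUID_PORT"
# NOTE(review): diverting 443 into the same port only works if Squid runs an
# intercept/ssl-bump https_port there; on a plain http_port the TLS
# ClientHello is rejected and LAN browsers lose HTTPS entirely. Kept as in
# the original - confirm the Squid configuration, or remove this rule and let
# 443 pass through the FORWARD rule below. Interception of TLS also means
# this box can read all LAN HTTPS traffic; make sure that is intended.
iptables -t nat -A PREROUTING -i "$LAN_IFACE" -s "$LAN" -p tcp --dport 443 \
  -j REDIRECT --to-ports "$SQUID_PORT"

# Maintenance: RDP from WORK_IP is forwarded to RDP_HOST. The FORWARD rule
# now pins the source as well, so nothing else arriving on IFACE addressed
# to RDP_HOST is accepted (the original matched on destination only).
iptables -t nat -A PREROUTING -i "$IFACE" -s "$WORK_IP" -p tcp --dport 3389 \
  -j DNAT --to-destination "$RDP_HOST:3389"
iptables -A FORWARD -i "$IFACE" -s "$WORK_IP" -d "$RDP_HOST" -p tcp --dport 3389 -j ACCEPT

# ---- INPUT --------------------------------------------------------------
# Loopback is needed by local services (Squid talking to the resolver,
# Webmin, ...); the original DROP policy silently broke it.
iptables -A INPUT -i lo -j ACCEPT

# Anti-spoofing: nothing arriving on the WAN side may carry a LAN source
# address, otherwise the LAN-only rules below and the LAN-sourced FORWARD
# rules could be reached from the Internet. (rp_filter=1 on both interfaces
# is the kernel-level equivalent; the explicit rules keep the intent visible.)
iptables -A INPUT   -i "$IFACE" -s "$LAN" -j DROP
iptables -A FORWARD -i "$IFACE" -s "$LAN" -j DROP

# Replies to connections this box opened, and helper-related flows.
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -m state --state INVALID -j DROP

# SSH from the LAN and from the maintenance address only.
iptables -A INPUT -i "$LAN_IFACE" -s "$LAN" -p tcp --syn --dport 22 -j ACCEPT
iptables -A INPUT -i "$IFACE" -s "$WORK_IP" -p tcp --syn --dport 22 -j ACCEPT

# Web (80), Webmin (10000) and Squid, LAN only. Webmin is a root-equivalent
# admin console: keep it LAN-only and behind TLS.
iptables -A INPUT -i "$LAN_IFACE" -s "$LAN" -p tcp -m multiport \
  --dports 80,10000,"$SQUID_PORT" -j ACCEPT

# Ping from the LAN.
iptables -A INPUT -i "$LAN_IFACE" -s "$LAN" -p icmp -j ACCEPT

# ---- FORWARD ------------------------------------------------------------
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -m state --state INVALID -j DROP

# Outbound from the LAN. The original matched only on source address and
# output interface; pinning the input interface too means a packet that
# merely claims a LAN address cannot use these rules.
lan_out=(-i "$LAN_IFACE" -s "$LAN" -o "$IFACE")

# DNS
iptables -A FORWARD "${lan_out[@]}" -p tcp --dport 53 -j ACCEPT
iptables -A FORWARD "${lan_out[@]}" -p udp --dport 53 -j ACCEPT
# SSH (new connections only; the rest rides on ESTABLISHED)
iptables -A FORWARD "${lan_out[@]}" -p tcp --syn --dport 22 -j ACCEPT
# HTTP, HTTPS, FTP control, SMTP, POP3, Terminal Server
iptables -A FORWARD "${lan_out[@]}" -p tcp -m multiport \
  --dports 80,443,21,25,110,3389 -j ACCEPT
# Ping
iptables -A FORWARD "${lan_out[@]}" -p icmp -j ACCEPT

# Routing is switched on last, once the FORWARD chain is populated.
echo 1 > /proc/sys/net/ipv4/ip_forward

printf -- '-- !! Regras aplicadas com sucesso !! --\n'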