br-sip-firewall.sh

1. #!/bin/bash
2.  
3. # ########################### ATENCAO! ################################
4. #
5. #       O padrao desse firewall eh bloquear todo acesso internacional
6. #    com  destino ao servidor (UDP/5060).  Hosts  internacionais  com
7. #    permissao para UDP/5060 devem estar setados na variavel ACC_SIP.
8. #
9. #       Hosts nacionais que devem ser negados para UDP/5060 devem ser
10. #    setados na variavel NO_SIP.
11. #
12. #######################################################################
13. #
14. # 09/2011 - Thiago Jose Lucas | [email protected]
15. #
16. ####
17. # CONSTANTES
18. LACNIC_FTP_FILE='ftp://ftp.lacnic.net/pub/stats/lacnic/delegated-lacnic-latest'
19. LACNIC_FILE='/tmp/delegated-lacnic-latest'
20. PARSE_SCRIPT='./parse.py' # CAMINHO COMPLETO
21. IPT='/sbin/iptables'
22. CHAIN_NAME='SIP'
23. SIP_PORT='5060'
24. MAIL_CMD='./sendEmail'
25. WGET_TIMEOUT='14'
26. # HOSTS LIBERADOS PARA SIP
27. # (separado por espaco)
28. ACC_SIP='200.192.240.122 200.192.243.50'
29. NO_SIP=''
30.  
31. # COMANDO BASICOS NECESSARIOS
32. basic(){
33.   echo "Erro: Favor instalar o comando $1 antes de executar este script!"
34.   exit 0
35. }
36.  
37. BASIC_CMD="host iptables echo wget hostname ip $MAIL_CMD"
38. for CMD in $BASIC_CMD ;do
39.   which $CMD >/dev/null 2> /dev/null || basic $CMD
40. done
41.  
42. nameTest(){
43.   host ftp.lacnic.net > /dev/null || alert "Problema na resolucao de nomes - (DNS)"
44. }
45.  
46. alert(){
47. OPT=$1
48. IP_ADDRESS=`ip r g 200.192.243.50|head -n1|awk '{print $7}'`
49. MY_HOSTNAME=`hostname`
50. MAIL_FROM='[email protected]'
51. MAIL_TO='[email protected]'
52. MAIL_SUBJECT='SIPFirewall - Problema na Execucao'
53. MAIL_SERVER_SMTP='smtp.devel-it.com.br'
54. MAIL_USER_SMTP='[email protected]'
55. MAIL_PASS_SMTP='E-3zx#3AaO'
56. MAIL_BODY="
57. Erro ao executar $0:
58. $OPT
59.  
60. Hostname: $MY_HOSTNAME
61. IP Address: $IP_ADDRESS
62.  
63. Atenciosamente
64. --
65. NOC Nome da Empresa
66. [email protected]
67. [email protected]
68. 55.14.3333.4444
69. "
70.  
71. $MAIL_CMD -f "$MAIL_FROM" -t "$MAIL_TO" -u "$MAIL_SUBJECT" -s "$MAIL_SERVER_SMTP" -xu "$MAIL_USER_SMTP" -xp "$MAIL_PASS_SMTP" -m "$MAIL_BODY"
72. }
73.  
74. # TESTA A EXISTENCIA E O PERMISSIONAMENTO DE $PARSE_SCRIPT
75. [ -e "$PARSE_SCRIPT" -o -x "$PARSE_SCRIPT" ] || alert "Problema ao chamar $PARSE_SCRIPT"
76.  
77. get(){
78.   wget -q -O $LACNIC_FILE $LACNIC_FTP_FILE -T $WGET_TIMEOUT|| alert "Erro ao baixar o Arquivo - (wget)"
79. }
80.  
81. parse(){
82.   $PARSE_SCRIPT $LACNIC_FILE
83. }
84.  
85. nameTest
86. get
87.  
88. # TRATA A CHAIN A SER UTILIZADA #
89. $IPT -t mangle -D PREROUTING -p UDP --dport $SIP_PORT -j $CHAIN_NAME 2>/dev/null
90. $IPT -t mangle -F $CHAIN_NAME 2>/dev/null
91. $IPT -t mangle -X $CHAIN_NAME 2>/dev/null
92. $IPT -t mangle -N $CHAIN_NAME 2>/dev/null
93.  
94. # DROP P/ TRAFEGO UDP/5060 - $CHAIN_NAME
95. $IPT -t mangle -I $CHAIN_NAME -p UDP --dport $SIP_PORT -j DROP
96.  
97. # ACCEPT P/ REDES DO BRASIL
98. parse|while read NETWORK ;do
99.   $IPT -t mangle -I $CHAIN_NAME -p UDP -s $NETWORK --dport $SIP_PORT -j ACCEPT
100. done
101.  
102. # ACCEPT PARA REDES SETADAS EM ACC_SIP
103. if [ ! -z "$ACC_SIP" ] ;then
104.   for _HOST in $ACC_SIP ;do
105.     $IPT -t mangle -I $CHAIN_NAME -p UDP -s $_HOST --dport $SIP_PORT -j ACCEPT
106.   done
107. fi
108.  
109. # DROP PARA REDES SETADAS EM NO_SIP
110. if [ ! -z "$NO_SIP" ] ;then
111.   for _HOST in $NO_SIP ;do
112.     $IPT -t mangle -I $CHAIN_NAME -p UDP -s $_HOST --dport $SIP_PORT -j DROP
113.   done
114. fi
115.  
116. # REDIR. DE TRAFEGO PARA $CHAIN_NAME
117. $IPT -t mangle -I PREROUTING -p UDP --dport $SIP_PORT -j $CHAIN_NAME
118.  
119.