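#!/bin/bash
## FIREWALL ##
# Builds the host firewall from list files under ${DIR}:
#   allow_range.txt - one "start-end" IPv4 range per line (iptables iprange syntax)
#   allow_ip.txt    - one source address (or CIDR) per line
#   allow_port.txt  - one TCP port per line; every allowed source gets every port
#   block_range.txt - "start-end" ranges whose TCP traffic is dropped unconditionally
#   block_ip.txt    - source addresses dropped unconditionally (all protocols)
# Blank lines and lines starting with '#' are ignored in every list file.
# Brazilian IP ranges:
# http://www.ipaddresslocation.org/ip_ranges/get_ranges.php
#
# Must run as root. Exits 2 *before* flushing anything when a list file is
# missing or unreadable, so a bad deploy cannot wipe the live ruleset and
# leave the host behind a bare DROP policy.
#
# NOTE(review): rules are still applied one iptables call at a time; an atomic
# load via iptables-restore would avoid any partially-loaded window entirely.

set -u

readonly DIR="/opt/firewall"
readonly ALLOW_IPRANGE_FILE="${DIR}/allow_range.txt"
readonly ALLOW_IP_FILE="${DIR}/allow_ip.txt"
readonly ALLOW_PORT_FILE="${DIR}/allow_port.txt"
readonly BLOCK_IP_FILE="${DIR}/block_ip.txt"
readonly BLOCK_RANGE_FILE="${DIR}/block_range.txt"
readonly WAN_IF="eth0"   # interface the traceroute-probe DROP is bound to

#######################################
# Print a diagnostic to stderr and exit 2.
# Arguments: message words
#######################################
die() {
  printf 'firewall: %s\n' "$*" >&2
  exit 2
}

#######################################
# Print the usable entries of a list file, one per line: surrounding
# whitespace is trimmed, blank lines and '#' comments are skipped.
# Arguments: $1 - path of the list file
# Outputs:   entries on stdout
#######################################
entries() {
  local line
  # `|| [[ -n "$line" ]]` keeps a last line that lacks a trailing newline.
  while IFS= read -r line || [[ -n "$line" ]]; do
    line="${line#"${line%%[![:space:]]*}"}"   # left trim
    line="${line%"${line##*[![:space:]]}"}"   # right trim
    [[ -z "$line" || "$line" == \#* ]] && continue
    printf '%s\n' "$line"
  done < "$1"
}

# Set to 1 by rule() when any iptables call fails; becomes the exit status.
failed=0

#######################################
# Apply one iptables rule. A malformed list entry is reported on stderr and
# remembered in $failed instead of aborting with a half-loaded table.
# Arguments: iptables arguments
# Globals:   failed (written)
#######################################
rule() {
  if ! iptables "$@"; then
    printf 'firewall: rule failed: iptables %s\n' "$*" >&2
    failed=1
  fi
}

### Pre-flight checks: fail before the existing ruleset is touched
[[ "$EUID" -eq 0 ]] || die "must run as root"
command -v iptables >/dev/null || die "iptables not found in PATH"
for f in "$ALLOW_IPRANGE_FILE" "$ALLOW_IP_FILE" "$ALLOW_PORT_FILE" \
         "$BLOCK_IP_FILE" "$BLOCK_RANGE_FILE"; do
  [[ -r "$f" ]] || die "cannot read list file: $f"
done

# Read the port list once instead of re-reading the file for every source.
mapfile -t allow_ports < <(entries "$ALLOW_PORT_FILE")
if (( ${#allow_ports[@]} == 0 )); then
  printf 'firewall: warning: %s has no entries; no inbound TCP will be allowed\n' \
    "$ALLOW_PORT_FILE" >&2
fi

### SYN-flood mitigation
echo 1 > /proc/sys/net/ipv4/tcp_syncookies || die "cannot enable tcp_syncookies"

### Flush rules
rule -F
rule -X
rule -t nat -F
rule -t nat -X
rule -t mangle -F
rule -t mangle -X

### Default policies
rule -P INPUT DROP
# The final OUTPUT policy is ACCEPT. Setting DROP here and flipping it at the
# end (as the previous version did) only blocked outbound traffic while the
# lists were loading.
rule -P OUTPUT ACCEPT

## DROP policies by IP range and by IP, appended first so they precede every
## ACCEPT below (same effect as the old `-I` inserts, in file order).
while IFS= read -r block_range; do
  rule -A INPUT -p tcp -m iprange --src-range "$block_range" -j DROP
done < <(entries "$BLOCK_RANGE_FILE")
while IFS= read -r block_ip; do
  rule -A INPUT -s "$block_ip" -j DROP
done < <(entries "$BLOCK_IP_FILE")

### Accept loopback
rule -A INPUT -i lo -j ACCEPT
### Drop traceroute probes (UDP 33435:33525) arriving on the WAN interface
rule -A INPUT -p udp -i "$WAN_IF" --dport 33435:33525 -j DROP
### Accept established/related traffic. Loaded before the allow lists so the
### session running this script is not cut off while the lists are applied.
rule -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

## ACCEPT policies by IP range (each range x each allowed port)
while IFS= read -r allow_range; do
  for port in "${allow_ports[@]}"; do
    rule -A INPUT -p tcp -m iprange --src-range "$allow_range" --dport "$port" -j ACCEPT
  done
done < <(entries "$ALLOW_IPRANGE_FILE")

## ACCEPT policies by IP (each address x each allowed port)
while IFS= read -r allow_ip; do
  for port in "${allow_ports[@]}"; do
    rule -A INPUT -p tcp -s "$allow_ip" --dport "$port" -j ACCEPT
  done
done < <(entries "$ALLOW_IP_FILE")

### Rate-limit stray RST packets (stealth port-scan probes); anything above the
### limit falls through to the INPUT DROP policy. Placed after the
### ESTABLISHED,RELATED rule so RSTs of tracked connections are not counted.
rule -A INPUT -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit 1/s -j ACCEPT

### OUTPUT
rule -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

### END
exit "$failed"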