firewall_BR

#!/bin/bash
## FIREWALL ##
#Range de IP’s Brasil:
# http://www.ipaddresslocation.org/ip_ranges/get_ranges.php
DIR="/opt/firewall"
ALLOW_IPRANGE_FILE=${DIR}/allow_range.txt
ALLOW_IP_FILE=${DIR}/allow_ip.txt
ALLOW_PORT_FILE=${DIR}/allow_port.txt
BLOCK_IP_FILE=${DIR}/block_ip.txt
BLOCK_RANGE_FILE=${DIR}/block_range.txt

### Bloquear ataque DDos
echo 1 > /proc/sys/net/ipv4/tcp_syncookies

### Limpar regras
iptables -F
iptables -X
iptables -t nat -F
iptables -t nat -X
iptables -t mangle -F
iptables -t mangle -X

## Definicoes das politicas padrao
iptables -P INPUT DROP
iptables -P OUTPUT DROP

## Politicas ACCEPT por range de IP's
while read ALLOWIPRANGE
do
        while read ALLOWPORT
        do
                iptables -A INPUT -p tcp -m iprange --src-range ${ALLOWIPRANGE} --dport ${ALLOWPORT} -j ACCEPT
        done < ${ALLOW_PORT_FILE}
done < ${ALLOW_IPRANGE_FILE}

## Politicas ACCEPT por IP's
while read ALLOWIP
do
        while read ALLOWPORT
        do
                iptables -A INPUT -p tcp -s ${ALLOWIP} --dport ${ALLOWPORT} -j ACCEPT
        done < ${ALLOW_PORT_FILE}
done < ${ALLOW_IP_FILE}


## Politicas DROP por range de IP's
while read BLOCKIPRANGE
do
iptables -I INPUT -p tcp -m iprange --src-range ${BLOCKIPRANGE} -j DROP
done < ${BLOCK_RANGE_FILE}

## Politicas DROP por IP's
while read BLOCKIP
do
iptables -I INPUT -s ${BLOCKIP} -j DROP
done < ${BLOCK_IP_FILE}

### Aceita requisicoes em loopback
iptables -A INPUT -i lo -j ACCEPT

### Protecao contra port scanners ocultos
iptables -A INPUT -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit 1/s -j ACCEPT

### Bloqueando tracertroute
iptables -A INPUT -p udp -s 0/0 -i eth0 --dport 33435:33525 -j DROP

### Aceita passagem de pacotes de conexoes ja estabelecidas ou secundarias
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

###OUTPUT
iptables -P OUTPUT ACCEPT
iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
###FIM