#!/bin/bash
#
# Modelo Firewall By Thiago Laurito
#
# Site <http://slackdummies.blogspot.com>
# Email <thiago.laurito@gmail.com>
# Data 27/01/2011 01:33 :)
#
# Carregando Módulos para funcoes especificas do Iptables.
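# Everything below writes to /proc/sys and programs netfilter; without root
# every step fails silently, so refuse early with a clear message.
if (( EUID != 0 )); then
  printf '%s: must run as root\n' "${0##*/}" >&2
  exit 1
fi

# Internal network whose hosts may open TCP connections to and through the
# firewall (adjust to the real LAN prefix).
readonly LAN_NET=192.168.1.0/24

#######################################
# Load the netfilter modules this ruleset relies on: NAT, connection tracking
# plus its FTP helper, the LOG/REJECT/MASQUERADE/MARK targets and the
# state/multiport/limit/tos/mark matches.
# These are the legacy ip_*/ipt_* names; on newer kernels several are aliases
# or already built in, so a modprobe failure here is reported by modprobe but
# does not abort the script — TODO confirm the names for the target kernel.
#######################################
load_modules() {
  local mod
  for mod in ip_tables iptable_nat ip_conntrack ip_conntrack_ftp ip_nat_ftp \
    ipt_LOG ipt_REJECT ipt_MASQUERADE ipt_state ipt_multiport \
    iptable_mangle ipt_tos ipt_limit ipt_mark ipt_MARK; do
    modprobe "$mod"
  done
}

#######################################
# Write one value into a /proc/sys knob.
# Arguments: $1 - full path of the knob, $2 - value to write
# Outputs:   a warning on stderr when the write fails (knob absent, read-only)
#######################################
set_sysctl() {
  local path=$1 value=$2
  printf '%s\n' "$value" > "$path" \
    || printf 'warn: could not set %s\n' "$path" >&2
}

#######################################
# Apply one value to the same knob under every interface directory of
# /proc/sys/net/ipv4/conf/ (including "all" and "default").
# Arguments: $1 - knob name (e.g. rp_filter), $2 - value to write
#######################################
set_sysctl_all_ifaces() {
  local name=$1 value=$2 path
  for path in /proc/sys/net/ipv4/conf/*/"$name"; do
    set_sysctl "$path" "$value"
  done
}

#######################################
# IPv4 kernel hardening: same knobs as before, each written once.
#######################################
harden_kernel() {
  # Ignore malformed ICMP error responses from broken routers.
  set_sysctl /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses 1
  # Ignore every ICMP echo request aimed at this host. Note that the
  # "-p icmp -j ACCEPT" INPUT rule further down cannot re-enable ping: the
  # kernel never answers, whatever iptables lets through.
  set_sysctl /proc/sys/net/ipv4/icmp_echo_ignore_all 1
  # The box routes between its interfaces (gateway role).
  set_sysctl /proc/sys/net/ipv4/ip_forward 1
  # Do not answer broadcast pings (smurf amplification).
  set_sysctl /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts 1
  # Do not accept source-routed packets.
  set_sysctl_all_ifaces accept_source_route 0
  # SYN cookies keep accepting connections while the backlog is flooded.
  set_sysctl /proc/sys/net/ipv4/tcp_syncookies 1
  # Neither accept nor send ICMP redirects (route-table poisoning). The
  # original script wrote accept_redirects twice; once is enough.
  set_sysctl_all_ifaces accept_redirects 0
  set_sysctl_all_ifaces send_redirects 0
  # Reverse-path filter: drop packets whose source address is not routable
  # back through the interface they arrived on (basic anti-spoofing).
  set_sysctl_all_ifaces rp_filter 1
  # Log packets with impossible (martian) source addresses.
  set_sysctl_all_ifaces log_martians 1
}

#######################################
# Flush filter/nat/mangle, delete user-defined chains and zero the counters
# so the script can be re-run and always produces the same ruleset.
#######################################
reset_rules() {
  # "-F" with no chain flushes every chain of the table, so the per-chain
  # flushes of INPUT/OUTPUT/FORWARD are covered by the first call.
  iptables -F
  iptables -t nat -F
  iptables -t mangle -F
  iptables -X
  iptables -X -t nat
  iptables -X -t mangle
  iptables -Z
  # The IPv6 rules below are appended with -A; without this flush every run
  # of the script stacks another copy of them onto the ip6tables INPUT chain.
  ip6tables -F
  ip6tables -X
  ip6tables -Z
}

#######################################
# Default policies: deny inbound and transit traffic, allow the firewall's
# own outbound traffic. (No ip6tables policy is set anywhere in this part of
# the script, so the IPv6 FORWARD/OUTPUT chains keep the kernel default —
# TODO confirm against the rest of the script.)
#######################################
set_policies() {
  iptables -P INPUT DROP
  iptables -P FORWARD DROP
  iptables -P OUTPUT ACCEPT
}

#######################################
# Loopback, conntrack replies and ICMP into the firewall itself.
# The chains were just flushed, so appending (-A) in this order yields the
# same accept set the original "-I" inserts produced.
#######################################
allow_local_and_established() {
  iptables -A INPUT -i lo -j ACCEPT
  iptables -A OUTPUT -o lo -j ACCEPT
  iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
  # All ICMP types, from any source, without rate limiting on INPUT.
  iptables -A INPUT -p icmp -j ACCEPT
}

#######################################
# Rate-limited FORWARD rules for stealth scans, SYN floods and ping floods.
# NOTE(review): these are ACCEPT-with-limit rules, not DROPs. Up to 1 pkt/s
# of each kind is forwarded from ANY source; the excess falls through to the
# rules that follow and then to the FORWARD DROP policy. Two consequences:
# the limit is bypassed for sources that a later rule accepts wholesale (the
# LAN SYN rule below), and a trickle of external SYN/RST/echo-request traffic
# is forwarded that no other rule would allow. The usual fix is a dedicated
# chain (limit -> RETURN, then DROP); left as-is here to preserve behaviour.
#######################################
limit_forward_abuse() {
  # The original "--tcp-flags SYN,ACK, FIN," is malformed and rejected by
  # iptables (mask and comparison are two separate, comma-joined lists).
  # Reconstructed as the standard "only RST set out of SYN,ACK,FIN,RST"
  # scan-limiting rule — TODO confirm this matches the author's intent.
  iptables -A FORWARD -m comment --comment "Bloqueio Shealt Scan" \
    -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit 1/s -j ACCEPT
  iptables -A FORWARD -m comment --comment "Bloqueio SYN-FLOODS" \
    -p tcp --syn -m limit --limit 1/s -j ACCEPT
  iptables -A FORWARD -m comment --comment "Bloqueio Ping da Morte" \
    -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT
}

#######################################
# IPv6 INPUT: loopback, ICMPv6 on one interface, conntrack replies, then a
# terminal DROP standing in for a chain policy.
#######################################
ipv6_rules() {
  ip6tables -A INPUT -i lo -j ACCEPT
  # Hard-coded interface; presumably the internal side — confirm. ICMPv6 is
  # accepted there in full (all types, no limit).
  ip6tables -A INPUT -p icmpv6 -i eth1 -j ACCEPT
  ip6tables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
  ip6tables -A INPUT -j DROP
}

#######################################
# Services exposed on the firewall and through it.
# SNMP (udp/161) is accepted on INPUT and FORWARD from any source and any
# interface, i.e. the agent is reachable from the outside as well; add
# "-s <management network>" or "-i <internal interface>" if that is not
# intended.
#######################################
service_rules() {
  iptables -A INPUT -m comment --comment "Liberacao SNMP" \
    -p udp --dport 161 -j ACCEPT
  iptables -A FORWARD -m comment --comment "Liberacao SNMP" \
    -p udp --dport 161 -j ACCEPT
}

#######################################
# New TCP connections from the LAN may reach the firewall itself (every
# port) and be forwarded. rp_filter (set above) is what stops an outside
# host from spoofing a LAN source address on the external interface.
# NOTE(review): no ESTABLISHED,RELATED rule for FORWARD is visible in this
# part of the script, so replies to forwarded connections hit the DROP
# policy unless a later rule allows them — confirm with the rest of the file.
#######################################
lan_rules() {
  iptables -A INPUT -p tcp --syn -s "$LAN_NET" -j ACCEPT
  iptables -A FORWARD -p tcp --syn -s "$LAN_NET" -j ACCEPT
  # OUTPUT policy is already ACCEPT; this rule only adds a counter.
  iptables -A OUTPUT -p tcp --syn -s "$LAN_NET" -j ACCEPT
}

load_modules
harden_kernel
reset_rules
set_policies
allow_local_and_established
limit_forward_abuse
ipv6_rules
service_rules
lan_rules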