#!/bin/bash
#
# Modelo Firewall By Thiago Laurito
#
# Site <http://slackdummies.blogspot.com>
# Email <thiago.laurito@gmail.com>
# Data 27/01/2011 01:33 :)
#

# Carregando Módulos para funcoes especificas do Iptables.
modprobe    ip_tables
modprobe    iptable_nat
modprobe    ip_conntrack
modprobe    ip_conntrack_ftp
modprobe    ip_nat_ftp
modprobe    ipt_LOG
modprobe    ipt_REJECT
modprobe    ipt_MASQUERADE
modprobe    ipt_state
modprobe    ipt_multiport
modprobe    iptable_mangle
modprobe    ipt_tos
modprobe    ipt_limit
modprobe    ipt_mark
modprobe    ipt_MARK

# Alteracoes de protecao no Kernel
echo "1" > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_all

# Habilitando ip_forward para roteamento na rede através do Firewall.
echo "1" > /proc/sys/net/ipv4/ip_forward

# Habilitando broadcast echo Protection
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts

# Disabilitando Source Routed Packets
for f in /proc/sys/net/ipv4/conf/*/accept_source_route; do
    echo 0 > $f
done

# Habilitando TCP SYN Cookie Protection
echo 1 > /proc/sys/net/ipv4/tcp_syncookies

# Disabilitando ICMP Redirect Acceptance
for f in /proc/sys/net/ipv4/conf/*/accept_redirects; do
    echo 0 > $f
done

# Nao Envia Redirect Messages
for f in /proc/sys/net/ipv4/conf/*/send_redirects; do
    echo 0 > $f
done

# Disabilitando ICMP Redirect Acceptance
for f in /proc/sys/net/ipv4/conf/*/accept_redirects; do
    echo 0 > $f
done

# Dropando Spoofed Packets.
for f in /proc/sys/net/ipv4/conf/*/rp_filter; do
    echo 1 > $f
done

# Log packets com enderecos impossiveis.
for f in /proc/sys/net/ipv4/conf/*/log_martians; do
    echo 1 > $f
done

# Limpando as regras default Chain.
iptables -F
iptables -F INPUT
iptables -F OUTPUT
iptables -F FORWARD
iptables -t mangle -F
iptables -t nat -F
iptables -X
iptables -X -t nat
iptables -X -t mangle

# Zera os Contadores
iptables -Z

# Aplicando Police nas Chains INPUT/FORWARD/OUTPUT
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT

# Liberacao interna entre os processos do FIrewall
iptables -I INPUT -i lo -j ACCEPT
iptables -I OUTPUT -o lo -j ACCEPT
iptables -I INPUT -m state --state ESTABLISHED -j ACCEPT
iptables -I INPUT -m state --state RELATED -j ACCEPT
iptables -I INPUT -p icmp -j ACCEPT

# Bloqueio Shealt Scan.
iptables -A FORWARD -m comment --comment "Bloqueio Shealt Scan" -p tcp --tcp-flags SYN,ACK, FIN, -m limit --limit 1/s -j ACCEPT

# Bloqueio Contra SYN-FLOODS
iptables -A FORWARD -m comment --comment "Bloqueio SYN-FLOODS" -p tcp --syn -m limit --limit 1/s -j ACCEPT

# Bloqueio Ping da Morte
iptables -A FORWARD -m comment --comment "Bloqueio Ping da Morte" -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT

# Liberando tráfego IPV6
ip6tables -A INPUT -i lo -j ACCEPT
ip6tables -A INPUT -p icmpv6 -i eth1 -j ACCEPT
ip6tables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
ip6tables -A INPUT -j DROP

# Liberando SNMP
iptables -A INPUT -m comment --comment "Liberacao SNMP" -p udp --dport 161 -j ACCEPT
iptables -A FORWARD -m comment --comment "Liberacao SNMP" -p udp --dport 161 -j ACCEPT

# Liberando acesso da rede interna (Trocar para o IP Rede.)
iptables -A INPUT -p tcp --syn -s 192.168.1.0/24 -j ACCEPT
iptables -A FORWARD -p tcp --syn -s 192.168.1.0/24 -j ACCEPT
iptables -A OUTPUT -p tcp --syn -s 192.168.1.0/24 -j ACCEPT