  1. #!/bin/sh
  2.  
  3. # Variaveis
  4. # conexao com a internet
  5. IFEXT="eth1"
  6. IPEXT="ip externo"
  7.  
  8. # conexao com a rede local
  9. IFINT="eth0"
  10. IPINT="ip interno"
  11. # zimbra
  12. IPZIM="ip servidor zimbra"
  13. # sapl
  14. IPSAP="ip servidor sistema"
  15. # mascara de rede
  16. NTW="10.0.0.0/24"
  17. # loopback
  18. LOO="127.0.0.1"
  19.  
  20. IPT=`which iptables`
  21.  
  22. echo ""
  23. $IPT -V
  24. echo ""
  25.  
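# Return 0 when $1 is a bare port number in 1-65535 (digits only, no sign,
# no whitespace). List-file entries are spliced straight into iptables
# command lines, so anything else is rejected rather than passed along.
_fw_is_port() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "${#1}" -le 5 ] && [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# Return 0 when $1 consists only of digits and dots (a dotted-quad IPv4
# address); the per-octet range check is left to iptables itself.
_fw_is_ipv4() {
    case "$1" in
        ''|*[!0-9.]*) return 1 ;;
        *) return 0 ;;
    esac
}

# Print the contents of list file $1 on stdout. A missing or unreadable file
# yields nothing plus a warning on stderr, so the corresponding rule group is
# skipped instead of aborting the whole start-up.
_fw_list() {
    if [ -r "$1" ]; then
        cat "$1"
    else
        printf 'warning: list file %s not readable; skipping\n' "$1" >&2
    fi
}

#######################################
# Build the complete rule set from scratch (assumes the tables are empty).
# Globals:   IPT, IFEXT, IFINT, IPEXT, IPZIM, NTW (all read)
# Reads:     /etc/init.d/zimbra_ports, /etc/init.d/ips, /etc/init.d/ports
# Outputs:   progress messages on stdout, warnings on stderr
#######################################
firewall_start(){
    # Load the netfilter modules used below. These are the legacy module names;
    # on kernels that autoload netfilter modules (or renamed them, e.g. xt_LOG)
    # a failed modprobe is harmless, so their status is deliberately not checked.
    modprobe ip_tables
    modprobe ip_conntrack
    modprobe iptable_filter
    modprobe iptable_nat
    modprobe ipt_LOG
    modprobe ipt_limit
    modprobe ipt_state
    modprobe ipt_MASQUERADE
    modprobe ip_nat_ftp
    modprobe ip_nat_irc
    modprobe ip_conntrack_ftp
    modprobe ip_conntrack_irc

    # Kernel side: enable routing between the interfaces, SYN cookies and the
    # usual ICMP protections.
    echo 1 > /proc/sys/net/ipv4/ip_forward
    echo 1 > /proc/sys/net/ipv4/tcp_syncookies
    echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
    echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses

    # Default policies: whatever is not explicitly accepted below is dropped.
    printf '%s' "Setting default policies (DROP)... "
    "$IPT" -P INPUT DROP
    "$IPT" -P FORWARD DROP
    "$IPT" -P OUTPUT ACCEPT
    echo "Ok"

    # Loopback: match on the interface, not on 127.0.0.1 -> 127.0.0.1. Local
    # connections to the host's own eth0/eth1 addresses also travel over lo and
    # were previously caught by the DROP policy, while a 127.0.0.1-sourced
    # packet on a real interface must not be accepted. (Loopback traffic is
    # never forwarded, so the old FORWARD rule was a no-op and is gone.)
    printf '%s' "Setting loopback access..."
    "$IPT" -A INPUT -i lo -j ACCEPT
    echo "Ok"

    # DNS: the LAN may query this host and may query through it.
    printf '%s' "Setting DNS access..."
    "$IPT" -A INPUT -p tcp -s "$NTW" --dport 53 -j ACCEPT
    "$IPT" -A INPUT -p udp -s "$NTW" --dport 53 -j ACCEPT
    "$IPT" -A FORWARD -p tcp -s "$NTW" --dport 53 -j ACCEPT
    "$IPT" -A FORWARD -p udp -s "$NTW" --dport 53 -j ACCEPT
    echo "Ok"

    # SSH from the LAN only. SSH is TCP; the former UDP/22 rule opened a port
    # nothing listens on and was dropped.
    printf '%s' "Setting SSH access..."
    "$IPT" -A INPUT -p tcp -s "$NTW" --dport 22 -j ACCEPT
    echo "Ok"

    # Anti-spoofing: packets entering on the Internet-facing interface must not
    # carry a private (RFC 1918) or loopback source. Each range is logged
    # (rate-limited) and dropped. Two fixes versus the original rules: the
    # second private block is 172.16.0.0/12 (172.16.0.0-172.31.255.255), not
    # /16; and the log prefix is kept short because iptables rejects a
    # --log-prefix longer than 29 characters, which silently lost the 172.16
    # and 192.168 LOG rules before (their DROP rules still applied).
    printf '%s' "Setting ip spoofing protection..."
    for SPOOFED in 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 127.0.0.0/8; do
        "$IPT" -A INPUT -i "$IFEXT" -s "$SPOOFED" -m limit --limit 3/s \
            -j LOG --log-level info --log-prefix "FW spoof $SPOOFED --"
        "$IPT" -A INPUT -i "$IFEXT" -s "$SPOOFED" -j DROP
    done
    # Rate-limited acceptance of new TCP connections and echo requests through
    # the router ("synflood" / "ping of death" throttling). These rules are
    # what lets LAN-originated traffic out, so they are restricted to the LAN
    # interface: without "-i", the old rules also accepted (throttled) new
    # connections and pings from the Internet into the LAN. Traffic DNAT'd to
    # Zimbra gets its own FORWARD rules below.
    "$IPT" -A FORWARD -i "$IFINT" -p tcp --syn -m limit --limit 2/s -j ACCEPT
    "$IPT" -A FORWARD -i "$IFINT" -p icmp --icmp-type echo-request \
        -m limit --limit 1/s -j ACCEPT
    echo "Ok"

    # Local web server, reachable from every interface.
    "$IPT" -A INPUT -p tcp --dport 80 -j ACCEPT

    # Zimbra: publish each port listed in zimbra_ports on the external address
    # and forward it to the Zimbra host; UDP 25/26 are published the same way.
    # Every entry is validated before it is spliced into a command line.
    printf '%s' "Setting Zimbra port forwarding..."
    # shellcheck disable=SC2046 -- whitespace-separated list; splitting intended
    for ZIMPORT in $(_fw_list /etc/init.d/zimbra_ports); do
        if ! _fw_is_port "$ZIMPORT"; then
            printf 'warning: ignoring invalid zimbra port "%s"\n' "$ZIMPORT" >&2
            continue
        fi
        "$IPT" -t nat -A PREROUTING -d "$IPEXT" -p tcp --dport "$ZIMPORT" \
            -j DNAT --to-destination "$IPZIM:$ZIMPORT"
        "$IPT" -A FORWARD -i "$IFEXT" -d "$IPZIM" -p tcp --dport "$ZIMPORT" -j ACCEPT
    done
    for ZIMPORT in 25 26; do
        "$IPT" -t nat -A PREROUTING -d "$IPEXT" -p udp --dport "$ZIMPORT" \
            -j DNAT --to-destination "$IPZIM:$ZIMPORT"
        "$IPT" -A FORWARD -i "$IFEXT" -d "$IPZIM" -p udp --dport "$ZIMPORT" -j ACCEPT
    done
    echo "Ok"

    # Transparent proxy: LAN web traffic is redirected to the local proxy on
    # 8787, which therefore must accept LAN connections. HTTP is TCP; the
    # former UDP/80 redirect and UDP/8787 accept rules matched nothing useful.
    printf '%s' "Setting transparent proxy... "
    "$IPT" -A INPUT -p tcp -s "$NTW" --dport 8787 -j ACCEPT
    "$IPT" -t nat -A PREROUTING -s "$NTW" -p tcp --dport 80 -j REDIRECT --to-port 8787
    echo "Ok"

    # Hosts listed in ips are masqueraded for every protocol and port. "-o"
    # keeps the masquerade on the Internet side; without it, traffic routed
    # back onto the LAN was rewritten as well.
    # shellcheck disable=SC2046
    for IP in $(_fw_list /etc/init.d/ips); do
        if ! _fw_is_ipv4 "$IP"; then
            printf 'warning: ignoring invalid address "%s"\n' "$IP" >&2
            continue
        fi
        "$IPT" -t nat -A POSTROUTING -o "$IFEXT" -s "$IP/32" -j MASQUERADE
    done

    # The rest of the LAN is masqueraded only towards the ports listed in
    # ports, plus ICMP.
    # shellcheck disable=SC2046
    for PORT in $(_fw_list /etc/init.d/ports); do
        if ! _fw_is_port "$PORT"; then
            printf 'warning: ignoring invalid port "%s"\n' "$PORT" >&2
            continue
        fi
        "$IPT" -t nat -A POSTROUTING -o "$IFEXT" -p tcp -s "$NTW" --dport "$PORT" -j MASQUERADE
        "$IPT" -t nat -A POSTROUTING -o "$IFEXT" -p udp -s "$NTW" --dport "$PORT" -j MASQUERADE
    done
    "$IPT" -t nat -A POSTROUTING -o "$IFEXT" -p icmp -s "$NTW" -j MASQUERADE

    # Replies and related traffic of accepted connections.
    "$IPT" -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    "$IPT" -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    "$IPT" -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

    # Whatever reaches the end of INPUT/FORWARD is logged (throttled) before
    # the policy drops it; the OUTPUT rule logs new outbound connections, which
    # that chain's ACCEPT policy then lets through.
    printf '%s' "Setting log actions..."
    "$IPT" -A INPUT -m limit --limit 3/m --limit-burst 3 -j LOG --log-level info --log-prefix "Firewall: INPUT --"
    "$IPT" -A OUTPUT -m limit --limit 3/m --limit-burst 3 -j LOG --log-level info --log-prefix "Firewall: OUTPUT --"
    "$IPT" -A FORWARD -m limit --limit 3/m --limit-burst 3 -j LOG --log-level info --log-prefix "Firewall: FORWARD --"
    echo "Ok"

    echo ""
    echo "Iptables started successfully"
}
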
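#######################################
# Tear the firewall down: open the policies, then flush every table.
# Globals:   IPT (read)
# Outputs:   progress messages on stdout
#######################################
firewall_stop(){
    printf '%s' "Stopping Iptables firewall... "

    # Open the policies *before* flushing. Flushing first leaves the chains
    # momentarily empty under the DROP policy set by firewall_start; if the
    # script were interrupted in that window the host would be unreachable.
    printf '%s' "Setting default ACCEPT policy... "
    "$IPT" -P INPUT ACCEPT
    "$IPT" -P FORWARD ACCEPT
    "$IPT" -P OUTPUT ACCEPT
    echo "Ok"

    # Flush rules, delete user chains and zero counters in every table the
    # start-up touches (nat and mangle keep their built-in ACCEPT policies).
    printf '%s' "Cleaning rules... "
    for TABLE in filter nat mangle; do
        "$IPT" -t "$TABLE" -F
        "$IPT" -t "$TABLE" -X
        "$IPT" -t "$TABLE" -Z
    done
    echo "Ok"

    echo "Iptables stopped successfully"
}
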
#######################################
# Dump the nat, mangle and filter tables with numeric addresses/ports, each
# under its own banner and followed by a blank line.
# Globals:   IPT (read)
# Outputs:   table listings on stdout
#######################################
firewall_status(){
    printf '==========   NAT Status Policies   ==========\n\n'
    "$IPT" -t nat -nL
    printf '\n'

    printf '==========   Mangle Status Policies   ==========\n\n'
    "$IPT" -t mangle -nL
    printf '\n'

    # No -t here: the filter table is iptables' default.
    printf '==========   Filter Status Policies   ==========\n\n'
    "$IPT" -nL
    printf '\n'
}

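# Dispatch on the requested action. An unknown or missing action prints the
# usage line on stderr and exits non-zero, so a caller (init system, cron,
# an operator's typo) sees a failure instead of a silent exit 0.
case "$1" in
    start)
        firewall_start
        ;;
    stop)
        firewall_stop
        ;;
    restart)
        # Short pause between teardown and rebuild, as in the original script.
        firewall_stop
        echo ""
        sleep 1
        firewall_start
        ;;
    status)
        firewall_status
        ;;
    *)
        echo "Use: firewall [start] [stop] [restart] [status]" >&2
        exit 2
        ;;
esac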