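#!/bin/sh
#
# Two-interface iptables gateway: DROP-by-default INPUT/FORWARD, NAT for the
# LAN, port forwarding to a Zimbra host and a transparent HTTP proxy redirect.
# Usage: firewall {start|stop|restart|status}
#
# Replace every "ip ..." placeholder below with a real dotted-quad address
# before the first start: the values are spliced into iptables arguments.

# --- Variables ---
# Interface facing the internet and its public address
IFEXT="eth1"
IPEXT="ip externo"
# Interface facing the LAN and the gateway's address on it
IFINT="eth0"
IPINT="ip interno"
# Zimbra mail server (target of the DNAT rules)
IPZIM="ip servidor zimbra"
# SAPL application server (not referenced by any rule in this script)
IPSAP="ip servidor sistema"
# LAN network, CIDR
NTW="10.0.0.0/24"
# Loopback address
LOO="127.0.0.1"

# Locate iptables. `command -v` is POSIX (unlike `which`). Abort when the
# binary is missing: with an empty $IPT, "$IPT -P INPUT DROP" would try to run
# a command called "-P", every rule would silently fail and the host would be
# left unfiltered while the script still reports success.
IPT=$(command -v iptables)
if [ -z "$IPT" ]; then
    echo "firewall: iptables not found in PATH" >&2
    exit 1
fi
echo ""
"$IPT" -V
echo ""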
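#######################################
# read_list FILE
#   Print the whitespace-separated tokens of FILE one per line, skipping
#   blank lines and '#' comments. A missing or unreadable file yields an
#   empty list plus a warning on stderr instead of a bare `cat` error.
#######################################
read_list(){
    if [ ! -r "$1" ]; then
        echo "firewall: list file $1 missing or unreadable, treating it as empty" >&2
        return 0
    fi
    awk '{ sub(/#.*/, ""); for (i = 1; i <= NF; i++) print $i }' "$1"
}

# is_port VALUE -> true when VALUE is an integer in 1..65535.
is_port(){
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# is_ipv4 VALUE -> true when VALUE is four dot-separated groups of digits.
# iptables still validates the octets; this only rejects tokens that are not
# an address at all (e.g. the "ip externo" template placeholders) before
# they are spliced into a rule.
is_ipv4(){
    case "$1" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    [ "$(printf '%s\n' "$1" | awk -F. '{ print NF }')" = 4 ]
}

#######################################
# firewall_start
#   Build the ruleset: DROP-by-default INPUT/FORWARD, LAN-only services on the
#   gateway, anti-spoofing on $IFEXT, DNAT of the Zimbra ports to $IPZIM,
#   transparent HTTP proxy for the LAN, and filtered + masqueraded LAN egress.
# Globals: IPT IFEXT IFINT IPEXT IPZIM NTW (read)
# Files:   /etc/init.d/zimbra_ports, /etc/init.d/ips, /etc/init.d/ports
#          (token lists; every entry is validated before it becomes a rule)
# Returns: 1 without touching the kernel when IPEXT/IPZIM are not addresses,
#          0 otherwise (individual iptables failures are printed, not fatal)
#######################################
firewall_start(){
    # Refuse to run with the template placeholders still in place: unquoted,
    # "ip externo" splits into two iptables arguments, the NAT/forward rules
    # fail, and the DROP policies are already installed by then.
    for addr in "$IPEXT" "$IPZIM"; do
        if ! is_ipv4 "$addr"; then
            echo "firewall: '$addr' is not an IPv4 address; edit the IP* variables first" >&2
            return 1
        fi
    done

    # Conntrack/NAT modules. These are the legacy names; on recent kernels
    # modprobe reports them as unknown (nf_conntrack / xt_* replaced them) and
    # iptables autoloads what a rule needs, so a failure here is not fatal.
    # NOTE(review): the ftp/irc helpers parse packet payload and open
    # "expected" connections through the firewall; keep them only if active
    # FTP or IRC DCC from the LAN is actually required.
    for mod in ip_tables ip_conntrack iptable_filter iptable_nat ipt_LOG \
               ipt_limit ipt_state ipt_MASQUERADE ip_nat_ftp ip_nat_irc \
               ip_conntrack_ftp ip_conntrack_irc; do
        modprobe "$mod"
    done

    # Default policies first, flush second: the box must never sit in the
    # "forwarding on, everything ACCEPTed" state that stop leaves behind while
    # the rules below are still being appended. Flushing here also makes a
    # repeated `start` rebuild the set instead of duplicating every rule.
    echo -n "Setting default policies (DROP)... "
    "$IPT" -P INPUT DROP
    "$IPT" -P FORWARD DROP
    "$IPT" -P OUTPUT ACCEPT
    "$IPT" -F
    "$IPT" -F -t nat
    "$IPT" -X
    echo "Ok"

    # Kernel side: routing on, SYN cookies, ignore broadcast pings and bogus
    # ICMP errors, and strict reverse-path filtering (the kernel drops packets
    # whose source is not routable back through the arriving interface, which
    # covers most address spoofing before any rule runs).
    for knob in ip_forward tcp_syncookies icmp_echo_ignore_broadcasts \
                icmp_ignore_bogus_error_responses conf/all/rp_filter \
                conf/default/rp_filter; do
        echo 1 > "/proc/sys/net/ipv4/$knob"
    done

    # Connection tracking first: replies to known flows are the bulk of the
    # traffic and need no further inspection; packets conntrack cannot
    # classify are dropped rather than evaluated against the ACCEPT rules.
    echo -n "Setting stateful rules..."
    "$IPT" -A INPUT   -m state --state ESTABLISHED,RELATED -j ACCEPT
    "$IPT" -A OUTPUT  -m state --state ESTABLISHED,RELATED -j ACCEPT
    "$IPT" -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    "$IPT" -A INPUT   -m state --state INVALID -j DROP
    "$IPT" -A FORWARD -m state --state INVALID -j DROP
    echo "Ok"

    # Loopback: match the interface, not 127.0.0.1 as src/dst, so a packet
    # carrying a forged 127.0.0.1 that arrives on eth0/eth1 is not accepted.
    # (Loopback traffic is never forwarded, so no FORWARD rule is needed.)
    echo -n "Setting loopback access..."
    "$IPT" -A INPUT -i lo -j ACCEPT
    echo "Ok"

    # Anti-spoofing on the internet side: RFC 1918 and loopback sources must
    # never arrive on $IFEXT, neither for the gateway nor for the LAN behind it.
    # 172.16.0.0/12 is the RFC 1918 block (the earlier /16 covered 1/16 of it).
    # One short log prefix for all of them: iptables rejects a --log-prefix
    # longer than 29 characters, and "FIREWALL: Spoofing - 172.16. --" /
    # "... 192.168. --" were 31, so those LOG rules never loaded; the offending
    # network is in the SRC= field of the log line anyway.
    echo -n "Setting ip spoofing protection..."
    for bogon in 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 127.0.0.0/8; do
        "$IPT" -A INPUT -i "$IFEXT" -s "$bogon" -m limit --limit 3/s \
            -j LOG --log-level info --log-prefix "FIREWALL: Spoofing --"
        "$IPT" -A INPUT -i "$IFEXT" -s "$bogon" -j DROP
        "$IPT" -A FORWARD -i "$IFEXT" -s "$bogon" -j DROP
    done
    echo "Ok"

    # DNS served by the gateway to the LAN, plus LAN lookups that go straight
    # to outside resolvers. Bound to the LAN interface as well as the LAN
    # prefix so the same addresses cannot be claimed from the internet side.
    echo -n "Setting DNS access..."
    "$IPT" -A INPUT -i "$IFINT" -s "$NTW" -p tcp --dport 53 -m state --state NEW -j ACCEPT
    "$IPT" -A INPUT -i "$IFINT" -s "$NTW" -p udp --dport 53 -j ACCEPT
    "$IPT" -A FORWARD -i "$IFINT" -o "$IFEXT" -s "$NTW" -p tcp --dport 53 -m state --state NEW -j ACCEPT
    "$IPT" -A FORWARD -i "$IFINT" -o "$IFEXT" -s "$NTW" -p udp --dport 53 -j ACCEPT
    echo "Ok"

    # SSH from the LAN only. SSH is TCP; the former "udp --dport 22" accept
    # only exposed an unused UDP port and was dropped.
    echo -n "Setting SSH access..."
    "$IPT" -A INPUT -i "$IFINT" -s "$NTW" -p tcp --dport 22 -m state --state NEW -j ACCEPT
    echo "Ok"

    # SYN-flood limiter for forwarded traffic. A user chain lets SYNs through
    # at a bounded rate and DROPs (and samples to the log) the excess; it does
    # NOT accept anything by itself. The previous
    # "-A FORWARD -p tcp --syn -m limit --limit 2/s -j ACCEPT" admitted new TCP
    # connections from *any* interface to *any* host -- the only thing between
    # the internet and the LAN was the 2/s rate -- while throttling legitimate
    # LAN browsing to the same 2/s. Rates below are a starting point; tune them
    # to the size of the LAN.
    echo -n "Setting flood protection..."
    "$IPT" -N syn_flood
    "$IPT" -A syn_flood -m limit --limit 50/s --limit-burst 100 -j RETURN
    "$IPT" -A syn_flood -m limit --limit 3/m -j LOG --log-level info --log-prefix "FIREWALL: SYN flood --"
    "$IPT" -A syn_flood -j DROP
    "$IPT" -A FORWARD -p tcp --syn -j syn_flood
    # Ping floods / ping of death: LAN hosts may ping out at a bounded rate;
    # anything above it (and every inbound echo-request) hits the DROP policy.
    "$IPT" -A FORWARD -i "$IFINT" -s "$NTW" -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT
    echo "Ok"

    # Local web server: reachable on every interface as before (presumably the
    # public site). Only NEW connections need this; replies are covered above.
    # Restrict with -i "$IFINT" if it is meant for the LAN only.
    "$IPT" -A INPUT -p tcp --dport 80 -m state --state NEW -j ACCEPT

    # Zimbra: DNAT the listed TCP ports from the public address to the Zimbra
    # host and explicitly let the DNATed packets through FORWARD (the policy
    # is DROP, so a DNAT alone forwards nothing). Each entry is validated
    # because it becomes a rule argument. The UDP 25/26 DNATs that used to
    # follow were removed: SMTP is TCP-only, so they forwarded nothing.
    echo -n "Setting Zimbra forwarding..."
    read_list /etc/init.d/zimbra_ports | while read -r ZIMPORT; do
        if ! is_port "$ZIMPORT"; then
            echo "firewall: ignoring invalid port '$ZIMPORT' in /etc/init.d/zimbra_ports" >&2
            continue
        fi
        "$IPT" -t nat -A PREROUTING -i "$IFEXT" -d "$IPEXT" -p tcp --dport "$ZIMPORT" -j DNAT --to-destination "$IPZIM:$ZIMPORT"
        "$IPT" -A FORWARD -i "$IFEXT" -o "$IFINT" -d "$IPZIM" -p tcp --dport "$ZIMPORT" -m state --state NEW -j ACCEPT
    done
    echo "Ok"

    # Transparent proxy: LAN HTTP is redirected to the proxy on 8787, which is
    # reachable from the LAN only. HTTP is TCP; the UDP variants of these two
    # rules only opened an unused UDP port and were dropped.
    echo -n "Setting transparent proxy... "
    "$IPT" -A INPUT -i "$IFINT" -s "$NTW" -p tcp --dport 8787 -m state --state NEW -j ACCEPT
    "$IPT" -t nat -A PREROUTING -i "$IFINT" -s "$NTW" -p tcp --dport 80 -j REDIRECT --to-port 8787
    echo "Ok"

    # LAN egress. Access control lives in FORWARD; MASQUERADE is address
    # rewriting, not a filter, so the former per-port/per-IP MASQUERADE rules
    # decided nothing -- the SYN rule above did. Now:
    #  - hosts listed in /etc/init.d/ips: any protocol and port
    #  - everybody in $NTW: the TCP/UDP ports listed in /etc/init.d/ports
    echo -n "Setting LAN egress..."
    read_list /etc/init.d/ips | while read -r IP; do
        if ! is_ipv4 "$IP"; then
            echo "firewall: ignoring invalid address '$IP' in /etc/init.d/ips" >&2
            continue
        fi
        "$IPT" -A FORWARD -i "$IFINT" -o "$IFEXT" -s "$IP/32" -m state --state NEW -j ACCEPT
        # listed hosts may be outside $NTW, so they get their own MASQUERADE
        "$IPT" -t nat -A POSTROUTING -o "$IFEXT" -s "$IP/32" -j MASQUERADE
    done
    read_list /etc/init.d/ports | while read -r PORT; do
        if ! is_port "$PORT"; then
            echo "firewall: ignoring invalid port '$PORT' in /etc/init.d/ports" >&2
            continue
        fi
        "$IPT" -A FORWARD -i "$IFINT" -o "$IFEXT" -s "$NTW" -p tcp --dport "$PORT" -m state --state NEW -j ACCEPT
        "$IPT" -A FORWARD -i "$IFINT" -o "$IFEXT" -s "$NTW" -p udp --dport "$PORT" -j ACCEPT
    done
    "$IPT" -t nat -A POSTROUTING -o "$IFEXT" -s "$NTW" -j MASQUERADE
    echo "Ok"

    #### Logging ####
    # Whatever reaches the end of INPUT/FORWARD is about to be dropped by the
    # policy; log a rate-limited sample so an attacker cannot fill the log.
    # OUTPUT's policy is ACCEPT, so its LOG rule samples new outbound flows.
    echo -n "Setting log actions..."
    "$IPT" -A INPUT -m limit --limit 3/m --limit-burst 3 -j LOG --log-level info --log-prefix "Firewall: INPUT --"
    "$IPT" -A OUTPUT -m limit --limit 3/m --limit-burst 3 -j LOG --log-level info --log-prefix "Firewall: OUTPUT --"
    "$IPT" -A FORWARD -m limit --limit 3/m --limit-burst 3 -j LOG --log-level info --log-prefix "Firewall: FORWARD --"
    echo "Ok"
    echo ""
    echo "Iptables started sucessfully"
    echo -n ""
}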
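#######################################
# firewall_stop
#   Tear the ruleset down: flush and delete every chain in the filter, nat
#   and mangle tables, zero the counters and fall back to ACCEPT policies.
#   Security note: after this the host filters NOTHING. Packet forwarding is
#   switched off as well so the box at least stops acting as an open router
#   between $IFEXT and $IFINT (before, ip_forward stayed at 1 with ACCEPT
#   policies); `start` turns forwarding back on.
# Globals: IPT (read)
#######################################
firewall_stop(){
    echo -n "Stopping Iptables firewall... "
    echo -n ""
    echo -n "Cleaning rules... "
    # -F flush, -X delete user chains, -Z zero counters -- in that order, each
    # across all three tables (same sequence as listing them one by one).
    for op in -F -X -Z; do
        for table in filter nat mangle; do
            "$IPT" "$op" -t "$table"
        done
    done
    echo "Ok"
    echo -n "Setting default ACCEPT policy... "
    for chain in FORWARD INPUT OUTPUT; do
        "$IPT" -P "$chain" ACCEPT
    done
    # Only when the knob is writable (root, /proc/sys mounted rw); otherwise
    # the redirect would just print an error.
    if [ -w /proc/sys/net/ipv4/ip_forward ]; then
        echo 0 > /proc/sys/net/ipv4/ip_forward
    fi
    echo "Ok"
    echo -n ""
    echo -n "Iptables stopped sucessfuly"
    echo -n ""
}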
#######################################
# firewall_status
#   Print the current rules of the nat, mangle and filter tables, each under
#   its own banner, numerically (-n: no DNS or port-name lookups).
# Globals: IPT (read)
#######################################
firewall_status(){
    # "<banner title>:<table option>"; the filter table is listed without -t,
    # exactly as iptables defaults to it.
    for spec in "NAT:-t nat" "Mangle:-t mangle" "Filter:"; do
        title=${spec%%:*}
        tableopt=${spec#*:}
        echo "========== $title Status Policies =========="
        echo ""
        # $tableopt is deliberately unquoted: it is empty or "-t <name>".
        "$IPT" $tableopt -nL
        echo ""
    done
}
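# require_root ACTION: refuse to change the ruleset as an unprivileged user.
# Without this every iptables call fails with a permission error one by one
# and the script still prints its "Ok" markers.
require_root(){
    if [ "$(id -u)" -ne 0 ]; then
        echo "firewall: '$1' must be run as root" >&2
        exit 1
    fi
}

# Entry point: sysvinit-style dispatch on the first argument.
# "restart" goes through stop, which sets ACCEPT policies, and only rebuilds
# the rules after the one-second sleep, so the host is unfiltered for about
# that long; keep that in mind on an exposed gateway.
case "$1" in
    start)
        require_root "$1"
        firewall_start
        ;;
    stop)
        require_root "$1"
        firewall_stop
        ;;
    restart)
        require_root "$1"
        firewall_stop
        echo ""
        sleep 1
        firewall_start
        ;;
    status)
        firewall_status
        ;;
    *)
        # Unknown or missing action: usage on stderr and a non-zero status
        # (LSB init scripts use 2 for invalid arguments) so callers notice;
        # previously this path exited 0.
        echo "Use: firewall [start] [stop] [restart] [status]" >&2
        exit 2
        ;;
esac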