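#!/bin/bash
#
# Script Firewall — iptables firewall for a two-interface host/gateway.
#
# Usage: firewall {start|stop|status|restart|reload}
#
# Must run as root: loads kernel modules, writes /proc/sys and programs
# iptables. Operator-facing messages are kept in the original Portuguese;
# comments are in English.
#
# Points a maintainer should be aware of (visible in the rules below):
#  * FORWARD and OUTPUT accept state NEW for every source/destination, so the
#    DROP policies set on those chains carry no restriction in practice.
#  * net.ipv4.ip_forward is never set here; the DNAT rule only takes effect if
#    forwarding is enabled elsewhere — TODO confirm.
#  * No MASQUERADE/SNAT rule is installed; outbound NAT for LOCAL_NET, if
#    needed, must come from elsewhere — TODO confirm.

set -u

echo "Script Firewall"

######################
# Kernel modules     #
######################
# Module list kept from the original. Several names (ip_conntrack*, ipt_*)
# are legacy aliases that may be absent on newer kernels, so a failed
# modprobe is reported on stderr but does not abort the run.
readonly MODULES=(
  ip_tables ip_conntrack iptable_filter iptable_mangle iptable_nat
  ipt_LOG ipt_limit ipt_state ipt_REDIRECT ipt_owner ipt_REJECT
  ipt_MASQUERADE ip_conntrack_ftp ip_nat_ftp ip_gre
)

######################
# Local settings     #
######################
# The original also defined SYSCTL, IPT, IPTS and IPTR (paths to sysctl and
# the iptables tools) but never used them, and SYSCTL pointed at a
# non-existent path; they have been dropped. The unused interface/address
# settings below are kept as documentation of the intended topology.
readonly INET_IFACE="eth0"             # Internet-facing interface
# shellcheck disable=SC2034  # kept for reference, not used by the rules yet
readonly LOCAL_IFACE="eth1"            # LAN interface
readonly LOCAL_IP="192.168.0.1"        # this server / DNAT target for RDP
# shellcheck disable=SC2034
readonly LOCAL_NET="192.168.0.0/24"    # LAN range
# shellcheck disable=SC2034
readonly LOCAL_BCAST="192.168.0.255"   # LAN broadcast
readonly LO_IFACE="lo"
# shellcheck disable=SC2034
readonly LO_IP="127.0.0.1"
readonly LOCK_FILE="/var/lock/subsys/firewall"

#######################################
# Load the kernel modules in MODULES. #
# Outputs: progress on stdout, one    #
#          warning per failed module  #
#          on stderr.                 #
# Returns: 0 always.                  #
#######################################
load_modules() {
  local mod
  echo "Carregando Modulos"
  for mod in "${MODULES[@]}"; do
    modprobe "$mod" \
      || printf 'warning: could not load module %s\n' "$mod" >&2
  done
  return 0
}

#######################################
# Kernel network hardening via        #
# /proc/sys (applied on start).       #
# Returns: 0 always.                  #
#######################################
harden_kernel() {
  local conf
  echo "Implementação de politicas de segurança"
  echo 0 > /proc/sys/net/ipv4/conf/all/accept_source_route       # refuse source-routed packets
  echo 0 > /proc/sys/net/ipv4/conf/all/accept_redirects          # ignore ICMP redirects (route manipulation risk; disable on a router)
  echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts        # never answer broadcast pings (amplification)
  echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses  # ignore malformed ICMP error responses
  echo 1 > /proc/sys/net/ipv4/tcp_syncookies                     # SYN-flood resistance
  echo 1 > /proc/sys/net/ipv4/conf/default/rp_filter             # reverse-path filtering for interfaces created later
  for conf in /proc/sys/net/ipv4/conf/*; do
    [[ -d "$conf" ]] || continue
    echo 0 > "$conf/accept_redirects"
    echo 0 > "$conf/accept_source_route"
    echo 1 > "$conf/arp_filter"      # only answer ARP for addresses on the receiving interface
    echo 1 > "$conf/log_martians"    # kernel logs packets with impossible source addresses
    echo 1 > "$conf/rp_filter"       # drop packets whose source is not routable via the receiving interface
  done
  return 0
}

#######################################
# Install the full rule set.          #
# Globals: INET_IFACE, LOCAL_IP,      #
#          LO_IFACE, LOCK_FILE        #
# Returns: 0 always.                  #
#######################################
fw_start() {
  echo "Iniciando a Configuração do Firewall"

  echo "Regras Zeradas"
  iptables -F
  iptables -t mangle -F
  iptables -t nat -F
  iptables -X

  echo "Fechando todas as Portas"
  iptables -P INPUT DROP
  iptables -P FORWARD DROP
  iptables -P OUTPUT DROP

  # Ping: at most one echo-request per second is answered, the rest dropped.
  echo "Previne ataques DoS"
  iptables -A INPUT -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT
  echo "bloqueando os pacotes ICMP do tipo echo-request"
  iptables -A INPUT -p icmp --icmp-type echo-request -j DROP

  harden_kernel
  # Must precede the RELATED,ESTABLISHED accept below.
  iptables -A INPUT -m state --state INVALID -j DROP

  echo "Liberando conexões estabelecidas"
  iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
  # NEW is accepted for any source/destination here, which makes the FORWARD
  # and OUTPUT DROP policies above purely nominal.
  iptables -A FORWARD -m state --state RELATED,ESTABLISHED,NEW -j ACCEPT
  iptables -A OUTPUT -m state --state RELATED,ESTABLISHED,NEW -j ACCEPT
  iptables -A INPUT -i "$LO_IFACE" -j ACCEPT

  echo "Liberando o SSH"
  # Brute-force limit: the fourth new SSH connection from one address within
  # 60 s on the Internet interface is dropped. The --update rule only matches
  # addresses already in the "recent" list, so the --set rule is required
  # first (the original had only --update, so the limit never triggered).
  iptables -A INPUT -p tcp --dport 22 -i "$INET_IFACE" -m state --state NEW \
    -m recent --set
  iptables -A INPUT -p tcp --dport 22 -i "$INET_IFACE" -m state --state NEW \
    -m recent --update --seconds 60 --hitcount 4 -j DROP
  iptables -A INPUT -p tcp --dport 22 -j ACCEPT

  echo "Liberando a portas"
  iptables -A INPUT -p tcp --dport 53 -j ACCEPT
  iptables -A INPUT -p udp --dport 53 -j ACCEPT
  # FTP control (21) and active-mode data (20); ip_conntrack_ftp/ip_nat_ftp
  # handle the related data connections. SSH and FTP are TCP-only, so the
  # original udp/22, udp/21 and udp/20 ACCEPT rules were removed — they only
  # widened the exposed surface.
  iptables -A INPUT -p tcp --dport 21 -j ACCEPT
  iptables -A INPUT -p tcp --dport 20 -j ACCEPT

  echo "Redirecionando Portas"
  # RDP from the Internet is forwarded to LOCAL_IP with no source restriction;
  # add -s <trusted-admin-range> here if the administrator's addresses are known.
  iptables -t nat -A PREROUTING -i "$INET_IFACE" -p tcp --dport 3389 \
    -j DNAT --to "$LOCAL_IP"

  # stop removes this file; the original never created it.
  if [[ -d "${LOCK_FILE%/*}" ]]; then
    touch "$LOCK_FILE"
  fi

  echo "Configuração do Firewall Concluida."
  return 0
}

#######################################
# Flush every table and open all      #
# policies (ACCEPT).                  #
# Returns: 0 always.                  #
#######################################
fw_stop() {
  echo "Finalizando o Firewall"
  rm -f -- "$LOCK_FILE"
  iptables -F
  iptables -X
  iptables -t mangle -F
  iptables -t nat -F   # original left the DNAT rule behind after stop
  iptables -P INPUT ACCEPT
  iptables -P OUTPUT ACCEPT
  iptables -P FORWARD ACCEPT
  return 0
}

#######################################
# Print the current rule set (the     #
# usage text already advertised this  #
# action but it was not implemented). #
#######################################
fw_status() {
  iptables -L -n -v --line-numbers
  iptables -t nat -L -n -v --line-numbers
}

usage() {
  echo "Selecione uma opção valida {start|stop|status|restart|reload}"
  exit 1
}

main() {
  if [[ "$EUID" -ne 0 ]]; then
    printf 'este script precisa ser executado como root\n' >&2
    exit 1
  fi

  load_modules
  echo "Definindo Configurações Locais"

  case "${1:-}" in
    start)
      fw_start
      ;;
    stop)
      fw_stop
      ;;
    status)
      fw_status
      ;;
    restart|reload)
      fw_stop
      fw_start
      ;;
    *)
      usage
      ;;
  esac
  exit 0
}

main "$@"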