Untitled

#!/bin/sh

#### Definicoes de variaveis #######
#### Interface externa - Conexao com a internet ####
IFEXT="eth1"

#### Interface interna - Conexao com a rede local ####
IFLCL="eth0"

#### Definindo o caminho do iptables ####
IPT=`which iptables`

#### Rede interna ####
NTW="10.0.0.0/24"

#### IP Interno ####
IPINT="10.0.0.2"

#### IP Externo ####
IPEXT="xxx.xxx.xxx.xxx"

#### Mostrando a versao ####
$IPT -V
echo  ""

iptables_up(){

        #### Modulos de mascaramento ####

        modprobe iptable_nat
        modprobe ip_nat_ftp
        modprobe ip_conntrack
        modprobe ip_conntrack_ftp


        #### Ativa o roteamento de pacotes ####

        echo 1 > /proc/sys/net/ipv4/ip_forward
        echo 1 > /proc/sys/net/ipv4/tcp_syncookies
        echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
        echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses


        #### Limpando regras ####

        echo -n "Cleaning current rules... "
        $IPT -F
        $IPT -F -t nat
        $IPT -F -t mangle
        $IPT -X
        $IPT -X -t nat
        $IPT -X -t mangle
        $IPT -Z
        $IPT -Z -t nat
        $IPT -Z -t mangle
        echo "Ok"


        #### Politicas padrao ####

        echo -n "Setting default policies (DROP)... "
        $IPT -P INPUT DROP
        $IPT -P FORWARD DROP
        $IPT -P OUTPUT DROP
        echo "Ok"

        #### Proxy transparente ####
        echo -n "Setting transparent proxy... "
        $IPT -t nat -A PREROUTING -i $IFLCL -p tcp --dport 80 -j REDIRECT --to-port 8787
        $IPT -t nat -A PREROUTING -i $IFLCL -p udp --dport 80 -j REDIRECT --to-port 8787
        echo "Ok"

        #### NAT de saida ####

        echo -n "Setting source nat... "
        #### IP's sem limite ####
        #$IPT -A POSTROUTING -t nat -o $IFEXT -j SNAT --to $IPEXT
        $IPT -A POSTROUTING -t nat -o $IFEXT -s 10.0.0.20/32 -j SNAT --to $IPEXT
        $IPT -A POSTROUTING -t nat -o $IFEXT -s 10.0.0.37/32 -j SNAT --to $IPEXT
        $IPT -A POSTROUTING -t nat -o $IFEXT -s 10.0.0.215/32 -j SNAT --to $IPEXT
        $IPT -A POSTROUTING -t nat -o $IFEXT -s 10.0.0.225/32 -j SNAT --to $IPEXT
        $IPT -A POSTROUTING -t nat -o $IFEXT -s 10.0.0.226/32 -j SNAT --to $IPEXT
        $IPT -A POSTROUTING -t nat -o $IFEXT -s 10.0.0.227/32 -j SNAT --to $IPEXT
        $IPT -A POSTROUTING -t nat -o $IFEXT -s 10.0.0.228/32 -j SNAT --to $IPEXT
        $IPT -A POSTROUTING -t nat -o $IFEXT -s 10.0.0.231/32 -j SNAT --to $IPEXT
        ### Portas liberadas ####
        for PORT in `cat /etc/init.d/ports`; do
                $IPT -A POSTROUTING -t nat -o $IFEXT -s $NTW -p tcp --dport $PORT -j SNAT --to $IPEXT
                $IPT -A POSTROUTING -t nat -o $IFEXT -s $NTW -p udp --dport $PORT -j SNAT --to $IPEXT
        done
        echo "Ok"


        #### Politicas de OUTPUT ####

        echo -n "Setting OUTPUT policies... "
        #### Liberando acesso loopback ####
        $IPT -A OUTPUT -s 127.0.0.1 -d 127.0.0.1 -j ACCEPT
        #### Limitando o ping a 5/s ####
        $IPT -A OUTPUT -p icmp -m limit --limit 5/s -j ACCEPT
        #### Acesso DNS externo ####
        $IPT -A OUTPUT -p udp --dport 53 -j ACCEPT
        ### Libera navegacao web ####
        for PORT in `cat /etc/init.d/ports`; do
                $IPT -A OUTPUT -s $NTW -p tcp --dport $PORT -j ACCEPT
                $IPT -A OUTPUT -s $NTW -p udp --dport $PORT -j ACCEPT
        done

        $IPT -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
        $IPT -A OUTPUT -m limit --limit 3/m --limit-burst 3 -j LOG --log-level info --log-prefix "Firewall: OUTPUT -- "
        echo "Ok"


        #### Politicas de INPUT ####

        echo -n "Setting INPUT policies... "
        #### Liberando acesso loopback ####
        $IPT -A INPUT -s 127.0.0.1 -d 127.0.0.1 -j ACCEPT
        #### Limitando ping a 5/s ####
        $IPT -A INPUT -p icmp -m limit --limit 5/s -j ACCEPT
        $IPT -A INPUT -p icmp -m limit --limit 5/s -j ACCEPT
        #### Liberando APACHE local ####
        $IPT -A INPUT -p tcp -i $IFEXT --dport 80 -j ACCEPT
        #### Bloqueando IP Spoofing
        $IPT -A INPUT -i $IFEXT -s 10.0.0.0/8 -m limit --limit 3/m -j LOG --log-prefix "FW: 10. Spoofing -- "
        $IPT -A INPUT -i $IFEXT -s 10.0.0.0/8 -j DROP
        $IPT -A INPUT -i $IFEXT -s 172.16.0.0/16 -m limit --limit 3/m -j LOG --log-prefix "FW: 172. Spoofing -- "
        $IPT -A INPUT -i $IFEXT -s 172.16.0.0/16 -j DROP
        $IPT -A INPUT -i $IFEXT -s 192.168.0.0/16 -m limit --limit 3/m -j LOG --log-prefix "FW: 192. Spoofing -- "
        $IPT -A INPUT -i $IFEXT -s 192.168.0.0/16 -j DROP

        ### Trafego para o squid ###
        $IPT -A INPUT -i $IFLCL -p tcp -s $NTW --dport 8787 -j ACCEPT
        $IPT -A INPUT -i $IFLCL -p udp -s $NTW --dport 8787 -j ACCEPT

        $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
        $IPT -A INPUT -m limit --limit 3/m --limit-burst 3 -j LOG --log-level info --log-prefix "Firewall: INPUT --"
        echo "Ok"


        #### Politicas de FORWARD ####

        echo -n "Setting FORWARD policies... "
        #### Liberando acesso loopback ####
        $IPT -A FORWARD -s 127.0.0.1 -d 127.0.0.1 -j ACCEPT
        #### Acesso DNS ####
        $IPT -A FORWARD -p udp -s $NTW --dport 53 -j ACCEPT
        ### Libera navegacao web ####
        for PORT in `cat /etc/init.d/ports`; do
                $IPT -A FORWARD -s $NTW -p tcp --dport $PORT -j ACCEPT
                $IPT -A FORWARD -s $NTW -p udp --dport $PORT -j ACCEPT
        done

        $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
        $IPT -A FORWARD -m limit --limit 3/m --limit-burst 3 -j LOG --log-level info --log-prefix "Firewall: FORWARD -- "
        echo "Ok"

        echo -n ""
        echo "Iptables starded sucessfuly"
        echo -n ""

}

iptables_down(){

        echo -n "Stopping Iptables firewall... "
        echo -n ""

        echo -n "Cleaning rules... "
        $IPT -F
        $IPT -F -t nat
        $IPT -F -t mangle
        $IPT -X
        $IPT -X -t nat
        $IPT -X -t mangle
        $IPT -Z
        $IPT -Z -t nat
        $IPT -Z -t mangle
        echo "Ok"

        echo -n "Setting default ACCEPT policy... "
        $IPT -P FORWARD ACCEPT
        $IPT -P INPUT ACCEPT
        $IPT -P OUTPUT ACCEPT
        echo "Ok"

        echo -n ""
        echo -n "Iptables stopped sucessfuly"
        echo -n ""

}

iptables_restart(){
        iptables_down
        echo ""
        sleep 1
        iptables_up
}

iptables_status(){
        echo "==========   NAT Status Policies   =========="
        echo ""
        $IPT -t nat -nL
        echo ""
        echo "==========   Mangle Status Policies   =========="
        echo ""
        $IPT -t mangle -nL
        echo ""
        echo "==========   Filter Status Policies   =========="
        echo ""
        $IPT -nL
        echo ""
}

case "$1" in
        "start")
                iptables_up
        ;;
        "stop")
                iptables_down
        ;;
        "restart")
                iptables_restart
        ;;
        "status")
                iptables_status
        ;;
        * ) echo "Use: [start] [stop] [restart] [status]"
esac