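#!/bin/sh
# Small iptables firewall / NAT init script for a LAN gateway.
# Usage: $0 {start|stop|restart|status}
# Reads the word lists /etc/init.d/ips and /etc/init.d/ports (see iptables_up).

#### Variable definitions ####
#### External interface - Internet link ####
IFEXT="eth1"
#### Internal interface - LAN link ####
IFLCL="eth0"
#### Path to the iptables binary ####
# command -v is the portable replacement for `which`; abort here with one clear
# message instead of letting every later "$IPT ..." line fail individually.
IPT=$(command -v iptables) || {
  echo "iptables not found in PATH" >&2
  exit 1
}
#### LAN network ####
NTW="10.0.0.0/24"
#### Internal IP (this host) ####
IPINT="10.0.0.1"
#### E-mail server IP ####
IPZIM="10.0.0.6"
#### SMTP relay IP ####
IPSMT="10.0.0.2"
#### SAPL server IP ####
IPSAP="10.0.0.5"
#### External (public) IP ####
IPEXT="177.54.11.146"
#### Print the iptables version ####
"$IPT" -V
echo ""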
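#######################################
# Load the ruleset: NAT modules, forwarding sysctls, flush, DROP defaults,
# transparent proxy redirect, SNAT, INPUT and FORWARD filter rules.
# Globals (read): IPT IFEXT IFLCL NTW IPEXT IPSMT
# Reads:  /etc/init.d/ips   - LAN addresses given unrestricted SNAT, one per word
#         /etc/init.d/ports - TCP/UDP destination ports the LAN may reach, one per word
# Outputs: progress messages on stdout
#######################################
iptables_up(){
  #### Connection-tracking / NAT modules ####
  # NOTE(review): ip_nat_ftp / ip_conntrack are the legacy module names; newer
  # kernels ship nf_conntrack / nf_conntrack_ftp / nf_nat_ftp instead — confirm
  # against the running kernel, otherwise the FTP helper is silently absent.
  modprobe iptable_nat
  modprobe ip_nat_ftp
  modprobe ip_conntrack
  modprobe ip_conntrack_ftp
  #### Enable forwarding and basic kernel hardening ####
  echo 1 > /proc/sys/net/ipv4/ip_forward
  echo 1 > /proc/sys/net/ipv4/tcp_syncookies
  echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
  echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
  #### Flush rules, user chains and counters in every table ####
  printf '%s' "Cleaning current rules... "
  for table in filter nat mangle; do
    "$IPT" -t "$table" -F
    "$IPT" -t "$table" -X
    "$IPT" -t "$table" -Z
  done
  echo "Ok"
  #### Default policies ####
  printf '%s' "Setting default policies (DROP)... "
  "$IPT" -P INPUT DROP
  "$IPT" -P FORWARD DROP
  "$IPT" -P OUTPUT ACCEPT
  echo "Ok"
  #### Transparent proxy ####
  printf '%s' "Setting transparent proxy... "
  # Only traffic arriving on the LAN interface is redirected to the proxy on 8787.
  # The UDP/80 redirect is kept from the original ruleset; a TCP proxy will not
  # answer it, so it is presumably a no-op — confirm before relying on it.
  "$IPT" -t nat -A PREROUTING -i "$IFLCL" -p tcp --dport 80 -j REDIRECT --to-port 8787
  "$IPT" -t nat -A PREROUTING -i "$IFLCL" -p udp --dport 80 -j REDIRECT --to-port 8787
  #### Conectividade Social must bypass the proxy ####
  "$IPT" -t nat -A PREROUTING -p tcp -d 200.201.0.0/16 -j ACCEPT
  #### Inbound SMTP goes to the mail relay (to be removed later) ####
  # No -i restriction: LAN-originated SMTP is rewritten too, as in the original;
  # narrow it with -i "$IFEXT" if only Internet mail is meant.
  "$IPT" -t nat -A PREROUTING -p tcp --dport 25 -j DNAT --to "$IPSMT:25"
  #"$IPT" -t nat -A PREROUTING -i "$IFEXT" -p tcp --dport 80 -j DNAT --to 10.0.0.1:80
  #"$IPT" -t nat -A PREROUTING -i "$IFEXT" -p udp --dport 80 -j DNAT --to 10.0.0.1:80
  echo "Ok"
  #### Outbound NAT ####
  printf '%s' "Setting source nat... "
  #### Hosts with unrestricted outbound access ####
  # Word-split on purpose: the file holds whitespace-separated addresses.
  for IP in $(cat /etc/init.d/ips); do
    "$IPT" -A POSTROUTING -t nat -o "$IFEXT" -s "$IP/32" -j SNAT --to "$IPEXT"
  done
  #### Ports the whole LAN may reach ####
  for PORT in $(cat /etc/init.d/ports); do
    "$IPT" -A POSTROUTING -t nat -o "$IFEXT" -s "$NTW" -p tcp --dport "$PORT" -j SNAT --to "$IPEXT"
    "$IPT" -A POSTROUTING -t nat -o "$IFEXT" -s "$NTW" -p udp --dport "$PORT" -j SNAT --to "$IPEXT"
  done
  echo "Ok"
  #### INPUT rules ####
  printf '%s' "Setting INPUT policies... "
  #### Loopback ####
  # Match the interface rather than 127.0.0.1 src/dst: locally generated traffic
  # to this host's own LAN address also travels over lo and must not be dropped.
  "$IPT" -A INPUT -i lo -j ACCEPT
  #### Rate-limit ping to 5/s ####
  "$IPT" -A INPUT -p icmp -m limit --limit 5/s -j ACCEPT
  #### Local Apache ####
  # The original also accepted any packet with --sport 80, which admitted
  # traffic to every local port as long as the sender used source port 80.
  # Replies to outbound HTTP are already covered by the ESTABLISHED,RELATED rule.
  "$IPT" -A INPUT -p tcp --dport 80 -j ACCEPT
  #### DNS from the LAN ####
  "$IPT" -A INPUT -p tcp -s "$NTW" --dport 53 -j ACCEPT
  "$IPT" -A INPUT -p udp -s "$NTW" --dport 53 -j ACCEPT
  #### Anti-spoofing: RFC 1918 sources must never arrive on the external interface ####
  # 172.16.0.0/12 is the whole RFC 1918 block (the original /16 missed 172.17-172.31).
  "$IPT" -A INPUT -i "$IFEXT" -s 10.0.0.0/8 -m limit --limit 3/m -j LOG --log-prefix "FW: 10. Spoofing -- "
  "$IPT" -A INPUT -i "$IFEXT" -s 10.0.0.0/8 -j DROP
  "$IPT" -A INPUT -i "$IFEXT" -s 172.16.0.0/12 -m limit --limit 3/m -j LOG --log-prefix "FW: 172. Spoofing -- "
  "$IPT" -A INPUT -i "$IFEXT" -s 172.16.0.0/12 -j DROP
  "$IPT" -A INPUT -i "$IFEXT" -s 192.168.0.0/16 -m limit --limit 3/m -j LOG --log-prefix "FW: 192. Spoofing -- "
  "$IPT" -A INPUT -i "$IFEXT" -s 192.168.0.0/16 -j DROP
  ### Proxy (squid) traffic from the LAN ###
  "$IPT" -A INPUT -i "$IFLCL" -p tcp -s "$NTW" --dport 8787 -j ACCEPT
  "$IPT" -A INPUT -i "$IFLCL" -p udp -s "$NTW" --dport 8787 -j ACCEPT
  ### SSH from the LAN only ###
  "$IPT" -A INPUT -p tcp -s "$NTW" --dport 22 -j ACCEPT
  "$IPT" -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
  # Everything else is logged (rate-limited) and then falls to the DROP policy.
  "$IPT" -A INPUT -m limit --limit 3/m --limit-burst 3 -j LOG --log-level info --log-prefix "Firewall: INPUT --"
  echo "Ok"
  #### FORWARD rules ####
  printf '%s' "Setting FORWARD policies... "
  # (The original 127.0.0.1 -> 127.0.0.1 FORWARD rule was dropped: loopback
  # traffic never traverses the FORWARD chain, so it could not match.)
  #### DNS ####
  "$IPT" -A FORWARD -p udp -s "$NTW" --dport 53 -j ACCEPT
  "$IPT" -A FORWARD -p tcp -s "$NTW" --dport 53 -j ACCEPT
  #### Web browsing / allowed ports ####
  for PORT in $(cat /etc/init.d/ports); do
    "$IPT" -A FORWARD -s "$NTW" -p tcp --dport "$PORT" -j ACCEPT
    "$IPT" -A FORWARD -s "$NTW" -p udp --dport "$PORT" -j ACCEPT
  done
  #### Google ####
  # Was "-o IFEXT" (missing $): a literal interface named IFEXT never matches,
  # so this rule was silently dead. A hostname here is resolved once, at load
  # time, into one rule per address returned — it drifts as DNS answers change.
  "$IPT" -A FORWARD -i "$IFLCL" -o "$IFEXT" -d google.com -j ACCEPT
  #### Conectividade Social ####
  "$IPT" -A FORWARD -p tcp -d 200.201.0.0/16 -j ACCEPT
  "$IPT" -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
  "$IPT" -A FORWARD -m limit --limit 3/m --limit-burst 3 -j LOG --log-level info --log-prefix "Firewall: FORWARD -- "
  echo "Ok"
  echo "Iptables started successfully"
}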
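#######################################
# Tear the firewall down: flush every table and open all default policies.
# Globals (read): IPT
# Outputs: progress messages on stdout
# After this returns the host forwards and accepts everything unfiltered.
#######################################
iptables_down(){
  printf '%s' "Stopping Iptables firewall... "
  printf '%s' "Cleaning rules... "
  # Same flush / delete-chains / zero-counters sequence for each table.
  for table in filter nat mangle; do
    "$IPT" -t "$table" -F
    "$IPT" -t "$table" -X
    "$IPT" -t "$table" -Z
  done
  echo "Ok"
  printf '%s' "Setting default ACCEPT policy... "
  "$IPT" -P FORWARD ACCEPT
  "$IPT" -P INPUT ACCEPT
  "$IPT" -P OUTPUT ACCEPT
  echo "Ok"
  # The original printed this with -n, leaving the shell prompt glued to it.
  echo "Iptables stopped successfully"
}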
#######################################
# Restart: tear the rules down, pause briefly, then load them again.
# Globals: none read directly (delegates to iptables_down / iptables_up)
# Outputs: whatever the two delegates print, separated by a blank line
#######################################
iptables_restart(){
  iptables_down
  printf '\n'   # blank separator between the stop and start output
  sleep 1       # short pause between teardown and reload (kept from original)
  iptables_up
}
#######################################
# Show the current rules of the nat, mangle and filter tables (numeric output).
# Globals (read): IPT
# Outputs: a banner plus an "iptables -nL" listing per table on stdout
#######################################
iptables_status(){
  printf '========== NAT Status Policies ==========\n\n'
  "$IPT" -t nat -nL
  printf '\n========== Mangle Status Policies ==========\n\n'
  "$IPT" -t mangle -nL
  printf '\n========== Filter Status Policies ==========\n\n'
  "$IPT" -t filter -nL
  printf '\n'
}
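#### Entry point: dispatch on the first argument ####
case "$1" in
  start)
    iptables_up
    ;;
  stop)
    iptables_down
    ;;
  restart)
    iptables_restart
    ;;
  status)
    iptables_status
    ;;
  *)
    # Unknown or missing action: usage goes to stderr and the exit status is
    # non-zero so init wrappers and callers notice (the original exited 0).
    echo "Use: [start] [stop] [restart] [status]" >&2
    exit 2
    ;;
esac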