LightProgrammer000

firewall [Linha de comando]

Mar 15th, 2019
#!/bin/bash
  2.  
  3. ###################
  4. ##### Funcoes #####
  5. ###################
  6.  
Configuracoes()
{
    # Print a dated banner and set the global network settings the other
    # functions read.
    # Globals (written): ip, ip_rede, interface, portas_altas, porta_redirecionada
    local hoje_num hoje_dia hoje_mes hoje_ano
    hoje_num=$(date +%d)
    hoje_dia=$(date +%a)
    hoje_mes=$(date +%b)
    hoje_ano=$(date +%Y)

    clear
    printf '\n'
    printf '%b\n' "\033[01;36m --------------- DATA --------------- \033[01;37m"
    printf '%b\n' "\033[01;31m * Num: ${hoje_num}           \033[01;37m"
    printf '%b\n' "\033[01;32m * Dia: ${hoje_dia}           \033[01;37m"
    printf '%b\n' "\033[01;33m * Mes: ${hoje_mes}           \033[01;37m"
    printf '%b\n' "\033[01;34m * Ano: ${hoje_ano}           \033[01;37m"
    printf '%b\n' "\033[01;36m ------------------------------------ \033[01;37m"
    printf '\n'

    # Host address and its LAN prefix (used by the NAT/DNAT and SSH rules).
    ip=172.16.1.150
    ip_rede=172.16.1.150/24

    # Outbound interface, unprivileged source-port range, and the external
    # port that is forwarded to sshd.
    interface=enp0s3
    portas_altas=1024:65535
    porta_redirecionada=2200
}
  29.  
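Ativar()
{
    # Bring the firewall up: DROP default policies, NAT for the LAN, a port
    # forward to the local sshd, and a small set of stateful allow rules.
    # Globals (read, set by Configuracoes): ip, ip_rede, interface,
    #   portas_altas, porta_redirecionada
    # Requires root (iptables and the /proc/sys write).

    # Banner
    clear
    echo ""
    echo -e "\033[01;37m ----------------------------- \033[01;37m"
    echo -e "\033[01;36m * Firewall Ativado            \033[01;37m"
    echo -e "\033[01;36m * Politicas padroes [DROP]    \033[01;37m"
    echo -e "\033[01;37m ----------------------------- \033[01;37m"
    echo ""

    # Fail closed: policies are set to DROP *before* the flush, so there is
    # never a window with empty chains and ACCEPT policies.
    echo -e "\n\033[01;35m - Apagando regras existentes \033[01;37m"
    iptables -t filter -P INPUT DROP
    iptables -t filter -P OUTPUT DROP
    iptables -t filter -P FORWARD DROP
    iptables -t filter -F
    iptables -t nat -F

    # Internet sharing: masquerade traffic leaving through $interface. The
    # message reports the configured interface rather than a hard-coded name.
    echo -e "\033[01;34m - Internet Compartilhada em interface ${interface}... \033[01;37m"
    echo 1 > /proc/sys/net/ipv4/ip_forward
    iptables -t nat -A POSTROUTING -o "$interface" -j MASQUERADE
    # NOTE(review): FORWARD only accepts ESTABLISHED,RELATED below, so NEW
    # connections from the LAN are not forwarded — confirm this is intended.

    # Port forward: TCP/$porta_redirecionada addressed to $ip lands on sshd (22).
    echo -e "\033[01;33m - Redirecionamento da porta 22 ativa... \033[01;37m"
    iptables -t nat -A PREROUTING -d "$ip" -p TCP --dport "$porta_redirecionada" -j DNAT --to "${ip}:22"

    # Loopback is always allowed.
    echo -e "\033[01;32m - Permitir LoopBack \033[01;37m"
    iptables -t filter -A INPUT  -i lo -j ACCEPT
    iptables -t filter -A OUTPUT -o lo -j ACCEPT

    # Generic stateful rules: replies to already-allowed connections pass.
    echo -e "\033[01;31m - Regras StateFull Genericas ativada \033[01;37m"
    iptables -t filter -A INPUT   -m state --state ESTABLISHED,RELATED -j ACCEPT
    iptables -t filter -A OUTPUT  -m state --state ESTABLISHED,RELATED -j ACCEPT
    iptables -t filter -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

    # Client side: NEW outbound connections this host may open.
    echo -e "\n\033[01;37m *** Cliente \033[01;37m"
    echo -e "\033[01;36m - Permitir DNS [cliente] \033[01;37m"
    iptables -t filter -A OUTPUT -p UDP --sport "$portas_altas" --dport 53 -m state --state NEW -j ACCEPT

    echo -e "\033[01;36m - Permitir HTTP [cliente] \033[01;37m"
    iptables -t filter -A OUTPUT -p TCP --sport "$portas_altas" --dport 80 -m state --state NEW -j ACCEPT

    echo -e "\033[01;36m - Permitir HTTPS [cliente] \033[01;37m"
    iptables -t filter -A OUTPUT -p TCP --sport "$portas_altas" --dport 443 -m state --state NEW -j ACCEPT

    echo -e "\033[01;36m - Permitir SSH [cliente] \033[01;37m"
    iptables -t filter -A OUTPUT -p TCP --sport "$portas_altas" --dport 22 -m state --state NEW -j ACCEPT

    # SSH is LAN-only: drop NEW SSH from any source outside $ip_rede. The
    # target must be DROP — with ACCEPT this rule would do the opposite of its
    # message and open SSH to every non-LAN address. It is appended before
    # the server-side ACCEPT below, so chain order enforces the restriction.
    echo -e "\033[01;36m - Bloquear SSH de redes diferentes da LAN \033[01;37m"
    iptables -t filter -A INPUT -p TCP ! -s "$ip_rede" --dport 22 -m state --state NEW -j DROP

    # Server side: NEW inbound connections accepted (SSH is already limited
    # to the LAN by the DROP rule above; FTP and MySQL are open to any source).
    echo -e "\n\033[01;37m *** Servidor \033[01;37m"
    echo -e "\033[01;36m - Permitir SSH [servidor] \033[01;37m"
    iptables -t filter -A INPUT -p TCP --sport "$portas_altas" --dport 22 -m state --state NEW -j ACCEPT

    echo -e "\033[01;36m - Permitir FTP [servidor] \033[01;37m"
    iptables -t filter -A INPUT -p TCP --sport "$portas_altas" --dport 21 -m state --state NEW -j ACCEPT

    echo -e "\033[01;36m - Permitir MYSQL [servidor] \033[01;37m"
    iptables -t filter -A INPUT -p TCP --sport "$portas_altas" --dport 3306 -m state --state NEW -j ACCEPT
}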
  96.  
Desativar()
{
    # Open the firewall: ACCEPT policies first, then flush and delete every
    # rule and user-defined chain in the filter and nat tables.
    local chain
    for chain in INPUT OUTPUT FORWARD; do
        iptables -t filter -P "$chain" ACCEPT
    done

    local table
    for table in filter nat; do
        iptables -t "$table" -F
        iptables -t "$table" -X
    done

    printf '%b\n' "\n\033[01;36m - Firewall desativado \033[01;37m"
    printf '\n'
}
  114.  
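Reiniciar()
{
    # Restart = stop then start, by re-invoking this script. $0 is quoted so a
    # script path containing spaces is not word-split.
    "$0" stop
    "$0" start
}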
  120.  
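Regras()
{
    # Show the filter, nat and mangle tables in a pager.
    # The listing is streamed straight into less: writing a predictable
    # table.txt into the current directory and rm -rf'ing it afterwards was
    # unnecessary and fragile (read-only cwd, pre-existing file of that name).
    # Requires root (iptables -nL).
    local linha
    linha="--------------------------------------------------------------------------------"
    {
        printf '\n    # Tabela Filter\n    %s\n' "$linha"
        iptables -t filter -nL
        printf '\n    # Tabela Nat\n    %s\n' "$linha"
        iptables -t nat -nL
        printf '\n    # Tabela Mangle\n    %s\n' "$linha"
        iptables -t mangle -nL
    } | less
}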
  139.  
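Aviso()
{
    # Usage error for an unknown sub-command. Written to stderr so it is not
    # mistaken for normal output when the script's stdout is captured.
    echo -e "\033[01;35m - Erro $0 (start | stop | restart | table) \033[01;37m" >&2
}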
  145.  
  146. ####################
  147. ##### PROGRAMA #####
  148. ####################
  149.  
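# Every action drives iptables (and start writes /proc/sys), so refuse early
# with one clear message instead of a cascade of permission errors.
if [ "$(id -u)" -ne 0 ]; then
    echo -e "\033[01;35m - Erro: execute este script como root \033[01;37m" >&2
    exit 1
fi

# Network settings (globals read by Ativar)
Configuracoes

# Dispatch on the sub-command; an unknown one prints usage and exits non-zero
# so callers (and the restart path) can tell failure from success.
case "$1" in
    start)
        Ativar;;
    stop)
        Desativar;;
    table)
        Regras;;
    restart)
        Reiniciar;;
    *)
        Aviso
        echo ""
        exit 1;;
esac
echo ""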