
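#!/bin/bash
#
# Script created by Igor Garcia
#
# Small iptables firewall for a two-interface gateway: the internal LAN is
# masqueraded behind the external interface, a handful of TCP services are
# exposed on the external side, and one external port is DNATed to the SSH
# port of a single internal host.
#
# Usage: $0 (start|stop|restart|clear)
#
# NOTE(review): the layout of this file was lost in extraction; the rule
# order inside each function follows the recovered text.

# Location of the iptables executable. `command -v` replaces the original
# backticked `which`; abort early rather than run every rule below with an
# empty program name if iptables is not installed.
IPT=$(command -v iptables) || { echo "iptables not found in PATH" >&2; exit 1; }
readonly IPT

# INTERNAL network interface
readonly IF_INTERNA="eth0"
# EXTERNAL network interface
readonly IF_EXTERNA="eth1"
# Internal network definition
readonly REDE_INTERNA="192.168.1.0/24"

# Internal host and port that receive inbound SSH, and the external port
# that is translated to it (values taken from the original DNAT rule).
readonly SSH_FWD_HOST="192.168.1.2"
readonly SSH_FWD_PORT="22"
readonly SSH_FWD_EXT_PORT="2222"

#######################################
# Load the complete rule set (policies, BLOCK chain, filter/nat/mangle rules).
# Globals:   IPT, IF_INTERNA, IF_EXTERNA, REDE_INTERNA, SSH_FWD_* (read)
# Arguments: none
# Outputs:   iptables diagnostics on stderr
# Returns:   status of the last iptables command
#######################################
fw_start() {
  # Enable IP forwarding (and dynamic-address handling for dial-up links)
  echo 1 > /proc/sys/net/ipv4/ip_forward
  echo 1 > /proc/sys/net/ipv4/ip_dynaddr

  # ================ DEFAULT POLICIES ===================
  # Anything arriving at or crossing this box is dropped unless a rule below
  # accepts it; locally generated traffic is allowed out.
  "$IPT" -t filter -P INPUT DROP
  "$IPT" -t filter -P FORWARD DROP
  "$IPT" -t filter -P OUTPUT ACCEPT
  "$IPT" -t nat -P PREROUTING ACCEPT
  "$IPT" -t nat -P POSTROUTING ACCEPT
  "$IPT" -t nat -P OUTPUT ACCEPT
  "$IPT" -t mangle -P PREROUTING ACCEPT
  "$IPT" -t mangle -P POSTROUTING ACCEPT
  "$IPT" -t mangle -P OUTPUT ACCEPT
  "$IPT" -t mangle -P INPUT ACCEPT
  "$IPT" -t mangle -P FORWARD ACCEPT

  # Chain with the security (anti-flood) rules; INPUT and FORWARD jump here
  # as their last rule.
  "$IPT" -N BLOCK
  # Rate-limited ping. The limited ACCEPT must come before the DROP: in the
  # original order the unconditional DROP matched every echo-request and the
  # limit rule was unreachable.
  "$IPT" -A BLOCK -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT
  "$IPT" -A BLOCK -p icmp --icmp-type echo-request -j DROP
  # NOTE(review): this accepts one TCP packet per second (plus the limit
  # module's default burst) to ANY port that reaches this chain, which
  # weakens the DROP policy for the external interface; consider restricting
  # it to --syn on the intended ports or removing it.
  "$IPT" -A BLOCK -p tcp -m limit --limit 1/s -j ACCEPT
  "$IPT" -A BLOCK -p tcp --tcp-flags SYN,ACK,FIN,RST SYN -m limit --limit 1/s -j ACCEPT
  # NOTE(review): the `unclean` match may not be available on current
  # kernels; without set -e a failing line is reported and skipped, so the
  # rest of the rule set still loads.
  "$IPT" -A BLOCK -m unclean -j DROP
  "$IPT" -A BLOCK -m state --state ESTABLISHED,RELATED -j ACCEPT
  "$IPT" -A BLOCK -j LOG --log-prefix "FW_ALERT: "
  "$IPT" -A BLOCK -j DROP

  # Change packet priority (Type Of Service) to speed things up
  "$IPT" -t mangle -A OUTPUT -o "$IF_EXTERNA" -p tcp -m multiport --dports 21,22,80,6667 -j TOS --set-tos 0x10

  # Allow all local traffic
  "$IPT" -t filter -A INPUT -i lo -j ACCEPT
  "$IPT" -t filter -A INPUT -i "$IF_INTERNA" -j ACCEPT
  "$IPT" -t filter -A FORWARD -i "$IF_INTERNA" -j ACCEPT

  # From the outside allow only FTP, SSH, WEB (and 6667)
  "$IPT" -t filter -A INPUT -i "$IF_EXTERNA" -p tcp -m multiport --dports 21,22,80,6667 -j ACCEPT

  # Masquerade the internal network behind the external address
  "$IPT" -t nat -A POSTROUTING -s "$REDE_INTERNA" -j MASQUERADE

  # NAT the external SSH port to one internal host. DNAT runs in PREROUTING,
  # so by the time the packet reaches FORWARD its destination is already
  # host:22; the FORWARD rule therefore matches the translated address and
  # port (the original matched --dport 2222 here, which never matches after
  # translation).
  "$IPT" -t nat -A PREROUTING -p tcp --dport "$SSH_FWD_EXT_PORT" -j DNAT --to "${SSH_FWD_HOST}:${SSH_FWD_PORT}"
  "$IPT" -t filter -A FORWARD -p tcp -d "$SSH_FWD_HOST" --dport "$SSH_FWD_PORT" -j ACCEPT

  # Rules to prevent packet floods: everything not accepted above is
  # rate-checked, logged and dropped in BLOCK.
  "$IPT" -A INPUT -j BLOCK
  "$IPT" -A FORWARD -j BLOCK
}

#######################################
# Open the firewall: ACCEPT policies everywhere, then flush rules, delete
# user chains and zero counters in the filter, nat and mangle tables.
# Globals:   IPT (read)
# Arguments: none
#######################################
fw_stop() {
  "$IPT" -t filter -P INPUT ACCEPT
  "$IPT" -t filter -P FORWARD ACCEPT
  "$IPT" -t filter -P OUTPUT ACCEPT
  "$IPT" -t nat -P PREROUTING ACCEPT
  "$IPT" -t nat -P POSTROUTING ACCEPT
  "$IPT" -t nat -P OUTPUT ACCEPT
  "$IPT" -t mangle -P PREROUTING ACCEPT
  "$IPT" -t mangle -P POSTROUTING ACCEPT
  "$IPT" -t mangle -P OUTPUT ACCEPT
  "$IPT" -t mangle -P INPUT ACCEPT
  "$IPT" -t mangle -P FORWARD ACCEPT
  # Flush rules, then delete user-defined chains (BLOCK), then zero counters
  "$IPT" -t filter -F
  "$IPT" -t nat -F
  "$IPT" -t mangle -F
  "$IPT" -t filter -X
  "$IPT" -t nat -X
  "$IPT" -t mangle -X
  "$IPT" -t filter -Z
  "$IPT" -t nat -Z
  "$IPT" -t mangle -Z
}

#######################################
# Print the command summary.
# Arguments: none
# Outputs:   usage text on stdout
#######################################
fw_usage() {
  echo
  echo "$0 (start stop restart clear)"
  echo
  echo "start   Ativa o firewall"
  echo "stop    Desativa o firewall"
  echo "restart Reativa o firewall"
  echo "clear   Limpa os contatores"
}

#######################################
# Zero the packet/byte counters of every table without touching the rules.
# Globals:   IPT (read)
# Arguments: none
#######################################
fw_clear() {
  "$IPT" -t filter -Z
  "$IPT" -t nat -Z
  "$IPT" -t mangle -Z
}

# Entry point. "${1:-}" keeps the dispatch safe when no argument is given.
case "${1:-}" in
  start)
    fw_start
    ;;
  stop)
    fw_stop
    ;;
  restart)
    fw_stop
    fw_start
    ;;
  clear)
    fw_clear
    ;;
  *)
    # The original's exit status for an unknown command is not recoverable
    # from the extraction; non-zero is the conventional choice.
    fw_usage
    exit 1
    ;;
esac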