
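#!/bin/bash
#
# Shell Script - Firewall
# =======================
# Author: CESAR AUGUSTUS SILVA
# Email:  cesaraugustussilva@linuxmail.org
#
# Usage: firewall {start|stop|restart|reload}
#
# Configures IPv4 packet filtering and NAT for a small LAN gateway:
# masquerades the LAN behind the external interface, hardens a few
# kernel network knobs, and opens the listed services. Only iptables and
# /proc/sys/net/ipv4 are touched, so IPv6 traffic (ip6tables) is not
# filtered by this script at all. Must run as root.

set -u

# Network interfaces
# Local network interface - LAN
#ILAN=eth0
ILAN=vboxnet1
# External network interface - Internet
#INET=ppp0
#INET=eth1
INET=wlan0

IPT=/sbin/iptables

# Print a message to stderr and exit with status 1.
die() {
  printf '%s\n' "$*" >&2
  exit 1
}

# Write a value to a /proc/sys knob: set_sysctl <path> <value>
set_sysctl() {
  printf '%s\n' "$2" > "$1"
}

# Without root every iptables/modprobe call below fails one by one and the
# script still exits 0; fail early and loudly instead.
[ "$(id -u)" -eq 0 ] || die " * Error: this script must be run as root"
[ -x "$IPT" ] || die " * Error: $IPT not found or not executable"

/sbin/modprobe iptable_filter
/sbin/modprobe iptable_nat
/sbin/modprobe iptable_mangle
/sbin/modprobe ipt_LOG
/sbin/modprobe ipt_REDIRECT
/sbin/modprobe ipt_MASQUERADE

# Share the Internet connection: masquerade the LAN behind $INET and turn
# on kernel packet forwarding.
INTERNET () {
  # Masquerading
  "$IPT" -t nat -A POSTROUTING -o "$INET" -j MASQUERADE
  # Enable packet forwarding
  set_sysctl /proc/sys/net/ipv4/ip_forward 1
}

# Flush all rules, delete user chains and zero counters in the filter,
# nat and mangle tables. Chain policies are left untouched.
LIMPAR () {
  local table
  # Flush rules
  for table in filter nat mangle; do
    "$IPT" -t "$table" -F
  done
  # Delete user-defined chains
  for table in filter nat mangle; do
    "$IPT" -t "$table" -X
  done
  # Zero counters
  for table in filter nat mangle; do
    "$IPT" -t "$table" -Z
  done
}

# "stop": clear all rules and set every policy to ACCEPT. Note that NAT
# and forwarding are re-enabled afterwards, so the gateway keeps routing
# the LAN with no filtering at all.
PARAR () {
  # Clear rules
  LIMPAR

  # Default policy
  "$IPT" -P INPUT ACCEPT
  "$IPT" -P OUTPUT ACCEPT
  "$IPT" -P FORWARD ACCEPT

  # Share the Internet connection
  INTERNET
}

# "start"/"restart": clear rules, set kernel hardening knobs and load the
# service rules.
INICIAR () {
  local conf

  # Clear rules
  LIMPAR

  # Default policy
  # NOTE(review): the DROP policies are commented out, as in the original.
  # While they stay off, INPUT is restricted only by the explicit DROP
  # rules at the end of this function and FORWARD accepts everything.
  #"$IPT" -P INPUT DROP
  "$IPT" -P OUTPUT ACCEPT
  #"$IPT" -P FORWARD DROP

  # Share the Internet connection
  INTERNET

  ########################## SECURITY SETTINGS ##########################
  # SYN flood protection
  set_sysctl /proc/sys/net/ipv4/tcp_syncookies 1
  # Ignore ICMP echo requests sent to broadcast/multicast addresses
  set_sysctl /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts 1
  # Ignore bogus ICMP error responses
  set_sysctl /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses 1

  for conf in /proc/sys/net/ipv4/conf/*; do
    # Do not accept ICMP redirects
    set_sysctl "$conf/accept_redirects" 0
    # Do not accept source-routed packets (IP spoofing protection)
    set_sysctl "$conf/accept_source_route" 0
    # Let the kernel log packets with impossible source addresses
    set_sysctl "$conf/log_martians" 1
    # Reverse-path filtering (IP spoofing protection)
    set_sysctl "$conf/rp_filter" 1
  done

  #################### RULES FOR SERVICES ON THIS HOST ####################
  # Rules without "-i $ILAN" have no interface restriction and are
  # reachable from the Internet side as well.

  # Apache - Web server
  "$IPT" -A INPUT -p tcp -m multiport --dports 80,443 -j ACCEPT
  # Apache Tomcat - Web server
  #"$IPT" -A INPUT -p tcp --dport 8080 -j ACCEPT

  # Bind9 - DNS server
  "$IPT" -A INPUT -p udp --dport 53 -j ACCEPT
  "$IPT" -A INPUT -p tcp --dport 53 -j ACCEPT
  # DansGuardian - Proxy server
  #"$IPT" -A INPUT -i "$ILAN" -p tcp --dport 8080 -j ACCEPT
  # DHCP - DHCP server
  #"$IPT" -A INPUT -i "$ILAN" -p udp --sport 68 --dport 67 -j ACCEPT
  # IPP - Internet Printing Protocol
  #"$IPT" -A INPUT -i "$ILAN" -p tcp --dport 631 -j ACCEPT
  #"$IPT" -A INPUT -i "$ILAN" -p udp -m multiport --dports 138,631 -j ACCEPT
  # NFS - NFS server
  #"$IPT" -A INPUT -p tcp -m multiport --dports 111,2049,51049 -j ACCEPT
  #"$IPT" -A INPUT -p udp -m multiport --dports 111,49176 -j ACCEPT
  # ProFTPD - FTP server
  #"$IPT" -A INPUT -i "$ILAN" -p tcp --dport 21 -j ACCEPT
  #"$IPT" -A INPUT -i "$ILAN" -p tcp -m multiport --dports 49152:49162 -j ACCEPT
  # Postfix - Mail server
  #"$IPT" -A INPUT -i "$ILAN" -p tcp -m multiport --dports 25,110 -j ACCEPT
  #"$IPT" -A INPUT -i "$ILAN" -p tcp -m multiport --dports 465,995 -j ACCEPT
  # PostgreSQL - Database server
  #"$IPT" -A INPUT -i "$ILAN" -p tcp --dport 5432 -j ACCEPT
  # Samba - Microsoft directory services
  #"$IPT" -A INPUT -i "$ILAN" -p tcp -m multiport --dports 445,139 -j ACCEPT
  #"$IPT" -A INPUT -i "$ILAN" -p udp -m multiport --dports 137,138 -j ACCEPT
  # Squid - Proxy server
  #"$IPT" -A INPUT -i "$ILAN" -p tcp --dport 3128 -j ACCEPT
  # Squid - Transparent proxy: LAN web traffic is redirected to port 3128
  "$IPT" -A INPUT -i "$ILAN" -p tcp --dport 3128 -j ACCEPT
  "$IPT" -t nat -A PREROUTING -i "$ILAN" -p tcp --dport 80 -j REDIRECT --to-port 3128
  # SSH - SSH server (LAN only; a source that opens more than 10 new
  # connections within 300 s is dropped until it slows down)
  "$IPT" -A INPUT -i "$ILAN" -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 300 --hitcount 10 -j DROP
  "$IPT" -A INPUT -i "$ILAN" -p tcp --dport 22 -m state --state NEW -m recent --set
  "$IPT" -A INPUT -i "$ILAN" -p tcp --dport 22 -j ACCEPT
  # VNC - Remote access server
  #"$IPT" -A INPUT -p tcp --dport 5900 -j ACCEPT
  # Webmin - Web-based server administration
  #"$IPT" -A INPUT -i "$ILAN" -p tcp --dport 10000 -j ACCEPT

  ##################### RULES FOR FORWARDED SERVICES #####################
  # These match only the outgoing interface (-o $INET), not where the
  # packet came from. They only take effect once the FORWARD DROP policy
  # above is enabled; with FORWARD ACCEPT everything is forwarded anyway.

  # DNS - Domain Name Service
  "$IPT" -A FORWARD -o "$INET" -p udp -m multiport --dports 53,5353 -j ACCEPT
  "$IPT" -A FORWARD -o "$INET" -p tcp -m multiport --dports 53,5353 -j ACCEPT
  # FTP - File Transfer Protocol
  "$IPT" -A FORWARD -o "$INET" -p tcp --dport 21 -j ACCEPT
  # HTTP - Hypertext Transfer Protocol
  "$IPT" -A FORWARD -o "$INET" -p tcp -m multiport --dports 80,8080 -j ACCEPT
  # HTTPS - Hypertext Transfer Protocol Secure
  "$IPT" -A FORWARD -o "$INET" -p tcp --dport 443 -j ACCEPT
  # MSNMS - Microsoft Notification Protocol (messenger)
  #"$IPT" -A FORWARD -o "$INET" -p tcp -m multiport --dports 1863,7001 -j ACCEPT
  #"$IPT" -A FORWARD -o "$INET" -p udp --dport 7001 -j ACCEPT
  # NTP - Network Time Protocol
  "$IPT" -A FORWARD -o "$INET" -p udp --dport 123 -j ACCEPT
  # Ping
  #"$IPT" -A INPUT -i "$ILAN" -p icmp --icmp-type 8 -j ACCEPT
  #"$IPT" -A FORWARD -o "$INET" -p icmp --icmp-type 8 -j ACCEPT
  # POP3 - Post Office Protocol
  "$IPT" -A FORWARD -o "$INET" -p tcp --dport 110 -j ACCEPT
  # POP3S - Post Office Protocol over TLS
  "$IPT" -A FORWARD -o "$INET" -p tcp --dport 995 -j ACCEPT
  # IMAP - Internet Message Access Protocol
  # (UDP entries kept as written; IMAP is TCP-only - TODO confirm they
  # are needed)
  "$IPT" -A INPUT -i "$ILAN" -p tcp --dport 143 -j ACCEPT
  "$IPT" -A INPUT -i "$ILAN" -p udp --dport 143 -j ACCEPT
  "$IPT" -A FORWARD -o "$INET" -p tcp --dport 143 -j ACCEPT
  "$IPT" -A FORWARD -o "$INET" -p udp --dport 143 -j ACCEPT
  # IMAP3
  "$IPT" -A FORWARD -o "$INET" -p tcp --dport 220 -j ACCEPT
  "$IPT" -A FORWARD -o "$INET" -p udp --dport 220 -j ACCEPT
  "$IPT" -A INPUT -i "$ILAN" -p tcp --dport 220 -j ACCEPT
  "$IPT" -A INPUT -i "$ILAN" -p udp --dport 220 -j ACCEPT
  # IMAP4 over SSL/TLS
  "$IPT" -A FORWARD -o "$INET" -p tcp -m multiport --dports 585,993 -j ACCEPT
  "$IPT" -A FORWARD -o "$INET" -p udp -m multiport --dports 585,993 -j ACCEPT
  "$IPT" -A INPUT -i "$ILAN" -p tcp -m multiport --dports 585,993 -j ACCEPT
  "$IPT" -A INPUT -i "$ILAN" -p udp -m multiport --dports 585,993 -j ACCEPT
  # PPTP - Point-to-Point Tunneling Protocol
  #"$IPT" -A FORWARD -o "$INET" -p tcp --dport 1723 -j ACCEPT
  # RDP - Remote Desktop Protocol
  #"$IPT" -A FORWARD -o "$INET" -p tcp --dport 3389 -j ACCEPT
  # SSDP - Simple Service Discovery Protocol
  #"$IPT" -A INPUT -i "$ILAN" -p udp --dport 1900 -j ACCEPT

  # SSH - Secure Shell
  "$IPT" -A FORWARD -o "$INET" -p tcp --dport 22 -j ACCEPT
  # SMTP - Simple Mail Transfer Protocol
  "$IPT" -A FORWARD -o "$INET" -p tcp --dport 25 -j ACCEPT
  # SMTPS - Simple Mail Transfer Protocol over TLS
  "$IPT" -A FORWARD -o "$INET" -p tcp --dport 465 -j ACCEPT
  # TELNET
  #"$IPT" -A FORWARD -o "$ILAN" -p tcp --dport 23 -j ACCEPT
  # VNC - Virtual Network Computing
  #"$IPT" -A FORWARD -o "$ILAN" -p tcp --dport 5900 -j ACCEPT
  # XMPP - Extensible Messaging and Presence Protocol
  #"$IPT" -A FORWARD -o "$INET" -p tcp --dport 5222 -j ACCEPT

  # Keep established connections
  "$IPT" -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
  "$IPT" -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

  # Allow traffic on the loopback interface
  "$IPT" -A INPUT -i lo -j ACCEPT

  ################################## LOG ###################################
  # (original note: "iptables duas redes" - two-network iptables setup)
  # Log what nothing above accepted, rate-limited, and only then drop it.
  # The LOG rule must come before the DROP rules: a rule after a DROP never
  # sees the dropped packets, so UDP/ICMP/high-port TCP drops would go
  # unlogged.
  "$IPT" -A INPUT -m limit --limit 3/m --limit-burst 3 -j LOG --log-prefix "LOG-FW: "
  "$IPT" -A INPUT -p tcp -m multiport ! --dports 0:1056 -j DROP
  "$IPT" -A INPUT -p udp -j DROP
  "$IPT" -A INPUT -p icmp -j DROP
  # Anything else (TCP to ports 0-1056 not listed above) falls through to
  # the INPUT chain policy.
}

case "${1:-}" in
  start)
    printf '%s\n' " * Starting Firewall iptables"
    INICIAR
    ;;
  stop)
    printf '%s\n' " * Stopping Firewall iptables"
    PARAR
    ;;
  restart|reload)
    printf '%s\n' " * Reloading Firewall iptables"
    INICIAR
    ;;
  *)
    printf '%s\n' " * Usage: $0 {start|stop|restart|reload}"
    exit 1
    ;;
esac
exit 0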
