Created
July 24, 2020 22:34
-
-
Save Esl1h/8f74f810f31676864d6c24754e9b4b08 to your computer and use it in GitHub Desktop.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/bin/bash | |
| # | |
| # ## BEGIN INIT INFO | |
| # Provides: Firewall | |
| # Required-Start: $all | |
| # Required-Stop: | |
| # Should-Start: S | |
| # Should-Stop: | |
| # Default-Start: 2 3 4 5 | |
| # Default-Stop: 0 1 6 | |
| # Short-Description: Firewall - Eslih | |
| # Description: Script para Firewall | |
| # | |
| # ## END INIT INFO | |
| ############################# | |
| # VARIAVEIS # | |
| ############################# | |
| # bond0 --> união da eth1 e eth2 | |
| placa_interna=bond0 | |
| placa_externa=ppp0 | |
| rede_interna=172.22.0.0/24 | |
| rede_externa=0.0.0.0/0.0.0.0 | |
| LOG_FLOOD="1/s" | |
| IPT=$(which iptables) | |
| ROUTE=$(which route) | |
| # A variável abaixo é para saber qual meu IP Externo, | |
| # pois o link ppp0 trata-se de adsl de ip dinâmico | |
| ip_externo=$(ifconfig ppp0 | grep -i "inet end.:" | cut -d : -f 2 | \ | |
| grep -i [^Bcast] > /tmp/ifconfig.txt && cat /tmp/ifconfig.txt | cut -d " " -f 2) | |
| OK="[ \E[01;32mOK\E[m ]" | |
| NO="[ \E[01;31mNO\E[m ]" | |
| start () | |
| { | |
| ######################### | |
| # MODULOS # | |
| ######################### | |
| modprobe ip_conntrack_ftp | |
| modprobe ip_nat_ftp | |
| modprobe ipt_state | |
| modprobe ipt_limit | |
| modprobe ipt_MASQUERADE | |
| modprobe ipt_LOG | |
| modprobe iptable_nat | |
| modprobe iptable_filter | |
| modprobe ip_gre | |
| echo -e "Carregando modulos do kernel \t\t\t\t $OK" | |
| #sleep 1 | |
| ######################### | |
| # NEGAR # | |
| ######################### | |
| $IPT -P INPUT DROP | |
| $IPT -P FORWARD DROP | |
| $IPT -P OUTPUT ACCEPT | |
| $IPT -A INPUT -i lo -j ACCEPT | |
| echo -e "Fechando o Firewall \t\t\t\t\t $OK" | |
| echo -e "DROP em INPUT e FORWARD \t\t\t\t $OK" | |
| #sleep 1 | |
| ######################### | |
| # LIMPAR # | |
| ######################### | |
| $IPT -F | |
| $IPT -X | |
| $IPT -F -t nat | |
| $IPT -X -t nat | |
| $IPT -F -t mangle | |
| $IPT -X -t mangle | |
| $IPT -A INPUT -i lo -j ACCEPT | |
| echo -e "Eliminado regras existentes \t\t\t\t $OK" | |
| echo -e "Limpando Firewall \t\t\t\t\t $OK" | |
| #sleep 1 | |
| ######################### | |
| # PROTEÇAO # | |
| ######################### | |
| #Barrando Time | |
| iptables -A INPUT -p TCP --dport 113 -j DROP | |
| #Barrando Auth | |
| iptables -A INPUT -p TCP --dport 37 -j DROP | |
| #Barrando VNC | |
| iptables -A INPUT -p TCP --dport 5901 -j DROP | |
| iptables -A INPUT -p TCP --dport 5900 -j DROP | |
| #Barrando X11 | |
| iptables -A INPUT -p TCP --dport 6000 -j DROP | |
| iptables -A INPUT -p TCP --dport 6001 -j DROP | |
| #Proteção contra ping da morte | |
| iptables -A FORWARD -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT | |
| #Proteções contra syn-floods | |
| iptables -A FORWARD -p tcp --syn -m limit --limit 1/s -j ACCEPT | |
| echo 1 > /proc/sys/net/ipv4/tcp_syncookies | |
| echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts | |
| echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses | |
| #Proteção contra port scanners ocultos | |
| iptables -A FORWARD -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit 1/s -j ACCEPT | |
| #Proteções contra spoofing | |
| echo "1" > /proc/sys/net/ipv4/conf/all/rp_filter | |
| echo 0 > /proc/sys/net/ipv4/conf/all/accept_source_route | |
| echo -e "Inserindo camadas de proteção \t\t\t\t $OK" | |
| #sleep 1 | |
| ######################### | |
| # LOGS # | |
| ######################### | |
| $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT | |
| $IPT -N log | |
| $IPT -A log -j LOG --log-prefix [firewall] | |
| $IPT -A INPUT -p tcp --dport 1753 -j LOG --log-prefix=" [ACESSO SSH] " | |
| $IPT -A INPUT -p tcp --dport 22 -j LOG --log-prefix=" [ACESSO SSH] " | |
| $IPT -A INPUT -p tcp --dport 80 -j LOG --log-prefix=" [TENTATIVA ACESSO APACHE] " | |
| $IPT -A INPUT -p tcp --dport 53 -j LOG --log-prefix=" [TENTATIVA ACESSO DNS] " | |
| $IPT -A INPUT -p tcp --dport 3306 -j LOG --log-prefix=" [TENTATIVA ACESSO MYSQL] " | |
| $IPT -A INPUT -p tcp --dport 21 -j LOG --log-prefix=" [TENTATIVA ACESSO FTP] " | |
| $IPT -A INPUT -p tcp --dport 3128 -j LOG --log-prefix=" [ACESSO AO SQUID] " | |
| $IPT -A INPUT -p tcp --dport 25 -j LOG --log-prefix " [ACESSO AO SMTP] " | |
| $IPT -A INPUT -p tcp --dport 143 -j LOG --log-prefix " [ACESSO AO IMAP] " | |
| $IPT -A INPUT -p tcp --dport 110 -j LOG --log-prefix " [ACESSO AO POP] " | |
| $IPT -A INPUT -p icmp -m limit --limit $LOG_FLOOD -j \ | |
| LOG --log-level info --log-prefix " [ICMP Dropped] " | |
| $IPT -A INPUT -p tcp -m limit --limit $LOG_FLOOD -j \ | |
| LOG --log-level info --log-prefix " [TCP Dropped] " | |
| $IPT -A INPUT -p udp -m limit --limit $LOG_FLOOD -j \ | |
| LOG --log-level info --log-prefix " [UDP Dropped] " | |
| $IPT -A INPUT -f -m limit --limit $LOG_FLOOD -j \ | |
| LOG --log-level warning --log-prefix " [FRAGMENT Dropped] " | |
| $IPT -A INPUT -m limit --limit 1/minute --limit-burst 3 \ | |
| -j LOG --log-level DEBUG --log-prefix " [IPT INPUT packet died:] " | |
| $IPT -A INPUT -m limit --limit 3/minute --limit-burst 3 \ | |
| -j LOG --log-level DEBUG --log-prefix " [IPT INPUT packet died:] " | |
| echo -e "Habilitando logs do firewall \t\t\t\t $OK" | |
| #sleep 1 | |
| ######################### | |
| # INPUT # | |
| ######################### | |
| $IPT -A INPUT -i lo -j ACCEPT | |
| $IPT -I INPUT -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT | |
| # SQUID: | |
| $IPT -A INPUT -i $placa_interna -p tcp --dport 3128 -j ACCEPT | |
| # MYSQL: | |
| $IPT -A INPUT -p tcp --dport 3306 -j ACCEPT | |
| # DNS: | |
| $IPT -A INPUT -i $placa_interna -p udp --dport 53 -j ACCEPT | |
| # SSH: | |
| $IPT -A INPUT -p tcp --dport 1753 -j ACCEPT | |
| #Openfire - Servidor Jabber XMPP | |
| $IPT -A INPUT -p tcp --dport 8080 -j ACCEPT | |
| $IPT -A INPUT -p tcp --dport 5222 -j ACCEPT | |
| $IPT -A INPUT -i $placa_interna -p tcp --dport 5222 -j ACCEPT | |
| #Acessos web - para redirecionamentos a webservers internos da rede | |
| $IPT -A INPUT -p tcp --dport 8988 -j ACCEPT | |
| $IPT -A INPUT -p tcp --dport 8987 -j ACCEPT | |
| $IPT -A INPUT -p tcp --dport 8986 -j ACCEPT | |
| # VPN | |
| $IPT -A INPUT -p tcp --dport 1723 -j ACCEPT | |
| $IPT -A INPUT -i ppp0 -p tcp --dport 1723 -j ACCEPT | |
| # Webmin | |
| $IPT -A INPUT -s $rede_interna -p tcp --dport 12121 -j ACCEPT | |
| #Acesso externo ao webmin | |
| $IPT -A INPUT -i $placa_externa -p tcp --dport 12121 -j ACCEPT | |
| echo -e "Configurando as opções e conexões de INPUT \t\t $OK" | |
| #sleep 1 | |
| ######################### | |
| # FORWARD # | |
| ######################### | |
| $IPT -I FORWARD -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT | |
| ### Gerencia - IPs fixados no dhcp server ### | |
| $IPT -A FORWARD -m iprange --src-range 172.22.0.95-172.22.0.99 -j ACCEPT | |
| ### Liberacao de Portas ### | |
| # MYSQL: | |
| $IPT -A FORWARD -p tcp --dport 3306 -j ACCEPT | |
| # ASTERISK - SIP | |
| $IPT -A FORWARD -p udp --dport 5060 -j ACCEPT | |
| # ASTERISK - SIP | |
| $IPT -A FORWARD -p udp --dport 3478 -j ACCEPT | |
| # ASTERISK - SIP | |
| $IPT -A FORWARD -p udp --dport 3479 -j ACCEPT | |
| # ASTERISK - AIX2/IAX | |
| $IPT -A FORWARD -p udp --dport 4569 -j ACCEPT | |
| $IPT -A FORWARD -p udp --dport 5036 -j ACCEPT | |
| # MGCP | |
| $IPT -A FORWARD -p udp --dport 2727 -j ACCEPT | |
| # DNS | |
| $IPT -A FORWARD -p udp --dport 53 -j ACCEPT | |
| # HTTP,HTTPS | |
| $IPT -A FORWARD -p tcp -m multiport --dport 80,443 -j ACCEPT | |
| # e-mail: | |
| $IPT -A FORWARD -p tcp -m multiport --dport 25,110,110,995,587 -j ACCEPT | |
| # SSH: | |
| $IPT -A FORWARD -p tcp -m multiport --dport 1753 -j ACCEPT | |
| # Audio VOIP: | |
| $IPT -A FORWARD -p udp --dport 10001:20000 -j ACCEPT | |
| # FTP: | |
| $IPT -A FORWARD -p tcp -m multiport --dport 20,21 -j ACCEPT | |
| # Paginas webservers | |
| $IPT -A FORWARD -p tcp -m multiport --dport 8989,8988,8987,8986 -j ACCEPT | |
| # ACBr | |
| $IPT -A FORWARD -p tcp -m multiport --dport 3436 -j ACCEPT | |
| # Bradesco obbplus - tcp | |
| $IPT -A FORWARD -p tcp --dport 3000 -j ACCEPT | |
| # Bradesco obbplus - udp | |
| $IPT -A FORWARD -p udp --dport 3000 -j ACCEPT | |
| # Terminal Service | |
| $IPT -A FORWARD -p tcp --dport 3389 -j ACCEPT | |
| # TS - RDP p/ Windows | |
| $IPT -t nat -A PREROUTING -p tcp --dport 3389 -j DNAT --to 172.22.0.207 | |
| $IPT -A FORWARD -p tcp --dport 3389 -j ACCEPT | |
| #Servidor OpenVZ | |
| $IPT -t nat -A PREROUTING -p tcp --dport 8006 -j DNAT --to 172.22.0.250 | |
| $IPT -A FORWARD -p tcp --dport 8006 -j ACCEPT | |
| #Servidor SVN - OpenVZ VM | |
| $IPT -t nat -A PREROUTING -p tcp --dport 3690 -j DNAT --to 172.22.0.244 | |
| $IPT -A FORWARD -p tcp --dport 3690 -j ACCEPT | |
| #Servidor SVN - OpenVZ VM | |
| $IPT -t nat -A PREROUTING -p tcp --dport 8989 -j DNAT --to 172.22.0.244:80 | |
| $IPT -A FORWARD -p tcp --dport 8989 -j ACCEPT | |
| #Servidor web243 - OpenVZ VM | |
| #$IPT -t nat -A PREROUTING -p tcp --dport 8988 -j DNAT --to 172.22.0.243:80 | |
| #$IPT -A FORWARD -p tcp --dport 8988 -j ACCEPT | |
| #Servidor LAMP - Eslih | |
| $IPT -t nat -A PREROUTING -p tcp --dport 8986 -j DNAT --to 172.22.0.247:80 | |
| $IPT -A FORWARD -p tcp --dport 8986 -j ACCEPT | |
| #Servidor VOIP - SSH | |
| $IPT -t nat -A PREROUTING -p tcp --dport 22100 -j DNAT --to 172.22.0.241:22 | |
| $IPT -A FORWARD -p tcp --dport 22100 -j ACCEPT | |
| #Webchat - Cliente Jabber XMPP | |
| $IPT -A FORWARD -p tcp --dport 8080 -j ACCEPT | |
| $IPT -A FORWARD -p tcp -i ppp0 -s 172.22.0.0/24 --dport 21 -j ACCEPT | |
| $IPT -I FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT | |
| #MySQL | |
| $IPT -A INPUT -p tcp --dport 3306 -j ACCEPT | |
| $IPT -t nat -A POSTROUTING -p tcp --dport 3306 -j MASQUERADE | |
| $IPT -A INPUT -m multiport -p tcp --dport 20,21 -j ACCEPT | |
| $IPT -t nat -A POSTROUTING -m multiport -p tcp --dport 20,21 -j MASQUERADE | |
| $IPT -t nat -A POSTROUTING -o ppp0 -j MASQUERADE | |
| $IPT -A INPUT -p tcp --sport 21 -m state --state ESTABLISHED -j ACCEPT | |
| $IPT -A OUTPUT -p tcp --dport 21 -m state --state NEW,ESTABLISHED -j ACCEPT | |
| $IPT -A INPUT -p tcp --sport 20 -m state --state ESTABLISHED,RELATED -j ACCEPT | |
| $IPT -A OUTPUT -p tcp --dport 20 -m state --state ESTABLISHED -j ACCEPT | |
| $IPT -A INPUT -p tcp --sport 1024: --dport 1024: -m state --state ESTABLISHED -j ACCEPT | |
| $IPT -A OUTPUT -p tcp --sport 1024: --dport 1024: -m state --state ESTABLISHED,RELATED -j ACCEPT | |
| echo -e "Configurando regras de FORWARD \t\t\t\t $OK" | |
| echo -e "Habilitando portas do firewall \t\t\t\t $OK" | |
| #sleep 2 | |
| ######################### | |
| # NAT # | |
| ######################### | |
| # Masquerade da conexao de internet | |
| echo 1 > /proc/sys/net/ipv4/ip_forward | |
| #$IPT -t nat -A POSTROUTING -o $placa_externa -j MASQUERADE | |
| $IPT -t nat -A POSTROUTING -o $placa_interna -j MASQUERADE | |
| # ACESSO Externo das maquinas em VPN | |
| $IPT -A POSTROUTING -s 172.22.0.0/24 -j MASQUERADE | |
| # Redirecionamento de requisicoes WWW p/ SQUID | |
| $IPT -t nat -A PREROUTING -s $rede_interna -p tcp --dport 80 -j REDIRECT --to-port 3128 | |
| echo -e "Acionando NAT e redirecionamento \t\t\t $OK" | |
| echo -e "Habilitando Internet \t\t\t\t\t $OK" | |
| #sleep 1 | |
| } | |
| case "$1" in | |
| 'start') | |
| start | |
| echo -e "FIREWALL EXECUTADO \t\t\t\t\t $OK" | |
| #sleep 1 | |
| ;; | |
| 'filter') $IPT -nL | more | |
| ;; | |
| 'status') $IPT -L -vn | more | |
| ;; | |
| 'nat') $IPT -t nat -L -nv | more | |
| ;; | |
| 'mangle') $IPT -t mangle -nL | more | |
| ;; | |
| *) echo "erro use "$0" {start|filter|nat|mangle}" | |
| exit 1 | |
| ;; | |
| esac | |
| exit 0 |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment