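#!/bin/bash
# Host firewall: "start" installs a default-deny IPv4 ruleset on eth0,
# "stop" flushes every rule and leaves the host with no packet filtering.
# Usage: firewall.sh {start|stop|restart|status|status-no-name}
# Needs root (iptables/modprobe).
#
# Absolute paths so the script does not depend on PATH (cron/init usage).
readonly MOD="/sbin/modprobe"
readonly IPT6="/sbin/ip6tables"
readonly IPT="/sbin/iptables"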
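stop(){
  # Remove every rule and user-defined chain and reset all chain policies
  # to ACCEPT. After this returns the host has NO packet filtering, for
  # IPv4 or IPv6 -- that is the intended "firewall off" state.
  local table chain

  # Open the policies first: the original flushed the rules before
  # changing the policy, which briefly dropped everything under the old
  # INPUT/FORWARD DROP policy. End state is identical.
  for chain in INPUT OUTPUT FORWARD; do
    "$IPT" -P "$chain" ACCEPT
    "$IPT6" -P "$chain" ACCEPT
  done
  for chain in PREROUTING POSTROUTING OUTPUT; do
    "$IPT" -t nat -P "$chain" ACCEPT
  done
  for chain in PREROUTING POSTROUTING INPUT FORWARD OUTPUT; do
    "$IPT" -t mangle -P "$chain" ACCEPT
  done

  # Flush the rules, then delete user chains (-X only succeeds once the
  # chains are empty and unreferenced, hence the order).
  for table in filter nat mangle; do
    "$IPT" -t "$table" -F
    "$IPT" -t "$table" -X
  done
  # The original only reset the IPv6 policies; also flush the IPv6 filter
  # table so "stop" really leaves no rules behind.
  "$IPT6" -F
  "$IPT6" -X
}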
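start(){
  # Install the default-deny IPv4 ruleset. The host stays closed while the
  # rules are being added: a DROP rule is appended as rule 1 of each chain
  # first and deleted again (by position) at the very end.
  #
  # NOTE(review): nothing here touches ip6tables, and stop() resets the
  # IPv6 policies to ACCEPT, so after start() IPv6 traffic is completely
  # unfiltered. TODO decide whether IPv6 should be denied by default too.
  local lan_if=eth0 wifi_if=wlan0
  local chain src

  stop
  # FTP conntrack/NAT helper (its dependency nf_conntrack_ftp is what
  # makes FTP data connections show up as RELATED below).
  "$MOD" nf_nat_ftp
  "$MOD" ip6_tables
  # (the original ran "iptables -F" here; stop() has already flushed the
  # filter table, so it was a no-op and is dropped)

  # Fail closed while the rules below are being installed.
  for chain in INPUT OUTPUT FORWARD; do
    "$IPT" -A "$chain" -j DROP
  done
  # Default policies: deny inbound and forwarded traffic; outbound is
  # allowed except for what is explicitly dropped below.
  "$IPT" -P INPUT DROP
  "$IPT" -P OUTPUT ACCEPT
  "$IPT" -P FORWARD DROP

  # Loopback is unrestricted.
  "$IPT" -A INPUT -i lo -j ACCEPT
  "$IPT" -A OUTPUT -o lo -j ACCEPT

  # The wireless interface is not used: drop everything on it.
  "$IPT" -A INPUT -i "$wifi_if" -j DROP
  "$IPT" -A OUTPUT -o "$wifi_if" -j DROP

  # ICMP on the LAN interface: only 10.0.1.81 may send ICMP to this host.
  # NOTE(review): this DROP sits before the ESTABLISHED,RELATED accept at
  # the end, so ICMP error messages tied to this host's own connections
  # (which conntrack classifies as RELATED) are dropped as well; that can
  # break path-MTU discovery. TODO confirm this is intended.
  "$IPT" -A INPUT -p icmp -s 10.0.1.81/32 -i "$lan_if" -j ACCEPT
  "$IPT" -A INPUT -p icmp -i "$lan_if" -j DROP

  # Outbound FTP: control channel on 21, data on 20 / high ports.
  "$IPT" -A OUTPUT -p tcp --dport 21 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
  "$IPT" -A INPUT -p tcp --sport 21 -m state --state ESTABLISHED,RELATED -j ACCEPT
  "$IPT" -A INPUT -p tcp --sport 20 -m state --state ESTABLISHED,RELATED -j ACCEPT
  "$IPT" -A OUTPUT -p tcp --dport 20 -m state --state ESTABLISHED -j ACCEPT
  "$IPT" -A INPUT -p tcp --sport 1024: --dport 1024: -m state --state ESTABLISHED -j ACCEPT
  "$IPT" -A OUTPUT -p tcp --sport 1024: --dport 1024: -m state --state ESTABLISHED,RELATED -j ACCEPT

  # Anti-spoofing on the LAN interface: packets claiming a loopback,
  # broadcast or multicast source address are dropped.
  "$IPT" -A INPUT -s 127.0.0.0/8 -i "$lan_if" -j DROP
  "$IPT" -A INPUT -s 255.0.0.0/8 -i "$lan_if" -j DROP
  "$IPT" -A INPUT -s 224.0.0.0/3 -i "$lan_if" -j DROP

  # SSH (22) only from the listed management hosts (order preserved).
  for src in 200.195.168.2 10.0.1.81 10.0.1.95 10.0.1.133; do
    "$IPT" -A INPUT -p tcp --dport 22 -s "$src/32" -i "$lan_if" -j ACCEPT
  done

  # Outbound rsync (873) to the rsync hosts (*.megamidia.com.br).
  "$IPT" -A OUTPUT -p tcp --dport 873 -d 10.0.1.226/32 -o "$lan_if" -j ACCEPT
  "$IPT" -A OUTPUT -p tcp --dport 873 -d 200.195.168.2/32 -o "$lan_if" -j ACCEPT

  # Outbound HTTP/HTTPS: only to the listed hosts; every other
  # destination on 80/443 is dropped. (The original comment described
  # only the two DROP rules.)
  "$IPT" -A OUTPUT -p tcp --dport 80 -d 64.251.30.49 -o "$lan_if" -j ACCEPT
  "$IPT" -A OUTPUT -p tcp --dport 80 -d 10.0.1.133 -o "$lan_if" -j ACCEPT
  "$IPT" -A OUTPUT -p tcp --dport 443 -d 64.251.30.49 -o "$lan_if" -j ACCEPT
  "$IPT" -A OUTPUT -p tcp --dport 80 -o "$lan_if" -j DROP
  "$IPT" -A OUTPUT -p tcp --dport 443 -o "$lan_if" -j DROP

  # Replies to connections this host opened, plus anything conntrack
  # marks as RELATED.
  "$IPT" -A INPUT -m state --state ESTABLISHED,RELATED -i "$lan_if" -j ACCEPT

  # Configuration done: remove the temporary DROP rules. They were the
  # first rule appended to each freshly flushed chain, so they are still
  # at position 1.
  for chain in INPUT OUTPUT FORWARD; do
    "$IPT" -D "$chain" 1
  done
}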
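# Print the kernel networking settings relevant to this firewall.
# Shared by "status" and "status-no-name", which previously duplicated it.
show_kernel_confs(){
  echo "*************** KERNEL CONFS ***************"
  echo -n "IP FORWARD = "
  cat /proc/sys/net/ipv4/ip_forward
  echo -n "IP DYNADDR = "
  cat /proc/sys/net/ipv4/ip_dynaddr
  echo "ACCEPT REDIRECTS = "
  cat /proc/sys/net/ipv4/conf/*/accept_redirects
  echo "SEND REDIRECTS = "
  # Bug fix: the original read accept_redirects here a second time, so
  # the "SEND REDIRECTS" line never showed the send_redirects setting.
  cat /proc/sys/net/ipv4/conf/*/send_redirects
}

# List the filter, nat and mangle tables. Any arguments (e.g. -n to skip
# host/service name resolution) are passed through to every listing.
show_tables(){
  echo "*************** TABELA FILTER ***************"
  "$IPT" -L "$@"
  echo "*************** TABELA NAT ***************"
  "$IPT" -t nat -L "$@"
  echo "*************** TABELA MANGLE ***************"
  "$IPT" -t mangle -L "$@"
}

# Entry point: dispatch on the single action argument.
case "${1:-}" in
  start)
    echo -n "INICIANDO FIREWALL... "
    start
    echo "ok"
    ;;
  stop)
    echo -n "PARANDO FIREWALL... "
    stop
    echo "ok"
    ;;
  status)
    show_kernel_confs
    show_tables
    ;;
  status-no-name)
    show_kernel_confs
    show_tables -n
    ;;
  restart)
    echo -n "REINICIALIZANDO FIREWALL... "
    stop
    start
    echo "OK"
    ;;
  *)
    # Usage goes to stderr so it is not mistaken for status output.
    echo $"USE: $0 {start|stop|restart|status|status-no-name}" >&2
    exit 1
    ;;
esac
exit 0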