#!/bin/bash

iniciar(){

#carregando modulo no kernel
modprobe iptable_nat

#compartilhando a conexao
echo 1 > /proc/sys/net/ipv4/ip_forward
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
#echo "compartilhamento de rede ativo"

#proxy transparente
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 3128
#echo "proxy transparente ativo"

#permitindo as conexoes na interfce de rede local e na porta 22, 21 e 80 deste computador
iptables -A INPUT -i eth0 -j ACCEPT
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -p tcp --dport 21 -j ACCEPT

# Protege contra synflood
echo "1" > /proc/sys/net/ipv4/tcp_syncookies
# Protecao contra ICMP Broadcasting 
echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts

# Protecao diversas contra portscanners, ping of death, ataques DoS, pacotes danificados e etc.
iptables -A FORWARD -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT
iptables -A FORWARD -p tcp -m limit --limit 1/s -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit 1/s -j ACCEPT
iptables -A FORWARD --protocol tcp --tcp-flags ALL SYN,ACK -j DROP
iptables -A FORWARD -m unclean -j DROP
iptables -A INPUT -m state --state INVALID -j DROP
iptables -N VALID_CHECK
iptables -A VALID_CHECK -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP
iptables -A VALID_CHECK -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP
iptables -A VALID_CHECK -p tcp --tcp-flags ALL ALL -j DROP
iptables -A VALID_CHECK -p tcp --tcp-flags ALL FIN -j DROP
iptables -A VALID_CHECK -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
iptables -A VALID_CHECK -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
iptables -A VALID_CHECK -p tcp --tcp-flags ALL NONE -j DROP

#Esta regra e a + importante deste firewall,
#bloqueia tudo que nao tenha sido liberado acima
iptables -A INPUT -p tcp --syn -j DROP

echo "####################################"
echo "#Compartilhamento de Internet e Firewall Carregados#"
echo "#                Firewall Ativo e Verificando !                  #"
echo "#------------------------------------------------------------#"
echo "#                 Tássio Ferenzini M. Sirqueira                #"
echo "#                        tassio@tassio.eti.br                      #"
echo "###################################"

}

parar(){
iptables -F
iptables -t nat -F
iptables -P INPUT ACCEPT
iptables -P OUTPUT ACCEPT
echo 0 > /proc/sys/net/ipv4/ip_forward
echo " "
echo "#################################"
echo "#Compartilhamento de Internet e Firewall Parados#"
echo "#                     Firewall Desativado                      #"
echo "#--------------------------------------------------------#"
echo "#               Tássio Ferenzini M. Sirqueira              #"
echo "#                      tassio@tassio.eti.br                    #"
echo "#################################"
}
case "$1" in
"start") iniciar ;;
"stop") parar ;;
"restart") parar; iniciar ;;
*) echo "Use os parametros start, stop ou restart"
esac