Firewall com proxy transparente completo

Publicado por Leonardo Berbert Gomes 21/11/2006


Homepage: https://www.linkedin.com/in/leoberbert





Bem pessoal, este foi o script de firewall mais eficaz que já fiz até hoje. Basta adaptá-lo com as suas placas de rede e ser feliz. Recomendo a todos.

  




#!/bin/bash
#
#########################################################################
#                                                                       #
# Função do Script: FIREWALL                                            #
# Versão: 1.0                                                           #
#                                                                       #
# By Leonardo B.G. - 2006 - leoberbert@gmail.com.br                     #
# Copyright (C) 2006 G.B., Leonardo                                     #
#                                                                       #
#########################################################################
#
# Interface facing the Internet and the one facing the LAN.
EXTERNAL="eth0"
INTERNAL="eth1"
# LAN subnet whose traffic the masquerade rules apply to (-s in nat/POSTROUTING).
IP="10.11.110.0/24"
# LAN host that receives the inbound VNC / PcAnywhere DNAT.
WIN="10.11.110.18"
# Uncomment and fill in to enable the Terminal Server DNAT further down.
#TS=IP_DO_SERVIDOR_TS

#--- Ports whose outbound traffic is marked TOS 16 (space-separated list).
TOS_SERV="80 443"

#######################################
# Remove everything this script installs: flush the filter, nat and mangle
# tables, delete user-defined chains and zero the counters.
# Globals:   none
# Returns:   status of the last iptables call
# Chain policies are not touched here (nor anywhere else in this script), so
# after a flush the built-in chains simply keep whatever policy they have.
#######################################
flush_rules() {
  local table
  # -F without -t acts on the filter table.
  iptables -F
  for table in nat mangle; do
    iptables -t "$table" -F
  done
  iptables -X   # delete user-defined chains (filter table)
  iptables -Z   # reset packet/byte counters (filter table)
}

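#######################################
# Write a value into a /proc/sys entry.
# Arguments: $1 - /proc/sys path
#            $2 - value to write
# Outputs:   a warning on stderr when the entry is missing or not writable
# Returns:   0 when written, 1 otherwise
#######################################
set_sysctl() {
  local path=$1 value=$2
  if [[ ! -w "$path" ]]; then
    printf 'warn: cannot write %s\n' "$path" >&2
    return 1
  fi
  printf '%s\n' "$value" > "$path"
}

#######################################
# Load one netfilter module, reporting instead of silently ignoring failure.
# Arguments: $1 - module name
# Outputs:   a warning on stderr when modprobe fails
# Returns:   always 0; a failed load is reported, not fatal (the module may
#            already be built into the kernel or be known under another name)
#######################################
load_module() {
  local module=$1
  if ! /sbin/modprobe "$module"; then
    printf 'warn: modprobe %s failed\n' "$module" >&2
  fi
  return 0
}

#######################################
# Masquerade LAN traffic leaving on $EXTERNAL for one destination port.
# Globals:   IP (LAN subnet), EXTERNAL -- both read
# Arguments: $1 - protocol (tcp/udp)
#            $2 - destination port
#            $@ - any further iptables match options (e.g. -d host)
# Returns:   iptables' status
#######################################
masq_out() {
  local proto=$1 port=$2
  shift 2
  iptables -t nat -I POSTROUTING -s "$IP" -o "$EXTERNAL" -p "$proto" --dport "$port" "$@" -j MASQUERADE
}

#######################################
# Log inbound packets to a port worth watching. Only logs -- nothing here
# drops the packet.
# Globals:   none
# Arguments: $1 - protocol
#            $2 - destination port
#            $3 - log prefix
# Returns:   iptables' status
#######################################
log_probe() {
  local proto=$1 port=$2 prefix=$3
  # Rate-limited so a scan of these ports cannot flood syslog (ipt_limit is
  # loaded by add_rules).
  iptables -A INPUT -p "$proto" --dport "$port" -m limit --limit 5/minute --limit-burst 10 \
    -j LOG --log-prefix "$prefix"
}

#######################################
# Install the complete rule set: kernel knobs, modules, then the mangle, nat
# and filter rules, in the same order as before.
# Globals:   EXTERNAL, INTERNAL, IP, WIN, TOS_SERV (all read; see the top of
#            the file)
# Outputs:   warnings on stderr for sysctl/modprobe failures
# Returns:   status of the last iptables call; earlier failures are only
#            visible on stderr (there is no set -e)
#
# Rules are added on top of whatever is already in the tables -- run
# flush_rules first (the restart branch does) or they accumulate.
# NOTE(review): no chain policy (-P) is set anywhere in this script, so the
# built-in chains keep their current policy (ACCEPT unless changed elsewhere).
# Inbound traffic on $EXTERNAL is therefore only restricted by the explicit
# DROPs below (squid port, traceroute range), and "only related ones IN" on
# FORWARD holds only if that chain's policy is DROP.
#######################################
add_rules() {
  local module port

  ###################### Routing on; ignore broadcast and unicast echo requests
  # icmp_echo_ignore_all=1 makes the kernel drop every echo request aimed at
  # this host, whatever the ICMP rules further down say.
  set_sysctl /proc/sys/net/ipv4/ip_forward 1
  set_sysctl /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts 1
  set_sysctl /proc/sys/net/ipv4/icmp_echo_ignore_all 1

  ###################### Kernel modules (2.4/2.6-era names; on newer kernels
  # modprobe may resolve some of them to xt_* equivalents)
  for module in iptable_nat ip_tables ipt_state ip_conntrack ip_conntrack_ftp \
      ipt_multiport ip_nat_ftp iptable_mangle ipt_tos ipt_limit; do
    load_module "$module"
  done

  ###################### Loopback
  iptables -A INPUT -i lo -j ACCEPT

  ###################### Prioritise outbound http/https (TOS 16 = minimise delay)
  # TOS_SERV is a space-separated list, hence deliberately unquoted.
  for port in $TOS_SERV; do
    iptables -t mangle -A OUTPUT -o "$EXTERNAL" -p tcp --dport "$port" -j TOS --set-tos 16
  done

  ###################### Transparent proxy: LAN port-80 traffic goes to squid
  # 200.201.174.0/24 is left out of the redirect on purpose; the masquerade
  # rule for 200.201.174.207:80 below is the only way port 80 reaches that
  # network directly. `-d ! net` is the old negation syntax -- recent
  # iptables expect `! -d net` and may reject this form.
  iptables -t nat -I PREROUTING -i "$INTERNAL" -p tcp -d ! 200.201.174.0/24 \
    --dport 80 -j REDIRECT --to-port 3128

  ###################### Masquerade
  # General NAT is deliberately left off: only the ports listed below are
  # masqueraded, so this doubles as an outbound port allowlist for the LAN.
  #iptables -t nat -A POSTROUTING -s $IP -d 0/0 -j MASQUERADE
  #iptables -t nat -A POSTROUTING -s $IP -o $EXTERNAL -j MASQUERADE

  ###################### SSH (disabled)
  #iptables -A INPUT -s 10.11.110.18 -p tcp --dport 22 -j ACCEPT
  #iptables -A INPUT -s 200.195.1.114 -p tcp --dport 22 -j ACCEPT
  #iptables -A INPUT -p tcp --dport 22 -j DROP

  ###################### Outlook
  masq_out tcp 25
  masq_out tcp 110
  masq_out udp 53

  ###################### Squid must not be reachable from the outside
  iptables -A INPUT -i "$EXTERNAL" -p tcp --dport 3128 -j DROP

  ###################### Allowed outbound ports
  # Every rule is inserted (-I) at the head of nat/POSTROUTING, so the live
  # order is the reverse of this listing; harmless, all targets are MASQUERADE.
  masq_out tcp 21                         # FTP
  masq_out tcp 443                        # HTTPS
  masq_out tcp 6969                       # SIG/PROAF
  masq_out tcp 8017                       # DCTF CMPF
  masq_out tcp 3456
  masq_out tcp 22                         # SSH
  masq_out tcp 5024                       # Banco Central
  masq_out tcp 1024
  masq_out tcp 5900                       # VNC
  masq_out tcp 5631                       # PcAnywhere
  masq_out udp 5632
  masq_out tcp 8080                       # intranets on 8080
  masq_out tcp 8527                       # direct download / support
  masq_out tcp 19638                      # IDMG panel
  masq_out tcp 3389                       # Terminal Server
  masq_out tcp 80 -d 200.201.174.207      # Caixa Economica connectivity
  masq_out tcp 2082                       # cPanel

  ###################### Inbound redirects to the Windows box
  iptables -t nat -A PREROUTING -i "$EXTERNAL" -p tcp --dport 5900 -j DNAT --to "$WIN"   # VNC
  iptables -t nat -A PREROUTING -i "$EXTERNAL" -p tcp --dport 5631 -j DNAT --to "$WIN"   # PcAnywhere
  iptables -t nat -A PREROUTING -i "$EXTERNAL" -p udp --dport 5632 -j DNAT --to "$WIN"
  #iptables -t nat -A PREROUTING -i $EXTERNAL -p tcp --dport 3389 -j DNAT --to $TS       # Terminal Server

  ###################### Log probes on forbidden ports / known backdoors
  log_probe tcp 21    "Servico: FTP"
  log_probe tcp 5042  "Servico: Wincrash"
  log_probe tcp 31337 "Servico: BackOrifice"
  log_probe tcp 31338 "Servico: BackOrifice"

  # Block traceroute probes from outside
  iptables -A INPUT -p udp -s 0/0 -i "$EXTERNAL" --dport 33435:33525 -j DROP

  # Guard against NAT bugs: do not emit ICMP that conntrack cannot place
  iptables -A OUTPUT -m state -p icmp --state INVALID -j DROP

  # NOTE(review): the original comment claimed this blocks pings from outside,
  # but the rule ACCEPTs new ICMP on $EXTERNAL; kept as written so behaviour
  # does not change. Pings to this host are silenced by icmp_echo_ignore_all
  # above, not by this rule.
  iptables -A INPUT -i "$EXTERNAL" -m state --state NEW -p icmp -j ACCEPT

  ###################### Protection against damaged packets
  # (port scanners, ping of death, DoS, syn flood, ...)
  iptables -A FORWARD -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT
  iptables -A FORWARD -p tcp -m limit --limit 1/s -j ACCEPT
  iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
  iptables -A FORWARD -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit 1/s -j ACCEPT
  iptables -A FORWARD --protocol tcp --tcp-flags ALL SYN,ACK -j DROP
  # The unclean match is missing on most kernels; when it is, this one call
  # fails and the script carries on.
  iptables -A FORWARD -m unclean -j DROP

  # Allow everything out and only established/related traffic back in
  iptables -A FORWARD -i "$EXTERNAL" -o "$INTERNAL" -m state --state ESTABLISHED,RELATED -j ACCEPT
  iptables -A FORWARD -i "$INTERNAL" -o "$EXTERNAL" -j ACCEPT
}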

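# Entry point, init-script style: start | stop | restart | status.
# stop/restart only flush the rules; ip_forward stays at 1 once add_rules has
# set it, so the box keeps routing after a stop.
case "$1" in
  start)
    printf 'Starting Firewall...'
    add_rules
    echo "Done"
    ;;
  stop)
    printf 'Stopping Firewall...'
    flush_rules
    echo "Done"
    ;;
  restart)
    printf 'Restarting Firewall...'
    flush_rules
    add_rules
    echo "Done"
    ;;
  status)
    echo "============================ Firewall rules:"
    iptables -L -n
    echo "============================ Masquerade tables:"
    iptables -t nat -L -n
    echo "============================ Mangle table:"
    iptables -t mangle -L -n
    ;;
  *)
    # Usage goes to stderr. NOTE(review): a non-zero exit would be more
    # conventional here; kept at 0 as in the original.
    echo "Usar: $0 { status | start | stop | restart }" >&2
    ;;
esac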
