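#!/bin/bash
# iptables gateway firewall: a LAN (eth1) behind a single WAN link (eth0) with
# a transparent Squid proxy, a few DNAT port forwards and masquerading.
#
# Flow: kernel hardening sysctls -> load netfilter modules -> flush every table
# -> default policies (INPUT/FORWARD DROP, OUTPUT ACCEPT) -> NAT rules ->
# per-chain ACCEPT/DROP rules.
#
# Must be run as root.  Values containing "x" / "xxxx" are placeholders that
# were redacted before publication; fill them in before running.
set -u   # a mistyped variable name aborts instead of producing a rule with an empty field

if [[ $EUID -ne 0 ]]; then
  printf 'this script must be run as root\n' >&2
  exit 1
fi

### GLOBAL VARIABLES
ipt="/sbin/iptables"
mod="/sbin/modprobe"

### SYSTEM VARIABLES
LO_IF="lo"
LAN_IF="eth1"
LAN_IP="172.16.16.x"     # redacted placeholder
LAN_NET="172.16.0.0/16"
WAN_IF="eth0"
DNS="x.x.x.x"            # redacted placeholder: upstream resolver used by the LAN

### OUTBOUND TCP PORTS
FW_TCPOUT="443,1049,1364,2500,3007,3456,5017,5024,7080,8017"

### KERNEL SETTINGS
## Forward packets between interfaces (required for the NAT/FORWARD rules below)
echo 1 > /proc/sys/net/ipv4/ip_forward
## Ignore ICMP echo requests sent to broadcast addresses (smurf amplification)
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
## Enable TCP SYN cookies (SYN-flood resistance); 1 = enabled
echo 1 > /proc/sys/net/ipv4/tcp_syncookies
## Reverse-path filtering: drop packets whose source is not routed back through
## the interface they arrived on (IP spoofing protection)
echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter
## Do not honour ICMP redirects (route tampering)
echo 0 > /proc/sys/net/ipv4/conf/all/accept_redirects
## Do not honour source-routed packets (sender-chosen path)
echo 0 > /proc/sys/net/ipv4/conf/all/accept_source_route
## Ignore bogus ICMP error responses
echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses

### LOAD NETFILTER MODULES
# Several of these are old module names; on newer kernels they may be built in
# or renamed, in which case a failed modprobe is normally harmless.
for m in ip_tables ipt_conntrack iptable_filter iptable_mangle iptable_nat \
         ipt_LOG ipt_limit ipt_state ipt_MASQUERADE ip_nat_ftp ip_conntrack_ftp; do
  "$mod" "$m"
done

### FLUSH EXISTING RULES AND USER CHAINS
"$ipt" -F
"$ipt" -X
"$ipt" -t nat -F
"$ipt" -t nat -X
"$ipt" -t mangle -F
"$ipt" -t mangle -X

### DEFAULT POLICIES
"$ipt" -P INPUT DROP
"$ipt" -P FORWARD DROP
"$ipt" -P OUTPUT ACCEPT
"$ipt" -t nat -P OUTPUT ACCEPT
"$ipt" -t nat -P PREROUTING ACCEPT
"$ipt" -t nat -P POSTROUTING ACCEPT
"$ipt" -t mangle -P PREROUTING ACCEPT
"$ipt" -t mangle -P POSTROUTING ACCEPT

### ADDITIONAL CHAINS
"$ipt" -N PORT_SCANNER
# PORT_SCANNER: returns (without logging) for at most one RST-only segment per
# second and logs everything else that reaches it.
# NOTE: nothing below jumps to this chain, so as written it has no effect.
# Before hooking it into INPUT it would need a tighter match and a terminal
# verdict after the LOG, or it would log every packet that enters it.
"$ipt" -A PORT_SCANNER -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit 1/s -j RETURN
"$ipt" -A PORT_SCANNER -j LOG --log-prefix "[IPTables PortScan] : " --log-level info

#########################################################################################
#################### NAT TABLE
#########################################################################################
## Transparent proxy: LAN HTTP (80) is redirected to Squid on 3128
"$ipt" -t nat -A PREROUTING -s "$LAN_NET" -p tcp --dport 80 -j REDIRECT --to-port 3128
## Port forwards from the WAN to terminal-server hosts on the LAN
"$ipt" -t nat -A PREROUTING -i "$WAN_IF" -p tcp --dport 3310 -j DNAT --to-destination 172.16.16.x:xxxx
"$ipt" -t nat -A PREROUTING -i "$WAN_IF" -p tcp --dport 3311 -j DNAT --to-destination 172.16.16.x:xxxx
"$ipt" -t nat -A PREROUTING -i "$WAN_IF" -p tcp --dport 3312 -j DNAT --to-destination 172.16.16.x:xxxx
## SSH is reachable from the WAN on 443 (redirected locally to port 22)
"$ipt" -t nat -A PREROUTING -i "$WAN_IF" -p tcp -m tcp --dport 443 -j REDIRECT --to-port 22
"$ipt" -t nat -A PREROUTING -i "$WAN_IF" -p tcp -m tcp --dport 7443 -j DNAT --to-destination 172.16.16.x:xxxx
"$ipt" -t nat -A PREROUTING -i "$WAN_IF" -p udp -m udp --dport 7443 -j DNAT --to-destination 172.16.16.x:xxxx
## Masquerade LAN traffic leaving through the WAN interface
## (the whole nat table was flushed above, so no extra POSTROUTING flush is needed)
"$ipt" -t nat -A POSTROUTING -s "$LAN_NET" -o "$WAN_IF" -j MASQUERADE
## Stateful filtering: accept packets belonging to tracked connections
## (the state name must be spelled exactly ESTABLISHED or iptables rejects the rule)
"$ipt" -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
"$ipt" -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
"$ipt" -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

#########################################################################################
##################### OUTPUT CHAIN
#########################################################################################
## Drop packets with bogus / unroutable source or destination addresses
"$ipt" -A OUTPUT -s 192.168.0.0/16 -j DROP
"$ipt" -A OUTPUT -s 224.0.0.0/4 -j DROP
"$ipt" -A OUTPUT -s 240.0.0.0/5 -j DROP
"$ipt" -A OUTPUT -s 0.0.0.0/8 -j DROP
"$ipt" -A OUTPUT -d 255.255.255.255 -j DROP
"$ipt" -A OUTPUT -d 224.0.0.0/4 -j DROP

#########################################################################################
###################### INPUT CHAIN
#########################################################################################
## SSH on 22 (also reached through the WAN 443 redirect above), open to any source
"$ipt" -A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
## Trusted sources
"$ipt" -A INPUT -i "$LO_IF" -j ACCEPT
"$ipt" -A FORWARD -i "$LO_IF" -j ACCEPT
# -i takes an interface name, not a network: match the LAN interface and
# require a LAN source address on it
"$ipt" -A INPUT -i "$LAN_IF" -s "$LAN_NET" -j ACCEPT
## 172.16.50.0/24 is trusted in both directions
"$ipt" -A INPUT -s 172.16.50.0/24 -j ACCEPT
"$ipt" -A INPUT -d 172.16.50.0/24 -j ACCEPT
"$ipt" -A FORWARD -d 172.16.50.0/24 -j ACCEPT
"$ipt" -A OUTPUT -d 172.16.50.0/24 -j ACCEPT
## ICMP types needed for ping and path diagnostics
"$ipt" -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
"$ipt" -A INPUT -p icmp --icmp-type time-exceeded -j ACCEPT
"$ipt" -A INPUT -p icmp --icmp-type destination-unreachable -j ACCEPT
## Squid proxy port, LAN only
"$ipt" -A INPUT -p tcp --dport 3128 -s "$LAN_NET" -j ACCEPT

#############################################################################################
######################### FORWARD CHAIN
#############################################################################################
## WARNING: this accepts every connection arriving on the WAN interface for
## forwarding, which makes the FORWARD DROP policy ineffective for WAN->LAN
## traffic.  Narrow it to the DNAT targets above (-p tcp -d <host> --dport
## <port> -m state --state NEW) once the placeholders are filled in.
"$ipt" -A FORWARD -i "$WAN_IF" -j ACCEPT
## Port 3128 accepted from the LAN interface/network
"$ipt" -A FORWARD -i "$LAN_IF" -s "$LAN_NET" -p tcp --dport 3128 -j ACCEPT
## HTTPS
"$ipt" -A FORWARD -p tcp --dport 443 -j ACCEPT
## Ping originating from the LAN
"$ipt" -A FORWARD -i "$LAN_IF" -s "$LAN_NET" -d 0/0 -p icmp -j ACCEPT
## FTP control/data (ip_conntrack_ftp tracks the data channel as RELATED)
"$ipt" -A FORWARD -p tcp --dport 21 -j ACCEPT
"$ipt" -A FORWARD -p tcp --dport 20 -j ACCEPT
"$ipt" -A FORWARD -p tcp --dport 9443 -j ACCEPT
## Java application server ports, LAN -> specific hosts
"$ipt" -A FORWARD -p tcp -s "$LAN_NET" -d 172.16.50.x --dport 4848 -j ACCEPT
"$ipt" -A FORWARD -p tcp -s "$LAN_NET" -d 172.16.50.x --dport 8080 -j ACCEPT
"$ipt" -A FORWARD -p tcp -s "$LAN_NET" -d 172.16.50.x --dport 8181 -j ACCEPT
"$ipt" -A FORWARD -p tcp -s "$LAN_NET" -d 172.16.16.x --dport 8686 -j ACCEPT
"$ipt" -A FORWARD -p tcp -s "$LAN_NET" -d 172.16.50.x --dport 8686 -j ACCEPT
## Mail clients: DNS to/from the upstream resolver, then SMTP/POP3/IMAP
"$ipt" -A FORWARD -p udp -s "$LAN_NET" -d "$DNS" --dport 53 -j ACCEPT
"$ipt" -A FORWARD -p udp -s "$DNS" --sport 53 -d "$LAN_NET" -j ACCEPT
"$ipt" -A FORWARD -p tcp --dport 25 -j ACCEPT   # SMTP
"$ipt" -A FORWARD -p tcp --dport 587 -j ACCEPT  # SMTP submission
"$ipt" -A FORWARD -p tcp --dport 110 -j ACCEPT  # POP3
"$ipt" -A FORWARD -p tcp --dport 143 -j ACCEPT  # IMAP
"$ipt" -A FORWARD -p tcp --dport 465 -j ACCEPT  # SMTPS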