#firewall
#!/bin/sh
## Firewall criado por Wellington Maciel de Souza em 11/11/2005
#
### BEGIN INIT INFO
# Provides: firewall.sh
# Required-Start: $local_fs $remote_fs $network $syslog
# Required-Stop: $local_fs $remote_fs $network $syslog
# Default-Start: 2 3 4 5
# Default-Stop: 0 1 6
# Short-Description: Start firewall.sh at boot time
# Description: Enable service provided by firewall.sh.
### END INIT INFO
#
## The function wrapper this script once had around the rule set is disabled
## (the matching "#}" sits just before the case at the end), so everything
## from here down runs at top level on every invocation of the script.
#firewall_start(){
## Turn on IPv4 forwarding so this box routes between its interfaces
## (Internet sharing for the LAN).
printf '1\n' >/proc/sys/net/ipv4/ip_forward
## Interface and network constants.
## NOTE(review): only EXT and IP are referenced further down, and only from
## commented-out rules; every active rule hard-codes eth0/eth1 and
## 192.168.0.0/24 directly. INT, REDE_INTERNA, RECEITA1 and RECEITA2 are
## never read.
EXT='eth0'                       # interface that is MASQUERADEd below (Internet side)
INT='eth1'                       # LAN side (the "-i eth1" rules below)
IP='192.168.0.0/24'              # LAN address range
REDE_INTERNA='192.168.0.0/24'    # same LAN range under a second name
RECEITA1='200.233.3.103/32'
RECEITA2='200.233.3.104/32'
#
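#######################################
# Empty the firewall: flush every rule, delete user-defined chains and zero
# the packet/byte counters in the filter, nat and mangle tables.
# The original only ran -X/-Z against the filter table, leaving user chains
# and counters behind in nat and mangle; all three tables get the same
# treatment now.
# Chain policies (-P) are deliberately not touched: this script never sets
# one, so after a flush each chain keeps whatever policy it already had.
# Globals:   none
# Arguments: none
# Outputs:   iptables diagnostics on stderr, if any
# Returns:   status of the last iptables call
#######################################
flush_rules()
{
  for table in filter nat mangle; do
    iptables -t "$table" -F
    iptables -t "$table" -X
    iptables -t "$table" -Z
  done
}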
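## Load the netfilter modules the rules below rely on.
## NOTE(review): "ipt-conntrack" in the original was a typo (module names use
## underscores); modprobe could never resolve it, so it is "ipt_conntrack"
## here. Many of these are the legacy ip_conntrack*/ip_nat_*/ipt_* names of
## older kernels; on a newer kernel some may no longer exist and modprobe
## reports an error for them. A failed load does not stop the script — the
## warning printed below is there so a missing module is visible in the boot
## log rather than silently leaving a rule unloadable.
/sbin/depmod -a
for mod in ip_tables ip_conntrack ip_conntrack_ftp ip_conntrack_irc \
    ip_nat_ftp ip_nat_irc ip_nat_snmp_basic ip_queue ipt_conntrack \
    ipt_LOG ipt_MARK ipt_MASQUERADE ipt_REDIRECT ipt_REJECT ipt_TCPMSS \
    ipt_TOS ipt_limit ipt_mac ipt_mark ipt_multiport ipt_owner ipt_state \
    ipt_tcpmss ipt_tos iptable_filter iptable_mangle iptable_nat; do
  /sbin/modprobe "$mod" || printf 'firewall: modprobe %s failed\n' "$mod" >&2
done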
## Start from an empty rule set in each table this script writes to.
## Only the rules are flushed here (no -X/-Z), so user-defined chains and
## counters survive; "iptables -F" with no -t is the filter table.
for table in filter nat mangle; do
  iptables -t "$table" -F
done
#
## Proxy bypasses and per-destination allowances.
## An ACCEPT in nat/PREROUTING ends NAT processing for the packet, i.e. it is
## NOT redirected to Squid. Rules added with -I go to the head of the chain, so
## they are evaluated before the generic port-80 REDIRECT appended further down.
## NOTE(review): the -I bypass rules match "-i eth0", but INT is eth1 and the
## LAN's packets enter on eth1, so these bypasses probably never see the LAN
## traffic they are meant to exempt — TODO confirm with
## "iptables -t nat -L PREROUTING -v -n" (packet counters).
iptables -t nat -A PREROUTING -p tcp -d 201.55.62.0/24 -j ACCEPT
iptables -A FORWARD -p tcp -d 201.55.62.0/24 --dport 80 -j ACCEPT
#iptables -A INPUT -p tcp --dport 22 -j sshguard
iptables -t nat -I PREROUTING -i eth0 -m tcp -p tcp -d 200.221.0.0/16 --dport 80 -j ACCEPT # UOL address range: go direct, not through the proxy
#iptables -t nat -I PREROUTING -i eth0-m tcp -p tcp -d 200.169.96.0/24 --dport 80 -j ACCEPT # IP Dual Tec para Passar direto
iptables -t nat -I PREROUTING -i eth0 -m tcp -p tcp -d 201.77.211.0/32 --dport 80 -j ACCEPT # Boxnet
iptables -t nat -I PREROUTING -i eth0 -m tcp -p tcp -d 212.96.161.241 --dport 80 -j ACCEPT # AVG7
iptables -t nat -I PREROUTING -i eth0 -m tcp -p tcp -d 212.96.161.243 --dport 80 -j ACCEPT # AVG8
iptables -t nat -I PREROUTING -i eth0 -m tcp -p tcp -d 200.136.36.6 --dport 80 -j ACCEPT # AVG8
# "Allow Caixa". NOTE(review): this REDIRECTs to Squid on 3128, which is the
# same treatment the generic port-80 rule below gives everything, and iptables
# normalises 200.201.174.0/16 to 200.201.0.0/16 — presumably a narrower
# prefix (or an ACCEPT like the bypasses above) was meant; confirm.
iptables -t nat -A PREROUTING -i eth0 -m tcp -p tcp -d 200.201.174.0/16 --dport 80 -j REDIRECT --to-port 3128
# Host 200.152.32.174: SSH and FTP (20/21) into this box from it, and FTP
# forwarded out to it.
iptables -A INPUT -p tcp -s 200.152.32.174 --dport 22 -j ACCEPT
iptables -A INPUT -p tcp -s 200.152.32.174 --dport 20 -j ACCEPT
iptables -A INPUT -p tcp -s 200.152.32.174 --dport 21 -j ACCEPT
iptables -A FORWARD -p tcp -d 200.152.32.174 --dport 20 -j ACCEPT
iptables -A FORWARD -p tcp -d 200.152.32.174 --dport 21 -j ACCEPT
# NOTE(review): "-i eth0 -o eth0" only matches packets that both enter and
# leave on the external interface; LAN-to-Internet HTTPS would need
# "-i eth1 -o eth0" — confirm what this was meant to allow.
iptables -A FORWARD -i eth0 -o eth0 -p tcp --dport 443 -j ACCEPT
#
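# Receita (federal revenue) access and assorted port allowances.
# 200.189.113.0/24 skips the Squid redirect (inserted at the head of
# nat/PREROUTING). NOTE(review): "-i eth0" is the external interface, while the
# LAN's packets arrive on eth1 — the bypass likely never matches LAN clients;
# confirm with the chain's packet counters.
#200.189.113.226
iptables -t nat -I PREROUTING -i eth0 -m tcp -p tcp -d 200.189.113.0/24 --dport 80 -j ACCEPT # Receita direct, no proxy
# The nat table has no FORWARD chain, so the two 8017 rules below — written as
# "-t nat -I FORWARD" in the original — were rejected by iptables and never
# loaded. They are filter-table FORWARD rules.
# NOTE(review): the second rule matches --dport 8017 *towards* the LAN, i.e. the
# server opening a connection to a LAN host; if it was meant to admit replies,
# --sport 8017 (or the ESTABLISHED,RELATED rule later in the chain) is what
# covers that — confirm.
iptables -I FORWARD -s 192.168.0.0/24 -d 200.189.113.86 -p tcp --dport 8017 -j ACCEPT
iptables -I FORWARD -d 192.168.0.0/24 -s 200.189.113.86 -p tcp --dport 8017 -j ACCEPT
# Siosbra and Sisobranet systems: 200.152.0.0/16 skips NAT and is forwarded.
iptables -t nat -A PREROUTING -p tcp -d 200.152.0.0/16 -j ACCEPT
iptables -A FORWARD -p tcp -d 200.152.0.0/16 -j ACCEPT
#
# Open port 20 on this box for Receita (from anywhere, including the Internet)
iptables -A INPUT -p tcp --dport 20 -j ACCEPT
# Policentro - Caixa
iptables -A FORWARD -p TCP --dport 20 -j ACCEPT
iptables -A FORWARD -p TCP --dport 7878 -j ACCEPT
# IRPF / Receitanet
iptables -A FORWARD -p TCP --dport 3456 -j ACCEPT
# Open port 21 on this box for Receita (from anywhere, including the Internet)
iptables -A INPUT -p tcp --dport 21 -j ACCEPT
#iptables -A FORWARD -p tcp --dport 21 -j ACCEPT
# Open port 24 on this box for Receita (from anywhere, including the Internet)
iptables -A INPUT -p tcp --dport 24 -j ACCEPT
#
# AdmNet / Sisnet support
iptables -A FORWARD -p TCP --dport 5350:5359 -j ACCEPT
iptables -A FORWARD -p TCP --sport 5350:5359 -j ACCEPT
#
# Gmail (SMTPS 465, submission 587, POP3S 995)
iptables -A FORWARD -p TCP --dport 465 -j ACCEPT
iptables -A FORWARD -p TCP --dport 587 -j ACCEPT
iptables -A FORWARD -p TCP --dport 995 -j ACCEPT
#
# NOTE(review): the two rules below accept forwarded traffic on the *source*
# port alone, which the remote peer chooses, so any inbound connection using
# one of these source ports is forwarded regardless of connection state.
# Return traffic is already admitted by the ESTABLISHED,RELATED rule later in
# the chain; adding "-m state --state ESTABLISHED,RELATED" here (or removing
# the rules) closes that gap — confirm what they were meant to allow first.
iptables -A FORWARD -p TCP -m multiport --source-port 20,21,22,24 -j ACCEPT
iptables -A FORWARD -p TCP -m multiport --source-port 25,110,587,143,563,2095,3306,10060,10061 -j ACCEPT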
##
## Openfire file transfer (7777) and the Nimbuzz / MSN source blocks.
## These DROPs match on -s, so they discard packets *coming from* those
## networks (server replies), not the LAN's own outgoing packets.
## NOTE(review): 65.54.49.124/24 and 195.211.49.6/24 are host addresses with
## a /24 mask; iptables normalises them to 65.54.49.0/24 and 195.211.49.0/24.
## The "-I INPUT" drop lands at the head of INPUT, ahead of every ACCEPT
## appended later.
## Trying to get file transfers through to Openfire
iptables -A FORWARD -p tcp --dport 7777 -j ACCEPT
# Block Nimbuzz
iptables -A FORWARD -s 195.211.48.26 -j DROP # nimbuzz
iptables -A FORWARD -s 65.54.49.124/24 -j DROP # msn
iptables -I INPUT -s 195.211.49.6/24 -j DROP # nimbuzz
iptables -A FORWARD -s 195.211.0.0/24 -j DROP # Nimbuzz
iptables -A FORWARD -s 195.211.48.0/24 -j DROP # Nimbuzz
#iptables -t filter -A OUTPUT -d 195.211.0.0/16 -p tcp --dport 5222 -j DROP # nimbuzz
#iptables -t nat -I PREROUTING -i eth0 -m tcp -p tcp -d 72.246.64.65 --dport 80 -j DROP # Nimbuzz
#iptables -t nat -I PREROUTING -i eth0 -m tcp -p tcp -d 212.227.96.110 --dport 80 -j REJECT #
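# Port forwarding (DNAT) from the external interface to LAN hosts.
# NOTE(review): none of these carries a -s restriction, so each publishes the
# internal service to the whole Internet: PostgreSQL 5432/5433 on .245,
# 5223/9091/7777 on .5, 27015 on .14, VNC 5900 and RDP 3389 on .151. Where the
# peers are known, limit them by source address.
# The chain name on the 27015, 7777 and 5900 lines was misspelled "PREROUNTIG"
# in the original; iptables rejected those three rules, so they never loaded.
# PREROUTING is first-match, so now that the 5900 -> 192.168.0.10 rule loads
# it shadows the later 5900 -> 192.168.0.151 rule. TODO(review): decide which
# host VNC should reach and delete the other rule.
#
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 5432 -j DNAT --to 192.168.0.245:5432
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 5433 -j DNAT --to 192.168.0.245:5433
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 5223 -j DNAT --to 192.168.0.5:5223
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 9091 -j DNAT --to 192.168.0.5:9091
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 27015 -j DNAT --to 192.168.0.14:27015
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 7777 -j DNAT --to 192.168.0.5:7777
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 5900 -j DNAT --to 192.168.0.10:5900
# NOTE(review): FORWARD sees the packet *after* DNAT, so "-d 189.100.154.49"
# (presumably this box's public address) does not match the rewritten RDP
# packets, whose destination is 192.168.0.151 by then; the two copies of this
# rule are also identical. Matching on "-d 192.168.0.151 --dport 3389" is what
# would admit the forwarded session — confirm.
iptables -A FORWARD -p tcp --dport 3389 -d 189.100.154.49 -j ACCEPT
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 3389 -j DNAT --to 192.168.0.151
iptables -A FORWARD -p tcp --dport 3389 -d 189.100.154.49 -j ACCEPT
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 5900 -j DNAT --to 192.168.0.151
#iptables -t nat -A PREROUTING -s 0/0 -m tcp -p tcp -i eth1 --dport 3389 -j DNAT --to-destination 192.168.0.151:3389
#iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 27015 -j DNAT --to 192.168.0.151:27015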
#
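# Lunch-hour (12:00-13:30) Facebook block.
# /etc/squid/conf/ip_face holds one "<ip>-<name>" entry per line. For each
# entry, TCP/443 traffic in FORWARD and OUTPUT whose payload contains the
# string "facebook.com" (presumably the TLS SNI) is REJECTed for every
# address *other* than <ip>.
# NOTE(review): because each entry's rule exempts only its own address, with
# two or more entries every listed host is still rejected by the other
# entries' rules — confirm that is the intent; exempting all listed hosts at
# once needs a dedicated chain (RETURN for each listed host, then one REJECT).
# NOTE(review): which clock "-m time" compares against (UTC vs. kernel local
# time) depends on the iptables version — verify on this box.
# The original read the file with an unquoted `cat` in a for-loop, which
# word-splits and glob-expands each line; lines are read whole here, blank
# lines are skipped and a missing file is reported instead of erroring.
ip_face_list=/etc/squid/conf/ip_face
if [ -r "$ip_face_list" ]; then
  while IFS= read -r IP_FACE || [ -n "$IP_FACE" ]; do
    [ -n "$IP_FACE" ] || continue
    ip_usuario=${IP_FACE%%-*}                                   # text before the first '-'
    nome_usuario=$(printf '%s\n' "$IP_FACE" | cut -d'-' -f2)    # not used by the rules; kept for logging/debugging
    iptables -t filter -I FORWARD ! -d "$ip_usuario" -p tcp --dport 443 -m string --algo bm --string "facebook.com" -m time --timestart 12:00 --timestop 13:30 -j REJECT
    iptables -t filter -I FORWARD ! -s "$ip_usuario" -p tcp --sport 443 -m string --algo bm --string "facebook.com" -m time --timestart 12:00 --timestop 13:30 -j REJECT
    iptables -t filter -I OUTPUT ! -d "$ip_usuario" -p tcp --dport 443 -m string --algo bm --string "facebook.com" -m time --timestart 12:00 --timestop 13:30 -j REJECT
    iptables -t filter -I OUTPUT ! -s "$ip_usuario" -p tcp --sport 443 -m string --algo bm --string "facebook.com" -m time --timestart 12:00 --timestop 13:30 -j REJECT
  done < "$ip_face_list"
else
  printf 'firewall: %s not readable, Facebook block skipped\n' "$ip_face_list" >&2
fi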
#
#
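# "Access attempt": drop HTTPS to urs.microsoft.com in INPUT, OUTPUT and
# FORWARD (presumably part of the MSN block further down).
# The destination is a hostname: iptables resolves it once when the rule is
# loaded (one rule per resolved address) and the rule fails to load if DNS is
# unavailable at boot; later address changes are not tracked.
# The second rule's chain was misspelled "OUPUT" in the original, so iptables
# rejected it and this box's own traffic was never covered.
#iptables -I FORWARD -s 192.168.0.26 -p tcp --dport 443 -j DROP
iptables -t filter -A INPUT -d urs.microsoft.com -p tcp --dport 443 -j DROP
iptables -t filter -A OUTPUT -d urs.microsoft.com -p tcp --dport 443 -j DROP
iptables -t filter -A FORWARD -d urs.microsoft.com -p tcp --dport 443 -j DROP
#iptables -t filter -A INPUT -d nexus.passport.com -p tcp -dport 443 -j DROP
#
# Per-host HTTPS blocks kept for reference; all currently disabled.
#iptables -I FORWARD -s 192.168.0.11 -p tcp --dport 443 -j DROP
#iptables -I FORWARD -s 192.168.0.17 -p tcp --dport 443 -j DROP
#iptables -I FORWARD -s 192.168.0.24 -p tcp --dport 443 -j DROP
#iptables -I FORWARD -s 192.168.0.16 -p tcp --dport 443 -j DROP
#iptables -I FORWARD -s 192.168.0.245 -p tcp --dport 443 -j DROP
#iptables -I FORWARD -s 192.168.0.210 -p tcp --dport 443 -j DROP
#iptables -I FORWARD -s 192.168.0.27 -p tcp --dport 443 -j DROP
#iptables -I FORWARD -s 192.168.0.211 -p tcp --dport 443 -j DROP
#iptables -I FORWARD -s 192.168.0.55 -p tcp --dport 443 -j DROP
#iptables -I FORWARD -s 192.168.0.100 -p tcp --dport 443 -j DROP
#iptables -I FORWARD -s 192.168.0.199 -p tcp --dport 443 -j DROP
#iptables -I FORWARD -s 192.168.0.33 -p tcp --dport 443 -j DROP
#iptables -I FORWARD -s 192.168.0.53 -p tcp --dport 443 -j DROP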
# FTP (plus a 7777/Openfire rule that was grouped here).
# The RELATED states below only work because ip_conntrack_ftp / ip_nat_ftp
# are loaded at the top of the script.
# First, allow the new outgoing connection to the FTP server on port 21:
iptables -A FORWARD -p tcp --dport 21 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -p tcp --dport 7777 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
# Now allow the server's reply back to the client:
iptables -A FORWARD -p tcp --sport 21 -m state --state ESTABLISHED,RELATED -j ACCEPT
# For ACTIVE FTP the server opens a connection back to the client. Allowing
# new inbound connections outright is considered unsafe, but connection
# tracking recognises this one as RELATED to the port-21 session already made,
# so NEW does not need to be allowed:
iptables -A FORWARD -p tcp --sport 20 -m state --state ESTABLISHED,RELATED -j ACCEPT
# and the return path:
iptables -A FORWARD -p tcp --dport 20 -m state --state ESTABLISHED -j ACCEPT
# For PASSIVE FTP we must allow high-port to high-port connections, but with
# connection tracking only when they are related to an earlier session.
# NOTE(review): the second rule is a superset of the first (it adds RELATED,
# which is the state that actually admits the passive data connection), so
# the first is redundant.
iptables -A FORWARD -p tcp --sport 1024: --dport 1024: -m state --state ESTABLISHED -j ACCEPT
iptables -A FORWARD -p tcp --sport 1024: --dport 1024: -m state --state ESTABLISHED,RELATED -j ACCEPT
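# Nimbuzz block, continued: drop HTTPS to imo.im and www.imo.im in FORWARD and
# INPUT. The hostnames are resolved by iptables when the rule is loaded; if DNS
# is down at boot the rule fails to load, and later address changes are not
# tracked.
# In the original the www.imo.im rules were split across two lines
# ("iptables ... -d" / "www.imo.im ..."), so the first half failed and the
# second half ran "www.imo.im" as a command; they are rejoined here.
iptables -A FORWARD -d www.imo.im -p tcp --dport 443 -j DROP
iptables -A INPUT -d www.imo.im -p tcp --dport 443 -j DROP
iptables -A FORWARD -d imo.im -p tcp --dport 443 -j DROP
iptables -A INPUT -d imo.im -p tcp --dport 443 -j DROP
#iptables -t nat -A OUTPUT -d www.imo.im -p tcp --dport 443 -j DROP
#iptables -t nat -A OUTPUT -d imo.im -p tcp --dport 443 -j DROP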
#
# Block port 9666 ("Internet access ports" per the original comment) in every
# direction.
# NOTE(review): the three "-m tcp" rules repeat what the first FORWARD and
# OUTPUT rules already do (the FORWARD one without -i eth1 is wider, the
# OUTPUT DROP sits behind an OUTPUT REJECT for the same match and is never
# reached).
#
iptables -A FORWARD -p tcp -i eth1 --dport 9666 -j DROP
iptables -A OUTPUT -p tcp --dport 9666 -j REJECT
iptables -A INPUT -p tcp -m tcp --dport 9666 -j DROP
iptables -A FORWARD -p tcp -m tcp --dport 9666 -j DROP
iptables -A OUTPUT -p tcp -m tcp --dport 9666 -j DROP
#iptables -A OUTPUT -p tcp -s 195.211.48.0/24 -j DROP
#iptables -t nat -A PREROUTING -p tcp -i 192.168.0.0/24 --dport 9666 -j DROP
#iptables -A FORWARD -p tcp --dport 443 -j DROP
#iptables -A INPUT -p tcp --dport 443 -j DROP
#iptables -A OUTPUT -p tcp --dport 443 -j DROP
#
#iptables -A FORWARD -p tcp --dport 7777 -o eth0 -j ACCEPT
#
# RDP: forward 3389 out on eth0, and publish 3389 to 192.168.0.151.
# NOTE(review): the DNAT duplicates the 3389 -> 192.168.0.151 rule already
# appended to nat/PREROUTING earlier; PREROUTING is first-match, so this copy
# never fires.
iptables -A FORWARD -p tcp --dport 3389 -o eth0 -j ACCEPT
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 3389 -j DNAT --to 192.168.0.151
#
# Trying to hand 3389 off to the "Fires" machine (disabled; $TS is never set).
#iptables -I POSTROUTING -j MASQUERADE -t nat -s $IP -p tcp --dport 3389 -o $EXT #TS
#iptables -t nat -A PREROUTING -p tcp --dport 3389 -j DNAT --to-destination $TS:3389
#
# Transparent proxy: LAN port-80 traffic is redirected into Squid on 3128.
# NOTE(review): there is no "-i eth1" here, so a packet arriving on eth0 with a
# forged 192.168.0.x source would also be redirected into Squid; binding the
# rule to the LAN interface (and dropping LAN-sourced packets on eth0) is the
# usual tightening.
iptables -t nat -A PREROUTING -s 192.168.0.0/255.255.255.0 -p tcp --dport 80 -j REDIRECT --to-port 3128 # redirect port 80 to Squid's port 3128
# NOTE(review): Squid is a TCP proxy; redirecting UDP/80 to it presumably has
# no effect — confirm whether anything listens on UDP 3128.
iptables -t nat -A PREROUTING -s 192.168.0.0/255.255.255.0 -p udp --dport 80 -j REDIRECT --to-port 3128 # UDP redirect
#iptables -t nat -A PREROUTING -s 192.168.0.0/255.255.255.0 -p tcp --dport 443 -j REDIRECT --to-port 3128 # Portas seguras
#iptables -t nat -A PREROUTING -s 192.168.0.0/255.255.255.0 -p udp --dport 443 -j REDIRECT --to-port 3128 # POrtas Seguras
# Source NAT for everything leaving on the external interface.
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE # masquerading.
#iptables -A FORWARD -p tcp -j REJECT --reject-with tcp-reset
#iptables -I POSTROUTING -j MASQUERADE -t nat -s $IP -p tcp --dport 3389 -o $EXT
# Block MSN for the LAN, except for the hosts listed first.
# Order matters: the per-host ACCEPTs are appended before the subnet-wide
# REJECTs, so the listed hosts match first. loginnet.passport.com is resolved
# by iptables at load time (the rule fails to load if DNS is unavailable).
iptables -A FORWARD -s 192.168.0.190 -p tcp --dport 1863 -j ACCEPT # allowed for this machine
iptables -A FORWARD -s 192.168.0.190 -d loginnet.passport.com -j ACCEPT # allowed for this machine
iptables -A FORWARD -s 192.168.0.192 -p tcp --dport 1863 -j ACCEPT # allowed for this machine
iptables -A FORWARD -s 192.168.0.192 -d loginnet.passport.com -j ACCEPT # allowed for this machine
#iptables -A FORWARD -s 192.168.0.250 -p tcp --dport 1863 -j ACCEPT # elton
#iptables -A FORWARD -s 192.168.0.250 -d loginnet.passport.com -j ACCEPT # elton
iptables -A FORWARD -s 192.168.0.5 -p tcp --dport 1863 -j ACCEPT
iptables -A FORWARD -s 192.168.0.5 -d loginnet.passport.com -j ACCEPT
iptables -A FORWARD -s 192.168.0.4 -p tcp --dport 1863 -j ACCEPT
iptables -A FORWARD -s 192.168.0.4 -d loginnet.passport.com -j ACCEPT
#iptables -A FORWARD -s 192.168.0.11 -p tcp --dport 1863 -j ACCEPT
#iptables -A FORWARD -s 192.168.0.11 -d loginnet.passport.com -j ACCEPT
#iptables -A FORWARD -s 192.168.0.24 -p tcp --dport 1863 -j ACCEPT
#iptables -A FORWARD -s 192.168.0.24 -d loginnet.passport.com -j ACCEPT
# Everyone else on the LAN: reject the MSN port and the login host.
iptables -A FORWARD -s 192.168.0.0/24 -p tcp --dport 1863 -j REJECT
iptables -A FORWARD -s 192.168.0.0/24 -d loginnet.passport.com -j REJECT
## Accept everything from the local network range.
## NOTE(review): no "-i eth1" here either, so the match is on source address
## alone; a packet with a 192.168.0.x source arriving on eth0 is accepted too.
iptables -A INPUT -s 192.168.0.0/24 -j ACCEPT
#
## Open ports 80, 21, 23, 25, 110, 22, 5900, 2222, 554, 3389, 5432, 5433, 5901, 27015, 27040, ...
## NOTE(review): this script never sets a chain policy (no "iptables -P"
## anywhere in it). Unless the INPUT policy is set to DROP elsewhere, these
## ACCEPTs change nothing — INPUT already accepts by default — and the only
## effective entries are the DROP/REJECT ones. If the policy *is* DROP, note
## that telnet (23), PostgreSQL (5432/5433), VNC (5900/5901) and RDP (3389)
## are opened to every source; restrict them by -s or -i where possible.
## The 9666 REJECT below is never reached: an INPUT DROP for the same port was
## appended earlier in the script.
iptables -A INPUT -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -p tcp --dport 21 -j ACCEPT
iptables -A INPUT -p tcp --dport 23 -j ACCEPT
iptables -A INPUT -p tcp --dport 24 -j ACCEPT
iptables -A INPUT -p tcp --dport 25 -j ACCEPT
iptables -A INPUT -p tcp --dport 110 -j ACCEPT
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -p tcp --dport 5900 -j ACCEPT
iptables -A INPUT -p tcp --dport 2222 -j ACCEPT
iptables -A INPUT -p tcp --dport 554 -j ACCEPT
iptables -A INPUT -p tcp --dport 5222 -j ACCEPT
iptables -A INPUT -p tcp --dport 5432 -j ACCEPT
iptables -A INPUT -p tcp --dport 5433 -j ACCEPT
iptables -A INPUT -p tcp --dport 3389 -j ACCEPT
iptables -A INPUT -p tcp --dport 5901 -j ACCEPT
iptables -A INPUT -p tcp --dport 5000:5200 -j ACCEPT
iptables -A INPUT -p tcp --dport 8000:8050 -j ACCEPT
iptables -A INPUT -p tcp --dport 9666 -j REJECT
#iptables -A INPUT -p tcp --dport 10000 -j ACCEPT
#iptables -A INPUT -p tcp --dport 10060 -j ACCEPT
#iptables -A INPUT -p tcp --dport 10061 -j ACCEPT
#iptables -A INPUT -p udp --destination-port 3389 -j ACCEPT
## "-s 0.0.0.0/0" matches every source and can be omitted.
iptables -A INPUT -s 0.0.0.0/0 -p udp --dport 27015 -j ACCEPT
## Locally originated traffic by source port (same policy caveat as above:
## OUTPUT has no policy set in this script).
iptables -A OUTPUT -s 0.0.0.0/0 -p udp --sport 27012 -j ACCEPT
iptables -A OUTPUT -s 0.0.0.0/0 -p udp --sport 27010 -j ACCEPT
iptables -A OUTPUT -s 0.0.0.0/0 -p udp --sport 27005 -j ACCEPT
iptables -A OUTPUT -s 0.0.0.0/0 -p tcp --sport 7002 -j ACCEPT
iptables -A OUTPUT -s 0.0.0.0/0 -p tcp --sport 5273 -j ACCEPT
iptables -A OUTPUT -s 0.0.0.0/0 -p tcp --sport 27040 -j ACCEPT
iptables -A OUTPUT -s 0.0.0.0/0 -p tcp --sport 5432 -j ACCEPT
iptables -A OUTPUT -s 0.0.0.0/0 -p tcp --sport 5433 -j ACCEPT
iptables -A OUTPUT -s 0.0.0.0/0 -p tcp --sport 8001 -j ACCEPT
iptables -A OUTPUT -s 0.0.0.0/0 -p tcp --sport 5222 -j ACCEPT
#iptables -A OUTPUT -s 0.0.0.0/0 -p tcp --sport 10000 -j ACCEPT
#
## Allow port 554 (RTSP) and UOL radio for Windows Media Player and gxine 0.5.1:
## LAN -> anywhere on TCP 554, and UDP replies from source port 554 back to the LAN.
iptables -A FORWARD -s 192.168.0.0/24 -p tcp --dport 554 -j ACCEPT
iptables -A FORWARD -d 192.168.0.0/24 -p udp --sport 554 -j ACCEPT
#iptables -t nat -I PREROUTING -d app.radio.musica.uol.com.br -j ACCEPT
#iptables -t nat -I PREROUTING -d radio.musica.uol.com.br -j ACCEPT
#iptables -t nat -I PREROUTING -d firewarrior.serveftp.com -j ACCEPT
#
# Stop this host answering ping. NOTE(review): icmp_echo_ignore_all only
# silences echo replies from this box; the TTL-exceeded replies traceroute
# relies on are unaffected, and forwarded ICMP is governed by the rules below.
echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_all
# Rate limits / flag checks on forwarded traffic ("ping of death, trojans etc."
# in the original). Reminder: FORWARD has no policy set in this script, so the
# ACCEPTs here only matter if the policy is DROP elsewhere.
#
# Forwarded echo requests at most 1/s (default burst 5).
iptables -A FORWARD -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT
# NOTE(review): this accepts *any* forwarded TCP packet at 1/s regardless of
# state, ahead of the stateful rule; under a DROP policy it lets a trickle of
# unsolicited packets through — confirm it is wanted.
iptables -A FORWARD -p tcp -m limit --limit 1/s -j ACCEPT
# Replies and helper-related connections for sessions already tracked.
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
# Bare RST packets at most 1/s.
iptables -A FORWARD -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit 1/s -j ACCEPT
# Drop packets with exactly SYN+ACK set that were not matched as ESTABLISHED
# above, i.e. unsolicited SYN-ACKs.
iptables -A FORWARD --protocol tcp --tcp-flags ALL SYN,ACK -j DROP
# NOTE(review): the "unclean" match was an experimental 2.4-era module and is
# not available on newer kernels; expect this line to fail to load there.
iptables -A FORWARD -m unclean -j DROP
#}
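## Init-script dispatch.
## The firewall_start() wrapper around the rule set is commented out
## ("#firewall_start(){" ... "#}"), so the whole rule set above has ALREADY
## been applied, unconditionally, by the time this case runs — on "stop" and
## "status" as well as "start". "start" therefore has nothing left to do, and
## "stop" loads the rules and then flushes them.
## Fix in "restart": the original ended that branch with a second flush_rules,
## which wiped the rules the child "start" had just loaded and left the box
## with an empty rule set after every restart; that flush is gone.
## Messages use printf instead of "echo -n", whose -n handling is not
## portable under /bin/sh.
case "$1" in
start)
  printf 'Iniciando Firewall...'
  # Rules were loaded by the top-level code above.
  echo "Pronto"
  ;;
stop)
  printf 'Finalizando Firewall...'
  flush_rules
  echo "Firewall Parado"
  ;;
restart)
  printf 'Reiniciando Firewall...'
  # Re-invoke this same script rather than a hard-coded /etc/init.d/firewall:
  # the LSB header says "Provides: firewall.sh", and $0 is right whatever the
  # file is installed as.
  "$0" stop
  echo "Firewall Parado"
  "$0" start
  echo "Firewall Iniciado"
  echo "Pronto"
  ;;
status)
  echo "============================ Firewall rules:"
  iptables -L -n
  echo "============================ Masquerade tables:"
  iptables -t nat -L -n
  echo "============================ Mangle table:"
  iptables -t mangle -L -n
  ;;
*)
  echo Usar: "$0 { status | start | stop | restart }"
  ;;
esac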