#!/bin/bash
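# Expose WAN TCP port $1 and deliver it to the internal host $2 ("ip:port").
# Arguments: $1 - TCP port as seen on eth0, $2 - "ip:port" of the LAN host
# Only packets arriving on eth0 are translated; the original DNAT rules had no
# interface match, so a LAN client hitting the router's own address on one of
# these ports was translated as well.
forward_tcp() {
  local wan_port=$1 target=$2
  local lan_ip=${target%:*} lan_port=${target##*:}
  iptables -t nat -A PREROUTING -i eth0 -p tcp --dport "$wan_port" \
    -j DNAT --to-destination "$target"
  # FORWARD sees the packet after DNAT, so match the translated ip/port.  The
  # old ACCEPT rules matched "-i eth1" (the LAN side), which inbound WAN
  # traffic never enters on; they only "worked" because FORWARD's policy was
  # left at ACCEPT.
  iptables -A FORWARD -i eth0 -d "$lan_ip" -p tcp --dport "$lan_port" \
    -m state --state NEW -j ACCEPT
}

# Load the complete rule set from scratch (used by "start" and "restart").
# Interfaces: eth0 = external/WAN (masqueraded), eth1 = LAN 192.168.1.0/24
# (the transparent-proxy REDIRECT below only makes sense on the LAN side).
# Side effects: rewrites the filter and nat tables, sets chain policies and
# several /proc/sys/net/ipv4 sysctls, prints progress messages to stdout.
firewall_start(){
## >> Default deny first, then a clean slate << ##################################
# The original never set a policy and its "final rule" only dropped TCP SYNs,
# so UDP above 1024, ICMP and any non-TCP protocol reached the router.  It
# also never flushed, so running "start" twice stacked duplicate rules.
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
iptables -F
iptables -X
iptables -t nat -F
iptables -t nat -X
#
## >> Kernel hardening << #######################################################
# rp_filter: conf/default only seeds interfaces created later; conf/all is
# what reaches the already-up eth0/eth1 (the old script wrote default twice).
# tcp_syncookies: SYN-flood mitigation.  icmp_echo_ignore_broadcasts: smurf.
for knob in conf/all/rp_filter conf/default/rp_filter \
            tcp_syncookies icmp_echo_ignore_broadcasts; do
  echo 1 > "/proc/sys/net/ipv4/$knob"
done
# Uncomment to ignore every echo-request (pings are rate-limited below instead):
#echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_all
#
## >> INPUT: traffic addressed to the router itself << ###########################
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m state --state INVALID -j DROP
# Replies to connections the router itself opened (DNS, updates, squid fetches).
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# The whole LAN may talk to the router (squid on 3128 via the REDIRECT, etc.).
# "-i eth1" is new: without it a packet on eth0 spoofing a 192.168.1.x source
# was accepted outright.
iptables -A INPUT -i eth1 -s 192.168.1.0/24 -j ACCEPT
# SSH on 52591 from anywhere, as before.  NOTE(review): consider adding
# "-s <admin ip>"; nothing else limits who may reach sshd.  (The old OUTPUT
# rule for this port was a no-op: OUTPUT's policy is ACCEPT and it matched
# --dport, not --sport.)
iptables -A INPUT -p tcp --dport 52591 -m state --state NEW -j ACCEPT
# Keep answering pings as the old rules effectively did, but bounded.
iptables -A INPUT -p icmp --icmp-type echo-request -m limit --limit 5/s -j ACCEPT
# Explicit drops kept to document intent; the DROP policy already covers them.
iptables -A INPUT -p udp --dport 33435:33525 -j DROP   # traceroute probes
iptables -A INPUT -p udp --dport 1:1024 -j DROP        # was ACCEPT under a "close" comment
iptables -A INPUT -p udp --dport 59229 -j DROP
# NOTE(review): if eth0 gets its address from a DHCP client that relies on a
# normal UDP socket, add: iptables -A INPUT -i eth0 -p udp --sport 67 --dport 68 -j ACCEPT
#
## >> FORWARD: traffic routed between eth1 and eth0 << ###########################
iptables -A FORWARD -m state --state INVALID -j DROP
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
## >> Bloqueando acesso ao MSN << (must precede the LAN->WAN accept) ############
iptables -A FORWARD -s 192.168.1.0/24 -p tcp --dport 1863 -j REJECT
# The hostname is resolved ONCE, when the rule is loaded: if DNS is down at
# boot the command fails, the rule is missing and MSN login is not blocked.
iptables -A FORWARD -s 192.168.1.0/24 -d loginnet.passport.com -j REJECT
# LAN out to the Internet.
iptables -A FORWARD -i eth1 -s 192.168.1.0/24 -o eth0 -j ACCEPT
#
## >> NAT: masquerade eth0, transparent proxy on the LAN side << #################
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 80 -j REDIRECT --to-port 3128
## >> Liberando ip's da caixa economica << #######################################
# ACCEPT in nat/PREROUTING skips the REDIRECT above, i.e. these destinations
# bypass the proxy.  NOTE(review): the 255.255.0.0 masks exempt all of
# 200.223.0.0/16 and 200.201.0.0/16, not just the two hosts written here;
# confirm whether /32 was intended.
iptables -t nat -I PREROUTING -d 200.223.17.180/255.255.0.0 -j ACCEPT
iptables -t nat -I PREROUTING -d 200.201.173.168/255.255.0.0 -j ACCEPT
#
## >> Port forwards: WAN port -> internal host << ################################
# NOTE(review): every service below (mostly VNC) is reachable from the whole
# Internet with no source restriction.  Prefer reaching them through the SSH
# port above, or add "-s <allowed ip>" to the rules in forward_tcp.
## Redirecionando Windows Terminal Service (disabled)
# forward_tcp 3389 192.168.1.189:3389
## Redirecionando Prosoft pra micro Server
forward_tcp 1434 192.168.1.189:1434
## Redirecionando VNC
forward_tcp 54001 192.168.1.1:54001       # Note Mary Elze
forward_tcp 54002 192.168.1.2:54002       # Diretoria2
forward_tcp 54003 192.168.1.3:54003       # Diretoria3
forward_tcp 54005 192.168.1.5:54005       # Secretaria
forward_tcp 54006 192.168.1.6:54006       # Financeiro1
forward_tcp 54007 192.168.1.7:54007       # Financeiro2
forward_tcp 54008 192.168.1.8:54008       # Financeiro3
forward_tcp 54009 192.168.1.9:54009       # Contabilidade1
forward_tcp 54010 192.168.1.10:54010      # Contabilidade2
forward_tcp 54012 192.168.1.12:54012      # Recursos Humanos
forward_tcp 54016 192.168.1.16:54016      # Expedicao1
forward_tcp 54017 192.168.1.17:54017      # Expedicao2
forward_tcp 54019 192.168.1.19:54019      # (unlabelled in the original)
forward_tcp 54020 192.168.1.20:54020      # Beneficiamento
forward_tcp 54022 192.168.1.22:54022      # PCP Confeccao
forward_tcp 54181 192.168.1.181:54181     # Camera1
forward_tcp 54188 192.168.1.188:54188     # Servidor
forward_tcp 54000 192.168.1.189:54000     # Server
## Redirecionando Terminal para porta 54189 do SERVER
forward_tcp 54189 192.168.1.189:54189
#
## >> Ativando o compartilhamento da internet (last, once the rules are in) << ##
echo 1 > /proc/sys/net/ipv4/ip_forward
#
echo "* O Firewall esta sendo carregado..."
sleep 1
echo "* Tudo pronto!"
sleep 1
}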
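# Tear the firewall down: flush the filter AND nat tables, remove user chains
# and reopen everything (policy ACCEPT).  ip_forward is left as it was; with
# the MASQUERADE rule gone the LAN loses Internet access regardless.
firewall_stop(){
  # The original only flushed the filter table: MASQUERADE, REDIRECT and the
  # DNAT rules live in nat, survived a "stop", and were appended again on
  # every "restart".
  iptables -F
  iptables -X
  iptables -t nat -F
  iptables -t nat -X
  iptables -P INPUT ACCEPT
  iptables -P FORWARD ACCEPT
  iptables -P OUTPUT ACCEPT
}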
# Entry point: start | stop | restart.  Any other (or missing) argument just
# lists the rules currently loaded.
case "${1:-}" in
  start)
    firewall_start
    ;;
  stop)
    firewall_stop
    echo "O Firewall esta sendo desativado"
    sleep 2
    echo "ok."
    ;;
  restart)
    echo "O Firewall esta sendo desativado"
    sleep 1
    echo "ok."
    firewall_stop
    firewall_start
    ;;
  *)
    iptables -L -n
    ;;
esac