Enviado em 20/02/2017 - 09:56h
Bom dia Pessoal.
#!/bin/bash
### BEGIN INIT INFO
# Provides: firewall.sh
# Required-Start: $local_fs $remote_fs $network $syslog
# Required-Stop: $local_fs $remote_fs $network $syslog
# Default-Start: 2 3 4 5
# Default-Stop: 0 1 6
# Short-Description: Start firewall.sh at boot time
# Description: Enable service provided by firewall.sh.
### END INIT INFO
# Path to the iptables binary used by every rule in this script.
IPTABLES=/sbin/iptables
# Kernel networking knobs, written straight to /proc/sys/net/ipv4:
#   ip_forward=1          route packets between interfaces (this box is a gateway)
#   conf/all/rp_filter=1  reverse-path filtering on every interface
#   tcp_ecn=0             do not negotiate TCP ECN
# A failed write is reported by the shell but does not stop the script
# (the script never sets -e).
for _knob in ip_forward=1 conf/all/rp_filter=1 tcp_ecn=0; do
  printf '%s\n' "${_knob#*=}" > "/proc/sys/net/ipv4/${_knob%=*}"
done
###### INTERFACE INTERNA
# LAN side of the gateway: interface, address, prefix length, network, broadcast.
IFI1=eth1
IPI1=192.168.0.1
NMI1=24
NWI1=192.168.0.0
BRDI1=192.168.0.255
###### INTERFACE EXTERNA
# External link 1. Every IFEn= assignment must stay at column 0 in exactly this
# form: the script counts lines matching ^IFE in its own file ($0) to decide how
# many external links exist. The multi-link section also reads RTEn (routing
# table id and rule priority), which is not defined anywhere in this script.
IFE1=eth0
IPE1=10.0.0.1
NME1=24
NWE1=10.255.255.255   # NOTE(review): looks like a broadcast-style value, not the /24 network of 10.0.0.1 (10.0.0.0) — confirm
BRDE1=255.255.255.0   # NOTE(review): this is a netmask; the broadcast of 10.0.0.1/24 would be 10.0.0.255 — confirm
GWE1=10.0.0.1         # NOTE(review): identical to IPE1, i.e. this box's own address, not an upstream gateway — confirm
# Start from a clean slate: flush rules (-F), delete user-defined chains (-X)
# and zero the counters (-Z) in the filter, nat and mangle tables. "filter" is
# iptables' default table, so "-t filter" is the same as giving no table.
for _table in filter nat mangle; do
  for _op in -F -X -Z; do
    "$IPTABLES" -t "$_table" "$_op"
  done
done
# Explicit flush of the three builtin filter chains. Already covered by the
# loop above; kept so the sequence of commands matches the original script.
for _chain in INPUT OUTPUT FORWARD; do
  "$IPTABLES" -F "$_chain"
done
# Netfilter modules loaded up front, in the original order. Several of these
# are the legacy (ipt_*/ip_conntrack*) names; on kernels that only ship the
# nf_* equivalents modprobe prints an error, which is harmless here because the
# script never sets -e. ipt_layer7 stays disabled, as in the original.
_modules=(
  ipt_MARK ipt_mark ipt_CONNMARK
  ip_tables iptable_nat ipt_conntrack
  ip_nat_ftp ip_conntrack_ftp
  # ipt_layer7   (layer7 match intentionally not loaded)
  ipt_LOG ipt_state iptable_filter
)
for _mod in "${_modules[@]}"; do
  /sbin/modprobe "$_mod"
done
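#################################################################################################################
# Multi-link detection: count the IFEn= definitions in this very file ($0).
# (That is why every IFEn= assignment must stay at column 0 in that exact form.)
# When more than one external link is defined, reset the main-table policy
# routing and bring up loopback and the LAN interface here; with a single link
# nothing below runs and interface setup is left to the system.
#################################################################################################################
_numlink=$(grep -c '^IFE' -- "$0")
_numlink=${_numlink:-0}   # grep prints nothing when $0 is not a readable file; treat as 0
# Routing table id of the multipath default route. The original only assigned
# it further down inside the multi-link loop, so the flush below ran with an
# empty table name; it is now set before its first use.
RT_M=222
if [ "$_numlink" -gt 1 ]; then
  ip rule del table main
  ip route flush table "$RT_M" 2>/dev/null
  ip route del default table main 2>/dev/null
  ip link set lo up
  ip addr add 127.0.0.1/8 brd + dev lo
  ip link set "$IFI1" up
  ip addr add "$IPI1/$NMI1" brd + dev "$IFI1"
  # Main table keeps priority 50, ahead of the per-link tables added later.
  ip rule add prio 50 table main
fi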
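#################################################################################################################
# Policy routing for multiple external links (only when more than one IFEn= is
# defined). For each link n: register its routing table RTEn in rt_tables,
# flush it, configure interface IFEn, add a rule for traffic sourced from NWEn
# and a default route via GWEn, then finish with a multipath default route over
# all links in table RT_M.
# Changes from the original:
#   - ${!name} indirection replaces the eval/echo construct;
#   - the multipath route is built as an argument array and executed directly.
#     The original wrote it to a predictable, world-writable /tmp/route.tmp
#     (chmod 777) and ran it with sh as root, so any local user could replace
#     its contents or pre-create the path as a symlink before the script ran;
#   - RT_M is assigned once, before use, instead of inside the loop;
#   - a warning is printed when RTEn is unset (this file defines no RTEn).
#################################################################################################################
RT_M=222
_numlink=$(grep -c '^IFE' -- "$0")
_numlink=${_numlink:-0}
if [ "$_numlink" -gt 1 ]; then
  for i in $(seq "$_numlink"); do
    # Per-link parameters: IFEn, IPEn, NWEn, NMEn, BRDEn, GWEn, RTEn.
    _n_if="IFE$i"; _n_ip="IPE$i"; _n_nw="NWE$i"; _n_nm="NME$i"
    _n_brd="BRDE$i"; _n_gw="GWE$i"; _n_rt="RTE$i"
    _IFEX=${!_n_if}; _IPEX=${!_n_ip}; _NWEX=${!_n_nw}; _NMEX=${!_n_nm}
    _BRDEX=${!_n_brd}; _GWEX=${!_n_gw}; _RTEX=${!_n_rt}
    # RTEn doubles as rule priority and rt_tables id; without it the
    # "ip rule add" / "ip route add" below are invalid.
    if [ -z "$_RTEX" ]; then
      printf 'firewall: RTE%s is not set; routing table for %s will be invalid\n' "$i" "$_IFEX" >&2
    fi
    # Register the per-link table and RT_M in rt_tables unless already present.
    if ! grep -q "^$_RTEX" /etc/iproute2/rt_tables 2>/dev/null; then
      printf '%s %s\n' "$_RTEX" "$_RTEX" >> /etc/iproute2/rt_tables
    fi
    if ! grep -q "^$RT_M" /etc/iproute2/rt_tables 2>/dev/null; then
      printf '%s %s\n' "$RT_M" "$RT_M" >> /etc/iproute2/rt_tables
    fi
    # Clear stale rules and routes of this link's table.
    ip rule del table "$_RTEX"
    ip route flush table "$_RTEX" 2>/dev/null
    # Interface address, source-based rule and default route via this link;
    # a lower-priority "prohibit" route keeps the table from falling through.
    ip link set "$_IFEX" up
    ip addr flush dev "$_IFEX"
    ip addr add "$_IPEX/$_NMEX" brd "$_BRDEX" dev "$_IFEX"
    ip rule add prio "$_RTEX" from "$_NWEX/$_NMEX" table "$_RTEX"
    ip route add default via "$_GWEX" dev "$_IFEX" src "$_IPEX" proto static table "$_RTEX"
    ip route append prohibit default table "$_RTEX" metric 1 proto static
  done
  # Multipath default route across all links, highest link number first
  # (the same nexthop order the original generated script produced).
  ip rule del table "$RT_M"
  ip rule add prio "$RT_M" table "$RT_M"
  _route=(ip route add default table "$RT_M" proto static)
  for ((i = _numlink; i > 0; i--)); do
    _n_gw="GWE$i"; _n_if="IFE$i"
    _route+=(nexthop via "${!_n_gw}" dev "${!_n_if}")
  done
  "${_route[@]}"
  ip route flush cache
fi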
# Default chain policies, all ACCEPT.
# NOTE(review): with INPUT and FORWARD at ACCEPT every ACCEPT rule that follows
# is redundant, and the LOG rule that closes the INPUT chain logs without
# blocking. The "## DROP" remark on FORWARD in the original suggests the
# intended end state is a DROP policy once the allow-lists are confirmed.
for _chain in INPUT FORWARD OUTPUT; do
  "$IPTABLES" -P "$_chain" ACCEPT
done
for _chain in PREROUTING POSTROUTING OUTPUT; do
  "$IPTABLES" -t nat -P "$_chain" ACCEPT
done
#########################################################################################################################
# Connection tracking: packets of established or related flows are accepted,
# invalid packets are dropped, on both INPUT and FORWARD.
#########################################################################################################################
for _chain in INPUT FORWARD; do
  for _proto in tcp udp; do
    "$IPTABLES" -A "$_chain" -p "$_proto" -m state --state ESTABLISHED,RELATED -j ACCEPT
  done
done
for _chain in INPUT FORWARD; do
  "$IPTABLES" -A "$_chain" -m state --state INVALID -j DROP
done
# ICMP, rate-limited to 10/s, in nat PREROUTING and in INPUT. Packets above the
# limit simply fall through to the remaining rules of the chain.
"$IPTABLES" -t nat -A PREROUTING -m limit --limit 10/s -p icmp --icmp-type any -j ACCEPT
"$IPTABLES" -A INPUT -m limit --limit 10/s -p icmp --icmp-type any -j ACCEPT
# SSH brute-force throttle: every new SYN to port 22 is recorded in the
# "sshattack" list; from the third SYN of the same source within 60 s on, the
# attempt is logged and answered with a TCP reset. The rules carry no -i, so
# LAN clients are throttled the same way as external ones.
_ssh_recent=(-p tcp --dport 22 --syn -m recent --name sshattack)
"$IPTABLES" -A INPUT -p tcp --syn --dport 22 -m recent --name sshattack --set
"$IPTABLES" -A INPUT "${_ssh_recent[@]}" --rcheck --seconds 60 --hitcount 3 -j LOG --log-prefix 'SSH REJECT: ' --log-level 7
"$IPTABLES" -A INPUT "${_ssh_recent[@]}" --rcheck --seconds 60 --hitcount 3 -j REJECT --reject-with tcp-reset
# Destinations that must bypass the transparent proxy (author's labels:
# 189.56.29.204 "Nossa Caixa", the 200.201.174.x addresses "Conectividade
# Social"): an ACCEPT in nat PREROUTING short-circuits the later REDIRECT to 8080.
for _direct in 189.56.29.204 200.201.174.207 200.201.174.200 200.201.174.204; do
  "$IPTABLES" -t nat -A PREROUTING -s "$NWI1/$NMI1" -p tcp -d "$_direct" -j ACCEPT
done
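#################################################################################################################
# Rules applied to each external link: MSS clamping on egress and source NAT
# of the LAN behind the link's address.
# Fix: the original loop only computed the per-link variables and then applied
# both rules once, after the loop, with the values of the last link; they are
# now emitted inside the loop so every external interface gets its own pair.
# Only IFEn and IPEn are needed here; ${!name} replaces the eval/echo indirection.
#################################################################################################################
for i in $(seq "$_numlink"); do
  _n_if="IFE$i"; _n_ip="IPE$i"
  _IFEX=${!_n_if}
  _IPEX=${!_n_ip}
  # Clamp the TCP MSS to the path MTU on packets leaving this link.
  "$IPTABLES" -t mangle -A POSTROUTING -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu -o "$_IFEX"
  # Rewrite the LAN's source address to this link's address.
  "$IPTABLES" -t nat -A POSTROUTING -o "$_IFEX" -s "$NWI1/$NMI1" -j SNAT --to "$_IPEX" #ADM
done
# Transparent proxy, independent of the link: LAN HTTP is redirected to
# DansGuardian on port 8080. The nat PREROUTING ACCEPTs for the no-proxy
# destinations were appended earlier and therefore match first.
"$IPTABLES" -t nat -A PREROUTING -s "$NWI1/$NMI1" -p tcp --dport 80 -j REDIRECT --to-port 8080 #PROXY TRANSP. #ADM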
###### LAN TO OUTSIDE (FORWARD) #######
# Outbound allow-list, one tcp and one udp rule per entry, in the original
# order. Fields: action (A = append, I = insert at the top of the chain),
# input interface ("-" = no -i, i.e. any interface), port, author's label.
# Notes: the "-" entries (3128, 3389) also match traffic arriving on the
# external link; the udp rules for tcp-only services (22, 25, 80, ...) are
# broader than those services need; and since the FORWARD policy is ACCEPT,
# this list only restricts anything once that policy becomes DROP.
_fwd_rules="
A $IFI1 20    active FTP
A $IFI1 21    FTP
I $IFI1 22    SSH
A $IFI1 25    SMTP between sites
A $IFI1 80    HTTP
A $IFI1 53    DNS
A $IFI1 110   POP between sites
A $IFI1 143   IMAP between sites
A $IFI1 443   HTTPS
A $IFI1 587   SMTP (Terra)
A $IFI1 1863  MSN between sites
A $IFI1 3074  MSN between sites
A -     3128  Squid proxy
A $IFI1 3306  -
A -     3389  Terminal Services
A $IFI1 3456  Receita Federal
A $IFI1 8017  Receita
A $IFI1 8080  DansGuardian proxy
A $IFI1 19056 -
"
while read -r _act _iface _port _label; do
  [ -n "$_act" ] || continue
  _ifarg=()
  [ "$_iface" = - ] || _ifarg=(-i "$_iface")
  for _proto in tcp udp; do
    "$IPTABLES" "-$_act" FORWARD "${_ifarg[@]}" -p "$_proto" --dport "$_port" -j ACCEPT
  done
done <<<"$_fwd_rules"
##### INPUT #####
# Traffic addressed to the gateway itself. Loopback and LAN broadcasts (Samba)
# first, then the port allow-list, then the few special-form rules.
# Fields of the list: input interface ("-" = no -i, any interface), port,
# author's label; each entry yields one tcp and one udp rule. Labels are kept
# as the author wrote them; a few (81 as SMTP, 19056 as MySQL, 28015/28016 as
# Samba) do not match the usual service on those ports — confirm.
# Notes: the "-" entries (80, 81, 443, 3128, 10001) accept from every
# interface, so Squid (3128) and Webmin (10001) are reachable from the external
# link as well as from the LAN. The INPUT policy is ACCEPT and the closing LOG
# rule is not followed by a DROP, so anything not listed is logged and then
# accepted anyway; the list only becomes enforced once the policy is DROP.
"$IPTABLES" -A INPUT -i lo -j ACCEPT
"$IPTABLES" -A INPUT -i "$IFI1" -m pkttype --pkt-type broadcast -j ACCEPT
_in_rules="
$IFI1 20    FTP
$IFI1 21    FTP
$IFI1 25    SMTP
$IFI1 53    internal DNS queries
-     80    -
-     81    HTTP
$IFI1 81    SMTP
$IFI1 110   POP
$IFI1 135   Samba, LAN access
$IFI1 137   Samba, LAN access
$IFI1 138   Samba, LAN access
$IFI1 139   Samba, LAN access
$IFI1 143   IMAP
-     443   HTTPS
$IFI1 445   Samba, LAN access
$IFI1 587   SMTP
-     3128  Squid proxy
$IFI1 3306  MySQL
$IFI1 8080  DansGuardian
-     10001 Webmin
$IFI1 19056 MySQL
$IFI1 28015 Samba, LAN access
$IFI1 28016 Samba, LAN access
"
while read -r _iface _port _label; do
  [ -n "$_iface" ] || continue
  _ifarg=()
  [ "$_iface" = - ] || _ifarg=(-i "$_iface")
  for _proto in tcp udp; do
    "$IPTABLES" -A INPUT "${_ifarg[@]}" -p "$_proto" --dport "$_port" -j ACCEPT
  done
done <<<"$_in_rules"
# ClamAV port range (tcp only), rate-limited ICMP type 3, and a log of
# whatever was not matched above.
"$IPTABLES" -A INPUT -i "$IFI1" -p tcp -m multiport --dports 3310:3325 -j ACCEPT
"$IPTABLES" -A INPUT -m limit --limit 5/s -p icmp --icmp-type 3 -j ACCEPT
"$IPTABLES" -A INPUT -j LOG --log-prefix 'DROP INPUT ' --log-level 7
SQUID.CONF
# Listen on loopback only: clients do not reach Squid directly, they are
# redirected to DansGuardian (port 8080), which forwards to 127.0.0.1:3128.
http_port 127.0.0.1:3128
# Never cache cgi-bin / query-string responses.
hierarchy_stoplist cgi-bin ?
acl QUERY urlpath_regex cgi-bin \?
cache deny QUERY
# Cache sizing: 512 MB in memory, 100 GB (102400 MB) on disk under
# /var/spool/squid3, objects up to 512 MB on disk and 128 KB in memory,
# LFUDA replacement policy.
cache_mem 512 MB
maximum_object_size 524288 KB
maximum_object_size_in_memory 128 KB
cache_dir ufs /var/spool/squid3 102400 16 256
cache_swap_low 80
cache_swap_high 95
cache_replacement_policy LFUDA
access_log /var/log/squid3/access.log squid
hosts_file /etc/hosts
half_closed_clients off
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern . 0 20% 4320
# ACL definitions.
# NOTE(review): "all", "manager", "localhost" and "to_localhost" are built in
# on Squid 3.1 and later, where redefining them is reported as a warning —
# confirm against the installed version (the paths suggest the squid3 package).
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/32
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443 # https
acl SSL_ports port 563 # snews
acl SSL_ports port 873 # rsync
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl Safe_ports port 631 # cups
acl Safe_ports port 873 # rsync
acl Safe_ports port 901 # SWAT
acl purge method PURGE
acl CONNECT method CONNECT
# Defined but not referenced by any http_access line below, so it has no effect.
acl connect_abertas maxconn 120
# Trust X-Forwarded-For from loopback (DansGuardian), presumably so the access
# log shows the original LAN client instead of 127.0.0.1 — verify.
follow_x_forwarded_for allow localhost
# Access policy, evaluated top to bottom, first match wins: cache manager and
# PURGE only from loopback, no unsafe ports, CONNECT only to the SSL ports,
# and only loopback may use the proxy at all; every other source is denied.
http_access allow manager localhost
http_access deny manager
http_access allow purge localhost
http_access deny purge
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost
http_access deny all
http_reply_access allow all
icp_access allow all
cache_effective_group proxy
coredump_dir /var/spool/squid3
DANSGUARDIAN.CONF
# DansGuardian listens on the LAN address, port 8080 (the target of the
# firewall's REDIRECT for LAN port-80 traffic) and forwards to Squid on
# loopback port 3128.
filterip = 192.168.0.1
filterport = 8080
proxyip = 127.0.0.1
proxyport = 3128