#!/bin/bash
#
### BEGIN INIT INFO
# Provides: firewall
# Required-Start: networking
# Required-Stop:
# Should-Start: S
# Should-Stop:
# Default-Start: 2 3 4 5
# Default-Stop:
# Short-Description: Firewall
# Description: Firewall
#
### END INIT INFO
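## Variables
# Global settings shared by every rule below.
#
# IPT is the iptables binary. `command -v` is the builtin, portable form of
# `which`. When nothing is found the bare name is kept instead of an empty
# string, so a missing binary fails as "iptables: command not found" rather
# than every rule line trying to execute "-A" / "-P" as a command.
IPT=$(command -v iptables)
if [[ -z "$IPT" ]]; then
  printf 'warning: iptables not found in PATH\n' >&2
  IPT=iptables
fi
NET="0/0"                 # "anywhere" (0.0.0.0/0)
PA="1024:65535"           # unprivileged port range, used as the client-side port in the rules
LO="127.0.0.1"            # loopback address accepted in loop()
FW="192.168.200.1"        # the firewall's own LAN address
AUDIT="192.168.200.5"     # audit/NTP host, reached over eth2 in pt_ntp_firewall
DMZ="192.168.200.3"       # DMZ host that receives the DNAT'd services (pre_dns/pre_web/pre_mail/pre_ftp)
WAN1="200.100.50.99"      # public address the port forwards are attached to
WAN2="10.0.3.50"          # second external address used for the firewall's own web/DNS client traffic
REDE="192.168.200.0/24"   # internal network that is masqueraded in nat()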
#-----------------------------------------------------------------------
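modulos() {
  #### LOADING MODULES ####
  # FTP connection-tracking and NAT helpers, presumably needed so the
  # DNAT of ports 20/21 to the DMZ (pre_ftp) can follow FTP data connections.
  # ip_conntrack_ftp / ip_nat_ftp are the legacy module names; newer kernels
  # ship them as nf_conntrack_ftp / nf_nat_ftp. The legacy name is tried
  # first and the modern one used as a fallback. Errors from the first
  # attempt are hidden because that failure is expected on modern kernels;
  # the fallback's errors are still shown.
  local modulo
  for modulo in conntrack_ftp nat_ftp; do
    modprobe "ip_${modulo}" 2>/dev/null || modprobe "nf_${modulo}"
  done
}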
nega() {
  #### CLOSING THE FIREWALL ####
  # Default policy DROP on the three built-in chains of the filter table:
  # anything not explicitly accepted by a later rule is discarded. OUTPUT is
  # dropped as well, so traffic originated by the firewall itself also needs
  # an explicit ACCEPT rule.
  local cadeia
  for cadeia in INPUT OUTPUT FORWARD; do
    "$IPT" -P "$cadeia" DROP
  done
}
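limpa() {
  #### OPENING THE FIREWALL ####
  # Flush all rules and delete user-defined chains in the filter, nat and
  # mangle tables, then reset the policies to ACCEPT.
  # -F runs before -X on purpose: iptables refuses to delete a user chain
  # that still holds rules, so the original "-X then -F" order could leave
  # user chains behind. nat and mangle now get the same -X as filter (the
  # original only flushed them).
  # After this function the host accepts everything: "stop" fails open.
  local tabela cadeia
  for tabela in filter nat mangle; do
    "$IPT" -t "$tabela" -F
    "$IPT" -t "$tabela" -X
  done
  for cadeia in INPUT OUTPUT FORWARD; do
    "$IPT" -P "$cadeia" ACCEPT
  done
}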
loop() {
  #### ALLOWING LOOPBACK ####
  # Traffic on the lo interface addressed to $LO (127.0.0.1) is accepted in
  # both directions. Other addresses of 127.0.0.0/8 are not matched here and
  # fall through to the DROP policy set by nega().
  local iface=lo
  "$IPT" -A INPUT -i "$iface" -d "$LO" -j ACCEPT
  "$IPT" -A OUTPUT -o "$iface" -d "$LO" -j ACCEPT
}
input() {
  #### KEEPING ESTABLISHED INPUT CONNECTIONS ####
  # Packets arriving on eth0 that belong to a tracked connection (or are
  # related to one) are accepted; this is the stateful counterpart of the
  # per-port rules below. It is bound to eth0 only, so replies arriving on
  # eth1 or eth2 have to match an explicit rule instead.
  local regra=(-A INPUT -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT)
  "$IPT" "${regra[@]}"
}
output() {
  #### KEEPING ESTABLISHED OUTPUT CONNECTIONS ####
  # Packets leaving on eth0 that belong to a tracked connection (or are
  # related to one) are accepted. Only eth0 is covered; outbound traffic on
  # eth1 or eth2 needs an explicit rule.
  local regra=(-A OUTPUT -o eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT)
  "$IPT" "${regra[@]}"
}
forward() {
  #### KEEPING ESTABLISHED FORWARD CONNECTIONS ####
  # Forwarded packets arriving on eth0 that belong to a tracked connection
  # are accepted. NOTE(review): nat() masquerades LAN traffic out of eth1,
  # so replies to that traffic arrive on eth1 and are not matched by this
  # eth0-only rule; they appear to rely on nat()'s stateless FORWARD ACCEPT
  # instead — confirm that is intended.
  local regra=(-A FORWARD -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT)
  "$IPT" "${regra[@]}"
}
icmps() {
  ##### ALLOWING ICMP ####
  # Inbound, rate-limited to 1/s per rule, for each of the firewall's three
  # addresses: echo-reply (0), the destination-unreachable codes 3/0..3/4,
  # source-quench (4), redirect (5), time-exceeded (11) and
  # parameter-problem (12). Echo-request (8) is not in the list, so none of
  # the addresses answers ping; only outbound echo-request is allowed.
  # NOTE(review): accepting redirect (5) from anywhere lets remote hosts
  # influence the local routing cache — worth confirming it is wanted.
  local tipo destino origem
  for tipo in 0 3/0 3/1 3/2 3/3 3/4 4 5 11 12; do
    for destino in "$FW" "$WAN1" "$WAN2"; do
      "$IPT" -A INPUT -p icmp -s "$NET" -d "$destino" --icmp-type "$tipo" -m limit --limit 1/s -j ACCEPT
    done
  done
  for origem in "$FW" "$WAN1" "$WAN2"; do
    "$IPT" -A OUTPUT -p icmp --icmp-type 8 -s "$origem" -d "$NET" -j ACCEPT
  done
}
pt_web_firewall() {
  #### ALLOWING WEB CONNECTIONS FOR THE FIREWALL ####
  # First pair: the firewall as a web client from $WAN2 (outbound to port 80
  # and the replies from port 80 back to a high port). Second part: web
  # services on the firewall's LAN address, ports 80 and 8080, reachable from
  # anywhere ($NET), plus their replies.
  # NOTE(review): the --sport/--dport $PA matches are not a security
  # boundary — a client chooses its own source port; the stateful rules in
  # input()/output() are what actually tie replies to connections.
  "$IPT" -A INPUT -p tcp -s "$NET" --sport 80 -d "$WAN2" --dport "$PA" -j ACCEPT
  "$IPT" -A OUTPUT -p tcp -s "$WAN2" --sport "$PA" -d "$NET" --dport 80 -j ACCEPT
  local porta
  for porta in 80 8080; do
    "$IPT" -A INPUT -p tcp -s "$NET" --sport "$PA" -d "$FW" --dport "$porta" -j ACCEPT
    "$IPT" -A OUTPUT -p tcp -s "$FW" --sport "$porta" -d "$NET" --dport "$PA" -j ACCEPT
  done
}
pt_dns_firewall() {
  #### ALLOWING DNS ON THE FIREWALL ####
  # UDP/53 client traffic from $WAN2 and $FW to any resolver, replies back
  # to $WAN2, the firewall <-> DMZ resolver path, and the anywhere <-> DMZ
  # resolver path through FORWARD.
  # NOTE(review): there is no INPUT rule for replies from $NET:53 to $FW;
  # presumably the ESTABLISHED rule in input() covers them — confirm.
  # The ICMP type 3 rule accepts destination-unreachable from anywhere to
  # $WAN2 with no rate limit, unlike icmps().
  "$IPT" -A INPUT -p udp -s "$NET" --sport 53 -d "$WAN2" --dport "$PA" -j ACCEPT
  "$IPT" -A INPUT -p icmp --icmp-type 3 -s "$NET" -d "$WAN2" -j ACCEPT
  local origem
  for origem in "$WAN2" "$FW"; do
    "$IPT" -A OUTPUT -p udp -s "$origem" --sport "$PA" -d "$NET" --dport 53 -j ACCEPT
  done
  # firewall -> DMZ resolver and back
  "$IPT" -A INPUT -p udp --sport 53 -s "$DMZ" -d "$FW" --dport "$PA" -j ACCEPT
  "$IPT" -A OUTPUT -p udp --sport "$PA" -s "$FW" -d "$DMZ" --dport 53 -j ACCEPT
  # anywhere -> DMZ resolver through the firewall and back
  "$IPT" -A FORWARD -p udp --sport 53 -s "$DMZ" -d "$NET" --dport "$PA" -j ACCEPT
  "$IPT" -A FORWARD -p udp --sport "$PA" -s "$NET" -d "$DMZ" --dport 53 -j ACCEPT
}
pt_ntp_firewall() {
  #### ALLOWING NTP ON THE FIREWALL ####
  # eth2 carries the NTP exchange between the firewall and the audit host,
  # port 123 on both sides. The last two rules let the audit host talk from
  # port 123 to high ports on the LAN range; being INPUT/OUTPUT rules they
  # only concern the firewall's own address inside $REDE, not forwarded traffic.
  local iface=eth2
  "$IPT" -A INPUT -i "$iface" -p udp -s "$AUDIT" --sport 123 -d "$FW" --dport 123 -j ACCEPT
  "$IPT" -A OUTPUT -o "$iface" -p udp -s "$FW" --sport 123 -d "$AUDIT" --dport 123 -j ACCEPT
  "$IPT" -A INPUT -p udp --sport 123 -s "$AUDIT" -d "$REDE" --dport "$PA" -j ACCEPT
  "$IPT" -A OUTPUT -p udp --sport "$PA" -s "$REDE" -d "$AUDIT" --dport 123 -j ACCEPT
}
pt_ssh_firewall() {
  #### ALLOWING SSH ON THE FIREWALL ####
  # SSH listens on 51000 (not 22) and is reachable from anywhere on both the
  # public address $WAN1 and the LAN address $FW; the matching reply rules
  # follow each INPUT rule. Moving the port does not restrict who may
  # connect — the source is still $NET.
  local porta=51000 endereco
  for endereco in "$WAN1" "$FW"; do
    "$IPT" -A INPUT -p tcp -s "$NET" --sport "$PA" -d "$endereco" --dport "$porta" -j ACCEPT
    "$IPT" -A OUTPUT -p tcp -s "$endereco" --sport "$porta" -d "$NET" --dport "$PA" -j ACCEPT
  done
}
pt_proxy_firewall() {
  #### ALLOWING PROXY ON THE FIREWALL ####
  # Proxy on port 3128 of the firewall's LAN address, accepted from any
  # source address ($NET) as long as the packet is addressed to $FW, plus
  # the replies. Nothing here limits clients to $REDE.
  local porta=3128
  "$IPT" -A INPUT -p tcp -s "$NET" --sport "$PA" -d "$FW" --dport "$porta" -j ACCEPT
  "$IPT" -A OUTPUT -p tcp -s "$FW" --sport "$porta" -d "$NET" --dport "$PA" -j ACCEPT
}
pt_ldap_firewall() {
  #### ALLOWING LDAP ON THE FIREWALL ####
  # The firewall as an LDAP client: outbound from a high port to port 389 of
  # any host in $REDE, and the replies from $REDE:389 back in. The OUTPUT
  # rule uses -s $NET, i.e. any local source address.
  local porta=389
  "$IPT" -A INPUT -p tcp -s "$REDE" --sport "$porta" -d "$NET" --dport "$PA" -j ACCEPT
  "$IPT" -A OUTPUT -p tcp -s "$NET" --sport "$PA" -d "$REDE" --dport "$porta" -j ACCEPT
}
pt_mysql_firewall() {
  #### ALLOWING MYSQL ON THE FIREWALL ####
  # The firewall as a MySQL client: outbound from a high port to port 3306
  # of any host in $REDE, and the replies from $REDE:3306 back in. Same
  # shape as pt_ldap_firewall with a different port.
  local porta=3306
  "$IPT" -A INPUT -p tcp -s "$REDE" --sport "$porta" -d "$NET" --dport "$PA" -j ACCEPT
  "$IPT" -A OUTPUT -p tcp -s "$NET" --sport "$PA" -d "$REDE" --dport "$porta" -j ACCEPT
}
flags_invalidas() {
  ##### ENABLING INVALID TCP FLAG CONTROL ####
  # For each flag combination the author treats as invalid, "--tcp-flags X X"
  # means "all of X set". NEW packets carrying such a combination and
  # addressed to any of the firewall's three addresses are logged with
  # prefix FLAG_<flags> and then dropped, in both INPUT and FORWARD.
  # NOTE(review): the LOG rule has no "-m limit", so a burst of such packets
  # writes one log line per packet; icmps() shows the rate-limited form.
  local flags cadeia destino
  for flags in SYN,RST SYN,FIN SYN,PSH SYN,URG FIN,RST FIN,URG,PSH; do
    for cadeia in INPUT FORWARD; do
      for destino in "$FW" "$WAN1" "$WAN2"; do
        "$IPT" -A "$cadeia" -p tcp -d "$destino" -m state --state NEW \
          --tcp-flags "$flags" "$flags" -j LOG --log-prefix "FLAG_${flags}"
        "$IPT" -A "$cadeia" -p tcp -d "$destino" -m state --state NEW \
          --tcp-flags "$flags" "$flags" -j DROP
      done
    done
  done
}
nat() {
  #### SHARING THE INTERNET CONNECTION ####
  # Forward between the LAN and anywhere in both directions, and masquerade
  # LAN traffic leaving through eth1.
  # NOTE(review): the second rule accepts every forwarded packet addressed
  # to the LAN, with no state match. It is what lets the DNAT'd traffic
  # reach the DMZ host (pre_dns/pre_web/pre_mail/pre_ftp), but it is broader
  # than those forwards need; narrowing it would require per-service
  # FORWARD rules like the ones pre_ssh already installs.
  local lan=$REDE
  "$IPT" -A FORWARD -s "$lan" -d "$NET" -j ACCEPT
  "$IPT" -A FORWARD -s "$NET" -d "$lan" -j ACCEPT
  "$IPT" -t nat -A POSTROUTING -s "$lan" -o eth1 -j MASQUERADE
}
pre_ssh() {
  #### SSH PORT FORWARDING TO INTERNAL MACHINES ####
  # Host 192.168.200.N is reachable from outside as $WAN1:5N000 (N = 2..5).
  # For each host: accept the firewall's own traffic to and from that port,
  # accept forwarded traffic in both directions, and DNAT $WAN1:5N000 to
  # 192.168.200.N:5N000. The nat PREROUTING step runs before the filter
  # FORWARD chain, so the FORWARD rules see the translated address.
  local n maquina porta
  for n in 2 3 4 5; do
    maquina="192.168.200.${n}"
    porta="5${n}000"
    "$IPT" -A OUTPUT -p tcp -s "$NET" --sport "$PA" -d "$maquina" --dport "$porta" -j ACCEPT
    "$IPT" -A INPUT -p tcp --sport "$porta" -s "$maquina" -d "$NET" --dport "$PA" -j ACCEPT
    "$IPT" -A FORWARD -p tcp --sport "$porta" -s "$maquina" -d "$NET" --dport "$PA" -j ACCEPT
    "$IPT" -A FORWARD -p tcp --sport "$PA" -s "$NET" -d "$maquina" --dport "$porta" -j ACCEPT
    "$IPT" -t nat -A PREROUTING -p tcp --sport "$PA" -s "$NET" -d "$WAN1" --dport "$porta" \
      -j DNAT --to-destination "${maquina}:${porta}"
  done
}
pre_dns() {
  #### DNS PORT FORWARDING TO THE DMZ MACHINE ####
  # UDP/53 arriving at $WAN1 is DNAT'd to the DMZ host. Only UDP is
  # forwarded; TCP/53 (used for large answers and zone transfers) is not.
  # Relies on nat()'s FORWARD ACCEPT to let the translated packets through.
  local porta=53
  "$IPT" -t nat -A PREROUTING -p udp --sport "$PA" -s "$NET" -d "$WAN1" --dport "$porta" \
    -j DNAT --to-destination "${DMZ}:${porta}"
}
pre_web() {
  #### WEB PORT FORWARDING TO THE DMZ MACHINE ####
  # TCP 80 and 443 arriving at $WAN1 are DNAT'd to the same port on the DMZ
  # host. Relies on nat()'s FORWARD ACCEPT to let the translated packets through.
  local porta
  for porta in 80 443; do
    "$IPT" -t nat -A PREROUTING -p tcp --sport "$PA" -s "$NET" -d "$WAN1" --dport "$porta" \
      -j DNAT --to-destination "${DMZ}:${porta}"
  done
}
pre_mail() {
  #### MAIL PORT FORWARDING TO THE DMZ MACHINE ####
  # SMTP (25), POP3 (110), IMAP (143), IMAPS (993) and POP3S (995) arriving
  # at $WAN1 are DNAT'd to the same port on the DMZ host. Relies on nat()'s
  # FORWARD ACCEPT to let the translated packets through.
  local porta
  for porta in 25 110 143 993 995; do
    "$IPT" -t nat -A PREROUTING -p tcp --sport "$PA" -s "$NET" -d "$WAN1" --dport "$porta" \
      -j DNAT --to-destination "${DMZ}:${porta}"
  done
}
pre_ftp() {
  #### FTP PORT FORWARDING TO THE DMZ MACHINE ####
  # TCP 20 and 21 arriving at $WAN1 are DNAT'd to the same port on the DMZ
  # host. Only the control/active-data ports are forwarded; passive-mode
  # data connections depend on the FTP helper modules loaded in modulos().
  # Relies on nat()'s FORWARD ACCEPT to let the translated packets through.
  local porta
  for porta in 20 21; do
    "$IPT" -t nat -A PREROUTING -p tcp --sport "$PA" -s "$NET" -d "$WAN1" --dport "$porta" \
      -j DNAT --to-destination "${DMZ}:${porta}"
  done
}
#-----------------------------------------------------------------------
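# Entry point: dispatches on the init action given as $1.
#   start   - load modules, set DROP policies and install every rule
#   stop    - flush everything and set ACCEPT policies (fails open)
#   filter / nat / mangle - list the rules of that table
#   restart - stop followed by start (policies are ACCEPT in between)
main() {
  case "$1" in
    start)
      modulos
      # Flush whatever is already loaded before adding rules: every rule
      # function uses -A (append), so two consecutive "start"s would
      # otherwise install each rule twice. limpa sets the policies to
      # ACCEPT for an instant; nega puts them back to DROP right after,
      # exactly as "restart" already did.
      limpa
      nega
      loop
      input
      output
      forward
      icmps
      pt_web_firewall
      pt_dns_firewall
      pt_ntp_firewall
      pt_ssh_firewall
      pt_proxy_firewall
      pt_ldap_firewall
      pt_mysql_firewall
      flags_invalidas
      nat
      pre_ssh
      pre_dns
      pre_web
      pre_mail
      pre_ftp
      echo " ******* FIREWAL ATIVADO ******* "
      ;;
    stop)
      # Leaves the host with no rules and ACCEPT policies.
      limpa
      echo " ******* FIREWALL DESATIVADO ******* "
      ;;
    filter) "$IPT" -nL ;;
    nat) "$IPT" -nL -t nat ;;
    mangle) "$IPT" -nL -t mangle ;;
    restart)
      "$0" stop
      "$0" start
      ;;
    *) echo "erro use $0 {start|stop|filter|nat|mangle|restart}" ;;
  esac
}
main "$@"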