
Exemplo de Script

# cat /etc/init.d/firewall
firewall.sh
#!/bin/bash
#
### BEGIN INIT INFO
# Provides:          firewall
# Required-Start:    networking
# Required-Stop: 
# Should-Start:      S
# Should-Stop:       
# Default-Start:     2 3 4 5
# Default-Stop:
# Short-Description: Firewall 
# Description:       Firewall 
#                   
### END INIT INFO
 
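## Variables
# Binary and address constants shared by every rule function below.
# command -v (rather than which) resolves iptables through PATH; init scripts
# often run with a minimal PATH, so fall back to the conventional sbin location
# instead of leaving IPT empty, which would turn every rule into a broken
# command ("-P INPUT DROP" run as a program) and leave the host unfiltered.
IPT=$(command -v iptables) || IPT=/sbin/iptables
readonly IPT
readonly NET="0/0"               # any address
readonly PA="1024:65535"         # unprivileged (ephemeral) port range
readonly LO="127.0.0.1"          # loopback address
readonly FW="192.168.200.1"      # the firewall's LAN address
readonly AUDIT="192.168.200.5"   # audit / time-source host on the LAN
readonly DMZ="192.168.200.3"     # DMZ host that receives the DNAT port forwards
readonly WAN1="200.100.50.99"    # public address used for inbound services
readonly WAN2="10.0.3.50"        # second external address (outbound web/DNS client)
readonly REDE="192.168.200.0/24" # the internal LAN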
#----------------------------------------------------------------------- 
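modulos() {
  #### LOADING MODULES ####
  # Connection-tracking and NAT helpers for FTP (the FTP data channel is
  # negotiated in-band, so static port rules cannot follow it; pre_ftp()
  # relies on this).  Newer kernels ship these modules under the nf_* name,
  # older ones under ip_*.  Try the current name first, fall back to the
  # legacy one, and report on stderr when neither loads.
  local helper
  for helper in conntrack_ftp nat_ftp; do
    modprobe "nf_$helper" 2>/dev/null || modprobe "ip_$helper" 2>/dev/null \
      || printf 'modulos: could not load nf_%s or ip_%s\n' "$helper" "$helper" >&2
  done
}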
 
nega() {
  #### CLOSING THE FIREWALL ####
  # Default-deny on all three built-in chains of the filter table.  Called
  # first on "start", so from here on only traffic explicitly ACCEPTed by a
  # later function gets through.
  local chain
  for chain in INPUT OUTPUT FORWARD; do
    "$IPT" -P "$chain" DROP
  done
}
 
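limpa() {
  #### OPENING THE FIREWALL ####
  # Flush every rule in every table, delete user-defined chains, and reset the
  # built-in policies to ACCEPT.  A chain can only be deleted once it is empty
  # and unreferenced, so -F must run before -X (the old order, -X then -F,
  # fails as soon as a user chain holds a rule); nat and mangle get the same
  # treatment instead of only a flush.
  # NOTE: after this the host and the LAN behind it are completely unfiltered;
  # "stop" is a full open, not a fail-closed state.
  local table chain
  for table in filter nat mangle; do
    "$IPT" -t "$table" -F
    "$IPT" -t "$table" -X
  done
  for chain in INPUT OUTPUT FORWARD; do
    "$IPT" -P "$chain" ACCEPT
  done
}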
 
loop() {
  #### ALLOWING LOOPBACK ####
  # Only loopback traffic addressed to 127.0.0.1 is accepted; packets on lo
  # towards any other local address (e.g. $FW) still fall through to the
  # DROP policy set by nega().
  local chain iface_flag
  for chain in INPUT OUTPUT; do
    case $chain in
      INPUT) iface_flag=-i ;;
      *) iface_flag=-o ;;
    esac
    "$IPT" -A "$chain" "$iface_flag" lo -d "$LO" -j ACCEPT
  done
}
 
input() {
  #### STATEFUL MATCH FOR INPUT ####
  # Accept packets belonging to a connection already in the conntrack table,
  # but only when they arrive on eth0.  Traffic on eth1 (the masqueraded
  # uplink in nat()) or eth2 (pt_ntp_firewall) gets no stateful shortcut here,
  # which is why the pt_* functions spell out both directions explicitly.
  local -a match=(-i eth0 -m state --state ESTABLISHED,RELATED)
  "$IPT" -A INPUT "${match[@]}" -j ACCEPT
}
 
output() {
  #### STATEFUL MATCH FOR OUTPUT ####
  # Accept locally generated packets that belong to an existing connection,
  # but only when they leave through eth0; replies sent out via eth1/eth2 are
  # not covered and rely on the explicit OUTPUT rules in the pt_* functions.
  local -a match=(-o eth0 -m state --state ESTABLISHED,RELATED)
  "$IPT" -A OUTPUT "${match[@]}" -j ACCEPT
}
 
forward() {
  #### STATEFUL MATCH FOR FORWARD ####
  # Accept forwarded packets of an existing connection that arrive on eth0.
  # Return traffic from the uplink (eth1, see nat()) is not matched here;
  # it is admitted by nat()'s blanket NET -> REDE accept instead.
  local -a match=(-i eth0 -m state --state ESTABLISHED,RELATED)
  "$IPT" -A FORWARD "${match[@]}" -j ACCEPT
}
 
icmps() {
  ##### ALLOWING ICMP ####
  # Inbound: a rate-limited set of control/error types -- echo-reply (0),
  # destination-unreachable codes 3/0-3/4, source-quench (4), redirect (5),
  # time-exceeded (11) and parameter-problem (12) -- to each of the
  # firewall's own addresses.  Echo-request (8) is not in the list, so the
  # firewall does not answer pings.
  # NOTE(review): type 5 (redirect) is accepted from anywhere; whether the
  # kernel acts on it depends on net.ipv4.conf.*.accept_redirects -- confirm
  # that is 0 on this host, or drop 5 from the list.
  # Outbound: echo-request from each local address, so the firewall can ping.
  local t addr
  for t in 0 3/0 3/1 3/2 3/3 3/4 4 5 11 12; do
    for addr in "$FW" "$WAN1" "$WAN2"; do
      "$IPT" -A INPUT -p icmp -s "$NET" -d "$addr" --icmp-type "$t" \
        -m limit --limit 1/s -j ACCEPT
    done
  done
  for addr in "$FW" "$WAN1" "$WAN2"; do
    "$IPT" -A OUTPUT -p icmp --icmp-type 8 -s "$addr" -d "$NET" -j ACCEPT
  done
}
 
pt_web_firewall() {
  #### ALLOWING WEB CONNECTIONS FOR THE FIREWALL ####
  # Client side: WAN2 may open HTTP (80) to anywhere and receive the replies.
  # Server side: any source may reach the firewall's LAN address on 80 and
  # 8080.  Both directions are written out because input()/output() only
  # track state on eth0.
  local port
  "$IPT" -A INPUT  -p tcp -s "$NET"  --sport 80    -d "$WAN2" --dport "$PA" -j ACCEPT
  "$IPT" -A OUTPUT -p tcp -s "$WAN2" --sport "$PA" -d "$NET"  --dport 80    -j ACCEPT
  for port in 80 8080; do
    "$IPT" -A INPUT  -p tcp -s "$NET" --sport "$PA"   -d "$FW"  --dport "$port" -j ACCEPT
    "$IPT" -A OUTPUT -p tcp -s "$FW"  --sport "$port" -d "$NET" --dport "$PA"   -j ACCEPT
  done
}
 
pt_dns_firewall() {
  #### ALLOWING DNS ON THE FIREWALL ####
  # WAN2 and FW as resolver clients: queries out on UDP 53 from ephemeral
  # ports, answers back in, plus ICMP type 3 to WAN2 so an unreachable
  # server is reported instead of timing out.
  "$IPT" -A INPUT  -p udp  -s "$NET"  --sport 53    -d "$WAN2" --dport "$PA" -j ACCEPT
  "$IPT" -A INPUT  -p icmp --icmp-type 3 -s "$NET"  -d "$WAN2" -j ACCEPT
  "$IPT" -A OUTPUT -p udp  -s "$WAN2" --sport "$PA" -d "$NET"  --dport 53    -j ACCEPT
  "$IPT" -A OUTPUT -p udp  -s "$FW"   --sport "$PA" -d "$NET"  --dport 53    -j ACCEPT
  # FW querying the DMZ resolver directly ...
  "$IPT" -A INPUT  -p udp --sport 53    -s "$DMZ" -d "$FW"  --dport "$PA" -j ACCEPT
  "$IPT" -A OUTPUT -p udp --sport "$PA" -s "$FW"  -d "$DMZ" --dport 53    -j ACCEPT
  # ... and any client reaching the DMZ resolver through the firewall.
  # UDP only: TCP 53 (large answers, zone transfers) is not admitted here.
  "$IPT" -A FORWARD -p udp --sport 53    -s "$DMZ" -d "$NET" --dport "$PA" -j ACCEPT
  "$IPT" -A FORWARD -p udp --sport "$PA" -s "$NET" -d "$DMZ" --dport 53    -j ACCEPT
}
 
pt_ntp_firewall() {
  #### ALLOWING NTP ON THE FIREWALL ####
  # AUDIT is the time source.  The first pair is the symmetric 123<->123
  # exchange between FW and AUDIT, pinned to eth2.  The second pair admits
  # queries from ephemeral ports with a REDE source/destination, which on the
  # firewall's own INPUT/OUTPUT chains means its LAN address (FW is in REDE).
  local -r ntp_port=123
  "$IPT" -A INPUT  -i eth2 -p udp -s "$AUDIT" --sport "$ntp_port" -d "$FW"    --dport "$ntp_port" -j ACCEPT
  "$IPT" -A OUTPUT -o eth2 -p udp -s "$FW"    --sport "$ntp_port" -d "$AUDIT" --dport "$ntp_port" -j ACCEPT
  "$IPT" -A INPUT  -p udp --sport "$ntp_port" -s "$AUDIT" -d "$REDE"  --dport "$PA"       -j ACCEPT
  "$IPT" -A OUTPUT -p udp --sport "$PA"       -s "$REDE"  -d "$AUDIT" --dport "$ntp_port" -j ACCEPT
}
 
pt_ssh_firewall() {
  #### ALLOWING SSH ON THE FIREWALL ####
  # The SSH service is expected on port 51000 (not 22) on both the public
  # WAN1 address and the LAN address, reachable from any source.
  # NOTE(review): NEW connections to 51000 have no rate limit and no source
  # restriction; either is a cheap hardening step for an exposed admin port.
  local -r ssh_port=51000
  local addr
  for addr in "$WAN1" "$FW"; do
    "$IPT" -A INPUT  -p tcp -s "$NET"  --sport "$PA"       -d "$addr" --dport "$ssh_port" -j ACCEPT
    "$IPT" -A OUTPUT -p tcp -s "$addr" --sport "$ssh_port" -d "$NET"  --dport "$PA"       -j ACCEPT
  done
}
 
pt_proxy_firewall() {
  #### ALLOWING PROXY CONNECTIONS ON THE FIREWALL ####
  # The proxy listens on 3128 on the LAN address; clients from any source
  # may connect and receive replies.
  local -r proxy_port=3128
  "$IPT" -A INPUT  -p tcp -s "$NET" --sport "$PA"         -d "$FW"  --dport "$proxy_port" -j ACCEPT
  "$IPT" -A OUTPUT -p tcp -s "$FW"  --sport "$proxy_port" -d "$NET" --dport "$PA"         -j ACCEPT
}
 
pt_ldap_firewall() {
  #### ALLOWING LDAP ON THE FIREWALL ####
  # The firewall as a client of an LDAP server inside REDE: OUTPUT carries
  # the queries to port 389, INPUT the replies coming back from it.  Plain
  # LDAP only; 636 (LDAPS) is not covered.
  local -r ldap_port=389
  "$IPT" -A INPUT  -p tcp -s "$REDE" --sport "$ldap_port" -d "$NET"  --dport "$PA"        -j ACCEPT
  "$IPT" -A OUTPUT -p tcp -s "$NET"  --sport "$PA"        -d "$REDE" --dport "$ldap_port" -j ACCEPT
}
 
pt_mysql_firewall() {
  #### ALLOWING MYSQL ON THE FIREWALL ####
  # The firewall as a client of a MySQL server inside REDE: OUTPUT carries
  # the queries to port 3306, INPUT the replies coming back from it.
  local -r mysql_port=3306
  "$IPT" -A INPUT  -p tcp -s "$REDE" --sport "$mysql_port" -d "$NET"  --dport "$PA"         -j ACCEPT
  "$IPT" -A OUTPUT -p tcp -s "$NET"  --sport "$PA"         -d "$REDE" --dport "$mysql_port" -j ACCEPT
}
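flags_invalidas() {
  ##### ENABLING INVALID TCP FLAG CONTROL ####
  # Log and drop NEW connections carrying flag combinations no legitimate
  # handshake uses (SYN together with RST/FIN/PSH/URG, FIN with RST, and the
  # FIN,URG,PSH "xmas" set) when addressed to any of the firewall's own
  # addresses, whether delivered locally or forwarded.
  # The LOG rule is rate-limited (same 1/s the ICMP rules use) so a flood of
  # such packets cannot fill the log; the DROP itself is unconditional.
  # iptables stops at the first matching rule, so these only see packets not
  # already ACCEPTed above them: append them before the per-service pt_*
  # rules for the ports those rules open to be covered as well.
  local flags chain addr
  for flags in SYN,RST SYN,FIN SYN,PSH SYN,URG FIN,RST FIN,URG,PSH; do
    for chain in INPUT FORWARD; do
      for addr in "$FW" "$WAN1" "$WAN2"; do
        "$IPT" -A "$chain" -p tcp -d "$addr" -m state --state NEW \
          --tcp-flags "$flags" "$flags" -m limit --limit 1/s \
          -j LOG --log-prefix "FLAG_$flags"
        "$IPT" -A "$chain" -p tcp -d "$addr" -m state --state NEW \
          --tcp-flags "$flags" "$flags" -j DROP
      done
    done
  done
}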
 
nat() {
  #### SHARING THE INTERNET CONNECTION ####
  # Forward freely between the LAN and everywhere else, masquerading LAN
  # sources behind eth1's address on the way out.
  # NOTE(review): the second FORWARD rule accepts *any* packet headed for
  # REDE, not just replies (no --state match).  That is what lets the DNAT
  # targets set up by the pre_* functions through, but it equally admits
  # anything else that reaches this host with a LAN destination.  A stateful
  # rule plus explicit per-port accepts would be the tighter form.
  "$IPT" -A FORWARD -s "$REDE" -d "$NET"  -j ACCEPT
  "$IPT" -A FORWARD -s "$NET"  -d "$REDE" -j ACCEPT
  "$IPT" -t nat -A POSTROUTING -s "$REDE" -o eth1 -j MASQUERADE
}
 
pre_ssh() {
  #### SSH PORT FORWARDING TO INTERNAL MACHINES ####
  # Internal host 192.168.200.N is reached from outside via WAN1 port 5N000
  # (N = 2..5: .2 -> 52000, .3 -> 53000, .4 -> 54000, .5 -> 55000).  The DNAT
  # keeps the port number, so each internal host must itself listen on its
  # 5N000 port.  The OUTPUT/INPUT pair lets the firewall use the same ports
  # directly; the FORWARD pair carries the redirected traffic both ways.
  local n host port
  for n in 2 3 4 5; do
    host=192.168.200.$n
    port=5${n}000
    "$IPT" -A OUTPUT  -p tcp -s "$NET" --sport "$PA" -d "$host" --dport "$port" -j ACCEPT
    "$IPT" -A INPUT   -p tcp --sport "$port" -s "$host" -d "$NET" --dport "$PA" -j ACCEPT
    "$IPT" -A FORWARD -p tcp --sport "$port" -s "$host" -d "$NET" --dport "$PA" -j ACCEPT
    "$IPT" -A FORWARD -p tcp --sport "$PA" -s "$NET" -d "$host" --dport "$port" -j ACCEPT
    "$IPT" -t nat -A PREROUTING -p tcp --sport "$PA" -s "$NET" -d "$WAN1" --dport "$port" \
      -j DNAT --to-destination "$host:$port"
  done
}
 
pre_dns() {
  #### DNS PORT FORWARDING TO THE DMZ MACHINE ####
  # UDP 53 arriving on WAN1 from an ephemeral source port is DNATed to the
  # DMZ resolver on the same port; the FORWARD chain admits it through
  # nat()'s NET -> REDE accept.  TCP 53 is not redirected.
  local -r dns_port=53
  "$IPT" -t nat -A PREROUTING -p udp --sport "$PA" -s "$NET" -d "$WAN1" --dport "$dns_port" \
    -j DNAT --to-destination "$DMZ:$dns_port"
}
 
pre_web() {
  #### WEB PORT FORWARDING TO THE DMZ MACHINE ####
  # HTTP and HTTPS arriving on WAN1 from an ephemeral source port are DNATed
  # to the DMZ host on the same port; the FORWARD chain admits them through
  # nat()'s NET -> REDE accept.
  local port
  for port in 80 443; do
    "$IPT" -t nat -A PREROUTING -p tcp --sport "$PA" -s "$NET" -d "$WAN1" --dport "$port" \
      -j DNAT --to-destination "$DMZ:$port"
  done
}
 
pre_mail() {
  #### MAIL PORT FORWARDING TO THE DMZ MACHINE ####
  # SMTP (25), POP3 (110), IMAP (143), IMAPS (993) and POP3S (995) arriving
  # on WAN1 from an ephemeral source port are DNATed to the DMZ host on the
  # same port; the FORWARD chain admits them through nat()'s NET -> REDE
  # accept.
  local port
  for port in 25 110 143 993 995; do
    "$IPT" -t nat -A PREROUTING -p tcp --sport "$PA" -s "$NET" -d "$WAN1" --dport "$port" \
      -j DNAT --to-destination "$DMZ:$port"
  done
}
 
pre_ftp() {
  #### FTP PORT FORWARDING TO THE DMZ MACHINE ####
  # FTP control (21) and data (20) arriving on WAN1 from an ephemeral source
  # port are DNATed to the DMZ host on the same port.  Presumably the FTP
  # conntrack/NAT helpers loaded in modulos() are what handle the separately
  # negotiated data connections -- confirm on the running kernel.
  local port
  for port in 20 21; do
    "$IPT" -t nat -A PREROUTING -p tcp --sport "$PA" -s "$NET" -d "$WAN1" --dport "$port" \
      -j DNAT --to-destination "$DMZ:$port"
  done
}
#----------------------------------------------------------------------- 
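#######################################
# Dispatch on the init action.
# Arguments: $1 - start|stop|filter|nat|mangle|restart
# Returns:   status of the last command run for the action; 2 on an unknown
#            action, with the usage line printed to stderr instead of stdout.
#######################################
main() {
  case $1 in
    start)
      modulos
      nega
      loop
      input
      output
      forward
      # iptables stops at the first matching rule, so the invalid-flag
      # LOG/DROP rules have to be appended before any per-service ACCEPT
      # (pt_*) rule; appended afterwards they never see a packet for the
      # ports those rules open.
      flags_invalidas
      icmps
      pt_web_firewall
      pt_dns_firewall
      pt_ntp_firewall
      pt_ssh_firewall
      pt_proxy_firewall
      pt_ldap_firewall
      pt_mysql_firewall
      nat
      pre_ssh
      pre_dns
      pre_web
      pre_mail
      pre_ftp
      echo " ******* FIREWAL ATIVADO ******* "
      ;;
    stop)
      limpa
      echo " ******* FIREWALL DESATIVADO ******* "
      ;;
    filter)  "$IPT" -nL ;;
    nat)     "$IPT" -nL -t nat ;;
    mangle)  "$IPT" -nL -t mangle ;;
    restart)
      "$0" stop
      "$0" start
      ;;
    *)
      echo "erro use $0 {start|stop|filter|nat|mangle|restart}" >&2
      return 2
      ;;
  esac
}

main "$@"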