#!/bin/bash

#Script de configuracao iptables
#	Cesar Henrique Kallas
#	cesarkallas at gmx dot net
#	http://cesarkallas.soulivre.org
# 11/2005

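# Abort on unset variables. iptables failures are checked per call via fw()
# so a typo cannot silently leave a half-applied ruleset behind.
set -u

# Both eth0 and eth1 are masqueraded and both receive the external SYN drop,
# so this script does not record which one is the LAN side. Kept as one list
# to preserve that behaviour.
# NOTE(review): if one of these is actually the LAN interface, remove it from
# EXT_IFACES and bind the LAN_NET rules below to it with -i; as written, a
# packet with a spoofed 10.x.x.x source arriving on the WAN link is treated
# as "internal".
readonly EXT_IFACES=(eth1 eth0)
readonly LAN_NET="10.0.0.0/8"        # same prefix as the original 10.0.0.1/255.0.0.0
readonly DNAT_SSH_HOST="10.0.0.1"    # target of the external 2222 -> 22 forward

# Run one iptables command and stop the script if it is rejected.
# Arguments: the iptables argument list.
fw() {
  iptables "$@" || { printf 'iptables %s failed\n' "$*" >&2; exit 1; }
}

if [ "$(id -u)" -ne 0 ]; then
  printf 'this script must run as root\n' >&2
  exit 1
fi

echo -e "\n\n		=== Inicializando Firewall === \n\n"

# Load NAT and conntrack helpers. The ip_* module names used when this script
# was written became nf_* in later kernels; try the current name first and fall
# back to the legacy one. Missing modules are non-fatal (they may be built in).
echo "Carregando modulos firewall	[ ok ]"
modprobe iptable_nat 2>/dev/null || true
for mod in conntrack conntrack_ftp nat_ftp; do
  modprobe "nf_${mod}" 2>/dev/null || modprobe "ip_${mod}" 2>/dev/null || true
done

# Flush everything from a previous run, then install default-deny policies.
# The original never set a policy and relied on the kernel default (ACCEPT)
# plus a SYN-only DROP at the end, which left every UDP port and any non-SYN
# TCP packet reachable from the outside. Setting DROP here, before the rules,
# means a failure further down leaves the box closed rather than open.
echo "Resetando regras anteriores	[ ok ]"
fw -t nat -F
fw -F
fw -X
fw -X -t nat
fw -Z
fw -P INPUT DROP
fw -P FORWARD DROP
fw -P OUTPUT ACCEPT

# Loopback, reply traffic for connections this host or the NAT already
# opened, and conntrack-INVALID packets (this replaces the obsolete
# "-m unclean" rule that was commented out in the original).
fw -A INPUT -i lo -j ACCEPT
fw -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
fw -A INPUT -m state --state INVALID -j DROP
fw -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
fw -A FORWARD -m state --state INVALID -j DROP

# Share the connection: masquerade on the external interfaces and let the
# internal network open new outbound connections through the box. Everything
# else crossing the box is dropped by the FORWARD policy.
echo "Compartilhando conexao		[ ok ]"
fw -t nat -A POSTROUTING -o lo -j ACCEPT
for ifc in "${EXT_IFACES[@]}"; do
  fw -t nat -A POSTROUTING -o "$ifc" -j MASQUERADE
done
fw -A FORWARD -s "$LAN_NET" -m state --state NEW -j ACCEPT
echo "1" > /proc/sys/net/ipv4/ip_forward

# Ping was implicitly allowed before (ACCEPT policy); keep it, rate-limited.
# To block ping entirely: echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_all
fw -A INPUT -p icmp --icmp-type echo-request -m limit --limit 5/s -j ACCEPT

# SSH brute-force limiter. This MUST come before the unconditional port-22
# accept below: iptables is first-match, and in the original the limiter was
# appended after "--dport 22 -j ACCEPT", so it never saw a packet.
# Allow at most three new SSH connections per minute from one source.
echo "Protecao contra brute-force 	[ ok ]"
fw -N REJECT-SSH
# Log is rate-limited so a flood cannot fill the log. The original put the
# DROP first with "--rcheck --hitcount 3", which always matches once the
# "--update --hitcount 4" rule has sent us here, so its LOG and REJECT lines
# were unreachable; log first, then drop.
fw -A REJECT-SSH -m limit --limit 3/min -j LOG --log-prefix SSH-Bruteforce:
fw -A REJECT-SSH -j DROP
fw -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --update --name SSH --seconds 60 --hitcount 4 -j REJECT-SSH
fw -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --set --name SSH

# TCP services reachable from anywhere. FTP is TCP-only, so the original
# udp/20 and udp/21 accepts matched nothing useful and were dropped.
# Previously present but disabled: 3306 110 8080 2222.
# NOTE(review): 3128 (proxy) is exposed to the world here; if it is a Squid
# instance for the LAN, move it to the LAN_NET list below.
echo "Abrindo portas de servicos	[ ok ]"
for port in 21 20 22 80 8001 443 4654 65000 3128 6346; do   # 4654: Skynet (Bruno)
  fw -A INPUT -p tcp --dport "$port" -m state --state NEW -j ACCEPT
done

# OUTPUT is ACCEPT by policy above; kept explicit for readers of the old script.
fw -A OUTPUT -j ACCEPT

echo "Bloquear acesso ao restante	[ ok ]"
# Services only reachable from the internal network. These per-port rules are
# subsumed by the catch-all below but kept so the list stays visible.
for port in 2049 111 703 713 721 5000 2222; do
  fw -A INPUT -p tcp --dport "$port" -s "$LAN_NET" -m state --state NEW -j ACCEPT
done

# Anything TCP from the internal network.
fw -A INPUT -p tcp --syn -s "$LAN_NET" -j ACCEPT

# Explicit SYN drop on the external interfaces (the INPUT policy already
# drops the rest; this keeps the old rule visible and the counters separate).
for ifc in "${EXT_IFACES[@]}"; do
  fw -A INPUT -p tcp -i "$ifc" --syn -j DROP
done

# External port 2222 is forwarded to the internal SSH host. DNAT happens in
# PREROUTING, before INPUT, so the INPUT accept for 2222 above only matters if
# this rule is removed. FORWARD is default-deny now, so the forwarded
# connection needs an explicit pass.
# NOTE(review): this path bypasses the REJECT-SSH limiter, which only guards
# port 22 on this host.
fw -t nat -A PREROUTING -p tcp --dport 2222 -j DNAT --to-destination "${DNAT_SSH_HOST}:22"
fw -A FORWARD -p tcp -d "$DNAT_SSH_HOST" --dport 22 -m state --state NEW -j ACCEPT

# Redirect to a local port (disabled in the original, left for reference):
#iptables -t nat -A PREROUTING -p tcp --dport 443 -j REDIRECT --to-port 22

echo -e "\n\n			=== Firewall OK === \n\n"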
