Firewall com proxy transparente completo

Publicado por Leonardo Berbert Gomes 21/11/2006


Homepage: https://www.linkedin.com/in/leoberbert





Bem pessoal, este foi o script de firewall mais eficaz que já fiz até hoje. Basta adaptá-lo com as suas placas de rede e ser feliz. Recomendo a todos.

  




#!/bin/bash
#
#########################################################################
#                                                                       #
# Função do Script: FIREWALL                                            #
# Versão: 1.0                                                           #
#                                                                       #
# By Leonardo B.G. - 2006 - leoberbert@gmail.com.br                     #
# Copyright (C) 2006 G.B., Leonardo                                     #
#                                                                       #
#########################################################################
#
# Interfaces: EXTERNAL is the upstream link (masquerade / DNAT side),
# INTERNAL is the LAN side (proxy redirect / forward source).
EXTERNAL='eth0'
INTERNAL='eth1'
# LAN address range whose traffic is masqueraded on EXTERNAL.
IP='10.11.110.0/24'
# LAN host that receives the VNC and PcAnywhere port forwards.
WIN='10.11.110.18'
# Terminal Server host for the RDP forward (that rule is commented out).
#TS=IP_DO_SERVIDOR_TS

#--- TCP destination ports that get TOS 16 in the mangle OUTPUT chain.
# Space-separated on purpose: the rule loop relies on word-splitting.
TOS_SERV='80 443'

#######################################
# Flush every rule in the filter, nat and mangle tables, then delete the
# user-defined chains and zero the packet counters of the filter table.
# Globals:   none
# Arguments: none
# Outputs:   nothing on stdout (iptables diagnostics on stderr, if any)
# Returns:   status of the final "iptables -Z"
# Note: chain policies (-P) are not touched, so whatever policy was in
# effect before the flush is still in effect afterwards.
#######################################
flush_rules()
{
  local table
  for table in filter nat mangle; do
    iptables -t "$table" -F
  done
  iptables -X
  iptables -Z
}

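#######################################
# Load the netfilter modules, enable forwarding and install every rule.
# Globals:   EXTERNAL, INTERNAL, IP, WIN, TOS_SERV (read)
# Arguments: none
# Outputs:   writes sysctls under /proc/sys/net/ipv4 and invokes modprobe
#            and iptables; their diagnostics go to stderr
# Returns:   the status of the last iptables command only -- no individual
#            command is checked, so one failed rule does not stop the rest
#
# NOTE(review): this script never sets a chain policy (iptables -P), so
# INPUT, FORWARD and OUTPUT keep whatever policy the kernel already has
# (ACCEPT unless something else changed it). Under an ACCEPT policy every
# ACCEPT rule below is redundant and only the explicit DROP rules block
# anything; read the "protection" sections with that in mind.
#######################################
add_rules()
{
  local port

  ###################### Enable routing and make the kernel ignore ICMP echo
  echo 1 > /proc/sys/net/ipv4/ip_forward
  echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
  echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_all

  ###################### Load the netfilter modules
  /sbin/modprobe iptable_nat
  /sbin/modprobe ip_tables
  /sbin/modprobe ipt_state
  /sbin/modprobe ip_conntrack
  /sbin/modprobe ip_conntrack_ftp
  /sbin/modprobe ipt_multiport
  /sbin/modprobe ip_nat_ftp
  /sbin/modprobe iptable_mangle
  /sbin/modprobe ipt_tos
  /sbin/modprobe ipt_limit

  ###################### Allow loopback
  iptables -A INPUT -i lo -j ACCEPT

  ###################### TOS 16 on outgoing http/https
  # The mangle OUTPUT chain only sees packets generated by this host;
  # traffic forwarded from the LAN never traverses it, so this marks the
  # firewall's own http/https rather than the network's (that would need
  # the FORWARD or POSTROUTING chain of the mangle table).
  for port in $TOS_SERV; do   # word-splitting of TOS_SERV is intended
    iptables -t mangle -A OUTPUT -o "$EXTERNAL" -p tcp --dport "$port" -j TOS --set-tos 16
  done

  ###################### Transparent proxy redirect
  # "! -d" is the extrapositioned negation; the original "-d !" form is
  # reported as deprecated by newer iptables releases. 200.201.174.0/24
  # bypasses the proxy (see the matching MASQUERADE for 200.201.174.207:80
  # further down).
  iptables -t nat -I PREROUTING -i "$INTERNAL" -p tcp ! -d 200.201.174.0/24 \
    --dport 80 -j REDIRECT --to-port 3128

  ###################### Masquerading
  # The generic rules stay commented out on purpose: only the destination
  # ports listed below are NATed, and that list is what effectively limits
  # which outbound services LAN hosts can use.
  #iptables -t nat -A POSTROUTING -s $IP -d 0/0 -j MASQUERADE
  #iptables -t nat -A POSTROUTING -s $IP -o $EXTERNAL -j MASQUERADE

  ###################### SSH to this host (disabled)
  #iptables -A INPUT -s 10.11.110.18 -p tcp --dport 22 -j ACCEPT
  #iptables -A INPUT -s 200.195.1.114 -p tcp --dport 22 -j ACCEPT
  #iptables -A INPUT -p tcp --dport 22 -j DROP

  ###################### Outlook (SMTP, POP3, DNS)
  # Every "-I" below inserts at position 1, so the chain ends up in the
  # reverse of the order written here.
  iptables -I POSTROUTING -j MASQUERADE -t nat -s "$IP" -p tcp --dport 25 -o "$EXTERNAL"
  iptables -I POSTROUTING -j MASQUERADE -t nat -s "$IP" -p tcp --dport 110 -o "$EXTERNAL"
  iptables -I POSTROUTING -j MASQUERADE -t nat -s "$IP" -p udp --dport 53 -o "$EXTERNAL"

  ###################### Keep the squid port closed on the external interface
  iptables -A INPUT -i "$EXTERNAL" -p tcp --dport 3128 -j DROP

  ###################### Allowed (masqueraded) destination ports
  # FTP
  iptables -I POSTROUTING -j MASQUERADE -t nat -s "$IP" -p tcp --dport 21 -o "$EXTERNAL"
  #
  # HTTPS
  iptables -I POSTROUTING -j MASQUERADE -t nat -s "$IP" -p tcp --dport 443 -o "$EXTERNAL"
  #
  # SIG/PROAF
  iptables -I POSTROUTING -j MASQUERADE -t nat -s "$IP" -p tcp --dport 6969 -o "$EXTERNAL"
  #
  # DCTF CMPF
  iptables -I POSTROUTING -j MASQUERADE -t nat -s "$IP" -p tcp --dport 8017 -o "$EXTERNAL"
  iptables -I POSTROUTING -j MASQUERADE -t nat -s "$IP" -p tcp --dport 3456 -o "$EXTERNAL"
  #
  # SSH
  iptables -I POSTROUTING -j MASQUERADE -t nat -s "$IP" -p tcp --dport 22 -o "$EXTERNAL"
  #
  # Banco Central
  iptables -I POSTROUTING -j MASQUERADE -t nat -s "$IP" -p tcp --dport 5024 -o "$EXTERNAL"
  iptables -I POSTROUTING -j MASQUERADE -t nat -s "$IP" -p tcp --dport 1024 -o "$EXTERNAL"
  #
  # VNC
  iptables -I POSTROUTING -j MASQUERADE -t nat -s "$IP" -p tcp --dport 5900 -o "$EXTERNAL"
  #
  # PcAnywhere
  iptables -I POSTROUTING -j MASQUERADE -t nat -s "$IP" -p tcp --dport 5631 -o "$EXTERNAL"
  iptables -I POSTROUTING -j MASQUERADE -t nat -s "$IP" -p udp --dport 5632 -o "$EXTERNAL"
  #
  # Intranets on port 8080
  iptables -I POSTROUTING -j MASQUERADE -t nat -s "$IP" -p tcp --dport 8080 -o "$EXTERNAL"
  #
  # Direct download (support)
  iptables -I POSTROUTING -j MASQUERADE -t nat -s "$IP" -p tcp --dport 8527 -o "$EXTERNAL"
  #
  # IDMG panel
  iptables -I POSTROUTING -j MASQUERADE -t nat -s "$IP" -p tcp --dport 19638 -o "$EXTERNAL"
  #
  # Terminal Server
  iptables -I POSTROUTING -j MASQUERADE -t nat -s "$IP" -p tcp --dport 3389 -o "$EXTERNAL"
  #
  # Conectividade Caixa Economica (plain http to one host, bypassing the proxy)
  iptables -I POSTROUTING -j MASQUERADE -t nat -s "$IP" -p tcp -d 200.201.174.207 --dport 80 -o "$EXTERNAL"
  #
  # cPanel
  iptables -I POSTROUTING -j MASQUERADE -t nat -s "$IP" -p tcp --dport 2082 -o "$EXTERNAL"

  ###################### Port forwards (DNAT) to the Windows host
  # VNC
  iptables -t nat -A PREROUTING -i "$EXTERNAL" -p tcp --dport 5900 -j DNAT --to "$WIN"
  #
  # PcAnywhere
  iptables -t nat -A PREROUTING -i "$EXTERNAL" -p tcp --dport 5631 -j DNAT --to "$WIN"
  iptables -t nat -A PREROUTING -i "$EXTERNAL" -p udp --dport 5632 -j DNAT --to "$WIN"
  #
  # Terminal Server (disabled; needs TS set at the top of the file)
  #iptables -t nat -A PREROUTING -i $EXTERNAL -p tcp --dport 3389 -j DNAT --to $TS

  ###################### Log forbidden ports and known backdoors
  # LOG is a non-terminating target: a logged packet keeps traversing the
  # chain, so without a following DROP it is still accepted under the
  # (unchanged) INPUT policy. The backdoor ports therefore get an explicit
  # DROP right after their LOG rule.
  # FTP port -- left log-only as in the original; add a DROP here once it is
  # confirmed that this host itself does not need to accept FTP.
  iptables -A INPUT -p tcp --dport 21 -j LOG --log-prefix "Servico: FTP"
  #
  # Wincrash port
  iptables -A INPUT -p tcp --dport 5042 -j LOG --log-prefix "Servico: Wincrash"
  iptables -A INPUT -p tcp --dport 5042 -j DROP
  #
  # BackOrifice ports
  iptables -A INPUT -p tcp --dport 31337 -j LOG --log-prefix "Servico: BackOrifice"
  iptables -A INPUT -p tcp --dport 31337 -j DROP
  iptables -A INPUT -p tcp --dport 31338 -j LOG --log-prefix "Servico: BackOrifice"
  iptables -A INPUT -p tcp --dport 31338 -j DROP
  #
  # Drop inbound traceroute probes (UDP 33435-33525) on the external interface
  iptables -A INPUT -p udp -s 0/0 -i "$EXTERNAL" --dport 33435:33525 -j DROP
  #
  # Precaution against NAT bugs: drop locally generated ICMP in INVALID state
  iptables -A OUTPUT -m state -p icmp --state INVALID -j DROP
  #
  # The original header said "block pings from outside", but this rule
  # ACCEPTs new ICMP arriving on the external interface. Echo requests are
  # already ignored by the icmp_echo_ignore_all sysctl set above, and under
  # an ACCEPT policy on INPUT the rule changes nothing; kept as-is to
  # preserve behaviour.
  iptables -A INPUT -i "$EXTERNAL" -m state --state NEW -p icmp -j ACCEPT

  ###################### Rate limits and flag checks on forwarded traffic
  # The original labels this as protection against port scans, ping of
  # death, DoS and SYN floods. Rule order matters here: the unconditional
  # "-p tcp -m limit" ACCEPT admits up to 1 TCP packet/s of any kind before
  # the state and flag checks run, and whatever exceeds the limits simply
  # falls through to the later FORWARD rules and the chain policy.
  iptables -A FORWARD -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT
  iptables -A FORWARD -p tcp -m limit --limit 1/s -j ACCEPT
  iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
  iptables -A FORWARD -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit 1/s -j ACCEPT
  iptables -A FORWARD --protocol tcp --tcp-flags ALL SYN,ACK -j DROP
  # NOTE(review): the "unclean" match was an experimental 2.4-era module that
  # appears to be absent from current kernels; there this command fails and
  # no rule is added. Confirm it is available before relying on it.
  iptables -A FORWARD -m unclean -j DROP
  #
  # Allow everything out from the LAN and established/related traffic back
  # in. The "only related ones in" intent holds only if FORWARD's policy is
  # DROP, which this script does not set.
  iptables -A FORWARD -i "$EXTERNAL" -o "$INTERNAL" -m state --state ESTABLISHED,RELATED -j ACCEPT
  iptables -A FORWARD -i "$INTERNAL" -o "$EXTERNAL" -j ACCEPT
}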

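#######################################
# Entry point: dispatch on the first argument.
# Arguments: $1 - one of start | stop | restart | status
# Outputs:   progress messages on stdout; rule listings for "status";
#            usage line on stderr for anything else
# Returns:   exits 1 on a missing or unknown argument (the original returned
#            0 and printed usage on stdout, which made a bad invocation
#            indistinguishable from a successful run for init scripts)
#######################################
main() {
  case "$1" in
    start)
      printf '%s' 'Starting Firewall...'
      add_rules
      printf '%s\n' 'Done'
      ;;
    stop)
      printf '%s' 'Stopping Firewall...'
      flush_rules
      printf '%s\n' 'Done'
      ;;
    restart)
      printf '%s' 'Restarting Firewall...'
      flush_rules
      add_rules
      printf '%s\n' 'Done'
      ;;
    status)
      printf '%s\n' '============================ Firewall rules:'
      iptables -L -n
      printf '%s\n' '============================ Masquerade tables:'
      iptables -t nat -L -n
      printf '%s\n' '============================ Mangle table:'
      iptables -t mangle -L -n
      ;;
    *)
      # Usage goes to stderr with a non-zero status so callers can tell a
      # bad invocation apart from a successful run.
      printf 'Usar: %s { status | start | stop | restart }\n' "$0" >&2
      exit 1
      ;;
  esac
}

main "$@"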
