.Conf
» » » mc_firewall.sh
mc_firewall.sh
08/02/2010
Firewall simples para rede
Categoria:
Software: Iptables
[ Hits: 2562 ]
Arquivo simples, para iniciantes, usando firewall iptables.
# AUTOR MILTON CAETANO FILHO #
# http://www.scriptsadmin.com #
# e-mail contato@scriptsadmin.com #
#!/bin/bash
# Local para o executavel do IPTables
IPT="/sbin/iptables";
# Interface da rede INTERNA
IF_INTERNA="eth1";
# Interface da rede EXTERNA
#IF_EXTERNA="eth1:1";
# Definiç da rede interna
REDE_INTERNA="xxx.xxx.xxx.xxx/16"
fw_start()
{
#ativa o roteamento dinamico
echo 1 > /proc/sys/net/ipv4/ip_forward
echo 1 > /proc/sys/net/ipv4/ip_dynaddr
# ================ POLITICAS PADRAO ===================
$IPT -t filter -P INPUT DROP
$IPT -t filter -P FORWARD DROP
$IPT -t filter -P OUTPUT ACCEPT
$IPT -t nat -P PREROUTING ACCEPT
$IPT -t nat -P POSTROUTING ACCEPT
$IPT -t nat -P OUTPUT ACCEPT
$IPT -t mangle -P PREROUTING ACCEPT
$IPT -t mangle -P POSTROUTING ACCEPT
$IPT -t mangle -P OUTPUT ACCEPT
$IPT -t mangle -P INPUT ACCEPT
$IPT -t mangle -P FORWARD ACCEPT
# Cria chain com regras de seguranç $IPT -N BLOCK
$IPT -A BLOCK -p icmp --icmp-type echo-request -j DROP
$IPT -A BLOCK -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT
$IPT -A BLOCK -p tcp -m limit --limit 1/s -j ACCEPT
$IPT -A BLOCK -p tcp --tcp-flags SYN,ACK,FIN,RST SYN -m limit --limit 1/s -j ACCEPT
$IPT -A BLOCK -m unclean -j DROP
$IPT -A BLOCK -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPT -A BLOCK -j LOG --log-prefix "FW_ALERT: "
$IPT -A BLOCK -j DROP
# Muda a prioridade dos pacotes (Type Of Service) para agilizar as coisas
$IPT -t mangle -A OUTPUT -o $IF_EXTERNA -p tcp -m multiport --dports 21,22,80,443 -j TOS --set-tos 0x10
echo "MUDANDO A PRIORIDADE DOS PACOTES";
# Libera todo o trafego local
$IPT -t filter -A INPUT -i lo -j ACCEPT
$IPT -t filter -A INPUT -i $IF_INTERNA -j ACCEPT
$IPT -t filter -A FORWARD -i $IF_INTERNA -j ACCEPT
echo "LIBERANDO O TRAFEGO LOCAL"
# Libera sóP, SSH e WEEB
$IPT -t filter -A INPUT -i $IF_EXTERNA -p tcp -m multiport --dports 21,22,80,443 -j ACCEPT
echo "LIBERANDO PORTAS FTP SSH HTTP HTTPS";
# Libera a conexao para a rede interna
$IPT -t nat -A POSTROUTING -s $REDE_INTERNA -j MASQUERADE
echo "LIBERANDO CONEXAO PARA REDE INTERNA";
# Cria um NAT para o SSH de uma maquina da rede interna
# $IPT -t filter -A FORWARD -p tcp -d 0/0 --dport 2222 -j ACCEPT
# $IPT -t nat -A PREROUTING -p tcp -d 0/0 --dport 2222 -j DNAT --to 192.168.1.2:22
# Regras para evitar packet flood
$IPT -A INPUT -j BLOCK
$IPT -A FORWARD -j BLOCK
}
fw_stop()
{
$IPT -t filter -P INPUT ACCEPT
$IPT -t filter -P FORWARD ACCEPT
$IPT -t filter -P OUTPUT ACCEPT
$IPT -t nat -P PREROUTING ACCEPT
$IPT -t nat -P POSTROUTING ACCEPT
$IPT -t nat -P OUTPUT ACCEPT
$IPT -t mangle -P PREROUTING ACCEPT
$IPT -t mangle -P POSTROUTING ACCEPT
$IPT -t mangle -P OUTPUT ACCEPT
$IPT -t mangle -P INPUT ACCEPT
$IPT -t mangle -P FORWARD ACCEPT
$IPT -t filter -F
$IPT -t nat -F
$IPT -t mangle -F
$IPT -t filter -X
$IPT -t nat -X
$IPT -t mangle -X
$IPT -t filter -Z
$IPT -t nat -Z
$IPT -t mangle -Z
}
fw_usage()
{
echo
echo "$0 (start | stop | restart | clear)"
echo
echo "start - Ativa o firewall"
echo "stop - Desativa o firewall"
echo "restart - Reativa o firewall"
echo "clear - Limpa os contatores"
:wq}
fw_clear()
{
$IPT -t filter -Z
$IPT -t nat -Z
$IPT -t mangle -Z
}
case $1 in
start)
fw_start;
;;
stop)
fw_stop;
;;
restart)
fw_stop;
fw_start;
;;
clear)
fw_clear;
;;
*)
fw_usage;
exit;
;;
esac
|
Comentários
[1] Comentário enviado por
Cr4mmer em 20/02/2010:
ótima Contribução ...
Parabéns ! Gostei !
Indicar para um amigo
Escrever uma .conf