#!/bin/sh
# Iptables Firewall by Rogerio Gonçalves - [email protected]
#
extnet=eth0
#intnet=eth1
IPT="/usr/sbin/iptables"
tcp="22,25,110,6969"
udp="53"
ipnet=`ifconfig eth0 | grep inet | cut -d : -f 2 | cut -d -f 1`
#iplan=`ifconfig eth1 | grep inet | cut -d : -f 2 | cut -d -f 1`
LOG_FLOOD="1/s"
#ftp module
/sbin/modprobe ip_nat_ftp
/sbin/modprobe ip_conntrack_ftp
# clear
$IPT -F INPUT
$IPT -F FORWARD
$IPT -F OUTPUT
$IPT -t nat -F PREROUTING
$IPT -t nat -F POSTROUTING
# drop
$IPT -P INPUT DROP
$IPT -P FORWARD DROP
# input
$IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPT -A INPUT -p tcp -d $ipnet --tcp-flags SYN,FIN SYN,FIN -j DROP
$IPT -A INPUT -i $extnet -m state --state NEW -p tcp -m multiport --dport $tcp -j ACCEPT
$IPT -A INPUT -i $extnet -m state --state NEW -p udp -m multiport --dport $udp -j ACCEPT
#$IPT -A INPUT -i $intnet -m state --state NEW -j ACCEPT
$IPT -A INPUT -i lo -j ACCEPT
#VPN
#$IPT -A INPUT -p udp --dport 5000 -j ACCEPT
#$IPT -A INPUT -p tcp --dport 5000 -j ACCEPT
# forward
# forward
#$IPT -A FORWARD -i $intnet -j ACCEPT
$IPT -A FORWARD -i $extnet -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPT -P OUTPUT ACCEPT
# nat
#$IPT -t nat -A POSTROUTING -s 192.168.0.0/24 -d ! 192.168.1.0/24 -o $extnet -j MASQUERADE
# protect
echo 1 > /proc/sys/net/ipv4/tcp_syncookies
$IPT -A FORWARD -p tcp --syn -m limit --limit 1/s -j ACCEPT
# syn
$IPT -A FORWARD -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit 1/s -j ACCEPT
# scans
$IPT -A FORWARD -p icmp --icmp-type echo-reply -m limit --limit 1/s -j RETURN
# ping of dead
for i in /proc/sys/net/ipv4/conf/*/rp_filter; do
# spoof ip
echo 1 >$i
done
echo "2048" > /proc/sys/net/ipv4/ip_conntrack_max
# log
#$IPT -A INPUT -p tcp --dport 21 -j LOG --log-prefix "Serviço: FTP"
#$IPT -A INPUT -p tcp --dport 22 -j LOG --log-prefix "Serviço: SSH"
#$IPT -A INPUT -p tcp --dport 110 -j LOG --log-prefix "Serviço: POP "
#$IPT -A INPUT -p tcp --dport 80 -j LOG --log-prefix "Serviço: HTTP "
#$IPT -A INPUT -p tcp --dport 25 -j LOG --log-prefix "Serviço: SMTP "
#$IPT -A INPUT -p tcp --dport 143 -j LOG --log-prefix "Serviço: IMAP"
$IPT -A INPUT -p icmp -m limit --limit $LOG_FLOOD -j LOG --log-level info --log-prefix "ICMP Dropped "
$IPT -A INPUT -p tcp -m limit --limit $LOG_FLOOD -j LOG --log-level info --log-prefix "TCP Dropped "
$IPT -A INPUT -p udp -m limit --limit $LOG_FLOOD -j LOG --log-level info --log-prefix "UDP Dropped "
$IPT -A INPUT -f -m limit --limit $LOG_FLOOD -j LOG --log-level warning --log-prefix "FRAGMENT Dropped "
$IPT -A INPUT -m limit --limit 1/minute --limit-burst 3 -j LOG --log-level DEBUG --log-prefix "IPT INPUT packet died: "
$IPT -A INPUT -m limit --limit 3/minute --limit-burst 3 -j LOG --log-level DEBUG --log-prefix "IPT INPUT packet died: "
#msn lan
#$IPT -I FORWARD -s 192.168.0.111/24 -p tcp --dport 1863 -j REJECT
#$IPT -I FORWARD -s 192.168.0.111/24 -d loginnet.passport.com -j REJECT
#$IPT -I FORWARD -s 192.168.0.111/24 -d webmessenger.msn.com -j REJECT
# dnat
#$IPT -t nat -A PREROUTING -i $extnet -p tcp --dport 25 -j DNAT --to 192.168.23.21
#$IPT -t nat -A PREROUTING -i $extnet -p tcp --dport 110 -j DNAT --to 192.168.23.223
#$IPT -t nat -A PREROUTING -i $intnet -p tcp --dport 80 -j REDIRECT --to-port 3128
#$IPT -t nat -A PREROUTING -i $extnet -p tcp --dport 3389 -j DNAT --to 192.168.23.134
#$IPT -t nat -I PREROUTING -i $extnet -p tcp --dport 1999 -j DNAT --to 192.168.23.56
echo "Inicializando firewall.."
$IPT -A INPUT -p icmp -m limit --limit $LOG_FLOOD -j LOG --log-level info --log-prefix "ICMP Dropped "
$IPT -A INPUT -p tcp -m limit --limit $LOG_FLOOD -j LOG --log-level info --log-prefix "TCP Dropped "
$IPT -A INPUT -p udp -m limit --limit $LOG_FLOOD -j LOG --log-level info --log-prefix "UDP Dropped "
$IPT -A INPUT -f -m limit --limit $LOG_FLOOD -j LOG --log-level warning --log-prefix "FRAGMENT Dropped "
$IPT -A INPUT -m limit --limit 1/minute --limit-burst 3 -j LOG --log-level DEBUG --log-prefix "IPT INPUT packet died: "
$IPT -A INPUT -m limit --limit 3/minute --limit-burst 3 -j LOG --log-level DEBUG --log-prefix "IPT INPUT packet died: "