Ok
Aí vai o meu script de firewall
#!/bin/bash
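# Path to the iptables binary. `command -v` replaces the original backtick
# `which`; the /sbin fallback covers init contexts whose PATH lacks /sbin,
# where `which` finds nothing and $IPTABLES would otherwise be empty (every
# rule line would then try to run "-F", "-A", ... as a command).
IPTABLES=$(command -v iptables 2>/dev/null || echo /sbin/iptables)
# -----------------------
# Interface names. PME/GVT duplicate LINK_PME/LINK_GVT below; both sets are
# kept so anything that sources this file keeps working. VPN is not used by
# any rule in this script.
PME="eth0"
GVT="eth1"
VPN="tun0"
# -----------------------
# Internal VLANs. The "x" octet is a placeholder left by the author; fill in
# before use (as written, VLAN_SOFT is not a valid CIDR).
VLAN_SOFT="10.1.x.0/24"
VLAN_TELEFONIA="10.10.2.0/26"
# -----------------------
# Upstream gateway of each link (placeholders; fill in the real addresses).
PME_GW="201.x.x.xx"
GVT_GW="200.xx.xx.xx"
# -----------------------
# Link 1 (PME), link 2 (GVT) and the internal LAN side.
LINK_PME="eth0"
LINK_GVT="eth1"
REDE_INT="eth3"
# -----------------------
# Public address on each link (placeholders), used as the source address of
# the per-link default routes and for the HTTP connection marking.
IP_PME="201.x.x.h"
IP_GVT="200.x.x.y"
# -----------------------
# Port lists. Not consumed by any rule in this script; kept for external
# users of these names. They are comma-separated, so a rule would need
# "-m multiport --dports" to consume them as written.
MAIL_PORT="22,25,80,110"
WWW_PORT="80,81,82,443,1533"
WWW_PORT0="8008,8080,8081,8082"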
# -----------------------
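#######################################
# Flush every table and delete all user chains.
# Shared by start and stop so both leave the kernel in the same empty state
# (the original stop skipped zeroing the mangle counters). Built-in chain
# policies are NOT touched here.
# Globals: IPTABLES (read)
#######################################
flush_rules() {
  "$IPTABLES" -F
  "$IPTABLES" -Z
  "$IPTABLES" -X
  "$IPTABLES" -F -t nat
  "$IPTABLES" -X -t nat
  "$IPTABLES" -F -t mangle
  "$IPTABLES" -X -t mangle
  "$IPTABLES" -Z -t mangle
}

#######################################
# Register the two policy-routing tables in rt_tables if missing.
# Must run before any "ip rule add ... table link1/link2": the original
# issued the prio-30 rule before this registration, which fails on a host
# where the tables were never defined.
#######################################
ensure_rt_tables() {
  grep -q '^250' /etc/iproute2/rt_tables || echo "250 link1" >> /etc/iproute2/rt_tables
  grep -q '^251' /etc/iproute2/rt_tables || echo "251 link2" >> /etc/iproute2/rt_tables
}

#######################################
# Load the full rule set: INPUT filtering with SSH brute-force throttling,
# VoIP TOS marking, per-link connection marking + policy routing, NAT and
# FORWARD/OUTPUT rules.
# Globals: IPTABLES, LINK_PME, LINK_GVT, REDE_INT, IP_PME, IP_GVT, PME_GW,
#          GVT_GW (read); HOSTNAME (read, for the banner)
# Outputs: progress banner on stdout
#######################################
fw_start() {
  local p net

  echo "|=====================================================|"
  echo "|:Script de Firewall - IPTABLES |"
  echo "|:Criado por: Eduardo Gomes |"
  echo "|:Técnico em Informática |"
  echo "|:[email protected] |"
  echo "|:Uso: /etc/init.d/firewall |"
  echo "|:$HOSTNAME:.............................ok:|"
  echo "|=====================================================|"

  echo "|:LIMPANDO AS REGRAS DO FIREWALL:..................ok:|"
  flush_rules
  # Policy and the stateful accept go in first: if a later line fails the
  # host stays closed, but the session running this script survives.
  "$IPTABLES" -P INPUT DROP
  # Loopback was not accepted in the original, so local clients of the
  # services below (e.g. anything talking to 127.0.0.1:3128) hit the final
  # REJECT. Accepting lo is the standard fix.
  "$IPTABLES" -A INPUT -i lo -j ACCEPT
  "$IPTABLES" -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

  echo "|:Create Reject-and-log-SSH-Bruteforce:............ok:|"
  "$IPTABLES" -N REJECT-SSH
  "$IPTABLES" -A REJECT-SSH -m recent --rcheck --name SSH --seconds 60 --hitcount 10 -j DROP
  # Every LOG rule is rate-limited: an unlimited LOG lets a flood of hits
  # fill syslog/disk, which is itself a way to degrade the firewall host.
  "$IPTABLES" -A REJECT-SSH -m limit --limit 5/min --limit-burst 10 -j LOG --log-prefix "SSH-Bruteforce:"
  "$IPTABLES" -A REJECT-SSH -p tcp -j REJECT --reject-with tcp-reset
  "$IPTABLES" -A REJECT-SSH -j REJECT

  echo "|:Blacklist SSH:...................................ok:|"
  # NOTE(review): the "ssh" and "blacklist" chains are built but no rule in
  # INPUT jumps to "ssh", so this pair is inert. Kept as in the original;
  # the commented allow-list line shows where trusted sources would go.
  "$IPTABLES" -N ssh
  "$IPTABLES" -N blacklist
  "$IPTABLES" -A blacklist -m recent --name blacklist --set
  "$IPTABLES" -A blacklist -m limit --limit 5/min --limit-burst 10 -j LOG --log-prefix 'SSH REJECTED: '
  "$IPTABLES" -A blacklist -j REJECT
  # ------------------------------------------------------------
  # echo "|:Inclua aqui teus ips para não sofrer o bloqueio:.ok:|"
  # "$IPTABLES" -A ssh -i "$LINK_GVT" -s 10.10.10.13/32 -p tcp --dport 22 -j ACCEPT
  # ------------------------------------------------------------
  "$IPTABLES" -A ssh -m recent --set --name couting1
  "$IPTABLES" -A ssh -m recent --update --name couting1 --seconds 20 --hitcount 3 -j blacklist
  "$IPTABLES" -A ssh -j ACCEPT

  echo "|:Kill SSH Brute-force attacks:....................ok:|"
  # 4 new SSH connections within 60 s from one source -> REJECT-SSH chain.
  "$IPTABLES" -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --update --name SSH --seconds 60 --hitcount 4 -j REJECT-SSH
  "$IPTABLES" -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --set --name SSH

  echo "|:Liberar as portas principais do servidor:........ok:|"
  # Same port set as the original, grouped by protocol; all are plain
  # ACCEPTs in one chain, so their relative order does not matter.
  for p in 22 25 53 80 1723 9998 10024 10025; do
    "$IPTABLES" -A INPUT -p tcp --dport "$p" -j ACCEPT
  done
  for p in 53 1571 5060 10000:20000; do
    "$IPTABLES" -A INPUT -p udp --dport "$p" -j ACCEPT
  done

  echo "|:REGRAS DE INPUT:.................................ok:|"
  # ICMP only from the internal networks; everything else ICMP is dropped.
  for net in 10.10.1.0/27 10.10.2.0/26 10.10.3.0/25 10.10.7.0/25 10.10.10.0/24 10.20.20.0/24; do
    "$IPTABLES" -A INPUT -p icmp -s "$net" -j ACCEPT
  done
  # Proxy (3128) reachable from two of the internal networks only.
  for net in 10.10.1.0/27 10.10.2.0/26; do
    "$IPTABLES" -A INPUT -p tcp --syn -s "$net" --dport 3128 -j ACCEPT
  done
  "$IPTABLES" -A INPUT -p icmp -j DROP
  "$IPTABLES" -A INPUT -m limit --limit 5/min --limit-burst 10 -j LOG --log-prefix "INPUT Barrado: "
  "$IPTABLES" -A INPUT -j REJECT

  echo "|:REGRAS DE PREROUTING E REDIRECIONAMENTO:.........ok:|"
  echo "|:..........************* QoS *************........ok:|"
  # VoIP signalling/media ports get TOS 16 (0x10, Minimize-Delay) both on
  # the way in (PREROUTING by dport) and on the way out (POSTROUTING by sport).
  for p in 1571 5060 5061 10000:20000; do
    "$IPTABLES" -t mangle -A POSTROUTING -p udp --sport "$p" -j TOS --set-tos 16
    "$IPTABLES" -t mangle -A PREROUTING -p udp --dport "$p" -j TOS --set-tos 16
  done
  # Disabled options kept from the original (HTB marks, DNAT to 10.10.2.4,
  # transparent proxy):
  # "$IPTABLES" -t mangle -A POSTROUTING -p udp --sport 10000:20000 -j MARK --set-mark 0x10
  # "$IPTABLES" -t mangle -A POSTROUTING -p udp --sport 5060 -j MARK --set-mark 0x10
  # "$IPTABLES" -t mangle -A PREROUTING -p udp --dport 10000:20000 -j MARK --set-mark 0x10
  # "$IPTABLES" -t mangle -A PREROUTING -p udp --dport 5060 -j MARK --set-mark 0x10
  # "$IPTABLES" -t nat -A PREROUTING -p tcp --dport 80 -i "$LINK_PME" -j DNAT --to 10.10.2.4
  # "$IPTABLES" -t nat -A PREROUTING -p tcp --dport 80 -i "$LINK_GVT" -j DNAT --to 10.10.2.4
  # "$IPTABLES" -t nat -A PREROUTING -p udp --dport 5060:5080 -i "$LINK_PME" -j DNAT --to 10.10.2.4
  # "$IPTABLES" -t nat -A PREROUTING -p udp --dport 5060:5080 -i "$LINK_GVT" -j DNAT --to 10.10.2.4
  # "$IPTABLES" -t nat -A PREROUTING -p udp --dport 10000:20000 -i "$LINK_PME" -j DNAT --to 10.10.2.4
  # "$IPTABLES" -t nat -A PREROUTING -p udp --dport 10000:20000 -i "$LINK_GVT" -j DNAT --to 10.10.2.4
  # "$IPTABLES" -t nat -A PREROUTING -p tcp -s "$VLAN_TELEFONIA" --dport 80 -j REDIRECT --to-port 3128
  # "$IPTABLES" -t nat -A PREROUTING -p tcp -s "$VLAN_SOFT" --dport 80 -j REDIRECT --to-port 3128

  # Connection marking: HTTP that arrived on a given link is marked 1 or 2
  # so replies leave through the same link (see the ip rules below).
  echo "|:Marcar pacotes para usar o Link 1:...............ok:|"
  "$IPTABLES" -t mangle -A PREROUTING -i "$LINK_PME" -p tcp --dport 80 -d "$IP_PME" -m conntrack --ctorigdst "$IP_PME" -m mark --mark 0 -j MARK --set-mark 1
  echo "|:Marcar pacotes para usar o Link 2:...............ok:|"
  "$IPTABLES" -t mangle -A PREROUTING -i "$LINK_GVT" -p tcp --dport 80 -d "$IP_GVT" -m conntrack --ctorigdst "$IP_GVT" -m mark --mark 0 -j MARK --set-mark 2
  "$IPTABLES" -t mangle -A PREROUTING -i "$LINK_PME" -j CONNMARK --save-mark
  "$IPTABLES" -t mangle -A PREROUTING -i "$LINK_GVT" -j CONNMARK --save-mark
  "$IPTABLES" -t mangle -A PREROUTING -i "$REDE_INT" -p tcp -m state --state ESTABLISHED,RELATED -j CONNMARK --restore-mark
  echo "|:................................:...........ok:|"

  echo "|:Configurando as tabelas de cada Link:............ok:|"
  ensure_rt_tables
  echo "|:Flush nas tabelas:...............................ok:|"
  ip route flush table link1
  ip route flush table link2
  # NOTE(review): the original carries, commented out, "ip route del default"
  # and "ip rule add prio 10 table main". Without a main-table rule ahead of
  # the prio-30 catch-all, link1's default route answers every lookup that
  # the local table does not, including destinations on the internal
  # networks; this looks like a leftover of the intended design (main at
  # prio 10 with its default route removed). Confirm on the host before
  # relying on the routing below.
  # ip route del default
  # ip rule add prio 10 table main
  echo "|:Falo quem é o gateway da tabela link1:...........ok:|"
  ip route add default proto static via "$PME_GW" src "$IP_PME" table link1
  echo "|:Falo quem é o gateway da tabela link2:...........ok:|"
  ip route add default proto static via "$GVT_GW" src "$IP_GVT" table link2
  # Policy rules are deleted before being re-added: the original only ever
  # added them, so every restart left one more duplicate in "ip rule".
  echo "|:Pacotes http que entraram pela tabela link1:.....ok:|"
  ip rule del prio 19 fwmark 1 from 10.10.2.4 table link1 2>/dev/null || true
  ip rule add prio 19 fwmark 1 from 10.10.2.4 table link1
  echo "|:Pacotes http que entraram pela tabela link2:.....ok:|"
  ip rule del prio 20 fwmark 2 from 10.10.2.4 table link2 2>/dev/null || true
  ip rule add prio 20 fwmark 2 from 10.10.2.4 table link2
  # Catch-all: unmarked traffic leaves via link1. Issued only now that the
  # table is registered (the original ran it before ensure_rt_tables' work).
  ip rule del prio 30 table link1 2>/dev/null || true
  ip rule add prio 30 table link1
  ip route flush cache

  echo "|:ATIVA O MASCARAMENTO DE SAÍDA:...................ok:|"
  "$IPTABLES" -t nat -A POSTROUTING -o "$LINK_PME" -j MASQUERADE
  "$IPTABLES" -t nat -A POSTROUTING -o "$LINK_GVT" -j MASQUERADE
  echo "|:ATIVAR O REDIRECIONAMENTO NO ARQUIVO IP_FORWARD:.ok:|"
  echo 1 > /proc/sys/net/ipv4/ip_forward
  echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts

  echo "|:REGRAS DE FORWARD:...............................ok:|"
  "$IPTABLES" -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
  "$IPTABLES" -A FORWARD -p tcp ! --syn -m state --state NEW -j DROP
  "$IPTABLES" -A FORWARD -m state --state INVALID -j DROP
  echo "|:IPS COM PRIVILEGIOS ESPECIAIS:...................ok:|"
  "$IPTABLES" -A FORWARD -s 10.10.2.4/32 -j ACCEPT
  "$IPTABLES" -A FORWARD -s 10.10.2.5/32 -j ACCEPT
  echo "|:Liberar portas de saída:.........................ok:|"
  # The original paired each of these with a "--sport 1024:65535" twin; the
  # twin matches a strict subset of the first rule, so it is dropped.
  for p in 21 22 25 80 443; do
    "$IPTABLES" -A FORWARD -p tcp --dport "$p" -j ACCEPT
  done
  for p in 53 5060; do
    "$IPTABLES" -A FORWARD -p udp --dport "$p" -j ACCEPT
  done
  # NOTE(review): with the FORWARD policy left at ACCEPT, the allow list
  # above changes nothing; only the two commented lines would make it
  # enforce. Left as the original had it, as that is a policy decision.
  # "$IPTABLES" -A FORWARD -m limit --limit 5/min --limit-burst 10 -j LOG --log-prefix "FORWARD Barrado: "
  # "$IPTABLES" -A FORWARD -j REJECT
  "$IPTABLES" -P FORWARD ACCEPT

  echo "|:REGRAS DE OUTPUT:................................ok:|"
  "$IPTABLES" -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
  echo "|:..........************* QoS *************........ok:|"
  # The original appended this same set of four OUTPUT TOS rules twice.
  for p in 1571 5060 5061 10000:20000; do
    "$IPTABLES" -t mangle -A OUTPUT -p udp --dport "$p" -j TOS --set-tos 16
  done
  "$IPTABLES" -P OUTPUT ACCEPT
}

#######################################
# Remove all rules and open INPUT/FORWARD (OUTPUT is already ACCEPT).
# The ip rules / routing tables are left in place, as in the original.
# Globals: IPTABLES (read)
#######################################
fw_stop() {
  flush_rules
  "$IPTABLES" -P INPUT ACCEPT
  "$IPTABLES" -P FORWARD ACCEPT
}

# Entry point: dispatch on the init-style action.
# "${1:-}" keeps a missing argument from being an error and sends it to usage.
case "${1:-}" in
  start)
    fw_start
    ;;
  stop)
    fw_stop
    ;;
  stats)
    "$IPTABLES" -nL
    ;;
  restart)
    # In-process instead of re-executing $0 twice.
    fw_stop
    fw_start
    ;;
  nat)
    "$IPTABLES" -L -v -t nat -n
    ;;
  mangle)
    "$IPTABLES" -t mangle -L
    ;;
  *)
    # Usage goes to stderr and exits non-zero (the original exited 0).
    echo "Usage: $0 [start|stop|stats|restart|nat|mangle]" >&2
    exit 1
    ;;
esac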