Enviado em 20/02/2017 - 09:56h
Bom dia Pessoal.
#!/bin/bash
### BEGIN INIT INFO
# Provides: firewall.sh
# Required-Start: $local_fs $remote_fs $network $syslog
# Required-Stop: $local_fs $remote_fs $network $syslog
# Default-Start: 2 3 4 5
# Default-Stop: 0 1 6
# Short-Description: Start firewall.sh at boot time
# Description: Enable service provided by firewall.sh.
### END INIT INFO
# Path of the iptables binary used by every rule in this script.
IPTABLES=/sbin/iptables
# Kernel networking knobs, written straight into procfs (same values and
# same byte stream as the original "echo N > file" lines).
#   ip_forward=1  : let this host route between the internal and external interfaces
#   rp_filter=1   : strict reverse-path check on every interface
#   tcp_ecn=0     : do not negotiate ECN
# NOTE(review): strict rp_filter (1) is known to drop replies on multi-uplink
# setups where the return path differs from the inbound one; worth re-checking
# if a second IFEn link is ever configured below.
write_sysctl() {
  # $1 = path below /proc/sys, $2 = value to write
  printf '%s\n' "$2" > "/proc/sys/$1"
}
write_sysctl net/ipv4/ip_forward 1
write_sysctl net/ipv4/conf/all/rp_filter 1
write_sysctl net/ipv4/tcp_ecn 0
###### INTERNAL INTERFACE
# LAN side: interface, address, prefix length, network and broadcast.
IFI1=eth1
IPI1=192.168.0.1
NMI1=24
NWI1=192.168.0.0
BRDI1=192.168.0.255
###### EXTERNAL INTERFACE
# External (uplink) link 1. The routing code below discovers links by counting
# lines of this file that start with "IFE", so a second uplink is declared as
# IFE2/IPE2/NME2/NWE2/BRDE2/GWE2 (plus RTE2, see the note at the end).
IFE1=eth0
IPE1=10.0.0.1
NME1=24
# NOTE(review): for IPE1=10.0.0.1/24 the network would be 10.0.0.0 and the
# broadcast 10.0.0.255; the two values below look like a stray address and a
# netmask. They are only used by the multi-link branch ("ip rule add from
# $NWE1/$NME1", "ip addr add ... brd $BRDE1") — confirm before enabling it.
NWE1=10.255.255.255
BRDE1=255.255.255.0
# NOTE(review): GWE1 is the same address as IPE1 (the host itself); a default
# route "via" its own address is unusual — confirm the upstream gateway.
GWE1=10.0.0.1
# NOTE(review): RTE1 (per-link routing-table id / rule priority) is read by the
# routing block below but never defined anywhere on this page.
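# Start from a clean slate in every table this script touches: flush rules,
# delete user-defined chains and zero the counters. "-F" with no chain name
# already empties all builtin chains of a table, so the extra per-chain
# "-F INPUT/OUTPUT/FORWARD" of the original were redundant and are gone.
for table in filter nat mangle; do
  "$IPTABLES" -t "$table" -F
  "$IPTABLES" -t "$table" -X
  "$IPTABLES" -t "$table" -Z
done
# Netfilter modules used by the rules below (same list as before; several are
# legacy names and modern kernels autoload the xt_* equivalents on first use,
# so a "Module not found" here is not necessarily fatal — TODO confirm on the
# target kernel).
for mod in ipt_MARK ipt_mark ipt_CONNMARK ip_tables iptable_nat ipt_conntrack \
           ipt_LOG ipt_state iptable_filter; do
  /sbin/modprobe "$mod"
done
#/sbin/modprobe ipt_layer7
# The FTP connection-tracking helpers were renamed ip_*_ftp -> nf_*_ftp.
# Try the current name first (stderr silenced because a miss is expected on
# old kernels) and fall back to the legacy name so both generations work.
# These must load for the RELATED matches to cover the FTP data channel.
/sbin/modprobe nf_nat_ftp 2>/dev/null || /sbin/modprobe ip_nat_ftp
/sbin/modprobe nf_conntrack_ftp 2>/dev/null || /sbin/modprobe ip_conntrack_ftp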
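#################################################################################################################
# #
# COUNT THE EXTERNAL LINKS AND APPLY POLICY ROUTING FOR EACH OF THEM #
# #
#################################################################################################################
# Routing-table id of the multipath default route that spreads traffic over
# all uplinks. Defined up front: the original only set it inside the per-link
# loop, so the "ip route flush table $RT_M" below ran with an empty argument.
RT_M=222
# Number of external links = number of "IFEn=" assignments in this script.
# Counted once (the original computed it twice) and reused by the per-link
# NAT rules further down. Falls back to 0 if the script cannot read itself.
_numlink=$(grep -c '^IFE[0-9]*=' -- "$0") || _numlink=0
# Everything below only applies with two or more uplinks; with a single link
# the distribution's own network configuration is left untouched.
if [ "$_numlink" -gt 1 ]; then
  # --- reset the main table and bring up loopback and the LAN interface ---
  ip rule del table main
  ip route flush table "$RT_M" 2>/dev/null
  ip route del default table main 2>/dev/null
  ip link set lo up
  ip addr add 127.0.0.1/8 brd + dev lo
  ip link set "$IFI1" up
  ip addr add "$IPI1/$NMI1" brd + dev "$IFI1"
  ip rule add prio 50 table main
  # --- one routing table and one source-based rule per external link ---
  # Per-link variables (IFEn, IPEn, ...) are read by indirect expansion
  # ("${!name}") instead of the original eval/backtick construct.
  for ((i = 1; i <= _numlink; i++)); do
    name="IFE$i";  _IFEX=${!name}
    name="IPE$i";  _IPEX=${!name}
    name="NWE$i";  _NWEX=${!name}
    name="NME$i";  _NMEX=${!name}
    name="BRDE$i"; _BRDEX=${!name}
    name="GWE$i";  _GWEX=${!name}
    name="RTE$i";  _RTEX=${!name}
    # RTEn is both the table id and the rule priority. If it is unset the
    # original ran "grep ^" (matches every line) and "ip rule add prio" with
    # an empty value; report it and skip this link's table instead.
    if [ -z "$_RTEX" ]; then
      printf 'firewall.sh: RTE%s is not set, skipping policy routing for link %s\n' "$i" "$i" >&2
      continue
    fi
    # Register the table names once. rt_tables holds "id<ws>name" per line;
    # the trailing [[:space:]] keeps "222" from matching e.g. "2220".
    grep -q "^${_RTEX}[[:space:]]" /etc/iproute2/rt_tables || printf '%s %s\n' "$_RTEX" "$_RTEX" >> /etc/iproute2/rt_tables
    grep -q "^${RT_M}[[:space:]]" /etc/iproute2/rt_tables || printf '%s %s\n' "$RT_M" "$RT_M" >> /etc/iproute2/rt_tables
    # Drop stale rule and routes for this link before recreating them.
    ip rule del table "$_RTEX"
    ip route flush table "$_RTEX" 2>/dev/null
    # Address the interface; traffic sourced from its network leaves through
    # its own gateway, and the table refuses everything else (prohibit).
    ip link set "$_IFEX" up
    ip addr flush dev "$_IFEX"
    ip addr add "$_IPEX/$_NMEX" brd "$_BRDEX" dev "$_IFEX"
    ip rule add prio "$_RTEX" from "$_NWEX/$_NMEX" table "$_RTEX"
    ip route add default via "$_GWEX" dev "$_IFEX" src "$_IPEX" proto static table "$_RTEX"
    ip route append prohibit default table "$_RTEX" metric 1 proto static
  done #### END OF PER-LINK LOOP ####
  # --- multipath default route over all links, in table RT_M ---
  ip rule del table "$RT_M"
  ip rule add prio "$RT_M" table "$RT_M"
  # The nexthop list is assembled in an array and passed to ip directly.
  # The original wrote the command into /tmp/route.tmp (predictable name,
  # chmod 777) and then executed that file with "sh" as root, so any local
  # user could replace its contents between the write and the execution.
  # Link order (highest index first) is kept as before.
  nexthops=()
  for ((i = _numlink; i >= 1; i--)); do
    name="GWE$i"; gw=${!name}
    name="IFE$i"; dev=${!name}
    nexthops+=(nexthop via "$gw" dev "$dev")
  done
  ip route add default table "$RT_M" proto static "${nexthops[@]}"
  ip route flush cache
fi #### END OF MULTI-LINK BLOCK ####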
# Default policies for the filter and nat tables — every builtin chain stays
# at ACCEPT, exactly as before (FORWARD carried a "## DROP" marker in the
# original, reproduced here as a comment).
# NOTE(review): with ACCEPT policies and no terminating DROP rule anywhere in
# this script, the long ACCEPT lists further down do not restrict anything;
# they only decide which rule a packet is counted against. Before switching
# INPUT/FORWARD to DROP, confirm the allow-lists are complete — there is, for
# example, no INPUT ACCEPT for SSH from the LAN at all.
# FILTER TABLE
for chain in INPUT FORWARD OUTPUT; do
  "$IPTABLES" -P "$chain" ACCEPT   # FORWARD: original annotation "## DROP"
done
# NAT TABLE
for chain in PREROUTING POSTROUTING OUTPUT; do
  "$IPTABLES" -t nat -P "$chain" ACCEPT
done
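#########################################################################################################################
# #
# PACKET STATES #
# #
# Packets belonging to an established connection, or related to one, are accepted #
# Invalid packets are dropped #
# #
#########################################################################################################################
# The ESTABLISHED,RELATED rules are no longer restricted to "-p tcp"/"-p udp":
# ICMP errors for a tracked flow are RELATED, and the FTP helper marks the data
# channel RELATED regardless of protocol, so a protocol filter here only opens
# gaps once a DROP policy is in place. Under the current ACCEPT policies the
# change is not observable.
for chain in INPUT FORWARD; do
  "$IPTABLES" -A "$chain" -m state --state ESTABLISHED,RELATED -j ACCEPT
  "$IPTABLES" -A "$chain" -m state --state INVALID -j DROP
done
# ACCEPT ICMP (rate-limited). The nat-table rule only influences the NAT
# decision of a flow's first packet; it is kept as in the original.
"$IPTABLES" -t nat -A PREROUTING -m limit --limit 10/s -p icmp --icmp-type any -j ACCEPT
"$IPTABLES" -A INPUT -m limit --limit 10/s -p icmp --icmp-type any -j ACCEPT
# SSH BRUTE-FORCE RULE
# Every new SSH connection is recorded in the "sshattack" list; once a source
# has 3 or more SYNs within 60 s, further SYNs are logged and reset. The LOG
# rule is now rate-limited so a SYN flood cannot fill syslog; the REJECT is
# unchanged and still applies to every matching packet.
"$IPTABLES" -A INPUT -p tcp --syn --dport 22 -m recent --name sshattack --set
"$IPTABLES" -A INPUT -p tcp --dport 22 --syn -m recent --name sshattack --rcheck --seconds 60 --hitcount 3 \
  -m limit --limit 5/min -j LOG --log-prefix 'SSH REJECT: ' --log-level 7
"$IPTABLES" -A INPUT -p tcp --dport 22 --syn -m recent --name sshattack --rcheck --seconds 60 --hitcount 3 \
  -j REJECT --reject-with tcp-reset
# SITES THAT DO NOT WORK THROUGH THE PROXY
# An ACCEPT in nat PREROUTING ends NAT processing for the flow, so these
# destinations bypass the port-80 REDIRECT further down. They must stay ahead
# of that REDIRECT rule.
"$IPTABLES" -t nat -A PREROUTING -s "$NWI1/$NMI1" -p tcp -d 189.56.29.204 -j ACCEPT #NOSSA CAIXA
"$IPTABLES" -t nat -A PREROUTING -s "$NWI1/$NMI1" -p tcp -d 200.201.174.207 -j ACCEPT #CONECTIVIDADE SOCIAL
"$IPTABLES" -t nat -A PREROUTING -s "$NWI1/$NMI1" -p tcp -d 200.201.174.200 -j ACCEPT #CONECTIVIDADE SOCIAL
"$IPTABLES" -t nat -A PREROUTING -s "$NWI1/$NMI1" -p tcp -d 200.201.174.204 -j ACCEPT #CONECTIVIDADE SOCIAL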
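#################################################################################################################
# #
# I RULES APPLIED TO EACH EXTERNAL INTERFACE #
# REDIRECTS (VIRTUAL SERVER) #
# PREROUTING AND POSTROUTING #
# #
#################################################################################################################
# Per-uplink rules. In the original the loop only assigned the _*EX variables
# and the MSS clamp and SNAT after it therefore applied to the *last* link
# only; both rules now live inside the loop so every uplink gets them (with a
# single link the result is identical). Per-link variables are read by
# indirect expansion ("${!name}") rather than eval.
# NOTE(review): despite the header, no DNAT ("virtual server") rule exists on
# this page.
for ((i = 1; i <= _numlink; i++)); do
  name="IFE$i"; _IFEX=${!name}
  name="IPE$i"; _IPEX=${!name}
  # Clamp the TCP MSS to the path MTU on this uplink (needed when the link's
  # MTU is below 1500, e.g. PPPoE or tunnels).
  "$IPTABLES" -t mangle -A POSTROUTING -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu -o "$_IFEX"
  # Source-NAT the LAN to this link's own address.
  "$IPTABLES" -t nat -A POSTROUTING -o "$_IFEX" -s "$NWI1/$NMI1" -j SNAT --to "$_IPEX" #ADM
done
# Transparent proxy: LAN HTTP is redirected to DansGuardian on 8080, except for
# the destinations accepted in nat PREROUTING earlier in this script.
"$IPTABLES" -t nat -A PREROUTING -s "$NWI1/$NMI1" -p tcp --dport 80 -j REDIRECT --to-port 8080 #TRANSPARENT PROXY #ADM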
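###### LAN -> OUTSIDE #######
# Forwarding from the LAN interface, by destination port. One "proto port
# label" row per rule, reproducing the original list (the UDP rows for
# TCP-only services match nothing in practice but were present before).
# Changes from the original:
#  * the two SSH rules used "-I" and were inserted ahead of the INVALID drop;
#    they are appended like every other rule now, so INVALID packets to 22
#    are dropped as well;
#  * 3128 (Squid) and 3389 (Terminal Services) had no "-i $IFI1" and so also
#    allowed forwarding from an uplink towards the LAN; nothing on this host
#    DNATs those ports and squid.conf binds Squid to 127.0.0.1, so they are
#    LAN-only now.
# While the FORWARD policy is ACCEPT these rules do not restrict anything yet.
while read -r proto port _; do
  [ -n "$proto" ] || continue
  "$IPTABLES" -A FORWARD -i "$IFI1" -p "$proto" --dport "$port" -j ACCEPT
done <<'EOF'
tcp 20 FTP active
udp 20 FTP active
tcp 21 FTP
udp 21 FTP
tcp 22 SSH
udp 22 SSH
tcp 25 SMTP between networks
udp 25 SMTP between networks
tcp 80 HTTP
udp 80 HTTP
tcp 53 DNS
udp 53 DNS
tcp 110 POP between networks
udp 110 POP between networks
tcp 143 IMAP between networks
udp 143 IMAP between networks
tcp 443 HTTPS
udp 443 HTTPS
tcp 587 SMTP submission (Terra)
udp 587 SMTP submission (Terra)
tcp 1863 MSN between networks
udp 1863 MSN between networks
tcp 3074 MSN between networks
udp 3074 MSN between networks
tcp 3128 Squid proxy
udp 3128 Squid proxy
tcp 3306 MySQL
udp 3306 MySQL
tcp 3389 Terminal Services
udp 3389 Terminal Services
tcp 3456 Receita Federal
udp 3456 Receita Federal
tcp 8017 Receita
udp 8017 Receita
tcp 8080 DansGuardian proxy
udp 8080 DansGuardian proxy
tcp 19056 unlabelled in the original
udp 19056 unlabelled in the original
EOF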
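##### INPUT #####
# Traffic addressed to the firewall host itself.
"$IPTABLES" -A INPUT -i lo -j ACCEPT #LOOPBACK ALLOWED
"$IPTABLES" -A INPUT -i "$IFI1" -m pkttype --pkt-type broadcast -j ACCEPT #BROADCAST FOR SAMBA
# Services reachable from the LAN interface only ("proto port label" rows,
# same ports as the original; UDP rows for TCP-only daemons match nothing but
# were kept). Changes from the original:
#  * 3128 (Squid) and 10001 (Webmin) were open on every interface. Squid is
#    bound to 127.0.0.1 in squid.conf (already covered by the "lo" rule) and
#    an administration UI should not be reachable from the uplink, so both
#    are LAN-only now;
#  * the port-81 rows with "-i $IFI1" were dropped — the any-interface rows
#    below already cover the LAN.
# Labels are the original ones; 19056 was labelled MYSQL and 28015/28016
# SAMBA in the original, which looks like copy-paste — TODO confirm.
while read -r proto port _; do
  [ -n "$proto" ] || continue
  "$IPTABLES" -A INPUT -i "$IFI1" -p "$proto" --dport "$port" -j ACCEPT
done <<'EOF'
tcp 20 FTP
udp 20 FTP
tcp 21 FTP
udp 21 FTP
tcp 25 SMTP
udp 25 SMTP
tcp 53 internal DNS queries
udp 53 internal DNS queries
tcp 110 POP
udp 110 POP
tcp 135 Samba internal access
udp 135 Samba internal access
tcp 137 Samba internal access
udp 137 Samba internal access
tcp 138 Samba internal access
udp 138 Samba internal access
tcp 139 Samba internal access
udp 139 Samba internal access
tcp 143 IMAP
udp 143 IMAP
tcp 445 Samba internal access
udp 445 Samba internal access
tcp 587 SMTP
udp 587 SMTP
tcp 3128 Squid proxy
udp 3128 Squid proxy
tcp 3306 MySQL
udp 3306 MySQL
tcp 8080 DansGuardian
udp 8080 DansGuardian
tcp 10001 Webmin
udp 10001 Webmin
tcp 19056 labelled MYSQL in the original
udp 19056 labelled MYSQL in the original
tcp 28015 labelled SAMBA in the original
udp 28015 labelled SAMBA in the original
tcp 28016 labelled SAMBA in the original
udp 28016 labelled SAMBA in the original
EOF
"$IPTABLES" -A INPUT -i "$IFI1" -p tcp -m multiport --dports 3310:3325 -j ACCEPT #CLAMAV
# Services reachable on every interface, uplinks included.
# NOTE(review): this exposes 80/81/443 on the gateway to the Internet; keep
# only if the host really serves HTTP(S) externally.
for port in 80 81 443; do
  "$IPTABLES" -A INPUT -p tcp --dport "$port" -j ACCEPT
  "$IPTABLES" -A INPUT -p udp --dport "$port" -j ACCEPT
done
# ICMP destination-unreachable, rate-limited (path-MTU discovery needs it).
"$IPTABLES" -A INPUT -m limit --limit 5/s -p icmp --icmp-type 3 -j ACCEPT #ALLOW ICMP
# Log whatever did not match above. Now rate-limited: the original logged
# every such packet, which under the ACCEPT policy is most traffic and lets
# any remote host flood syslog at will.
# NOTE(review): there is no DROP after this rule and the INPUT policy is
# ACCEPT, so a packet logged as "DROP INPUT" is in fact still accepted.
"$IPTABLES" -A INPUT -m limit --limit 10/min --limit-burst 20 -j LOG --log-prefix 'DROP INPUT ' --log-level 7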
SQUID.CONF
# Listen on loopback only: clients reach Squid through DansGuardian
# (proxyip = 127.0.0.1 in its config below), never directly from the LAN.
http_port 127.0.0.1:3128
hierarchy_stoplist cgi-bin ?
acl QUERY urlpath_regex cgi-bin \?
# Never cache dynamic (cgi-bin / query-string) responses.
cache deny QUERY
cache_mem 512 MB
maximum_object_size 524288 KB
maximum_object_size_in_memory 128 KB
cache_dir ufs /var/spool/squid3 102400 16 256
cache_swap_low 80
cache_swap_high 95
cache_replacement_policy LFUDA
access_log /var/log/squid3/access.log squid
hosts_file /etc/hosts
half_closed_clients off
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern . 0 20% 4320
# Access-control lists. "all" matches every client address.
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/32
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443 # https
acl SSL_ports port 563 # snews
acl SSL_ports port 873 # rsync
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl Safe_ports port 631 # cups
acl Safe_ports port 873 # rsync
acl Safe_ports port 901 # SWAT
acl purge method PURGE
acl CONNECT method CONNECT
# NOTE(review): connect_abertas is defined but no http_access line in this
# listing references it, so the 120-connection cap is not enforced.
acl connect_abertas maxconn 120
# Trust X-Forwarded-For only from loopback, i.e. from DansGuardian, so Squid
# can see the original LAN client address rather than 127.0.0.1 — TODO confirm
# the exact effect on ACLs/logs for the Squid version in use.
follow_x_forwarded_for allow localhost
# Order matters: the first matching http_access line decides.
http_access allow manager localhost
http_access deny manager
http_access allow purge localhost
http_access deny purge
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
# Only loopback clients are allowed; every other source is denied.
http_access allow localhost
http_access deny all
http_reply_access allow all
# NOTE(review): ICP is accepted from any source. No icp_port appears in this
# listing, so this is presumably inert; tighten to localhost / deny all if one
# is ever enabled.
icp_access allow all
cache_effective_group proxy
coredump_dir /var/spool/squid3
DANSGUARDIAN.CONF
# DansGuardian listens on the LAN address only (same as IPI1 in the firewall
# script), so the port-8080 INPUT rule on the internal interface is its only
# entry point; the transparent-proxy REDIRECT sends LAN HTTP here.
filterip = 192.168.0.1
filterport = 8080
# Upstream proxy: Squid on loopback (matches "http_port 127.0.0.1:3128").
proxyip = 127.0.0.1
proxyport = 3128