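#!/bin/sh
# Developed and maintained by DebOpen with help from the debian-user list
# e-mail: debopen@gmail.com
#
# Gateway firewall for a box with a LAN interface (eth+) and an Internet
# interface (ppp+): masquerades the LAN, lets LAN hosts out on a fixed
# list of ports, accepts SSH on the gateway itself and forwards inbound
# SSH to one LAN host.
#
# Must run as root. INPUT and FORWARD policies are DROP, so when a rule
# fails to load the script aborts (set -e) with the box closed rather
# than half-open.
set -eu

# Path to the executable. Assigned BEFORE first use: the original script
# referenced $IPTABLES on the flush/policy lines before setting it, so
# those lines expanded to "-P INPUT DROP" etc. and failed.
IPTABLES=/sbin/iptables

# Interfaces: LAN side and Internet side.
INTRA=eth+
INTER=ppp+

# LAN host that receives SSH forwarded from the Internet (DNAT rule
# below). Any LAN address works, e.g. 192.168.0.3.
SSH_FORWARD_HOST=192.168.0.2

# TCP ports LAN hosts may open towards the Internet: FTP data, FTP,
# SMTP, POP3, HTTP, HTTPS, MSN. The original list also held "????" as
# a placeholder for Skype; that is not a port and is left out -- add
# further ports here, comma-separated, no spaces.
LAN_TCP_PORTS=20,21,25,110,80,443,1863

if [ "$(id -u)" -ne 0 ]; then
  printf '%s\n' 'This script must run as root' >&2
  exit 1
fi

printf '%s' 'Inicializando Firewall ...'

# Clear every rule and set the default policies.
"$IPTABLES" -P INPUT DROP
"$IPTABLES" -P FORWARD DROP
"$IPTABLES" -P OUTPUT ACCEPT
"$IPTABLES" -F
"$IPTABLES" -t nat -F
"$IPTABLES" -t mangle -F
"$IPTABLES" -X
"$IPTABLES" -Z

# Kernel settings. (The original "if [ ... ] then;" is a syntax error
# that stopped the script at the first if.)
# SYN cookies against SYN floods.
if [ -e /proc/sys/net/ipv4/tcp_syncookies ]; then
  echo 1 > /proc/sys/net/ipv4/tcp_syncookies
fi
# Masquerading with a dynamic (ppp) address.
if [ -e /proc/sys/net/ipv4/ip_dynaddr ]; then
  echo 1 > /proc/sys/net/ipv4/ip_dynaddr
fi
# Reverse-path filter: drop packets whose source address would be routed
# out of a different interface; complements the RFC 1918 rules below.
if [ -e /proc/sys/net/ipv4/conf/all/rp_filter ]; then
  echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter
fi
# IP forwarding: this box is the gateway.
echo 1 > /proc/sys/net/ipv4/ip_forward

# Loopback. Only the lo interface is trusted. The original additionally
# accepted any SYN with a 127.0.0.0/8 source on ANY interface, which a
# remote peer can spoof; such packets are now dropped.
"$IPTABLES" -A INPUT -i lo -j ACCEPT
"$IPTABLES" -A INPUT ! -i lo -s 127.0.0.0/8 -j DROP

# Private source addresses arriving from the Internet are spoofed.
# Dropped in the filter table (INPUT and FORWARD) rather than in nat
# PREROUTING as before: the nat table only sees the first packet of a
# connection, so filtering there is unreliable. Masks are the RFC 1918
# blocks; the original used 172.16.0.0/16 and 192.168.0.0/24, leaving
# most of each range unfiltered.
for net in 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16; do
  "$IPTABLES" -A INPUT   -i "$INTER" -s "$net" -j DROP
  "$IPTABLES" -A FORWARD -i "$INTER" -s "$net" -j DROP
done

# Stateful handling: replies to connections the gateway or the LAN opened
# are accepted. This replaces the original "--sport 20/21/25/..." INPUT
# rules: matching on the *source* port lets anyone on the Internet reach
# any local service just by sending from port 80 or 53, so those rules
# (and "option two", which had the same effect) are gone; conntrack
# covers the legitimate case. The original state lists were written
# "ESTABLISHED, RELATED" -- the space makes iptables reject the rule.
"$IPTABLES" -A INPUT   -m state --state ESTABLISHED,RELATED -j ACCEPT
"$IPTABLES" -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

# Flood protection on forwarded traffic. Echo requests are accepted at
# 1/s; anything above the limit falls through to the DROP policy. The
# original also had "-p tcp -m limit --limit 1/s -j ACCEPT" and a
# similar rule for RST: with no address or port match those accepted
# one packet per second of ANY forwarded TCP from anywhere, bypassing
# the port rules below, so they are removed. "-m unclean" is removed
# too: the module is not available in current kernels, so the command
# only produced an error.
"$IPTABLES" -A FORWARD -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT
# Unsolicited SYN,ACK (legitimate replies were already accepted as
# ESTABLISHED above).
"$IPTABLES" -A FORWARD -p tcp --tcp-flags ALL SYN,ACK -j DROP

# Pings to the gateway itself (echo-reply, echo-request).
"$IPTABLES" -A INPUT -p icmp --icmp-type 0 -j ACCEPT
"$IPTABLES" -A INPUT -p icmp --icmp-type 8 -j ACCEPT

# SSH to the gateway from the Internet, for remote maintenance.
# NOTE: the DNAT rule below also claims inbound port 22. DNAT runs in
# PREROUTING, before this chain, so while both are active every SSH
# connection from the Internet goes to $SSH_FORWARD_HOST and this rule
# never matches. Keep only one of them, or DNAT a different external port.
"$IPTABLES" -A INPUT -i "$INTER" -p tcp --dport 22 -j ACCEPT

# Inbound SSH from the Internet forwarded to a LAN host. The original
# line lacked the DNAT target ("-j --to-destination") and used
# "-d $INTRA", an interface name where an address is required. The
# FORWARD accept is needed because the FORWARD policy is DROP.
"$IPTABLES" -t nat -A PREROUTING -i "$INTER" -p tcp --dport 22 \
  -j DNAT --to-destination "$SSH_FORWARD_HOST:22"
"$IPTABLES" -A FORWARD -i "$INTER" -o "$INTRA" -p tcp \
  -d "$SSH_FORWARD_HOST" --dport 22 -m state --state NEW -j ACCEPT

# LAN to Internet on the allowed ports. One multiport rule replaces the
# per-port list. (The original "option two" had "-m --multiport", a
# space-separated port list and was attached to INPUT instead of
# FORWARD, so it could not load.) DNS is allowed over UDP and TCP.
"$IPTABLES" -A FORWARD -i "$INTRA" -o "$INTER" -p tcp \
  -m multiport --dports "$LAN_TCP_PORTS" -j ACCEPT
"$IPTABLES" -A FORWARD -i "$INTRA" -o "$INTER" -p udp --dport 53 -j ACCEPT
"$IPTABLES" -A FORWARD -i "$INTRA" -o "$INTER" -p tcp --dport 53 -j ACCEPT

# Any other new or invalid connection towards the LAN is dropped
# (written "NEW, INVALID" in the original, which iptables rejects).
"$IPTABLES" -A FORWARD -o "$INTRA" -m state --state NEW,INVALID -j DROP

# Masquerade the LAN behind the Internet interface. If the uplink is on
# eth0 rather than ppp0 (dial-up), change INTER above.
"$IPTABLES" -t nat -A POSTROUTING -o "$INTER" -j MASQUERADE

# MSS clamping: many 2.6 kernels need this when sharing an ADSL link so
# that packet sizes from the modem fit the LAN MTU. Placed in the mangle
# table: appended to filter FORWARD as before, it sat after the ACCEPT
# rules and was never reached for accepted SYNs.
"$IPTABLES" -t mangle -A FORWARD -p tcp --tcp-flags SYN,RST SYN \
  -m tcpmss --mss 1400:1536 -j TCPMSS --clamp-mss-to-pmtu

printf '%s\n' 'Firewall Carregado com Sucesso ...'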