Exemplo de script de iptables usando variáveis

** Devido a um bug no editor do WordPress, quando digito – – junto (que é o correto no prompt) ele agrega para —; portanto, em todos os posts pode ser necessário fazer essa correção em algum momento. Outro problema são as aspas duplas e simples, que, quando copiadas, não são reconhecidas no Linux.

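#!/bin/bash
# Exemplo de script de iptables usando variaveis.
#
# Uso: executar como root. As redes/maquinas da secao "Variaveis" que estao
# vazias devem ser preenchidas aqui ou exportadas no ambiente. O script
# verifica todas ANTES de tocar nas regras: uma variavel vazia faria uma
# regra como "-s $LAN" virar "-s" (erro do iptables) e o firewall ficaria
# com politica INPUT DROP sem as liberacoes, trancando o acesso.
#
# Todo o texto e ASCII puro (aspas retas e "--"); o editor do WordPress
# troca esses caracteres por tipograficos, que o bash/iptables nao entendem.
set -eu
trap 'echo "Erro na linha $LINENO: $BASH_COMMAND" >&2' ERR

echo "Ativando Regras de Firewall"

#########################
# Variaveis / Entidades #
#########################

iptables="/sbin/iptables"

# Redes (CIDR) - preencher
LAN=${LAN:-}
DMZ=${DMZ:-}
SERV=${SERV:-}

# Maquinas (IP) - preencher
MAQ1=${MAQ1:-}                        # origens permitidas para SSH no firewall
MAQ2=${MAQ2:-}
ZABBIX=${ZABBIX:-}
CACTI=${CACTI:-}
DNS1=${DNS1:-}
DNS2=${DNS2:-}
CORREIO_INT_DNS3=${CORREIO_INT_DNS3:-}
USERX=${USERX:-}                      # host cujo trafego encaminhado e logado
RELAY=${RELAY:-}                      # IP publico do relay SMTP
NRELAY=${NRELAY:-}                    # IP interno do relay SMTP
FW_SEDE_USU_Eth1=${FW_SEDE_USU_Eth1:-}
PROXY=${PROXY:-}
END_IP_ALIAS=${END_IP_ALIAS:-}        # endereco do alias eth2:1
END_IP_NAT=${END_IP_NAT:-}            # endereco do alias eth3:1

# Portos
FTP="20,21"
FTP_DATA="20"
FTP_ATIVO="21"
SSH="22"
SMTP="25"
DNS="53"
HTTP="80"
SNMP="161,162"
HTTPS="443"
ORACLE="1521"
RECEITA="3456"
MSTSC="4899"
HTTP_PROXY="8080"
MON_ZABBIX="10050,10051"
FWSSH="65534"

# Precisa de root para escrever em /proc/sys e alterar as regras.
if [[ "$EUID" -ne 0 ]]; then
  echo "Este script precisa ser executado como root" >&2
  exit 1
fi

# Toda entidade usada nas regras precisa ter valor; abortar aqui, antes do
# flush, evita deixar um conjunto de regras pela metade.
for v in LAN DMZ SERV MAQ1 MAQ2 ZABBIX CACTI DNS1 DNS2 CORREIO_INT_DNS3 \
         USERX RELAY NRELAY FW_SEDE_USU_Eth1 PROXY END_IP_ALIAS END_IP_NAT; do
  if [[ -z "${!v}" ]]; then
    echo "Variavel $v nao definida - abortando sem alterar as regras" >&2
    exit 1
  fi
done

echo "Variaveis Carregadas! 166"

################
# Habilitacoes #
################

# IP Forward
echo 1 > /proc/sys/net/ipv4/ip_forward

# Cookie Protection
echo 1 > /proc/sys/net/ipv4/tcp_syncookies

# Loga Marcianos - end. impossiveis
echo 1 > /proc/sys/net/ipv4/conf/all/log_martians

# Disponibilizando maior quantidade de portos
echo "10000 65000" > /proc/sys/net/ipv4/ip_local_port_range

# Aumentando a memoria reservada por conexao recebida/enviada
echo 256960 > /proc/sys/net/core/rmem_default
echo 256960 > /proc/sys/net/core/rmem_max
echo 256960 > /proc/sys/net/core/wmem_default
echo 256960 > /proc/sys/net/core/wmem_max
echo "4096 87380 4194304" > /proc/sys/net/ipv4/tcp_rmem
echo "4096 16384 4194304" > /proc/sys/net/ipv4/tcp_wmem

# Tempo para finalizar uma conexao fechada pelo host
echo 15 > /proc/sys/net/ipv4/tcp_fin_timeout

# Numero de testes antes de finalizar a conexao
echo 5 > /proc/sys/net/ipv4/tcp_keepalive_probes

# Habilita a reutilizacao de conexoes em TIME_WAIT para novas conexoes
# consideradas seguras pelo protocolo
echo 1 > /proc/sys/net/ipv4/tcp_tw_reuse

# Ignora Broadcast de ICMP
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses

# Bloqueia tentativa de burlar a conexao em uma interface especifica
echo 0 > /proc/sys/net/ipv4/conf/all/accept_source_route

# Modulos FTP (nf_* nos kernels atuais; ip_* nos antigos)
modprobe nf_conntrack_ftp 2>/dev/null || modprobe ip_conntrack_ftp
modprobe nf_nat_ftp 2>/dev/null || modprobe ip_nat_ftp

# Aumento de quantidade de requisicoes atendidas (caminho novo ou antigo
# da tabela de conntrack, conforme o kernel)
if [[ -e /proc/sys/net/netfilter/nf_conntrack_max ]]; then
  echo 10000000 > /proc/sys/net/netfilter/nf_conntrack_max
else
  echo 10000000 > /proc/sys/net/ipv4/netfilter/ip_conntrack_max
fi

# Controle de Execucao
echo "Habilitacoes concluidas! 222"

############
# Flush all#
############

$iptables -F
$iptables -X
$iptables -Z
$iptables -F -t nat

# Controle de Execucao
echo "Limpeza de regras executada! 234"

####################
# Politicas Padrao #
####################

$iptables -P INPUT DROP
$iptables -P OUTPUT ACCEPT
$iptables -P FORWARD DROP

# Controle de Execucao
echo "Politicas aplicadas! 245"

#############################
# Conexoes ja Estabelecidas #
#############################

$iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
$iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

# Controle de Execucao
echo "Manutencao de conexao aplicada! 255"

##############
# IP's Alias #
##############

ifconfig eth2:1 "$END_IP_ALIAS" # Alias do Firewall

# Controle de Execucao
echo "Alias Levantados! 264"

############
# IP's NAT #
############

ifconfig eth3:1 "$END_IP_NAT" # Nat Administrativo // Rede

# Controle de Execucao
echo "Enderecos NAT Levantados! 289"

##########################
# Bloqueio IPs Suspeitos #
##########################

# Bloqueio Your Freedom - nos dois sentidos para cada faixa
for rede in 212.227.0.0/16 213.251.0.0/16 66.90.0.0/16 66.96.0.0/16 \
            67.159.0.0/16 81.169.0.0/16 85.214.0.0/16; do
  $iptables -A FORWARD -s "$rede" -j DROP
  $iptables -A FORWARD -d "$rede" -j DROP
done

echo "Your Freedom Bloqueado! 311"

######################
# Liberacao Firewall #
######################

# Syn-Flood (desativado no original; mantido como referencia)
#$iptables -N syn-flood
#$iptables -A INPUT -p tcp --syn -j syn-flood
#$iptables -A FORWARD -p tcp --syn -j syn-flood
#$iptables -A syn-flood -m limit --limit 35/s -j RETURN
#$iptables -A syn-flood -j DROP

# Log USERX - Um usuario suspeito na sua rede (limitado para nao inundar o log)
$iptables -A FORWARD -s "$USERX" -m limit --limit 5/min -j LOG --log-level debug --log-prefix "IPTABLES-FORWARD-USERX"

# Novos devem ser Syn
$iptables -A INPUT -p tcp ! --syn -m state --state NEW -j DROP

# Anti Xmas
$iptables -A INPUT -p tcp --tcp-flags ALL ALL -j DROP

# Null mal formado
$iptables -A INPUT -p tcp --tcp-flags ALL NONE -j DROP

# Fragmentos
$iptables -A INPUT -f -j DROP
$iptables -A FORWARD -f -j DROP

# Pacotes Invalidos (em INPUT o original restringe a eth0; mantido)
$iptables -A INPUT -i eth0 -m state --state INVALID -j DROP
$iptables -A FORWARD -m state --state INVALID -j DROP

# MTU
$iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --set-mss 1460

# Controle de ICMP - so das redes internas, com limite de taxa
for rede in "$LAN" "$DMZ" "$SERV"; do
  $iptables -A INPUT -p icmp -s "$rede" -m limit --limit 10/s -j ACCEPT
done
for rede in "$LAN" "$DMZ" "$SERV"; do
  $iptables -A FORWARD -p icmp -s "$rede" -m limit --limit 10/s -j ACCEPT
done

# Acesso SSH (porto nao padrao, apenas das maquinas de administracao)
$iptables -A INPUT -p tcp -s "$MAQ1" --dport "$FWSSH" -j ACCEPT
$iptables -A INPUT -p tcp -s "$MAQ2" --dport "$FWSSH" -j ACCEPT

# Monitoracao Zabbix
$iptables -A FORWARD -p tcp -m multiport --dport "$MON_ZABBIX" -s "$ZABBIX" -j ACCEPT

# Monitoracao Cacti
$iptables -A INPUT -p udp -m multiport --dport "$SNMP" -s "$CACTI" -j ACCEPT
$iptables -A FORWARD -p udp -m multiport --dport "$SNMP" -s "$CACTI" -j ACCEPT
$iptables -A FORWARD -p udp -m multiport --dport "$SNMP" -d "$CACTI" -j ACCEPT

# Consulta DNS - mesmas quatro regras para cada servidor
for srv in "$DNS1" "$DNS2" "$CORREIO_INT_DNS3"; do
  $iptables -A INPUT -p udp -d "$srv" --dport "$DNS" -j ACCEPT
  $iptables -A INPUT -p udp -s "$srv" --sport "$DNS" -j ACCEPT
  $iptables -A FORWARD -p udp -d "$srv" --dport "$DNS" -j ACCEPT
  $iptables -A FORWARD -p udp -s "$srv" --sport "$DNS" -j ACCEPT
done

# Controle de Execucao
echo "Liberacoes do Firewall aplicadas! 382"

#############
# Redirects #
#############

# Redirect Relay
$iptables -t nat -A PREROUTING -p tcp -d "$RELAY" --dport "$SMTP" -j DNAT --to-destination "$NRELAY:$SMTP"

# Redirect proxy
$iptables -t nat -A PREROUTING -p tcp -d "$FW_SEDE_USU_Eth1" --dport "$HTTP_PROXY" -j DNAT --to-destination "$PROXY:$HTTP_PROXY"

# Controle de Execucao
echo "Redirects implementados! 798"

###################
# Sistema de Logs #
###################

# Dados Bloqueados - o que chega aqui cai na politica DROP; o limite de taxa
# evita que uma varredura encha o log.
$iptables -A INPUT -m limit --limit 5/min -j LOG --log-level debug --log-prefix "IPTABLES-INPUT-DROP: "
$iptables -A FORWARD -m limit --limit 5/min -j LOG --log-level debug --log-prefix "IPTABLES-FORWARD-DROP: "

# Controle de Execucao
echo "Log do que e descartado implementado! 809"

####################
# Mensagens finais #
####################

sleep 1
echo "Regras de Firewall Ativadas"

#OBS: As rotas se encontram no arquivo /etc/rotas

############# FIM #############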
