Author: Gustavo Santos

** Devido a um bug no editor do WordPress quando digito – – junto, o que é o correto no prompt ele agrega para — portanto em todos os posts pode ser necessário essa correção em algum momento. Outro problema são as aspas duplas e simples que quando copiadas não são reconhecidas no linux.

# !/bin/bash

echo “Ativando Regras de Firewall”

#########################
# Variaveis / Entidades #
#########################

iptables=”/sbin/iptables”

# Redes

# Maquinas

# Portos
FTP=”20,21″
FTP_DATA=”20″
FTP_ATIVO=”21″
SSH=”22″
SMTP=”25″
DNS=”53″
HTTP=”80″
SNMP=”161,162″
HTTPS=”443″
ORACLE=”1521″
RECEITA=”3456″
MSTSC=”4899″
HTTP_PROXY=”8080″
MON_ZABBIX=”10050,10051″
FWSSH=”65534″

echo Variaveis Carregadas! 166

################
# Habilitacoes #
################

# IP Forward
echo 1 > /proc/sys/net/ipv4/ip_forward

# Cookie Protection
echo 1 > /proc/sys/net/ipv4/tcp_syncookies

# Loga Marcianos – end. impossiveis
echo 1 > /proc/sys/net/ipv4/conf/all/log_martians

# Disponibilizando maior quantidade de portos
echo 10000 65000 > /proc/sys/net/ipv4/ip_local_port_range

# Aumentando a memoria resevarda por conexao recebida/enviada
echo 256960 > /proc/sys/net/core/rmem_default
echo 256960 > /proc/sys/net/core/rmem_max
echo 256960 > /proc/sys/net/core/wmem_default
echo 256960 > /proc/sys/net/core/wmem_max
echo “4096 87380 4194304” > /proc/sys/net/ipv4/tcp_rmem
echo “4096 16384 4194304” > /proc/sys/net/ipv4/tcp_wmem

# Tempo para finalizar uma conexao fechada pelo host
echo 15 > /proc/sys/net/ipv4/tcp_fin_timeout

# Número de testes antes de finalizar a conexao
echo 5 > /proc/sys/net/ipv4/tcp_keepalive_probes

# Habilita a reciclagem de conexões em TIME_WAIT para novas conexoes consideradas seguras pelo protocolo
echo 1 > /proc/sys/net/ipv4/tcp_tw_reuse

# Ignora Broadcast de ICMP
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses

# Bloqueia tentativa de burlar a conexao em uma interface especifica
echo 0 > /proc/sys/net/ipv4/conf/all/accept_source_route

# Modulos FTP
modprobe ip_nat_ftp
modprobe ip_conntrack_ftp

# Aumento de quantidade de requisicoes atendidas
echo 10000000 > /proc/sys/net/ipv4/netfilter/ip_conntrack_max

# Controle de Execucao
echo Habilitacoes concluidas! 222

############
# Flush all#
############

$iptables -F
$iptables -X
$iptables -Z
$iptables -F -t nat

# Controle de Execucao
echo Limpeza de regras executada! 234

####################
# Politicas Padrao #
####################

$iptables -P INPUT DROP
$iptables -P OUTPUT ACCEPT
$iptables -P FORWARD DROP

# Controle de Execucao
echo Politicas aplicadas! 245

#############################
# Conexoes ja Estabelecidas #
#############################

$iptables -A INPUT -m state –state ESTABLISHED,RELATED -j ACCEPT
$iptables -A FORWARD -m state –state ESTABLISHED,RELATED -j ACCEPT

# Controle de Execucao
echo Manutencao de conexao aplicada! 255

##############
# IP´s Alias #
##############

ifconfig eth2:1 END_IP_ALIAS # Alias do Firewall

# Controle de Execucao
echo Alias Levantados! 264

############
# IP`s NAT #
############

ifconfig eth3:1 END_IP_NAT # Nat Administrativo // Rede

# Controle de Execucao
echo Enderecos NAT Levantados! 289

##########################
# Bloqueio IPs Suspeitos #
##########################

# Bloqueio Your Freedom
$iptables -A FORWARD -d 212.227.0.0/16 -j DROP
$iptables -A FORWARD -s 212.227.0.0/16 -j DROP
$iptables -A FORWARD -s 213.251.0.0/16 -j DROP
$iptables -A FORWARD -d 213.251.0.0/16 -j DROP
$iptables -A FORWARD -s 66.90.0.0/16 -j DROP
$iptables -A FORWARD -d 66.90.0.0/16 -j DROP
$iptables -A FORWARD -s 66.96.0.0/16 -j DROP
$iptables -A FORWARD -d 66.96.0.0/16 -j DROP
$iptables -A FORWARD -s 67.159.0.0/16 -j DROP
$iptables -A FORWARD -d 67.159.0.0/16 -j DROP
$iptables -A FORWARD -s 81.169.0.0/16 -j DROP
$iptables -A FORWARD -d 81.169.0.0/16 -j DROP
$iptables -A FORWARD -s 85.214.0.0/16 -j DROP
$iptables -A FORWARD -d 85.214.0.0/16 -j DROP

echo Your Freedom Bloqueado! 311

######################
# Liberacao Firewall #
######################

# Syn-Flood
#$iptables -N syn-flood
#$iptables -A INPUT -p tcp –syn -j syn-flood
#$iptables -A FORWARD -p tcp –syn -j syn-flood
#$iptables -A syn-flood -m limit –limit 35/s -j RETURN
#$iptables -A syn-flood -j DROP

# Log USERX – Um usuário suspeito na sua rede
$iptables -A FORWARD -s $USERX -j LOG –log-level debug –log-prefix “IPTABLES-FORWARD-USERX”

# Novos devem ser Syn
$iptables -A INPUT -p tcp ! –syn -m state –state NEW -j DROP

# Anti Xmas
$iptables -A INPUT -p tcp –tcp-flags ALL ALL -j DROP

# Null mal formado
$iptables -A INPUT -p tcp –tcp-flags ALL NONE -j DROP

# Fragmentos
$iptables -A INPUT -f -j DROP
$iptables -A FORWARD -f -j DROP

# Pacotes Invalidos
$iptables -A INPUT -i eth0 -m state –state INVALID -j DROP
$iptables -A FORWARD -m state –state INVALID -j DROP

# MTU
$iptables -A FORWARD -p tcp –tcp-flags SYN,RST SYN -j TCPMSS –set-mss 1460

# Controle de ICMP
$iptables -A INPUT -p icmp -s $LAN -m limit –limit 10/s -j ACCEPT
$iptables -A INPUT -p icmp -s $DMZ -m limit –limit 10/s -j ACCEPT
$iptables -A INPUT -p icmp -s $SERV -m limit –limit 10/s -j ACCEPT
$iptables -A FORWARD -p icmp -s $LAN -m limit –limit 10/s -j ACCEPT
$iptables -A FORWARD -p icmp -s $DMZ -m limit –limit 10/s -j ACCEPT
$iptables -A FORWARD -p icmp -s $SERV -m limit –limit 10/s -j ACCEPT

# Acesso SSH
$iptables -A INPUT -p tcp -s $MAQ1 –dport $FWSSH -j ACCEPT
$iptables -A INPUT -p tcp -s $MAQ2 –dport $FWSSH -j ACCEPT

# Monitoracao Zabbix
$iptables -A FORWARD -p tcp -m multiport –dport $MON_ZABBIX -s $ZABBIX -j ACCEPT

# Monitoracao Cacti
$iptables -A INPUT -p udp -m multiport –dport $SNMP -s $CACTI -j ACCEPT
$iptables -A FORWARD -p udp -m multiport –dport $SNMP -s $CACTI -j ACCEPT
$iptables -A FORWARD -p udp -m multiport –dport $SNMP -d $CACTI -j ACCEPT

# Consulta DNS
$iptables -A INPUT -p udp -d $DNS1 –dport $DNS -j ACCEPT
$iptables -A INPUT -p udp -s $DNS1 –sport $DNS -j ACCEPT
$iptables -A FORWARD -p udp -d $DNS1 –dport $DNS -j ACCEPT
$iptables -A FORWARD -p udp -s $DNS1 –sport $DNS -j ACCEPT
$iptables -A INPUT -p udp -d $DNS2 –dport $DNS -j ACCEPT
$iptables -A INPUT -p udp -s $DNS2 –sport $DNS -j ACCEPT
$iptables -A FORWARD -p udp -d $DNS2 –dport $DNS -j ACCEPT
$iptables -A FORWARD -p udp -s $DNS2 –sport $DNS -j ACCEPT
$iptables -A INPUT -p udp -d $CORREIO_INT_DNS3 –dport $DNS -j ACCEPT
$iptables -A INPUT -p udp -s $CORREIO_INT_DNS3 –sport $DNS -j ACCEPT
$iptables -A FORWARD -p udp -d $CORREIO_INT_DNS3 –dport $DNS -j ACCEPT
$iptables -A FORWARD -p udp -s $CORREIO_INT_DNS3 –sport $DNS -j ACCEPT

# Controle de Execucao
echo Liberacoes do Firewall aplicadas! 382

#############
# Redirects #
#############

# Redirect Relay
$iptables -t nat -A PREROUTING -p tcp -d $RELAY –dport $SMTP -j DNAT –to-destination $NRELAY:$SMTP

# Redirect proxy
$iptables -t nat -A PREROUTING -p tcp -d $FW_SEDE_USU_Eth1 –dport $HTTP_PROXY -j DNAT –to-destination $PROXY:$HTTP_PROXY

# Controle de Execucao
echo Redirects implementados! 798

###################
# Sistema de Logs #
###################

# Dados Bloqueados
$iptables -A INPUT -j LOG –log-level debug –log-prefix “IPTABLES-INPUT-DROP: ”
$iptables -A FORWARD -j LOG –log-level debug –log-prefix “IPTABLES-FORWARD-DROP: ”

# Controle de Execucao
echo “Log do que e descartado implementado!” 809

####################
# Mensagens finais #
####################

sleep 1
echo “Regras de Firewall Ativadas”

#OBS: As rotas se encontram no arquivo /etc/rotas

############# FIM #############