
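#!/bin/bash
#
# DMZ gateway firewall: default DROP on INPUT/FORWARD (filter and mangle),
# the internal interface (DMZ_IFACE) fully allowed, outbound NAT on the
# external interface (INET_IFACE) and a selective set of TCP ports accepted
# on the external IP.
#
# Must run as root. Needs iptables, iproute2 (ip), modprobe and sysctl.
# Optional environment overrides: FORWARD_PORTSTCP, FORWARD_PORTSUDP,
# DMZ_IFACE, INET_IFACE, SERVICES_MACHINE.
#
# The script is fail-closed: any failing iptables call aborts it, and the
# ERR trap reports which command failed.
set -euo pipefail
trap 'printf "erro na linha %s: %s\n" "$LINENO" "$BASH_COMMAND" >&2' ERR

die() { printf '%s\n' "$*" >&2; exit 1; }

# Binary path kept hard-coded (not environment-overridable) on purpose:
# this runs as root and must not execute whatever $IPTABLES points to.
readonly IPTABLES="/sbin/iptables"

(( EUID == 0 )) || die "este script precisa ser executado como root"
[[ -x "$IPTABLES" ]] || die "iptables nao encontrado em $IPTABLES"
command -v ip >/dev/null || die "comando ip (iproute2) nao encontrado"

# TCP ports forwarded to SERVICES_MACHINE (example: "25 80 110 143 443 995 3050 10000").
# Empty by default: nothing is forwarded, and the DNAT rule below stays disabled.
FORWARD_PORTSTCP="${FORWARD_PORTSTCP:-}"
# shellcheck disable=SC2034 — reserved for UDP forwarding, not used yet
FORWARD_PORTSUDP="${FORWARD_PORTSUDP:-}"
# TCP ports accepted in INPUT on the external IP: the forwarded ones plus SSH.
INPUT_PORTSTCP="$FORWARD_PORTSTCP 22"
DMZ_IFACE="${DMZ_IFACE:-eth0}"
INET_IFACE="${INET_IFACE:-eth1}"
SERVICES_MACHINE="${SERVICES_MACHINE:-192.168.0.3}"

# Reject anything that is not a TCP port number before it reaches iptables.
# Word-splitting on the list is intentional (space-separated ports).
# shellcheck disable=SC2086
for port in $INPUT_PORTSTCP; do
  if ! [[ "$port" =~ ^[0-9]+$ ]] || (( port < 1 || port > 65535 )); then
    die "porta TCP invalida na lista: $port"
  fi
done

# First IPv4 address of the external interface. ip(8) output is locale
# independent, unlike the original 'ifconfig | grep "inet end"' parse.
EXT_IP=$(ip -4 -o addr show dev "$INET_IFACE" \
  | awk 'NR == 1 { sub(/\/.*/, "", $4); print $4 }') \
  || die "nao foi possivel consultar a interface $INET_IFACE"
[[ -n "$EXT_IP" ]] || die "interface $INET_IFACE sem endereco IPv4"

#-----------------START-----------------
# Connection tracking modules. Old names first, then the current ones;
# best-effort because recent kernels load conntrack on demand.
modprobe ip_conntrack 2>/dev/null || modprobe nf_conntrack 2>/dev/null || true
modprobe ip_conntrack_ftp 2>/dev/null || modprobe nf_conntrack_ftp 2>/dev/null || true
# Enable IP forwarding
sysctl -w net.ipv4.ip_forward=1 >/dev/null

# Flush rules and user chains from previous runs so the script is idempotent:
# without this "-X block" fails while INPUT/FORWARD still reference the chain
# and every run appends a duplicate copy of all rules.
for table in filter nat mangle; do
  "$IPTABLES" -t "$table" -F
  "$IPTABLES" -t "$table" -X
done

## Chain "block": accept established/related traffic and new connections
## that do NOT arrive on the external interface; drop everything else.
## Created in filter AND mangle because both tables jump to it at the end
## (the original only created it in filter, so the mangle jump failed).
for table in filter mangle; do
  "$IPTABLES" -t "$table" -N block
  "$IPTABLES" -t "$table" -A block -m state --state ESTABLISHED,RELATED -j ACCEPT
  "$IPTABLES" -t "$table" -A block -m state --state NEW ! -i "$INET_IFACE" -j ACCEPT
  "$IPTABLES" -t "$table" -A block -j DROP
done

for table in filter mangle; do
  printf 'Ajustando politicas %s para drop .... ' "$table"
  for chain in INPUT FORWARD; do
    printf ' %s' "$chain"
    "$IPTABLES" -t "$table" -P "$chain" DROP
  done
  printf ' pronto.\n'
done
printf 'Liberando a saida em .... '
for table in filter nat mangle; do
  printf ' %s' "$table"
  "$IPTABLES" -t "$table" -P OUTPUT ACCEPT
done
printf ' pronto.\n'

printf 'Liberando a rede interna .... '
for table in filter mangle; do
  printf ' %s' "$table"
  "$IPTABLES" -t "$table" -A INPUT -p tcp --syn -i "$DMZ_IFACE" -j ACCEPT
  "$IPTABLES" -t "$table" -A OUTPUT -p tcp --syn -o "$DMZ_IFACE" -j ACCEPT
  "$IPTABLES" -t "$table" -A FORWARD -p tcp --syn -i "$DMZ_IFACE" -j ACCEPT
  # Stealth port-scan mitigation: rate-limit bare RST packets
  "$IPTABLES" -t "$table" -A INPUT -p tcp --tcp-flags SYN,ACK,FIN,RST RST \
    -m limit --limit 1/s -j ACCEPT
  # Drop packets conntrack cannot classify
  "$IPTABLES" -t "$table" -A INPUT -m state --state INVALID -j DROP
  # Anti-spoofing: private source addresses arriving on the external interface.
  # NOTE(review): 172.16.0.0/16 covers only part of the 172.16.0.0/12 private
  # block, and the rule only guards INPUT, not FORWARD — confirm that is intended.
  "$IPTABLES" -t "$table" -A INPUT -s 172.16.0.0/16 -i "$INET_IFACE" -j DROP
  #"$IPTABLES" -t "$table" -A INPUT -s 192.168.0.0/24 -i "$INET_IFACE" -j DROP
  # Syn-flood mitigation: forwarded new connections limited to 1/s; the
  # excess falls through to the block chain and is dropped.
  "$IPTABLES" -t "$table" -A FORWARD -p tcp --syn -m limit --limit 1/s -j ACCEPT
  # Ping-of-death / echo-request flood: same rate limit
  "$IPTABLES" -t "$table" -A FORWARD -p icmp --icmp-type echo-request \
    -m limit --limit 1/s -j ACCEPT
done
printf ' pronto.\n'

# Outbound NAT for the gateway
"$IPTABLES" -t nat -A POSTROUTING -o "$INET_IFACE" -j MASQUERADE
# Loopback
"$IPTABLES" -A INPUT -i lo -j ACCEPT
"$IPTABLES" -t nat -A PREROUTING -i lo -j ACCEPT

# Open ports on the external IP (filter and mangle)
printf 'Abrindo portas... '
# shellcheck disable=SC2086
for port in $INPUT_PORTSTCP; do
  printf ' %s' "$port"
  for table in filter mangle; do
    "$IPTABLES" -t "$table" -A INPUT -p tcp --dport "$port" -d "$EXT_IP" -j ACCEPT
  done
done
printf ' pronto.\n'

printf 'Iniciando port forward... '
# shellcheck disable=SC2086
for port in $FORWARD_PORTSTCP; do
  printf ' %s' "$port"
  for table in filter mangle; do
    "$IPTABLES" -t "$table" -A FORWARD -p tcp --dport "$port" -j ACCEPT
  done
  # DNAT to SERVICES_MACHINE stays disabled as in the original. The original
  # matched on a hostname (comjota.com.br); match on the interface IP instead
  # so the rule does not depend on DNS at load time.
  #"$IPTABLES" -t nat -A PREROUTING -i "$INET_IFACE" -p tcp -d "$EXT_IP" \
  #  --dport "$port" -j DNAT --to-destination "$SERVICES_MACHINE:$port"
done
printf ' pronto.\n'

# Open the internal network
printf 'Liberando o DMZ na interface %s... ' "$DMZ_IFACE"
for table in filter mangle; do
  "$IPTABLES" -t "$table" -A INPUT -i "$DMZ_IFACE" -j ACCEPT
  "$IPTABLES" -t "$table" -A OUTPUT -o "$DMZ_IFACE" -j ACCEPT
  "$IPTABLES" -t "$table" -A OUTPUT -o "$INET_IFACE" -j ACCEPT
done
printf ' pronto.\n'

# Lock everything else: the block chain already ends in DROP, so the extra
# trailing DROP the original appended here is not needed.
printf 'Travando tudo que não está acima... '
for table in filter mangle; do
  for chain in INPUT FORWARD; do
    printf '%s->%s ' "$table" "$chain"
    "$IPTABLES" -t "$table" -A "$chain" -j block
  done
done
printf ' pronto.\n'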
