#!/bin/bash
# Firewall,configurado e montado por: Alexandre Starck de Oliveira
# Para esse arquivo ser iniciado no boot deve ser colocado de acordo com as regras abaixo:
### 1º)-Dar permissão de arquivo executável Ex: chmod +x /etc/init.d/firewall
### 2º)-Primeira opção,para ser iniciado no boot.Colocar o diretório completo no arquivo rc.local Ex:
# vim /etc/rc.local
# /etc/init.d/firewall # esse diretório deve ser colocado na última linha do arquivo rc.local
### 3º)-Outra opção é criar um link simbólico. Ex: ln -s /etc/init.d/firewall /etc/rc5.d/S99Firewall
# O link apontará para o arquivo /etc/init.d/firewall, que é o nosso script, o S99 do arquivo de link significa:
# o "S" de Start (iniciar) e o 99 é a ordem que ele será executado juntamente com o sistema.
# Compartilhando a Internet
echo 1 > /proc/sys/net/ipv4/ip_forward
# Variáveris #
LanExt=eth1 # placa de internet
LanInt=192.168.10.1/24
Rede=192.168.10.0/24 # minha rede local
# Módulos #
/sbin/modprobe ip_tables
/sbin/modprobe ip_conntrack
/sbin/modprobe iptable_filter
/sbin/modprobe iptable_mangle
/sbin/modprobe iptable_nat
/sbin/modprobe ipt_LOG
/sbin/modprobe ipt_limit
/sbin/modprobe ipt_state
/sbin/modprobe ipt_REDIRECT
/sbin/modprobe ipt_owner
/sbin/modprobe ipt_REJECT
/sbin/modprobe ipt_MASQUERADE
/sbin/modprobe ip_conntrack_ftp
/sbin/modprobe ip_nat_ftp
####################
### Função START ###
####################
firewall_start() {
echo "Iniciando o Firewall.......................[ OK ]"
# Limpa as regras #
iptables -X
iptables -Z
iptables -F INPUT
iptables -F OUTPUT
iptables -F FORWARD
iptables -F -t nat
iptables -F -t mangle
# Politicas padrao #
iptables -t filter -P INPUT DROP
iptables -t filter -P OUTPUT ACCEPT
iptables -t filter -P FORWARD DROP
iptables -t nat -P PREROUTING ACCEPT
iptables -t nat -P OUTPUT ACCEPT
iptables -t nat -P POSTROUTING ACCEPT
iptables -t mangle -P PREROUTING ACCEPT
iptables -t mangle -P OUTPUT ACCEPT
# Manter conexoes jah estabelecidas para nao parar
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# Aceita todo o trafego vindo do loopback e indo pro loopback
iptables -t filter -A INPUT -i lo -j ACCEPT
#######################
### LOG DO FIREWALL ###
#######################
#iptables -A INPUT -d $LanExt -p tcp --dport 22 -j LOG --log-level 6 --log-prefix "FIREWALL: SSH EXT 22"
#iptables -A INPUT -d $LanExt -p tcp --dport 21 -j LOG --log-level 6 --log-prefix "FIREWALL: FTP EXT 21"
#iptables -A INPUT -d $LanInt -p tcp --dport 22 -j LOG --log-level 6 --log-prefix "FIREWALL: SSH INT 22"
#iptables -A INPUT -d $LanInt -p tcp --dport 21 -j LOG --log-level 6 --log-prefix "FIREWALL: FTP INT 21"
###############################
# Proteções #
###############################
# Protege contra os "Ping of Death"
iptables -A INPUT -p icmp --icmp-type echo-request -m limit --limit 20/m -j ACCEPT
iptables -A FORWARD -p icmp --icmp-type echo-request -m limit --limit 20/m -j ACCEPT
# Protege contra port scanners avançados (Ex.: nmap)
iptables -A INPUT -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit 20/m -j ACCEPT
# Bloqueando tracertroute
iptables -A INPUT -p udp -s 0/0 -i eth1 --dport 33435:33525 -j REJECT
# Protecoes contra ataques
iptables -A INPUT -m state --state INVALID -j REJECT
###############################
# TABELA Input #
###############################
### Destino Externo ###
# Liberando Porta 22 (SSH)
#iptables -A INPUT -d $LanExt -p tcp --dport 22 -j LOG --log-level 6 --log-prefix "FIREWALL: SSH EXT 2222"
iptables -A INPUT -d $LanExt -p tcp --dport 22 -j ACCEPT
# Liberando Porta 21 (ftp)
#iptables -A INPUT -d $LanExt -p tcp --dport 21 -j LOG --log-level 6 --log-prefix "FIREWALL: FTP EXT 21"
iptables -A INPUT -d $LanExt -p tcp --dport 21 -j ACCEPT
### Destino Interno ###
# Liberando Porta 22 (SSH)
#iptables -A INPUT -d $LanInt -p tcp --dport 22 -j LOG --log-level 6 --log-prefix "FIREWALL: SSH INT 22"
iptables -A INPUT -d $LanInt -p tcp --dport 22 -j ACCEPT
# Liberando porta 3128 (Squid)
iptables -A INPUT -d $LanInt -p tcp --dport 3128 -j ACCEPT
# Liberando Porta 80 (http)
#iptables -A INPUT -d $LanInt -p tcp --dport 80 -j LOG --log-level 6 --log-prefix "FIREWALL: HTTP INT 80"
iptables -A INPUT -d $LanInt -p tcp --dport 80 -j ACCEPT
# Liberando Porta 21 (ftp)
#iptables -A INPUT -d $LanInt -p tcp --dport 21 -j LOG --log-level 6 --log-prefix "FIREWALL: FTP INT 21"
iptables -A INPUT -d $LanInt -p tcp --dport 21 -j ACCEPT
# Liberando porta 3000 (NTOP)
iptables -A INPUT -d $LanInt -p tcp --dport 3000 -j ACCEPT
###############################
# TABELA Forward #
###############################
# Libera computador das regras do firewall
iptables -A FORWARD -s 192.168.4.13 -p tcp -j ACCEPT
iptables -A FORWARD -s 192.168.4.13 -p udp -j ACCEPT
### MSN ###
# Libera msn para o IP #
# nome
iptables -A FORWARD -s 192.168.4.11 -p tcp --dport 1863 -j ACCEPT
# Bloqueio de MSN #
#iptables -A FORWARD -s 192.168.4.0 -p tcp --dport 1863 -j DROP
#iptables -A FORWARD -s 192.168.4.0 -d loginnet.passport.com -j DROP
#iptables -A FORWARD -s 198.164.4.0/24 -p tcp --dport 1863 -j DROP
#iptables -A FORWARD -s 198.164.4.0/24 -d loginnet.passport.com -j DROP
#iptables -A FORWARD -s 198.164.4.0/24 -d messenger.hotmail.com -j DROP
#iptables -A FORWARD -s 198.164.4.0/24 -d webmessenger.msn.com -j DROP
#iptables -A FORWARD -p tcp --dport 1080 -j DROP
#iptables -A FORWARD -s 198.164.4.0/24 -p tcp --dport 1080 -j DROP
#iptables -A FORWARD -p tcp --dport 1863 -j DROP
#iptables -A FORWARD -d 64.4.13.0/24 -j DROP
# Liberando Porta 2222 (SSH)
iptables -A FORWARD -s $Rede -p tcp --dport 2222 -j ACCEPT
# Liberando Porta 22 (SSH)
iptables -A FORWARD -s $Rede -p tcp --dport 22 -j ACCEPT
# Liberando Porta 110 (pop-3)
iptables -A FORWARD -s $Rede -p tcp --dport 110 -j ACCEPT
# Liberando Porta 995 (spop-3)
iptables -A FORWARD -s $Rede -p tcp --dport 995 -j ACCEPT
# Liberando Porta 25 (smtp)
iptables -A FORWARD -s $Rede -p tcp --dport 25 -j ACCEPT
# Liberando Porta 465 (smtp-s)
iptables -A FORWARD -s $Rede -p tcp --dport 465 -j ACCEPT
# Liberando Porta 2121 (ftp)
iptables -A FORWARD -s $Rede -p tcp --dport 2121 -j ACCEPT
# Liberando Porta 21 (ftp)
iptables -A FORWARD -s $Rede -p udp --dport 21 -j ACCEPT
iptables -A FORWARD -s $Rede -p udp --dport 20 -j ACCEPT
# Liberando porta 53 (DNS)
iptables -A FORWARD -s $Rede -p tcp --dport 53 -j ACCEPT
iptables -A FORWARD -s $Rede -p udp --dport 53 -j ACCEPT
# Regras forward para o funcionamento de redirecionamento de portas (NAT)
# Redirecionando porta 5900 (VNC)
#iptables -A FORWARD -p tcp --dport 5900 -j ACCEPT
#ptables -A FORWARD -p tcp --dport 5800 -j ACCEPT
###############################
######### TABELA NAT ## #######
###############################
# Redireconamento de portas
# VNC Para algum micro (192.168.1.31 = nome da pessoa)
#iptables -t nat -A PREROUTING -d $LanExt -p tcp --dport 5900 -j DNAT --to 192.168.0.77:5900
# Mascaramento de rede para acesso externo #
# iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE
#Bloqueia todo o resto
#iptables -A INPUT -p tcp -j LOG --log-level 6 --log-prefix "FIREWALL: GERAL "
iptables -A INPUT -p tcp --syn -j DROP
iptables -A INPUT -p tcp -j DROP
iptables -A INPUT -p udp -j DROP
}
##################
### Função STOP ##
##################
firewall_stop() {
echo "Parando firewall e funcionando apenas com mascaramento ........................[ OK ]"
# Limpa as regras #
iptables -X
iptables -Z
iptables -F INPUT
iptables -F OUTPUT
iptables -F FORWARD
iptables -F -t nat
iptables -F -t mangle
# Politicas padrao #
iptables -t filter -P INPUT ACCEPT
iptables -t filter -P OUTPUT ACCEPT
iptables -t filter -P FORWARD ACCEPT
iptables -t nat -P PREROUTING ACCEPT
iptables -t nat -P OUTPUT ACCEPT
iptables -t nat -P POSTROUTING ACCEPT
iptables -t mangle -P PREROUTING ACCEPT
iptables -t mangle -P OUTPUT ACCEPT
# Manter conexoes jah estabelecidas para nao parar
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# Aceita todo o trafego vindo do loopback e indo pro loopback
iptables -t filter -A INPUT -i lo -j ACCEPT
###############################
# TABELA Forward #
###############################
### MSN ###
# Libera msn para o IP #
# nome
#iptables -A FORWARD -s 192.168.0.34 -p tcp --dport 1863 -j ACCEPT
# nome
#iptables -A FORWARD -s 192.168.0.5 -p tcp --dport 1863 -j ACCEPT
# Bloqueio de MSN #
#iptables -A FORWARD -s 192.168.1.0 -p tcp --dport 1863 -j DROP
#iptables -A FORWARD -s 192.168.1.0 -d loginnet.passport.com -j DROP
#iptables -A FORWARD -s 198.164.1.0/24 -p tcp --dport 1863 -j DROP
#iptables -A FORWARD -s 198.164.1.0/24 -d loginnet.passport.com -j DROP
#iptables -A FORWARD -s 198.164.1.0/24 -d messenger.hotmail.com -j DROP
#iptables -A FORWARD -s 198.164.1.0/24 -d webmessenger.msn.com -j DROP
#iptables -A FORWARD -p tcp --dport 1080 -j DROP
#iptables -A FORWARD -s 198.164.1.0/24 -p tcp --dport 1080 -j DROP
#iptables -A FORWARD -p tcp --dport 1863 -j DROP
#iptables -A FORWARD -d 64.4.13.0/24 -j DROP
###############################
######### TABELA NAT ## #######
###############################
# Mascaramento de rede para acesso externo #
iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE
# Efetivando o PROXY TRANPARENTE
iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 80 -j REDIRECT --to-port 3128 # (Redireciona para o squid) - eth1 -> Placa de rede local
iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 443 -j REDIRECT --to-port 3128
iptables -A INPUT -p tcp --dport 3128 -j ACCEPT
echo "Regras Limpas e Firewall desabilitado ...........................................[ << ATENÇÂO >> FIREWALL DESATIVADO ]"
firewall_restart() {
echo "Reiniciando Firewall.............................................................................[ OK ]"
firewall_stop
sleep 3
firewall_start
echo "Firewall Reiniciado..............................................................................[ OK ]"
}
case "$1" in
'start')
firewall_start
echo "Firewall Iniciado................................................................................[ OK ]"
;;
'stop')
firewall_stop
;;
'restart')
firewall_restart
;;
*)
echo "Opções possíveis:"
echo "firewall start"
echo "firewall stop"
echo "firewall restart"
esac
### <<>> ###
### Meu Proxy ######
###############################################################
# squid.conf (configuração)
# Por Alexandre Starck de Oliveira
# e-mail starck2007@hotmail.com
# Nessa versão é bem diferente as configurações de proxy transparente, não é necessário mais acrescentar essas linhas no arquivo squid.conf:
# httpd_accel_port 80
# httpd_accel_host virtual
# httpd_accel_with_proxy on
# httpd_accel_uses_host_header on
# >> Agora só precisa colocar:
# http_port 3128 transparent vhost vport
# always_direct allow all
# >> O restante da configuração é o padrão do Squid.
http_port 3128 transparent 192.168.10.1:3128
error_directory /usr/share/squid3/errors/pt-br
visible_hostname Servidor # como root digite hostname
dns_nameservers 200.149.55.140 200.165.132.147 # padrão "TELEMAR".Em caso de dúvida ligar para velox para fornecer seu número de DNS....
always_direct allow all A
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl SSL_ports port 443 563
acl Safe_ports port 21 22 80 139 443 563 70 210 280 488 59 777 901 1025-65535
acl purge method PURGE
acl CONNECT method CONNECT
http_access allow manager localhost
http_access deny manager
http_access allow purge localhost
http_access deny purge
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
# Aqui entram todas as ACL's
# *** Define a lista de palavras impróprias
acl palavras dstdomain -i "/etc/squid/list/palavras"
http_access deny palavras
# *** Define a lista de sites impróprios
acl sites url_regex -i "/etc/squid/list/sites"
http_access deny sites
acl Rede src 192.168.10.0/24
http_access allow localhost
http_access allow Rede
http_access deny all
# OBS: Não esquecendo de inserir os DNS's,IP's e GATEWAY nas "Máquinas Virtuais".
# IMPORTANTE: Usar cabo "crossouver" para as máquinas locais <>.
###<<<< FIM >>>>###
# Firewall,configurado e montado por: Alexandre Starck de Oliveira
# Para esse arquivo ser iniciado no boot deve ser colocado de acordo com as regras abaixo:
### 1º)-Dar permissão de arquivo executável Ex: chmod +x /etc/init.d/firewall
### 2º)-Primeira opção,para ser iniciado no boot.Colocar o diretório completo no arquivo rc.local Ex:
# vim /etc/rc.local
# /etc/init.d/firewall # esse diretório deve ser colocado na última linha do arquivo rc.local
### 3º)-Outra opção é criar um link simbólico. Ex: ln -s /etc/init.d/firewall /etc/rc5.d/S99Firewall
# O link apontará para o arquivo /etc/init.d/firewall, que é o nosso script, o S99 do arquivo de link significa:
# o "S" de Start (iniciar) e o 99 é a ordem que ele será executado juntamente com o sistema.
echo 1 > /proc/sys/net/ipv4/ip_forward
# Variáveris #
LanInt=192.168.10.1/24
Rede=192.168.10.0/24 # minha rede local
# Módulos #
/sbin/modprobe ip_tables
/sbin/modprobe ip_conntrack
/sbin/modprobe iptable_filter
/sbin/modprobe iptable_mangle
/sbin/modprobe iptable_nat
/sbin/modprobe ipt_LOG
/sbin/modprobe ipt_limit
/sbin/modprobe ipt_state
/sbin/modprobe ipt_REDIRECT
/sbin/modprobe ipt_owner
/sbin/modprobe ipt_REJECT
/sbin/modprobe ipt_MASQUERADE
/sbin/modprobe ip_conntrack_ftp
/sbin/modprobe ip_nat_ftp
####################
### Função START ###
####################
firewall_start() {
echo "Iniciando o Firewall.......................[ OK ]"
# Limpa as regras #
iptables -X
iptables -Z
iptables -F INPUT
iptables -F OUTPUT
iptables -F FORWARD
iptables -F -t nat
iptables -F -t mangle
# Politicas padrao #
iptables -t filter -P INPUT DROP
iptables -t filter -P OUTPUT ACCEPT
iptables -t filter -P FORWARD DROP
iptables -t nat -P PREROUTING ACCEPT
iptables -t nat -P OUTPUT ACCEPT
iptables -t nat -P POSTROUTING ACCEPT
iptables -t mangle -P PREROUTING ACCEPT
iptables -t mangle -P OUTPUT ACCEPT
# Manter conexoes jah estabelecidas para nao parar
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# Aceita todo o trafego vindo do loopback e indo pro loopback
iptables -t filter -A INPUT -i lo -j ACCEPT
#######################
### LOG DO FIREWALL ###
#######################
#iptables -A INPUT -d $LanExt -p tcp --dport 22 -j LOG --log-level 6 --log-prefix "FIREWALL: SSH EXT 22"
#iptables -A INPUT -d $LanExt -p tcp --dport 21 -j LOG --log-level 6 --log-prefix "FIREWALL: FTP EXT 21"
#iptables -A INPUT -d $LanInt -p tcp --dport 22 -j LOG --log-level 6 --log-prefix "FIREWALL: SSH INT 22"
#iptables -A INPUT -d $LanInt -p tcp --dport 21 -j LOG --log-level 6 --log-prefix "FIREWALL: FTP INT 21"
###############################
# Proteções #
###############################
# Protege contra os "Ping of Death"
iptables -A INPUT -p icmp --icmp-type echo-request -m limit --limit 20/m -j ACCEPT
iptables -A FORWARD -p icmp --icmp-type echo-request -m limit --limit 20/m -j ACCEPT
# Protege contra port scanners avançados (Ex.: nmap)
iptables -A INPUT -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit 20/m -j ACCEPT
# Bloqueando tracertroute
iptables -A INPUT -p udp -s 0/0 -i eth1 --dport 33435:33525 -j REJECT
# Protecoes contra ataques
iptables -A INPUT -m state --state INVALID -j REJECT
###############################
# TABELA Input #
###############################
### Destino Externo ###
# Liberando Porta 22 (SSH)
#iptables -A INPUT -d $LanExt -p tcp --dport 22 -j LOG --log-level 6 --log-prefix "FIREWALL: SSH EXT 2222"
iptables -A INPUT -d $LanExt -p tcp --dport 22 -j ACCEPT
# Liberando Porta 21 (ftp)
#iptables -A INPUT -d $LanExt -p tcp --dport 21 -j LOG --log-level 6 --log-prefix "FIREWALL: FTP EXT 21"
iptables -A INPUT -d $LanExt -p tcp --dport 21 -j ACCEPT
### Destino Interno ###
# Liberando Porta 22 (SSH)
#iptables -A INPUT -d $LanInt -p tcp --dport 22 -j LOG --log-level 6 --log-prefix "FIREWALL: SSH INT 22"
iptables -A INPUT -d $LanInt -p tcp --dport 22 -j ACCEPT
# Liberando porta 3128 (Squid)
iptables -A INPUT -d $LanInt -p tcp --dport 3128 -j ACCEPT
# Liberando Porta 80 (http)
#iptables -A INPUT -d $LanInt -p tcp --dport 80 -j LOG --log-level 6 --log-prefix "FIREWALL: HTTP INT 80"
iptables -A INPUT -d $LanInt -p tcp --dport 80 -j ACCEPT
# Liberando Porta 21 (ftp)
#iptables -A INPUT -d $LanInt -p tcp --dport 21 -j LOG --log-level 6 --log-prefix "FIREWALL: FTP INT 21"
iptables -A INPUT -d $LanInt -p tcp --dport 21 -j ACCEPT
# Liberando porta 3000 (NTOP)
iptables -A INPUT -d $LanInt -p tcp --dport 3000 -j ACCEPT
###############################
# TABELA Forward #
###############################
# Libera computador das regras do firewall
iptables -A FORWARD -s 192.168.4.13 -p tcp -j ACCEPT
iptables -A FORWARD -s 192.168.4.13 -p udp -j ACCEPT
### MSN ###
# Libera msn para o IP #
# nome
iptables -A FORWARD -s 192.168.4.11 -p tcp --dport 1863 -j ACCEPT
# Bloqueio de MSN #
#iptables -A FORWARD -s 192.168.4.0 -p tcp --dport 1863 -j DROP
#iptables -A FORWARD -s 192.168.4.0 -d loginnet.passport.com -j DROP
#iptables -A FORWARD -s 198.164.4.0/24 -p tcp --dport 1863 -j DROP
#iptables -A FORWARD -s 198.164.4.0/24 -d loginnet.passport.com -j DROP
#iptables -A FORWARD -s 198.164.4.0/24 -d messenger.hotmail.com -j DROP
#iptables -A FORWARD -s 198.164.4.0/24 -d webmessenger.msn.com -j DROP
#iptables -A FORWARD -p tcp --dport 1080 -j DROP
#iptables -A FORWARD -s 198.164.4.0/24 -p tcp --dport 1080 -j DROP
#iptables -A FORWARD -p tcp --dport 1863 -j DROP
#iptables -A FORWARD -d 64.4.13.0/24 -j DROP
# Liberando Porta 2222 (SSH)
iptables -A FORWARD -s $Rede -p tcp --dport 2222 -j ACCEPT
# Liberando Porta 22 (SSH)
iptables -A FORWARD -s $Rede -p tcp --dport 22 -j ACCEPT
# Liberando Porta 110 (pop-3)
iptables -A FORWARD -s $Rede -p tcp --dport 110 -j ACCEPT
# Liberando Porta 995 (spop-3)
iptables -A FORWARD -s $Rede -p tcp --dport 995 -j ACCEPT
# Liberando Porta 25 (smtp)
iptables -A FORWARD -s $Rede -p tcp --dport 25 -j ACCEPT
# Liberando Porta 465 (smtp-s)
iptables -A FORWARD -s $Rede -p tcp --dport 465 -j ACCEPT
# Liberando Porta 2121 (ftp)
iptables -A FORWARD -s $Rede -p tcp --dport 2121 -j ACCEPT
# Liberando Porta 21 (ftp)
iptables -A FORWARD -s $Rede -p udp --dport 21 -j ACCEPT
iptables -A FORWARD -s $Rede -p udp --dport 20 -j ACCEPT
# Liberando porta 53 (DNS)
iptables -A FORWARD -s $Rede -p tcp --dport 53 -j ACCEPT
iptables -A FORWARD -s $Rede -p udp --dport 53 -j ACCEPT
# Regras forward para o funcionamento de redirecionamento de portas (NAT)
# Redirecionando porta 5900 (VNC)
#iptables -A FORWARD -p tcp --dport 5900 -j ACCEPT
#ptables -A FORWARD -p tcp --dport 5800 -j ACCEPT
###############################
######### TABELA NAT ## #######
###############################
# Redireconamento de portas
# VNC Para algum micro (192.168.1.31 = nome da pessoa)
#iptables -t nat -A PREROUTING -d $LanExt -p tcp --dport 5900 -j DNAT --to 192.168.0.77:5900
# Mascaramento de rede para acesso externo #
# iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE
#Bloqueia todo o resto
#iptables -A INPUT -p tcp -j LOG --log-level 6 --log-prefix "FIREWALL: GERAL "
iptables -A INPUT -p tcp --syn -j DROP
iptables -A INPUT -p tcp -j DROP
iptables -A INPUT -p udp -j DROP
}
##################
### Função STOP ##
##################
firewall_stop() {
echo "Parando firewall e funcionando apenas com mascaramento ........................[ OK ]"
# Limpa as regras #
iptables -X
iptables -Z
iptables -F INPUT
iptables -F OUTPUT
iptables -F FORWARD
iptables -F -t nat
iptables -F -t mangle
# Politicas padrao #
iptables -t filter -P INPUT ACCEPT
iptables -t filter -P OUTPUT ACCEPT
iptables -t filter -P FORWARD ACCEPT
iptables -t nat -P PREROUTING ACCEPT
iptables -t nat -P OUTPUT ACCEPT
iptables -t nat -P POSTROUTING ACCEPT
iptables -t mangle -P PREROUTING ACCEPT
iptables -t mangle -P OUTPUT ACCEPT
# Manter conexoes jah estabelecidas para nao parar
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# Aceita todo o trafego vindo do loopback e indo pro loopback
iptables -t filter -A INPUT -i lo -j ACCEPT
###############################
# TABELA Forward #
###############################
### MSN ###
# Libera msn para o IP #
# nome
#iptables -A FORWARD -s 192.168.0.34 -p tcp --dport 1863 -j ACCEPT
# nome
#iptables -A FORWARD -s 192.168.0.5 -p tcp --dport 1863 -j ACCEPT
# Bloqueio de MSN #
#iptables -A FORWARD -s 192.168.1.0 -p tcp --dport 1863 -j DROP
#iptables -A FORWARD -s 192.168.1.0 -d loginnet.passport.com -j DROP
#iptables -A FORWARD -s 198.164.1.0/24 -p tcp --dport 1863 -j DROP
#iptables -A FORWARD -s 198.164.1.0/24 -d loginnet.passport.com -j DROP
#iptables -A FORWARD -s 198.164.1.0/24 -d messenger.hotmail.com -j DROP
#iptables -A FORWARD -s 198.164.1.0/24 -d webmessenger.msn.com -j DROP
#iptables -A FORWARD -p tcp --dport 1080 -j DROP
#iptables -A FORWARD -s 198.164.1.0/24 -p tcp --dport 1080 -j DROP
#iptables -A FORWARD -p tcp --dport 1863 -j DROP
#iptables -A FORWARD -d 64.4.13.0/24 -j DROP
###############################
######### TABELA NAT ## #######
###############################
# Mascaramento de rede para acesso externo #
iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE
# Efetivando o PROXY TRANPARENTE
iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 80 -j REDIRECT --to-port 3128 # (Redireciona para o squid) - eth1 -> Placa de rede local
iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 443 -j REDIRECT --to-port 3128
iptables -A INPUT -p tcp --dport 3128 -j ACCEPT
echo "Regras Limpas e Firewall desabilitado ...........................................[ << ATENÇÂO >> FIREWALL DESATIVADO ]"
firewall_restart() {
echo "Reiniciando Firewall.............................................................................[ OK ]"
firewall_stop
sleep 3
firewall_start
echo "Firewall Reiniciado..............................................................................[ OK ]"
}
case "$1" in
'start')
firewall_start
echo "Firewall Iniciado................................................................................[ OK ]"
;;
'stop')
firewall_stop
;;
'restart')
firewall_restart
;;
*)
echo "Opções possíveis:"
echo "firewall start"
echo "firewall stop"
echo "firewall restart"
esac
### <<
### Meu Proxy ######
###############################################################
# squid.conf (configuração)
# Por Alexandre Starck de Oliveira
# e-mail starck2007@hotmail.com
# Nessa versão é bem diferente as configurações de proxy transparente, não é necessário mais acrescentar essas linhas no arquivo squid.conf:
# httpd_accel_port 80
# httpd_accel_host virtual
# httpd_accel_with_proxy on
# httpd_accel_uses_host_header on
# >> Agora só precisa colocar:
# http_port 3128 transparent vhost vport
# always_direct allow all
# >> O restante da configuração é o padrão do Squid.
http_port 3128 transparent 192.168.10.1:3128
error_directory /usr/share/squid3/errors/pt-br
visible_hostname Servidor # como root digite hostname
dns_nameservers 200.149.55.140 200.165.132.147 # padrão "TELEMAR".Em caso de dúvida ligar para velox para fornecer seu número de DNS....
always_direct allow all A
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl SSL_ports port 443 563
acl Safe_ports port 21 22 80 139 443 563 70 210 280 488 59 777 901 1025-65535
acl purge method PURGE
acl CONNECT method CONNECT
http_access allow manager localhost
http_access deny manager
http_access allow purge localhost
http_access deny purge
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
# Aqui entram todas as ACL's
# *** Define a lista de palavras impróprias
acl palavras dstdomain -i "/etc/squid/list/palavras"
http_access deny palavras
# *** Define a lista de sites impróprios
acl sites url_regex -i "/etc/squid/list/sites"
http_access deny sites
acl Rede src 192.168.10.0/24
http_access allow localhost
http_access allow Rede
http_access deny all
# OBS: Não esquecendo de inserir os DNS's,IP's e GATEWAY nas "Máquinas Virtuais".
###<<<< FIM >>>>###
Nenhum comentário:
Postar um comentário