
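#!/bin/sh
# Enables the firewall and Internet connection sharing (NAT) for the LAN.
# Must run as root. EXT_IF selects the Internet-facing interface; it defaults
# to eth3, which the original note warns may be eth0 on another machine.
#
# The rules below are appended (-A) to whatever is already loaded: nothing is
# flushed first and no default policy is set. Failures are only printed
# (there is no set -e), so check the output when running it.

echo "ativando o firewall e compartilhamento da internet"

# Internet-facing interface, overridable from the environment.
EXT_IF="${EXT_IF:-eth3}"

# Load the netfilter modules. The page printed "modproble iptables"; the
# filter module is ip_tables, and iptable_nat provides the nat table.
modprobe ip_tables
modprobe iptable_nat

# Share the connection: masquerade everything leaving on EXT_IF and enable
# IPv4 forwarding.
iptables -t nat -A POSTROUTING -o "$EXT_IF" -j MASQUERADE
echo 1 > /proc/sys/net/ipv4/ip_forward

# Drop malformed forwarded packets.
# NOTE(review): the "unclean" match is an old experimental module that may not
# be present on current kernels; if it is missing this command fails and the
# script carries on without it - confirm on the target host.
iptables -A FORWARD -m unclean -j DROP

# Accept inbound TCP connections to one port (appended to INPUT).
# $1 - destination port
open_tcp_port() {
  iptables -A INPUT -p tcp --destination-port "$1" -j ACCEPT
}

# Open a few ports (optional).
for port in 22 1021 1080 10000; do
  open_tcp_port "$port"
done

# Let the local network reach the external network.
# NOTE(review): the page prints this rule as "--sys -s 192.168.0.0" and then
# stops: "--syn" is the real tcp option, but no netmask and no -j target
# survive, so as written the rule only counts matching packets. Complete it
# from the original before relying on it.
iptables -A INPUT -p tcp --syn -s 192.168.0.0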
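#!/bin/bash
#
# Commented iptables rule set: the same filter rules applied to INPUT,
# FORWARD and OUTPUT on a single interface.
#
# For each chain the commands run in this order:
#   -A  tcp  --dport 0:1024        DROP    (privileged ports closed)
#   -A  icmp echo-request          DROP    (no ping replies)
#   -I  tcp  --dport <port>        ACCEPT  (one per allowed port)
#   -I  LOG                                (last inserted, so first in chain)
# Because -I inserts at position 1, the chain ends up as: LOG, the ACCEPTs
# (last port first), DROP 0:1024, DROP echo-request.
#
# The default-policy lines (-P ... DROP) are kept commented out exactly as in
# the original, so traffic that matches nothing above still falls through to
# the built-in ACCEPT policy.
#
# The page had the section labels and the "#" markers separated; as printed,
# "REGRAS PARA IPTABLES" / "PARA ENTRADA" / ... would have run as commands.
# They are comments again here.

# Interface the rules apply to, overridable from the environment.
IFACE="${IFACE:-eth0}"

# Apply the rule set to one chain.
# $1 - chain name (INPUT, FORWARD or OUTPUT)
# $2 - interface option for that chain: -i for inbound, -o for outbound
# $3... - TCP destination ports to ACCEPT, inserted in the order given
setup_chain() {
  local chain=$1 ifopt=$2 port
  shift 2
  iptables -t filter -A "$chain" "$ifopt" "$IFACE" -p tcp --dport 0:1024 -j DROP
  iptables -t filter -A "$chain" "$ifopt" "$IFACE" -p icmp --icmp-type echo-request -j DROP
  for port in "$@"; do
    iptables -t filter -I "$chain" "$ifopt" "$IFACE" -p tcp --dport "$port" -j ACCEPT
  done
  # NOTE(review): logs every packet reaching the chain with no rate limit
  # (-m limit) and no --log-prefix; under load this can flood the syslog.
  iptables -t filter -I "$chain" "$ifopt" "$IFACE" -j LOG
}

# REGRAS PARA IPTABLES

# PARA ENTRADA (inbound)
setup_chain INPUT -i 21 22
#iptables -t filter -P INPUT DROP

# PARA ROTEAMENTO (forwarded)
setup_chain FORWARD -i 21 22
#iptables -t filter -P FORWARD DROP

# PARA SAIDA (outbound; also allows port 80)
setup_chain OUTPUT -o 21 22 80
#iptables -t filter -P OUTPUT DROP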

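#!/bin/bash
#
# Script commented in detail: firewall settings shared by the fw_* functions
# that follow (internal/external interface, internal network, iptables path).
#
# Location of the iptables executable. `command -v` is the builtin, portable
# replacement for the external `which` (the original used backticks and a
# trailing ";"). If iptables is not in PATH, IPT stays empty and every
# "$IPT ..." call below fails with "command not found"; a guard such as
# : "${IPT:?iptables not found}" would make that fail fast instead.
IPT=$(command -v iptables)
# Interface on the INTERNAL network
IF_INTERNA="eth0"
# Interface on the EXTERNAL network
IF_EXTERNA="eth1"
# Definition of the internal network
REDE_INTERNA="192.168.1.0/24"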
fw_start()
{
#ativa o roteamento dinamico
echo 1 > /proc/sys/net/ipv4/ip_forward
echo 1 > /proc/sys/net/ipv4/ip_dynaddr
# ================ POLITICAS PADRAO ===================
$IPT -t filter -P INPUT
DROP
$IPT -t filter -P FORWARD
DROP
$IPT -t filter -P OUTPUT
ACCEPT
$IPT -t nat
-P PREROUTING ACCEPT
$IPT -t nat
-P POSTROUTING ACCEPT
$IPT -t nat
-P OUTPUT
ACCEPT
$IPT -t mangle -P PREROUTING ACCEPT
$IPT -t mangle -P POSTROUTING ACCEPT
$IPT -t mangle -P OUTPUT
ACCEPT
$IPT -t mangle -P INPUT
ACCEPT
$IPT -t mangle -P FORWARD
ACCEPT
# Cria chain com
$IPT -N BLOCK
$IPT -A BLOCK -p
$IPT -A BLOCK -p
$IPT -A BLOCK -p
$IPT -A BLOCK -p
CCEPT
$IPT -A BLOCK -m
$IPT -A BLOCK -m
$IPT -A BLOCK -j
$IPT -A BLOCK -j

regras de segurana
icmp --icmp-type echo-request -j DROP
icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT
tcp -m limit --limit 1/s -j ACCEPT
tcp --tcp-flags SYN,ACK,FIN,RST SYN -m limit --limit 1/s -j A
unclean -j DROP
state --state ESTABLISHED,RELATED -j ACCEPT
LOG --log-prefix "FW_ALERT: "
DROP

# Muda a prioridade dos pacotes (Type Of Service) para agilizar as coisas


$IPT -t mangle -A OUTPUT -o $IF_EXTERNA -p tcp -m multiport --dports 21,22,80,
6667 -j TOS --set-tos 0x10