#!/bin/sh

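. /etc/iptables/paths
. /etc/iptables/networks
. /etc/iptables/aliases

# Everything below expects these names from the sourced files. Fail here
# rather than run iptables with empty arguments, which would leave a
# half-built ruleset behind and still switch forwarding back on at the end.
: "${IPTABLES:?not set by /etc/iptables/*}"
: "${LOCAL_IF:?not set by /etc/iptables/*}"
: "${INTERNET_IF:?not set by /etc/iptables/*}"
: "${LOCAL_NET:?not set by /etc/iptables/*}"
: "${INTERNET_IP:?not set by /etc/iptables/*}"
: "${LOG:?not set by /etc/iptables/*}"

## stop everything: no routing between interfaces while the rules are rebuilt.
# Keep the space before '>': "echo 0>file" redirects fd 0 and writes nothing.
echo 0 > /proc/sys/net/ipv4/ip_forward

### flush all rules and delete user-defined chains in every table.
# -F/-X leave chain policies untouched; policies are set explicitly per
# chain further down. Only IPv4 is handled by this script (the ipv4 sysctl
# and the tables of $IPTABLES); ip6tables is not touched here.
$IPTABLES -F && $IPTABLES -X
$IPTABLES -F -t nat && $IPTABLES -X -t nat
$IPTABLES -F -t mangle && $IPTABLES -X -t mangle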

#------------------------- FILTER
IPT="$IPTABLES -t filter"
#########################################################################
############################## INPUT  ####################################
##########################################################################
CHAIN=INPUT
DEFAULTPOLICY=DROP
ADD="$IPT -A $CHAIN"
# input_rule ARGS... : append one rule to the INPUT chain
input_rule() { $ADD "$@"; }

# Anything addressed to local processes that no rule below accepts is
# dropped; this also closes the tunnel endpoint until it is allowed below.
$IPT -P $CHAIN $DEFAULTPOLICY

# Packets that belong (or are related) to a connection already tracked.
input_rule -m state --state ESTABLISHED,RELATED -j ACCEPT

# Loopback traffic (several local programs rely on it).
input_rule -i lo -j ACCEPT
#iptables -A OUTPUT -o lo -j ACCEPT

# IP-in-IP (ipencap) arriving on the internet side: the protocol the
# tunnel runs over.
input_rule -i $INTERNET_IF -p ipencap -j ACCEPT
#iptables -A OUTPUT -o eth0 -p ipencap -j ACCEPT

# SSH to the firewall itself, only from the local network: log, then accept.
# $LOG comes from the sourced aliases; presumably a LOG target plus
# --log-prefix, since the next word is the prefix text -- verify there.
input_rule -i $LOCAL_IF -s $LOCAL_NET -p tcp --dport 22 -j $LOG "SSH_local "
input_rule -i $LOCAL_IF -s $LOCAL_NET -p tcp --dport 22 -j ACCEPT

# Everything else: log per interface, then REJECT on the LAN side (local
# hosts get an ICMP error back) and silently DROP on the internet side.
input_rule -i $LOCAL_IF -j $LOG "INPUT_DROP_local "
input_rule -i $INTERNET_IF -j $LOG "INPUT_DROP_internet "
input_rule -i $LOCAL_IF -j REJECT
input_rule -i $INTERNET_IF -j DROP
input_rule -j DROP


#----
CHAIN=OUTPUT DEFAULTPOLICY=ACCEPT
ADD="$IPT -A $CHAIN"

# Locally generated traffic is not filtered: policy ACCEPT and no rules.
$IPT -P $CHAIN $DEFAULTPOLICY


####################################
########################   forward  ###########
##############################
#----
CHAIN=FORWARD
DEFAULTPOLICY=DROP
ADD="$IPT -A $CHAIN"
# forward_rule ARGS... : append one rule to the FORWARD chain
forward_rule() { $ADD "$@"; }

# Nothing is routed between the interfaces unless a rule below accepts it.
$IPT -P $CHAIN $DEFAULTPOLICY

# Return traffic of connections the firewall already tracks.
forward_rule -m state --state ESTABLISHED,RELATED -j ACCEPT

# Per-service rules, disabled and kept for reference; they would be the
# starting point for a policy tighter than the blanket rule at the end.
# DNS
# $ADD -i $LOCAL_IF -o $INTERNET_IF -p udp --dport 53 -m state --state NEW -j ACCEPT
# HTTP
# $ADD -i $LOCAL_IF -o $INTERNET_IF -p tcp --dport 80 -m state --state NEW -j ACCEPT
# icmp ping
# $ADD -i $LOCAL_IF -o $INTERNET_IF -p icmp --icmp-type echo-request -m state --state NEW -j ACCEPT

# Internet access for the internal network: anything entering on the LAN
# interface with a LOCAL_NET source may leave on the internet interface
# (the -s match keeps LAN hosts from forwarding with foreign sources).
forward_rule -i $LOCAL_IF -o $INTERNET_IF -s $LOCAL_NET -j ACCEPT

#------------------------------ END FILTER

##########################################################################
############################ nat ######################################
##########################################################################
#------------------------------ NAT
IPT="$IPTABLES -t nat"

#----
CHAIN=PREROUTING DEFAULTPOLICY=ACCEPT
ADD="$IPT -A $CHAIN"

# No destination NAT / port forwarding is configured: ACCEPT, no rules.
$IPT -P $CHAIN $DEFAULTPOLICY

#----
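CHAIN=POSTROUTING
DEFAULTPOLICY=ACCEPT
ADD="$IPT -A $CHAIN"

# Every other chain in this script sets its policy explicitly, and the
# -F/-X at the top do not reset policies; do the same here instead of
# inheriting whatever policy was active before the script ran.
$IPT -P $CHAIN $DEFAULTPOLICY

# Source NAT: packets from the local network leaving on the internet
# interface get the firewall's public address as their source.
$ADD -o $INTERNET_IF -s $LOCAL_NET -j SNAT --to $INTERNET_IP # source NAT

## when the public address is not static, use MASQUERADE instead of SNAT.
## NOTE(review): the disabled rule originally matched "-o $LOCAL_NET";
## -o takes an interface, so it most likely meant -o $INTERNET_IF -- verify
## before enabling it.
# $ADD -o $INTERNET_IF -s $LOCAL_NET -j MASQUERADE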


##########################################################################

#----
CHAIN=OUTPUT DEFAULTPOLICY=ACCEPT
ADD="$IPT -A $CHAIN"

# No NAT for locally generated packets: ACCEPT, no rules.
$IPT -P $CHAIN $DEFAULTPOLICY


#------------------------------ END NAT

#------------------------------ MANGLE
IPT="$IPTABLES -t mangle"

#----
CHAIN=PREROUTING DEFAULTPOLICY=ACCEPT
ADD="$IPT -A $CHAIN"

# No packet marking/alteration on the way in: ACCEPT, no rules.
$IPT -P $CHAIN $DEFAULTPOLICY


#----
CHAIN=OUTPUT DEFAULTPOLICY=ACCEPT
ADD="$IPT -A $CHAIN"

# No mangling of locally generated packets: ACCEPT, no rules.
$IPT -P $CHAIN $DEFAULTPOLICY


#------------------------------ END MANGLE


#------------------------------ AFTER SETTING UP IPTABLES

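# Turn forwarding back on, now that the FORWARD chain is in place.
# Report the failure instead of exiting 0 with routing still disabled.
if ! echo 1 > /proc/sys/net/ipv4/ip_forward; then
  printf '%s\n' "${0##*/}: cannot enable IPv4 forwarding" >&2
  exit 1
fi

exit 0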

