|
| 1 | +#!/bin/bash |
| 2 | + |
| 3 | +RANGEBRASIL="/usr/RANGE_BRASIL" |
| 4 | +CONFIG="/usr/firewall.conf" |
| 5 | +IPTABLES=/sbin/iptables |
| 6 | + |
| 7 | + service fail2ban stop |
| 8 | + |
| 9 | + echo "" |
| 10 | + echo "#######################################" |
| 11 | + echo "########## FIREWALL ERIX 2.0 ##########" |
| 12 | + echo "#######################################" |
| 13 | + echo "" |
| 14 | + |
| 15 | +# Limpar Tabela |
| 16 | + # Limpa todas as Rules em todas as tabelas |
| 17 | + $IPTABLES -t filter -F |
| 18 | + $IPTABLES -t nat -F |
| 19 | + $IPTABLES -t mangle -F |
| 20 | + # Remove todas as Chains em todas as tabelas |
| 21 | + $IPTABLES -t filter -X |
| 22 | + $IPTABLES -t nat -X |
| 23 | + $IPTABLES -t mangle -X |
| 24 | + #Zera todos os contadores de todas as Chains em todas as tabelas |
| 25 | + $IPTABLES -t filter -Z |
| 26 | + $IPTABLES -t nat -Z |
| 27 | + $IPTABLES -t mangle -Z |
| 28 | + echo "" |
| 29 | + echo "##### ZERANDO TODAS AS REGRAS..............[OK]" |
| 30 | +# Carrega os modulos |
| 31 | + modprobe ip_tables |
| 32 | + modprobe iptable_filter |
| 33 | + modprobe iptable_mangle |
| 34 | + modprobe iptable_nat |
| 35 | + modprobe ipt_MASQUERADE |
| 36 | + |
| 37 | +#libera ping no kernel, pode ser trocado o valor para 1 para desabilitar o ping |
| 38 | + echo "0" > /proc/sys/net/ipv4/icmp_echo_ignore_all |
| 39 | + |
| 40 | +#estabelece syn_cookie para evitar ataque de syn_flood |
| 41 | + echo "1" > /proc/sys/net/ipv4/tcp_syncookies |
| 42 | + |
| 43 | +# Protege contra IP spoofing: |
| 44 | + echo 1 > /proc/sys/net/ipv4/conf/default/rp_filter |
| 45 | + |
| 46 | +# Descarta pacotes malformados, protegendo contra ataques diversos: |
| 47 | + $IPTABLES -I INPUT -m state --state INVALID -j DROP |
| 48 | + |
| 49 | +# Libera loopback e conexoes iniciadas pelo servidor |
| 50 | + $IPTABLES -I INPUT -d 127.0.0.1 -j ACCEPT |
| 51 | + $IPTABLES -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT |
| 52 | + $IPTABLES -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT |
| 53 | + |
| 54 | + echo "" |
| 55 | + echo "##### CARREGANDO POLITICAS PADRAO DAS TABELAS" |
| 56 | + |
| 57 | + |
| 58 | +# Define a politica DEFAULT das TABELAS |
| 59 | + $IPTABLES -P INPUT DROP |
| 60 | + $IPTABLES -P OUTPUT ACCEPT |
| 61 | + $IPTABLES -P FORWARD DROP |
| 62 | + |
| 63 | + echo "##### POLITICAS PADRAO DAS TABELAS.........[OK] " |
| 64 | + |
| 65 | + echo "" |
| 66 | + echo "##### CARREGANDO REGRAS DO ARQUIVO DE CONFIGURACAO" |
| 67 | + |
| 68 | + |
| 69 | +# LIBERANDO BITRIX 24 |
| 70 | + $IPTABLES -I INPUT -p ALL -s erimat.bitrix24.com.br -j ACCEPT |
| 71 | + |
| 72 | +sed 1d $CONFIG | while read i;do |
| 73 | +IP=$(echo $i | awk '{print $1;}') |
| 74 | +proto=$(echo $i | awk '{print $2;}') |
| 75 | +ports=$(echo $i | awk '{print $3;}') |
| 76 | + |
| 77 | +if [ "${IP}" = "BRASIL" ] |
| 78 | +then |
| 79 | + for j in `cat $RANGEBRASIL`; do |
| 80 | + $IPTABLES -A INPUT -p tcp -m multiport --dports 80,22,3306,4445,2608,48805,44276,2611,443,5060,5061,10000:20000 -s $j -j ACCEPT |
| 81 | + $IPTABLES -A INPUT -p udp -m multiport --dports 80,22,3306,4445,2608,48805,44276,2611,443,5060,5061,10000:20000 -s $j -j ACCEPT |
| 82 | + done |
| 83 | + |
| 84 | +elif [ "${proto}" = "all" ] || [ "${proto}" = "icmp" ] |
| 85 | +then |
| 86 | + $IPTABLES -A INPUT -p ${proto} -s ${IP} -j ACCEPT |
| 87 | + |
| 88 | +else |
| 89 | + $IPTABLES -A INPUT -p ${proto} -m multiport --dports ${ports} -s ${IP} -j ACCEPT |
| 90 | +fi |
| 91 | + |
| 92 | + |
| 93 | +done |
| 94 | + |
| 95 | + echo "##### REGRAS DO ARQUIVO DE CONFIGURACAO....[OK]" |
| 96 | + echo "" |
| 97 | + |
| 98 | + echo "INICIANDO FAIL2BAN" |
| 99 | + echo "" |
| 100 | + |
| 101 | + service fail2ban start |
| 102 | + |
| 103 | + echo "######################################" |
| 104 | + echo "########## FIREWALL ATIVADO ##########" |
| 105 | + echo "######################################" |
| 106 | + echo "" |
| 107 | + |
| 108 | +#### ESPACO RESERVADO A REGRAS CUSTOMIZADAS |
0 commit comments