Adicione ao final do arquivo bootmisc.sh em /etc/init.d
modprobe iptable_nat
modprobe ip_nat_ftp
echo 1 > /proc/sys/net/ipv4/ip_forward
iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 3128
iptables -A INPUT -p tcp --syn -s 192.168.187.0/255.255.255.0 -j ACCEPT # Coloque o IP da sua rede
iptables -A INPUT -p tcp --syn -s 192.168.100.0/255.255.255.0 -j ACCEPT # Coloque o IP da sua rede
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p tcp --destination-port 21 -j ACCEPT
iptables -A INPUT -p tcp --destination-port 110 -j DROP
iptables -A INPUT -p tcp --destination-port 2535 -j DROP
iptables -A INPUT -p tcp --destination-port 139 -j DROP
iptables -A OUTPUT -p tcp --destination-port 139 -j DROP
# permite especificar determinadas portas que vão permanecer abertas
iptables -A INPUT -p tcp --dport 2756 -m iprange --src-range 192.168.187.0-192.168.187.255 -j ACCEPT
iptables -A INPUT -p tcp --dport 2756 -j DENY
iptables -A INPUT -p tcp --dport 2791 -m iprange --src-range 192.168.187.0-192.168.187.255 -j ACCEPT
iptables -A INPUT -p tcp --dport 2791 -j DENY
iptables -A INPUT -p tcp --dport 3011 -m iprange --src-range 192.168.187.0-192.168.187.255 -j ACCEPT
iptables -A INPUT -p tcp --dport 3011 -j DENY
iptables -A INPUT -p tcp --dport 4891 -m iprange --src-range 192.168.187.0-192.168.187.255 -j ACCEPT
iptables -A INPUT -p tcp --dport 4891 -j DENY
echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_all # Ignora pings
echo "1" > /proc/sys/net/ipv4/tcp_syncookies # Protege contra synflood
echo "0" > /proc/sys/net/ipv4/conf/eth0/accept_source_route # Desabilita o suporte a source routed packets
echo "0" > /proc/sys/net/ipv4/conf/eth1/accept_source_route # Desabilita o suporte a source routed packets
echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts # Proteção contra ICMP
# Proteções diversas contra portscanners, ping of death, ataques DoS, etc.
iptables -A FORWARD -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT
iptables -A FORWARD -p tcp -m limit --limit 1/s -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit 1/s -j ACCEPT
iptables -A FORWARD --protocol tcp --tcp-flags ALL SYN,ACK -j DROP
iptables -A FORWARD -m unclean -j DROP
iptables -A INPUT -m state --state INVALID -j DROP
iptables -N VALID_CHECK
iptables -A VALID_CHECK -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP
iptables -A VALID_CHECK -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP
iptables -A VALID_CHECK -p tcp --tcp-flags ALL ALL -j DROP
iptables -A VALID_CHECK -p tcp --tcp-flags ALL FIN -j DROP
iptables -A VALID_CHECK -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
iptables -A VALID_CHECK -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
iptables -A VALID_CHECK -p tcp --tcp-flags ALL NONE -j DROP
iptables -A INPUT -p tcp --syn -s 127.0.0.1/255.0.0.0 -j ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -p tcp -i eth0 --dport ssh -j DROP
iptables -A INPUT -j DROP
iptables -A INPUT -p tcp --syn -j DROP
iptables -A INPUT -p udp -j DROP
iptables -I INPUT 5 -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7
# ela bloqueia qualquer conexão que não tenha sido permitida acima, justamente por isso ela é a última da cadeia.
iptables -A INPUT -p tcp --syn -j DROP
}
firewall_stop(){
iptables -F
iptables -X
iptables -P INPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -P OUTPUT ACCEPT
}
case "$1" in
"start")
firewall_start
;;
"stop")
firewall_stop
echo "O kurumin-firewall está sendo desativado"
sleep 2
echo "ok."
;;
"restart")
echo "O kurumin-firewall está sendo desativado"
sleep 1
echo "ok."
firewall_stop; firewall_start
;;
*)
iptables -L -n
esac
