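#!/bin/sh
#
###
#
# Firewall & Internet-sharing script
# Author: Alex Barrios 
#	 alex@alexertech.com 
#	 28-July-2006
# 
### 

###
# Localhost
#
# LO_IFACE is not referenced by any rule below (the INPUT rule uses the
# literal "lo"); LO_IP is used by the OUTPUT rules.

LO_IFACE="lo"
LO_IP="127.0.0.1"

###
# Local network
#
# NOTE(review): LAN_IP (192.168.2.1) and the DNAT target used further down
# (192.168.2.6) sit in 192.168.2.0/24, while LAN_IP_RANGE and
# LAN_BCAST_ADRESS describe 192.168.0.0/24. One of the two is wrong, and
# every "-s $LAN_IP_RANGE" rule below matches on this value -- confirm
# before deploying. LAN_IP and LAN_BCAST_ADRESS are not referenced by any
# rule in this file.

LAN_IP="192.168.2.1"
LAN_IP_RANGE="192.168.0.0/24"
LAN_BCAST_ADRESS="192.168.0.255"
LAN_IFACE="eth0"

###
# Internet 1
#

INET_IP="10.140.20.17"
INET_IFACE="eth1"

###
# Internet 2
#

INET_IP_2="200.84.176.122"
INET_IFACE_2="eth2"

###
# Location of the iptables binary.
#

IPTABLES="/sbin/iptables"

# Abort before touching anything if iptables is missing or not executable;
# otherwise every rule below fails one by one and the host keeps whatever
# ruleset it had, with no single clear error.
if [ ! -x "$IPTABLES" ]; then
  printf '%s\n' "$IPTABLES: not found or not executable" >&2
  exit 1
fi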


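###
# Default policies for INPUT, FORWARD and OUTPUT
#
# The DROP policies are set *before* the old rules are flushed. Flushing
# first (the original order) leaves the host with an empty ruleset under
# whatever policy was previously active -- wide open if that was ACCEPT --
# for as long as the rest of this script takes to run.

"$IPTABLES" -P INPUT DROP
"$IPTABLES" -P OUTPUT ACCEPT
"$IPTABLES" -P FORWARD DROP

###
# Remove the previous rules
#

echo "Borrando reglas anteriores ..."

# -F flushes the rules, -X removes the (now empty) user-defined chains,
# -Z resets the packet/byte counters. The nat table gets the same
# treatment so that stale chains there do not survive a re-run either.
"$IPTABLES" -F
"$IPTABLES" -X
"$IPTABLES" -Z
"$IPTABLES" -t nat -F
"$IPTABLES" -t nat -X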

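###
# NAT masquerading
#
# Only traffic leaving through the two Internet interfaces is masqueraded.
# The original first rule ("-A POSTROUTING -j MASQUERADE", no -o) rewrote
# the source address of every packet leaving on every interface, the LAN
# included, and the second rule masqueraded LAN-sourced traffic going back
# out onto the LAN itself.

"$IPTABLES" -t nat -A POSTROUTING -o "$INET_IFACE" -j MASQUERADE
"$IPTABLES" -t nat -A POSTROUTING -o "$INET_IFACE_2" -j MASQUERADE

###
# Enable packet forwarding (Linux does not do it by default)
#
# Left disabled, as in the original. Nothing is forwarded or shared until
# ip_forward is set to 1 somewhere -- TODO confirm where that happens
# (this line, sysctl.conf, or a boot script).

# echo "1" > /proc/sys/net/ipv4/ip_forward

###
# Packet redirection
#
# Alternate SSH port: 22000 is rewritten to 22 before the INPUT chain sees
# the packet, so the INPUT "--dport 22" rule is what admits it. There is
# no -i here, so the redirect applies on every interface, LAN and Internet.
"$IPTABLES" -t nat -A PREROUTING -p tcp -m tcp --dport 22000 -j REDIRECT --to-ports 22
# IP camera: port 7880 on the second Internet link is forwarded to the LAN
# host 192.168.2.6:80. After DNAT the packet traverses FORWARD, not INPUT,
# so it must be allowed there.
"$IPTABLES" -t nat -A PREROUTING -p tcp -i "$INET_IFACE_2" --dport 7880 -j DNAT --to-destination 192.168.2.6:80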

###
# ICMP (pings) - user chain icmp_packets
#
# Accepts echo-request, time-exceeded and echo-reply from any source
# ("-s 0/0" is the any-address wildcard). Any other ICMP type sent to this
# chain falls through and returns to the calling chain.

"$IPTABLES" -N icmp_packets
for icmp_type in echo-request time-exceeded echo-reply; do
  "$IPTABLES" -A icmp_packets -p ICMP -s 0/0 --icmp-type "$icmp_type" -j ACCEPT
done

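###
# INPUT rules
#

## Allow
# Replies to connections this host opened are admitted by connection
# tracking. The original admitted them with "--sport N -j ACCEPT" rules
# (22000, 7822, 7880, 80, 6667, 5222, 1836, imap, smtp, udp 53, udp 500);
# a remote host only has to choose one of those source ports to reach any
# local port, which bypasses the whole chain. The "--sport 7880" camera
# rule was also dead: that traffic is DNATed and goes through FORWARD.
"$IPTABLES" -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
"$IPTABLES" -A INPUT -i lo -j ACCEPT
# Trust the LAN range only when it actually arrives on the LAN interface.
# Without -i, a packet from an Internet link carrying a spoofed LAN source
# address would be accepted.
"$IPTABLES" -A INPUT -i "$LAN_IFACE" -s "$LAN_IP_RANGE" -j ACCEPT
"$IPTABLES" -A INPUT -p tcp --dport 80 -j ACCEPT            # Local web server
"$IPTABLES" -A INPUT -p tcp --dport 113 -j ACCEPT           # AUTH service
"$IPTABLES" -A INPUT -p tcp --dport 22 -j ACCEPT            # SSH (22000 is REDIRECTed here)
"$IPTABLES" -A INPUT -p ICMP -j icmp_packets                # Pings
# The original "udp --sport 500" rule was marked "?" by the author. If an
# inbound service on UDP 500 is actually required, add an explicit
# "--dport 500" rule here rather than reintroducing the sport match.
# Hosts trusted unconditionally, on every port and interface -- TODO
# confirm these are still needed.
"$IPTABLES" -A INPUT -s 200.35.66.83 -j ACCEPT 
"$IPTABLES" -A INPUT -s 200.41.117.248 -j ACCEPT 

## Deny
# Privileged ports are dropped silently; everything else reaches the
# rate-limited LOG and is then dropped by the chain's DROP policy.
"$IPTABLES" -A INPUT -p tcp --dport 1:1024 -j DROP
"$IPTABLES" -A INPUT -p udp --dport 1:1024 -j DROP
"$IPTABLES" -A INPUT -m limit --limit 3/minute --limit-burst 3 -j LOG --log-level DEBUG --log-prefix "IPT INPUT packet died: "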

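###
# Forwarding rules & Internet sharing
#
# Order matters here. The original accepted everything arriving on the two
# Internet interfaces (and on the LAN) *before* the NEW,INVALID drops, so
# those drops never matched and any host on either Internet link could be
# routed into the LAN. Now: replies first, then LAN-originated traffic
# (this is the Internet sharing), then the one published service, then
# the logged drop for new/invalid traffic from the Internet. Anything
# else falls to the chain's DROP policy.

"$IPTABLES" -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
"$IPTABLES" -A FORWARD -i "$LAN_IFACE" -j ACCEPT            # Internet sharing
# Connections DNATed in PREROUTING for the IP camera (port 7880 on the
# second Internet link -> 192.168.2.6:80) arrive here with the rewritten
# destination and need an explicit accept.
"$IPTABLES" -A FORWARD -i "$INET_IFACE_2" -o "$LAN_IFACE" -p tcp -d 192.168.2.6 --dport 80 -m state --state NEW -j ACCEPT
"$IPTABLES" -A FORWARD -m limit --limit 3/minute --limit-burst 3 -j LOG --log-level DEBUG --log-prefix "IPT FORWARD packet died: "
"$IPTABLES" -A FORWARD -i "$INET_IFACE" -m state --state NEW,INVALID -j DROP
"$IPTABLES" -A FORWARD -i "$INET_IFACE_2" -m state --state NEW,INVALID -j DROP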

###
# OUTPUT rules
#
# Packets sourced from any of this host's own addresses are accepted
# outright, as are outgoing web connections and their tracked replies.
# The OUTPUT policy is ACCEPT, so the final LOG rule only records what
# nothing above matched; despite its "packet died" prefix, such packets
# are still delivered.
for own_src in "$LO_IP" "$LAN_IP_RANGE" "$INET_IP" "$INET_IP_2"; do
  "$IPTABLES" -A OUTPUT -s "$own_src" -j ACCEPT
done
"$IPTABLES" -A OUTPUT -p tcp -m tcp --dport 80 -j ACCEPT
"$IPTABLES" -A OUTPUT -p tcp -m tcp --sport 80 -m state --state RELATED,ESTABLISHED -j ACCEPT
"$IPTABLES" -A OUTPUT -m limit --limit 3/minute --limit-burst 3 -j LOG --log-level DEBUG --log-prefix "IPT OUTPUT packet died: "

###
# Report that the script ran to completion
#

printf '%s\n' "Iptables ... done"