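#!/bin/bash
# Firewall / NAT / policy-routing setup for a gateway with two uplinks and a LAN.
# Tool locations are resolved once here; `command -v` is the portable
# "is it installed?" check (replaces `which`). The fallback to the bare command
# name matters: if the lookup fails, the variable would otherwise be empty and
# a later `$MOD ip_tables` would try to execute a program called `ip_tables`
# instead of failing loudly with "modprobe: command not found".
# NOTE(review): the body of start() below mostly calls `modprobe` and
# `iptables` directly rather than through $MOD / $IPT — use one convention.

# modprobe is used to load kernel modules
MOD=$(command -v modprobe || printf '%s' modprobe)
# iptables
IPT=$(command -v iptables || printf '%s' iptables)

# Network interfaces. I_LAN faces the internal network (matched with
# `-i $I_LAN` in the mangle rules); I_LINK1/I_LINK2 are presumably the two
# uplinks that are MASQUERADEd below — confirm against the actual cabling.
I_LINK1="eth0"
I_LINK2="eth2"
I_LAN="eth1"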
function start() {
# Carrega o modulo do kernel
$MOD ip_tables
modprobe iptable_nat
# Limpa as regras anteriores
stop;
# Habilita redirecionamento de IP
echo 1 > /proc/sys/net/ipv4/ip_forward
iptables -P INPUT DROP
iptables -P FORWARD ACCEPT
iptables -P OUTPUT ACCEPT
#liberando trágo de rede local (127.0.0.1)
iptables -A INPUT -i lo -j ACCEPT
#Liberando SIP
iptables -A INPUT -p tcp -m tcp --dport 5060 -s 187.0.0.0/255.0.0.0 -j ACCEPT
iptables -A INPUT -p udp -m udp --dport 5060 -s 187.0.0.0/255.0.0.0 -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 5060 -s 189.0.0.0/255.0.0.0 -j ACCEPT
iptables -A INPUT -p udp -m udp --dport 5060 -s 189.0.0.0/255.0.0.0 -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 5060 -s 200.0.0.0/255.0.0.0 -j ACCEPT
iptables -A INPUT -p udp -m udp --dport 5060 -s 200.0.0.0/255.0.0.0 -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 5060 -s 201.0.0.0/255.0.0.0 -j ACCEPT
iptables -A INPUT -p udp -m udp --dport 5060 -s 201.0.0.0/255.0.0.0 -j ACCEPT
#Liberando Voz
iptables -A INPUT -p tcp -m tcp --dport 10000:20000 -s 187.0.0.0/255.0.0.0 -j ACCEPT
iptables -A INPUT -p udp -m udp --dport 10000:20000 -s 187.0.0.0/255.0.0.0 -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 10000:20000 -s 189.0.0.0/255.0.0.0 -j ACCEPT
iptables -A INPUT -p udp -m udp --dport 10000:20000 -s 189.0.0.0/255.0.0.0 -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 10000:20000 -s 200.0.0.0/255.0.0.0 -j ACCEPT
iptables -A INPUT -p udp -m udp --dport 10000:20000 -s 200.0.0.0/255.0.0.0 -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 10000:20000 -s 201.0.0.0/255.0.0.0 -j ACCEPT
iptables -A INPUT -p udp -m udp --dport 10000:20000 -s 201.0.0.0/255.0.0.0 -j ACCEPT
# Aceitando conexoes de entrada
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -p tcp --dport 142 -j ACCEPT
iptables -A INPUT -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -p tcp --dport 81 -j ACCEPT
# Liberando Rede Local
iptables -A INPUT -p tcp -s 10.1.1.0/255.0.0.0 -j ACCEPT
iptables -A INPUT -p udp -s 10.1.1.0/255.0.0.0 -j ACCEPT
#Liberando pacotes que realmente devem estabelecer conexã
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
#Liberando ping
iptables -A OUTPUT -p icmp --icmp-type echo-request -j ACCEPT
iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
# Forward de portas para o servidor de backup
iptables -t nat -A PREROUTING -d 187.5.250.106 -p tcp --dport 22 -j DNAT --to 10.1.1.52:22
iptables -t nat -A POSTROUTING -d 10.1.1.52 -p tcp --dport 22 -j SNAT --to 187.5.250.106
iptables -t nat -A PREROUTING -p tcp --dport 34684 -j DNAT --to 10.1.1.30
# Servidor WEB Maquina virtual
iptables -t nat -A PREROUTING -d 187.5.250.106 -p tcp --dport 81 -j DNAT --to 10.1.1.88:81
iptables -t nat -A POSTROUTING -d 10.1.1.88 -p tcp --dport 81 -j SNAT --to 187.5.250.106
# teste do lyric
# iptables -t nat -A PREROUTING -i $I_LAN -d 74.125.65.141 -j DNAT --to 10.1.1.249
#Compartilhando links
iptables -t nat -A POSTROUTING -o eth2 -j MASQUERADE
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
##### Toda navegacao sai pela ADSL, o resto pelo link dedicado
# Saida dos pacotes pela ADSL
$IPT -t mangle -A PREROUTING -i $I_LAN -p tcp --dport 3389 -j MARK --set-mark 2
$IPT -t mangle -A PREROUTING -i $I_LAN -p tcp --dport 80 -j MARK --set-mark 2
$IPT -t mangle -A PREROUTING -i $I_LAN -p tcp --dport 0:65535 -j MARK --set-mark 2
$IPT -t mangle -A PREROUTING -i $I_LAN -p udp --dport 0:65535 -j MARK --set-mark 2
# Saida dos pacotes pelo Link Dedicado
$IPT -t mangle -A PREROUTING -i $I_LAN -p tcp --dport 22 -j MARK --set-mark 1
$IPT -t mangle -A PREROUTING -i $I_LAN -p tcp --dport 142 -j MARK --set-mark 1
$IPT -t mangle -A PREROUTING -i $I_LAN -p tcp --dst 187.53.232.107 -j MARK --set-mark 1
echo "Firewall iniciado."