Firewall básica
Conjunto básico de regras iptables (somente IPv4) para qualquer servidor: fecha a cadeia INPUT e libera apenas loopback, SSH via VPN, MongoDB para os servidores de aplicação e os coletores de monitoramento.
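# --- variables ---------------------------------------------------------
# Run as root. Abort on a mistyped/unset variable instead of calling
# iptables with an empty -s/-i argument (set -e is deliberately NOT used:
# a rule failing half-way would abort with the policy partially applied).
set -u
IPTABLES="/usr/sbin/iptables"
# Hosts allowed to reach ssh (tcp/22).
GOODVPN="1.2.3.4"
OPENVPN="1.2.3.4"
# Monitoring collectors.
PROMETHEUS="1.2.3.4"
KUMA="1.2.3.4"
# Application servers allowed to reach MongoDB (tcp/27017).
SERVIDOR_1="1.2.3.4"
SERVIDOR_2="1.2.3.4"
SERVIDOR_3="1.2.3.4"
SERVIDOR_4="1.2.3.4"
LO_NIC="lo"
# Whole loopback net, not just 127.0.0.1: local clients may use other
# 127/8 sources (e.g. 127.0.1.1, which some distros map to the hostname)
# and would otherwise be dropped on lo.
LO_IPA="127.0.0.0/8"
MAIN_IPA="1.2.3.4" # address this host uses towards the internet
DCKR_IPA="1.2.3.4" # docker bridge address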
# --- reset the filter, nat and mangle tables -----------------------------
# For each table: flush all rules, set every built-in chain back to policy
# ACCEPT and delete user-defined chains. This also wipes the nat/FORWARD
# rules Docker installs (see the note at the end of the script).
# NOTE(review): between this reset and the "-P INPUT DROP" further down the
# host briefly accepts everything; iptables-restore would apply atomically.
# FORWARD is left at ACCEPT on purpose (Docker manages that chain).
reset_table() {
  local table="$1"
  shift
  local chain
  "$IPTABLES" -t "$table" -F
  for chain in "$@"; do
    "$IPTABLES" -t "$table" -P "$chain" ACCEPT
  done
  "$IPTABLES" -t "$table" -X
}
reset_table filter INPUT OUTPUT FORWARD
reset_table nat PREROUTING OUTPUT POSTROUTING
reset_table mangle PREROUTING INPUT FORWARD OUTPUT POSTROUTING
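# --- sanity rules and default policy -----------------------------------
# Drop whatever conntrack cannot classify (malformed / out-of-window
# segments) on every chain.
$IPTABLES -A INPUT -m conntrack --ctstate INVALID -j DROP
$IPTABLES -A FORWARD -m conntrack --ctstate INVALID -j DROP
$IPTABLES -A OUTPUT -m conntrack --ctstate INVALID -j DROP
# A NEW tcp connection must start with SYN; anything else is a scan or a
# stray segment. Uses the conntrack match like the rest of the script
# (-m state is the deprecated alias) and rate-limits the LOG so a scan
# cannot flood syslog / fill the log partition.
$IPTABLES -t filter -A INPUT -p tcp ! --syn -m conntrack --ctstate NEW \
  -m limit --limit 5/min --limit-burst 10 \
  -j LOG --log-level 6 --log-prefix "[DROP_NEW_CON_NOT_SYN]: "
$IPTABLES -t filter -A INPUT -p tcp ! --syn -m conntrack --ctstate NEW -j DROP
# Accept established/related flows BEFORE the policy flips to DROP, so the
# ssh session running this script is not cut off.
$IPTABLES -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
# Default-deny on INPUT: only what is explicitly opened below gets in.
# NOTE(review): this is iptables, i.e. IPv4 only. ip6tables is untouched,
# so a host with a routable IPv6 address stays wide open there; apply an
# equivalent ip6tables ruleset or disable IPv6 on the interface.
$IPTABLES -P INPUT DROP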
# --- explicit allow list -------------------------------------------------
# Loopback: traffic on lo from the loopback address and from the host's own
# public address (local daemons bound to it). Docker bridge is opt-in.
for lo_src in "$LO_IPA" "$MAIN_IPA"; do
  "$IPTABLES" -t filter -A INPUT -p ALL -i "$LO_NIC" -s "$lo_src" -j ACCEPT
done
# Uncomment when Docker runs on this host:
# $IPTABLES -t filter -A INPUT -p ALL -i $LO_NIC -s $DCKR_IPA -j ACCEPT
# ssh: reachable only from the VPN endpoints.
for vpn_src in "$GOODVPN" "$OPENVPN"; do
  "$IPTABLES" -A INPUT -p tcp -s "$vpn_src" --dport 22 -j ACCEPT
done
# MongoDB (tcp/27017): application servers only.
for app_src in "$SERVIDOR_1" "$SERVIDOR_2" "$SERVIDOR_3" "$SERVIDOR_4"; do
  "$IPTABLES" -A INPUT -p tcp -s "$app_src" --dport 27017 -j ACCEPT
done
# Monitoring collectors (Prometheus, Uptime-Kuma).
# NOTE(review): no --dport here, so these hosts can reach EVERY tcp port,
# ssh and mongodb included. Scope them to the exporter / health-check
# ports they actually scrape.
for mon_src in "$PROMETHEUS" "$KUMA"; do
  "$IPTABLES" -A INPUT -p tcp -s "$mon_src" -j ACCEPT
done
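# --- log and drop the rest ----------------------------------------------
# Everything still here is unwanted. Log it per protocol, rate-limited so
# a scan or a flood cannot fill the disk or starve syslog, then drop it.
$IPTABLES -t filter -A INPUT -p tcp -m limit --limit 5/min --limit-burst 10 \
  -j LOG --log-level 6 --log-ip-options --log-prefix '[FI-DROP-TCP]: '
$IPTABLES -t filter -A INPUT -p udp -m limit --limit 5/min --limit-burst 10 \
  -j LOG --log-level 6 --log-ip-options --log-prefix '[FI-DROP-UDP]: '
# Note: this also drops icmp echo-request, so the host will not answer ping.
$IPTABLES -t filter -A INPUT -p icmp -m limit --limit 5/min --limit-burst 10 \
  -j LOG --log-level 6 --log-ip-options --log-prefix '[FI-DROP-ICMP]: '
$IPTABLES -t filter -A INPUT -p igmp -m limit --limit 5/min --limit-burst 10 \
  -j LOG --log-level 6 --log-ip-options --log-prefix '[FI-DROP-IGMP]: '
# Explicit catch-all (the INPUT policy is already DROP).
$IPTABLES -t filter -A INPUT -j DROP
# Docker: the table reset at the top of the script also wiped the
# nat/PREROUTING and filter/FORWARD rules the daemon installs; restart it
# so they are recreated. Keep in mind that ports Docker publishes (-p) are
# accepted in the FORWARD path (DOCKER-USER chain), not in INPUT, so the
# rules above do not restrict them. Uncomment if needed:
#systemctl restart docker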