
Firewall com redirect

Basicona para qualquer servidor.

# ---------------------------------------------------------------
# variables — the only section that should need editing per host
# ---------------------------------------------------------------

# absolute path to the iptables binary, so PATH does not matter under cron/rc
IPTABLES="/usr/sbin/iptables"

# remote hosts that get special treatment further down.
# NOTE(review): every one of them is still the 1.2.3.4 placeholder here
# (same value as MAIN_IPA); replace before deploying.
OPENVPN="1.2.3.4"      # openvpn server: its traffic reaches PORTAS_OPENVPN_*
PROMETHEUS="1.2.3.4"   # prometheus scraper
KUMA="1.2.3.4"         # uptime-kuma monitor

# loopback interface and address
LO_NIC="lo"
LO_IPA="127.0.0.1"

# internal network behind this host (KVM guests); masqueraded on the way out
MINHA_REDE_INTERNA="192.168.12.0/22"

MAIN_IPA="1.2.3.4"    # public ip, the one that talks to the internet
DCKR_IPA="172.17.0.1" # docker bridge ip

# port groups: "YES" enables the group; each list is space-separated and is
# word-split on purpose by the loops below.
# only the OPENVPN group is restricted by source; SSH/TCP/UDP open from anywhere.
ABRIR_PORTAS_OPENVPN="YES"
PORTAS_OPENVPN_TCP="22 53 80 443 8080 5432"
PORTAS_OPENVPN_UDP="53"

ABRIR_PORTAS_SSH="YES"
PORTAS_SSH="22 2222 44044"

ABRIR_PORTAS_TCP="NO"
PORTAS_TCP="53 80 443 8080 8081"

ABRIR_PORTAS_UDP="NO"
PORTAS_UDP="53"

#######################################
# Reset one table: flush its rules, set every listed built-in chain to
# ACCEPT, then delete user-defined chains (same order the script used
# for each table by hand).
# Arguments: $1 - table name; $2.. - built-in chains of that table
# Globals:   IPTABLES (read)
#######################################
limpar_tabela() {
  local tabela=$1
  shift
  local cadeia
  "${IPTABLES}" -t "${tabela}" -F
  for cadeia in "$@"; do
    "${IPTABLES}" -t "${tabela}" -P "${cadeia}" ACCEPT
  done
  "${IPTABLES}" -t "${tabela}" -X
}

### filter, nat and mangle start from a clean slate.
### NOTE(review): from here until `-P INPUT DROP` further down every chain
### accepts everything, and FORWARD keeps ACCEPT for the rest of the script.
limpar_tabela filter INPUT OUTPUT FORWARD
limpar_tabela nat PREROUTING OUTPUT POSTROUTING
limpar_tabela mangle PREROUTING INPUT FORWARD OUTPUT POSTROUTING

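# drop packets conntrack cannot classify (bad flag combinations, out-of-window, ...)
"${IPTABLES}" -A INPUT -m conntrack --ctstate INVALID -j DROP
"${IPTABLES}" -A FORWARD -m conntrack --ctstate INVALID -j DROP
"${IPTABLES}" -A OUTPUT -m conntrack --ctstate INVALID -j DROP

# a NEW tcp connection has to start with SYN: log, then drop, anything else.
# uses the conntrack match like the rules above; the previous `-m state` was
# the deprecated alias of the same match. no rate limit on this LOG rule.
"${IPTABLES}" -t filter -A INPUT -p tcp ! --syn -m conntrack --ctstate NEW -j LOG --log-level 6 --log-prefix "[DROP_NEW_CON_NOT_SYN]: "
"${IPTABLES}" -t filter -A INPUT -p tcp ! --syn -m conntrack --ctstate NEW -j DROP

# keep flows that are already established, plus related ones (icmp errors etc.)
"${IPTABLES}" -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT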

# turn on routing between interfaces; the DNAT/MASQUERADE rules below need it.
# NOTE(review): the FORWARD policy was set to ACCEPT during the flush and is
# never tightened, so with forwarding on the host forwards whatever it routes.
printf '1\n' > /proc/sys/net/ipv4/ip_forward

# default policy for filter/INPUT: close everything, then open only what is
# needed. the rules already appended (INVALID, !SYN, ESTABLISHED) stay in front.
"${IPTABLES}" -P INPUT DROP

# loopback: traffic arriving on lo from 127.0.0.1 ...
"${IPTABLES}" -t filter -A INPUT -p ALL -i "${LO_NIC}" -s "${LO_IPA}" -j ACCEPT
# ... and traffic arriving on lo with the public address as source
"${IPTABLES}" -t filter -A INPUT -p ALL -i "${LO_NIC}" -s "${MAIN_IPA}" -j ACCEPT

# docker: uncomment when the daemon is running.
# NOTE(review): this only matches the bridge ip arriving on lo — confirm that
# is really the interface docker traffic reaches the host on.
# "${IPTABLES}" -t filter -A INPUT -p ALL -i "${LO_NIC}" -s "${DCKR_IPA}" -j ACCEPT

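#######################################
# Append one INPUT ACCEPT rule per port of a space-separated list.
# Arguments: $1 - protocol (tcp|udp)
#            $2 - source address/network, or "" for any source
#            $3 - space-separated port list (word-split on purpose)
# Globals:   IPTABLES (read)
# Returns:   status of the last iptables call
#######################################
abrir_portas() {
  local proto=$1 origem=$2 lista=$3
  local porta
  # shellcheck disable=SC2086 — the list is meant to be split on spaces
  for porta in ${lista}; do
    if [ -n "${origem}" ]; then
      "${IPTABLES}" -A INPUT -s "${origem}" -p "${proto}" --dport "${porta}" -j ACCEPT
    else
      "${IPTABLES}" -A INPUT -p "${proto}" --dport "${porta}" -j ACCEPT
    fi
  done
}

# the four near-identical loops are now one helper; the flag tests use the
# POSIX `=` so the script also works under a non-bash /bin/sh.

# ports reachable only from the openvpn host
if [ "${ABRIR_PORTAS_OPENVPN}" = "YES" ]; then
  abrir_portas tcp "${OPENVPN}" "${PORTAS_OPENVPN_TCP}"
  abrir_portas udp "${OPENVPN}" "${PORTAS_OPENVPN_UDP}"
fi

# ssh ports: no source restriction, so they are reachable from anywhere
if [ "${ABRIR_PORTAS_SSH}" = "YES" ]; then
  abrir_portas tcp "" "${PORTAS_SSH}"
fi

# generic tcp/udp ports, also open from any source
if [ "${ABRIR_PORTAS_TCP}" = "YES" ]; then
  abrir_portas tcp "" "${PORTAS_TCP}"
fi
if [ "${ABRIR_PORTAS_UDP}" = "YES" ]; then
  abrir_portas udp "" "${PORTAS_UDP}"
fi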

# monitoring hosts: no --dport, so every tcp port is open to them — the
# prometheus and uptime-kuma addresses are effectively fully trusted
for MONITOR in "${PROMETHEUS}" "${KUMA}"; do
  "${IPTABLES}" -A INPUT -p tcp -s "${MONITOR}" -j ACCEPT
done

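#######################################
# Log, then drop, INPUT packets of one protocol that reached the end of
# the chain. LOG is non-terminating, so the DROP follows immediately and
# each packet is logged exactly once with its own prefix.
# Arguments: $1 - protocol as iptables names it (tcp, udp, icmp, igmp)
#            $2 - tag used in the log prefix
# Globals:   IPTABLES (read)
#######################################
logar_e_dropar() {
  "${IPTABLES}" -t filter -A INPUT -p "$1" -j LOG --log-level 6 --log-ip-options --log-prefix "[FI-DROP-$2]: "
  "${IPTABLES}" -t filter -A INPUT -p "$1" -j DROP
}

# everything that got this far is logged and dropped. no rate limit is
# applied, same as the other LOG rules in this script.
logar_e_dropar tcp TCP
logar_e_dropar udp UDP
logar_e_dropar icmp ICMP
logar_e_dropar igmp IGMP

# any other protocol (gre, esp, ...) was dropped silently before although the
# intent is to log everything; it now gets its own prefix before the final drop
"${IPTABLES}" -t filter -A INPUT -j LOG --log-level 6 --log-ip-options --log-prefix '[FI-DROP-OTHER]: '
"${IPTABLES}" -t filter -A INPUT -j DROP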

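#######################################
# DNAT one tcp port of the public address to host:port on the inside.
# Arguments: $1 - port on MAIN_IPA
#            $2 - destination as host:port
# Globals:   IPTABLES, MAIN_IPA (read)
#######################################
redirecionar_porta() {
  "${IPTABLES}" -t nat -A PREROUTING -p tcp -d "${MAIN_IPA}" --dport "$1" -j DNAT --to-destination "$2"
}

# internal host receiving the redirected ports (inside MINHA_REDE_INTERNA).
# the old comments said 192.168.222.155, the rules always used 192.168.12.155.
KVM_ALVO="192.168.12.155"

# host:15522 -> 22 (ssh), host:15501 -> 3000, host:15502 -> 4000.
# the third rule used to repeat --dport 15501, so it never matched (the first
# 15501 rule wins) and port 4000 was unreachable.
# NOTE: these redirects rely on FORWARD being ACCEPT (set during the flush);
# DNAT'd packets are not filtered anywhere in this script.
redirecionar_porta 15522 "${KVM_ALVO}:22"
redirecionar_porta 15501 "${KVM_ALVO}:3000"
redirecionar_porta 15502 "${KVM_ALVO}:4000"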

# source nat for the proxmox KVM guests: packets leaving from the internal
# network take the host's address. no -o is given, so this applies on every
# outgoing interface, not only the public one.
"${IPTABLES}" -t nat -A POSTROUTING -s "${MINHA_REDE_INTERNA}" -j MASQUERADE

# se tiver docker, reinicie o daemon para
# recriar regras nat/prerouting e filter/forward
# no inicio o script limpa tudo
#
#systemctl restart docker