
Firewall

Firewall para ser carregada no boot.

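#!/bin/bash
#
# Host firewall for a Proxmox node, meant to be loaded at boot.
#
# Resets the filter/nat/mangle tables, publishes a few guest ports on the
# node's public address (DNAT), closes INPUT by default with a short
# allow-list, and masquerades the guests' outbound traffic.
#
# Requires: iptables in PATH, root privileges.

set -eu

# Fail loudly instead of running "-t filter -F" with an empty command name
# when iptables is missing.
IPTABLES=$(command -v iptables) || { printf 'iptables not found in PATH\n' >&2; exit 1; }
readonly IPTABLES

# Peer Proxmox nodes. "xxx" is a redacted octet on this page; iptables will
# reject the placeholder, so fill in the real address before deploying.
readonly ALPHA_IP="51.222.8.xxx/32"
readonly BRAVO_IP="51.222.154.xxx/32"
readonly CHARLIE_IP="192.99.63.xxx/32"

readonly PROXMOX_EXTERNAL_IP=$CHARLIE_IP
readonly PROXMOX_INTERNAL_IP="192.168.222.1"

# Guest that receives the public-port redirects below.
readonly NGINX_GUEST="192.168.222.100"

# Internal guest network that is masqueraded on the way out.
# NOTE(review): /22 spans 192.168.220.0-192.168.223.255, wider than the
# 192.168.222.x addresses used elsewhere in this file — confirm the mask.
readonly GUEST_NET="192.168.222.0/22"

# Additional interfaces (left disabled).
#ifconfig vmbr0:0 54.39.123.xxx netmask 255.255.255.255
#ifconfig vmbr0:1 54.39.123.xxx netmask 255.255.255.255

#######################################
# Flush every chain of one table, reset its built-in policies to ACCEPT and
# delete user-defined chains, so the script starts from a known state.
# Globals:   IPTABLES (read)
# Arguments: $1 - table name; $2.. - the table's built-in chains
#######################################
reset_table() {
  local table=$1
  shift
  local chain
  "$IPTABLES" -t "$table" -F
  for chain in "$@"; do
    "$IPTABLES" -t "$table" -P "$chain" ACCEPT
  done
  "$IPTABLES" -t "$table" -X
}

#######################################
# Drop conntrack-INVALID packets on every chain, drop new TCP flows that do
# not start with SYN, and accept already established flows. The last rule
# must exist before INPUT switches to DROP (see input_rules) so the session
# loading this script is not cut.
# Globals:   IPTABLES (read)
#######################################
base_rules() {
  local chain
  for chain in INPUT FORWARD OUTPUT; do
    "$IPTABLES" -t filter -A "$chain" -m conntrack --ctstate INVALID -j DROP
  done

  # New TCP connections must begin with SYN: log (rate limited), then drop.
  "$IPTABLES" -t filter -A INPUT -p tcp ! --syn -m conntrack --ctstate NEW \
    -m limit --limit 10/min --limit-burst 20 \
    -j LOG --log-level 6 --log-prefix "[DROP_NEW_CON_NOT_SYN]: "
  "$IPTABLES" -t filter -A INPUT -p tcp ! --syn -m conntrack --ctstate NEW -j DROP

  "$IPTABLES" -t filter -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
}

#######################################
# Enable routing, publish guest services on the node's public address and
# masquerade guest egress. The DNAT'd flows traverse FORWARD, whose policy
# stays ACCEPT (reset_table) — nothing in this file filters forwarded traffic.
# Globals:   IPTABLES, PROXMOX_EXTERNAL_IP, NGINX_GUEST, GUEST_NET (read)
#######################################
nat_rules() {
  echo 1 > /proc/sys/net/ipv4/ip_forward

  # SSH into the nginx guest via a non-standard public port.
  "$IPTABLES" -t nat -A PREROUTING -p tcp -d "$PROXMOX_EXTERNAL_IP" --dport 10722 \
    -j DNAT --to-destination "${NGINX_GUEST}:22"

  # nginx itself.
  local port
  for port in 80 443; do
    "$IPTABLES" -t nat -A PREROUTING -p tcp -d "$PROXMOX_EXTERNAL_IP" --dport "$port" \
      -j DNAT --to-destination "${NGINX_GUEST}:${port}"
  done

  # Guests reach the outside through the node's address.
  "$IPTABLES" -t nat -A POSTROUTING -s "$GUEST_NET" -j MASQUERADE
}

#######################################
# Close INPUT by default, then allow peers, loopback and the admin ports;
# log (rate limited) and drop everything else.
# Globals:   IPTABLES, ALPHA_IP, BRAVO_IP, CHARLIE_IP (read)
#######################################
input_rules() {
  # Fail closed: if a later rule errors out (set -e), the host stays closed
  # except for flows base_rules already accepted. Fix and rerun.
  "$IPTABLES" -t filter -P INPUT DROP

  # Everything from the other Proxmox nodes.
  # NOTE(review): no -i restriction, so a packet carrying one of these source
  # addresses matches on any interface; pinning them to the external
  # interface would narrow the allow-list.
  local peer
  for peer in "$ALPHA_IP" "$BRAVO_IP" "$CHARLIE_IP"; do
    "$IPTABLES" -t filter -A INPUT -s "$peer" -j ACCEPT
  done

  # Loopback. One rule covers every source; per-source loopback rules placed
  # after it could never match, so none are added.
  "$IPTABLES" -t filter -A INPUT -i lo -j ACCEPT

  # SSH (non-standard port) and the Proxmox web UI, open to the world.
  "$IPTABLES" -t filter -A INPUT -p tcp --dport 44044 -j ACCEPT
  "$IPTABLES" -t filter -A INPUT -p tcp --dport 8006 -j ACCEPT

  # Log what is about to be dropped; the limit keeps a flood from filling
  # the log.
  local proto
  for proto in tcp udp icmp igmp; do
    "$IPTABLES" -t filter -A INPUT -p "$proto" -m limit --limit 10/min --limit-burst 20 \
      -j LOG --log-level 6 --log-ip-options --log-prefix "[FI-DROP-${proto^^}]: "
  done

  # Anything left over.
  "$IPTABLES" -t filter -A INPUT -j DROP
}

#######################################
# Apply the whole ruleset in order: reset, baseline, NAT, INPUT policy.
#######################################
main() {
  reset_table filter INPUT OUTPUT FORWARD
  reset_table nat PREROUTING OUTPUT POSTROUTING
  reset_table mangle PREROUTING INPUT FORWARD OUTPUT POSTROUTING
  base_rules
  nat_rules
  input_rules
}

main "$@"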