Libera somente o range de IPs do arquivo (outra versão).
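#!/bin/bash
############################################
# Libera somente o range de ips do arquivo #
############################################
# Rebuilds the iptables filter table from scratch: flushes it, opens a fixed
# set of services on INPUT, ACCEPTs SMTP (25/587) and POP3 (110) from every
# source range listed in $ARQUIVO (iptables iprange syntax "a.b.c.d[-e.f.g.h]",
# one or more per line), and only then sets the INPUT policy to DROP.
# Must run as root; ET0 must hold this host's address before running.
# -f: the script uses no globs, so disable them and the unquoted list
#     expansion in the range loop cannot expand "*" into file names.
set -euf -o pipefail

WORKDIR="/root/firewall"
# Arquivo com range de ips para liberar.
# NOTE(review): $WORKDIR is never used; the file is resolved relative to the
# current directory, so run the script from $WORKDIR or prefix the path.
ARQUIVO="accept_ip.txt"
# atalho para comando
IPT=$(command -v iptables) || { echo "iptables nao encontrado no PATH" >&2; exit 1; }
LO="127.0.0.1" # Loopback
NET="0/0" # Internet
ET0="" # Seu IP aqui
PA="1024:65535" # Portas Altas

# Every "-s $ET0" / "-d $ET0" rule below collapses to "-s -j ACCEPT" when ET0
# is empty; iptables rejects that and the ruleset is left half applied.
# Abort before anything is flushed.
: "${ET0:?Defina ET0 (seu IP) antes de executar}"
# iptables needs root; fail here rather than after the flush.
if (( EUID != 0 )); then
  echo "Execute como root" >&2
  exit 1
fi

# APAGA TABELA DO IPTABLES
"$IPT" -F
echo "Tabela do Iptables apagada."

# Seta a CHAIN OUTPUT como padrao ACCEPT, ou seja aceita tudo.
# The INPUT DROP policy is applied at the very end, once the ESTABLISHED,
# loopback and SSH rules exist, so an administrator connected remotely is
# not cut off while the chain is still being built.
"$IPT" -P OUTPUT ACCEPT
"$IPT" -P FORWARD ACCEPT

# Permitir as conexoes ja estabelecidas
# First in the chain so replies to existing sessions are never dropped
# while the remaining rules are appended. (The original appended this rule
# twice on INPUT; once is enough, -t filter is the default table.)
echo "Configura conexoes ja estabelecidas"
"$IPT" -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
"$IPT" -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
"$IPT" -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

# Permitir trafego LoopBack
echo "Configura Loopback"
"$IPT" -A INPUT -i lo -d "$LO" -j ACCEPT
"$IPT" -A OUTPUT -o lo -d "$LO" -j ACCEPT
# FORWARD
echo "Configura Forward"
"$IPT" -A FORWARD -j ACCEPT
# Permitir ICMP
echo "Configura ICMP"
"$IPT" -A INPUT -p icmp --icmp-type 0 -s "$NET" -d "$ET0" -j ACCEPT
"$IPT" -A OUTPUT -p icmp --icmp-type 8 -s "$ET0" -d "$NET" -j ACCEPT
# DNS
echo "Configura DNS"
"$IPT" -A INPUT -p udp -s "$NET" --sport 53 -d "$ET0" --dport "$PA" -j ACCEPT
"$IPT" -A INPUT -p icmp --icmp-type 3 -s "$NET" -d "$ET0" -j ACCEPT
"$IPT" -A OUTPUT -p udp -s "$ET0" --sport "$PA" -d "$NET" --dport 53 -j ACCEPT
# Bloqueia na CHAIN INPUT o SMTP diferente de localhost
#$IPT -A INPUT -p tcp ! -s 127.0.0.1 --dport 25 -j DROP
#$IPT -A INPUT -p tcp --dport 25 -j DROP
#$IPT -A INPUT -p tcp --dport 587 -j DROP
#Aceita tudo de localhost
echo "Aceita Localhost"
"$IPT" -A INPUT -s "$LO" -j ACCEPT
"$IPT" -A INPUT -s "$ET0" -j ACCEPT
# SMTP CHAIN INPUT Libera os enderecos locais
echo "Configura SMTP"
for porta in 25 587 465; do
  "$IPT" -A INPUT -s "$LO" -p tcp --sport "$PA" --dport "$porta" -j ACCEPT
  "$IPT" -A INPUT -s "$ET0" -p tcp --sport "$PA" --dport "$porta" -j ACCEPT
done
#POP3 CHAIN INPUT
echo "Configura POP3"
# NOTE(review): port 110 is accepted here from any source, which makes the
# per-range rule for 110 in the loop below redundant; confirm whether POP3
# was meant to be limited to the ranges in $ARQUIVO like SMTP is.
for porta in 110 143 993 995; do
  "$IPT" -A INPUT -p tcp --dport "$porta" -j ACCEPT
done
#httpd CHAIN INPUT
echo "Configura HTTP"
"$IPT" -A INPUT -p tcp --dport 80 -j ACCEPT
# NOTE(review): 442 is not the HTTPS port; 443 was probably intended — confirm.
"$IPT" -A INPUT -p tcp --dport 442 -j ACCEPT
#SSH CHAIN INPUT
echo "Configura SSH"
"$IPT" -A INPUT -p tcp --dport 22 -j ACCEPT
"$IPT" -A OUTPUT -p tcp -s "$ET0" --sport "$PA" -d "$NET" --dport 22 -j ACCEPT
"$IPT" -A INPUT -p tcp -s "$NET" --sport "$PA" -d "$ET0" --dport 22 -j ACCEPT
#FTP CHAIN INPUT
echo "Configura FTP"
"$IPT" -A INPUT -p tcp --dport 21 -j ACCEPT
#MYSQL CHAIN INPUT
echo "Configura MYSQL"
"$IPT" -A INPUT -p tcp --dport 3306 -j ACCEPT

# Ranges from $ARQUIVO. Lines are read as-is (no `cat` word-splitting), "#"
# comments and blank lines are skipped, and every entry is validated before it
# is handed to iptables, so a malformed line cannot smuggle extra arguments
# into the command or abort the run with the chain half built.
if [[ -f "$ARQUIVO" ]]; then
  while IFS= read -r linha || [[ -n "$linha" ]]; do
    linha=${linha%%#*}
    # shellcheck disable=SC2086 — several ranges per line are allowed, as in
    # the original; globbing is off (set -f), so only whitespace splits here.
    for IP in $linha; do
      if [[ ! "$IP" =~ ^[0-9]{1,3}(\.[0-9]{1,3}){3}(-[0-9]{1,3}(\.[0-9]{1,3}){3})?$ ]]; then
        echo "Ignorando entrada invalida em $ARQUIVO: $IP" >&2
        continue
      fi
      "$IPT" -A INPUT -p tcp --dport 25 -m iprange --src-range "$IP" -j ACCEPT
      "$IPT" -A INPUT -p tcp --dport 587 -m iprange --src-range "$IP" -j ACCEPT
      "$IPT" -A INPUT -p tcp --dport 110 -m iprange --src-range "$IP" -j ACCEPT
      echo "Range de ip $IP Adicionado como Accept na CHAIN INPUT"
    done
  done < "$ARQUIVO"
fi

# LOG
# Placed last so it records only packets that fell through every ACCEPT and
# are about to hit the DROP policy; at the top of the chain (as originally)
# it logged all incoming traffic. Prefix kept as-is; it covers every dropped
# packet, not only port 25.
"$IPT" -A INPUT -m limit --limit 5/min -j LOG --log-prefix "PORT 25 DROP: " --log-level 7

# Only now, with the ACCEPT rules in place, switch INPUT to DROP.
echo "Seta configuracoes padroes do INPUT como DROP"
"$IPT" -P INPUT DROP
echo "******* FIM SCRIPT *******"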