#! /bin/bash
###############################################################################
# Autor: Tácio de Jesus Andrade
# Criação: 11/04/2011
# Modificação: 02/05/2011
# Função: Arquivo de Configuração Padrão do Firewall IpTables
# Utilização: Mova-o para o diretório /etc/init.d/ (em distros Debian-Like)
#             e adicione o serviço para iniciar com o Sistema (pode-se utilizar
#             o rcconf ou o comando de carregamento do serviço de sua distro)
###############################################################################

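#######################################
# Abort unless running as root: every rule below calls iptables and writes
# to /proc/sys, both of which fail silently (or noisily) for other users.
#######################################
require_root() {
    if [ "$(id -u)" -ne 0 ]; then
        echo "Este script precisa ser executado como root" >&2
        exit 1
    fi
}

case "$1" in
start)
    require_root

    ###############
    # Banner      #
    ###############
    echo "Iniciando a Configuração do Firewall"

    ############################################################################
    # Flush every table, not only 'filter': a rule left in nat/mangle from a  #
    # previous run would survive a plain 'iptables -F' and bypass the policy. #
    ############################################################################
    echo "Regras Zeradas"
    iptables -F
    iptables -X
    iptables -t nat -F
    iptables -t nat -X
    iptables -t mangle -F
    iptables -t mangle -X

    ########################################
    # Default deny on all three chains.    #
    ########################################
    echo "Fechando tudo"
    iptables -P INPUT DROP
    iptables -P FORWARD DROP
    iptables -P OUTPUT DROP

    ############################################################################
    # Alternative to the unconditional ping drop below: answer at most one    #
    # echo-request per second instead of dropping them all. Enable one of the #
    # two, not both (the first matching rule wins).                           #
    ############################################################################
    #echo "Previne ataques DoS"
    # iptables -A INPUT -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT

    #################################
    # Drop all incoming pings.      #
    #################################
    echo "Bloqueia o pings"
    iptables -A INPUT -p icmp --icmp-type echo-request -j DROP

    ##########################
    # Kernel hardening knobs #
    ##########################
    echo "Implementação de politicas de segurança"
    # Reject source-routed packets (used to spoof the return path).
    echo 0 > /proc/sys/net/ipv4/conf/all/accept_source_route
    # Ignore ICMP redirects, which could rewrite our routing table
    # (re-enable on a router that relies on them).
    echo 0 > /proc/sys/net/ipv4/conf/all/accept_redirects
    # Do not answer broadcast pings (smurf-style amplification).
    echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
    # SYN cookies: only allocate a connection once the handshake completes.
    echo 1 > /proc/sys/net/ipv4/tcp_syncookies
    # Reverse-path filter: drop packets whose source is not reachable via the
    # interface they arrived on. 'default' covers interfaces created later,
    # 'all' covers the ones that already exist — both are needed.
    echo 1 > /proc/sys/net/ipv4/conf/default/rp_filter
    echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter
    # Discard packets conntrack cannot classify.
    iptables -A INPUT -m state --state INVALID -j DROP

    #################################
    # Allow established traffic     #
    #################################
    echo "Liberando conexões estabelecidas"
    iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
    # NOTE: accepting NEW on FORWARD/OUTPUT means every forwarded or outbound
    # connection is allowed (only INVALID is left to the DROP policy). Tighten
    # the FORWARD rule if this host routes for other machines.
    iptables -A FORWARD -m state --state RELATED,ESTABLISHED,NEW -j ACCEPT
    iptables -A OUTPUT -m state --state RELATED,ESTABLISHED,NEW -j ACCEPT
    iptables -A INPUT -i lo -j ACCEPT

    ############################################################################
    # SSH: allow inbound, but drop a source that opened 4 or more new          #
    # connections within 60 seconds (brute-force throttle).                   #
    ############################################################################
    #echo "Liberando o SSH"
    # iptables -I INPUT -p tcp --dport 22 -i eth0 -m state --state NEW -m recent --update --seconds 60 --hitcount 4 -j DROP
    # iptables -A INPUT -p tcp --dport 22 -j ACCEPT
    # iptables -A INPUT -p udp --dport 22 -j ACCEPT

    ##################
    # Samba          #
    ##################
    #echo "Liberando o Samba"
    # iptables -A INPUT -p tcp --dport 137:139 -j ACCEPT
    # iptables -A INPUT -p udp --dport 137:139 -j ACCEPT

    ###################
    # Apache          #
    ###################
    #echo "Liberando o Apache"
    # iptables -A INPUT -p tcp --dport 80 -j ACCEPT

    ################
    # Closing line #
    ################
    echo "Configuração do Firewall Concluida."
    ;;

stop)
    require_root
    echo "Finalizando o Firewall"
    rm -f -- /var/lock/subsys/firewall

    # -----------------------------------------------------------------
    # Remove every rule and user-defined chain in all tables.
    # -----------------------------------------------------------------
    iptables -F
    iptables -X
    iptables -t nat -F
    iptables -t nat -X
    iptables -t mangle -F
    iptables -t mangle -X
    # -----------------------------------------------------------------
    # Reset the default policies to accept-all (the firewall is off).
    # -----------------------------------------------------------------
    iptables -P INPUT   ACCEPT
    iptables -P OUTPUT  ACCEPT
    iptables -P FORWARD ACCEPT
    ;;

status)
    # Listed in the usage message but previously not implemented.
    require_root
    iptables -L -n -v
    ;;

restart|reload)
    "$0" stop
    "$0" start
    ;;

*)
    echo "Selecione uma opção valida {start|stop|status|restart|reload}" >&2
    exit 1
    ;;
esac

exit 0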
