#!/bin/bash
#/usr/sbin/firewall

# Absolute path of the iptables binary every rule below is issued through.
IPT='/sbin/iptables'

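limpaRegra(){
  # Returns the host to a fully open state: forwarding between interfaces is
  # switched off, the three chain policies are set to ACCEPT, every table is
  # flushed, user-defined chains are deleted and counters are zeroed.
  # Until politicaPadrao runs again (i.e. after "stop") nothing is filtered.
  local -r ip_forward_file='/proc/sys/net/ipv4/ip_forward'
  local forwarding=''
  # Read the current value into a variable instead of an unquoted backtick
  # substitution (which word-splits and produces a malformed test on an
  # empty result); an unreadable file simply leaves forwarding empty.
  [ -r "$ip_forward_file" ] && read -r forwarding < "$ip_forward_file"
  if [ -n "$forwarding" ] && [ "$forwarding" != 0 ]; then
    echo 0 > "$ip_forward_file"
    echo "Tráfego entre as placas desabilitado"
  fi

  local chain table op
  for chain in INPUT OUTPUT FORWARD; do
    "$IPT" -P "$chain" ACCEPT
  done
  # Same operation order as before: flush (-F) all tables, then delete user
  # chains (-X), then zero counters (-Z); filter, nat, mangle in each pass.
  for op in -F -X -Z; do
    for table in filter nat mangle; do
      "$IPT" -t "$table" "$op"
    done
  done

  echo "Limpando as regras em memória"
}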
politicaPadrao(){
  # Default-deny on all three chains; only loopback traffic is accepted here.
  # Everything else must be opened explicitly by the libera* functions.
  local chain
  for chain in INPUT OUTPUT FORWARD; do
    "$IPT" -P "$chain" DROP
  done
  "$IPT" -A INPUT -i lo -j ACCEPT
  "$IPT" -A OUTPUT -o lo -j ACCEPT
}
liberaDNS(){
  # DNS client: outbound queries to port 53 (udp, then tcp) and, inbound,
  # only the replies that belong to those queries.
  local proto
  for proto in udp tcp; do
    "$IPT" -A OUTPUT -p "$proto" --dport 53 -j ACCEPT
    "$IPT" -A INPUT -p "$proto" --sport 53 -m state --state RELATED,ESTABLISHED -j ACCEPT
  done
  echo "DNS liberado"
}
liberaPing(){
  # Inbound echo-requests are accepted at a limited rate; requests above the
  # limit match nothing here and fall through to the rest of the INPUT chain.
  local -r request_limit='61/minute'
  "$IPT" -A INPUT -p icmp --icmp-type echo-request -m limit --limit "$request_limit" -j ACCEPT
  # Echo replies are accepted with no state match, i.e. whether or not this
  # host sent the corresponding request.
  "$IPT" -A INPUT -p icmp --icmp-type echo-reply -j ACCEPT
  # Every outbound ICMP type is allowed.
  "$IPT" -A OUTPUT -p icmp -j ACCEPT
  echo "Ping liberado, limite de ping ativado"
}
liberaDhclient(){
  # DHCP client: this host sends from port 68 to a server on 67 and gets the
  # answer back on 68.
  local -r client_port=68 server_port=67
  "$IPT" -A OUTPUT -p udp --sport "$client_port" --dport "$server_port" -j ACCEPT
  "$IPT" -A INPUT -p udp --sport "$server_port" --dport "$client_port" -j ACCEPT
  # Other clients: requests from some other client aimed at a DHCP server port
  # on this host are dropped explicitly rather than left to the chain policy.
  "$IPT" -A INPUT -p udp --sport "$client_port" --dport "$server_port" -j DROP
  echo "DHCP Client liberado"
}
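liberaSSH(){
  # SSH client: outbound from an unprivileged source port to remote port 22.
  # NOTE: this function is defined but not invoked from start(); confirm
  # whether outbound SSH is meant to stay blocked.
  local -r ephemeral='1024:65535'
  "$IPT" -A OUTPUT -p tcp --sport "$ephemeral" --dport 22 -j ACCEPT
  # Inbound carries replies only. NEW was removed from the state list: the
  # connection is always created by the OUTPUT rule above, and matching NEW
  # here would accept any unsolicited packet with source port 22 as a fresh
  # connection to every unprivileged local port.
  "$IPT" -A INPUT -p tcp --sport 22 --dport "$ephemeral" -m state --state RELATED,ESTABLISHED -j ACCEPT
  echo "SSH Liberado"
}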

liberaHTTP(){
  # HTTP client only: outbound from an unprivileged source port to 80, and
  # inbound just the replies belonging to those connections.
  local -r ephemeral='1024:65535'
  "$IPT" -A OUTPUT -p tcp --sport "$ephemeral" --dport 80 -j ACCEPT
  "$IPT" -A INPUT -p tcp --sport 80 --dport "$ephemeral" -m state --state RELATED,ESTABLISHED -j ACCEPT
  echo "HTTP Liberado"
}
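liberaHTTPS(){
  # HTTPS client to port 443 over tcp and over udp (same rule pair for each).
  local -r ephemeral='1024:65535'
  local proto
  for proto in tcp udp; do
    "$IPT" -A OUTPUT -p "$proto" --sport "$ephemeral" --dport 443 -j ACCEPT
    # Replies only. NEW was removed from the inbound state list: the
    # connection is always opened by the OUTPUT rule above, and matching NEW
    # here would accept any unsolicited packet with source port 443 as a
    # fresh connection to every unprivileged local port.
    "$IPT" -A INPUT -p "$proto" --sport 443 --dport "$ephemeral" -m state --state RELATED,ESTABLISHED -j ACCEPT
  done
  echo "HTTPS Liberado"
}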
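liberaCUPS(){
  # Printing client: IPP on tcp 631, LPD on tcp 515 and SNMP on udp 161.
  local -r ephemeral='1024:65535'
  "$IPT" -A OUTPUT -p tcp --sport "$ephemeral" --dport 631 -j ACCEPT
  # LPD has no inbound rule of its own in this function.
  "$IPT" -A OUTPUT -p tcp --dport 515 -j ACCEPT
  # Inbound rules carry replies only. NEW was removed from the state lists:
  # these flows are always opened by the OUTPUT rules, and matching NEW here
  # would accept any unsolicited packet with source port 631 or 161 as a
  # fresh connection to every unprivileged local port.
  "$IPT" -A INPUT -p tcp --sport 631 --dport "$ephemeral" -m state --state RELATED,ESTABLISHED -j ACCEPT
  "$IPT" -A OUTPUT -p udp --sport "$ephemeral" --dport 161 -j ACCEPT
  "$IPT" -A INPUT -p udp --sport 161 --dport "$ephemeral" -m state --state RELATED,ESTABLISHED -j ACCEPT
  echo "CUPS Liberado"
}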

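liberaGrafana(){
  # Client access to a Grafana instance on tcp 3000.
  local -r ephemeral='1024:65535'
  "$IPT" -A OUTPUT -p tcp --sport "$ephemeral" --dport 3000 -j ACCEPT
  # Replies only. NEW was removed from the state list: the connection is
  # always opened by the OUTPUT rule above, and matching NEW here would
  # accept any unsolicited packet with source port 3000 as a fresh
  # connection to every unprivileged local port.
  "$IPT" -A INPUT -p tcp --sport 3000 --dport "$ephemeral" -m state --state RELATED,ESTABLISHED -j ACCEPT
  echo "Grafana Liberado"
}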
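liberaUrbackup(){
  # Client access to an UrBackup server on tcp 55414.
  local -r ephemeral='1024:65535'
  "$IPT" -A OUTPUT -p tcp --sport "$ephemeral" --dport 55414 -j ACCEPT
  # Replies only. NEW was removed from the state list: the connection is
  # always opened by the OUTPUT rule above, and matching NEW here would
  # accept any unsolicited packet with source port 55414 as a fresh
  # connection to every unprivileged local port.
  "$IPT" -A INPUT -p tcp --sport 55414 --dport "$ephemeral" -m state --state RELATED,ESTABLISHED -j ACCEPT
  echo "Urbackup Liberado"
}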
liberaNTP(){
  # NTP client: new outbound queries to udp 123; inbound only the matching
  # replies (no NEW on the inbound side).
  local -r ephemeral='1024:65535'
  "$IPT" -A OUTPUT -p udp --sport "$ephemeral" --dport 123 -m state --state NEW -j ACCEPT
  "$IPT" -A INPUT -p udp --sport 123 --dport "$ephemeral" -m state --state RELATED,ESTABLISHED -j ACCEPT
  echo "NTP Liberado"
}

blockIGMP(){
  # Drop traffic to the link-local multicast block (224.0.0.0/24) in both
  # directions, then any inbound IGMP. Other multicast ranges are not covered.
  local -r local_multicast='224.0.0.0/24'
  local chain
  for chain in INPUT OUTPUT; do
    "$IPT" -A "$chain" -d "$local_multicast" -j DROP
  done
  "$IPT" -A INPUT -p igmp -j DROP
  echo "IGMP Drop"
}
liberaConexoesEstabelecidas(){
  # Generic inbound rule: accept any packet that conntrack already associates
  # with an existing flow, whatever protocol or port it uses.
  "$IPT" -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
  echo "Conexões RELATED e ESTABLISHED liberado"
}
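logAcesso(){
  # Rate-limited LOG rules. The --log-prefix values are now quoted: an
  # unquoted [fw-ssh] is a shell glob (bracket expression) and would be
  # replaced by a matching single-character file name if one existed in the
  # current directory, silently changing the prefix written to the log.
  local -a limit=(-m limit --limit 5/minute --limit-burst 3)
  "$IPT" -A INPUT -p tcp --dport 22 "${limit[@]}" -j LOG --log-prefix '[fw-ssh]'
  "$IPT" -A INPUT -p tcp --dport 80 "${limit[@]}" -j LOG --log-prefix '[fw-http]'
  "$IPT" -A INPUT -p tcp --dport 443 "${limit[@]}" -j LOG --log-prefix '[fw-https]'
  # NOTE(review): SMB direct hosting uses tcp 445; udp here looks like a
  # typo — confirm before changing, as it alters what gets logged.
  "$IPT" -A INPUT -p udp --dport 445 "${limit[@]}" -j LOG --log-prefix '[fw-smb]'
  # Catch-all: whatever reaches this point in INPUT/OUTPUT without matching
  # an earlier rule is logged before the chain policy decides its fate.
  "$IPT" -A INPUT "${limit[@]}" -j LOG --log-prefix '[fw-input-drop]'
  "$IPT" -A OUTPUT "${limit[@]}" -j LOG --log-prefix '[fw-output-drop]'
  echo "LOG de acesso habilitado"
}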
start(){
  # Builds the rule set in a fixed order. iptables evaluates rules in
  # insertion order, so the per-service ACCEPT rules come before the generic
  # RELATED,ESTABLISHED rule and the catch-all LOG rules; anything unmatched
  # falls through to the DROP policies set by politicaPadrao.
  # liberaSSH is defined in this file but deliberately-or-not absent from the
  # list, so outbound SSH stays blocked — NOTE(review): confirm that is intended.
  local step
  for step in limpaRegra politicaPadrao liberaDNS liberaPing liberaDhclient \
      liberaHTTP liberaHTTPS liberaGrafana liberaCUPS liberaUrbackup liberaNTP \
      blockIGMP liberaConexoesEstabelecidas logAcesso; do
    "$step"
  done
}
stop(){
  # "stop" is not a safe state: limpaRegra leaves every chain policy at
  # ACCEPT, so the host is completely unfiltered until "start" runs again.
  limpaRegra
}
restart(){
  # Full reload: open everything (stop), then rebuild the rule set (start).
  # start itself begins with limpaRegra, so the stop call is only a clean
  # separation of the two steps, not an extra guarantee.
  stop
  start
}
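        # Command dispatch: the single argument selects the action. The
        # expansion is quoted and defaulted so a missing argument reaches the
        # usage branch instead of relying on an unquoted, possibly unset $1.
        case "${1:-}" in
                start)
                        start
                        ;;
                stop)
                        stop
                        ;;
                restart)
                        restart
                        ;;
                *)
                        # Usage text is a diagnostic, so it goes to stderr.
                        echo "Use: service firewall [ stop | start | restart ]" >&2
                        exit 1
                        ;;
        esac
exit 0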
