awade
/
aplicativo
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
24 Commits
3 Branches
0 Tags
198 MiB
 
 
 
 
 
 
Tree: 57aee718fa
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from '57aee718fa'
${ noResults }
aplicativo/asterisk/hdaux_utilitarios_scripts/sip_firewall.sh

76 lines
2.3 KiB
Raw Blame History

#!/bin/bash
#Script de parametrizacao de seguranca com iptables para o Simples PABX IP
#Autor: Alan Pablo
#Referencia: Livro Asterisk na pratica - Alexandre Keller
#Cuiaba - MT - 23/02/2015
#Funcoes
#Funcao para calcular o numero de bits de uma mascara, recebe a mascara de rede como parametro.
#Referencia: http://www.linuxquestions.org/questions/programming-9/bash-cidr-calculator-646701/
mask2cidr() {
nbits=0
IFS=.
for dec in $1 ; do
case $dec in
255) let nbits+=8;;
254) let nbits+=7;;
252) let nbits+=6;;
248) let nbits+=5;;
240) let nbits+=4;;
224) let nbits+=3;;
192) let nbits+=2;;
128) let nbits+=1;;
0);;
*) echo "Error: $dec : Mascara Invalida"; exit 1
esac
done
echo "$nbits"
}
#Funcao para identificar o bloco de ip da rede, recebe a interface de rede como parametro.
rede() {
if [ -z $1 ] ; then
echo "Inteface Invalida: $1"
exit
fi
ip=$(ifconfig $1 | grep "inet addr" | sed -e 's/inet addr/ IP/g' | sed -e 's/Bcast.* //g' | sed -e 's/P-t-P.* //g' | sed -e 's/Mask/ Mascara/g' | awk {'print $1'} | cut -d ":" -f2)
mask=$(ifconfig $1 | grep "inet addr" | sed -e 's/inet addr/ IP/g' | sed -e 's/Bcast.* //g' | sed -e 's/P-t-P.* //g' | sed -e 's/Mask/ Mascara/g' | awk {'print $2'} | cut -d ":" -f2)
mask2bits=$(mask2cidr $mask)
end_rede=$(ipcalc -n $ip/$mask2bits | cut -d '=' -f2)
echo "$end_rede/$mask2bits"
}
#Flush (esvaziar). Remove todas as regras existentes.
iptables -F
#Apagar uma chain vazia
iptables -X
#Fecha todas as entradas
iptables -P INPUT DROP
#Abre todas as entradas
#iptables -P INPUT ACCEPT
#Garantindo o acesso as redes existentes
#Lista as interfaces disponiveis (desconsidera o loopback)
interfaces=$(ifconfig | grep "Link encap"| awk {'print $1'} | grep -v "lo")
for i in $interfaces
do
lan=$(rede $i)
iptables -A INPUT --src $lan -j ACCEPT
done
#Liberacao com base na origem
ips=$(cat /hdaux/utilitarios/ips-liberados.txt | grep -v ";" | grep -v "#")
for i in $ips
do
iptables -A INPUT --src $i -j ACCEPT
done
#LOCALHOST
iptables -A INPUT -i lo -j ACCEPT
#Regra com base no status de conexao: now (NEW) estabelecida (ESTABLISHED) reincidente (RELATED) e invalida (INVALID)
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT