#!/bin/bash
# tutorial http://www.zago.eti.br/ssh/knock.html
# :r !lynx -dump http://www.zago.eti.br/modelos/fireknock.sh
##### Variables shared by every rule below
# Absolute path, so the script does not depend on the caller's PATH.
iptables='/usr/sbin/iptables'
# Internal interface (as the name says); every interface match below keys on it.
INTERNA='eth0'


##### Load kernel modules
# Loaded in this fixed order; exit statuses are not checked, so a missing module
# only prints modprobe's own error and the script carries on.
for mod in iptable_nat ip_conntrack ip_conntrack_ftp ip_nat_ftp ipt_LOG ipt_REJECT ipt_MASQUERADE; do
  /sbin/modprobe "$mod"
done
unset mod


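##### Reset rules
# Default policies go to DROP *before* the flush: if the previous ruleset had an
# ACCEPT policy, flushing first would leave the host wide open, briefly, with no
# rules and no DROP policy. With DROP first there is no such window.
$iptables -P INPUT DROP
$iptables -P OUTPUT DROP
$iptables -P FORWARD DROP
# Flush rules and delete user-defined chains in the filter (default) and mangle
# tables. NOTE(review): the nat table is deliberately left untouched here, as
# before; if NAT rules are managed by this script elsewhere, flush it too.
$iptables -F
$iptables -X
$iptables -F -t mangle
$iptables -X -t mangle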





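##### ACCEPT return traffic and everything not arriving on $INTERNA
# The negation goes in front of the option: the intrapositioned form `-i ! eth0`
# has been deprecated since iptables 1.4.3 (it prints a warning) and only
# `! -i eth0` is the documented syntax.
# NOTE(review): this rule accepts *all* input on every interface other than
# $INTERNA, not just return traffic: loopback, but also an internet-facing
# interface if this host has one (the commented rules below refer to $EXTERNA).
# The DROP policy therefore only bites on $INTERNA. If loopback is what is meant,
# `-i lo` is the tighter match; return traffic from the internet is already
# covered by the ESTABLISHED,RELATED rule right after it.
$iptables -A INPUT ! -i "$INTERNA" -j ACCEPT
$iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# Outbound and forwarded traffic may open new connections.
$iptables -A OUTPUT -m state --state ESTABLISHED,RELATED,NEW -j ACCEPT
$iptables -A FORWARD -m state --state ESTABLISHED,RELATED,NEW -j ACCEPT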




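##### Log SSH connection attempts arriving on the internal interface
# Only NEW connections reach this rule (ESTABLISHED,RELATED are accepted above).
# Unless an ACCEPT for port 22 is added (the ones below are commented out), they
# are logged here and then dropped by the INPUT policy.
# The limit match caps the number of kernel log lines, so a burst of connection
# attempts cannot flood the log; the values are a starting point, adjust as needed.
$iptables -A INPUT -p tcp --dport 22 -i "$INTERNA" \
  -m limit --limit 5/min --limit-burst 10 \
  -j LOG --log-level 6 --log-prefix "FIREWALL: SSH: "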

## as regras abaixo estão comentadas, sem efeito (obs.: $EXTERNA não é definida acima neste script)
##### Libera acesso externo para ssh e servidor web
#$iptables -A INPUT -p tcp --dport 22 -i $EXTERNA -j ACCEPT
#$iptables -A INPUT -p tcp --dport 22 -i $INTERNA -j ACCEPT


