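#!/bin/bash
#
# Rebuild the custom input-filter chain (INPUT-CUSTOM) for IPv4 and IPv6 and
# reset Docker's DOCKER-USER chain. Must run as root on a Linux host with
# iptables/ip6tables.
#
# Optional environment:
#   WAN - name of the WAN interface. When set, the SYN-flood and SSH
#         brute-force rate-limit chains are installed for that interface.
#
# Rule order matters: a chain is evaluated top to bottom and the first
# terminating target (ACCEPT/DROP) wins. The original appended the rate-limit
# jumps AFTER the matching ACCEPT rules, so PING-MORTE and SSH-BRUT-FORCE were
# never reached; here every throttle jump precedes the ACCEPT it protects.
set -euo pipefail

readonly input="INPUT-CUSTOM"
readonly wan="${WAN:-}"

#######################################
# Create a chain if it does not exist yet, then flush it.
# Re-running the script is safe: `-N` on an existing chain is tolerated and
# the flush prevents `-A` from stacking duplicate rules on every run.
# Arguments: $1 - iptables binary (iptables or ip6tables), $2 - chain name
#######################################
ensure_chain() {
  local bin=$1 chain=$2
  "$bin" -N "$chain" 2>/dev/null || true
  "$bin" -F "$chain"
}

#######################################
# Build an IPv4 throttle chain: packets within the limit RETURN to the caller,
# anything above it is dropped. Callers jump into it from "$input".
# Arguments: $1 - chain name
#######################################
rate_limit_chain() {
  local chain=$1
  ensure_chain iptables "$chain"
  iptables -A "$chain" -m limit --limit 1/s --limit-burst 4 -j RETURN
  iptables -A "$chain" -j DROP
}

# --- reset the chains this script owns ---------------------------------------
ensure_chain iptables "$input"
ensure_chain ip6tables "$input"

# DOCKER-USER is created by Docker; only touch it when it is present so the
# script still works on hosts without Docker.
docker_user_present=0
if iptables -nL DOCKER-USER >/dev/null 2>&1; then
  iptables -F DOCKER-USER
  docker_user_present=1
fi

# TODO(review): trusted-IP whitelist ("gootips" in the original). The source
# reads `for i in $(cat ); do done` — no file path, no loop body, and a bash
# syntax error — so it is omitted here rather than guessed. Add the list path
# and the per-address rule, placed before the throttle jumps below.

# --- IPv4 rules ---------------------------------------------------------------
iptables -A "$input" -i lo -j ACCEPT -m comment --comment "Accept loopback traffic"
iptables -A "$input" -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT \
  -m comment --comment "Accept established, related"

# start custom rules

# Ping flood ("ping da morte") throttle. 0 = the kernel keeps answering
# echo-requests; the limit chain, not the sysctl, does the throttling.
echo "0" > /proc/sys/net/ipv4/icmp_echo_ignore_all
rate_limit_chain PING-MORTE
iptables -A "$input" -p icmp --icmp-type echo-request -j PING-MORTE

if [[ -n "$wan" ]]; then
  # SYN flood: throttle new TCP connections arriving on the WAN interface.
  # The original wrote 0 here, which switches the kernel's own SYN-cookie
  # defence OFF; 1 keeps it on (it only engages when the SYN backlog fills).
  echo "1" > /proc/sys/net/ipv4/tcp_syncookies
  rate_limit_chain syn-flood
  # NOTE: 1/s with a burst of 4 throttles EVERY new WAN connection, not only
  # floods; tune --limit/--limit-burst in rate_limit_chain to the host's
  # expected connection rate.
  iptables -A "$input" -i "$wan" -p tcp --syn -j syn-flood

  # SSH brute force: same throttle, restricted to port 22 on the WAN.
  rate_limit_chain SSH-BRUT-FORCE
  iptables -A "$input" -i "$wan" -p tcp --dport 22 -j SSH-BRUT-FORCE
fi

# The ACCEPTs come after the throttle jumps so that the limits above apply.
iptables -A "$input" -p icmp -m icmp --icmp-type echo-request -j ACCEPT -m comment --comment "Accept pings"
iptables -A "$input" -p tcp --dport 22 -j ACCEPT -m comment --comment "Accept SSH"

# Stealth-scan rule carried over from the original, still disabled: the flag
# list "SYN,ACK, FIN," is malformed and would not load as written.
#$IPTABLES -A FORWARD -p tcp --tcp-flags SYN,ACK, FIN, -m limit --limit 1/s -j ACCEPT

# end custom rules

# --- IPv6 rules ---------------------------------------------------------------
ip6tables -A "$input" -i lo -j ACCEPT -m comment --comment "Accept loopback traffic"
ip6tables -A "$input" -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT \
  -m comment --comment "Accept established, related traffic"

# --- hand unmatched traffic back to the calling chains ------------------------
iptables -A "$input" -j RETURN
ip6tables -A "$input" -j RETURN
if (( docker_user_present )); then
  iptables -A DOCKER-USER -j RETURN
fi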