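#!/bin/bash
# Gateway firewall / NAT rule set for a three-NIC Linux router:
# flushes every table, loads the conntrack/NAT helper modules, enables
# forwarding, then installs INPUT, FORWARD and NAT rules.
# 2006/10/19 Fixed by [email protected]
#
# Usage: run as root. Every iptables long option is spelled with a literal
# double hyphen ("--"); the pasted original used en-dashes, which iptables
# rejects as unknown arguments, so none of the rules would have loaded.
set -x
#
#                                +---------+
# [ 192.168.1.0/24 ] -- $inif -- | Gateway | -- $exif -- [ Internet ]
#                                +---------+
#
exif="eth2" # top - 61.219.31.244/255.255.255.0
# 61.219.31.245
# 61.219.31.246
# 61.219.31.254 -> gw
inif="eth0" # mid - 192.168.1.1/255.255.255.0
#
#
# Bottom interface, currently unused. Renamed from "if": a shell reserved
# word is a poor variable name and confuses tooling.
btmif="eth1" # bottom - [ Cancel now. ]
exip="61.219.31.244"
inip="192.168.1.1"
exip244="61.219.31.244"
exip245="61.219.31.245"
exip246="61.219.31.246"
exnet="61.219.31.0/24"
innet="192.168.1.0/24"

# Refuse to continue unless we can actually change the kernel's rules;
# otherwise every iptables call below fails one by one.
if [[ "$(id -u)" -ne 0 ]]; then
  printf 'this script must run as root\n' >&2
  exit 1
fi
command -v iptables >/dev/null || { printf 'iptables not found in PATH\n' >&2; exit 1; }

# Start from a clean slate in every table.
iptables -F
iptables -F -t nat
iptables -F -t mangle
iptables -X
# ip_queue backs the QUEUE target used below; the FTP/IRC helpers let the
# ESTABLISHED,RELATED rule admit the data connections those protocols open.
modprobe ip_queue
modprobe ip_tables
modprobe ip_nat_ftp
modprobe ip_conntrack
modprobe ip_conntrack_ftp
modprobe ip_conntrack_irc
echo "1" > /proc/sys/net/ipv4/ip_forward
# Policies stay ACCEPT; INPUT ends with an explicit catch-all DROP instead.
iptables -P INPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -P OUTPUT ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
# OpenVPN
iptables -A INPUT -p udp --dport 1194 -m state --state NEW -j ACCEPT
iptables -A INPUT -i tun+ -j ACCEPT
iptables -A FORWARD -i tun+ -j ACCEPT
# LAN-only services: matched on the inside interface AND the LAN source net.
# webmin
iptables -A INPUT -i "$inif" -s "$innet" -p tcp --dport 10000 -j ACCEPT
# ntop
iptables -A INPUT -i "$inif" -s "$innet" -p tcp --dport 3000:3001 -j ACCEPT
iptables -A INPUT -i "$inif" -s "$innet" -p tcp --dport 8080 -j ACCEPT
# HylaFax
#iptables -A INPUT -p tcp --dport 4559 --syn -m state --state NEW -j ACCEPT
# Rsync
iptables -A INPUT -i "$inif" -s "$innet" -p tcp --dport 873 -j ACCEPT
# Samba
iptables -A INPUT -i "$inif" -s "$innet" -p tcp --dport 137:139 -j ACCEPT
iptables -A INPUT -i "$inif" -s "$innet" -p udp --dport 137:139 -j ACCEPT
# MySQL
iptables -A INPUT -i "$inif" -s 192.168.1.100 -p tcp --dport 3306 -j ACCEPT
# DHCP
iptables -A INPUT -i "$inif" -p udp --dport 67 -m state --state NEW -j ACCEPT
# bacula
iptables -A INPUT -i "$inif" -s 192.168.1.100 -j ACCEPT
iptables -A OUTPUT -o "$inif" -d 192.168.1.100 -j ACCEPT
# CUPS
iptables -A INPUT -i "$inif" -s "$innet" -p tcp --dport 631 -j ACCEPT
iptables -A INPUT -i "$inif" -s "$innet" -p udp --dport 631 -j ACCEPT
## Global INPUT - Start Line
# MIDAS
iptables -A INPUT -p tcp --dport 12345 -j ACCEPT
# Ports that were opened to the LAN above are explicitly closed to everyone
# else before the world-reachable services follow.
iptables -A INPUT -p tcp -m multiport --dports 1473,3000,3306,7273,8080,10000 -j DROP
# FTP: control channel on 21. Passive-mode data connections are accepted as
# RELATED by the ESTABLISHED,RELATED rule below, courtesy of ip_conntrack_ftp.
# (A former "--sport 1024:65535 --dport 1024:65535 -j ACCEPT" rule here
# admitted any high-port TCP client to any high-port service on this host,
# bypassing the catch-all DROP; it was removed as the helper makes it unnecessary.)
iptables -A INPUT -p tcp -m multiport --dports 21 -j ACCEPT
# HTTP
iptables -A INPUT -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -p tcp --dport 81 -j ACCEPT
# SMTP & POP3 & IMAP
# QUEUE hands the packet to a userspace program via ip_queue; with no
# listener attached the kernel drops queued packets, so these services depend
# on that program running.
iptables -A INPUT -p tcp --dport 25 -j QUEUE
iptables -A INPUT -p tcp -m multiport --dports 110,143 -j QUEUE
iptables -A INPUT -p tcp -m multiport --dports 993,995 -j QUEUE
# DNS
iptables -A INPUT -p tcp --dport 53 -j QUEUE
iptables -A INPUT -p udp --dport 53 -m state --state NEW -j QUEUE
# ICMP
iptables -A INPUT -p icmp --icmp-type 8 -m state --state NEW -j QUEUE
# ESTABLISHED & RELATED
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -j DROP
## Global INPUT - END Line
# FORWARD
#iptables -A FORWARD -i "$inif" -s 192.168.1.12 -p tcp --dport 3389 -j ACCEPT
#iptables -A FORWARD -i "$exif" -d 192.168.1.12 -p tcp --sport 3389 -j ACCEPT
#iptables -A FORWARD -s 192.168.1.100 -p icmp --icmp-type 8 -m state --state NEW -j ACCEPT
#iptables -A FORWARD -d 192.168.1.100 -p icmp --icmp-type echo-reply -j ACCEPT
iptables -A FORWARD -d 195.137.99.99 -p tcp --dport 80 -j DROP
iptables -A FORWARD -s 192.168.1.100 -p udp --dport 161 -j ACCEPT
# Traffic to/from .100 and .2 is inspected by the userspace QUEUE listener;
# everything else is forwarded unconditionally.
iptables -A FORWARD -s 192.168.1.100 -j QUEUE
iptables -A FORWARD -d 192.168.1.100 -j QUEUE
iptables -A FORWARD -s 192.168.1.2 -j QUEUE
iptables -A FORWARD -d 192.168.1.2 -j QUEUE
iptables -A FORWARD -j ACCEPT
# NAT: inbound port forwards on the public addresses, then source NAT.
iptables -t nat -A PREROUTING -d "$exip244" -p tcp -m multiport --dports 80,3306,8080 --syn -m state --state NEW -j DNAT --to-destination 192.168.1.2
iptables -t nat -A PREROUTING -d "$exip246" -p tcp -m multiport --dports 21,22,80,443 --syn -m state --state NEW -j DNAT --to-destination 192.168.1.100
iptables -t nat -A PREROUTING -d "$exip244" -p tcp --dport 25 --syn -m state --state NEW -j DNAT --to-destination 192.168.1.100
iptables -t nat -A PREROUTING -d "$exip244" -p udp --dport 53 -m state --state NEW -j DNAT --to-destination 192.168.1.100
iptables -t nat -A PREROUTING -d "$exip244" -p tcp --dport 53 -m state --state NEW -j DNAT --to-destination 192.168.1.100
iptables -t nat -A PREROUTING -d "$exip244" -p tcp --dport 3388 --syn -m state --state NEW -j DNAT --to-destination 192.168.1.99
# Web replies from .100 leave as .246; the gateway's own outbound SMTP leaves
# as .245; the rest of the LAN is masqueraded behind the outgoing interface.
iptables -t nat -A POSTROUTING -s 192.168.1.100 -p tcp --sport 80 -j SNAT --to-source "$exip246"
iptables -t nat -A POSTROUTING -s "$exip244" -p tcp --dport 25 -j SNAT --to-source "$exip245"
iptables -t nat -A POSTROUTING -s "$innet" -j MASQUERADE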