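#!/bin/bash
# 2006/10/19 Fixed by cross@ssorc.tw
#
# Gateway firewall / NAT ruleset for a two-NIC Linux gateway. Every iptables
# call below modifies the live tables, so this must run as root. Inbound
# mail/DNS/ICMP and the traffic of two LAN hosts is handed to a userspace
# handler through the QUEUE target (ip_queue).
#
# -u: a mistyped variable name aborts the load instead of expanding to an
#     empty string and producing a different (usually broader) rule.
# -x: trace every command, kept from the original so a rule load can be audited.
set -ux

#
#                                +---------+
# [ 192.168.1.0/24 ] -- $inif -- | Gateway | -- $exif -- [ Internet ]
#                                +---------+
#

exif="eth2"     # top    - 61.219.31.244/255.255.255.0
                #          61.219.31.245
                #          61.219.31.246
                #          61.219.31.254 -> gw

inif="eth0"     # mid    - 192.168.1.1/255.255.255.0

# Third NIC; no rule below references it ("Cancel now." in the original).
# shellcheck disable=SC2034
if="eth1"       # bottom - [ Cancel now. ]

# Primary addresses of the two sides (exip duplicates exip244; both are kept
# for readers of the original, neither is referenced by a rule).
exip="61.219.31.244"
inip="192.168.1.1"

# The three public addresses on $exif; .244 and .246 receive port forwards,
# .245 is the source address for gateway-originated SMTP.
exip244="61.219.31.244"
exip245="61.219.31.245"
exip246="61.219.31.246"

# Public and LAN networks. innet is the match used by every LAN-only rule.
exnet="61.219.31.0/24"
innet="192.168.1.0/24"

# Nothing below should redefine the topology.
readonly exif inif exip inip exip244 exip245 exip246 exnet innet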

# Start from empty tables: flush the built-in chains of filter, nat and mangle,
# then delete user-defined chains (filter table only, as in the original).
for table in filter nat mangle; do
  iptables -t "$table" -F
done
iptables -X

# Kernel modules. ip_queue backs the QUEUE target used later; the ftp/irc
# conntrack helpers let the ESTABLISHED,RELATED rule cover secondary data
# connections. (ip_queue was dropped from mainline kernels long ago; on a
# current kernel this modprobe fails and NFQUEUE would be the replacement.)
for mod in ip_queue ip_tables ip_nat_ftp ip_conntrack ip_conntrack_ftp ip_conntrack_irc; do
  modprobe "$mod"
done

# The gateway has to route between $inif and $exif.
printf '1\n' > /proc/sys/net/ipv4/ip_forward

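# Default policies stay ACCEPT; INPUT is only closed by the explicit "-j DROP"
# at the end of this section. NOTE(review): INPUT is therefore open between the
# flush above and that final rule, and stays open if the script aborts part-way.
# "iptables -P INPUT DROP" (set once the SSH rule is loaded) would close that
# window; left unchanged here to avoid a lockout when re-running remotely.
iptables -P INPUT       ACCEPT
iptables -P FORWARD     ACCEPT
iptables -P OUTPUT      ACCEPT

# Loopback
iptables -A INPUT  -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT

# SSH -- no -i/-s restriction, so it is reachable on every interface from any source.
iptables -A INPUT  -p tcp --dport 22 -j ACCEPT
iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT

# OpenVPN: control channel on 1194/udp, then anything arriving over a tunnel.
iptables -A INPUT -p udp --dport 1194 -m state --state NEW -j ACCEPT
iptables -A INPUT   -i tun+ -j ACCEPT
iptables -A FORWARD -i tun+ -j ACCEPT

# ---- LAN-only services: must arrive on $inif from $innet ----

# webmin
iptables -A INPUT -i "$inif" -s "$innet" -p tcp --dport 10000 -j ACCEPT

# ntop
iptables -A INPUT -i "$inif" -s "$innet" -p tcp --dport 3000:3001 -j ACCEPT

# 8080 from the LAN
iptables -A INPUT -i "$inif" -s "$innet" -p tcp --dport 8080 -j ACCEPT

# HylaFax
#iptables -A INPUT -p tcp --dport 4559 --syn -m state --state NEW -j ACCEPT

# Rsync
iptables -A INPUT -i "$inif" -s "$innet" -p tcp --dport 873  -j ACCEPT

# Samba
iptables -A INPUT -i "$inif" -s "$innet" -p tcp --dport 137:139  -j ACCEPT
iptables -A INPUT -i "$inif" -s "$innet" -p udp --dport 137:139  -j ACCEPT

# MySQL -- one LAN host only
iptables -A INPUT -i "$inif" -s 192.168.1.100  -p tcp --dport 3306 -j ACCEPT

# DHCP
iptables -A INPUT -i "$inif" -p udp --dport 67 -m state --state NEW -j ACCEPT

# bacula -- all traffic to/from the backup host, any protocol or port
iptables -A INPUT -i "$inif"  -s 192.168.1.100 -j ACCEPT
iptables -A OUTPUT -o "$inif"  -d 192.168.1.100 -j ACCEPT

# CUPS
iptables -A INPUT -i "$inif" -s "$innet" -p tcp --dport 631 -j ACCEPT
iptables -A INPUT -i "$inif" -s "$innet" -p udp --dport 631 -j ACCEPT

## Global INPUT - Start Line
# MIDAS
iptables -A INPUT -p tcp --dport 12345 -j ACCEPT

# FTP
# The DROP list exists only because the high-port ACCEPT that follows is so
# broad: any TCP segment with both ports in 1024-65535 is accepted from anywhere,
# so every unlisted service on a high port is exposed. NOTE(review): with
# ip_conntrack_ftp loaded, passive-FTP data connections are already matched by
# the ESTABLISHED,RELATED rule below, so the high-port ACCEPT is probably
# unnecessary -- kept unchanged here; verify on the live box before removing.
iptables -A INPUT -p tcp -m multiport --dports 1473,3000,3306,7273,8080,10000 -j DROP
iptables -A INPUT -p tcp -m multiport --dports 21 -j ACCEPT
iptables -A INPUT -p tcp --sport 1024:65535 --dport 1024:65535 -j ACCEPT

# HTTP
iptables -A INPUT -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -p tcp --dport 81 -j ACCEPT

# SMTP & POP3 & IMAP -- handed to the ip_queue userspace handler. There is no
# --state NEW match, so every packet of these connections is queued, not only
# the first; presumably so the handler sees the whole stream -- confirm.
iptables -A INPUT -p tcp              --dport  25       -j QUEUE
iptables -A INPUT -p tcp -m multiport --dports 110,143  -j QUEUE
iptables -A INPUT -p tcp -m multiport --dports 993,995  -j QUEUE

# DNS
iptables -A INPUT -p tcp --dport 53                      -j QUEUE
iptables -A INPUT -p udp --dport 53 -m state --state NEW -j QUEUE

# ICMP -- echo requests also go through the queue handler
iptables -A INPUT -p icmp --icmp-type 8 -m state --state NEW -j QUEUE

# ESTABLISHED & RELATED. NOTE(review): placed after the QUEUE rules, so those
# still receive established packets; moving it earlier would change what the
# queue handler sees.
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# Everything else addressed to the gateway itself is dropped.
iptables -A INPUT  -j DROP
## Global INPUT - END Line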

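# FORWARD -- policy is ACCEPT and the last rule accepts whatever was not matched
# above, so the LAN is routed freely; the QUEUE rules only divert the traffic of
# 192.168.1.100 and 192.168.1.2 to the userspace handler.
#iptables -A FORWARD -i $inif -s 192.168.1.12 -p tcp --dport 3389 -j ACCEPT
#iptables -A FORWARD -i $exif -d 192.168.1.12 -p tcp --sport 3389 -j ACCEPT
#iptables -A FORWARD -s 192.168.1.100 -p icmp --icmp-type 8 -m state --state NEW -j ACCEPT
#iptables -A FORWARD -d 192.168.1.100 -p icmp --icmp-type echo-reply -j ACCEPT
# Forwarded HTTP to one specific external host is blocked.
iptables -A FORWARD -d 195.137.99.99 -p tcp --dport 80 -j DROP
# SNMP from .100 is accepted directly, i.e. it bypasses the QUEUE rules below.
iptables -A FORWARD -s 192.168.1.100 -p udp --dport 161 -j ACCEPT
iptables -A FORWARD -s 192.168.1.100 -j QUEUE
iptables -A FORWARD -d 192.168.1.100 -j QUEUE
iptables -A FORWARD -s 192.168.1.2 -j QUEUE
iptables -A FORWARD -d 192.168.1.2 -j QUEUE
iptables -A FORWARD -j ACCEPT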

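# NAT
# Inbound port forwards. NOTE(review): there is no -i "$exif" match, so these
# also rewrite LAN-originated packets addressed to the public IPs; add it if
# that hairpin case is not intended. 3306 on .244 and 22 on .246 are reachable
# from the whole Internet -- restricting them with -s to known clients would
# shrink the exposure if the peers are known.
iptables -t nat -A PREROUTING -d "$exip244" -p tcp -m multiport --dports 80,3306,8080 --syn -m state --state NEW -j DNAT --to-destination 192.168.1.2
iptables -t nat -A PREROUTING -d "$exip246" -p tcp -m multiport --dports 21,22,80,443   --syn -m state --state NEW -j DNAT --to-destination 192.168.1.100
iptables -t nat -A PREROUTING -d "$exip244" -p tcp --dport 25   --syn -m state --state NEW -j DNAT --to-destination 192.168.1.100
iptables -t nat -A PREROUTING -d "$exip244" -p udp --dport 53         -m state --state NEW -j DNAT --to-destination 192.168.1.100
iptables -t nat -A PREROUTING -d "$exip244" -p tcp --dport 53         -m state --state NEW -j DNAT --to-destination 192.168.1.100
iptables -t nat -A PREROUTING -d "$exip244" -p tcp --dport 3388 --syn -m state --state NEW -j DNAT --to-destination 192.168.1.99

# Outbound source NAT: web replies from .100 leave as .246, gateway-originated
# SMTP leaves as .245, everything else from the LAN is masqueraded. The
# MASQUERADE rule has no -o "$exif", so it also applies to packets leaving via
# tun+ -- confirm that is wanted.
iptables -t nat -A POSTROUTING -s 192.168.1.100 -p tcp --sport 80 -j SNAT --to-source "$exip246"
iptables -t nat -A POSTROUTING -s "$exip244" -p tcp --dport 25 -j SNAT --to-source "$exip245"
iptables -t nat -A POSTROUTING -s "$innet"                        -j MASQUERADE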
