#!/bin/bash
# 2006/10/18 Author cross@ssorc.tw
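# Purpose:  (re)load the netfilter ruleset of this gateway.
# Usage:    run as root; it writes /proc/sys and rewrites the filter/nat/
#           mangle tables in place.
# Requires: iptables, the ip_queue module and a userspace handler bound to
#           the QUEUE target — packets sent to QUEUE are dropped when
#           nothing is listening.
# NOTE:     iptables option names are two ASCII hyphens (--dport). A copy of
#           this script that passed through a web editor had them turned
#           into en-dashes, which iptables rejects as a bad argument.
set -x   # command trace kept from the original; drop it once the ruleset is stable

# Topology. $exif, $inif and $inip are not referenced by any rule below
# (the rules match on addresses only); they document the layout.
exif="eth0"
inif="eth1"

exip="210.17.16.68"
inip="10.1.1.1"

exnet="210.17.16.64/255.255.255.224" # -> 210.17.16.64/27
innet="10.1.1.0/24"

# Management host allowed to reach the MIDAS services and SNMP.
midas="61.219.31.244"

#######################################
# FORWARD rules for a host that exposes a short TCP port list: new
# connections to those ports, their replies and echo requests go to the
# userspace QUEUE handler; UDP replies pass; everything else is dropped.
# Arguments: $1 - destination address
#            $2 - comma-separated TCP port list for -m multiport
#######################################
fwd_service_host() {
  local host=$1 ports=$2
  iptables -A FORWARD -d "$host" -p tcp -m multiport --dports "$ports" --syn -m state --state NEW -j QUEUE
  iptables -A FORWARD -d "$host" -p tcp -m state --state ESTABLISHED,RELATED -j QUEUE
  iptables -A FORWARD -d "$host" -p tcp -j DROP
  iptables -A FORWARD -d "$host" -p udp -m state --state ESTABLISHED,RELATED -j ACCEPT
  iptables -A FORWARD -d "$host" -p udp -j DROP
  iptables -A FORWARD -d "$host" -p icmp --icmp-type 8 -m state --state NEW -j QUEUE
  iptables -A FORWARD -d "$host" -p icmp -m state --state ESTABLISHED,RELATED -j QUEUE
  iptables -A FORWARD -d "$host" -p icmp -j DROP
}

#######################################
# FORWARD rules for a DNS host: new TCP/UDP 53 and their replies go to the
# QUEUE handler, ICMP replies pass, everything else is dropped.
# Arguments: $1 - destination address
#######################################
fwd_dns_host() {
  local host=$1
  iptables -A FORWARD -d "$host" -p tcp -m multiport --dports 53 --syn -m state --state NEW -j QUEUE
  iptables -A FORWARD -d "$host" -p tcp -m state --state ESTABLISHED,RELATED -j QUEUE
  iptables -A FORWARD -d "$host" -p tcp -j DROP
  iptables -A FORWARD -d "$host" -p udp -m multiport --dports 53 -m state --state NEW -j QUEUE
  iptables -A FORWARD -d "$host" -p udp -m state --state ESTABLISHED,RELATED -j QUEUE
  iptables -A FORWARD -d "$host" -p udp -j DROP
  iptables -A FORWARD -d "$host" -p icmp -m state --state ESTABLISHED,RELATED -j ACCEPT
  iptables -A FORWARD -d "$host" -p icmp -j DROP
}

#######################################
# FORWARD rules for a closed host: only replies to connections it
# initiated reach it.
# Arguments: $1 - destination address
#######################################
fwd_closed_host() {
  local host=$1
  iptables -A FORWARD -d "$host" -p tcp -m state --state ESTABLISHED,RELATED -j ACCEPT
  iptables -A FORWARD -d "$host" -p tcp -j DROP
  iptables -A FORWARD -d "$host" -p udp -m state --state ESTABLISHED,RELATED -j ACCEPT
  iptables -A FORWARD -d "$host" -p udp -j DROP
  iptables -A FORWARD -d "$host" -p icmp -m state --state ESTABLISHED,RELATED -j ACCEPT
  iptables -A FORWARD -d "$host" -p icmp -j DROP
}

# Flush. From here until the last rule is appended the chain policies are
# ACCEPT and the box is unfiltered; the script deliberately has no 'set -e'
# because aborting part-way would leave it in exactly that state.
iptables -F
iptables -F -t nat
iptables -F -t mangle
iptables -X

modprobe ip_tables
modprobe ip_queue          # backs the QUEUE target (legacy; NFQUEUE/nfnetlink_queue is its successor on newer kernels)
modprobe ip_nat_ftp
modprobe ip_conntrack
modprobe ip_conntrack_ftp
modprobe ip_conntrack_irc

echo "1" > /proc/sys/net/ipv4/ip_forward

iptables -P INPUT       ACCEPT
# FORWARD stays ACCEPT: a host in $exnet without a per-host block below is
# reachable on every port, so keep the per-host list complete.
iptables -P FORWARD     ACCEPT
iptables -P OUTPUT      ACCEPT

iptables -A INPUT  -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT

# Anything claiming a source in either local net is trusted unconditionally.
# There is no interface match here, so protection against spoofed sources
# relies on rp_filter or upstream filtering.
iptables -A INPUT -s "$exnet" -j ACCEPT
iptables -A INPUT -s "$innet" -j ACCEPT

# SSH is open to every source; add -s here if that is not intended.
iptables -A INPUT  -p tcp --dport  22 -j ACCEPT
iptables -A OUTPUT -p tcp --sport  22 -j ACCEPT

# for MIDAS
iptables -A INPUT -s "$midas" -d "$exip" -p tcp -m multiport --dports 80,25 --syn -m state --state NEW -j ACCEPT
iptables -A INPUT -s "$midas" -d "$exip" -p tcp -m multiport --dports 3000,3001 --syn -m state --state NEW -j ACCEPT

iptables -A INPUT -s "$midas" -p udp --dport 161 -j ACCEPT

# global
# ICMP: echo requests are decided by the userspace QUEUE handler
iptables -A INPUT -p icmp --icmp-type 8 -m state --state NEW -j QUEUE

iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

iptables -A INPUT -j DROP

# FORWARD
iptables -A FORWARD -s "$midas" -p udp --dport 161 -j ACCEPT
iptables -A FORWARD -s "$exnet" -d "$exnet" -j ACCEPT

# for MIDAS — these must precede the per-host blocks, which DROP other TCP
iptables -A FORWARD -s "$midas" -d 210.17.16.88 -p tcp -m multiport --dports 25,3306,5432 --syn -m state --state NEW -j ACCEPT
iptables -A FORWARD -s "$midas" -d 210.17.16.88 -p tcp -m multiport --dports 53 --syn -m state --state NEW -j QUEUE
iptables -A FORWARD -s "$midas" -d 210.17.16.81 -p tcp -m multiport --dports 25,3306 --syn -m state --state NEW -j ACCEPT
iptables -A FORWARD -s "$midas" -d 210.17.16.81 -p tcp -m multiport --dports 53 --syn -m state --state NEW -j QUEUE

# Per-host policies. Blocks for different destinations (and the tcp/udp/icmp
# groups inside one block) never match the same packet, so their relative
# order only affects the listing, not the result.
fwd_service_host 210.17.16.81 22,80
fwd_dns_host     210.17.16.91

# 65 88 90 92
fwd_closed_host  210.17.16.65
fwd_service_host 210.17.16.88 21,22,80
fwd_dns_host     210.17.16.90
fwd_dns_host     210.17.16.92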
