#!/bin/sh
#
# This script will be executed *after* all the other init scripts.
# You can put your own initialization stuff in here if you don't
# want to do the full Sys V style init stuff.

touch /var/lock/subsys/local
############
modprobe ip_tables
modprobe iptable_nat
modprobe iptable_filter
modprobe ip_conntrack
modprobe ip_conntrack_ftp
modprobe ip_nat_ftp
modprobe ipt_MASQUERADE
modprobe ipt_state
modprobe ipt_multiport
############

echo 1 >/proc/sys/net/ipv4/ip_forward
#close Explicit Congestion Notification
echo 0>/proc/sys/net/ipv4/tcp_ecn
############
echo 1 >/proc/sys/net/ipv4/tcp_syncookies
#Igonre any broadcast icmp echo reuqests
echo 1 >/proc/sys/net/ipv4/icmp_echo_ignore_broadcasts

############
iptables -F
iptables -X
iptables -F -t nat
iptables -t nat -X
iptables -F -t mangle
iptables -t mangle -X
iptables -P INPUT DROP
iptables -P OUTPUT DROP       

iptables -P FORWARD DROP

############
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
############
iptables -A FORWARD -p tcp -m multiport --dport 135,137,138,139,445 -j DROP
############
iptables -A INPUT  -p icmp --icmp-type echo-request -m limit --limit 1/s --limit-burst 10 -j ACCEPT
iptables -A OUTPUT -p icmp -m icmp --icmp-type echo-reply -j ACCEPT

iptables -A OUTPUT -p icmp --icmp-type echo-request -j ACCEPT
iptables -A INPUT -p icmp --icmp-type echo-reply -j ACCEPT


############
iptables -A INPUT -i eth0 -s 192.168.1.0/24 -p tcp --dport 3128 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth0 -s 192.168.1.0/24 -p tcp --sport 3128 -m state --state ESTABLISHED -j ACCEPT
############下面两句是允许squid访问外网的私有端口
iptables -A INPUT -i eth1 -p tcp --dport 32768:61000 -m state --state ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth1 -p tcp --sport 32768:61000 -m state --state NEW,ESTABLISHED -j ACCEPT
############
iptables -A OUTPUT -p udp --dport 53 -j ACCEPT
iptables -A INPUT -p udp --sport 53 -j ACCEPT
                                                                                   

service iptables stop
iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -o eth1 -j SNAT --to 172.22.45.224
iptables -t nat -A PREROUTING -s 192.168.1.0/24 -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 3128
#iptables -t nat -I PREROUTING -i eth0 -p tcp --dport 80 -j DNAT --to 172.20.0.15
iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -d 0.0.0.0/0  -j MASQUERADE