#! /bin/bash

OUT_SIDE=wlan0
SUB_NET=192.168.0.0/24

#内网服务器

_SERVICE_PORT_1=53389
_SERVER_1=192.168.0.128:3389

#本地服务

_SERVICE_PORT_2=3690
_SERVICE_PORT_3=80
_SERVICE_PORT_4=22

IPT="/sbin/iptables"

$IPT -F
$IPT -X
$IPT -F -t nat
$IPT -X -t nat
$IPT -F -t mangle
$IPT -X -t mangle

$IPT -P INPUT ACCEPT
$IPT -P OUTPUT ACCEPT
$IPT -P FORWARD ACCEPT

$IPT -t nat -P OUTPUT ACCEPT
$IPT -t nat -P PREROUTING ACCEPT
$IPT -t nat -P POSTROUTING ACCEPT

$IPT -t mangle -P PREROUTING ACCEPT
$IPT -t mangle -P POSTROUTING ACCEPT
$IPT -t mangle -P INPUT ACCEPT
$IPT -t mangle -P OUTPUT ACCEPT
$IPT -t mangle -P FORWARD ACCEPT


$IPT -P INPUT DROP
$IPT -A INPUT -i vmnet1 -j ACCEPT
$IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPT -A INPUT -i lo -j ACCEPT
$IPT -A INPUT -p tcp --dport 21 -j ACCEPT
$IPT -A INPUT -p tcp --dport $_SERVICE_PORT_1 -j ACCEPT
$IPT -A INPUT -p tcp --dport $_SERVICE_PORT_2 -j ACCEPT
$IPT -A INPUT -p tcp --dport $_SERVICE_PORT_3 -j ACCEPT
$IPT -A INPUT -p tcp --dport $_SERVICE_PORT_4 -j ACCEPT


$IPT -t nat -A POSTROUTING -s $SUB_NET -j MASQUERADE

#这条规则是建立一个端口映射,将内网的192.168.0.128上的3389映射到外网的53389端口

$IPT -A PREROUTING -t nat -i $OUT_SIDE -p tcp --dport $_SERVICE_PORT_1 -j DNAT --to-destination $_SERVER_1

echo 1 > /proc/sys/net/ipv4/ip_forward
echo 1 > /proc/sys/net/ipv4/tcp_syncookies
echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses