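#!/bin/bash
# NAT / firewall for a small private LAN behind a PPP uplink.
#
# Topology (override through the environment, defaults match the original):
#   WAN_IF  - public interface                         (default ppp0)
#   LAN_IF  - private interface                        (default eth1)
#   LAN_NET - private network masqueraded out of WAN_IF (default 192.168.0.0/24)
#
# Must run as root. `set -e` makes a failing rule abort the run; because the
# DROP policies are installed before any ACCEPT rule, a partial run fails
# closed. The original script never set an INPUT policy and relied on a
# trailing `-j MIRROR` catch-all - a target that has been removed from the
# kernel - so on a kernel without ipt_MIRROR it silently left INPUT at ACCEPT.
set -euo pipefail

WAN_IF=${WAN_IF:-ppp0}
LAN_IF=${LAN_IF:-eth1}
LAN_NET=${LAN_NET:-192.168.0.0/24}
readonly SQUID_PORT=3128

# FTP connection-tracking/NAT helper. nf_conntrack-based kernels name it
# nf_nat_ftp; the original ip_nat_ftp name is kept as the fallback.
# If neither loads the script stops here, before the old ruleset is flushed.
modprobe nf_nat_ftp 2>/dev/null || modprobe ip_nat_ftp

# --- reset ---------------------------------------------------------------
iptables -t filter -F
iptables -t filter -X
iptables -t nat -F
iptables -t nat -X

# --- default policies (before any ACCEPT rule, see header) ---------------
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
iptables -t nat -P PREROUTING ACCEPT
iptables -t nat -P POSTROUTING ACCEPT
iptables -t nat -P OUTPUT ACCEPT

# --- INPUT: traffic addressed to the router itself -----------------------
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
# SSH and the Squid listener are reachable from the LAN side only.
iptables -A INPUT -i "$LAN_IF" -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -i "$LAN_IF" -p tcp --dport "$SQUID_PORT" -j ACCEPT
iptables -A INPUT -i "$LAN_IF" -p icmp -m limit --limit 5/s -j ACCEPT
# The original reflected echo-requests from every interface with `-j MIRROR`.
# Besides no longer existing, MIRROR turns the router into a reflector: a
# packet with a spoofed source is bounced at the spoofed third party. Anything
# not accepted above now simply hits the INPUT DROP policy.

# --- NAT -----------------------------------------------------------------
# Masquerade only what actually leaves through the uplink; the original
# matched on source alone and so rewrote LAN traffic on every interface.
iptables -t nat -A POSTROUTING -s "$LAN_NET" -o "$WAN_IF" -j MASQUERADE

# RADMIN port forwards. `--dport` is only valid together with `-p tcp|udp`;
# the original rules omitted `-p` and were rejected by iptables, so these
# forwards never loaded. They expose Radmin to the whole Internet: add
# `-s <admin-ip>` to both rules when the remote administrator has a fixed
# address.
iptables -t nat -A PREROUTING -i "$WAN_IF" -p tcp --dport 4899 -j DNAT --to-destination 192.168.0.2
iptables -t nat -A PREROUTING -i "$WAN_IF" -p tcp --dport 5000 -j DNAT --to-destination 192.168.0.3:4899

# Transparent Squid: LAN web traffic is diverted to the local proxy.
iptables -t nat -A PREROUTING -i "$LAN_IF" -p tcp -s "$LAN_NET" --dport 80 -j REDIRECT --to-ports "$SQUID_PORT"

# --- FORWARD: LAN <-> Internet -------------------------------------------
iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT

# Services the LAN may reach outbound, as proto:port. Bound to -i LAN_IF:
# the original rules matched both directions, so anything arriving on the
# uplink for one of these ports could have been forwarded into the LAN.
lan_out=(
  tcp:21    # FTP
  tcp:22    # SSH
  tcp:23    # TELNET (cleartext; kept for parity with the original list)
  udp:53    # DNS
  tcp:80    # HTTP
  tcp:443   # HTTPS
  udp:8000  # QQ
  tcp:25    # SMTP
  tcp:110   # POP3
  tcp:4899  # RADMIN
  tcp:1863  # MSN (also needs 443)
)
for spec in "${lan_out[@]}"; do
  iptables -A FORWARD -i "$LAN_IF" -p "${spec%%:*}" --dport "${spec#*:}" -j ACCEPT
done
iptables -A FORWARD -i "$LAN_IF" -p icmp -j ACCEPT

# Inbound half of the RADMIN DNATs above; FORWARD sees the post-DNAT
# destination, so match on the private address rather than the public port.
iptables -A FORWARD -i "$WAN_IF" -p tcp -d 192.168.0.2 --dport 4899 -j ACCEPT
iptables -A FORWARD -i "$WAN_IF" -p tcp -d 192.168.0.3 --dport 4899 -j ACCEPT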