脚本

编程技术频道资讯:

#!/bin/sh

EXT_IF="eth0"

INT_IF="eth1"


EXT_IP="61.156.35.114"

INT_IP="192.168.100.254"


LAN="192.168.100.0/24"


# ssh dns

TRUSTED_LOCAL_TCP_PORT="22"

TRUSTED_LOCAL_UDP_PORT="22"


# smtp http pop3

FWD_TCP_PORT="25 80 110"

FWD_UDP_PORT="25 80 110"

SERVER_IP1="192.168.100.1"


# load any special modules

modprobe ip_nat_ftp

modprobe ip_conntrack_ftp

modprobe ip_nat_irc

modprobe ip_conntrack_irc


# turn off ip forwarding

echo "0" > /proc/sys/net/ipv4/ip_forward


# delete any existing chains

iptables -F -t filter

iptables -X -t filter

iptables -Z -t filter

iptables -F -t nat

iptables -X -t nat

iptables -Z -t nat

 

# setting up default policies

iptables -P INPUT DROP

iptables -P FORWARD DROP

iptables -P OUTPUT ACCEPT

iptables -t nat -P PREROUTING ACCEPT

iptables -t nat -P POSTROUTING ACCEPT

iptables -t nat -P OUTPUT ACCEPT


#---------------------- filter ---------------------


# allow ping from internet

iptables -A INPUT -i $EXT_IF -p icmp -j ACCEPT


# enable local traffic

iptables -N allowed

iptables -A allowed ! -i $EXT_IF -m state --state NEW -j ACCEPT

iptables -A allowed -m state --state ESTABLISHED,RELATED -j ACCEPT


iptables -A INPUT -j allowed

iptables -A FORWARD -j allowed


for PORT in $TRUSTED_LOCAL_TCP_PORT; do

   iptables -A INPUT -i $EXT_IF -p tcp --dport $PORT -m state --state NEW -j ACCEPT

done

 for PORT in $TRUSTED_LOCAL_UDP_PORT; do

        iptables -A INPUT -i $EXT_IF -p udp --dport $PORT -m state --state NEW -j ACCEPT

done

 #---------------------- nat ---------------------

 # port forwarding

for PORT in $FWD_TCP_PORT; do

    iptables -A FORWARD -i $EXT_IF -o $INT_IF -d $SERVER_IP \

        -p tcp --dport $PORT -m state --state NEW -j ACCEPT

    iptables -t nat -A PREROUTING -d $EXT_IP \

        -p tcp --dport $PORT -j DNAT --to-destination $SERVER_IP

    iptables -t nat -A POSTROUTING -s $LAN -d $SERVER_IP \

        -p tcp --dport $PORT -j SNAT --to-source $INT_IP

done

 for PORT in $FWD_UDP_PORT; do

    iptables -A FORWARD -i $EXT_IF -o $INT_IF -d $SERVER_IP \

        -p udp --dport $PORT -m state  --state NEW -j ACCEPT

    iptables -t nat -A PREROUTING -d $EXT_IP \

        -p udp --dport $PORT -j DNAT --to-destination $SERVER_IP

    iptables -t nat -A POSTROUTING -s $LAN -d $SERVER_IP \

        -p udp --dport $PORT -j SNAT --to-source $INT_IP

done

 # Transparent Proxy

iptables -t nat -A PREROUTING -i $INT_IF -p tcp --dport 80 -j REDIRECT --to-port 3128

 # MASQUERADE

iptables -t nat -A POSTROUTING -o $EXT_IF -j MASQUERADE

 #------------------------------------------------------------------------

 # turn on ip forwarding

echo "1" > /proc/sys/net/ipv4/ip_forward

 # setting up ip spoofing protection

for f in /proc/sys/net/ipv4/conf/*/rp_filter; do

        echo 1 > $f

done

(来源:hengheng的BLOG)