
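#!/bin/bash
#
# Router firewall / NAT setup, integrated with the RHEL-style
# /etc/init.d/iptables service (stop -> load rules -> save -> start).
# Must run as root.
#
# Interface roles as implied by the rules below (the script itself does not
# document them — confirm before deploying):
#   eth0        : filtered interface; only the listed TCP/UDP ports may open
#                 NEW connections to this host, everything else is dropped
#   eth1        : trusted LAN ("accept all, will be used DHCP")
#   ppp0, ppp9  : PPP links, masqueraded on egress
#
# Review notes — behaviour changes versus the previous revision:
#   * INPUT and FORWARD now have a DROP policy, and the policies are set
#     BEFORE any ACCEPT rule is loaded, so if an iptables command fails
#     (set -e aborts the script) the box stays closed instead of wide open.
#     Previously no policy was set and the only DROP rules matched "-i eth0",
#     so every other interface (ppp0, ppp9, ...) accepted all inbound NEW
#     traffic and forwarded it into the LAN.  If a PPP peer is genuinely
#     trusted, add its interface to TRUSTED_IFACES.
#   * Loopback is accepted by interface ("-i lo") instead of by source
#     address ("-s localhost"): a source-address match also admits packets
#     arriving on any other interface with a spoofed 127.0.0.1 source.
#   * INVALID packets are dropped on every interface, not only eth0.

set -euo pipefail

IPTABLES="/sbin/iptables"

# Interfaces whose traffic (to this host and through it) is accepted
# unconditionally.
TRUSTED_IFACES=( eth1 )

# Interfaces masqueraded on egress.
# NOTE(review): the previous comment said "ppp0, ppp1, eth0" but the rule used
# ppp9; ppp9 is kept here — confirm which name is the real link.
MASQ_IFACES=( ppp0 ppp9 eth0 )

# The filtered interface and the ports allowed to open NEW connections to it.
# NOTE(review): 137-139/445 are NetBIOS/SMB; if eth0 ever faces an untrusted
# network these should not be exposed.
FILTERED_IFACE="eth0"
TCP_ALLOWED_PORTS=( 22 137 138 139 445 )
UDP_ALLOWED_PORTS=( 137 138 139 445 )

/etc/init.d/iptables stop

# Fail closed: policies first, then flush, then the ACCEPT rules.
$IPTABLES -t filter -P INPUT DROP
$IPTABLES -t filter -P FORWARD DROP
$IPTABLES -t filter -P OUTPUT ACCEPT
$IPTABLES -t filter -F
$IPTABLES -t filter -X
$IPTABLES -t nat -F
$IPTABLES -t nat -X

# --- NAT ---------------------------------------------------------------------
for iface in "${MASQ_IFACES[@]}"; do
  $IPTABLES -t nat -A POSTROUTING -o "$iface" -j MASQUERADE
done

# Connections to 10.0.0.1:80 are redirected to the external web host; TCP/123
# on 10.0.0.1 is mapped onto the local port 80.
$IPTABLES -t nat -A PREROUTING -p tcp -d 10.0.0.1 --dport 80 -j DNAT --to-destination 195.135.236.52
# NOTE(review): replies to a DNATed connection are reverse-translated by
# conntrack and never traverse the nat table, so this SNAT can only match
# connections *originated* from 195.135.236.52:80 and is most likely a no-op.
# Kept as-is pending confirmation.
$IPTABLES -t nat -A POSTROUTING -p tcp -s 195.135.236.52 --sport 80 -j SNAT --to-source 10.0.0.1
$IPTABLES -t nat -A PREROUTING -p tcp -d 10.0.0.1 --dport 123 -j DNAT --to 10.0.0.1:80

# --- FILTER: INPUT -----------------------------------------------------------
# Loopback by interface, not by source address (see header).
$IPTABLES -t filter -A INPUT -i lo -j ACCEPT
for iface in "${TRUSTED_IFACES[@]}"; do
  $IPTABLES -t filter -A INPUT -i "$iface" -j ACCEPT
done
# Replies to our own connections first: they are the bulk of the traffic.
$IPTABLES -t filter -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -t filter -A INPUT -m state --state INVALID -j DROP
for port in "${TCP_ALLOWED_PORTS[@]}"; do
  $IPTABLES -t filter -A INPUT -i "$FILTERED_IFACE" -p tcp --dport "$port" -m state --state NEW -j ACCEPT
done
for port in "${UDP_ALLOWED_PORTS[@]}"; do
  $IPTABLES -t filter -A INPUT -i "$FILTERED_IFACE" -p udp --dport "$port" -m state --state NEW -j ACCEPT
done
# Anything else on INPUT falls through to the DROP policy.

# --- FILTER: FORWARD ---------------------------------------------------------
# Disabled MAC allow-list for eth0 -> ppp0 (Oleg, Angela-PC, Angela-Notebook,
# Ajrat), preserved from the previous revision.  Note that a MAC match is only
# a convenience filter, not authentication — MAC addresses are trivially
# spoofed.
#ALLOWED_MAC=( '00:17:31:0F:B8:D7' '00:11:5B:02:EF:D8' '00:1B:38:71:67:51' '00:1E:8C:40:D3:6B' )
#for mac in "${ALLOWED_MAC[@]}"; do
#  $IPTABLES -t filter -A FORWARD -i eth0 -o ppp0 -m mac --mac-source "$mac" -m state --state NEW -j ACCEPT
#done
for iface in "${TRUSTED_IFACES[@]}"; do
  $IPTABLES -t filter -A FORWARD -i "$iface" -j ACCEPT
done
$IPTABLES -t filter -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -t filter -A FORWARD -m state --state INVALID -j DROP
# NOTE(review): nat PREROUTING runs before FORWARD, so a packet originally sent
# to 10.0.0.1:80 arrives here with destination 195.135.236.52 and this rule
# does not match it.  If its purpose is to admit the redirected web traffic it
# should match "-d 195.135.236.52 --dport 80" (from eth1 that traffic is already
# accepted by the trusted-interface rule above).  Kept as-is pending confirmation.
$IPTABLES -t filter -A FORWARD -p tcp -d 10.0.0.1 --dport 80 -j ACCEPT
# Anything else on FORWARD falls through to the DROP policy.

/etc/init.d/iptables save
/etc/init.d/iptables start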