2007年8月21日星期二

iptables实例

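# Firewall for a small NAT gateway:
#   - LAN 192.168.11.0/24 is SNATed to 192.168.18.198 on the WAN side,
#   - LAN web traffic (tcp/80) is transparently redirected into a local
#     Squid listening on 3128,
#   - the gateway itself accepts only the services listed under INPUT.
#
# Reply traffic is admitted by connection state (ESTABLISHED,RELATED), not by
# source port: a rule like "--sport 80 -j ACCEPT" matches any packet whose
# sender simply chose source port 80 and therefore bypasses the policy.
# The original "--sport ..." ACCEPT rules on INPUT and FORWARD are replaced by
# the two state rules below.
#
# Interfaces can be overridden from the environment (e.g. WAN=eth1).  With the
# shipped default both names point at the same device, so the -i/-o qualifiers
# cannot tell the two sides apart; only the subnet matches discriminate, and
# the anti-spoofing rule is skipped in that case.
LAN="${LAN:-eth0}"
WAN="${WAN:-eth0}"
LAN_NET="192.168.11.0/24"
SNAT_IP="192.168.18.198"
SQUID_PORT="3128"
# Peer the LAN may reach on any destination port from high source ports
# (rule kept from the original policy).
PEER_HOST="61.175.192.117"
IPT="/sbin/iptables"

# TCP/UDP destination ports LAN clients may reach through the gateway.
# (multiport takes at most 15 ports per rule, hence two TCP lists.)
TCP_OUT_1="8000,80,1080,443,25,110,8001,3128,8081,8888,22221,22223,22224,22225,6666"
TCP_OUT_2="6668,8002,8601,3389,21,8003,8008,9008,1863,10037,10041,7001,4439,188,8222"
UDP_OUT="8000,53,1701,1702,1703,1704"

echo "Enable IP Forwarding..."
echo 1 > /proc/sys/net/ipv4/ip_forward

echo "Starting /sbin/iptables rules..."
/sbin/modprobe iptable_filter
/sbin/modprobe ip_tables
/sbin/modprobe iptable_nat

# Refresh all chains.  INPUT/FORWARD are set to DROP before any ACCEPT is
# appended so there is no window with an open policy while rules are built.
"$IPT" -F -t nat
"$IPT" -F INPUT
"$IPT" -F OUTPUT
"$IPT" -F FORWARD
"$IPT" -P INPUT DROP
"$IPT" -P FORWARD DROP

# Loopback, plus replies to connections opened by this host or by the LAN.
"$IPT" -A INPUT -i lo -j ACCEPT
"$IPT" -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
"$IPT" -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

# Anti-spoofing: a packet entering on the WAN device with a LAN source address
# cannot be genuine.  Only meaningful when LAN and WAN are distinct devices.
if [ "$LAN" != "$WAN" ]; then
  "$IPT" -A INPUT -i "$WAN" -s "$LAN_NET" -j DROP
  "$IPT" -A FORWARD -i "$WAN" -s "$LAN_NET" -j DROP
fi

# Services the gateway itself offers on the WAN side: web and ftp.
"$IPT" -A INPUT -i "$WAN" -p tcp -m multiport --dport 80,21,20 -j ACCEPT
"$IPT" -A INPUT -i "$WAN" -p icmp -j ACCEPT
"$IPT" -A INPUT -i "$LAN" -s "$LAN_NET" -p icmp -j ACCEPT

# ssh to the gateway only from the listed admin hosts.
for admin in 192.168.18.157 192.168.18.199; do
  "$IPT" -A INPUT -i "$WAN" -s "$admin" -p tcp --dport 22 -j ACCEPT
done

# Squid: reachable from LAN clients only.  The REDIRECT below rewrites
# dport 80 -> 3128 before filtering, so redirected packets match here too.
# The previous "-m multiport --ports 3128 -j ACCEPT" had no interface or
# source restriction and exposed the proxy to every peer, i.e. an open proxy.
"$IPT" -A INPUT -i "$LAN" -s "$LAN_NET" -p tcp --dport "$SQUID_PORT" -j ACCEPT

# Transparent proxying of LAN web traffic, and source NAT for the LAN.
"$IPT" -t nat -A PREROUTING -i "$LAN" -p tcp -m tcp --dport 80 -j REDIRECT --to-ports "$SQUID_PORT"
"$IPT" -t nat -A POSTROUTING -s "$LAN_NET" -o "$WAN" -j SNAT --to "$SNAT_IP"

########### LAN 192.168.11.X -> outside (new connections; replies are
########### handled by the ESTABLISHED,RELATED rule above)
"$IPT" -A FORWARD -s "$LAN_NET" -p tcp -m multiport --dport "$TCP_OUT_1" -j ACCEPT
"$IPT" -A FORWARD -s "$LAN_NET" -p tcp -m multiport --dport "$TCP_OUT_2" -j ACCEPT
"$IPT" -A FORWARD -s "$LAN_NET" -p udp -m multiport --dport "$UDP_OUT" -j ACCEPT
"$IPT" -A FORWARD -s "$LAN_NET" -d "$PEER_HOST" -p tcp --sport 1025:65523 -j ACCEPT

# Rate-limited non-first fragments and ICMP through the gateway
# (kept from the original policy).
"$IPT" -A FORWARD -f -m limit --limit 100/s --limit-burst 100 -j ACCEPT
"$IPT" -A FORWARD -p icmp -m limit --limit 1/s --limit-burst 10 -j ACCEPT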
