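#!/bin/sh
#
# Gateway firewall for a captive-portal style setup.
#
# Topology this script assumes (not verified by the script — confirm it
# matches the host): eth0 faces the LAN whose clients are NATed, eth1 carries
# the public address. What it configures:
#   * nat PREROUTING: TCP/80 that does NOT carry fwmark 0x8 is DNATed to this
#     gateway's own LAN address (LOCT) — the "not yet authorised" redirect.
#   * filter FORWARD: policy DROP, with holes for ESTABLISHED/RELATED, ICMP,
#     SSH, DNS, DHCP-client, RADIUS auth/acct, and anything to/from LOCT.
#   * nat POSTROUTING: every network routed via eth0 is SNATed to MYIP.
# INPUT and OUTPUT chains are not touched here.
#
# Requires root and /sbin/ifconfig, /sbin/ip, /sbin/iptables.
# Addresses are discovered from the running system and validated before any
# rule is touched; on any failure the script exits non-zero with FORWARD
# already at DROP, so a partial run fails closed rather than open.

set -eu

IFCONFIG=/sbin/ifconfig
IP=/sbin/ip
IPTABLES=/sbin/iptables

# LAN-facing and public-facing interfaces.
LAN_IF=eth0
WAN_IF=eth1

# die MESSAGE...: print MESSAGE to stderr and exit 1.
die() {
  printf '%s\n' "$*" >&2
  exit 1
}

# require_exec PATH: abort unless PATH is an executable file.
require_exec() {
  [ -x "$1" ] || die "$1 does not exist or is not executable."
}

# is_ipv4 VALUE: succeed only if VALUE is a dotted quad made of digits and
# exactly three dots (no range check on the octets). Pure shell, so it can
# be used before any external tool is trusted. Refusing empty or odd values
# here keeps them from ever being spliced into an iptables rule.
is_ipv4() {
  case $1 in
    ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;   # empty, non-digit, leading/trailing/double dot
    *.*.*.*.*) return 1 ;;                 # four or more dots
    *.*.*.*) return 0 ;;                   # exactly three dots
    *) return 1 ;;
  esac
}

# is_ipv4_net VALUE: like is_ipv4 but also accepts an "ADDR/PREFIX" form
# with a purely numeric prefix, which is what `ip route` prints for networks.
is_ipv4_net() {
  case $1 in
    */*)
      is_ipv4 "${1%%/*}" || return 1
      case "${1#*/}" in
        ''|*[!0-9]*) return 1 ;;
      esac
      ;;
    *)
      is_ipv4 "$1" || return 1
      ;;
  esac
  return 0
}

# iface_ipv4 IFACE: print the first IPv4 address ifconfig reports for IFACE,
# or nothing if it has none. Handles both the old net-tools line
# ("inet addr:A.B.C.D ...") and the newer one ("inet A.B.C.D ...").
iface_ipv4() {
  "$IFCONFIG" "$1" | awk '/inet / { sub(/^addr:/, "", $2); print $2; exit }'
}

# lan_networks: print, one per line, the destination of every IPv4 route
# whose "dev" is $LAN_IF. These are the source networks that get SNATed;
# anything else behind the gateway is NOT NATed. The default route is
# skipped because "default" is not a network and would break the SNAT rule.
lan_networks() {
  "$IP" route list | awk -v dev="$LAN_IF" '
    $1 == "default" { next }
    {
      for (i = 2; i < NF; i++) {
        if ($i == "dev" && $(i + 1) == dev) { print $1; break }
      }
    }'
}

main() {
  require_exec "$IFCONFIG"
  require_exec "$IP"
  require_exec "$IPTABLES"

  # LOCT: this gateway's own address on the LAN side. Unmarked HTTP is
  # redirected here and traffic to/from it is always forwarded.
  LOCT=$(iface_ipv4 "$LAN_IF")
  is_ipv4 "$LOCT" || die "could not determine the IPv4 address of $LAN_IF (got '$LOCT')."

  # MYIP: the public address that LAN traffic is SNATed to.
  MYIP=$(iface_ipv4 "$WAN_IF")
  is_ipv4 "$MYIP" || die "could not determine the IPv4 address of $WAN_IF (got '$MYIP')."

  # NAT: newline-separated list of networks routed via the LAN interface.
  # Validate every entry now so a surprising route cannot reach iptables.
  NAT=$(lan_networks)
  [ -n "$NAT" ] || die "no IPv4 networks are routed via $LAN_IF; nothing to NAT."
  # shellcheck disable=SC2086 -- NAT is intentionally split on newlines
  for net in $NAT; do
    is_ipv4_net "$net" || die "unexpected route destination '$net' on $LAN_IF."
  done

  # Fail closed: set the FORWARD policy to DROP *before* flushing so there is
  # no window in which the old rules are gone but forwarding is still open.
  "$IPTABLES" -P FORWARD DROP
  "$IPTABLES" -t filter -F
  "$IPTABLES" -t mangle -F
  "$IPTABLES" -t nat -F
  "$IPTABLES" -t raw -F

  "$IPTABLES" -t mangle -P PREROUTING ACCEPT
  "$IPTABLES" -t nat -P PREROUTING ACCEPT
  # Captive-portal redirect: HTTP without fwmark 0x8 goes to the local portal.
  # Whatever sets the mark (not part of this script) is what "authorises".
  "$IPTABLES" -t nat -A PREROUTING -p tcp --dport 80 -m mark ! --mark 0x8 \
    -j DNAT --to-destination "$LOCT:80"

  # FORWARD holes. ESTABLISHED,RELATED already covers replies, so the --sport
  # rules below mainly serve new connections whose *source* port happens to
  # be the service port; a client can choose that source port freely, so
  # they are a weaker match than the --dport ones. Kept as configured.
  "$IPTABLES" -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
  "$IPTABLES" -A FORWARD -p icmp -j ACCEPT
  "$IPTABLES" -A FORWARD -p tcp --dport 22 -j ACCEPT
  "$IPTABLES" -A FORWARD -p tcp --sport 22 -j ACCEPT
  # UDP services: 53 DNS, 68 DHCP client, 1812/1813 RADIUS auth/accounting.
  for port in 53 68 1812 1813; do
    "$IPTABLES" -A FORWARD -p udp --dport "$port" -j ACCEPT
    "$IPTABLES" -A FORWARD -p udp --sport "$port" -j ACCEPT
  done
  "$IPTABLES" -A FORWARD -s "$LOCT" -j ACCEPT
  "$IPTABLES" -A FORWARD -d "$LOCT" -j ACCEPT

  # SNAT each LAN network behind the public address.
  "$IPTABLES" -t nat -P POSTROUTING ACCEPT
  # shellcheck disable=SC2086 -- NAT is intentionally split on newlines
  for net in $NAT; do
    "$IPTABLES" -t nat -A POSTROUTING -s "$net" -j SNAT --to-source "$MYIP"
  done
}

main "$@"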