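#!/bin/bash
# Host firewall / NAT router rule set.
#
# Hardens a few IPv4 sysctls, then (further down) rebuilds the iptables
# filter and nat tables. Everything here writes to /proc/sys and to the
# netfilter tables, so it must run as root.
#
# Configuration (exported so a sourced or child script can reuse it):
#   EXTIF  external, untrusted interface
#   INIF   internal interface; leave empty to disable routing and NAT
#   INNET  comma-separated internal networks that get masqueraded
#   PORT   comma-separated TCP ports the internal networks may reach outside
EXTIF="eth0"
INIF="eth1"
INNET="10.10.10.0/24,10.10.20.0/24"
PORT="20,21,53,80,110"
export EXTIF INIF INNET PORT

# Without root every single step below fails on its own; stop early with one
# clear message instead. $EUID is a bash builtin, so this works before PATH
# is set later in the script.
if (( EUID != 0 )); then
  printf '%s: must be run as root\n' "${0##*/}" >&2
  exit 1
fi

#######################################
# Write one value into every given /proc/sys file.
# Arguments: $1    - value to write
#            $2... - sysctl files (a glob, already expanded by the caller)
# Outputs:   warning on stderr for a file that does not exist
# Returns:   0 (a missing knob is reported, not fatal, like the original echo)
#######################################
set_sysctl() {
  local value=$1
  shift
  local f
  for f in "$@"; do
    # An unmatched glob arrives as the literal pattern; skip it with a note.
    if [[ ! -e "$f" ]]; then
      printf 'warn: %s not present, skipped\n' "$f" >&2
      continue
    fi
    printf '%s\n' "$value" > "$f"
  done
}

# SYN cookies against SYN floods; ignore broadcast echo requests (smurf).
set_sysctl 1 /proc/sys/net/ipv4/tcp_syncookies
set_sysctl 1 /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
# Reverse-path filtering drops packets whose source address is not routable
# back through the ingress interface (anti-spoofing); log the ones it drops.
set_sysctl 1 /proc/sys/net/ipv4/conf/*/rp_filter
set_sysctl 1 /proc/sys/net/ipv4/conf/*/log_martians
# Refuse source-routed packets and ICMP redirects in both directions so a
# neighbour cannot steer this host's routing decisions.
set_sysctl 0 /proc/sys/net/ipv4/conf/*/accept_source_route
set_sysctl 0 /proc/sys/net/ipv4/conf/*/accept_redirects
set_sysctl 0 /proc/sys/net/ipv4/conf/*/send_redirects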
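# Defaults: reset both the filter and the nat table (the original only
# flushed filter, so every re-run stacked another MASQUERADE rule), deny
# inbound and forwarded traffic unless explicitly allowed, allow outbound.
PATH=/sbin:/usr/sbin:/bin:/usr/bin; export PATH
for table in filter nat; do
  iptables -t "$table" -F
  iptables -t "$table" -X
  iptables -t "$table" -Z
done
iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT
iptables -P FORWARD DROP
iptables -A INPUT -i lo -j ACCEPT
# ESTABLISHED admits replies to connections this host opened; RELATED covers
# helper-tracked flows (ICMP errors, FTP data). With RELATED alone, as the
# original had it, return traffic of every outbound connection hit the
# DROP policy unless a per-port hole let it in.
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -m state --state INVALID -j DROP

# ICMP reply/error types forwarded to the internal hosts: echo reply (0),
# destination unreachable (3) incl. fragmentation needed (3/4), source
# quench (4), time exceeded (11), parameter problem (12), timestamp reply
# (14), information reply (16), address-mask reply (18).
AICMP=(0 3 3/4 4 11 12 14 16 18)
for tyicmp in "${AICMP[@]}"; do
  # Deliberately not accepted on INPUT: this host is not to be pingable.
  #   iptables -A INPUT -i "$EXTIF" -p icmp --icmp-type "$tyicmp" -j ACCEPT
  iptables -A FORWARD -i "$EXTIF" -p icmp --icmp-type "$tyicmp" -j ACCEPT
done

# SERVICES offered on the external interface.
# Replies to this host's own DNS queries are matched by ESTABLISHED above.
# The former unconditional "--sport 53 -j ACCEPT" rules are intentionally
# gone: they let any peer reach any local port just by sending from port 53.
iptables -A INPUT -p tcp -i "$EXTIF" --dport  22 -j ACCEPT   # SSH
iptables -A INPUT -p tcp -i "$EXTIF" --dport  25 -j ACCEPT   # SMTP
iptables -A INPUT -p tcp -i "$EXTIF" --dport  80 -j ACCEPT   # WWW
iptables -A INPUT -p tcp -i "$EXTIF" --dport 110 -j ACCEPT   # POP3
iptables -A INPUT -p tcp -i "$EXTIF" --dport 443 -j ACCEPT   # HTTPS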

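# ROUTER / NAT for the internal networks.
# INNET is comma-separated; split it once so every rule gets a single
# network instead of relying on the installed iptables expanding a comma
# list given to -s. An empty INNET yields an empty array and no rules
# (the original passed an empty -s and failed).
IFS=, read -r -a innets <<< "$INNET"

if [[ -n "$INIF" ]]; then
  # The internal side is trusted; enable routing between the interfaces.
  iptables -A INPUT -i "$INIF" -j ACCEPT
  printf '1\n' > /proc/sys/net/ipv4/ip_forward
  # Return traffic of connections opened from inside must also pass FORWARD:
  # its policy is DROP and the per-port rule below matches the outbound leg
  # only, so without this nothing ever came back through the NAT.
  iptables -A FORWARD -i "$EXTIF" -o "$INIF" -m state --state RELATED,ESTABLISHED -j ACCEPT
  for innet in "${innets[@]}"; do
    iptables -t nat -A POSTROUTING -s "$innet" -o "$EXTIF" -j MASQUERADE
  done
fi

# Outbound TCP from the internal networks, restricted to the listed ports.
# The multiport match names its option --dports; a bare --dport after
# "-p tcp" is the tcp match's option, which does not accept a comma list.
for innet in "${innets[@]}"; do
  iptables -A FORWARD -p tcp -s "$innet" -o "$EXTIF" -m multiport --dports "$PORT" -j ACCEPT
done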