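#!/bin/bash
# Slackware-style firewall script: "rules" (default) loads the ruleset,
# "flush" resets every table to ACCEPT. The script uses bash arrays
# (${IPADDR[0]}, ${NETMASK[1]}, ...) from /etc/rc.d/rc.inet1.conf, so it
# requires bash; the shebang says so explicitly instead of relying on
# /bin/sh happening to be bash.
# Path to the iptables binary used by every rule below.
readonly IPTABLES="/usr/sbin/iptables"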
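#######################################
# Load the netfilter modules and install the complete ruleset
# (filter + nat tables). Chains are created with -N and rules are
# appended, so this expects an empty ruleset: run "flush" first if a
# ruleset is already loaded, otherwise -N fails and every rule is
# duplicated.
# Globals:   IPTABLES (read); IPADDR[], NETMASK[], IFNAME[] are sourced
#            from /etc/rc.d/rc.inet1.conf (Slackware interface config)
# Outputs:   diagnostics to stderr
# Returns:   0 on success, 1 if the interface config is unreadable --
#            the default policies are already DROP at that point, so the
#            host fails closed instead of loading half-formed rules.
#######################################
rules() {
  local INET_IFACE="eth0"
  local LAN_IFACE="eth1"
  local LO_IFACE="lo"
  local LO_IP="127.0.0.1"
  # Public address the DNAT rules match on. "1.2.3.4" is a placeholder;
  # presumably it should equal ${IPADDR[0]} -- confirm before deploying.
  local myip="1.2.3.4"
  local INET_BROADCAST LAN_IP_RANGE
  local cfg="/etc/rc.d/rc.inet1.conf"

  /sbin/depmod -a
  /sbin/modprobe ip_tables
  /sbin/modprobe ip_conntrack
  /sbin/modprobe iptable_filter
  /sbin/modprobe iptable_mangle
  /sbin/modprobe iptable_nat
  /sbin/modprobe ipt_LOG
  /sbin/modprobe ipt_limit
  /sbin/modprobe ipt_state
  #/sbin/modprobe ipt_owner
  #/sbin/modprobe ipt_REJECT
  #/sbin/modprobe ipt_MASQUERADE
  #/sbin/modprobe ip_conntrack_ftp
  #/sbin/modprobe ip_conntrack_irc
  #/sbin/modprobe ip_nat_ftp
  #/sbin/modprobe ip_nat_irc

  # Default-deny first, before any rule is appended and before forwarding
  # is switched on, so there is no window in which ip_forward is on while
  # FORWARD still has an ACCEPT policy. ip_forward is enabled at the very
  # end of this function for the same reason.
  "$IPTABLES" -P INPUT DROP
  "$IPTABLES" -P OUTPUT DROP
  "$IPTABLES" -P FORWARD DROP

  # Without the interface config every address below would expand empty;
  # stop here with the DROP policies in place rather than load garbage.
  if [ ! -r "$cfg" ]; then
    printf 'rules: cannot read %s; default policies left at DROP\n' "$cfg" >&2
    return 1
  fi
  . "$cfg"
  # /bin/ipmask takes "<netmask> <address>"; going by the variable names,
  # its first output field is the broadcast address and the second the
  # network address.
  INET_BROADCAST=$(/bin/ipmask "${NETMASK[0]}" "${IPADDR[0]}" | cut -f1 -d' ')
  LAN_IP_RANGE=$(/bin/ipmask "${NETMASK[1]}" "${IPADDR[1]}" | cut -f2 -d' ')

  #echo "1" > /proc/sys/net/ipv4/conf/all/rp_filter   # reverse-path check; worth enabling on a router
  #echo "1" > /proc/sys/net/ipv4/conf/all/proxy_arp
  #echo "1" > /proc/sys/net/ipv4/ip_dynaddr

  "$IPTABLES" -N bad_tcp_packets
  "$IPTABLES" -N allowed
  "$IPTABLES" -N tcp_packets
  "$IPTABLES" -N udp_packets
  "$IPTABLES" -N icmp_packets

  # bad_tcp_packets: reset/drop TCP that claims a NEW connection without a
  # plain SYN (stray SYN,ACK gets a RST so the peer tears down; the rest is
  # logged then dropped).
  "$IPTABLES" -A bad_tcp_packets -p tcp --tcp-flags SYN,ACK SYN,ACK -m state --state NEW -j REJECT --reject-with tcp-reset
  "$IPTABLES" -A bad_tcp_packets -p tcp ! --syn -m state --state NEW -j LOG --log-prefix "New not syn:"
  "$IPTABLES" -A bad_tcp_packets -p tcp ! --syn -m state --state NEW -j DROP

  # allowed: accept the opening SYN and anything conntrack already knows.
  "$IPTABLES" -A allowed -p TCP --syn -j ACCEPT
  "$IPTABLES" -A allowed -p TCP -m state --state ESTABLISHED,RELATED -j ACCEPT
  "$IPTABLES" -A allowed -p TCP -j DROP

  # tcp_packets: inbound TCP services on the internet side. 4022 (SSH) and
  # 8989 (proxy) are reachable from any source (-s 0/0); 8887-8889 only
  # from 85.115.200.176/29.
  #$IPTABLES -A tcp_packets -p TCP -s 192.168.2.122/32 --dport 22 -j allowed # SSH
  "$IPTABLES" -A tcp_packets -p TCP -s 0/0 --dport 4022 -j allowed # SSH
  "$IPTABLES" -A tcp_packets -p TCP -s 85.115.200.176/29 --dport 8887 -j allowed
  "$IPTABLES" -A tcp_packets -p TCP -s 85.115.200.176/29 --dport 8888 -j allowed
  "$IPTABLES" -A tcp_packets -p TCP -s 85.115.200.176/29 --dport 8889 -j allowed
  "$IPTABLES" -A tcp_packets -p TCP -s 0/0 --dport 8989 -j allowed #proxy
  #$IPTABLES -A tcp_packets -p TCP -s 77.235.26.50/32 --dport 22 -j DROP # SSH

  # udp_packets: silently drop NetBIOS and DHCP broadcast noise from the
  # internet side so it does not reach the OUTPUT/INPUT log line.
  #$IPTABLES -A udp_packets -p UDP -s 0/0 --destination-port 53 -j ACCEPT
  "$IPTABLES" -A udp_packets -p UDP -i "${IFNAME[0]}" -d "$INET_BROADCAST" --destination-port 135:139 -j DROP
  "$IPTABLES" -A udp_packets -p UDP -i "${IFNAME[0]}" -d 255.255.255.255 --destination-port 67:68 -j DROP

  # icmp_packets: echo-request (8) and time-exceeded (11) only.
  "$IPTABLES" -A icmp_packets -p ICMP -s 0/0 --icmp-type 8 -j ACCEPT
  "$IPTABLES" -A icmp_packets -p ICMP -s 0/0 --icmp-type 11 -j ACCEPT

  # INPUT: LAN and loopback are trusted; internet-side traffic goes through
  # the per-protocol chains above.
  "$IPTABLES" -A INPUT -p tcp -j bad_tcp_packets
  "$IPTABLES" -A INPUT -p ALL -i "${IFNAME[1]}" -s "$LAN_IP_RANGE/${NETMASK[1]}" -j ACCEPT
  "$IPTABLES" -A INPUT -p ALL -i "$LO_IFACE" -s "$LO_IP" -j ACCEPT
  "$IPTABLES" -A INPUT -p ALL -i "$LO_IFACE" -s "${IPADDR[1]}" -j ACCEPT
  "$IPTABLES" -A INPUT -p ALL -i "$LO_IFACE" -s "${IPADDR[0]}" -j ACCEPT
  #$IPTABLES -A INPUT -p ALL -i $LO_IFACE -s $VPN_IP -j ACCEPT
  "$IPTABLES" -A INPUT -p UDP -i "${IFNAME[1]}" --dport 67 --sport 68 -j ACCEPT
  "$IPTABLES" -A INPUT -p ALL -d "${IPADDR[0]}" -m state --state ESTABLISHED,RELATED -j ACCEPT
  "$IPTABLES" -A INPUT -p TCP -i "${IFNAME[0]}" -j tcp_packets
  "$IPTABLES" -A INPUT -p UDP -i "${IFNAME[0]}" -j udp_packets
  "$IPTABLES" -A INPUT -p ICMP -i "${IFNAME[0]}" -j icmp_packets
  #$IPTABLES -A INPUT -p ALL -d $VPN_IP -m state --state ESTABLISHED,RELATED -j ACCEPT
  #$IPTABLES -A INPUT -p ALL -d $TUN_IP -m state --state ESTABLISHED,RELATED -j ACCEPT
  #$IPTABLES -A INPUT -i ${IFNAME[0]} -d 224.0.0.0/8 -j DROP
  #$IPTABLES -A INPUT -m limit --limit 3/minute --limit-burst 3 -j LOG --log-level DEBUG --log-prefix "IPT INPUT packet died: "

  # FORWARD: keep NetBIOS off the internet link, then allow LAN-originated
  # traffic and replies. The 4899 rule is not bound to an interface or
  # source; inbound 4899 from the internet only exists after one of the
  # source-restricted DNATs below has rewritten it.
  "$IPTABLES" -A FORWARD -p tcp --sport 137:139 -o eth0 -j DROP
  "$IPTABLES" -A FORWARD -p udp --sport 137:139 -o eth0 -j DROP
  "$IPTABLES" -A FORWARD -p tcp -j bad_tcp_packets
  "$IPTABLES" -A FORWARD -p tcp --dport 4899 -j ACCEPT
  #$IPTABLES -A FORWARD -p tcp --dport 6129 -j ACCEPT
  "$IPTABLES" -A FORWARD -i "${IFNAME[1]}" -j ACCEPT
  "$IPTABLES" -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
  #$IPTABLES -A FORWARD -m limit --limit 3/minute --limit-burst 3 -j LOG --log-level DEBUG --log-prefix "IPT FORWARD packet died: "

  # OUTPUT: anything from our own addresses is fine; the rest is rate-
  # limited to the log before the DROP policy eats it.
  "$IPTABLES" -A OUTPUT -p tcp --sport 137:139 -o eth0 -j DROP
  "$IPTABLES" -A OUTPUT -p udp --sport 137:139 -o eth0 -j DROP
  "$IPTABLES" -A OUTPUT -p tcp -j bad_tcp_packets
  "$IPTABLES" -A OUTPUT -p ALL -s "$LO_IP" -j ACCEPT
  "$IPTABLES" -A OUTPUT -p ALL -s "${IPADDR[1]}" -j ACCEPT
  "$IPTABLES" -A OUTPUT -p ALL -s "${IPADDR[0]}" -j ACCEPT
  #$IPTABLES -A OUTPUT -p ALL -s $VPN_IP -j ACCEPT
  #$IPTABLES -A OUTPUT -p ALL -s $TUN_IP -j ACCEPT
  "$IPTABLES" -A OUTPUT -m limit --limit 3/minute --limit-burst 3 -j LOG --log-level DEBUG --log-prefix "IPT OUTPUT packet died: "

  #########################################################################################################################################
  ########################################################### REMOTE RADMIN ####################################################
  # Port-forwards to Radmin (4899) on two LAN hosts, each restricted to a
  # source range. iptables -s does not accept wildcards ("92.245.*.*"
  # fails host/network lookup and the rule is never installed), so the
  # two-octet wildcards are written as the /16 they denote.
  "$IPTABLES" -t nat -A PREROUTING -i "$INET_IFACE" -s 92.245.0.0/16 -d "$myip" -p tcp --dport 22233 -j DNAT --to-destination 192.168.2.129:4899
  "$IPTABLES" -t nat -A PREROUTING -i "$INET_IFACE" -s 217.29.0.0/16 -d "$myip" -p tcp --dport 22222 -j DNAT --to-destination 192.168.2.129:4899
  "$IPTABLES" -t nat -A PREROUTING -i "$INET_IFACE" -s 92.245.0.0/16 -d "$myip" -p tcp --dport 33333 -j DNAT --to-destination 192.168.2.122:4899
  "$IPTABLES" -t nat -A PREROUTING -i "$INET_IFACE" -s 194.152.0.0/16 -d "$myip" -p tcp --dport 55555 -j DNAT --to-destination 192.168.2.129:4899
  "$IPTABLES" -t nat -A PREROUTING -i "$INET_IFACE" -s 85.115.0.0/16 -d "$myip" -p tcp --dport 44444 -j DNAT --to-destination 192.168.2.129:4899
  "$IPTABLES" -t nat -A PREROUTING -i "$INET_IFACE" -s 77.235.0.0/16 -d "$myip" -p tcp --dport 44441 -j DNAT --to-destination 192.168.2.122:4899
  "$IPTABLES" -t nat -A PREROUTING -i "$INET_IFACE" -s 92.245.0.0/16 -d "$myip" -p tcp --dport 22255 -j DNAT --to-destination 192.168.2.122:4899
  "$IPTABLES" -t nat -A PREROUTING -i "$INET_IFACE" -s 77.235.0.0/16 -d "$myip" -p tcp --dport 44442 -j DNAT --to-destination 192.168.2.129:4899
  "$IPTABLES" -t nat -A PREROUTING -i "$INET_IFACE" -s 212.97.0.0/19 -d "$myip" -p tcp --dport 33355 -j DNAT --to-destination 192.168.2.122:4899
  "$IPTABLES" -t nat -A PREROUTING -i "$INET_IFACE" -s 212.97.0.0/19 -d "$myip" -p tcp --dport 33356 -j DNAT --to-destination 192.168.2.129:4899

  # These two repeat the ESTABLISHED,RELATED and LAN-in ACCEPTs already in
  # FORWARD (if ${IFNAME[1]} is eth1 they are exact duplicates); kept for
  # compatibility, harmless because the earlier rules match first.
  "$IPTABLES" -A FORWARD -i "$INET_IFACE" -m state --state ESTABLISHED,RELATED -j ACCEPT
  "$IPTABLES" -A FORWARD -i "$LAN_IFACE" -j ACCEPT

  # MSS clamping for the PPPoE/tunnel case, then source-NAT the LAN behind
  # the public address for everything not addressed to the LAN gateway
  # itself. "! -d" is the current negation syntax; "-d ! addr" is the
  # pre-1.4.3 form that newer iptables rejects.
  "$IPTABLES" -t nat -A POSTROUTING -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
  #$IPTABLES -t nat -A POSTROUTING -m mark --mark 1 -j SNAT --to-source ${IPADDR[0]}
  #$IPTABLES -t nat -A POSTROUTING -m mark --mark 2 -j SNAT --to-source $VPN_IP
  "$IPTABLES" -t nat -A POSTROUTING -s "$LAN_IP_RANGE/${NETMASK[1]}" ! -d "${IPADDR[1]}" -j SNAT --to-source "${IPADDR[0]}"

  # Only now, with the full ruleset and DROP policies in place, allow the
  # kernel to forward at all.
  echo "1" > /proc/sys/net/ipv4/ip_forward
}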
#######################################
# Reset the firewall to a fully open state: every built-in chain in the
# filter, nat and mangle tables gets an ACCEPT policy, all rules are
# flushed and all user-defined chains are deleted.
# Globals:   IPTABLES (read)
# Returns:   status of the last iptables call
#######################################
flush() {
  local chain table
  for chain in INPUT FORWARD OUTPUT; do
    "$IPTABLES" -P "$chain" ACCEPT
  done
  for chain in PREROUTING POSTROUTING OUTPUT; do
    "$IPTABLES" -t nat -P "$chain" ACCEPT
  done
  for chain in PREROUTING POSTROUTING INPUT OUTPUT FORWARD; do
    "$IPTABLES" -t mangle -P "$chain" ACCEPT
  done
  # Flush every table before deleting chains: -X refuses to remove a chain
  # that is still referenced by a rule.
  for table in filter nat mangle; do
    "$IPTABLES" -t "$table" -F
  done
  for table in filter nat mangle; do
    "$IPTABLES" -t "$table" -X
  done
}
# Entry point: "flush" opens everything up; any other argument, or none,
# installs the ruleset.
if [ "$1" = 'flush' ]; then
  flush
else
  rules
fi