Red Hat Linux iptables实现NAT firewall

今天早上早早起来更新了我的Blog,把以前写的这个脚本放了上来,要去上班了,脚本的详细解释以后有时间的时候再说吧:)

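#!/bin/bash
#
# Red Hat Linux iptables NAT firewall.
#
# Topology: $INET_IFACE faces the Internet with the public address $INET_IP;
# $LAN_IFACE faces the $LAN_IP_RANGE LAN.  In order, the script
#   1. enables IPv4 forwarding and loads the NAT/LOG kernel modules;
#   2. resets every table to ACCEPT policies and flushes all chains;
#   3. protects the firewall host itself (INPUT): stateful replies, ICMP from
#      the LAN, answers from the configured DNS servers and new SSH sessions
#      are accepted; every other NEW or INVALID packet that did not arrive on
#      loopback is dropped through the LOGDENY chain;
#   4. hides the LAN behind $INET_IP (SNAT) and publishes HTTP, BQQ and
#      Remote Desktop from $INET_IP to LAN hosts (DNAT), with a hairpin SNAT
#      so LAN clients can reach those services through $INET_IP as well;
#   5. drops MSN and QQ traffic in FORWARD for every LAN host except the one
#      whose MAC address is $IM_ALLOWED_MAC.
#
# FORWARD keeps its ACCEPT policy, so LAN hosts may reach anything that step 5
# does not explicitly drop.  Must run as root; re-running is safe because
# step 2 flushes everything first.

set -u

# ----------------------------------------------------------------------------
# Site configuration
# ----------------------------------------------------------------------------

INET_IFACE="eth0"
# Placeholder, not a valid IPv4 address: replace with the real public address.
INET_IP="111.222.333.444"

LAN_IFACE="eth1"
LAN_IP="192.168.0.1"
LAN_IP_RANGE="192.168.0.0/24"

IPT="/sbin/iptables"

# LAN hosts that are published to the Internet through DNAT.
WWW_IP_RANGE="192.168.0.3"
BQQ_SERVER_IP="192.168.0.3"
HTTP="80"
SSH="22"
BQQ="8000 8010 8002 8003 8102"
REMOTE_DESKTOP_WINDOWS="192.168.0.3"
REMOTE_DESKTOP_PORT="3389"

# The one LAN host (by MAC address) that is still allowed to use MSN and QQ.
IM_ALLOWED_MAC="aa:bb:cc:dd:ee:ff"

# MSN: the messenger gateway host and the MSNP port.
MSN_GATEWAY="gateway.messenger.hotmail.com"
MSN_PORT="1863"

# QQ server destinations, grouped by the protocol/port the rule matches.
# Host names are resolved by iptables when the script runs, so the rules for
# them fail to load if DNS is unavailable at that moment.
QQ_TCP_WEB="tcpconn.tencent.com tcpconn4.tencent.com 218.18.95.166 218.18.95.135 218.18.95.236"
QQ_TCP_HTTPS_ONLY="218.18.95.165"
QQ_TCP_ANY_PORT="tcpconn2.tencent.com"
QQ_TCP_8000="218.18.95.135"
QQ_UDP_8000="61.141.194.233 61.141.194.231 61.141.194.204 61.141.194.223
  61.141.238.150 61.144.238.150 61.141.194.224 61.144.238.151 61.141.194.200
  61.144.238.156 sz2.tencent.com sz4.tencent.com 202.104.129.253 202.96.170.163
  sz5.tencent.com sz.tencent.com sz3.tencent.com 202.104.129.252 218.18.95.236
  202.104.129.254"
# Dropped regardless of protocol or port.
QQ_ALL_TRAFFIC="202.96.170.164 202.96.170.165 202.96.170.175 202.96.170.188
  61.135.131.240 61.141.194.203 61.141.194.231 61.141.194.224 218.18.95.165
  219.133.40.15 61.144.238.137 61.144.238.145 61.144.238.146 61.144.238.150
  61.144.238.151 202.104.129.254 202.104.129.252 202.104.129.253 202.104.129.251
  202.104.129.242 202.104.129.246 202.103.190.61 202.103.149.40 218.18.95.140
  218.18.95.153 218.17.209.23 218.17.217.103 218.17.209.42 218.18.95.166"
# QQ destinations the allowed MAC may still reach.
QQ_ALLOWED_FOR_MAC="218.17.209.23 218.18.95.166"

# ----------------------------------------------------------------------------
# Helpers
# ----------------------------------------------------------------------------

#######################################
# Print a message to stderr and exit with status 1.
# Arguments: the message words
#######################################
die() {
  printf '%s\n' "$*" >&2
  exit 1
}

#######################################
# Append one FORWARD rule per destination in a whitespace-separated list.
# Arguments: $1 - list of destination hosts/addresses
#            $2 - target (ACCEPT or DROP)
#            remaining - extra match arguments placed before -d
#######################################
forward_each() {
  local dests=$1 target=$2 dest
  shift 2
  # shellcheck disable=SC2086 -- $dests is a deliberate word list
  for dest in $dests; do
    "$IPT" -A FORWARD "$@" -d "$dest" -j "$target"
  done
}

#######################################
# Step 1: IPv4 forwarding and the connection-tracking helper modules.
#######################################
setup_kernel() {
  echo "1" > /proc/sys/net/ipv4/ip_forward
  /sbin/depmod -a
  # Module names are the 2.4/2.6-era ones; the core iptables/nat modules are
  # not loaded here (the original left them commented out, presumably
  # because iptables loads them on demand).
  /sbin/modprobe ip_nat_ftp   # FTP NAT helper, needed for LAN FTP clients behind SNAT
  /sbin/modprobe ipt_LOG      # only used if the LOG rule in LOGDENY is enabled
}

#######################################
# Step 2: ACCEPT policies on every built-in chain, then flush all tables and
# delete user-defined chains so the script can be re-run cleanly.  A
# default-DROP policy was never enabled; INPUT relies on the LOGDENY
# catch-all rule instead.
#######################################
reset_tables() {
  local chain table
  for chain in INPUT FORWARD OUTPUT; do
    "$IPT" -P "$chain" ACCEPT
  done
  for chain in PREROUTING POSTROUTING OUTPUT; do
    "$IPT" -t nat -P "$chain" ACCEPT
  done
  for table in filter nat mangle; do
    "$IPT" -t "$table" -F
    "$IPT" -t "$table" -X
  done
}

#######################################
# Step 3: traffic addressed to the firewall host itself (INPUT).
# Reads /etc/resolv.conf for the nameserver addresses.
#######################################
protect_host() {
  local dns

  "$IPT" -A INPUT -i "$LAN_IFACE" -p icmp -j ACCEPT

  # Replies to connections the firewall started.  This already covers the
  # answers from HTTP/BQQ/RDP servers: the earlier "--sport 80/8000/3389
  # -j ACCEPT" rules let any outside host open a NEW connection just by
  # choosing that source port, so they have been removed.
  "$IPT" -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

  # UDP DNS answers from the configured resolvers only.
  for dns in $(awk '/^nameserver/ { print $2 }' /etc/resolv.conf); do
    "$IPT" -A INPUT -p udp -s "$dns" --sport domain -j ACCEPT
  done

  # New SSH sessions from either side.  SSH is TCP only, so the UDP/22
  # rules of the original are not reproduced.
  "$IPT" -A INPUT -i "$INET_IFACE" -p tcp --dport "$SSH" -m state --state NEW -j ACCEPT
  "$IPT" -A INPUT -i "$LAN_IFACE" -p tcp --dport "$SSH" -m state --state NEW -j ACCEPT

  # Catch-all: drop (optionally log) every other new or invalid packet that
  # did not arrive on loopback.  "-i ! lo" is the legacy spelling; iptables
  # 1.4.3 and later expect "! -i lo".
  "$IPT" -N LOGDENY
  #"$IPT" -A LOGDENY -j LOG --log-prefix "iptables:"
  "$IPT" -A LOGDENY -j DROP
  "$IPT" -A INPUT -i ! lo -m state --state NEW,INVALID -j LOGDENY
}

#######################################
# Step 4: SNAT the LAN behind the public address, DNAT the published services
# to LAN hosts, and hairpin-SNAT them so LAN clients can use the public
# address too.
#######################################
setup_nat() {
  local port

  # Static public address -> SNAT.  With a dynamic address (e.g. ppp0) use
  # "-j MASQUERADE" here instead.
  "$IPT" -t nat -A POSTROUTING -o "$INET_IFACE" -j SNAT --to-source "$INET_IP"

  # Web server.
  "$IPT" -t nat -A PREROUTING -p tcp -d "$INET_IP" --dport "$HTTP" \
    -j DNAT --to-destination "$WWW_IP_RANGE:$HTTP"
  "$IPT" -t nat -A POSTROUTING -s "$LAN_IP_RANGE" -d "$WWW_IP_RANGE" -p tcp --dport "$HTTP" \
    -j SNAT --to-source "$LAN_IP"

  # BQQ server, TCP and UDP on every port in $BQQ.
  for port in $BQQ; do
    "$IPT" -t nat -A PREROUTING -p tcp -d "$INET_IP" --dport "$port" \
      -j DNAT --to-destination "$BQQ_SERVER_IP:$port"
    "$IPT" -t nat -A PREROUTING -p udp -d "$INET_IP" --dport "$port" \
      -j DNAT --to-destination "$BQQ_SERVER_IP:$port"
    "$IPT" -t nat -A POSTROUTING -s "$LAN_IP_RANGE" -d "$BQQ_SERVER_IP" -p tcp --dport "$port" \
      -j SNAT --to-source "$LAN_IP"
    "$IPT" -t nat -A POSTROUTING -s "$LAN_IP_RANGE" -d "$BQQ_SERVER_IP" -p udp --dport "$port" \
      -j SNAT --to-source "$LAN_IP"
  done

  # Windows Remote Desktop (the original had no hairpin SNAT for it; kept so).
  "$IPT" -t nat -A PREROUTING -p tcp -d "$INET_IP" --dport "$REMOTE_DESKTOP_PORT" \
    -j DNAT --to-destination "$REMOTE_DESKTOP_WINDOWS:$REMOTE_DESKTOP_PORT"
  "$IPT" -t nat -A PREROUTING -p udp -d "$INET_IP" --dport "$REMOTE_DESKTOP_PORT" \
    -j DNAT --to-destination "$REMOTE_DESKTOP_WINDOWS:$REMOTE_DESKTOP_PORT"

  # FTP on 192.168.0.3, disabled:
  #"$IPT" -t nat -A PREROUTING -p tcp -d "$INET_IP" --dport 21 -j DNAT --to-destination 192.168.0.3:21
}

#######################################
# Step 5: block MSN and QQ in FORWARD, except for $IM_ALLOWED_MAC.  The ACCEPT
# exceptions are appended first so they are evaluated before the DROPs (the
# original reached the same order by inserting them with -I).
#######################################
block_im() {
  # Exceptions for the allowed host.
  "$IPT" -A FORWARD -m mac --mac-source "$IM_ALLOWED_MAC" -d "$MSN_GATEWAY" -j ACCEPT
  "$IPT" -A FORWARD -m mac --mac-source "$IM_ALLOWED_MAC" -p tcp --dport "$MSN_PORT" -j ACCEPT
  forward_each "$QQ_ALLOWED_FOR_MAC" ACCEPT -m mac --mac-source "$IM_ALLOWED_MAC"

  # MSN.
  "$IPT" -A FORWARD -d "$MSN_GATEWAY" -j DROP
  "$IPT" -A FORWARD -p tcp --dport "$MSN_PORT" -j DROP

  # QQ.
  forward_each "$QQ_TCP_WEB" DROP -p tcp --dport 80
  forward_each "$QQ_TCP_WEB" DROP -p tcp --dport 443
  forward_each "$QQ_TCP_HTTPS_ONLY" DROP -p tcp --dport 443
  forward_each "$QQ_TCP_ANY_PORT" DROP -p tcp
  forward_each "$QQ_TCP_8000" DROP -p tcp --dport 8000
  forward_each "$QQ_UDP_8000" DROP -p udp --dport 8000
  forward_each "$QQ_ALL_TRAFFIC" DROP
  # NOTE(review): this drops every forwarded UDP/8000 packet arriving from
  # the Internet, which includes the BQQ UDP/8000 traffic that setup_nat
  # DNATs to $BQQ_SERVER_IP.  Kept from the original; confirm which of the
  # two is intended.
  "$IPT" -A FORWARD -i "$INET_IFACE" -p udp --dport 8000 -j DROP
}

#######################################
# Entry point: sanity checks, then the five steps in order.
#######################################
main() {
  [ "$(id -u)" -eq 0 ] || die "this script must run as root"
  [ -x "$IPT" ] || die "$IPT is not executable"
  setup_kernel
  reset_tables
  protect_host
  setup_nat
  block_im
}

main "$@"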
