


[root@localhost ~]# vi /usr/local/bin/firewall.sh
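#!/bin/bash
# firewall.sh - NAT gateway setup.
#
# Masquerades the internal network behind the WAN interface and forwards
# inbound TCP/3389 arriving on the WAN interface to one internal host.
# Must run as root and be executable, since rc.local invokes it by path at
# boot. Every chain this script populates is flushed first, so it can be
# re-run (e.g. after editing) without stacking duplicate rules.
#
# Tunables (environment overrides, defaults match the original deployment):
#   WAN_IF   - external, Internet-facing interface
#   LAN_NET  - internal network that is masqueraded / allowed to forward
#   RDP_HOST - internal host that receives the forwarded port
#   RDP_PORT - TCP port forwarded from WAN_IF to RDP_HOST
wan_if=${WAN_IF:-eth1}
lan_net=${LAN_NET:-192.168.168.0/24}
rdp_host=${RDP_HOST:-192.168.168.23}
rdp_port=${RDP_PORT:-3389}

# Routing between interfaces is off by default; FORWARD/NAT rules do
# nothing until it is enabled.
echo 1 > /proc/sys/net/ipv4/ip_forward

# Netfilter modules used by the rules below. The ip_conntrack* names are the
# legacy ones; on kernels where they were renamed (nf_conntrack*) modprobe
# prints an error for the missing module, and because the script does not
# use `set -e` it simply continues to the next line.
for mod in ip_tables iptable_filter iptable_nat ip_conntrack ip_conntrack_ftp ip_nat_ftp; do
  modprobe "$mod"
done

# Start from a clean slate in every chain populated below. The nat
# PREROUTING chain is flushed as well: without that, each re-run appends
# another copy of the DNAT rule. The INPUT policy is not changed here, only
# its rules are flushed.
iptables -F INPUT
iptables -F FORWARD
iptables -t nat -F PREROUTING
iptables -t nat -F POSTROUTING

# Default-deny forwarding; only the ACCEPT rules below open a path.
iptables -P FORWARD DROP

# Outbound: hide the LAN behind the WAN address and let reply traffic back in.
iptables -t nat -A POSTROUTING -o "$wan_if" -s "$lan_net" -j MASQUERADE
iptables -A FORWARD -i "$wan_if" -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -s "$lan_net" -j ACCEPT

# Inbound: WAN_IF is the external interface; TCP/3389 is rewritten to the
# internal host and the matching FORWARD path is opened. Both rules match any
# source address; when the set of clients is known, add `-s <cidr>` to both
# so the forwarded port is only reachable from those addresses.
iptables -t nat -A PREROUTING -i "$wan_if" -p tcp --dport "$rdp_port" \
  -j DNAT --to "$rdp_host:$rdp_port"
iptables -A FORWARD -i "$wan_if" -p tcp --dport "$rdp_port" -d "$rdp_host" -j ACCEPT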

[root@localhost ~]# echo "/usr/local/bin/firewall.sh" >> /etc/rc.local

posted on 2010-05-25 17:32  coffee  阅读(1396)  评论(0)