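#!/bin/sh
# Gateway firewall / NAT ruleset.
#
#   * INPUT is default-DROP; the gateway's own services are opened per port.
#   * Traffic leaving through the uplink (ppp0) is masqueraded.
#   * A few ports on the public address are DNATed to internal hosts.
#
# Deliberately NOT `set -e`: the INPUT policy is already DROP while the rules
# are being added, so aborting half-way would leave the box with no ACCEPT
# rules and lock out remote administration. Watch stderr when (re)loading.
set -u

# Turn on IP forwarding in the kernel; without it FORWARD/NAT do nothing.
echo "1" > /proc/sys/net/ipv4/ip_forward

# --- Addresses and interfaces -------------------------------------------------
IPTABLES=/sbin/iptables
lan_net=192.168.0.0/24     # wired LAN behind this gateway
vpn_net=192.168.128.0/24   # OpenVPN client pool
gate=192.168.0.200         # this gateway's LAN address
outer=83.219.159.206       # this gateway's public address
az=83.219.150.29           # admin host (SSH, Nagios)
web=192.168.0.101          # internal web host ("101")
macmini=192.168.0.38       # Mac mini: PPTP / ARD / VNC forward target
ext_if=ppp0                # uplink; inferred from the MASQUERADE rule below
banned=94.103.229.76       # "Borman ban"

# --- Start from a clean slate ---------------------------------------------------
"$IPTABLES" -F
"$IPTABLES" -X
"$IPTABLES" -t nat -F
"$IPTABLES" -t nat -X
"$IPTABLES" -t mangle -F
"$IPTABLES" -t mangle -X

# --- Default policies -----------------------------------------------------------
"$IPTABLES" -P INPUT DROP
"$IPTABLES" -P OUTPUT ACCEPT
# NOTE(review): FORWARD stays ACCEPT as in the original, so with ip_forward=1
# anything the uplink delivers for 192.168.0.0/24 is routed into the LAN.
# A default-DROP FORWARD with explicit LAN->uplink, ESTABLISHED,RELATED and
# DNAT-target accepts would be safer; left alone because the LAN interface
# name and the PPTP/GRE forwarding path are not visible from this script.
"$IPTABLES" -P FORWARD ACCEPT

# --- INPUT: early, unconditional rules -------------------------------------------
# Loopback first: the original had it after the SSH REJECT, so ssh to
# 127.0.0.1 was refused and local services on unlisted ports were dropped.
"$IPTABLES" -A INPUT -i lo -j ACCEPT
# Drop packets conntrack cannot classify (malformed, out-of-window).
"$IPTABLES" -A INPUT -m state --state INVALID -j DROP
# Anti-spoofing: private source addresses never legitimately arrive on the
# uplink. Without this, the `-s $lan_net` accepts below are reachable from
# the Internet by anyone who forges a LAN source address.
"$IPTABLES" -A INPUT -i "$ext_if" -s "$lan_net" -j DROP
"$IPTABLES" -A INPUT -i "$ext_if" -s "$vpn_net" -j DROP
# Ban before any ACCEPT; the original appended it after the service rules,
# so the banned host could still reach every open port.
"$IPTABLES" -A INPUT -s "$banned" -j REJECT
# Replies to connections conntrack already knows about.
"$IPTABLES" -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# Anything from the LAN addressed to the gateway itself.
"$IPTABLES" -A INPUT -s "$lan_net" -d "$gate" -j ACCEPT

# --- INPUT: SSH -------------------------------------------------------------------
# Log only new connection attempts, rate-limited so a scanner cannot fill
# the log (the original logged every matching packet without a limit).
"$IPTABLES" -A INPUT -p tcp --dport 22 -m state --state NEW \
  -m limit --limit 5/min --limit-burst 10 \
  -j LOG --log-prefix "SSH connection attempt: " --log-level debug
"$IPTABLES" -A INPUT -p tcp --dport 22 -s "$az" -j ACCEPT
"$IPTABLES" -A INPUT -p tcp --dport 22 -s "$lan_net" -j ACCEPT
"$IPTABLES" -A INPUT -p tcp --dport 22 -s 192.168.128.6 -j ACCEPT
"$IPTABLES" -A INPUT -p tcp --dport 22 -j REJECT

# --- INPUT: services on the gateway itself -------------------------------------
# The udp/25 and udp/110 rules of the original were dropped: SMTP and POP3
# are TCP-only, so those rules opened nothing useful.
"$IPTABLES" -A INPUT -p tcp --dport 25 -j ACCEPT                 # SMTP
"$IPTABLES" -A INPUT -p tcp -s "$lan_net" --dport 53 -j ACCEPT   # DNS, LAN only
"$IPTABLES" -A INPUT -p udp -s "$lan_net" --dport 53 -j ACCEPT   # DNS, LAN only
"$IPTABLES" -A INPUT -p udp -s "$lan_net" --dport 67 -j ACCEPT   # dhcpd
"$IPTABLES" -A INPUT -p udp -d "$outer" --dport 67 -j ACCEPT     # dhcpd
"$IPTABLES" -A INPUT -p tcp --dport 80 -j ACCEPT                 # http
"$IPTABLES" -A INPUT -p tcp --dport 110 -j ACCEPT                # POP3
"$IPTABLES" -A INPUT -p tcp --dport 443 -j ACCEPT                # https
"$IPTABLES" -A INPUT -p tcp --dport 465 -j ACCEPT                # SMTP over TLS (by port)
"$IPTABLES" -A INPUT -p tcp --dport 587 -j ACCEPT                # SMTP submission (by port)
"$IPTABLES" -A INPUT -p tcp --dport 995 -j ACCEPT                # POP3 over TLS (by port)
"$IPTABLES" -A INPUT -p udp --dport 1194 -j ACCEPT               # OpenVPN
"$IPTABLES" -A INPUT -p tcp --dport 1723 -j ACCEPT               # Mac mini PPTP
"$IPTABLES" -A INPUT -p tcp --dport 5222 -j ACCEPT               # Jabber
"$IPTABLES" -A INPUT -p tcp --dport 5223 -j ACCEPT               # Jabber
"$IPTABLES" -A INPUT -p tcp --dport 5269 -j ACCEPT               # Jabber
"$IPTABLES" -A INPUT -p tcp --dport 5280 -j ACCEPT               # Jabber
# PostgreSQL: the original accepted 5432 from anywhere, exposing the database
# to the Internet. Restrict to the LAN, the VPN pool and the admin host; add
# a source here only if an external client genuinely needs it.
"$IPTABLES" -A INPUT -p tcp -s "$lan_net" --dport 5432 -j ACCEPT
"$IPTABLES" -A INPUT -p tcp -s "$vpn_net" --dport 5432 -j ACCEPT
"$IPTABLES" -A INPUT -p tcp -s "$az" --dport 5432 -j ACCEPT
# Mac mini remote management and the "101" host (these ports are also DNATed
# below). NOTE(review): VNC (5900) and ARD (3283) are reachable from any
# source address here and in the DNAT rules; consider adding `-s` limits
# (admin host / VPN pool) as done for PostgreSQL.
"$IPTABLES" -A INPUT -p tcp --dport 3283 -j ACCEPT               # remote macmini
"$IPTABLES" -A INPUT -p tcp --dport 5900 -j ACCEPT               # remote macmini
"$IPTABLES" -A INPUT -p tcp --dport 8080 -j ACCEPT               # innotech 101
"$IPTABLES" -A INPUT -p tcp --dport 10022 -j ACCEPT              # 101 ssh
"$IPTABLES" -A INPUT -p tcp -s "$az" --dport 10080 -j ACCEPT     # Nagios remote
# Everything arriving on VPN tap interfaces, and all ICMP.
"$IPTABLES" -A INPUT -i tap+ -j ACCEPT
"$IPTABLES" -A INPUT -p icmp -j ACCEPT

# --- FORWARD -------------------------------------------------------------------
# PMTU black-hole workaround: clamp MSS on forwarded SYNs. TCPMSS is a
# non-terminating target, so its position relative to the accepts is irrelevant.
"$IPTABLES" -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
# Same anti-spoofing as INPUT, for routed traffic.
"$IPTABLES" -A FORWARD -i "$ext_if" -s "$lan_net" -j DROP
"$IPTABLES" -A FORWARD -i "$ext_if" -s "$vpn_net" -j DROP
"$IPTABLES" -A FORWARD -i tap+ -j ACCEPT

# --- NAT -----------------------------------------------------------------------
# Masquerade everything leaving through the uplink.
"$IPTABLES" -t nat -A POSTROUTING -o "$ext_if" -j MASQUERADE
# Port forwards from the public address to internal hosts (open to any source).
#"$IPTABLES" -t nat -A PREROUTING -p tcp -d "$outer" --dport 5432 -j DNAT --to-destination "$web"
"$IPTABLES" -t nat -A PREROUTING -p tcp -d "$outer" --dport 8080 -j DNAT --to-destination "$web"
# NOTE(review): PPTP authenticates with MS-CHAPv2, which is widely regarded as
# broken; OpenVPN (udp/1194) is already available on this box.
"$IPTABLES" -t nat -A PREROUTING -p tcp -d "$outer" --dport 1723 -j DNAT --to-destination "$macmini"
"$IPTABLES" -t nat -A PREROUTING -p tcp -d "$outer" --dport 3283 -j DNAT --to-destination "$macmini"
"$IPTABLES" -t nat -A PREROUTING -p tcp -d "$outer" --dport 5900 -j DNAT --to-destination "$macmini"
# Transparent squid redirect for LAN web traffic, kept disabled as in the original:
#"$IPTABLES" -t nat -A PREROUTING -i eth0 -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.0.200:3128
#"$IPTABLES" -t nat -A PREROUTING -i eth0 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128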