Here are some examples of netfilter port forwarding and some other parts of a firewall script. Please try to understand this before using it blindly. There are many documents on iptables.
#!/bin/sh
LAN1_IP_RANGE="192.168.0.0/24"
LAN1_IP="192.168.0.1/32"
LAN1_BCAST_ADRESS="192.168.0.255/32"
WLAN_IP_RANGE="192.168.1.0/24"
WLAN_IP="192.168.1.1/32"
WLAN_BCAST_ADRESS="192.168.1.255/32"
WLAN2_IP="10.1.0.0/24"
LOCALHOST_IP="127.0.0.1/32"
INET_IFACE="eth1"
LAN1_IFACE="eth0"
WLAN_IFACE="eth2"
DIALUP_IFACE="ppp+"
IPTABLES="/sbin/iptables"
INET_IFACE_IP="www.dcphillips.net"
DIALUP_IP="192.168.0.201"
GAME_HOST_IP="192.168.0.2" #firedragon
/sbin/depmod -a
/sbin/modprobe ipt_LOG
/sbin/modprobe ipt_REJECT
/sbin/modprobe ipt_MASQUERADE
echo "1" > /proc/sys/net/ipv4/ip_forward
echo "1" > /proc/sys/net/ipv4/ip_dynaddr
# Policy
$IPTABLES -P INPUT ACCEPT
$IPTABLES -P OUTPUT ACCEPT
$IPTABLES -P FORWARD ACCEPT
# Tables
$IPTABLES -N tcp_packets
$IPTABLES -N icmp_packets
$IPTABLES -N udpincoming_packets
$IPTABLES -N nat
$IPTABLES -N wlan_packets
# IP Masquerade
$IPTABLES -t nat -A POSTROUTING -o $INET_IFACE -j MASQUERADE
# Forward
$IPTABLES -A FORWARD -i $LAN1_IFACE -j ACCEPT
$IPTABLES -A FORWARD -i $WLAN_IFACE -j ACCEPT
$IPTABLES -A FORWARD -i $DIALUP_IFACE -j ACCEPT
$IPTABLES -A FORWARD -i lo -j ACCEPT
# Squid transparent proxy
$IPTABLES -A PREROUTING -t nat -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 3128
$IPTABLES -A PREROUTING -t nat -i eth2 -p tcp --dport 80 -j REDIRECT --to-port 3128
$IPTABLES -A PREROUTING -t nat -i ppp0 -p tcp --dport 80 -j REDIRECT --to-port 3128
# Input
$IPTABLES -A INPUT -p ICMP -i $INET_IFACE -j icmp_packets
$IPTABLES -A INPUT -p TCP -i $INET_IFACE -j tcp_packets
$IPTABLES -A INPUT -p UDP -i $INET_IFACE -j udpincoming_packets
$IPTABLES -A INPUT -p ALL -i $LAN1_IFACE -d $LAN1_BCAST_ADRESS -j ACCEPT
$IPTABLES -A INPUT -p ALL -i $WLAN_IFACE -j wlan_packets
$IPTABLES -A INPUT -p ALL -i $DIALUP_IFACE -d $LAN1_BCAST_ADRESS -j ACCEPT
$IPTABLES -A INPUT -p ALL -i $DIALUP_IFACE -d $WLAN_BCAST_ADRESS -j ACCEPT
$IPTABLES -A INPUT -p ALL -i lo -j ACCEPT
# Output
$IPTABLES -A OUTPUT -p ALL -s $LOCALHOST_IP -j ACCEPT
$IPTABLES -A OUTPUT -p ALL -s $LAN1_IP -j ACCEPT
$IPTABLES -A OUTPUT -p ALL -s $WLAN_IP -j ACCEPT
$IPTABLES -A OUTPUT -p ALL -s $WLAN2_IP -j ACCEPT
$IPTABLES -A OUTPUT -p ALL -s $DIALUP_IP -j ACCEPT
# Servers
# ssh
$IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 22 -j ACCEPT
# smtp
$IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 25 -j ACCEPT
# www
$IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 80 -j ACCEPT
# https
$IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 443 -j ACCEPT
# mail
$IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 465 -j ACCEPT
$IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 993 -j ACCEPT
$IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 995 -j ACCEPT
# wlan vpn
$IPTABLES -A wlan_packets -p UDP -s 0/0 --dport 5000 -j ACCEPT
$IPTABLES -A wlan_packets -p ALL -j DROP
# icmp
$IPTABLES -A icmp_packets -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A icmp_packets -p ICMP -j DROP
# Half-Life
$IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 5273 -j ACCEPT
$IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 7002 -j ACCEPT
$IPTABLES -A udpincoming_packets -p UDP -s 0/0 --source-port 27015 -j ACCEPT
$IPTABLES -A udpincoming_packets -p UDP -s 0/0 --source-port 27010 -j ACCEPT
$IPTABLES -A udpincoming_packets -p UDP -s 0/0 --source-port 27012 -j ACCEPT
# Nascar Heat
$IPTABLES -A udpincoming_packets -p UDP -s 0/0 --source-port 2001:2025 -j ACCEPT
$IPTABLES -t nat -A PREROUTING -d 0/0 -p udp --destination-port 2001:2025 -i $INET_IFACE -j DNAT --to $GAME_HOST_IP
# Nascar 4
$IPTABLES -A udpincoming_packets -p UDP -s 0/0 --source-port 32766:32809 -j ACCEPT
$IPTABLES -t nat -A PREROUTING -d 0/0 -p udp --destination-port 32766:32809 -i $INET_IFACE -j DNAT --to $GAME_HOST_IP
# MS Gaming Zone
# DirectX 7
$IPTABLES -t nat -A PREROUTING -p tcp -d $INET_IFACE_IP --dport 2300:2400 -j DNAT --to $GAME_HOST_IP:2300-2400
$IPTABLES -A FORWARD -p tcp -d $GAME_HOST_IP --dport 2300:2400 -j ACCEPT
$IPTABLES -t nat -A PREROUTING -p udp -d $INET_IFACE_IP --dport 2300:2400 -j DNAT --to $GAME_HOST_IP:2300-2400
$IPTABLES -A FORWARD -p udp -d $GAME_HOST_IP --dport 2300:2400 -j ACCEPT
$IPTABLES -t nat -A PREROUTING -p tcp -d $INET_IFACE_IP --dport 47624 -j DNAT --to $GAME_HOST_IP:47624
$IPTABLES -A FORWARD -p tcp -d $GAME_HOST_IP --dport 47624 -j ACCEPT
# DirectX 8
$IPTABLES -t nat -A PREROUTING -p udp -d $INET_IFACE_IP --dport 2302:2400 -j DNAT --to $GAME_HOST_IP:2300-2400
$IPTABLES -A FORWARD -p udp -d $GAME_HOST_IP --dport 2302:2400 -j ACCEPT
$IPTABLES -t nat -A PREROUTING -p udp -d $INET_IFACE_IP --dport 6073 -j DNAT --to $GAME_HOST_IP:47624
$IPTABLES -A FORWARD -p udp -d $GAME_HOST_IP --dport 6073 -j ACCEPT
$IPTABLES -t nat -A PREROUTING -p tcp -d $INET_IFACE_IP --dport 6667 -j DNAT --to $GAME_HOST_IP:6667
$IPTABLES -A FORWARD -p tcp -d $GAME_HOST_IP --dport 6667 -j ACCEPT
$IPTABLES -t nat -A PREROUTING -p tcp -d $INET_IFACE_IP --dport 28800:29000 -j DNAT --to $GAME_HOST_IP:28800-29000
$IPTABLES -A FORWARD -p tcp -d $GAME_HOST_IP --dport 28800:29000 -j ACCEPT
$IPTABLES -t nat -A PREROUTING -p udp -d $INET_IFACE_IP --dport 28800:29000 -j DNAT --to $GAME_HOST_IP:28800-29000
$IPTABLES -A FORWARD -p udp -d $GAME_HOST_IP --dport 28800:29000 -j ACCEPT
# CLOSE INCOMING TCP
$IPTABLES -A tcp_packets -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A tcp_packets -p TCP -s 0/0 -j DROP
# CLOSE INCOMING UDP
$IPTABLES -A udpincoming_packets -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A udpincoming_packets -p UDP -j DROP
# CLOSE FORWARD
$IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A FORWARD -m limit --limit 3/minute --limit-burst 3 -j LOG --log-level DEBUG --log-prefix "IPT FORWARD packet died: "
$IPTABLES -A FORWARD -j DROP
# LOG OTHER INPUT
$IPTABLES -A INPUT -m limit --limit 3/minute --limit-burst 3 -j LOG --log-level DEBUG --log-prefix "IPT INPUT packet died: "
منبع:
http://www.linuxquestions.org/questions/showthread.php?p=1464066#post1464066
كدام موضوع لينوكس شما را بيشتر جذب ميكند؟ 