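#!/bin/bash
# NAT gateway firewall for a two-interface Linux box.
#
# Interface layout (from the original notes): one "upper" NIC facing the
# Internet (INET_IF, formerly 192.168.0.100) and one "lower" NIC facing the
# LAN (LAN_IF, 172.16.0.254, serving 172.16.0.0/24).
#
# What it does, in order:
#   1. turns on IPv4 forwarding, ignores ICMP echo, enables SYN cookies;
#   2. loads the netfilter/NAT helper modules;
#   3. flushes filter/nat/mangle and sets INPUT/FORWARD to DROP;
#   4. builds the INPUT chain (anti-scan, state tracking, ssh, DNS replies);
#   5. masquerades (ppp0) or SNATs (fixed address) the LAN range;
#   6. forwards traffic to/from a fixed list of LAN hosts.
#
# Must run as root: it writes /proc/sys and calls iptables directly.

# Interfaces and addresses. LAN_IF / LAN_IP are kept for reference and
# for the commented-out DNAT examples below; only INET_IF and INET_IP are
# used by the active rules.
#INET_IF="ppp0"
readonly INET_IF="enp13s0"
# shellcheck disable=SC2034  # documented config, not used by active rules
readonly LAN_IF="b.ctrl0net.6a"
#INET_IP="192.168.0.100"
readonly INET_IP="10.108.162.164"
# shellcheck disable=SC2034  # documented config, not used by active rules
readonly LAN_IP="172.16.0.254"
readonly LAN_IP_RANGE="172.16.0.0/24"
#LAN_WWW="172.16.0.6"
readonly IPT="/sbin/iptables"
#TC="/sbin/tc"
readonly MODPROBE="/sbin/modprobe"

# LAN hosts that may send and receive forwarded traffic (172.16.0.1-12).
readonly -a LAN_HOSTS=(172.16.0.{1..12})

#######################################
# Write one value into a /proc/sys key, aborting on failure.
# Arguments: $1 - value, $2 - sysctl path
# Returns:   0 on success; exits 1 if the write fails (typically not root)
#######################################
set_sysctl() {
  local value=$1 key=$2
  if ! printf '%s\n' "$value" > "$key"; then
    printf 'firewall: cannot write %s\n' "$key" >&2
    exit 1
  fi
}

# Abort before we flush anything if /proc/sys is not writable, so an
# existing ruleset is not torn down by a run that cannot complete.
set_sysctl 1 /proc/sys/net/ipv4/ip_forward
set_sysctl 1 /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
set_sysctl 1 /proc/sys/net/ipv4/icmp_echo_ignore_all
set_sysctl 1 /proc/sys/net/ipv4/tcp_syncookies

# Netfilter modules. Several of these names are the legacy ones
# (ip_nat_*, ip_conntrack*, ipt_mark); on newer kernels they may be
# built in or renamed (nf_nat_*, nf_conntrack*), so a failed load is
# reported but does not stop the script.
for mod in ip_tables iptable_nat ip_nat_ftp ip_nat_irc ipt_mark \
           ip_conntrack ip_conntrack_ftp ip_conntrack_irc ipt_MASQUERADE; do
  "$MODPROBE" "$mod" || printf 'firewall: warning: could not load module %s\n' "$mod" >&2
done

# Start from empty filter, nat and mangle tables.
for table in filter nat mangle; do
  "$IPT" -t "$table" -F
  "$IPT" -t "$table" -X
  "$IPT" -t "$table" -Z
done

# Default policies: nothing in or through unless explicitly allowed;
# locally generated traffic is allowed out.
"$IPT" -P INPUT DROP
"$IPT" -P OUTPUT ACCEPT
"$IPT" -P FORWARD DROP
"$IPT" -t nat -P PREROUTING ACCEPT
"$IPT" -t nat -P OUTPUT ACCEPT
"$IPT" -t nat -P POSTROUTING ACCEPT

# ---- INPUT chain ---------------------------------------------------------

# Loopback. Without this, INPUT DROP also drops new connections to
# 127.0.0.1 (only the RELATED,ESTABLISHED rule below would let the
# replies through), which breaks local services.
"$IPT" -A INPUT -i lo -j ACCEPT

# Malformed / scan-style TCP flag combinations from the Internet side.
# These must come before the RELATED,ESTABLISHED accept and the
# NEW,INVALID drop: placed after them, almost every packet is already
# decided and the flag checks never match.
"$IPT" -A INPUT -i "$INET_IF" -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP
"$IPT" -A INPUT -i "$INET_IF" -p tcp --tcp-flags ALL ALL -j DROP
"$IPT" -A INPUT -i "$INET_IF" -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP
"$IPT" -A INPUT -i "$INET_IF" -p tcp --tcp-flags ALL NONE -j DROP
"$IPT" -A INPUT -i "$INET_IF" -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
"$IPT" -A INPUT -i "$INET_IF" -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP

# Replies to connections this host opened.
#"$IPT" -A INPUT -i "$INET_IF" -m state --state RELATED,ESTABLISHED -j ACCEPT
"$IPT" -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

# ssh. NOTE(review): this rule has no -i / -s restriction, so port 22 is
# reachable from the Internet side as well as the LAN; the commented-out
# form limits it to a source range.
#"$IPT" -A INPUT -i "$INET_IF" -p tcp -s 123.5.0.0/16 --dport 22 -j ACCEPT
"$IPT" -A INPUT -p tcp --dport 22 -j ACCEPT

# Everything else arriving from the Internet side is refused.
"$IPT" -A INPUT -i "$INET_IF" -m state --state NEW,INVALID -j DROP

# DNS replies from the configured resolvers. Read only "nameserver"
# lines (the old "grep ^n" pattern matched any line starting with n).
mapfile -t dns_servers < <(awk '$1 == "nameserver" { print $2 }' /etc/resolv.conf)
for dns in "${dns_servers[@]}"; do
  "$IPT" -A INPUT -p tcp -s "$dns" --sport domain -j ACCEPT
  "$IPT" -A INPUT -p udp -s "$dns" --sport domain -j ACCEPT
done

# ---- NAT ------------------------------------------------------------------

# Port-forwarding examples (disabled).
#"$IPT" -t nat -A PREROUTING -d "$INET_IP" -p tcp --dport 8008 -j DNAT --to-destination "$LAN_WWW:8008"
#"$IPT" -t nat -A PREROUTING -d "$INET_IP" -p tcp --dport 22 -j DNAT --to-destination "$LAN_WWW:22"

# A dial-up link gets a dynamic address, so MASQUERADE; a fixed uplink
# address can use the cheaper SNAT.
if [[ "$INET_IF" == "ppp0" ]]; then
  "$IPT" -t nat -A POSTROUTING -o "$INET_IF" -s "$LAN_IP_RANGE" -j MASQUERADE
else
  "$IPT" -t nat -A POSTROUTING -o "$INET_IF" -s "$LAN_IP_RANGE" -j SNAT --to-source "$INET_IP"
fi

# ---- FORWARD chain -------------------------------------------------------

# Disabled examples: per-host unrestricted access, port whitelist,
# MAC/IP binding.
#"$IPT" -A FORWARD -s 192.168.1.216 -m mac --mac-source 00:15:17:F7:AB:84 -j ACCEPT
#"$IPT" -A FORWARD -d 192.168.1.216 -j ACCEPT
#"$IPT" -A FORWARD -p tcp -d ! "$LAN_IP_RANGE" -m multiport --dports ! 20,21,22,25,53,80,110,443,8080 -j DROP
#"$IPT" -A FORWARD -p udp -d ! "$LAN_IP_RANGE" -m multiport --dports ! 20,21,22,25,53,80,110,443,8080 -j DROP
#"$IPT" -A FORWARD -s 192.168.1.11 -m mac --mac-source 44-87-FC-44-B9-6E -j ACCEPT

# Only the listed LAN hosts may have traffic forwarded, in either
# direction. NOTE(review): the -d rules accept any packet addressed to a
# listed host, not just RELATED,ESTABLISHED replies; a state match would
# limit inbound forwarding to return traffic.
for host in "${LAN_HOSTS[@]}"; do
  "$IPT" -A FORWARD -s "$host" -j ACCEPT
done
for host in "${LAN_HOSTS[@]}"; do
  "$IPT" -A FORWARD -d "$host" -j ACCEPT
done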