• 常用iptables设置


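     #!/bin/bash
     #
     # Reset the IPv4 filter, nat and raw tables, then load a host firewall and
     # source NAT for 192.168.56.0/24 (presumably the VirtualBox host-only
     # network behind vboxnet0 -- confirm against the local setup).
     #
     # Review notes:
     #  - Only IPv4 is handled. ip6tables is never called, so IPv6 reachability
     #    of this host must be filtered separately.
     #  - The mangle table is left as it is.
     #  - Must run as root. No `set -e` on purpose: aborting halfway would leave
     #    ACCEPT policies in place without the final REJECT rule.

     # Fail on a misspelled or undefined variable instead of expanding it to "".
     set -u

     # Name of wan and lan interface
     wan_interface=eth1
     lan_interface=eth0
     vbox_int=vboxnet0

     # Where is iptables
     BIN=/sbin/iptables

     # Flush rules first, then delete user-defined chains: -X cannot remove a
     # chain that still holds rules or is still referenced by a jump.
     "$BIN" -F
     "$BIN" -F -t nat
     "$BIN" -F -t raw
     "$BIN" -X

     # Default policies.
     # INPUT stays ACCEPT, so inbound filtering depends entirely on the trailing
     # REJECT rule below; if that rule is removed or the script stops early, the
     # host accepts everything. The stricter DROP policy is left commented out
     # (test from a console before enabling it, to avoid cutting off SSH).
     #"$BIN" -P INPUT DROP
     "$BIN" -P INPUT ACCEPT
     "$BIN" -P OUTPUT ACCEPT
     # NOTE(review): FORWARD ACCEPT with no FORWARD rules means every packet
     # routed through this host is forwarded once net.ipv4.ip_forward is on.
     # Consider policy DROP plus explicit ACCEPT rules for traffic entering on
     # $vbox_int and for RELATED,ESTABLISHED replies.
     "$BIN" -P FORWARD ACCEPT

     # Inbound rules. `-m state` is kept as the author wrote it; current
     # iptables releases prefer the equivalent `-m conntrack --ctstate`.
     "$BIN" -A INPUT -p icmp --icmp-type any -j ACCEPT
     "$BIN" -A INPUT -i lo -j ACCEPT
     "$BIN" -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
     # Everything arriving on the VM interface is trusted, on every port.
     "$BIN" -A INPUT -i "$vbox_int" -j ACCEPT
     # Ports 22, 10000 and 10001 are reachable from any source address; add
     # `-s <management-network>` if they are only needed from known hosts.
     "$BIN" -A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
     #"$BIN" -A INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
     #"$BIN" -A INPUT -m state --state NEW -m tcp -p tcp --dport 139 -j ACCEPT
     #"$BIN" -A INPUT -m state --state NEW -m tcp -p tcp --dport 445 -j ACCEPT
     "$BIN" -A INPUT -m state --state NEW -m tcp -p tcp --dport 10000 -j ACCEPT
     "$BIN" -A INPUT -m state --state NEW -m tcp -p tcp --dport 10001 -j ACCEPT
     #"$BIN" -A INPUT -m state --state NEW -m tcp -p tcp --dport 55555 -j ACCEPT
     #"$BIN" -A INPUT -m state --state NEW -m tcp -p tcp --dport 631 -s 192.168.56.0/24 -j ACCEPT
     #"$BIN" -A INPUT -m state --state NEW -m tcp -p tcp --dport 5672 -j ACCEPT
     # Catch-all: anything not accepted above is rejected.
     "$BIN" -A INPUT -j REJECT --reject-with icmp-host-prohibited

     # Source NAT for the VM network on both uplinks. This only takes effect
     # when IP forwarding is enabled; the script does not enable it itself.
     "$BIN" -t nat -A POSTROUTING -s 192.168.56.0/24 -o "$wan_interface" -j MASQUERADE
     "$BIN" -t nat -A POSTROUTING -s 192.168.56.0/24 -o "$lan_interface" -j MASQUERADE

     # Disabled rules kept from the original listing. The SNAT line uses
     # $wan_ip, which is not defined anywhere in this script; set it before
     # enabling that rule.
     #"$BIN" -t nat -A PREROUTING -s 172.16.10.0/24 -i eth1 -p tcp --dport 80 -j REDIRECT --to-port 3128
     #"$BIN" -t nat -A POSTROUTING -s 172.16.9.0/24 -o "$wan_interface" -j SNAT --to "$wan_ip"
     #"$BIN" -t raw -A PREROUTING -s 172.16.10.0/24 -j ACCEPT
     #"$BIN" -t raw -A PREROUTING -s 172.16.0.0/16 -m string --algo bm --string "youku.com" -j DROP
     #"$BIN" -t raw -A PREROUTING -s 172.16.0.0/16 -m string --algo bm --string "ku6.com" -j DROP
     #"$BIN" -t raw -A PREROUTING -s 172.16.0.0/16 -m string --algo bm --string "6.cn" -j DROP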
  • 原文地址:https://www.cnblogs.com/huazi/p/2866246.html