echo "firewall start! let us go!"
echo 1 > /proc/sys/net/ipv4/ip_forward
echo 1 > /proc/sys/net/ipv4/ip_dynaddr
echo 0 > /proc/sys/net/ipv4/tcp_ecn
echo 1 > /proc/sys/net/ipv4/tcp_syncookies
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts

#start kernel modules
/sbin/modprobe ip_tables
/sbin/modprobe iptable_nat
/sbin/modprobe iptable_filter
/sbin/modprobe ip_conntrack
/sbin/modprobe ip_conntrack_ftp
/sbin/modprobe ip_nat_ftp
/sbin/modprobe ipt_MASQUERADE
/sbin/modprobe ipt_state
/sbin/modprobe ipt_multiport

#clear chains rules
/sbin/iptables -F
/sbin/iptables -t nat -F

#clear packets counts
/sbin/iptables -Z
/sbin/iptables -t nat -Z

#set default methods:DROP
#/sbin/iptables -P INPUT DROP
#/sbin/iptables -P FORWARD DROP
#/sbin/iptables -P OUTPUT DROP

#allow local connect
/sbin/iptables -A INPUT -i lo -j ACCEPT
/sbin/iptables -A OUTPUT -o lo -j ACCEPT

#allow outgoing
/sbin/iptables -A OUTPUT -o eth1 -p tcp -m state --state ESTABLISHED,NEW,RELATED -j ACCEPT

#允许来自防火墙的包传到专用网
/sbin/iptables -A OUTPUT -o eth0 -d $PRIV -j ACCEPT

#接受来自专用网络到达专用网络接口的所有流量
/sbin/iptables -A INUPUT -i eth0 -p tcp -s $PRIV -j ACCEPT

#检查到达外部网络接口的每个包的状态,属于已经存在的TCP连接的包都允许通过
iptables -A INPUT -i eth1 -p tcp -m state --state ESTABLISHED,RELATED -j ACCEPT

#allow ping proxy
/sbin/iptables -A INPUT -p icmp --icmp-tye echo-request -m limit --limit 1/s --limit-burst 10 -j ACCEPT
/sbin/iptables -A OUTPUT -p icmp --icmp-type echo-reply -j ACCEPT

#allow DNS
/sbin/iptables -A OUTPUT --dport 53 -j ACCEPT
/sbin/iptables -A INPUT --sport 53 -j ACCEPT

#let us begin forward rules
/sbin/iptables -A FORWARD -p tcp -m multiport --dport 135,137,138,139,445 -j ACCEPT
/sbin/iptables -A FORWARD -i eth0 -j ACCEPT
/sbin/iptables -A FORWARD -i eth1 -m state --state ESTABLISHED,RELATED -j ACCEPT
/sbin/iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
/sbin/iptables -A FORWARD -f -m limit --limit 100/s --limit-burst 120 -j LOG --log-level DEBUG

#let us begin NAT rules
#NAT for HTTP
/sbin/iptables -t nat -A PREROUTING -p tcp -i eth1 -d 221.226.x.x --dport 80-j DNAT --to-destination 192.168.5.16:80
/sbin/iptables -t nat -A POSTROUTING -p tcp -o eth1 -s 192.168.5.16 --sport 80-j SNAT --to-source 221.226.x.x

#NAT for FTP
/sbin/iptables -t nat -A PREROUTING -p tcp -i eth1 -d 221.226.x.x --dport 21 -j DNAT --to-destination 192.168.5.16:21
/sbin/iptables -t nat -A POSTROUTING -p tcp -o eth1 -s 192.168.5.16 --sport 21-j SNAT --to-source 221.226.x.x:21
/sbin/iptables -t nat -A PREROUTING -p tcp -i eth1 -d 221.226.x.x --dport 20-j DNAT --to-destination 192.168.5.16:20
/sbin/iptables -t nat -A POSTROUTING -p tcp -o eth1 -s 192.168.5.16 --sport 20-j SNAT --to-source 221.226.x.x:20

#NAT for HTTPS
/sbin/iptables -t nat -A PREROUTING -p tcp -i eth1 -d 221.226.x.x --dport 443 -j DNAT --to-destination 192.168.5.16:443
/sbin/iptables -t nat -A POSTROUTING -p tcp -o eth1 -s 192.168.5.16 --dport 443 -j SNAT --to-source 221.226.x.x:443

#NAT for SMTP and POP3
/sbin/iptables -t nat -A PREROUTING -p tcp -i eth1 -d 221.226.x.x --dport 25-j --to-destination 192.168.5.16:25
/sbin/iptables -t nat -A POSTROUTING -p tcp -o eth1 -s 192.168.5.16 --sport 25-j --to-source 221.226.x.x:25
/sbin/iptables -t nat -A PREROUTING -p tcp -i eth1 -d 221.226.x.x --dport 110 -j --to-destination 192.168.5.16:110
/sbin/iptables -t nat -A POSTROUTING -p tcp -o eth1 -s 192.168.5.16 --sport 110 -j --to-source 221.226.x.x:110
/sbin/iptables -t nat -A PREROUTING -p tcp -i eth1 -d 221.226.x.x --dport 143 -j --to-destination 192.168.5.16:143
/sbin/iptables -t nat -A POSTROUTING -p tcp -o eth1 -s 192.168.5.16 --sport 143 -j --to-source 221.226.x.x:143

#NAT for TELNET
/sbin/iptables -t nat -A PREROUTING -p tcp -i eth1 -d 221.226.x.x --dport 23-j --to-destination 192.168.5.16:23
/sbin/iptables -t nat -A POSTROUTING -p tcp -o eth1 -s 192.168.5.16 --sport 23-j --to-source 221.226.x.x:23

#NAT for SSH
/sbin/iptables -t nat -A PREROUTING -p tcp -i eth1 -d 221.226.x.x --dport 22-j --to-destination 192.168.5.16:22
/sbin/iptables -t nat -A POSTROUTING -p tcp -o eth1 -s 192.168.5.16 --sport 22-j --to-source 221.226.x.x:22

#IP MASQUERADE
/sbin/iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE
------------------------------------------------------------------------------
对防火墙脚本的改进
使用自己定义链
/sbin/iptables -N priv
/sbin/iptables -A priv -m state --state ESTABLISHED,RELATED -j ACCEPT
#允许进入防火墙的SSH包
/sbin/iptables -A priv -p tcp -s $PRIV --dport 22 -d 192.168.5.16 -j ACCEPT
#允许发往外网的FTP SSH HTTP包
/sbin/iptables -A priv -p tcp -d 0/0 --dport 21 -j ACCEPT
/sbin/iptables -A priv -p tcp -d 0/0 --dport 22 -j ACCEPT
/sbin/iptables -A priv -p tcp -d 0/0 --dport 80 -j ACCEPT
/sbin/iptables -A priv -p tcp -d 0/0 --dport 8080 -j ACCEPT

如果有DMZ的话,可以定义一个链丢弃来自专用网(IP欺骗)和DMZ源地址的所有的包
/sbin/iptables -N ext
/sbin/iptables -A ext -s 192.168.5.0/24 -j DROP
/sbin/iptables -A ext -s DMZ的IP/24 -j DROP
#接受发到外网的包
/sbin/iptables -A ext -s 0/0 --dport 1024:65535 -j ACCEPT
#接受来自自己已有的连接
/sbin/iptables -A ext -s 0/0 -d 221.226.x.x -j ACCEPT

/sbin/iptables -A INPUT -i eth0 -j priv
/sbin/iptables -A INPUT -i eth1 -j ext