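#!/bin/bash
#
# Firewall / NAT rules for a gateway with two uplinks (eth1, eth2).
#
# Rebuilds the nat, filter and mangle rules on every run:
#   1. flushes the built-in chains and the custom "keep_state" chain;
#   2. recreates keep_state (accept RELATED/ESTABLISHED) and jumps to it
#      from every built-in chain of the nat and filter tables;
#   3. SNATs the local network NLOCAL to this host's address on the
#      uplink the packet leaves through;
#   4. publishes internal services with DNAT in nat/PREROUTING;
#   5. logs packets that leave through the wrong uplink (mangle/POSTROUTING).
#
# Notes:
#   - No chain policy (-P) is set here and the only filter rule added is
#     the keep_state jump, so whether DNATed traffic is actually forwarded
#     depends on the FORWARD policy configured elsewhere.
#   - Must run as root. The script aborts on the first failing iptables
#     call (set -e); the only tolerated failure is deleting keep_state
#     when it does not exist yet.
#
# Usage: ./firewall.sh

set -Eeuo pipefail
trap 'printf "firewall: failed at line %s: %s\n" "$LINENO" "$BASH_COMMAND" >&2' ERR

# Uplink 1 = eth1 (192.168.16.0/28), uplink 2 = eth2 (192.168.17.0/28):
# upstream gateway (GWn), uplink subnet (NEn) and this host's address (IPEn).
readonly GW1=192.168.16.2
readonly GW2=192.168.17.2
# shellcheck disable=SC2034 — NE1/NE2 document the uplink subnets; no rule below uses them.
readonly NE1=192.168.16.0/28 NE2=192.168.17.0/28
readonly IPE1=192.168.16.1
readonly IPE2=192.168.17.1
# Local address space that is SNATed and may use the LAN-only forwards.
readonly NLOCAL=192.168.0.0/20
# Internal servers reached through DNAT (roles taken from the rule comments).
readonly SPAWN=192.168.1.1         # SMTP, POP3, HTTP, HTTPS
readonly DNS_PRIMARY=192.168.1.3   # also the SSH target
readonly DNS_SECONDARY=192.168.1.4
readonly AS400=192.168.1.7
# AS400 telnet: public address it is reached on (presumably NATed onto this
# host by an uplink — it is not IPE1/IPE2, confirm) and the single client allowed.
readonly AS400_PUBLIC=80.24.26.25
readonly AS400_CLIENT=80.32.29.234
readonly ANY=0.0.0.0/0

readonly IPTABLES="/sbin/iptables"

die() { printf '%s\n' "$*" >&2; exit 1; }

# Single entry point for iptables so every rule uses the same binary
# (the LOG rules previously called a bare "iptables" from $PATH).
ipt() { "$IPTABLES" "$@"; }

# Flush every chain this script manages and remove the custom chain.
flush_rules() {
  local table
  ipt -t nat -F PREROUTING
  ipt -t nat -F POSTROUTING
  ipt -t nat -F OUTPUT
  ipt -t filter -F INPUT
  ipt -t filter -F FORWARD
  ipt -t filter -F OUTPUT
  ipt -t mangle -F POSTROUTING
  # keep_state does not exist on a first run; ignoring that error is deliberate.
  for table in filter nat; do
    ipt -t "$table" -F keep_state >/dev/null 2>&1 || true
    ipt -t "$table" -X keep_state >/dev/null 2>&1 || true
  done
}

# Create keep_state in the filter and nat tables and jump to it from every
# built-in chain, so traffic known to conntrack is accepted in one place.
# (The nat table only evaluates the first packet of a connection, so the
# nat copy is effectively a no-op; kept for parity with the original.)
setup_keep_state() {
  local table chain
  for table in filter nat; do
    ipt -t "$table" -N keep_state
    ipt -t "$table" -A keep_state -m state --state RELATED,ESTABLISHED -j ACCEPT
    ipt -t "$table" -A keep_state -j RETURN
  done
  for chain in PREROUTING POSTROUTING OUTPUT; do
    ipt -t nat -A "$chain" -j keep_state
  done
  for chain in INPUT FORWARD OUTPUT; do
    ipt -t filter -A "$chain" -j keep_state
  done
}

# Source-NAT the LAN to the fixed address of whichever uplink it leaves on.
setup_snat() {
  ipt -t nat -A POSTROUTING -o eth1 -s "$NLOCAL" -j SNAT --to "$IPE1"
  ipt -t nat -A POSTROUTING -o eth2 -s "$NLOCAL" -j SNAT --to "$IPE2"
  # Dynamic-address alternative, kept from the original for reference:
  # ipt -t nat -A POSTROUTING -o eth1 -j MASQUERADE
  # ipt -t nat -A POSTROUTING -o eth2 -j MASQUERADE
}

#######################################
# Add one DNAT port forward to nat/PREROUTING.
# Arguments:
#   $1 - protocol (tcp|udp)
#   $2 - allowed source address/CIDR ($ANY for everyone)
#   $3 - destination address the packet arrives for ($ANY for any)
#   $4 - destination port to match
#   $5 - new destination, host:port
#######################################
dnat_rule() {
  local proto=$1 src=$2 dst=$3 dport=$4 target=$5
  ipt -t nat -A PREROUTING -p "$proto" -s "$src" -d "$dst" --dport "$dport" \
    -j DNAT --to-destination "$target"
}

# Published services. Forwards restricted to $NLOCAL are LAN-only; those
# with source $ANY are reachable from the Internet through the uplink.
setup_dnat() {
  # LAN access to the uplink routers themselves, on alternate ports.
  # Ports 2001/2002 forward to telnet (cleartext) on the routers.
  dnat_rule tcp "$NLOCAL" "$ANY" 2000 "$GW2:80"   # web UI of GW2 ("filemon")
  dnat_rule tcp "$NLOCAL" "$ANY" 2001 "$GW2:23"   # telnet to GW2 ("filemon")
  dnat_rule tcp "$NLOCAL" "$ANY" 2002 "$GW1:23"   # telnet to GW1 ("mortadelo")

  # Telnet to the AS400 from exactly one external client. Telnet is
  # cleartext; the pinned source is the only control on this forward.
  dnat_rule tcp "$AS400_CLIENT" "$AS400_PUBLIC" 23 "$AS400:23"

  # DNS: secondary reached via uplink 2, primary via uplink 1.
  dnat_rule udp "$ANY" "$IPE2" 53 "$DNS_SECONDARY:53"
  dnat_rule udp "$ANY" "$IPE1" 53 "$DNS_PRIMARY:53"

  # Mail and web on Spawn, via uplink 1.
  dnat_rule tcp "$ANY" "$IPE1" 25 "$SPAWN:25"
  dnat_rule tcp "$ANY" "$IPE1" 110 "$SPAWN:110"
  dnat_rule tcp "$ANY" "$IPE1" 80 "$SPAWN:80"
  dnat_rule tcp "$ANY" "$IPE1" 443 "$SPAWN:443"

  # SSH to the DNS host via uplink 1, on port 22 and on port 50. The
  # original carried the same "SSH" comment for both rules; port 50 is
  # presumably an alternate SSH port — confirm it is intended.
  dnat_rule tcp "$ANY" "$IPE1" 22 "$DNS_PRIMARY:22"
  dnat_rule tcp "$ANY" "$IPE1" 50 "$DNS_PRIMARY:22"
}

# Log packets leaving an uplink with the source address of the *other*
# uplink ("WRONG IFACE"). Rate-limited so a misrouted stream cannot flood
# the kernel log; the original rules were unlimited.
setup_logging() {
  local -a limit=(-m limit --limit 5/min --limit-burst 10)
  ipt -t mangle -A POSTROUTING -s "$IPE2" -o eth1 "${limit[@]}" \
    -j LOG --log-prefix "WRONG IFACE: " --log-ip-options
  ipt -t mangle -A POSTROUTING -s "$IPE1" -o eth2 "${limit[@]}" \
    -j LOG --log-prefix "WRONG IFACE: " --log-ip-options
}

main() {
  (( EUID == 0 )) || die "this script must be run as root"
  [[ -x "$IPTABLES" ]] || die "$IPTABLES not found or not executable"
  flush_rules
  setup_keep_state
  setup_snat
  setup_dnat
  setup_logging
}

main "$@"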
