#!/usr/bin/perl /root/confread
# NOTE(review): this file was recovered from a single whitespace-collapsed line
# (the four '#' comment lines in the nat section had swallowed everything after
# them). Statement boundaries below are reconstructed from the evident
# structure -- confirm against confread's grammar before loading.

mport multiport

# Built-in chain policies (presumably iptables -P). All three default to
# ACCEPT, so anything not matched by an explicit rule below is allowed;
# confirm this is intended rather than DROP defaults with explicit allows.
policy INPUT ACCEPT FORWARD ACCEPT OUTPUT ACCEPT

# dnats(\@args): returns "-j DNAT" followed by one "--to-destination X" for
# every comma-separated value in the first argument. "shift @{+shift}"
# removes that argument from the caller's array, i.e. it mutates @args.
# Whether the iptables in use accepts several --to-destination options on a
# single rule is not checked here -- TODO confirm for multi-value inputs.
function dnats { my $e = '-j DNAT'; $e .= " --to-destination $_" for split /,/, shift @{+shift}; $e }

# Symbolic names, referenced below as $name. The p* names are the 130.73.x
# addresses used as "dst" of the DNAT rules; the d* names are the internal
# DNAT targets (host:port where a port is needed). dwww refers to dwww1
# before dwww1 is defined -- confirm confread resolves forward references.
define psrv 130.73.244 pwlan 130.73.254 proxy 199.100.16.100 pdns $psrv.1 pwww $psrv.2 pwww1 $psrv.21 pwww2 $psrv.22 pmail $psrv.3 pssh $psrv.4 pftp $psrv.5 psqrl $psrv.6 psnat $psrv.44-$psrv.198 vmail 10.1.0.4 dwww $dwww1 dwww1 10.0.1.2:8000 dsqrl 10.0.1.2:9000 ddns 10.0.1.2 dmail 10.0.2.2 dssh 10.0.4.2 dftp 10.0.5.2 dwww2 10.0.6.2 dhoney 10.10.0.5

mangle PREROUTING
# Drop packets whose last source/destination octet is all-ones or all-zeros
# (the masks only look at the low octet).
src 0.0.0.255/0.0.0.255 DROP
src 0.0.0.0/0.0.0.255 DROP
dst 0.0.0.255/0.0.0.255 DROP
dst 0.0.0.0/0.0.0.255 DROP
# Honeypot net arriving on srv and the mail->dns host pair are allowed;
# remaining traffic addressed to 10.0.0.0/16 is logged (mangle_drop) and
# dropped. Whether "in srv" scopes only its own rule or the ones after it is
# not clear from this file -- confirm.
in srv src 10.10.0.0/24 ACCEPT
dst 10.0.1.2 src 10.0.2.2 ACCEPT
dst 10.0.0.0/16 log mangle_drop
dst 10.0.0.0/16 DROP

nat PREROUTING
# Dispatch by ingress interface, then a catch-all jump to servs; what servs
# does not DNAT falls through to inbound (apparently only for iseage).
in srv servers
in wlan inwless
in kiosk inwless
servs
in iseage inbound
# Port-forward the published services to their internal hosts.
servs
udp 53 dst $pdns dnats $ddns
tcp www dst $pwww dnats $dwww
tcp www dst $psqrl dnats $dsqrl
tcp 25,110,995,993,143 dst $pmail dnats $dmail
tcp ssh dst $pssh dnats $dssh
tcp ftp dst $pftp dnats $dftp
# Everything else (any TCP or UDP) is DNATed to the honeypot. The
# "log to_honey" rule is commented out, and filter/FORWARD below also excludes
# dst 10.10.0.5 from its logging, so this firewall records none of the
# honeypot-bound traffic -- presumably the honeypot itself logs it; confirm.
inbound
prot tcp dnats $dhoney
prot udp dnats $dhoney
# tcp 222 REDIRECT '--to-port 22'
# log to_honey
# prot tcp REDIRECT '--to-port 9'
# prot udp REDIRECT '--to-port 9'
# Wireless/kiosk clients: only SMB/NetBIOS to the ftp host is forwarded.
inwless
tcp 445,139 dst $pftp dnats $dftp
udp 137,138 dst $pftp dnats $dftp
# Server segment: SMTP/IMAP to vmail go to the mail host; all else untouched.
servers
tcp 25,143 dst $vmail dnats $dmail
ACCEPT
# Known internal source ranges leaving on iseage are SNATed to the $psnat
# range; anything else leaving on iseage is logged (out_unk) but still SNATed
# to $psrv.252 rather than dropped -- confirm that is the intent.
# 10.0.0.2/255.255.0.255 matches 10.0.*.2, i.e. the d* hosts defined above.
POSTROUTING
out iseage src 10.0.0.2/255.255.0.255 outgoing
out iseage src 10.1.0.0/24 outgoing
out iseage src 10.2.0.0/24 outgoing
out iseage src 10.10.0.0/24 outgoing
out iseage log out_unk
out iseage snat $psrv.252
outgoing
snat $psnat

filter FORWARD
# Log new connections from outside 10/8 to anything but the honeypot; with
# FORWARD policy ACCEPT they are still forwarded. Only srv<->srv traffic is
# sent through the internal chain.
state n src ! 10.0.0.0/8 dst ! 10.10.0.5 log I
in srv out srv internal
# srv<->srv: dns host <-> mail host on 25,143 (tcp_s presumably matches
# source ports; "state e" presumably ESTABLISHED), honeypot net <-> the
# 10.0.*.2 hosts; everything else is logged (internal) and dropped.
internal
src 10.0.1.2 dst 10.0.2.2 tcp 25,143 ACCEPT
src 10.0.2.2 dst 10.0.1.2 tcp_s 25,143 state e ACCEPT
src 10.10.0.0/24 dst 10.0.0.2/255.255.0.255 ACCEPT
dst 10.0.0.2/255.255.0.255 src 10.10.0.0/24 state e ACCEPT
log internal
DROP