Por muito tempo fiquei procurando scripts de firewall utilizando o Iptables para controlar uma rede corporativa. Então, hoje estou publicando um script completo utilizando o Iptables, incluindo LAN/DMZ e um excelente filtro de ataques.
Principais características deste script completo para IPtables
Após muitas pesquisas consegui finalmente criar o script abaixo, onde o administrador poderá facilmente:
- Redirecionar portas para determinados servidores em sua DMZ;
- Adicionar novas regras, pois o script está documentando;
- As regras inclusas neste script já inclui conexões do DNS SERVER, Servidor de EMAIL, VNC, SSH e outras regras que ajudaram muito a administração de tráfego de rede;
- Filtros prontos contra ataques de DDoS;
- A cada execusão do script as regras são apagadas e recriadas.
Script completo para IPtables
Este script foi desenvolvido para distribuições REDHAT/CENTOS e FEDORA, porem é facilmente adaptável a qualquer distribuição alterando a variável $IPTABLES e a localização dos MÓDULOS.
# SCRIPT FIREWALL
# Autor: Adriano Frare
# Versao 1.0
#!/bin/sh
# AUXILIA no DEGUB do script
# Remova o # abaixo para DEBUG
#set -x
lan_ip=”192.168.x.1?
lan_if=”ethX”
lan2_ip=”192.168.4.1?
lan2_if=”ethX”
wan_ip=”IP-PUBLICO-DA-REDE”
wan_if=”ethx ou ppp0?
dmz_ip=”192.168.X.1?
dmz_if=”ethX”
lo_if=”lo”
lo_ip=”127.0.0.1?
dc=”192.168.2.2?
postgresql=”192.168.2.x”
itchief=”192.168.2.10?
mail=”192.168.2.2?
srv025=”192.168.2.x”
ecm=”192.168.2.x”
zimbra=”192.168.2.x”
proxy=”192.168.2.x”
proxyport=”8080?
storage=”192.168.2.x”
vps100=”192.168.2.x”
srv039=”192.168.2.x”
IPTABLES=”/sbin/iptables”
# Module loading
/sbin/depmod -a
/sbin/modprobe ip_tables
/sbin/modprobe ip_conntrack
/sbin/modprobe iptable_filter
/sbin/modprobe iptable_mangle
/sbin/modprobe iptable_nat
/sbin/modprobe ipt_LOG
/sbin/modprobe ipt_limit
/sbin/modprobe ipt_state
/sbin/modprobe ipt_contract_ftp
/sbin/modprobe ipt_nat_ftp
# Enable Forwarding
echo “1” > /proc/sys/net/ipv4/ip_forward
# Syn Flood Protection
echo “1” > /proc/sys/net/ipv4/tcp_syncookies
# Flush it before start
$IPTABLES -F
$IPTABLES -X
$IPTABLES -t nat -F
$IPTABLES -t mangle -F
# Set policies
$IPTABLES -P INPUT DROP
$IPTABLES -P OUTPUT ACCEPT
$IPTABLES -P FORWARD DROP
# LOG
$IPTABLES -t nat -I PREROUTING -j LOG –log-level info –log-prefix “IPTABLES PREROUTING ”
$IPTABLES -t nat -I FORWARD -j LOG –log-level info –log-prefix “IPTABLES FORWARD: ”
# PROTECT RULES
### 1: Drop invalid packets ###
$IPTABLES -t mangle -A PREROUTING -m conntrack –ctstate INVALID -j DROP
### 2: Drop TCP packets that are new and are not SYN ###
$IPTABLES -t mangle -A PREROUTING -p tcp ! –syn -m conntrack –ctstate NEW -j DROP
### 3: Drop SYN packets with suspicious MSS value ###
$IPTABLES -t mangle -A PREROUTING -p tcp -m conntrack –ctstate NEW -m tcpmss ! –mss 536:65535 -j DROP
### 4: Block packets with bogus TCP flags ###
$IPTABLES -t mangle -A PREROUTING -p tcp –tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP
$IPTABLES -t mangle -A PREROUTING -p tcp –tcp-flags FIN,SYN FIN,SYN -j DROP
$IPTABLES -t mangle -A PREROUTING -p tcp –tcp-flags SYN,RST SYN,RST -j DROP
$IPTABLES -t mangle -A PREROUTING -p tcp –tcp-flags FIN,RST FIN,RST -j DROP
$IPTABLES -t mangle -A PREROUTING -p tcp –tcp-flags FIN,ACK FIN -j DROP
$IPTABLES -t mangle -A PREROUTING -p tcp –tcp-flags ACK,URG URG -j DROP
$IPTABLES -t mangle -A PREROUTING -p tcp –tcp-flags ACK,FIN FIN -j DROP
$IPTABLES -t mangle -A PREROUTING -p tcp –tcp-flags ACK,PSH PSH -j DROP
$IPTABLES -t mangle -A PREROUTING -p tcp –tcp-flags ALL ALL -j DROP
$IPTABLES -t mangle -A PREROUTING -p tcp –tcp-flags ALL NONE -j DROP
$IPTABLES -t mangle -A PREROUTING -p tcp –tcp-flags ALL FIN,PSH,URG -j DROP
$IPTABLES -t mangle -A PREROUTING -p tcp –tcp-flags ALL SYN,FIN,PSH,URG -j DROP
$IPTABLES -t mangle -A PREROUTING -p tcp –tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP
### 5: Block spoofed packets ###
$IPTABLES -t mangle -A PREROUTING -s 224.0.0.0/3 -j DROP
$IPTABLES -t mangle -A PREROUTING -s 169.254.0.0/16 -j DROP
#$IPTABLES -t mangle -A PREROUTING -s 172.16.0.0/12 -j DROP
$IPTABLES -t mangle -A PREROUTING -s 192.0.2.0/24 -j DROP
#$IPTABLES -t mangle -A PREROUTING -s 192.168.0.0/16 -j DROP
$IPTABLES -t mangle -A PREROUTING -s 10.0.0.0/8 -j DROP
$IPTABLES -t mangle -A PREROUTING -s 0.0.0.0/8 -j DROP
$IPTABLES -t mangle -A PREROUTING -s 240.0.0.0/5 -j DROP
$IPTABLES -t mangle -A PREROUTING -s 127.0.0.0/8 ! -i lo -j DROP
### 6: Drop ICMP (you usually don’t need this protocol) ###
#$IPTABLES -t mangle -A PREROUTING -p icmp -j DROP
### 7: Drop fragments in all chains ###
#$IPTABLES -t mangle -A PREROUTING -f -j DROP
### 8: Limit connections per source IP ###
$IPTABLES -A INPUT -p tcp -m connlimit –connlimit-above 111 -j REJECT –reject-with tcp-reset
### 9: Limit RST packets ###
$IPTABLES -A INPUT -p tcp –tcp-flags RST RST -m limit –limit 2/s –limit-burst 2 -j ACCEPT
$IPTABLES -A INPUT -p tcp –tcp-flags RST RST -j DROP
### 10: Limit new TCP connections per second per source IP ###
$IPTABLES -A INPUT -p tcp -m conntrack –ctstate NEW -m limit –limit 60/s –limit-burst 20 -j ACCEPT
$IPTABLES -A INPUT -p tcp -m conntrack –ctstate NEW -j DROP
### 11: Use SYNPROXY on all ports (disables connection limiting rule) ###
# Hidden – unlock content above in “Mitigating SYN Floods With SYNPROXY” section
### SSH brute-force protection ###
$IPTABLES -A INPUT -p tcp –dport ssh -m conntrack –ctstate NEW -m recent –set
$IPTABLES -A INPUT -p tcp –dport ssh -m conntrack –ctstate NEW -m recent –update –seconds 60 –hitcount 10 -j DROP
### Protection against port scanning ###
$IPTABLES -N port-scanning
$IPTABLES -A port-scanning -p tcp –tcp-flags SYN,ACK,FIN,RST RST -m limit –limit 1/s –limit-burst 2 -j RETURN
$IPTABLES -A port-scanning -j DROP
############## INPUT chain ################
# Bad TCP packets we don’t want
$IPTABLES -A INPUT -p tcp –tcp-flags SYN,ACK SYN,ACK -m state –state NEW -j REJECT –reject-with tcp-reset
$IPTABLES -A INPUT -p tcp ! –syn -m state –state NEW -j DROP
# Loopback
$IPTABLES -A INPUT -p ALL -i $lo_if -s $lo_ip -j ACCEPT
$IPTABLES -A INPUT -p ALL -i $lo_if -s $lan_ip -j ACCEPT
$IPTABLES -A INPUT -p ALL -i $lo_if -s $wan_ip -j ACCEPT
$IPTABLES -A INPUT -p ALL -i $lo_if -s $dmz_ip -j ACCEPT
$IPTABLES -A INPUT -p ALL -i $lo_if -s $lan2_ip -j ACCEPT
# Rules for LAN
$IPTABLES -A INPUT -i $lan_if -j ACCEPT
$IPTABLES -A INPUT -p TCP -i $lan_if –dport 53 -j ACCEPT
$IPTABLES -A INPUT -p UDP -i $lan_if –dport 53 -j ACCEPT
$IPTABLES -A INPUT -p TCP -i $lan_if –sport 53 -j ACCEPT
$IPTABLES -A INPUT -p UDP -i $lan_if –sport 53 -j ACCEPT
$IPTABLES -A INPUT -p UDP -i $lan_if –dport 123 -j ACCEPT
$IPTABLES -A INPUT -p ICMP -i $lan_if –icmp-type echo-request -j ACCEPT
$IPTABLES -A INPUT -p ALL -d $lan_ip -m state –state ESTABLISHED,RELATED -j ACCEPT
#$IPTABLES -A INPUT -p TCP -i $lan_if –dport 80 -j ACCEPT
#$IPTABLES -A INPUT -p TCP -i $lan_if –dport 22 -j ACCEPT
#$IPTABLES -A INPUT -p TCP -i $lan_if –dport 3128 -j ACCEPT
#$IPTABLES -A INPUT -p ICMP -i $dmz_if –icmp-type echo-request -j ACCEPT
#$IPTABLES -A INPUT -p ICMP -i $lan_if -j ACCEPT
#$IPTABLES -A INPUT -p ALL -d $lan_ip -m state –state ESTABLISHED,RELATED -j ACCEPT
# Rules for LAN2
$IPTABLES -A INPUT -i $lan2_if -j ACCEPT
$IPTABLES -A INPUT -p TCP -i $lan2_if –dport 53 -j ACCEPT
$IPTABLES -A INPUT -p UDP -i $lan2_if –dport 53 -j ACCEPT
$IPTABLES -A INPUT -p TCP -i $lan2_if –sport 53 -j ACCEPT
$IPTABLES -A INPUT -p UDP -i $lan2_if –sport 53 -j ACCEPT
$IPTABLES -A INPUT -p UDP -i $lan2_if –dport 123 -j ACCEPT
$IPTABLES -A INPUT -p ICMP -i $lan2_if –icmp-type echo-request -j ACCEPT
$IPTABLES -A INPUT -p ALL -d $lan2_ip -m state –state ESTABLISHED,RELATED -j ACCEPT
# Rules for DMZ
$IPTABLES -A INPUT -i $dmz_if -j ACCEPT
$IPTABLES -A INPUT -p TCP -i $dmz_if –dport 53 -j ACCEPT
$IPTABLES -A INPUT -p UDP -i $dmz_if –dport 53 -j ACCEPT
$IPTABLES -A INPUT -p TCP -i $dmz_if –sport 53 -j ACCEPT
$IPTABLES -A INPUT -p UDP -i $dmz_if –sport 53 -j ACCEPT
$IPTABLES -A INPUT -p UDP -i $dmz_if –dport 123 -j ACCEPT
$IPTABLES -A INPUT -p ICMP -i $dmz_if –icmp-type echo-request -j ACCEPT
$IPTABLES -A INPUT -p ALL -d $dmz_ip -m state –state ESTABLISHED,RELATED -j ACCEPT
# Rules for WAN
$IPTABLES -A INPUT -p ICMP -i $wan_if –icmp-type echo-request -j ACCEPT
$IPTABLES -A INPUT -p ALL -d $wan_ip -m state –state ESTABLISHED,RELATED -j ACCEPT
#$IPTABLES -A INPUT -p TCP -i $wan_if -s $itchief_home –dport 22 -j ACCEPT
$IPTABLES -A INPUT -p TCP -i $wan_if –dport 22 -j ACCEPT
$IPTABLES -A INPUT -p TCP -i $wan_if –dport 80 -j ACCEPT
$IPTABLES -A INPUT -p TCP -i $wan_if –dport 81 -j ACCEPT
$IPTABLES -A INPUT -p TCP -i $wan_if –dport 54322 -j ACCEPT
$IPTABLES -A INPUT -p TCP -i $wan_if –dport 445 -j ACCEPT
$IPTABLES -A INPUT -p TCP -i $wan_if –dport 53 -j ACCEPT
$IPTABLES -A INPUT -p UDP -i $wan_if –dport 53 -j ACCEPT
$IPTABLES -A INPUT -p TCP -i $wan_if –sport 53 -j ACCEPT
$IPTABLES -A INPUT -p UDP -i $wan_if –sport 53 -j ACCEPT
# Log weird packets that don’t match the above.
$IPTABLES -A INPUT -m limit –limit 3/minute –limit-burst 3 -j LOG –log-level info –log-prefix “IPTABLES INPUT blocked: ”
############### FORWARD chain ################
# Bad TCP packets we don’t want
$IPTABLES -A FORWARD -p tcp –tcp-flags SYN,ACK SYN,ACK -m state –state NEW -j REJECT –reject-with tcp-reset
$IPTABLES -A FORWARD -p tcp ! –syn -m state –state NEW -j DROP
# Rules for LAN
$IPTABLES -A FORWARD -p ALL -i $lan_if -o $lan_if -j ACCEPT
$IPTABLES -A FORWARD -i $wan_if -o $lan_if -m state –state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A FORWARD -i $lan_if -o $wan_if -m state –state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A FORWARD -i $lan_if -o $dmz_if -m state –state ESTABLISHED,RELATED -j ACCEPT
#$IPTABLES -A FORWARD -p ICMP -i $lan_if -j ACCEPT
#$IPTABLES -A FORWARD -p ALL -i $lan_if -o $lan_if -j ACCEPT
#$IPTABLES -A FORWARD -p TCP -i $lan_if -o $dmz_if –dport 110 -j ACCEPT
#$IPTABLES -A FORWARD -p TCP -i $lan_if -o $dmz_if –dport 143 -j ACCEPT
#$IPTABLES -A FORWARD -p TCP -i $lan_if -o $dmz_if –dport 25 -j ACCEPT
#$IPTABLES -A FORWARD -p TCP -i $lan_if -o $dmz_if –dport 80 -j ACCEPT
#$IPTABLES -A FORWARD -p TCP -i $lan_if -o $dmz_if –dport 22 -j ACCEPT
#$IPTABLES -A FORWARD -p TCP -i $lan_if -o $dmz_if –dport 53 -j ACCEPT
#$IPTABLES -A FORWARD -p UDP -i $lan_if -o $dmz_if –dport 53 -j ACCEPT
#$IPTABLES -A FORWARD -p ICMP -i $lan_if -o $dmz_if -j ACCEPT
##$IPTABLES -A FORWARD -m state –state NEW -j ACCEPT
$IPTABLES -A FORWARD -m state –state ESTABLISHED,RELATED -j ACCEPT
#$IPTABLES -A FORWARD -p TCP -i $lan_if –dport 5190 -j ACCEPT
#$IPTABLES -A FORWARD -p ALL -s $itchief -i $lan_if -j ACCEPT
#$IPTABLES -A FORWARD -p UDP -s $dc -i $lan_if –dport 123 -j ACCEPT
# Rules for LAN2
$IPTABLES -A FORWARD -p ALL -i $lan2_if -o $lan2_if -j ACCEPT
$IPTABLES -A FORWARD -i $wan_if -o $lan2_if -m state –state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A FORWARD -i $lan2_if -o $wan_if -m state –state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A FORWARD -i $lan2_if -o $dmz_if -m state –state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A FORWARD -m state –state ESTABLISHED,RELATED -j ACCEPT
# Rules for DMZ
$IPTABLES -A FORWARD -p ALL -i $dmz_if -o $dmz_if -j ACCEPT
$IPTABLES -A FORWARD -i $wan_if -o $dmz_if -m state –state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A FORWARD -i $dmz_if -o $wan_if -m state –state ESTABLISHED,RELATED -j ACCEPT
#$IPTABLES -A FORWARD -i $dmz_if -o $dmz_if -m state –state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A FORWARD -m state –state ESTABLISHED,RELATED -j ACCEPT
#$IPTABLES -A FORWARD -p UDP -i $dmz_if -o $lan_if -s $mail –dport 123 -j ACCEPT
#$IPTABLES -A FORWARD -p TCP -i $dmz_if -o $lan_if -s $mail –dport 53 -j ACCEPT
#$IPTABLES -A FORWARD -p UDP -i $dmz_if -o $lan_if -s $mail –dport 53 -j ACCEPT
#$IPTABLES -A FORWARD -p TCP -i $dmz_if -o $lan_if -s $mail –sport 53 -j ACCEPT
#$IPTABLES -A FORWARD -p UDP -i $dmz_if -o $lan_if -s $mail –sport 53 -j ACCEPT
# Rules for WAN
#VPS100 – VNC
$IPTABLES -A FORWARD -p TCP -i $wan_if -d $unraid –dport 5908 -j ACCEPT
#VPS100 – RDP
$IPTABLES -A FORWARD -p TCP -i $wan_if -d $vps100 –dport 3389 -j ACCEPT
# ANDROID
$IPTABLES -A FORWARD -p TCP -i $wan_if -d $unraid –dport 5909 -j ACCEPT
# SSH ZIMBRA
$IPTABLES -A FORWARD -p TCP -i $wan_if -d $unraid –dport 22 -j ACCEPT
$IPTABLES -A FORWARD -p TCP -i $wan_if -d $srv025 –dport 21 -j ACCEPT
$IPTABLES -A FORWARD -p TCP -i $wan_if -d $srv025 –dport 20 -j ACCEPT
$IPTABLES -A FORWARD -p TCP -i $wan_if -d $srv025 –dport 1024: -j ACCEPT
$IPTABLES -A FORWARD -p TCP -m tcp -d $dmz_ip –dport 445 -j ACCEPT
$IPTABLES -A FORWARD -p TCP -m tcp -d $postgresql –dport 22 -j ACCEPT
#$IPTABLES -A FORWARD -p TCP -i $wan_if -d $postgresql –dport 22 -j ACCEPT
$IPTABLES -A FORWARD -p TCP -i $wan_if -d $postgresql –dport 5432 -j ACCEPT
$IPTABLES -A FORWARD -p UDP -i $wan_if -d $postgresql –dport 5432 -j ACCEPT
$IPTABLES -A FORWARD -p TCP -i $wan_if -d $srv025 –dport 9001 -j ACCEPT
$IPTABLES -A FORWARD -p TCP -i $wan_if -d $srv039 –dport 22 -j ACCEPT
$IPTABLES -A FORWARD -p TCP -i $wan_if -d $ecm –dport 22 -j ACCEPT
$IPTABLES -A FORWARD -p TCP -i $wan_if -d $ecm –dport 8080 -j ACCEPT
$IPTABLES -A FORWARD -p TCP -i $wan_if -d $ecm –dport 8009 -j ACCEPT
$IPTABLES -A FORWARD -p TCP -i $wan_if -d $ecm –dport 8000 -j ACCEPT
$IPTABLES -A FORWARD -p TCP -i $wan_if -d $ecm –dport 8443 -j ACCEPT
$IPTABLES -A FORWARD -p TCP -i $wan_if -d $ecm –dport 8005 -j ACCEPT
$IPTABLES -A FORWARD -p TCP -i $wan_if -d $zimbra –dport 25 -j ACCEPT
$IPTABLES -A FORWARD -p TCP -i $wan_if -d $zimbra –dport 7071 -j ACCEPT
#$IPTABLES -A FORWARD -p TCP -i $wan_if -d $dc –dport 3389 -j ACCEPT
#$IPTABLES -A FORWARD -p TCP -i $wan_if -d $mail –dport 25 -j ACCEPT
#$IPTABLES -A FORWARD -p TCP -i $wan_if -d $mail –dport 53 -j ACCEPT
#$IPTABLES -A FORWARD -p UDP -i $wan_if -d $mail –dport 53 -j ACCEPT
#$IPTABLES -A FORWARD -p TCP -i $wan_if -d $mail –dport 80 -j ACCEPT
$IPTABLES -A FORWARD -m state –state NEW -j ACCEPT
$IPTABLES -A FORWARD -m state –state ESTABLISHED,RELATED -j ACCEPT
# Log weird packets that don’t match the above.
$IPTABLES -A FORWARD -m limit –limit 3/minute –limit-burst 3 -j LOG –log-level info –log-prefix “IPTABLES FORWARD blocked: ”
############### NAT table ################
# PROXY HTTP – LAN2
#$IPTABLES -t nat -A PREROUTING -i $lan2_if -p tcp –dport 80 -j DNAT –to-destination $proxy:$proxyport
# HTTPS – LAN2
#$IPTABLES -t nat -A PREROUTING -i $lan2_if -p tcp –dport 443 -j DNAT –to-destination $proxy:$proxyport
#$IPTABLES -t nat -A POSTROUTING -s 192.168.2.1/24 -o $wan_if -j SNAT –to-source $wan_ip
$IPTABLES -t nat -A POSTROUTING -o $wan_if -j MASQUERADE
# VPS100 – VNC
$IPTABLES -t nat -A PREROUTING -p TCP -m tcp -d $wan_ip –dport 5908 -j DNAT –to-destination $unraid:5908
# VPS100 – RDP
$IPTABLES -t nat -A PREROUTING -p TCP -m tcp -d $wan_ip –dport 4389 -j DNAT –to-destination $vps100:3389
# ANDROID
$IPTABLES -t nat -A PREROUTING -p TCP -m tcp -d $wan_ip –dport 5909 -j DNAT –to-destination $unraid:5909
# SSH – UNRAID
$IPTABLES -t nat -A PREROUTING -p TCP -m tcp -d $wan_ip –dport 224 -j DNAT –to-destination $unraid:22
$IPTABLES -t nat -A PREROUTING -p TCP -m tcp -d $wan_ip –dport 443 -j DNAT –to-destination $dmz_ip:445
$IPTABLES -t nat -A PREROUTING -p TCP -m tcp -d $wan_ip –dport 222 -j DNAT –to-destination $postgresql:22
$IPTABLES -t nat -A PREROUTING -p TCP -m tcp -d $wan_ip –dport 5432 -j DNAT –to-destination $postgresql:5432
$IPTABLES -t nat -A PREROUTING -p UDP -m udp -d $wan_ip –dport 5432 -j DNAT –to-destination $postgresql:5432
$IPTABLES -t nat -A PREROUTING -p TCP -m tcp -d $wan_ip –dport 2525 -j DNAT –to-destination $zimbra:25
$IPTABLES -t nat -A PREROUTING -p TCP -m tcp -d $wan_ip –dport 7071 -j DNAT –to-destination $zimbra:7071
#$IPTABLES -t nat -A PREROUTING -p TCP -i $wan_if –dport 223 -j DNAT –to-destination $ecm:22
$IPTABLES -t nat -A PREROUTING -p TCP -m tcp -d $wan_ip –dport 225 -j DNAT –to-destination $srv039:22
$IPTABLES -t nat -A PREROUTING -p TCP -m tcp -d $wan_ip –dport 223 -j DNAT –to-destination $ecm:22
$IPTABLES -t nat -A PREROUTING -p TCP -m tcp -d $wan_ip –dport 8080 -j DNAT –to-destination $ecm:8080
$IPTABLES -t nat -A PREROUTING -p TCP -m tcp -d $wan_ip –dport 8009 -j DNAT –to-destination $ecm:8009
$IPTABLES -t nat -A PREROUTING -p TCP -m tcp -d $wan_ip –dport 8443 -j DNAT –to-destination $ecm:8443
$IPTABLES -t nat -A PREROUTING -p TCP -m tcp -d $wan_ip –dport 8005 -j DNAT –to-destination $ecm:8005
$IPTABLES -t nat -A PREROUTING -p TCP -m tcp -d $wan_ip –dport 8000 -j DNAT –to-destination $ecm:8000
$IPTABLES -t nat -A PREROUTING -p TCP -m tcp -d $wan_ip –dport 2121 -j DNAT –to-destination $srv025:21
$IPTABLES -t nat -A PREROUTING -p TCP -m tcp -d $wan_ip –dport 2120 -j DNAT –to-destination $srv025:20
$IPTABLES -t nat -A PREROUTING -p TCP -m tcp -d $wan_ip –dport 1024:65535 -j DNAT –to-destination $srv025:1024-65535
$IPTABLES -t nat -A PREROUTING -p TCP -m tcp -d $wan_ip –dport 9001 -j DNAT –to-destination $srv025:9001
#$IPTABLES -t nat -A PREROUTING -p TCP -i $wan_if –dport 3777 -j DNAT –to-destination $dc:3389
#$IPTABLES -t nat -A PREROUTING -p TCP -i $wan_if –dport 25 -j DNAT –to-destination $mail
#$IPTABLES -t nat -A PREROUTING -p TCP -i $wan_if –dport 53 -j DNAT –to-destination $mail
#$IPTABLES -t nat -A PREROUTING -p UDP -i $wan_if –dport 53 -j DNAT –to-destination $mail
#$IPTABLES -t nat -A PREROUTING -p TCP -i $wan_if –dport 80 -j DNAT –to-destination $mail
#$IPTABLES -t nat -A PREROUTING -p TCP -i $lan_if -d $wan_ip -j DNAT –to-destination $mail
#$IPTABLES -t nat -A OUTPUT -p TCP -d $wan_ip -j DNAT –to-destination $mail
echo “Iptables rules have been reloaded!”
AJUDA
Caso tenha dificuldade com o IPTABLES, abaixo estou incluindo alguns artigos do site SEMPREUPDATE para ajudar na comprensão do script.