scumola/rc.iptables

## rc.iptables
#!/bin/sh
LOCALNET="10.0.0.0/255.255.255.0"
iptables -F
iptables -X
iptables -F -t nat
iptables -X -t nat
# setting default policy
iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -t nat -P POSTROUTING ACCEPT
iptables -t nat -P PREROUTING ACCEPT
# flush
iptables -t filter -F
iptables -t mangle -F
iptables -t nat -F
iptables -t raw -F      # (optional)
# masq
iptables -t nat -A POSTROUTING -s 10.0.0.0/0 -o eth1 -j MASQUERADE
iptables -A INPUT -i eth1 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -d $LOCALNET -m state --state ESTABLISHED,RELATED -j ACCEPT

iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -i eth0 -j ACCEPT
iptables -A INPUT -i eth1 -p tcp --destination-port 8080 -j ACCEPT #java
iptables -A INPUT -i eth1 -p tcp --destination-port 3306 -j ACCEPT #mysql
iptables -A INPUT -i eth1 -p tcp --destination-port 2401 -j ACCEPT #cvs
iptables -A INPUT -i eth1 -p tcp --destination-port 443 -j ACCEPT #https
#iptables -A INPUT -i eth1 -p tcp --destination-port 143 -j ACCEPT #imap
#iptables -A INPUT -i eth1 -p tcp --destination-port 110 -j ACCEPT #pop3
iptables -A INPUT -i eth1 -p tcp --destination-port 80 -j ACCEPT #https
iptables -A INPUT -i eth1 -p udp --destination-port 67 -j ACCEPT #https
iptables -A INPUT -i eth1 -p udp --destination-port 68 -j ACCEPT #https
#iptables -A INPUT -i eth1 -p tcp --source-port 53 -j ACCEPT #dns resolve
#iptables -A INPUT -i eth1 -p tcp --destination-port 53 -j ACCEPT #dns resolve
#iptables -A INPUT -i eth0 -p tcp --destination-port 53 -j ACCEPT #dns resolve
#iptables -A INPUT -i eth1 -p tcp --destination-port 25 -j ACCEPT #smtp
iptables -A INPUT -i eth1 -p tcp --destination-port 22 -j ACCEPT #sshd
iptables -A INPUT -i eth1 -p icmp -j ACCEPT
iptables -A INPUT -i eth0 -p icmp -j ACCEPT
echo 1 > /proc/sys/net/ipv4/ip_forward

# tunnels
#iptables -t nat -A PREROUTING -p tcp -i eth1 -d 67.165.219.126 --dport 8081 -j DNAT --to 10.0.0.223:8081
#iptables -t nat -A PREROUTING -p tcp -i eth1 -d 67.165.219.126 --dport 8082 -j DNAT --to 10.0.0.59:80
iptables -t nat -A PREROUTING -p tcp -i eth1 -d 10.1.10.10 --dport 8083 -j DNAT --to 10.0.0.208:80
#iptables -t nat -A PREROUTING -p tcp -i eth1 -d 67.165.219.126 --dport 8084 -j DNAT --to 10.0.0.110:8080

# tivo tunnel
#iptables -t nat -A PREROUTING -p tcp -i eth1 -d 67.165.219.126 --dport 9032 -j DNAT --to 10.0.0.208:9032
#iptables -t nat -A PREROUTING -p udp -i eth1 -d 67.165.219.126 --dport 32936 -j DNAT --to 10.0.0.208:32936

# mysql
iptables -t nat -A PREROUTING -p tcp -i eth1 -d 10.1.10.10 --dport 8085 -j DNAT --to 10.0.0.208:3306

# transparent squid proxy
#iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 3128

# transparent squid proxy for just 'desktop' machines
iptables -t nat -A PREROUTING -i eth0 -p tcp -s 10.0.0.33 --dport 80 -j REDIRECT --to-port 3128
iptables -t nat -A PREROUTING -i eth0 -p tcp -s 10.0.0.39 --dport 80 -j REDIRECT --to-port 3128
iptables -t nat -A PREROUTING -i eth0 -p tcp -s 10.0.0.46 --dport 80 -j REDIRECT --to-port 3128
iptables -t nat -A PREROUTING -i eth0 -p tcp -s 10.0.0.68 --dport 80 -j REDIRECT --to-port 3128

# upstairs computer
#iptables -t nat -A PREROUTING -i eth0 -p tcp -s 10.0.0.81 --dport 80 -j REDIRECT --to-port 3128

iptables -t nat -A PREROUTING -i eth0 -p tcp -s 10.0.0.86 --dport 80 -j REDIRECT --to-port 3128
iptables -t nat -A PREROUTING -i eth0 -p tcp -s 10.0.0.88 --dport 80 -j REDIRECT --to-port 3128
iptables -t nat -A PREROUTING -i eth0 -p tcp -s 10.0.0.90 --dport 80 -j REDIRECT --to-port 3128
iptables -t nat -A PREROUTING -i eth0 -p tcp -s 10.0.0.65 --dport 80 -j REDIRECT --to-port 3128
#iptables -t nat -A PREROUTING -i eth0 -p tcp -s 10.0.0.208 --dport 80 -j REDIRECT --to-port 3128
iptables -t nat -A PREROUTING -i eth0 -p tcp -s 10.0.0.210 --dport 80 -j REDIRECT --to-port 3128

# go through the load-balancer
#iptables -t nat -A PREROUTING -p tcp -i eth1 -d 10.1.10.10 --dport 8005 -j DNAT --to 10.0.0.15:81

# outside turk access
iptables -t nat -A PREROUTING -p tcp -i eth1 -d 10.1.10.10 --dport 8007 -j DNAT --to 10.0.0.208:22

# outside ssh to images server
iptables -t nat -A PREROUTING -p tcp -i eth1 -d 10.1.10.10 --dport 8008 -j DNAT --to 10.0.0.14:22

# outside backups via chrashplan can sync to images server
iptables -t nat -A PREROUTING -p tcp -i eth1 -d 10.1.10.10 --dport 4242 -j DNAT --to 10.0.0.14:4242

# heritrix
iptables -t nat -A PREROUTING -p tcp -i eth1 -d 10.1.10.10 --dport 9003 -j DNAT --to 10.0.0.14:8080
#iptables -t nat -A PREROUTING -p tcp -i eth1 -d 10.1.10.10 --dport 9004 -j DNAT --to 10.0.0.211:8080

# heritrix on heritrix VM
iptables -t nat -A PREROUTING -p tcp -i eth1 -d 10.1.10.10 --dport 9004 -j DNAT --to 10.0.0.70:8080

# apache on images
iptables -t nat -A PREROUTING -p tcp -i eth1 -d 10.1.10.10 --dport 9005 -j DNAT --to 10.0.0.14:80

# rsyncd on images
#iptables -t nat -A PREROUTING -p tcp -i eth1 -d 10.1.10.10 --dport 9999 -j DNAT --to 10.0.0.14:9999

# dad's machine - flashrip2 images
#iptables -t nat -A PREROUTING -p tcp -i eth1 -d 10.1.10.10 --dport 8086 -j DNAT --to 10.0.0.210:80
	#!/bin/sh
	LOCALNET="10.0.0.0/255.255.255.0"
	iptables -F
	iptables -X
	iptables -F -t nat
	iptables -X -t nat
	# setting default policy
	iptables -P INPUT DROP
	iptables -P OUTPUT ACCEPT
	iptables -P FORWARD ACCEPT
	iptables -t nat -P POSTROUTING ACCEPT
	iptables -t nat -P PREROUTING ACCEPT
	# flush
	iptables -t filter -F
	iptables -t mangle -F
	iptables -t nat -F
	iptables -t raw -F # (optional)
	# masq
	iptables -t nat -A POSTROUTING -s 10.0.0.0/0 -o eth1 -j MASQUERADE
	iptables -A INPUT -i eth1 -m state --state ESTABLISHED,RELATED -j ACCEPT
	iptables -A FORWARD -d $LOCALNET -m state --state ESTABLISHED,RELATED -j ACCEPT

	iptables -A INPUT -i lo -j ACCEPT
	iptables -A INPUT -i eth0 -j ACCEPT
	iptables -A INPUT -i eth1 -p tcp --destination-port 8080 -j ACCEPT #java
	iptables -A INPUT -i eth1 -p tcp --destination-port 3306 -j ACCEPT #mysql
	iptables -A INPUT -i eth1 -p tcp --destination-port 2401 -j ACCEPT #cvs
	iptables -A INPUT -i eth1 -p tcp --destination-port 443 -j ACCEPT #https
	#iptables -A INPUT -i eth1 -p tcp --destination-port 143 -j ACCEPT #imap
	#iptables -A INPUT -i eth1 -p tcp --destination-port 110 -j ACCEPT #pop3
	iptables -A INPUT -i eth1 -p tcp --destination-port 80 -j ACCEPT #https
	iptables -A INPUT -i eth1 -p udp --destination-port 67 -j ACCEPT #https
	iptables -A INPUT -i eth1 -p udp --destination-port 68 -j ACCEPT #https
	#iptables -A INPUT -i eth1 -p tcp --source-port 53 -j ACCEPT #dns resolve
	#iptables -A INPUT -i eth1 -p tcp --destination-port 53 -j ACCEPT #dns resolve
	#iptables -A INPUT -i eth0 -p tcp --destination-port 53 -j ACCEPT #dns resolve
	#iptables -A INPUT -i eth1 -p tcp --destination-port 25 -j ACCEPT #smtp
	iptables -A INPUT -i eth1 -p tcp --destination-port 22 -j ACCEPT #sshd
	iptables -A INPUT -i eth1 -p icmp -j ACCEPT
	iptables -A INPUT -i eth0 -p icmp -j ACCEPT
	echo 1 > /proc/sys/net/ipv4/ip_forward

	# tunnels
	#iptables -t nat -A PREROUTING -p tcp -i eth1 -d 67.165.219.126 --dport 8081 -j DNAT --to 10.0.0.223:8081
	#iptables -t nat -A PREROUTING -p tcp -i eth1 -d 67.165.219.126 --dport 8082 -j DNAT --to 10.0.0.59:80
	iptables -t nat -A PREROUTING -p tcp -i eth1 -d 10.1.10.10 --dport 8083 -j DNAT --to 10.0.0.208:80
	#iptables -t nat -A PREROUTING -p tcp -i eth1 -d 67.165.219.126 --dport 8084 -j DNAT --to 10.0.0.110:8080

	# tivo tunnel
	#iptables -t nat -A PREROUTING -p tcp -i eth1 -d 67.165.219.126 --dport 9032 -j DNAT --to 10.0.0.208:9032
	#iptables -t nat -A PREROUTING -p udp -i eth1 -d 67.165.219.126 --dport 32936 -j DNAT --to 10.0.0.208:32936

	# mysql
	iptables -t nat -A PREROUTING -p tcp -i eth1 -d 10.1.10.10 --dport 8085 -j DNAT --to 10.0.0.208:3306

	# transparent squid proxy
	#iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 3128

	# transparent squid proxy for just 'desktop' machines
	iptables -t nat -A PREROUTING -i eth0 -p tcp -s 10.0.0.33 --dport 80 -j REDIRECT --to-port 3128
	iptables -t nat -A PREROUTING -i eth0 -p tcp -s 10.0.0.39 --dport 80 -j REDIRECT --to-port 3128
	iptables -t nat -A PREROUTING -i eth0 -p tcp -s 10.0.0.46 --dport 80 -j REDIRECT --to-port 3128
	iptables -t nat -A PREROUTING -i eth0 -p tcp -s 10.0.0.68 --dport 80 -j REDIRECT --to-port 3128

	# upstairs computer
	#iptables -t nat -A PREROUTING -i eth0 -p tcp -s 10.0.0.81 --dport 80 -j REDIRECT --to-port 3128

	iptables -t nat -A PREROUTING -i eth0 -p tcp -s 10.0.0.86 --dport 80 -j REDIRECT --to-port 3128
	iptables -t nat -A PREROUTING -i eth0 -p tcp -s 10.0.0.88 --dport 80 -j REDIRECT --to-port 3128
	iptables -t nat -A PREROUTING -i eth0 -p tcp -s 10.0.0.90 --dport 80 -j REDIRECT --to-port 3128
	iptables -t nat -A PREROUTING -i eth0 -p tcp -s 10.0.0.65 --dport 80 -j REDIRECT --to-port 3128
	#iptables -t nat -A PREROUTING -i eth0 -p tcp -s 10.0.0.208 --dport 80 -j REDIRECT --to-port 3128
	iptables -t nat -A PREROUTING -i eth0 -p tcp -s 10.0.0.210 --dport 80 -j REDIRECT --to-port 3128

	# go through the load-balancer
	#iptables -t nat -A PREROUTING -p tcp -i eth1 -d 10.1.10.10 --dport 8005 -j DNAT --to 10.0.0.15:81

	# outside turk access
	iptables -t nat -A PREROUTING -p tcp -i eth1 -d 10.1.10.10 --dport 8007 -j DNAT --to 10.0.0.208:22

	# outside ssh to images server
	iptables -t nat -A PREROUTING -p tcp -i eth1 -d 10.1.10.10 --dport 8008 -j DNAT --to 10.0.0.14:22

	# outside backups via chrashplan can sync to images server
	iptables -t nat -A PREROUTING -p tcp -i eth1 -d 10.1.10.10 --dport 4242 -j DNAT --to 10.0.0.14:4242

	# heritrix
	iptables -t nat -A PREROUTING -p tcp -i eth1 -d 10.1.10.10 --dport 9003 -j DNAT --to 10.0.0.14:8080
	#iptables -t nat -A PREROUTING -p tcp -i eth1 -d 10.1.10.10 --dport 9004 -j DNAT --to 10.0.0.211:8080

	# heritrix on heritrix VM
	iptables -t nat -A PREROUTING -p tcp -i eth1 -d 10.1.10.10 --dport 9004 -j DNAT --to 10.0.0.70:8080

	# apache on images
	iptables -t nat -A PREROUTING -p tcp -i eth1 -d 10.1.10.10 --dport 9005 -j DNAT --to 10.0.0.14:80

	# rsyncd on images
	#iptables -t nat -A PREROUTING -p tcp -i eth1 -d 10.1.10.10 --dport 9999 -j DNAT --to 10.0.0.14:9999

	# dad's machine - flashrip2 images
	#iptables -t nat -A PREROUTING -p tcp -i eth1 -d 10.1.10.10 --dport 8086 -j DNAT --to 10.0.0.210:80