Advertisement
Not a member of Pastebin yet?
Sign Up,
it unlocks many cool features!
- root@AP66:~# cat /etc/firewall_MK
- #!/bin/sh
- LAN="br-lan"
- WAN="eth0"
- echo 1 > /proc/sys/net/ipv4/ip_forward
- iptables -F
- iptables -t nat -F
- iptables -t mangle -F
- iptables -P INPUT DROP
- iptables -P OUTPUT ACCEPT
- iptables -P FORWARD DROP
- iptables -t nat -A POSTROUTING -o $WAN -j SNAT --to 77.78.90.200
- iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
- iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
- iptables -I INPUT -i $LAN -p tcp --dport 22 -j ACCEPT
- iptables -I INPUT -p tcp --dport 80 -j ACCEPT
- iptables -t nat -A PREROUTING -p tcp -i $WAN --dport 80 -j DNAT --to-destination 10.123.1.1
- iptables -A FORWARD -p tcp --dport 80 -d 10.123.1.1 -j ACCEPT
- iptables -A INPUT -i $LAN -j ACCEPT
- iptables -A FORWARD -i $LAN -j ACCEPT
- iptables -A INPUT -i lo -j ACCEPT
- iptables -A OUTPUT -o lo -j ACCEPT
- iptables -A INPUT -p icmp -j ACCEPT
- iptables -A OUTPUT -p icmp -j ACCEPT
- iptables -A FORWARD -p icmp -j ACCEPT
- iptables -A INPUT -i $WAN -j REJECT
- iptables -A INPUT -m state --state INVALID -j DROP
- iptables -A INPUT -j REJECT --reject-with icmp-admin-prohibited
- root@AP66:~#
- root@AP66:~# ip a s
- 1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default
- link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
- inet 127.0.0.1/8 scope host lo
- valid_lft forever preferred_lft forever
- inet 77.78.90.200/32 brd 255.255.255.255 scope global lo
- valid_lft forever preferred_lft forever
- 2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
- link/ether 00:15:6d:c3:7f:c1 brd ff:ff:ff:ff:ff:ff
- inet 172.16.14.13/29 brd 172.16.14.15 scope global eth0
- valid_lft forever preferred_lft forever
- 3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel master br-lan state UP group default qlen 1000
- link/ether 02:15:6d:c3:7f:c1 brd ff:ff:ff:ff:ff:ff
- 4: br-lan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default
- link/ether 02:15:6d:c3:7f:c1 brd ff:ff:ff:ff:ff:ff
- inet 10.123.1.2/24 brd 10.123.1.255 scope global br-lan
- valid_lft forever preferred_lft forever
- root@AP66:~#
- root@AP66:~# ip r s
- default via 172.16.14.9 dev eth0 proto static
- 10.123.1.0/24 dev br-lan proto kernel scope link src 10.123.1.2
- 172.16.14.8/29 dev eth0 proto kernel scope link src 172.16.14.13
- root@AP66:~#
- root@AP66:~# iptables -t nat -nvL
- Chain PREROUTING (policy ACCEPT 77 packets, 11687 bytes)
- pkts bytes target prot opt in out source destination
- 0 0 DNAT tcp -- eth0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:80 to:10.123.1.1
- Chain INPUT (policy ACCEPT 1 packets, 78 bytes)
- pkts bytes target prot opt in out source destination
- Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
- pkts bytes target prot opt in out source destination
- Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
- pkts bytes target prot opt in out source destination
- 74 11294 SNAT all -- * eth0 0.0.0.0/0 0.0.0.0/0 to:77.78.90.200
- root@AP66:~#
- root@AP66:~# iptables -nvL
- Chain INPUT (policy DROP 0 packets, 0 bytes)
- pkts bytes target prot opt in out source destination
- 0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:80
- 169 12376 ACCEPT tcp -- br-lan * 0.0.0.0/0 0.0.0.0/0 tcp dpt:22
- 0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
- 6 1358 ACCEPT all -- br-lan * 0.0.0.0/0 0.0.0.0/0
- 0 0 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
- 0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0
- 2 315 rejectLog all -- eth0 * 0.0.0.0/0 0.0.0.0/0
- 0 0 dropLog all -- * * 0.0.0.0/0 0.0.0.0/0 state INVALID
- 2 315 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-admin-prohibited
- Chain FORWARD (policy DROP 0 packets, 0 bytes)
- pkts bytes target prot opt in out source destination
- 1727 377K ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
- 0 0 ACCEPT tcp -- lo * 0.0.0.0/0 10.123.1.1 tcp dpt:80
- 115 18637 ACCEPT all -- br-lan * 0.0.0.0/0 0.0.0.0/0
- 0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0
- Chain OUTPUT (policy ACCEPT 103 packets, 14900 bytes)
- pkts bytes target prot opt in out source destination
- 0 0 ACCEPT all -- * lo 0.0.0.0/0 0.0.0.0/0
- 0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0
- Chain dropLog (1 references)
- pkts bytes target prot opt in out source destination
- Chain rejectLog (1 references)
- pkts bytes target prot opt in out source destination
- Chain syn_flood (0 references)
- pkts bytes target prot opt in out source destination
- root@AP66:~#
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement