# Reset the three tables this script manages: flush every chain, drop
# user-defined chains and zero the counters. The raw and security tables
# are deliberately left alone.
# NOTE: when re-run over SSH with INPUT already at policy DROP, the
# ESTABLISHED accept disappears here and is only restored further down;
# an open session stalls for that window and relies on TCP retransmits.
for table in filter nat mangle; do
  iptables -t "$table" -F   # flush all rules in every built-in chain
  iptables -t "$table" -X   # delete the (now empty) user-defined chains
  iptables -t "$table" -Z   # zero packet and byte counters
done
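# Default policies and the two baseline accepts.
# The loopback and RELATED/ESTABLISHED accepts are appended *before* INPUT
# is switched to DROP, so an active SSH session (and local services on lo)
# never hits a moment where every packet is dropped. The final rule set is
# identical to setting the policy first.
# (-m state is the legacy match; on current kernels
#  `-m conntrack --ctstate RELATED,ESTABLISHED` is the preferred spelling.)
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -P INPUT DROP
# FORWARD stays at ACCEPT: once ip_forward is enabled below, this host will
# route anything it is handed, not only the DNAT'd VM ports. Tighten to a
# DROP policy plus explicit FORWARD accepts for the NAT'd flows if the
# uplinks face untrusted networks.
iptables -P FORWARD ACCEPT
iptables -P OUTPUT ACCEPT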
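# Enable IPv4 forwarding now and make it persist across reboots.
# The sed only uncomments an existing "#net.ipv4.ip_forward=1" line; if the
# distro's sysctl.conf has no such line the setting would silently be lost
# on the next boot, so append it when it is still absent afterwards.
sed -i "s/\#net\.ipv4\.ip_forward=1/net\.ipv4\.ip_forward=1/g" /etc/sysctl.conf
grep -q '^net\.ipv4\.ip_forward=1' /etc/sysctl.conf \
  || echo 'net.ipv4.ip_forward=1' >> /etc/sysctl.conf
# Apply immediately for the running kernel (same as sysctl -w).
echo "1" > /proc/sys/net/ipv4/ip_forward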
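# Host management access — ICMP, SSH (22) and TCP 5900-5990 (presumably the
# VNC console range) — is restricted to the VPN endpoints. Every other
# source falls through to the INPUT DROP policy set above, so if none of
# VPNIP1..3 is defined the host is left reachable only via loopback and
# already-established sessions. Warn loudly instead of failing silently.
# The unquoted expansion below intentionally word-splits so that unset or
# empty entries simply contribute no rule; the variables are expected to be
# defined earlier in this script or in the environment.
if [ -z "${VPNIP1}${VPNIP2}${VPNIP3}" ]; then
  printf 'warning: VPNIP1/VPNIP2/VPNIP3 are all unset; no remote management access will be allowed\n' >&2
fi
for src in $VPNIP1 $VPNIP2 $VPNIP3; do
  iptables -A INPUT -s "$src" -p icmp -j ACCEPT
  iptables -A INPUT -s "$src" -p tcp --dport 22 -j ACCEPT
  iptables -A INPUT -s "$src" -p tcp --dport 5900:5990 -j ACCEPT
done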
# KVM service port. Unlike the management ports above, this accept carries
# no source restriction: TCP/50120 is reachable from any address that can
# reach this host. Add "-s <trusted net>" if that exposure is not intended.
iptables -A INPUT -p tcp -m tcp --destination-port 50120 -j ACCEPT
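# Outbound NAT: masquerade traffic from the internal VM network leaving via
# either uplink interface. With INNET, IF0 or IF1 empty, iptables rejects
# the rule with a parse error and the VMs are left without outbound NAT
# (and the DNAT rules below depend on the same interfaces), so fail early
# and loudly instead of continuing with a half-configured firewall.
for required in INNET IF0 IF1; do
  if [ -z "${!required}" ]; then
    printf 'error: %s is not set; refusing to configure NAT\n' "$required" >&2
    exit 1
  fi
done
iptables -t nat -A POSTROUTING -s "$INNET" -o "$IF0" -j MASQUERADE
iptables -t nat -A POSTROUTING -s "$INNET" -o "$IF1" -j MASQUERADE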
# Per-VM DNAT for ports 20, 21, 22, 80, 1433, 3306 and 3389, plus the FTP
# passive port range. These forwards carry no source restriction, so the
# VM services appear to be reachable from any address on the uplinks —
# unlike the VPN-restricted management ports above; verify that is intended.
for i in `seq 2 $ENDIP`
do
[ "$i" == "26" ] && continue
for j in 20 21 22 80 1433 3306 3389
do
DPORT=$((1000*$i+$j))
iptables -t nat -A PREROUTING -i $IF0 -p tcp -m tcp --dport $DPORT \
-j DNAT --to-destination ${INIP}$i:$j
iptables -t nat -A PREROUTING -i $IF1 -p tcp -m tcp --dport $DPORT \
-j DNAT --to-destination ${INIP}$i:$j
done