#!/bin/sh
export WAN=eth0
export LAN=eth1

# Flush Rules
iptables -F
iptables -t nat -F

# Setup default policies to handle unmatched traffic
iptables -P INPUT ACCEPT
iptables -P OUTPUT ACCEPT
iptables -P FORWARD DROP

# Lock our services so they only work from the LAN
iptables -I INPUT 1 -i ${LAN} -j ACCEPT
iptables -I INPUT 1 -i lo -j ACCEPT
iptables -A INPUT -p UDP --dport bootps ! -i ${LAN} -j REJECT
iptables -A INPUT -p UDP --dport domain ! -i ${LAN} -j REJECT

# Allow access to our local services on WAN
iptables -A INPUT -p TCP --dport ssh -i ${WAN} -j ACCEPT
iptables -A INPUT -p TCP --dport ftp -i ${WAN} -j ACCEPT
#iptables -A INPUT -p TCP --dport http -i ${WAN} -j ACCEPT
iptables -A INPUT -p TCP --dport auth -i ${WAN} -j ACCEPT
iptables -A INPUT -p TCP --dport 6890:6999 -i ${WAN} -j ACCEPT
iptables -A INPUT -p UDP --dport 6890:6999 -i ${WAN} -j ACCEPT

# Drop TCP / UDP packets to privileged ports
# (the INPUT policy above is ACCEPT, so ports above 1023 on the WAN side are not covered by these two rules)
iptables -A INPUT -p TCP ! -i ${LAN} -d 0/0 --dport 0:1023 -j DROP
iptables -A INPUT -p UDP ! -i ${LAN} -d 0/0 --dport 0:1023 -j DROP

# Finally we add the rules for NAT
# (the WAN -> LAN ACCEPT carries no connection-state match: any forwarded packet addressed to 10.0.0.0/24 is admitted)
iptables -I FORWARD -i ${LAN} -d 10.0.0.0/255.255.255.0 -j DROP
iptables -A FORWARD -i ${LAN} -s 10.0.0.0/255.255.255.0 -j ACCEPT
iptables -A FORWARD -i ${WAN} -d 10.0.0.0/255.255.255.0 -j ACCEPT
iptables -t nat -A POSTROUTING -o ${WAN} -j MASQUERADE

# Tell the kernel that ip forwarding is OK
echo 1 > /proc/sys/net/ipv4/ip_forward
for f in /proc/sys/net/ipv4/conf/*/rp_filter ; do echo 1 > $f ; done

# Port Forwarding
#iptables -t nat -A PREROUTING -p tcp --dport 1122 -i ${WAN} -j DNAT --to 10.0.0.35:22
#iptables -t nat -A PREROUTING -p udp --dport 4444 -i ${WAN} -j DNAT --to 10.0.0.35
#iptables -t nat -A PREROUTING -p udp --dport 20800 -i ${WAN} -j DNAT --to 10.0.0.35
#iptables -t nat -A PREROUTING -p udp --dport 20810 -i ${WAN} -j DNAT --to 10.0.0.35
#iptables -t nat -A PREROUTING -p udp --dport 28960:28970 -i ${WAN} -j DNAT --to 10.0.0.35
#iptables -t nat -A PREROUTING -p udp --dport 13389 -i ${WAN} -j DNAT --to 10.0.0.171:3389
#iptables -t nat -A PREROUTING -p udp --dport 46991 -i ${WAN} -j DNAT --to 10.0.0.35:46991
#iptables -t nat -A PREROUTING -p tcp --dport 46991 -i ${WAN} -j DNAT --to 10.0.0.35:46991
iptables -t nat -A PREROUTING -p tcp --dport 8000 -i ${WAN} -j DNAT --to 10.0.0.40
iptables -t nat -A PREROUTING -p tcp --dport 4662 -i ${WAN} -j DNAT --to 10.0.0.40
iptables -t nat -A PREROUTING -p tcp --dport 5900 -i ${WAN} -j DNAT --to 10.0.0.40
iptables -t nat -A PREROUTING -p tcp --dport 59803 -i ${WAN} -j DNAT --to 10.0.0.40
iptables -t nat -A PREROUTING -p udp --dport 59803 -i ${WAN} -j DNAT --to 10.0.0.40
iptables -t nat -A PREROUTING -p tcp --dport 2222 -i ${WAN} -j DNAT --to 10.0.0.40
iptables -t nat -A PREROUTING -p tcp --dport 5901 -i ${WAN} -j DNAT --to 10.0.0.40
iptables -t nat -A PREROUTING -p tcp --dport 9090 -i ${WAN} -j DNAT --to 10.0.0.42
iptables -t nat -A PREROUTING -p tcp --dport 3389 -i ${WAN} -j DNAT --to 10.0.0.230

# WoW
iptables -t nat -A PREROUTING -p tcp --dport 1119 -i ${WAN} -j DNAT --to 10.0.0.40
iptables -t nat -A PREROUTING -p tcp --dport 1120 -i ${WAN} -j DNAT --to 10.0.0.40
iptables -t nat -A PREROUTING -p udp --dport 3724 -i ${WAN} -j DNAT --to 10.0.0.40
iptables -t nat -A PREROUTING -p tcp --dport 3724 -i ${WAN} -j DNAT --to 10.0.0.40
iptables -t nat -A PREROUTING -p tcp --dport 6112 -i ${WAN} -j DNAT --to 10.0.0.40
iptables -t nat -A PREROUTING -p tcp --dport 6881:6999 -i ${WAN} -j DNAT --to 10.0.0.40
iptables -t nat -A PREROUTING -p tcp --dport 80 -i ${WAN} -j DNAT --to 10.0.0.40
iptables -t nat -A PREROUTING -p tcp --dport 443 -i ${WAN} -j DNAT --to 10.0.0.23

#playstation test
iptables -t nat -A PREROUTING -p udp --dport 3074 -i ${WAN} -j DNAT --to 10.0.0.23
iptables -t nat -A PREROUTING -p udp --dport 3075 -i ${WAN} -j DNAT --to 10.0.0.23
iptables -t nat -A PREROUTING -p udp --dport 3478 -i ${WAN} -j DNAT --to 10.0.0.23
iptables -t nat -A PREROUTING -p udp --dport 3479 -i ${WAN} -j DNAT --to 10.0.0.23
iptables -t nat -A PREROUTING -p udp --dport 3658 -i ${WAN} -j DNAT --to 10.0.0.23
iptables -t nat -A PREROUTING -p udp --dport 10070 -i ${WAN} -j DNAT --to 10.0.0.23
iptables -t nat -A PREROUTING -p udp --dport 50100 -i ${WAN} -j DNAT --to 10.0.0.23
iptables -t nat -A PREROUTING -p tcp --dport 3074 -i ${WAN} -j DNAT --to 10.0.0.23
iptables -t nat -A PREROUTING -p tcp --dport 5223 -i ${WAN} -j DNAT --to 10.0.0.23
iptables -t nat -A PREROUTING -p tcp --dport 10070 -i ${WAN} -j DNAT --to 10.0.0.23
iptables -t nat -A PREROUTING -p tcp --dport 10080 -i ${WAN} -j DNAT --to 10.0.0.23

#block ID Software CD Key server
#iptables -A INPUT -p all -d 192.246.40.244 -j DROP

# http://www.gentoo.org/doc/en/home-router-howto.xml