
Posted by unknown on Wed 24 Feb 2010 6:47

*mangle
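# Mark connections forwarded in from the WAN interface (eth0) so the
# hairpin NAT rule in the nat table can exclude them.
-A FORWARD -i eth0 -j CONNMARK --set-mark 0xe0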
COMMIT
*nat
-A POSTROUTING -o eth0 -j MASQUERADE
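# Hairpin NAT: masquerade DNATed connections leaving via br-lan that do not
# carry the WAN mark (0xe0), i.e. LAN clients reaching a forwarded port,
# so that replies return through this router.
-A POSTROUTING -o br-lan -m connmark ! --mark 0xe0 -m conntrack --ctstate DNAT -j MASQUERADE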

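# Port forwards. Only the first rule is restricted to -i eth0; the others
# match on any interface.
-A PREROUTING -p tcp -m multiport --dports 21,22,23,25,110,3445,3389 -i eth0 -j DNAT --to-destination 172.16.0.5
# Redirect port 22000 to the router's own SSH port.
-A PREROUTING -p tcp --dport 22000 -j REDIRECT --to-ports 22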
-A PREROUTING -p tcp --dport 8081  -j DNAT --to-destination 10.0.0.99:80
-A PREROUTING -p tcp --dport 8082  -j DNAT --to-destination 10.0.0.99:443
-A PREROUTING -p tcp --dport 22001 -j DNAT --to-destination 10.0.0.99:22
-A PREROUTING -p tcp --dport 51000 -j DNAT --to-destination 10.0.0.99
COMMIT

*filter
# SSH dictionary attack rate limiting (disabled)
#-A INPUT -i eth0 -p tcp --dport 22 -m state --state NEW -m recent --set
#-A INPUT -i eth0 -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 2 --hitcount 1 -j DROP
# end of dictionary attack rules

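# Traffic from the WAN to the router itself: allow replies plus the listed
# ports, drop everything else.
# Port 8081 is DNATed to 10.0.0.99:80 in PREROUTING, so that traffic
# traverses FORWARD and never reaches this INPUT rule.
-A INPUT -i eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i eth0 -p tcp -m multiport --dports 22,8081 -j ACCEPT
-A INPUT -i eth0 -j DROP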

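# This file declares no chain policies and has no FORWARD drop rule, so new
# forwarded connections are decided by the FORWARD policy in effect.
#-A FORWARD -d 10.0.0.0/24 -i eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT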
COMMIT