#!/bin/bash
# NAT router / firewall for a host with two interfaces.
#
#   IF_INET     - interface facing the internet (untrusted side)
#   IF_LAN      - interface facing the local network (trusted side)
#   IP_LAN      - LAN network address
#   IP_LAN_BITS - LAN prefix length
#
# restart network:
#
#   systemctl restart networking.service
export IF_INET='enp1s0'
export IF_LAN='enp3s0'
export IP_LAN='192.168.99.0'
export IP_LAN_BITS='24'
##############################################################################
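#######################################
# Expose a TCP service on a LAN host.
#
# Adds a DNAT rule so TCP packets arriving on $IF_INET for INET_PORT are
# rewritten to DEST_IP:DEST_PORT, plus a FORWARD ACCEPT for that inbound leg.
# The FORWARD rule is tied to $IF_INET like the DNAT rule so it does not
# also open the destination to traffic from other interfaces.
#
# Reply packets are not handled here: they must be accepted by the FORWARD
# chain (default policy, or a conntrack ESTABLISHED,RELATED rule).
#
# Globals:   IF_INET (read)
# Arguments: $1 - port on the internet-facing interface
#            $2 - LAN destination IP
#            $3 - destination port on that host
# Returns:   1 and adds no rule if any argument is missing/empty;
#            otherwise the status of the last iptables call.
#######################################
function ip_forward ()
{
    if (( $# != 3 )) || [[ -z "$1" || -z "$2" || -z "$3" ]]; then
        echo "ip_forward: usage: ip_forward INET_PORT DEST_IP DEST_PORT" >&2
        return 1
    fi
    local inet_port="$1"
    local dest_ip="$2"
    local dest_port="$3"

    iptables -A PREROUTING -t nat \
        -i "$IF_INET" -p tcp \
        --dport "$inet_port" -j DNAT \
        --to-destination "$dest_ip:$dest_port"
    iptables -A FORWARD -i "$IF_INET" -p tcp \
        -d "$dest_ip" --dport "$dest_port" -j ACCEPT
}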
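#######################################
# Drop incoming TCP and UDP traffic to a port or port range on $IF_INET.
#
# Globals:   IF_INET (read)
# Arguments: $1 - destination port, e.g. 22, 80, or a range like 20:200
# Returns:   1 and adds no rule if the argument is missing/empty;
#            otherwise the status of the last iptables call.
#######################################
function ip_block_incoming ()
{
    if (( $# != 1 )) || [[ -z "$1" ]]; then
        echo "ip_block_incoming: usage: ip_block_incoming PORT|LOW:HIGH" >&2
        return 1
    fi
    local dest_port="$1"
    local proto

    # Same rule for both transport protocols; only the -p differs.
    for proto in tcp udp; do
        iptables -A INPUT -i "$IF_INET" -p "$proto" \
            --dport "$dest_port" -j DROP
    done
}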
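#######################################
# Drop incoming UDP traffic to a port or port range on $IF_INET.
#
# Globals:   IF_INET (read)
# Arguments: $1 - destination port, e.g. 22, 80, or a range like 20:200
# Returns:   1 and adds no rule if the argument is missing/empty;
#            otherwise the iptables status.
#######################################
function ip_block_incoming_udp ()
{
    if (( $# != 1 )) || [[ -z "$1" ]]; then
        echo "ip_block_incoming_udp: usage: ip_block_incoming_udp PORT|LOW:HIGH" >&2
        return 1
    fi
    local dest_port="$1"

    iptables -A INPUT -i "$IF_INET" -p udp \
        --dport "$dest_port" -j DROP
}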
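##############################################################################
# iptables needs root; without it every call below fails and the host keeps
# whatever ruleset it had before.
if [[ $EUID -ne 0 ]]; then
    echo "$0: must be run as root" >&2
    exit 1
fi

# Clean slate in every table: flush the rules AND delete user-defined chains
# (-F alone leaves stale chains behind).
for table in filter nat mangle; do
    iptables -t "$table" -F
    iptables -t "$table" -X
done

# Default deny for traffic addressed to this host and for traffic routed
# through it; the host's own outbound traffic is not restricted. Anything
# reachable from $IF_INET has to be opened explicitly below. (Dropping only
# ports 1:1024, as this script used to, left every higher port on the host
# open to the internet because the INPUT policy was never set.)
iptables -P INPUT   DROP
iptables -P FORWARD DROP
iptables -P OUTPUT  ACCEPT

# Loopback, plus replies to connections this host or the LAN initiated.
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT   -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT   -m conntrack --ctstate INVALID -j DROP
iptables -A FORWARD -m conntrack --ctstate INVALID -j DROP

# The LAN side is trusted: full access to this host, and routing out to the
# internet for packets that actually carry a LAN source address (cheap
# anti-spoofing on the inside interface).
iptables -A INPUT -i "$IF_LAN" -j ACCEPT
iptables -A FORWARD -i "$IF_LAN" -o "$IF_INET" \
    -s "$IP_LAN/$IP_LAN_BITS" -j ACCEPT

# set up masquerading
iptables -t nat -A POSTROUTING -o "$IF_INET" -j MASQUERADE

# allow forwarding (not persistent across reboots; set net.ipv4.ip_forward=1
# in sysctl.conf to keep it)
echo 1 > /proc/sys/net/ipv4/ip_forward

##############################################################################
# Services on this host reachable from the internet: HTTPS only. ICMP is
# left open so ping and path-MTU discovery keep working (the previous
# ruleset never filtered ICMP either).
iptables -A INPUT -i "$IF_INET" -p tcp --dport 443 -j ACCEPT
iptables -A INPUT -i "$IF_INET" -p icmp -j ACCEPT

##############################################################################
# Port forwards to LAN hosts. ip_forward adds the DNAT and the FORWARD ACCEPT
# for the inbound leg; replies are covered by the ESTABLISHED,RELATED rule.
# internet :80 -> 192.168.99.99:80
ip_forward 80 192.168.99.99 80
# internet :99 -> 192.168.99.98:10
ip_forward 99 192.168.99.98 10

# NOTE: this configures IPv4 only. If IPv6 is enabled on $IF_INET, ip6tables
# needs an equivalent ruleset or the host is unfiltered over IPv6.
# NOTE: the ruleset is not saved; re-run this script at boot or use
# iptables-save / iptables-restore.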