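#!/bin/sh
## Gateway firewall / NAT rules.
##
## Topology as the rules below use it (nothing here configures addresses):
##   eth0 - upstream/untrusted side; the DNAT/SNAT rules treat
##          172.16.23.37, .38 and .39 as this host's eth0-side addresses
##   eth1 - internal side, fully trusted
##   VAH Server is 209.96.151.44
##   BMG Server is 209.96.151.45
##   Rea Server is 209.96.151.46
##
## NOTE(review): this script never sets chain policies (-P).  The eth0 INPUT
## path ends in an explicit LOG/DROP, but FORWARD gets no terminal rule of its
## own, so forwarded traffic is governed by whatever FORWARD policy was in
## force before the script ran.  Verify with `iptables -L FORWARD -n`.

## Executables.
IPTABLES=/sbin/iptables

## Write a value to the first of the given /proc paths that exists; warn on
## stderr if none does (different kernels expose some knobs under different
## names).  Never aborts: a firewall script must not stop half way through.
##   $1   - value to write
##   $2.. - candidate /proc paths, tried in order
set_sysctl() {
  _val=$1
  shift
  for _p in "$@"; do
    if [ -e "$_p" ]; then
      echo "$_val" > "$_p"
      return 0
    fi
  done
  echo "warning: none of $* present; value $_val not applied" >&2
  return 1
}

## Enable forwarding (this host routes for eth1 and for the DNAT targets).
set_sysctl 1 /proc/sys/net/ipv4/ip_forward

## Reduce timeouts / state to lower the odds of resource-exhaustion DoS.
set_sysctl 30    /proc/sys/net/ipv4/tcp_fin_timeout
set_sysctl 1800  /proc/sys/net/ipv4/tcp_keepalive_time
set_sysctl 1     /proc/sys/net/ipv4/tcp_window_scaling
set_sysctl 0     /proc/sys/net/ipv4/tcp_sack            # throughput trade-off, kept as configured
set_sysctl 1280  /proc/sys/net/ipv4/tcp_max_syn_backlog
## Conntrack table size: the /proc name moved between kernel generations, so
## try the newer path first and fall back to the old one.
set_sysctl 65535 /proc/sys/net/netfilter/nf_conntrack_max /proc/sys/net/ipv4/netfilter/ip_conntrack_max

## Anti-spoofing protection and source route blocking.
## rp_filter: the kernel uses the larger of conf/all and conf/<if>, so setting
## eth0 alone covers the untrusted side; eth1 is deliberately left alone.
set_sysctl 1 /proc/sys/net/ipv4/conf/eth0/rp_filter
set_sysctl 0 /proc/sys/net/ipv4/conf/eth0/accept_source_route
## ICMP redirects must be ignored on a gateway: honouring them lets any on-link
## sender rewrite this host's routes.  (Was 1 here; with forwarding enabled,
## conf/all=0 disables it on every interface.)
set_sysctl 0 /proc/sys/net/ipv4/conf/all/accept_redirects
set_sysctl 1 /proc/sys/net/ipv4/conf/all/log_martians   # noisy on syslog, but useful evidence

## Configure SYN cookies and ICMP hygiene.
set_sysctl 1 /proc/sys/net/ipv4/tcp_syncookies
set_sysctl 1 /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
set_sysctl 1 /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses

## Clear/reset.  -F/-Z flush and zero the built-in chains of each table but
## leave chain policies and user-defined chains untouched.
for table in filter nat mangle; do
  $IPTABLES -t "$table" -F
  $IPTABLES -t "$table" -Z
done

## Hack/scan blocks (eth0 only; eth1 is accepted wholesale later on).
## Syn protection: a NEW connection must open with a SYN.
$IPTABLES -A INPUT -i eth0 -p tcp ! --syn -m state --state NEW -j DROP
## Kill fragmented packets.  -f matches second and later fragments; once
## conntrack is loaded packets are normally reassembled before the filter
## table sees them, so this is belt-and-braces rather than the main defence.
$IPTABLES -A INPUT -i eth0 -f -j DROP
## Bogus TCP flag combinations: ALL NONE is a NULL scan, ALL FIN,PSH,URG is the
## XMAS pattern (the single rule here used to carry the "XMAS" label but only
## matched NULL probes).
$IPTABLES -A INPUT -i eth0 -p tcp --tcp-flags ALL NONE -j DROP
$IPTABLES -A INPUT -i eth0 -p tcp --tcp-flags ALL FIN,PSH,URG -j DROP
## Block various ICMP requests: echo request (8) and timestamp request (13).
$IPTABLES -A INPUT -i eth0 -p icmp --icmp-type 8 -j DROP
$IPTABLES -A INPUT -i eth0 -p icmp --icmp-type 13 -j DROP
## Blocks.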
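## Source addresses/networks dropped outright on INPUT (eth0 and any other
## interface).  One entry per line; a bare address is treated by iptables as
## /32.
##
## NOTE(review): these are INPUT rules, so they protect the firewall host
## itself.  Traffic DNAT'ed onward to the servers traverses FORWARD, not
## INPUT, and is NOT filtered by this list.
##
## Two entries in the original were not valid CIDR (187.28.118/24 and
## 200.40.240/20).  Depending on the iptables build a three-octet address is
## either rejected or read inet_aton-style (187.28.118 -> 187.28.0.118), which
## silently blocks the wrong /24; they are written out in full below.  One
## exact duplicate (184.107.105.211) was dropped.  180.210.207.96/25 has host
## bits set; iptables masks it to 180.210.207.0/25, which still contains .96.
BLOCKED_SOURCES="
1.80.0.0/13
2.94.0.0/15
4.49.108.80/32
14.139.0.0/16
31.8.0.0/16
31.44.184.0/24
38.96.220.83/32
38.119.86.141/32
41.0.0.0/8
46.17.96.0/21
46.149.32.0/20
46.165.192.0/21
49.212.0.0/16
50.30.33.90/32
50.63.61.83/32
58.48.0.0/13
58.59.128.0/17
58.248.0.0/13
59.0.0.0/11
60.12.152.0/24
60.160.0.0/12
60.217.196.0/24
61.32.0.0/13
61.111.0.0/18
61.131.0.0/17
61.147.0.0/16
61.148.0.0/15
61.152.175.0/24
61.191.0.0/16
61.236.182.0/24
62.1.136.0/21
63.235.155.203/32
64.34.163.50/32
66.85.128.0/18
66.212.18.2
69.25.83.15/32
70.37.104.36/32
70.38.78.248/32
70.158.178.86/32
72.232.245.82
74.208.192.3
74.217.149.10/32
75.101.141.185/32
77.38.12.98/32
77.245.147.132/32
78.29.0.0/19
78.110.0.0/20
79.143.176.0/20
79.143.185.0/22
79.148.0.0/17
79.178.0.0/16
81.3.138.118/32
81.169.143.225/32
85.29.182.0/24
85.114.128.0/21
86.55.7.62/32
87.218.0.0/15
89.19.4.128/29
89.19.4.200/29
89.19.6.42
89.19.28.42
91.93.181.130
91.205.188.0/22
91.207.4.0/22
91.211.52.0/22
92.241.91.0/24
93.75.47.58
94.23.0.0/16
94.28.87.102
94.51.112.0/20
94.73.129.116
94.102.52.0/22
94.127.67.120/32
94.142.134.0/24
95.51.128.48/29
96.17.166.181/32
108.178.53.114/32
109.86.146.0/24
109.106.160.75/32
109.106.169.3/32
109.123.105.128/25
109.230.246.0/24
110.74.169.230
111.224.0.0/14
112.121.160.0/19
113.1.64.10
113.96.0.0/12
114.24.0.0/14
114.80.0.0/12
114.141.0.0/19
114.143.0.0/16
114.207.245.190/32
114.255.40.0/24
115.88.0.0/13
115.146.120.0/24
115.178.69.254/32
115.204.0.0/15
116.66.38.142
116.120.0.0/13
116.224.0.0/12
117.32.0.0/13
117.226.0.0/15
117.239.73.133
118.224.3.0/25
119.1.32.0/19
119.161.128.0/17
121.8.0.0/13
121.254.156.165/32
122.228.236.0/24
122.226.102.0/24
122.155.160.0/19
123.117.108.169
123.232.0.0/14
124.30.199.118/32
124.114.0.0/14
124.118.0.0/15
124.226.0.0/15
124.127.116.138/32
124.160.0.0/16
124.236.0.0/14
124.254.0.0/18
125.162.252.0/23
164.132.0.0/16
166.111.0.0/16
173.212.206.251/32
176.9.0.0/16
176.65.160.0/21
177.55.252.0/22
177.96.0.0/14
178.18.16.0/21
178.64.128.0/17
178.150.38.0/24
180.184.0.0/13
180.210.207.96/25
180.212.0.0/15
182.236.128.0/17
183.0.0.0/10
184.105.177.173/32
184.107.101.23/32
184.107.105.211/32
184.107.179.242/32
184.167.212.106
184.168.193.88/32
184.170.91.188
184.174.154.160
184.174.175.237
184.95.36.71/32
187.10.0.0/15
187.124.0.0/14
187.27.0.0/16
187.28.118.0/24
188.132.216.0/21
188.143.234.0/23
189.110.0.0/15
189.38.90.17/32
189.174.1.0/24
190.3.0.0/18
190.120.224.0/20
190.172.0.0/15
195.56.150.0/27
195.117.171.157
195.248.235.231/32
196.0.0.0/8
200.40.240.0/20
200.74.141.206/32
201.64.0.0/15
201.68.0.0/16
202.107.232.0/22
202.109.208.224/27
202.111.175.0/24
202.128.60.8/32
202.131.96.0/19
202.134.2.188
202.201.152.0/21
203.142.69.96/29
203.189.72.194/32
203.196.171.229/32
206.83.86.2/32
207.38.22.108/32
210.212.16.0/20
210.229.139.57/32
211.110.0.0/16
211.174.62.140/32
211.216.0.0/13
211.224.0.0/15
212.113.32.0/21
212.124.112.0/22
212.124.124.0/22
212.156.0.0/17
212.175.12.205
213.140.231.54/32
213.144.108.222/32
213.242.5.224
216.245.215.150/32
218.31.0.0/16
218.24.0.0/15
218.69.6.16/28
218.87.0.0/16
218.103.90.8/29
218.108.244.0/21
219.138.0.0/16
219.139.0.0/16
219.140.0.0/16
219.148.0.0/16
220.171.192.0/18
220.172.0.0/16
220.181.158.213/32
221.207.64.0/18
221.207.128.0/18
221.207.192.0/18
222.32.0.0/13
222.172.0.0/14
"

## Word-splitting of the unquoted variable is intentional: one word per entry.
for src in $BLOCKED_SOURCES; do
  $IPTABLES -A INPUT -s "$src" -j DROP
done

## Pull in the emerging threats data.
#/etc/emerging/emerging-rules.sh 2>/dev/null
## Allow selective, then block remaining.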
#$IPTABLES -A INPUT -i eth0 -p tcp --dport 7000 -j ACCEPT
#$IPTABLES -A INPUT -i eth0 -p tcp --dport 443 -j ACCEPT
## Services offered by the firewall host itself on eth0.
## 1443: ownCloud (the original "## ownCloud." label sat between this rule and
## the SSH one; it is assumed to belong to 1443 — confirm).
$IPTABLES -A INPUT -i eth0 -p tcp --dport 1443 -j ACCEPT
## 22: SSH.  NOTE(review): accepted from any source on the untrusted side; the
## static blocklist is the only restriction.  A source-range match (-s) for
## the admin networks would be the usual tightening.
$IPTABLES -A INPUT -i eth0 -p tcp --dport 22 -j ACCEPT

## Route RDP sessions to appropriate hosts: public port -> internal host:3389.
## NOTE(review): RDP is reachable from the Internet on non-standard ports;
## scanners do not care about the port number.
RDP_MAP="7000=10.0.0.2 7001=10.0.0.3"
for entry in $RDP_MAP; do
  $IPTABLES -t nat -A PREROUTING -i eth0 -p tcp --dport "${entry%%=*}" -j DNAT --to-destination "${entry#*=}:3389"
done

## Route Syncrify link to the endpoint (same port on both sides).
$IPTABLES -t nat -A PREROUTING -i eth0 -p tcp --dport 5800 -j DNAT --to-destination 10.0.0.2:5800

## NOTE(review): no FORWARD ACCEPT is added for the RDP/Syncrify DNATs above
## (only 53, 25, 80 and 443 get one in this script).  Either FORWARD's policy
## is ACCEPT — in which case the explicit accepts are redundant and nothing
## limits forwarding — or these DNATs cannot complete.  Check which applies.

## Route DNS.  The FORWARD accepts are inserted (-I) at the head of the chain;
## each public address is DNAT'ed to its server with the port unchanged.
for proto in udp tcp; do
  $IPTABLES -I FORWARD -i eth0 -p "$proto" --dport 53 -j ACCEPT
done
for pair in 172.16.23.37=209.96.151.44 172.16.23.38=209.96.151.45 172.16.23.39=209.96.151.46; do
  for proto in udp tcp; do
    $IPTABLES -t nat -A PREROUTING -i eth0 -p "$proto" --destination "${pair%%=*}" --dport 53 -j DNAT --to-destination "${pair#*=}"
  done
done

## TEMP SSH.
#$IPTABLES -t nat -A PREROUTING -i eth0 -p tcp --destination 172.16.23.37 --dport 9999 -j DNAT --to-destination 209.96.151.44:22
## Route mail.
## Inbound mail-related ports on each public address are forwarded 1:1 (same
## port) to the matching internal server.  Only 25 gets an explicit FORWARD
## accept; see the note on FORWARD policy elsewhere in this file.
##
## NOTE(review): 135 is the MS-RPC endpoint mapper and 1024 is presumably a
## pinned RPC port it hands out (confirm against the server configuration).
## Exposing them on the untrusted side is a well-known attack surface; verify
## they are really needed from outside, and restrict by source if possible.
$IPTABLES -I FORWARD -i eth0 -p tcp --dport 25 -j ACCEPT

MAIL_PORTS="25 135 465 587 993 995 1024"
HOST_MAP="172.16.23.37=209.96.151.44 172.16.23.38=209.96.151.45 172.16.23.39=209.96.151.46"

for map in $HOST_MAP; do
  ext=${map%%=*}
  srv=${map#*=}
  for port in $MAIL_PORTS; do
    $IPTABLES -t nat -A PREROUTING -i eth0 -p tcp --destination "$ext" --dport "$port" -j DNAT --to-destination "$srv:$port"
  done
done

## Route Zentyal management interface (8443) to each server.
## NOTE(review): an administrative web UI reachable from the Internet; consider
## limiting the source or moving it behind VPN/SSH.
for map in $HOST_MAP; do
  $IPTABLES -t nat -A PREROUTING -i eth0 -p tcp --destination "${map%%=*}" --dport 8443 -j DNAT --to-destination "${map#*=}:8443"
done
## Route Web servers.
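## Route Web servers: 80/443 on each public address -> the matching server.
for port in 80 443; do
  $IPTABLES -I FORWARD -i eth0 -p tcp --dport "$port" -j ACCEPT
done
for pair in 172.16.23.37=209.96.151.44 172.16.23.38=209.96.151.45 172.16.23.39=209.96.151.46; do
  for port in 80 443; do
    $IPTABLES -t nat -A PREROUTING -i eth0 -p tcp --destination "${pair%%=*}" --dport "$port" -j DNAT --to-destination "${pair#*=}:$port"
  done
done

## Allow established connections on eth0 (return traffic for the host's own
## sessions and for the accepted services).  RELATED is not matched, so
## helper-driven flows such as FTP data channels would be dropped here —
## presumably nothing on this host relies on them.
for proto in tcp udp icmp; do
  $IPTABLES -A INPUT -i eth0 -p "$proto" -m state --state ESTABLISHED -j ACCEPT
done

## Allow remaining ICMP packets (echo and timestamp requests were dropped
## earlier).  This includes ICMP redirects (type 5) reaching the stack; whether
## they are honoured is decided by conf/*/accept_redirects, not here.
$IPTABLES -A INPUT -i eth0 -p icmp -j ACCEPT

## Log and drop any others.  The LOG rule is rate-limited so that a flood of
## unsolicited packets cannot fill syslog or the disk (an unlimited LOG is
## itself a DoS vector); the DROP that follows is unconditional.
$IPTABLES -A INPUT -i eth0 -m limit --limit 5/min --limit-burst 10 -j LOG --log-level 4 --log-prefix 'Fall-through (eth0): '
$IPTABLES -A INPUT -i eth0 -j DROP

## Internal interface (eth1): accept all.
$IPTABLES -A INPUT -i eth1 -j ACCEPT

## Stop SMB/NetBIOS leaving via eth0.  These are OUTPUT rules, i.e. only the
## firewall's own traffic; NetBIOS from hosts behind eth1 passes through
## FORWARD and is not covered here.
for port in 137 138 139; do
  for proto in tcp udp; do
    $IPTABLES -A OUTPUT -o eth0 -p "$proto" --dport "$port" -j DROP
  done
done
## Masquerade.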
## Static source NAT for traffic leaving eth0.  The two named servers keep a
## public identity of their own; everything else (209.96.151.44, the 10.0.0.x
## hosts, and locally generated packets — harmless if eth0's primary address is
## already 172.16.23.37, verify) shares 172.16.23.37.
## Order matters: the specific mappings must precede the catch-all.
for map in 209.96.151.45=172.16.23.38 209.96.151.46=172.16.23.39; do
  $IPTABLES -t nat -A POSTROUTING -o eth0 -s "${map%%=*}" -j SNAT --to "${map#*=}"
done
$IPTABLES -t nat -A POSTROUTING -o eth0 -j SNAT --to 172.16.23.37