[iptables] internetshare - firewall script

[internet] <-> win2kserver <|->  192.168.0.2 (mandrake 9.0)
                                             |->  192.168.0.3 (win98se)

#!/bin/sh

# Set some vars
EXTIP=`ifconfig eth0 | grep inet | tr -s " " | cut -d " " -f 3 | cut -d ":" -f 2`

# Load the NAT module (this pulls in all the others).
modprobe iptable_nat

# Turn on IP forwarding
echo 1 > /proc/sys/net/ipv4/ip_forward

#Flush rules
iptables -t nat -F PREROUTING

# In the NAT table (-t nat), Append a rule (-A) after routing (POSTROUTING)
# which says to MASQUERADE the connection (-j MASQUERADE).
iptables -t nat -A POSTROUTING -s 192.168.0.0/24 -j MASQUERADE

# Allows forwarding specifically to our LAN
iptables -A FORWARD -s 193.168.0.0/24 -j ACCEPT

# Enable IP-spoofing beveiliging
for f in /proc/sys/net/ipv4/conf/*/rp_filter ; do
echo 1 > $f
done


# Zet 22 tot 80 binnekomend voor de buitenwereld
iptables -A INPUT -p tcp --dport 22:80 -j ACCEPT
iptables -A INPUT -p udp --dport 22:80 -j ACCEPT

# Allow dhcp requests
iptables -A INPUT -i eth1 -p udp --sport bootpc --dport bootps -j ACCEPT
iptables -A INPUT -i eth1 -p tcp --sport bootpc --dport bootps -j ACCEPT
iptables -A INPUT -i eth1 -p udp --sport bootps --dport bootpc -j ACCEPT
iptables -A INPUT -i eth1 -p tcp --sport bootps --dport bootpc -j ACCEPT

# Allow dns requests
iptables -A INPUT -i eth1 -p udp --dport domain -j ACCEPT
iptables -A INPUT -i eth1 -p tcp --dport domain -j ACCEPT

# Forward some ports
iptables -t nat -A PREROUTING -p tcp --dport 7000 -i eth0 -j DNAT --to 192.168.0.2:7000
iptables -t nat -A PREROUTING -p tcp --dport 7000 -i eth0 -j DNAT --to 192.168.0.3:7000
iptables -t nat -A PREROUTING -p tcp --dport 5000 -i eth0 -j DNAT --to 192.168.0.2:5000
iptables -t nat -A PREROUTING -p tcp --dport 5000 -i eth0 -j DNAT --to 192.168.0.3:5000
iptables -t nat -A PREROUTING -p tcp --dport 3389 -i eth0 -j DNAT --to 192.168.0.2:3389
iptables -t nat -A PREROUTING -p tcp --dport 3389 -i eth0 -j DNAT --to 192.168.0.3:3389
iptables -t nat -A PREROUTING -p tcp --dport 443 -i eth0 -j DNAT --to 192.168.0.2:443
iptables -t nat -A PREROUTING -p tcp --dport 443 -i eth0 -j DNAT --to 192.168.0.3:443

iptables -t nat -A PREROUTING -p tcp --dport 443 -i eth0 -j DNAT --to 192.168.0.2:443
iptables -t nat -A PREROUTING -p tcp --dport 443 -i eth0 -j DNAT --to 192.168.0.3:443

#msn porten
iptables -t nat -A PREROUTING -p tcp --dport 6891 -i eth0 -j DNAT --to 192.168.0.2:6891
iptables -t nat -A PREROUTING -p tcp --dport 6892 -i eth0 -j DNAT --to 192.168.0.2:6892
iptables -t nat -A PREROUTING -p tcp --dport 6893 -i eth0 -j DNAT --to 192.168.0.2:6893
iptables -t nat -A PREROUTING -p tcp --dport 6894 -i eth0 -j DNAT --to 192.168.0.2:6894
iptables -t nat -A PREROUTING -p tcp --dport 6895 -i eth0 -j DNAT --to 192.168.0.2:6895
iptables -t nat -A PREROUTING -p tcp --dport 6896 -i eth0 -j DNAT --to 192.168.0.2:6896
iptables -t nat -A PREROUTING -p tcp --dport 6897 -i eth0 -j DNAT --to 192.168.0.2:6897
iptables -t nat -A PREROUTING -p tcp --dport 6898 -i eth0 -j DNAT --to 192.168.0.2:6898
iptables -t nat -A PREROUTING -p tcp --dport 6899 -i eth0 -j DNAT --to 192.168.0.2:6899
iptables -t nat -A PREROUTING -p tcp --dport 6900 -i eth0 -j DNAT --to 192.168.0.2:6900
iptables -t nat -A PREROUTING -p udp --dport 6901 -i eth0 -j DNAT --to 192.168.0.2:6901
echo $EXTIP