
iptables規則使用案例


# Generated by iptables-save v1.4.7 on Wed Jun 11 01:06:48 2014

*nat
# nat table. Every SNAT/DNAT below treats eth1 as the public-facing interface (it carries the
# 118.244.194.x addresses); eth0 and tap0 are internal as far as the INPUT chain shows.
# Rules are first-match and the nat table only sees the first packet of each connection: whichever of
# ACCEPT / DNAT / REDIRECT / SNAT matches first fixes the translation for the whole connection.
# Policy ACCEPT on a nat chain simply means "no translation".
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# Logs every new connection from 192.168.20.0/24, unthrottled. Put "-m limit --limit 10/min
# --limit-burst 50" in front of -j LOG so a chatty or hostile host cannot flood the kernel log.
-A PREROUTING -s 192.168.20.0/24 -j LOG --log-prefix "Pre20 "
# NTP from 172.18.50.0/24 addressed to 1.1.1.1 is answered by this host instead (udp/123 is accepted on
# eth0 in the INPUT chain).
-A PREROUTING -s 172.18.50.0/24 -d 1.1.1.1 -p udp -m udp --dport 123 -j REDIRECT --to-ports 123
# Two destinations exempted (ACCEPT = leave untranslated) from the blanket REDIRECT that follows.
-A PREROUTING -m iprange --src-range 172.18.70.30-172.18.70.40 -d 172.18.20.11 -p tcp -j ACCEPT

-A PREROUTING -m iprange --src-range 172.18.70.30-172.18.70.40 -d 172.18.10.11 -p tcp -j ACCEPT
# Every other TCP connection from 172.18.70.30-.40 -- any destination, any port -- lands on local port
# 3344 (INPUT accepts 3344 from 172.18.70.0/24). NOTE(review): presumably a transparent proxy; confirm.
# Whatever listens on 3344 sees, and can rewrite, all TCP traffic of those hosts.
-A PREROUTING -m iprange --src-range 172.18.70.30-172.18.70.40 -p tcp -j REDIRECT --to-ports 3344
#-A PREROUTING -m iprange --src-range 172.18.20.20-172.18.20.22 -p tcp --dport 80 -j REDIRECT --to-ports 3344
# (disabled) REDIRECT --to-ports accepts only a port or port range; an "ip:port" value is rejected at
# load time. If this is ever re-enabled it has to be "-j DNAT --to-destination 172.18.20.1:3344".
#-A PREROUTING -s 172.18.70.0/24 -d 172.18.30.0/24 -p tcp -m tcp --dport 8080 -j REDIRECT --to-ports 172.18.20.1:3344
#-A PREROUTING -m iprange --src-range 172.18.20.1-172.18.20.3 -p tcp --dport 80 -j REDIRECT --to-ports 3344
#-A PREROUTING -m iprange --src-range 172.18.20.114-172.18.20.115 -p tcp --dport 80 -j REDIRECT --to-ports 3344
#-A PREROUTING -s 172.18.70.0/24 -d mail.buyforyou.cn -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8558

# --- Inbound port forwards (DNAT) on 118.244.194.197/.198/.199. No active rule carries a -s match, so
# each published service is reachable from any Internet source, and the filter FORWARD chain (policy
# ACCEPT, no DROP that matches these flows) does not narrow that. Commented rules are history only.
#-A PREROUTING -d 118.244.194.197/32 -p tcp -m tcp --dport 3311 -j DNAT --to-destination 172.18.20.52:3389
#-A PREROUTING -d 118.244.194.197/32 -p tcp -m tcp --dport 8550 -j DNAT --to-destination 192.168.2.22:80
#-A PREROUTING -d 118.244.194.197/32 -p tcp -m tcp --dport 8543 -j DNAT --to-destination 192.168.2.24:443
#-A PREROUTING -d 118.244.194.197/32 -p tcp -m tcp --dport 8525 -j DNAT --to-destination 172.16.30.36:8080
#-A PREROUTING -d 118.244.194.197/32 -p tcp -m tcp --dport 8526 -j DNAT --to-destination 172.16.30.36:8444
#-A PREROUTING -d 118.244.194.198/32 -p tcp -m tcp --dport 3311 -j DNAT --to-destination 172.18.20.51:3389
#-A PREROUTING -d 118.244.194.198/32 -p tcp -m tcp --dport 3312 -j DNAT --to-destination 172.18.20.50:3389
#-A PREROUTING -d 118.244.194.199/32 -p tcp -m tcp --dport 80 -j DNAT --to-destination 172.18.20.114:8083
#-A PREROUTING -d 118.244.194.205/32 -p tcp -m tcp --dport 443 -j DNAT --to-destination 172.19.80.30:2324
# RDP (tcp/3389) on 172.18.10.11/.12 exposed on .199:3311/.199:3312 to the whole Internet. Restrict -s
# to the management sources that need it, or move RDP behind a VPN -- password guessing against
# Internet-facing RDP is routine.
-A PREROUTING -d 118.244.194.199/32 -p tcp -m tcp --dport 3312 -j DNAT --to-destination 172.18.10.12:3389
-A PREROUTING -d 118.244.194.199/32 -p tcp -m tcp --dport 3311 -j DNAT --to-destination 172.18.10.11:3389
# Unreachable: identical -d/--dport to the two rules above, which already DNAT the connection (first
# match wins), so the :3319 targets are never used. Delete these or give them distinct ports.
-A PREROUTING -d 118.244.194.199/32 -p tcp -m tcp --dport 3312 -j DNAT --to-destination 172.18.10.12:3319
-A PREROUTING -d 118.244.194.199/32 -p tcp -m tcp --dport 3311 -j DNAT --to-destination 172.18.10.11:3319
-A PREROUTING -d 118.244.194.197/32 -p tcp -m tcp --dport 8552 -j DNAT --to-destination 192.168.2.48:8552
# Two more RDP hosts published to any source: 172.18.0.15 via .198:3329 and 172.18.20.125 via .198:8083.
-A PREROUTING -d 118.244.194.198/32 -p tcp -m tcp --dport 3329 -j DNAT --to-destination 172.18.0.15:3389
-A PREROUTING -d 118.244.194.198/32 -p tcp -m tcp --dport 8083 -j DNAT --to-destination 172.18.20.125:3389
#-A PREROUTING -d 118.244.194.203/32 -p tcp -m tcp --dport 8122 -j DNAT --to-destination 172.18.60.10:22
#-A PREROUTING -d 118.244.194.203/32 -p tcp -m tcp --dport 80 -j DNAT --to-destination 172.18.60.10:80
#-A PREROUTING -d 118.244.194.203/32 -p tcp -m tcp --dport 22 -j DNAT --to-destination 172.18.60.10:3311
#-A PREROUTING -i eth1 -d 118.244.194.203/32 -p tcp -j DNAT --to-destination 172.18.60.10
#-A PREROUTING -d 118.244.194.198/32 -p tcp -m tcp --dport 8080 -j DNAT --to-destination 172.16.30.32:8080
#-A PREROUTING -d 118.244.194.198/32 -p tcp -m tcp --dport 8081 -j DNAT --to-destination 172.16.30.33:8080
#-A PREROUTING -d 118.244.194.198/32 -p tcp -m tcp --dport 8082 -j DNAT --to-destination 172.16.30.34:8080
# Mail host 172.18.120.50: SMTP, POP3 on tcp/110 (cleartext unless the server insists on STARTTLS) and
# its port 22 via .198:8522 -- all from any source. The port-22 forward in particular wants a -s list.
-A PREROUTING -d 118.244.194.198/32 -p tcp -m tcp --dport 25 -j DNAT --to-destination 172.18.120.50:25
-A PREROUTING -d 118.244.194.198/32 -p tcp -m tcp --dport 110 -j DNAT --to-destination 172.18.120.50:110
-A PREROUTING -d 118.244.194.198/32 -p tcp -m tcp --dport 8522 -j DNAT --to-destination 172.18.120.50:22
# .197:8500-8519 -> 192.168.2.90-.109:80, one rule per backend host.
-A PREROUTING -d 118.244.194.197/32 -p tcp -m tcp --dport 8500 -j DNAT --to-destination 192.168.2.90:80
-A PREROUTING -d 118.244.194.197/32 -p tcp -m tcp --dport 8503 -j DNAT --to-destination 192.168.2.93:80
-A PREROUTING -d 118.244.194.197/32 -p tcp -m tcp --dport 8504 -j DNAT --to-destination 192.168.2.94:80
-A PREROUTING -d 118.244.194.197/32 -p tcp -m tcp --dport 8505 -j DNAT --to-destination 192.168.2.95:80
-A PREROUTING -d 118.244.194.197/32 -p tcp -m tcp --dport 8506 -j DNAT --to-destination 192.168.2.96:80
-A PREROUTING -d 118.244.194.197/32 -p tcp -m tcp --dport 8507 -j DNAT --to-destination 192.168.2.97:80
-A PREROUTING -d 118.244.194.197/32 -p tcp -m tcp --dport 8508 -j DNAT --to-destination 192.168.2.98:80
-A PREROUTING -d 118.244.194.197/32 -p tcp -m tcp --dport 8509 -j DNAT --to-destination 192.168.2.99:80
-A PREROUTING -d 118.244.194.197/32 -p tcp -m tcp --dport 8510 -j DNAT --to-destination 192.168.2.100:80
-A PREROUTING -d 118.244.194.197/32 -p tcp -m tcp --dport 8511 -j DNAT --to-destination 192.168.2.101:80
-A PREROUTING -d 118.244.194.197/32 -p tcp -m tcp --dport 8512 -j DNAT --to-destination 192.168.2.102:80
-A PREROUTING -d 118.244.194.197/32 -p tcp -m tcp --dport 8513 -j DNAT --to-destination 192.168.2.103:80
-A PREROUTING -d 118.244.194.197/32 -p tcp -m tcp --dport 8514 -j DNAT --to-destination 192.168.2.104:80
-A PREROUTING -d 118.244.194.197/32 -p tcp -m tcp --dport 8515 -j DNAT --to-destination 192.168.2.105:80
-A PREROUTING -d 118.244.194.197/32 -p tcp -m tcp --dport 8516 -j DNAT --to-destination 192.168.2.106:80
-A PREROUTING -d 118.244.194.197/32 -p tcp -m tcp --dport 8517 -j DNAT --to-destination 192.168.2.107:80
-A PREROUTING -d 118.244.194.197/32 -p tcp -m tcp --dport 8518 -j DNAT --to-destination 192.168.2.108:80
-A PREROUTING -d 118.244.194.197/32 -p tcp -m tcp --dport 8519 -j DNAT --to-destination 192.168.2.109:80
#-A PREROUTING -d 118.244.194.197/32 -p tcp -m tcp --dport 8550 -j DNAT --to-destination 192.168.2.22:80
# Multicast from 172.18.50.0/24 is left untranslated. This matches only 224.0.0.0/24 (link-local
# multicast); the matching FORWARD rule uses 224.0.0.0/8 -- align the two if the wider range is meant.
-A PREROUTING -s 172.18.50.0/24 -d 224.0.0.0/24 -j ACCEPT
#-A PREROUTING -d 172.16.30.0/24 -p tcp -j DNAT --to-destination 10.10.10.27
#----------------------------------------------------------------------------------------------------
# POSTROUTING: decides which public address each internal source leaves eth1 with (SNAT), or whether
# it leaves untranslated (ACCEPT). First match wins, so the early, broad ACCEPTs shadow later SNATs:
#   * 172.18.70.21/.22/.31/.32/.33 are ACCEPTed early with no -o, so the per-host and /24 SNATs to .111
#     near the end never apply to them; whatever FORWARD lets out for them (tcp/25, see the filter
#     table) leaves eth1 with a private source address.
#   * 172.18.20.1-.3 -o eth1 is SNATed to .205 early, so the rate-limited SNAT to 172.18.20.4 below
#     is unreachable.
#   * "-s 172.18.50.0/24 -j ACCEPT" (after the .50 host SNATs) makes every later .50 rule unreachable
#     (port 25 -> .211, the linux-oracle.win rule).
#   * "-s 192.168.0.0/24 -o eth1 -j ACCEPT" makes the later SNATs of 192.168.0.26 and of the whole /24
#     unreachable; 192.168.0.x hosts not covered by the DNS/443/.2/.126-.127 rules egress un-NATed.
# There is no catch-all SNAT (the 0.0.0.0/0 rule is commented out), so any source FORWARD allows out
# but no rule here covers -- e.g. 172.18.40.0/24, 172.18.80.0/24, 172.18.90.0/24 -- reaches eth1 with
# an RFC1918 source address. Decide explicitly: SNAT it or DROP it in FORWARD.
# Hostnames in -d (mail.buyforyou.cn, smtp.163.com, pan.baidu.com, www.tftpay.com, ...) are resolved
# once, when the rules are loaded: a resolver outage breaks iptables-restore, a changed record silently
# strands the rule, and a spoofed answer at boot steers NAT. Prefer fixed addresses or an ipset.
#LOG-3
# A single-address --src-range is just "-s a.b.c.d"; the iprange match adds nothing here.
-A POSTROUTING -m iprange --src-range 172.18.100.1-172.18.100.1 -d 172.18.100.100 -j ACCEPT
-A POSTROUTING -m iprange --src-range 172.18.20.15-172.18.20.15 -o eth1 -j ACCEPT
# 192.168.0.x: outbound DNS and 192.168.0.2:443 leave as .205.
-A POSTROUTING -m iprange --src-range 192.168.0.1-192.168.0.254 -p udp --dport 53 -o eth1 -j SNAT --to 118.244.194.205
-A POSTROUTING -m iprange --src-range 192.168.0.2-192.168.0.2 -p tcp --dport 443 -o eth1 -j SNAT --to 118.244.194.205
-A POSTROUTING -m iprange --src-range 172.18.20.15-172.18.20.22 -o eth1 -j SNAT --to 118.244.194.205
-A POSTROUTING -m iprange --src-range 172.18.20.1-172.18.20.3 -o eth1 -j SNAT --to 118.244.194.205
-A POSTROUTING -m iprange --src-range 172.18.20.125-172.18.20.125 -o eth1 -j SNAT --to 118.244.194.205
-A POSTROUTING -m iprange --src-range 172.18.20.31-172.18.20.34 -o eth1 -j SNAT --to 118.244.194.188
-A POSTROUTING -m iprange --src-range 172.18.0.105-172.18.0.106 -d 172.18.0.0/16 -j ACCEPT
-A POSTROUTING -m iprange --src-range 10.10.10.11-10.10.10.11 -d 172.18.20.20 -j ACCEPT
-A POSTROUTING -m iprange --src-range 10.10.10.11-10.10.10.11 -d 172.18.20.15 -j ACCEPT
# No -o on the next block of ACCEPTs: these hosts are never SNATed on any interface (see header).
-A POSTROUTING -s 172.18.70.32 -j ACCEPT
-A POSTROUTING -s 172.18.70.31 -j ACCEPT
-A POSTROUTING -s 192.168.20.131 -d 172.18.100.100 -j ACCEPT
-A POSTROUTING -s 172.18.70.33 -j ACCEPT
-A POSTROUTING -s 172.18.70.21 -j ACCEPT
-A POSTROUTING -s 172.18.10.11 -d 172.16.30.39 -j ACCEPT
-A POSTROUTING -s 192.168.0.0/24 -d 192.168.0.0/24 -j ACCEPT
-A POSTROUTING -s 172.18.70.22 -j ACCEPT
-A POSTROUTING -s 172.18.20.125 -j ACCEPT

# Per-subnet egress logging, one line per new connection, no rate limit (see the LOG note above).
-A POSTROUTING -s 172.18.30.0/24 -o eth1 -j LOG --log-prefix "POST30: "
-A POSTROUTING -s 172.18.0.0/24 -o eth1 -j LOG --log-prefix "POST0: "
-A POSTROUTING -s 172.18.10.0/24 -o eth1 -j LOG --log-prefix "POST10: "
-A POSTROUTING -s 172.18.20.0/24 -o eth1 -j LOG --log-prefix "POST20: "
-A POSTROUTING -s 172.18.50.0/24 -o eth1 -j LOG --log-prefix "POST50: "
-A POSTROUTING -s 172.18.70.0/24 -o eth1 -j LOG --log-prefix "POST70: "
-A POSTROUTING -s 192.168.0.0/24 -o eth1 -j LOG --log-prefix "POST1920: "
-A POSTROUTING -s 192.168.100.0/24 -o eth1 -j LOG --log-prefix "POSTa100: "
#LOG-4
# No -s: all NTP and DNS leaving eth1, from any internal source, uses .199 regardless of the
# per-subnet rules that follow.
-A POSTROUTING -o eth1 -p tcp --dport 123 -j SNAT --to 118.244.194.199
-A POSTROUTING -o eth1 -p udp -m udp --dport 123 -j SNAT --to-source 118.244.194.199
-A POSTROUTING -p udp --dport 53 -o eth1 -j SNAT --to 118.244.194.199
# Destination-based pinning to .198 (partner ranges, the gateway's own public /27, named hosts).
-A POSTROUTING -s 172.18.0.0/16 -d 218.241.140.80/27 -o eth1 -j SNAT --to-source 118.244.194.198
-A POSTROUTING -s 172.18.0.0/16 -d 118.244.194.192/27 -o eth1 -j SNAT --to-source 118.244.194.198
-A POSTROUTING -d 58.250.61.160/32 -o eth1 -j SNAT --to-source 118.244.194.198
-A POSTROUTING -d 211.147.7.47 -o eth1 -j SNAT --to-source 118.244.194.198
-A POSTROUTING -d 111.205.207.145 -o eth1 -j SNAT --to-source 118.244.194.198
-A POSTROUTING -d 113.106.85.42/32 -o eth1 -j SNAT --to-source 118.244.194.198
# Duplicate of the 58.250.61.160 rule four lines up.
-A POSTROUTING -d 58.250.61.160/32 -o eth1 -j SNAT --to-source 118.244.194.198
# No -s here, so this also shadows the .20.1-.100 -> mail.buyforyou.cn rule further down.
-A POSTROUTING -o eth1 -d mail.buyforyou.cn -j SNAT --to-source 118.244.194.198
-A POSTROUTING -o eth1 -p tcp --dport 194 -j SNAT --to-source 118.244.194.198
-A POSTROUTING -o eth1 -p tcp --dport 8311 -j SNAT --to-source 118.244.194.198

#Mail operation
# SMTP/POP3 from hosts .1-.200 of each subnet leaves as .205. These precede the "port 25 -> .211"
# rules near the end of the chain, which therefore only ever apply to hosts .201-.254 (and to
# 172.18.60.0/24, which has no entry here). Two SMTP source addresses in one config is almost
# certainly unintended -- pick one, because SPF/PTR records must match it.
-A POSTROUTING -m iprange --src-range 172.18.0.1-172.18.0.200 -p tcp --dport 25 -o eth1 -j SNAT --to 118.244.194.205
-A POSTROUTING -m iprange --src-range 172.18.0.1-172.18.0.200 -p tcp --dport 110 -o eth1 -j SNAT --to 118.244.194.205
-A POSTROUTING -m iprange --src-range 172.18.10.1-172.18.10.200 -p tcp --dport 25 -o eth1 -j SNAT --to 118.244.194.205
-A POSTROUTING -m iprange --src-range 172.18.10.1-172.18.10.200 -p tcp --dport 110 -o eth1 -j SNAT --to 118.244.194.205
-A POSTROUTING -m iprange --src-range 172.18.20.1-172.18.20.200 -p tcp --dport 25 -o eth1 -j SNAT --to 118.244.194.205
-A POSTROUTING -m iprange --src-range 172.18.20.1-172.18.20.200 -p tcp --dport 110 -o eth1 -j SNAT --to 118.244.194.205
-A POSTROUTING -m iprange --src-range 172.18.30.1-172.18.30.200 -p tcp --dport 25 -o eth1 -j SNAT --to 118.244.194.205
-A POSTROUTING -m iprange --src-range 172.18.30.1-172.18.30.200 -p tcp --dport 110 -o eth1 -j SNAT --to 118.244.194.205
-A POSTROUTING -m iprange --src-range 172.18.50.1-172.18.50.200 -p tcp --dport 25 -o eth1 -j SNAT --to 118.244.194.205
-A POSTROUTING -m iprange --src-range 172.18.50.1-172.18.50.200 -p tcp --dport 110 -o eth1 -j SNAT --to 118.244.194.205
-A POSTROUTING -m iprange --src-range 172.18.70.1-172.18.70.200 -p tcp --dport 25 -o eth1 -j SNAT --to 118.244.194.205
-A POSTROUTING -m iprange --src-range 172.18.70.1-172.18.70.200 -p tcp --dport 110 -o eth1 -j SNAT --to 118.244.194.205
#end of Mail.
#20.3 and 20.2 and 20.20 and 20.21
# Unreachable: 172.18.20.1-.3 -o eth1 was already SNATed to .205 above. Even if it were reached, two
# things are odd: "-m limit" on a nat rule counts new connections, so connections beyond 15/s would
# skip this rule and take whatever matches next; and SNAT to 172.18.20.4 -- a private address -- on
# the WAN interface means replies from the Internet cannot come back. NOTE(review): confirm intent.
-A POSTROUTING -m iprange --src-range 172.18.20.1-172.18.20.3 -m limit --limit-burst 30 --limit 15/s -o eth1 -j SNAT --to 172.18.20.4
-A POSTROUTING -m iprange --src-range 172.18.20.114-172.18.20.114 -o eth1 -j SNAT --to 118.244.194.197
# Unreachable: the "-o eth1 -d mail.buyforyou.cn" rule above already SNATs this to .198.
-A POSTROUTING -m iprange --src-range 172.18.20.1-172.18.20.100 -d mail.buyforyou.cn -o eth1 -j SNAT --to 118.244.194.197
-A POSTROUTING -m iprange --src-range 172.18.0.1-172.18.0.9 -o eth1 -j SNAT --to 118.244.194.197
# SNAT to a private address on eth1 again (see the 172.18.20.4 note above).
-A POSTROUTING -m iprange --src-range 172.18.0.16-172.18.0.16 -o eth1 -j SNAT --to 172.18.20.4
-A POSTROUTING -m iprange --src-range 172.18.50.1-172.18.50.5 -o eth1 -j SNAT --to 118.244.194.197
-A POSTROUTING -m iprange --src-range 172.18.50.19-172.18.50.20 -o eth1 -j SNAT --to 118.244.194.197
-A POSTROUTING -m iprange --src-range 172.18.50.50-172.18.50.50 -o eth1 -j SNAT --to 118.244.194.197
-A POSTROUTING -m iprange --src-range 172.18.70.1-172.18.70.9 -o eth1 -j SNAT --to 118.244.194.197
# Makes the later per-host SNATs of .70.23/.24/.25 to .111 unreachable.
-A POSTROUTING -m iprange --src-range 172.18.70.23-172.18.70.25 -o eth1 -j SNAT --to 118.244.194.197
-A POSTROUTING -m iprange --src-range 172.18.30.1-172.18.30.9 -o eth1 -j SNAT --to 118.244.194.197
-A POSTROUTING -m iprange --src-range 172.18.10.1-172.18.10.9 -o eth1 -j SNAT --to 118.244.194.197
-A POSTROUTING -m iprange --src-range 192.168.0.2-192.168.0.2 -o eth1 -j SNAT --to 118.244.194.197
-A POSTROUTING -m iprange --src-range 192.168.0.126-192.168.0.127 -o eth1 -j SNAT --to 118.244.194.197
-A POSTROUTING -m iprange --src-range 172.18.30.64-172.18.30.65 -o eth1 -j SNAT --to 118.244.194.197
-A POSTROUTING -m iprange --src-range 172.18.10.10-172.18.10.12 -o eth1 -j SNAT --to 118.244.194.197
#-A POSTROUTING -s 192.168.100.0/24 -o eth1 -j SNAT --to 118.244.194.198
#to pay.cmbc.com.cn
# Payment-gateway endpoints pinned to .198 -- presumably the address the bank has allow-listed.
# Keep these as literal addresses (as they are) rather than hostnames.
-A POSTROUTING -s 172.18.0.0/16 -d 223.71.169.67 -o eth1 -j SNAT --to-source 118.244.194.198
-A POSTROUTING -s 172.18.0.0/16 -d 124.127.181.67 -o eth1 -j SNAT --to-source 118.244.194.198
-A POSTROUTING -s 172.18.0.0/16 -d 219.142.89.183 -o eth1 -j SNAT --to-source 118.244.194.198
-A POSTROUTING -s 172.18.0.0/16 -d 218.205.136.67 -o eth1 -j SNAT --to-source 118.244.194.198
-A POSTROUTING -s 172.18.0.0/16 -d 123.127.113.173 -o eth1 -j SNAT --to-source 118.244.194.198
-A POSTROUTING -s 172.18.0.0/16 -d 114.255.210.67 -o eth1 -j SNAT --to-source 118.244.194.198

-A POSTROUTING -s 172.18.30.48 -o eth1 -j LOG --log-prefix "PST48: "
-A POSTROUTING -s 172.18.30.48 -o eth1 -j SNAT --to 118.244.194.198

# Catch-all for 172.18.50.0/24 on every interface: nothing below for that subnet is ever reached.
-A POSTROUTING -s 172.18.50.0/24 -j ACCEPT
-A POSTROUTING -s 172.18.0.1 -j ACCEPT
-A POSTROUTING -s 172.18.10.11 -d 172.16.30.38 -j ACCEPT
-A POSTROUTING -s 127.0.0.1 -d 127.0.0.1 -j ACCEPT
-A POSTROUTING -s 172.18.20.3 -d 172.18.0.0/16 -j ACCEPT
-A POSTROUTING -s 172.18.10.12 -d 172.18.20.55 -j ACCEPT
-A POSTROUTING -s 10.10.10.41 -d 172.18.10.11 -j ACCEPT
-A POSTROUTING -s 172.18.70.0/24 -d 172.18.0.0/16 -j ACCEPT
-A POSTROUTING -s 172.19.80.1 -d 172.18.70.0/24 -j ACCEPT
# "172.18.20.2/24" has host bits set; netfilter masks it, so this matches all of 172.18.20.0/24, not
# just .2. iptables-save itself prints the normalised form -- this listing has been hand-edited, so
# do not assume it is exactly what the kernel holds.
-A POSTROUTING -s 172.18.20.2/24 -d 172.18.10.11 -j ACCEPT
-A POSTROUTING -s 172.18.10.11 -d 172.18.0.0/16 -j ACCEPT
-A POSTROUTING -s 172.18.20.3 -d 172.18.10.12 -j ACCEPT
-A POSTROUTING -s 172.18.70.1 -d 172.18.70.0/24 -j ACCEPT
-A POSTROUTING -s 172.20.1.14 -d 172.18.100.100 -j ACCEPT
-A POSTROUTING -s 10.10.10.54 -d 172.18.100.100 -j ACCEPT
-A POSTROUTING -s 10.10.10.53 -d 172.18.100.100 -j ACCEPT
-A POSTROUTING -s 10.10.10.80 -d 172.18.100.100 -j ACCEPT
-A POSTROUTING -m iprange --src-range 192.168.20.111-192.168.20.120 -d 172.18.100.100 -j ACCEPT
-A POSTROUTING -s 192.168.20.1 -d 172.18.100.100 -j ACCEPT
-A POSTROUTING -s 192.168.20.0/24 -d 172.18.100.100 -p icmp -j ACCEPT
# Catch-all for 192.168.0.0/24 leaving eth1 untranslated; shadows the two later SNATs of this range.
-A POSTROUTING -s 192.168.0.0/24 -o eth1 -j ACCEPT
-A POSTROUTING -s 172.19.80.1 -d 172.18.20.11 -j ACCEPT
-A POSTROUTING -s 172.18.20.2 -d 172.18.30.4 -j ACCEPT
-A POSTROUTING -s 172.19.80.1 -d 172.18.30.0/24 -j ACCEPT
-A POSTROUTING -s 172.18.70.0/24 -d 172.18.50.0/24 -j ACCEPT

# Hostname resolved at load time (see header).
-A POSTROUTING -s 172.18.30.211 -d pan.baidu.com -o eth1 -j SNAT --to 118.244.194.197
-A POSTROUTING -s 172.18.30.27 -o eth1 -j LOG --log-prefix "PST27: "
-A POSTROUTING -s 172.18.30.27 -o eth1 -j ACCEPT
# Unreachable: 172.18.70.22 and 172.18.20.3 are already ACCEPTed/SNATed earlier in the chain.
-A POSTROUTING -s 172.18.70.22 -o eth1 -j ACCEPT
-A POSTROUTING -s 172.18.20.3 -o eth1 -j ACCEPT
-A POSTROUTING -s 172.18.20.115 -o eth1 -j ACCEPT
-A POSTROUTING -s 172.18.20.115 -d 192.168.0.0/24 -j ACCEPT
-A POSTROUTING -m iprange --src-range 172.18.70.30-172.18.70.39 -j ACCEPT
# Unreachable: .20.114 -o eth1 is SNATed to .197 above; .20.125 is SNATed/ACCEPTed above.
-A POSTROUTING -s 172.18.20.114 -o eth1 -j ACCEPT
-A POSTROUTING -s 172.18.20.125 -o eth1 -j ACCEPT
#LOG-1
#LOG-2
# Unreachable: "-s 192.168.0.0/24 -o eth1 -j ACCEPT" above matches first.
-A POSTROUTING -s 192.168.0.26/32 -o eth1 -j SNAT --to-source 118.244.194.198
-A POSTROUTING -s 192.168.100.0/24 -d smtp.163.com -o eth1 -j SNAT --to-source 118.244.194.199
-A POSTROUTING -s 192.168.2.22 -p tcp --dport 25 -o eth1 -j SNAT --to-source 118.244.194.199
# Second SMTP source address (.211). Shadowed for hosts .1-.200 by the "Mail operation" block; the
# 172.18.50.0/24 line is fully unreachable because of the .50 catch-all ACCEPT above.
-A POSTROUTING -s 172.18.10.0/24 -p tcp --dport 25 -o eth1 -j SNAT --to 118.244.194.211
-A POSTROUTING -s 172.18.20.0/24 -p tcp --dport 25 -o eth1 -j SNAT --to 118.244.194.211
-A POSTROUTING -s 172.18.30.0/24 -p tcp --dport 25 -o eth1 -j SNAT --to 118.244.194.211
-A POSTROUTING -s 172.18.50.0/24 -p tcp --dport 25 -o eth1 -j SNAT --to 118.244.194.211
-A POSTROUTING -s 172.18.60.0/24 -p tcp --dport 25 -o eth1 -j SNAT --to 118.244.194.211
-A POSTROUTING -s 172.18.70.0/24 -p tcp --dport 25 -o eth1 -j SNAT --to 118.244.194.211

# Unreachable: shadowed by "-s 192.168.0.0/24 -o eth1 -j ACCEPT" above.
-A POSTROUTING -s 192.168.0.0/24 -o eth1 -j SNAT --to 118.244.194.199
#-A POSTROUTING -s 192.168.20.0/24 -o eth1 -j SNAT --to 118.244.194.198
-A POSTROUTING -s 172.18.30.0/24 -d www.tftpay.com -o eth1 -j SNAT --to 118.244.194.198

# Unreachable (the .50 catch-all above), and the hostname has been redacted to "***.linux-oracle.win"
# on this page -- as written the line does not load at all.
-A POSTROUTING -s 172.18.50.0/24 -o eth1 -d ***.linux-oracle.win -j SNAT --to-source 118.244.194.198
-A POSTROUTING -s 172.18.60.10 -o eth1 -j SNAT --to-source 118.244.194.198

# 172.18.70.0/24 -> .111. The per-host lines are redundant with the /24 line that ends the group, and
# .70.21/.22/.23/.24/.25 never get here anyway (ACCEPTed or SNATed to .197 earlier). .70.25 appears twice.
-A POSTROUTING -s 172.18.70.24 -o eth1 -j SNAT --to 118.244.194.111
-A POSTROUTING -s 172.18.70.25 -o eth1 -j SNAT --to 118.244.194.111
-A POSTROUTING -s 172.18.70.21 -o eth1 -j SNAT --to 118.244.194.111
-A POSTROUTING -s 172.18.70.22 -o eth1 -j SNAT --to 118.244.194.111
-A POSTROUTING -s 172.18.70.23 -o eth1 -j SNAT --to 118.244.194.111
-A POSTROUTING -s 172.18.70.25 -o eth1 -j SNAT --to 118.244.194.111
-A POSTROUTING -s 172.18.70.11 -o eth1 -j SNAT --to 118.244.194.111
-A POSTROUTING -s 172.18.70.12 -o eth1 -j SNAT --to 118.244.194.111
-A POSTROUTING -s 172.18.70.0/24 -o eth1 -j SNAT --to 118.244.194.111
# The catch-all SNAT is disabled (see header for the consequence).
#-A POSTROUTING -s 0.0.0.0/0 -o eth1 -j SNAT --to 118.244.194.111

-A POSTROUTING -s 172.18.20.1 -j ACCEPT
-A POSTROUTING -s 172.18.0.14 -j ACCEPT
-A POSTROUTING -d 172.18.20.2 -j ACCEPT
-A POSTROUTING -d 172.18.20.3 -j ACCEPT
-A POSTROUTING -d 172.16.30.36 -j ACCEPT
-A POSTROUTING -d 192.168.2.22 -j ACCEPT
-A POSTROUTING -d 192.168.2.24 -j ACCEPT
-A POSTROUTING -s 172.18.20.125 -j ACCEPT
-A POSTROUTING -s 118.244.194.199 -j ACCEPT
-A POSTROUTING -s 10.10.10.12 -d 172.18.100.100 -j ACCEPT
-A POSTROUTING -s 192.168.20.13 -d 172.18.100.100 -j ACCEPT
-A POSTROUTING -s 172.18.100.100 -j ACCEPT
-A POSTROUTING -s 172.18.30.1 -j ACCEPT
-A POSTROUTING -s 172.18.30.0/24 -d 172.18.0.0/16 -j ACCEPT
-A POSTROUTING -s 172.18.20.0/24 -d 172.18.0.0/16 -j ACCEPT
-A POSTROUTING -s 172.18.10.0/24 -d 172.18.0.0/16 -j ACCEPT

-A POSTROUTING -s 172.18.0.16/32 -d 192.168.0.0/24 -j ACCEPT
# SNAT to the packet's own private source on the WAN interface is a no-op translation that cannot
# receive replies; FORWARD drops .0.15 -> eth1 anyway (unless an earlier ACCEPT there lets it through,
# see the filter table). Likewise 192.168.100.0/24 -> 192.168.100.1 below. NOTE(review): confirm.
-A POSTROUTING -s 172.18.0.15/32 -o eth1 -j SNAT --to-source 172.18.0.15
-A POSTROUTING -s 172.18.10.0/24 -o eth1 -j SNAT --to-source 118.244.194.111
-A POSTROUTING -s 172.18.100.100 -d 172.18.20.28 -j SNAT --to-source 172.18.100.100
-A POSTROUTING -s 192.168.100.0/24 -o eth1 -j SNAT --to-source 192.168.100.1
-A POSTROUTING -s 172.18.60.11 -d 172.16.30.0/24 -j SNAT --to-source 10.10.10.27
# Duplicate of the .70 -> .50 ACCEPT earlier in the chain.
-A POSTROUTING -s 172.18.70.0/24 -d 172.18.50.0/24 -j ACCEPT
-A POSTROUTING -d 172.18.70.0/24 -s 172.18.50.0/24 -j ACCEPT
-A POSTROUTING -s 172.19.0.0/16 -d 172.18.0.0/16 -j ACCEPT
-A POSTROUTING -s 172.18.0.0/16 -d 172.19.0.0/16 -j ACCEPT
-A POSTROUTING -s 192.168.20.13 -d 172.18.20.15 -j ACCEPT
-A POSTROUTING -s 10.10.10.54 -d 172.18.30.211 -j ACCEPT
-A POSTROUTING -s 172.16.30.51 -d 172.18.30.211 -j ACCEPT
# Unthrottled LOG of everything that reached the end of the chain, on all interfaces: the "Total_POST"
# line fires for every new connection the rules above did not terminate. Add -m limit or drop it.
-A POSTROUTING -s 10.10.0.0/16 -j LOG --log-prefix "***10_POST "
-A POSTROUTING -s 10.10.0.0/24 -j LOG --log-prefix "***0_POST "
-A POSTROUTING -j LOG --log-prefix "Total_POST "
#-A PREROUTING -j LOG --log-prefix "Idcgw_Pre "

#Handawei-sit-LAB
#-A POSTROUTING -d 172.16.30.32/32 -j SNAT --to-source 10.10.10.27
#-A POSTROUTING -d 172.16.30.33/32 -j SNAT --to-source 10.10.10.27
#-A POSTROUTING -d 172.16.30.34/32 -j SNAT --to-source 10.10.10.27
#-A POSTROUTING -d 192.168.2.0/24 -j SNAT --to-source 172.18.20.28
#-A POSTROUTING -d 192.168.6.0/24 -j SNAT --to-source 172.18.20.25

COMMIT

*filter
# filter table. All three policies are ACCEPT and the terminal "-A FORWARD -j DROP" at the end of the
# chain is commented out, so forwarding is default-allow: only the explicit DROP rules below restrict
# anything, and every ACCEPT that is not followed by a DROP that would otherwise match is redundant.
# The usual fix is ":FORWARD DROP" (or re-enabling the final DROP) once the required ACCEPTs have
# been checked. Rules are first-match; unreachable/dead rules are marked inline.
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# Reply/related traffic first. This is also what lets ICMP errors for existing flows past the
# "-i eth1 -p icmp -j DROP" near the end of the chain.
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -d 219.142.89.183 -j ACCEPT
-A FORWARD -d 124.127.181.67 -j ACCEPT
# 172.18.70.0/24 may reach 172.18/16 and 172.20/16; everything else from it is dropped a few lines
# down, except the exemptions in between.
-A FORWARD -s 172.18.70.0/24 -d 172.18.0.0/16 -j ACCEPT
# "172.20.0/16" is three-octet shorthand; iptables appears to parse it as 172.20.0.0/16, but write
# the full address so the intent is unambiguous.
-A FORWARD -s 172.18.70.0/24 -d 172.20.0/16 -j ACCEPT

# Source-port bypass: the source port is chosen by the client, so any host in 172.18.70.0/24 can
# escape the subnet DROP below simply by binding to port 3389. If the goal is "replies from RDP
# servers in .70", the ESTABLISHED rule at the top already covers that -- delete this line.
-A FORWARD -s 172.18.70.0/24 -p tcp --sport 3389 -j ACCEPT
-A FORWARD -s 172.18.70.23 -j ACCEPT
-A FORWARD -s 172.18.70.24 -j ACCEPT
-A FORWARD -s 172.18.70.25 -j ACCEPT
-A FORWARD -s 172.18.70.26 -j ACCEPT
-A FORWARD -s 172.18.70.41 -j ACCEPT
-A FORWARD -s 172.18.70.42 -j ACCEPT
# Lets 172.18.0.15 out to the Internet; the "-s 172.18.0.15 -o eth1 -j DROP" further down is
# therefore unreachable.
-A FORWARD -s 172.18.0.15 -o eth1 -j ACCEPT
-A FORWARD -s 172.18.20.125 -o eth1 -j ACCEPT
-A FORWARD -s 172.18.10.11 -o eth1 -j ACCEPT
# Outbound SMTP from all of .70 to anywhere (the later ".70 -o eth1 --dport 25 -j DROP" never matches).
-A FORWARD -s 172.18.70.0/24 -p tcp --dport 25 -j ACCEPT
# Terminal DROP for 172.18.70.0/24: every later rule with "-s 172.18.70.0/24" or a .70 src-range
# (the .70.255 DROP, the .70.30-.39 DROP, the .70.1-.50 / .70.1-.255 ACCEPTs, the /24 ACCEPTs, the
# .70 -> 172.20.1.14 ACCEPT) is unreachable.
-A FORWARD -s 172.18.70.0/24 -j DROP
-A FORWARD -s 172.18.70.0/24 -d 172.18.70.255 -j DROP
-A FORWARD -s 172.16.3.0/24 -d 172.18.20.11 -j ACCEPT
-A FORWARD -s 172.16.3.0/24 -d 172.18.100.100 -j ACCEPT
-A FORWARD -m iprange --src-range 172.18.70.30-172.18.70.39 -o eth1 -j DROP
-A FORWARD -s 172.18.10.11 -d 172.16.30.38 -j ACCEPT
# Any 172.18/16 source to any 172.18/16 destination, on any interface. There is no "-i eth1" anti-
# spoofing rule in this chain, so a packet arriving from the Internet with a forged 172.18.x source
# also matches unless rp_filter rejects it (not visible here). Add "-A FORWARD -i eth1 -s 172.18.0.0/16
# -j DROP" (and the other internal ranges) ahead of this rule.
-A FORWARD -s 172.18.0.0/16 -d 172.18.0.0/16 -j ACCEPT
-A FORWARD -m iprange --src-range 172.18.20.1-172.18.20.30 -j ACCEPT
-A FORWARD -m iprange --src-range 172.18.30.98-172.18.30.100 -j ACCEPT
# 172.18.0.16 may only reach 172.18/16 (previous ACCEPT); the later "-s 172.18.0.16 -o eth1 -j DROP"
# is unreachable.
-A FORWARD -s 172.18.0.16 -j DROP
-A FORWARD -s 172.18.0.0/16 -j LOG --log-prefix "gwFORs18: "
-A FORWARD -d 172.16.30.0/24 -s 172.18.100.100 -j ACCEPT
-A FORWARD -d 192.168.2.0/24 -s 172.18.100.100 -j ACCEPT
#-A FORWARD -d 172.18.70.0/24 -j LOG --log-prefix "gwFORd70: "
# Egress block of NetBIOS/SMB/RPC from 172.18.30.0/24 (tcp/udp 135, 137, 138, 445). 139 is missing
# from this list although the INPUT chain drops it.
-A FORWARD -s 172.18.30.0/24 -p udp -m udp --dport 445 -j DROP
-A FORWARD -s 172.18.30.0/24 -p udp -m udp --dport 138 -j DROP
-A FORWARD -s 172.18.30.0/24 -p udp -m udp --dport 135 -j DROP
-A FORWARD -s 172.18.30.0/24 -p udp -m udp --dport 137 -j DROP
-A FORWARD -s 172.18.30.0/24 -p tcp -m tcp --dport 445 -j DROP
-A FORWARD -s 172.18.30.0/24 -p tcp -m tcp --dport 138 -j DROP
-A FORWARD -s 172.18.30.0/24 -p tcp -m tcp --dport 135 -j DROP
-A FORWARD -s 172.18.30.0/24 -p tcp -m tcp --dport 137 -j DROP
-A FORWARD -s 192.168.20.13 -d 172.18.20.15 -j ACCEPT
-A FORWARD -d 192.168.2.22 -j ACCEPT
-A FORWARD -d 192.168.2.24 -j ACCEPT
-A FORWARD -d 172.16.30.36 -j ACCEPT
# Anything to the gateway's own public /27 (the narrower "-s 172.18.0.0/16" variant below is redundant).
-A FORWARD -d 118.244.194.192/27 -j ACCEPT
-A FORWARD -m iprange --dst-range 218.241.140.80-218.241.140.88 -j ACCEPT
-A FORWARD -d 58.250.61.160 -j ACCEPT
-A FORWARD -d 211.147.7.47 -j ACCEPT
-A FORWARD -d 113.106.85.42 -j ACCEPT
-A FORWARD -d 117.121.10.135 -j ACCEPT
# Hostname resolved once at load time; if the name changes this rule silently points elsewhere.
-A FORWARD -d mail.buyforyou.cn -j ACCEPT
-A FORWARD -s 172.18.0.0/16 -d 118.244.194.192/27 -j ACCEPT
-A FORWARD -s 172.18.20.0/24 -j ACCEPT
-A FORWARD -s 10.10.10.41 -j ACCEPT
# Outbound SMTP allow-list by MX name. "-s 0.0.0.0/0" is the default and adds nothing. MX hostnames
# are resolved when the rules load (one rule per A record at that moment); when the provider changes
# its MX addresses these rules go stale without any error. The literal 220.181.15.x lines are the
# same idea frozen as addresses.
-A FORWARD -s 0.0.0.0/0 -d mx1.mail.139.com -o eth1 -p tcp --dport 25 -j ACCEPT
-A FORWARD -s 0.0.0.0/0 -d mx2.mail.139.com -o eth1 -p tcp --dport 25 -j ACCEPT
-A FORWARD -s 0.0.0.0/0 -d mx3.mail.139.com -o eth1 -p tcp --dport 25 -j ACCEPT
-A FORWARD -s 0.0.0.0/0 -d freemx1.sinamail.sina.com.cn -o eth1 -p tcp --dport 25 -j ACCEPT
-A FORWARD -s 0.0.0.0/0 -d freemx2.sinamail.sina.com.cn -o eth1 -p tcp --dport 25 -j ACCEPT
-A FORWARD -s 0.0.0.0/0 -d freemx3.sinamail.sina.com.cn -o eth1 -p tcp --dport 25 -j ACCEPT
-A FORWARD -s 0.0.0.0/0 -d 220.181.15.144 -o eth1 -p tcp --dport 25 -j ACCEPT
-A FORWARD -s 0.0.0.0/0 -d 220.181.15.195 -o eth1 -p tcp --dport 25 -j ACCEPT
-A FORWARD -s 0.0.0.0/0 -d 220.181.15.143 -o eth1 -p tcp --dport 25 -j ACCEPT
-A FORWARD -s 0.0.0.0/0 -d 220.181.15.151 -o eth1 -p tcp --dport 25 -j ACCEPT
-A FORWARD -s 0.0.0.0/0 -d 220.181.15.135 -o eth1 -p tcp --dport 25 -j ACCEPT

# The .70 line is unreachable (.70 SMTP was ACCEPTed above, and the rest of .70 already DROPped);
# the .50 line is live and is the only outbound-SMTP restriction in this chain.
-A FORWARD -s 172.18.70.0/24 -o eth1 -p tcp --dport 25 -j DROP
-A FORWARD -s 172.18.50.0/24 -o eth1 -p tcp --dport 25 -j DROP
-A FORWARD -s 192.168.20.115 -d 172.18.100.100 -j ACCEPT
-A FORWARD -s 192.168.20.13 -d 172.18.100.100 -j ACCEPT
-A FORWARD -s 10.10.10.11 -d 172.18.20.15 -j ACCEPT
-A FORWARD -s 10.10.10.11 -d 172.18.100.100 -j ACCEPT
-A FORWARD -s 10.10.10.54 -d 172.18.100.100 -j ACCEPT
-A FORWARD -s 10.10.10.53 -d 172.18.100.100 -j ACCEPT
-A FORWARD -s 192.168.20.131 -d 172.18.100.100 -j ACCEPT
-A FORWARD -m iprange --src-range 172.18.0.1-172.18.0.12 -j ACCEPT
# Both unreachable (see the .70 DROP above).
-A FORWARD -m iprange --src-range 172.18.70.1-172.18.70.50 -j ACCEPT
-A FORWARD -m iprange --src-range 172.18.70.1-172.18.70.255 -d 172.16.30.3 -j ACCEPT

# .0.15 -o eth1 DROP is unreachable (ACCEPTed near the top); .0.14 -o eth1 DROP is live.
-A FORWARD -s 172.18.0.15 -o eth1 -j DROP
-A FORWARD -s 172.18.0.14 -o eth1 -j DROP
-A FORWARD -s 172.18.10.11 -o eth1 -j ACCEPT
-A FORWARD -s 10.10.10.11 -d 172.18.20.20 -j ACCEPT
-A FORWARD -s 172.16.30.0/24 -d 172.18.30.211 -j ACCEPT
-A FORWARD -s 172.18.30.64 -o eth1 -j ACCEPT
# Unreachable (.0.16 already DROPped above).
-A FORWARD -s 172.18.0.16 -o eth1 -j DROP
# Live: 172.18.30.211 cannot reach the Internet, so its pan.baidu.com SNAT in the nat table is moot.
-A FORWARD -s 172.18.30.211 -o eth1 -j DROP
-A FORWARD -s 172.19.0.0/16 -o eth1 -j LOG --log-prefix "gwFOR19: "
-A FORWARD -s 172.18.0.0/16 -o eth1 -j LOG --log-prefix "gwFOR18: "
-A FORWARD -s 192.168.100.122 -o eth1 -j DROP
-A FORWARD -s 192.168.100.0/24 -o eth1 -j LOG --log-prefix "gwFOR100: "
-A FORWARD -s 172.18.20.13 -d 172.18.20.15 -j ACCEPT
-A FORWARD -s 192.168.20.0/24 -j LOG --log-prefix "gwFORwgc192: "
-A FORWARD -s 172.20.0.0/16 -j LOG --log-prefix "gwFORwgc172: "
-A FORWARD -s 192.168.2.0/24 -j LOG --log-prefix "gwFORgu192: "
-A FORWARD -s 172.16.0.0/16 -j LOG --log-prefix "gwFORgu172: "
-A FORWARD -s 10.10.10.80 -j ACCEPT
-A FORWARD -s 10.10.10.12 -j ACCEPT
-A FORWARD -s 10.10.10.54 -d 172.18.30.211 -j ACCEPT
-A FORWARD -s 10.10.10.0/24 -j LOG --log-prefix "FOR***10: "
# Whole 192.168.0.0/24 may go anywhere (including eth1, where the nat table leaves most of it un-NATed).
-A FORWARD -s 192.168.0.0/24 -j ACCEPT
-A FORWARD -s 10.10.10.20 -j ACCEPT
-A FORWARD -s 10.10.10.21 -j ACCEPT
-A FORWARD -s 10.10.10.65 -j ACCEPT
-A FORWARD -s 10.10.10.11 -j ACCEPT
-A FORWARD -s 10.10.10.11 -d 172.18.20.11 -j ACCEPT
-A FORWARD -s 10.10.10.41 -d 172.18.10.11 -j ACCEPT
-A FORWARD -d 192.168.2.48 -j ACCEPT
-A FORWARD -d 192.168.2.0/24 -j ACCEPT
-A FORWARD -d 61.240.136.201 -j ACCEPT
-A FORWARD -s 172.18.100.100 -j ACCEPT
-A FORWARD -s 172.18.100.100 -d 172.18.0.0/16 -j ACCEPT
-A FORWARD -s 172.18.0.0/16 -d 172.19.0.0/16 -j ACCEPT
-A FORWARD -d 172.18.0.0/16 -s 172.19.0.0/16 -j ACCEPT
-A FORWARD -s 172.18.0.0/24 -j ACCEPT
-A FORWARD -d 172.18.0.0/24 -j ACCEPT
-A FORWARD -s 172.18.10.0/24 -j ACCEPT
-A FORWARD -s 172.18.20.0/24 -j ACCEPT
-A FORWARD -s 172.18.0.0/16 -o eth1 -p udp --dport 123 -j ACCEPT
-A FORWARD -s 172.18.0.0/16 -o eth1 -p tcp --dport 123 -j ACCEPT
-A FORWARD -s 172.18.0.0/16 -o eth1 -p udp --dport 161 -j ACCEPT
-A FORWARD -s 192.168.20.131 -d 172.18.20.2 -j ACCEPT
-A FORWARD -s 172.18.20.28 -d 172.18.100.100 -j ACCEPT
# Whole-subnet ACCEPTs. .40, .60, .80, .90 and .100 have no SNAT in the nat table, so with FORWARD
# letting them out they reach eth1 with private source addresses.
-A FORWARD -s 172.18.30.0/24 -j ACCEPT
-A FORWARD -s 172.18.40.0/24 -j ACCEPT
-A FORWARD -s 172.18.50.0/24 -d 172.18.70.0/24 -j ACCEPT
-A FORWARD -s 172.18.50.0/24 -j ACCEPT
-A FORWARD -s 172.18.60.0/24 -j ACCEPT
-A FORWARD -s 172.18.70.0/24 -j ACCEPT
-A FORWARD -d 172.18.70.0/24 -j ACCEPT
-A FORWARD -s 172.18.70.0/24 -d 172.18.50.0/24 -j ACCEPT
-A FORWARD -s 172.18.80.0/24 -j ACCEPT
-A FORWARD -s 172.18.0.0/16 -d 172.19.0.0/16 -j ACCEPT
-A FORWARD -d 172.18.0.0/16 -s 172.19.0.0/16 -j ACCEPT
-A FORWARD -s 172.18.90.0/24 -j ACCEPT
-A FORWARD -s 172.18.100.0/24 -j ACCEPT
-A FORWARD -s 172.18.0.15 -d 172.20.1.14 -j ACCEPT
-A FORWARD -s 172.18.50.0/24 -d 172.20.1.14 -j ACCEPT
-A FORWARD -s 172.18.70.0/24 -d 172.20.1.14 -j ACCEPT
-A FORWARD -s 172.18.20.0/24 -d 172.20.1.14 -j ACCEPT
# 192.168.100.0/24 is dropped when it arrives on eth1 or eth0, with one host exempted on eth1.
# NOTE(review): a private source arriving on the public interface -- confirm which segment that is.
-A FORWARD -i eth1 -s 192.168.100.121 -j ACCEPT
-A FORWARD -i eth1 -s 192.168.100.0/24 -j DROP
-A FORWARD -i eth0 -s 192.168.100.0/24 -j DROP
-A FORWARD -s 172.18.50.0/24 -d 224.0.0.0/8 -j ACCEPT
-A FORWARD -s 172.18.100.100 -j ACCEPT
-A FORWARD -d 172.18.100.100 -j ACCEPT
-A FORWARD -d 172.18.20.50 -j ACCEPT
-A FORWARD -d 172.18.20.51 -j ACCEPT
-A FORWARD -d 172.18.20.52 -j ACCEPT
-A FORWARD -d 172.16.30.36 -j ACCEPT
-A FORWARD -d 172.18.20.53 -j ACCEPT
-A FORWARD -d 172.18.20.114 -j ACCEPT
-A FORWARD -d 172.18.20.125 -j ACCEPT
-A FORWARD -s 172.18.20.0/24 -d 172.18.30.0/24 -j ACCEPT
-A FORWARD -s 172.18.30.0/24 -d 172.18.20.0/24 -j ACCEPT
-A FORWARD -i eth1 -p tcp --dport 194 -j ACCEPT
# All ICMP from eth1 that is not RELATED to an existing flow (echo requests etc.).
-A FORWARD -i eth1 -p icmp -j DROP
# Logs every packet that reaches the end of the chain, unthrottled, and then the ACCEPT policy
# applies. An external sender can fill the log at line rate -- add "-m limit --limit 10/min
# --limit-burst 50" before -j LOG.
-A FORWARD -j LOG --log-prefix "gwTotal_for "
# The deny-by-default rule is disabled; see the table header.
#-A FORWARD -j DROP
#------------------------------------------------------------------------
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -i eth0 -p tcp --dport 53 -j ACCEPT
-A INPUT -i eth0 -p tcp --dport 194 -j ACCEPT
-A INPUT -i eth0 -p udp --dport 53 -j ACCEPT
-A INPUT -i eth0 -p udp --dport 123 -j ACCEPT
-A INPUT -i eth0 -p tcp --dport 123 -j ACCEPT
-A INPUT -s 172.18.70.0/24 -d 172.18.70.255 -j DROP
-A INPUT -s 172.18.70.0/24 -d 172.18.70.1 -p tcp --dport 3344 -j ACCEPT
-A INPUT -s 172.18.0.16/32 -d 172.18.20.1 -p tcp --dport 3344 -j ACCEPT
-A INPUT -s 172.18.70.0/24 -j LOG --log-prefix "gw70_in "
-A INPUT -s 172.18.70.0/24 -j ACCEPT
-A INPUT -p udp --dport 137 -j DROP
-A INPUT -p udp --dport 138 -j DROP
-A INPUT -i eth1 -p udp --dport 5900 -j DROP
-A INPUT -i eth1 -p tcp --dport 5900 -j DROP
-A INPUT -i eth1 -s 60.173.9.247 -p tcp --dport 9922 -j DROP
-A INPUT -p udp --dport 67 -j DROP
-A INPUT -p udp --dport 68 -j DROP
-A INPUT -p tcp --dport 139 -j DROP
-A INPUT -p tcp --dport 137 -j DROP
-A INPUT -p tcp --dport 138 -j DROP
-A INPUT -p udp --dport 139 -j DROP
-A INPUT -p udp --dport 137 -j DROP
-A INPUT -p udp --dport 138 -j DROP
-A INPUT -p tcp --dport 445 -j DROP
-A INPUT -p udp --dport 445 -j DROP
-A INPUT -i eth1 -p tcp --dport 53 -j DROP
-A INPUT -i eth1 -p udp --dport 53 -j DROP
-A INPUT -i eth1 -p udp --dport 123 -j DROP
-A INPUT -i eth1 -p tcp --dport 123 -j DROP
-A INPUT -s 172.18.0.0/16 -d 118.244.194.192/27 -j ACCEPT
#-A INPUT -i eth1 -j LOG --log-prefix "WAN_in "
-A INPUT -s 172.18.10.11 -j ACCEPT
-A INPUT -s 172.18.10.12 -j ACCEPT
-A INPUT -s 172.18.0.14 -j ACCEPT
-A INPUT -s 172.18.0.15 -j ACCEPT
-A INPUT -s 172.18.30.211 -j ACCEPT
-A INPUT -s 172.18.30.11 -j ACCEPT
-A INPUT -s 172.18.30.100 -d 172.18.30.1 -j ACCEPT
-A INPUT -s 172.18.30.12 -j ACCEPT
-A INPUT -s 172.18.20.20 -j ACCEPT
-A INPUT -s 172.18.20.4 -j ACCEPT
-A INPUT -s 172.18.20.5 -j ACCEPT
-A INPUT -s 172.18.20.6 -j ACCEPT
-A INPUT -s 172.18.20.7 -j ACCEPT
-A INPUT -s 172.18.20.0/24 -j ACCEPT
-A INPUT -s 172.18.20.21 -j ACCEPT
-A INPUT -s 172.18.20.29 -j ACCEPT
-A INPUT -s 172.18.20.125 -j ACCEPT
-A INPUT -s 172.18.20.115 -j ACCEPT
-A INPUT -s 172.18.20.114 -j ACCEPT
-A INPUT -s 172.18.20.125 -j ACCEPT
-A INPUT -s 172.18.20.55 -j ACCEPT
-A INPUT -s 172.18.20.50 -j ACCEPT
-A INPUT -s 172.18.20.52 -j ACCEPT
-A INPUT -s 172.18.20.2 -j ACCEPT
-A INPUT -s 172.18.0.20 -j ACCEPT
-A INPUT -s 172.18.50.20 -j ACCEPT
-A INPUT -s 172.18.50.50 -j ACCEPT
-A INPUT -s 172.18.50.0/24 -j ACCEPT
-A INPUT -s 172.18.60.2 -p udp --dport 514 -j ACCEPT
-A INPUT -s 172.18.60.2 -p icmp -j ACCEPT
-A INPUT -s 172.18.70.11 -j ACCEPT
-A INPUT -s 172.18.70.12 -j ACCEPT
-A INPUT -s 172.18.70.24 -j ACCEPT
-A INPUT -s 172.18.70.25 -j ACCEPT
-A INPUT -s 172.18.70.22 -j ACCEPT
-A INPUT -s 172.18.70.21 -j ACCEPT
-A INPUT -s 172.18.70.23 -j ACCEPT
-A INPUT -s 172.18.70.30 -j ACCEPT
-A INPUT -s 172.18.70.31 -j ACCEPT
-A INPUT -s 172.18.70.32 -j ACCEPT
-A INPUT -s 172.18.70.25 -j ACCEPT
-A INPUT -s 172.18.70.51 -j ACCEPT
-A INPUT -s 172.18.70.52 -j ACCEPT
-A INPUT -s 172.16.30.50 -j ACCEPT
-A INPUT -s 172.16.30.51 -j ACCEPT
-A INPUT -s 172.16.30.52 -j ACCEPT
-A INPUT -s 172.16.0.16 -p tcp --dport 3344 -j ACCEPT
-A INPUT -s 192.168.0.0/24 -j ACCEPT
-A INPUT -s 192.168.100.0/24 -j ACCEPT
-A INPUT -s 10.10.10.54 -j ACCEPT
-A INPUT -s 10.10.10.11 -d 172.18.20.11 -j ACCEPT
-A INPUT -s 10.10.10.11 -d 172.18.20.20 -j ACCEPT
-A INPUT -d 10.10.255.255 -j ACCEPT
-A INPUT -d 118.244.194.198 -p tcp --dport 8083 -j ACCEPT
-A INPUT -s 218.241.140.82 -d 118.244.194.197 -p tcp --dport 8558 -j ACCEPT
-A INPUT -s 223.72.70.125 -d 118.244.194.197 -p tcp --dport 8558 -j ACCEPT
-A INPUT -s 218.241.140.86 -d 118.244.194.211 -p tcp --dport 8080 -j ACCEPT
-A INPUT -s 101.226.125.104 -d 118.244.194.211 -p tcp --dport 8080 -j ACCEPT
-A INPUT -d 118.244.194.211 -p tcp --dport 80 -j DROP

# --- 118.244.194.211: per-source rate limiting --------------------------------
# 8560/6580: per-source-IP token bucket (300/s, burst 512). There is no -m state,
# so established traffic is counted as well; packets over budget are not dropped
# here but fall through to the generic rules below.
-A INPUT -d 118.244.194.211 -p tcp --dport 8560 -m hashlimit --hashlimit-upto 300/sec --hashlimit-burst 512 --hashlimit-mode srcip --hashlimit-name T8560 -j ACCEPT
-A INPUT -d 118.244.194.211 -p tcp --dport 6580 -m hashlimit --hashlimit-upto 300/sec --hashlimit-burst 512 --hashlimit-mode srcip --hashlimit-name T6580 -j ACCEPT
# Non-terminating (no -j): records every NEW TCP packet from eth1 in the
# 'wt211' recent list, keyed on source address.
-A INPUT -i eth1 -d 118.244.194.211 -p tcp -m tcp -m state --state NEW -m recent --set --name wt211 --rsource
# A source seen with 90 or more NEW packets within the last 30 s is dropped.
# --update also refreshes its timestamp, so it stays blocked while it keeps
# sending. NOTE(review): a hitcount of 90 exceeds xt_recent's default
# ip_pkt_list_tot (20); this rule only loads when that module parameter was
# raised, so keep that setting alongside this ruleset or restore will fail.
-A INPUT -i eth1 -d 118.244.194.211 -p tcp -m tcp -m state --state NEW -m recent --update --seconds 30 --hitcount 90 --name wt211 --rsource -j DROP
# NOTE(review): -m limit is a single global bucket (10/s, burst 20) shared by
# every source, not a per-source budget; one busy client can starve the rest.
-A INPUT -i eth1 -d 118.244.194.211 -p tcp -m tcp -m state --state NEW -m limit --limit-burst 20 --limit 10/s -j ACCEPT
# Accepts any TCP (not only NEW) while the source address has at most 32
# connections in this rule's connlimit table (default per-address mask).
-A INPUT -i eth1 -d 118.244.194.211 -p tcp -m tcp -m connlimit ! --connlimit-above 32 -j ACCEPT
# Disabled; the unconditional DROP for .211 later in the chain covers it.
#-A INPUT -i eth1 -d 118.244.194.211 -p tcp -m tcp -j DROP

# --- 118.244.194.198: same pattern as .211 (recent + global limit + connlimit) --
# Only 8081 gets a hashlimit bucket here. The bucket name 'W9981' does not match
# the port; cosmetic, but easy to misread when inspecting the hashlimit tables.
-A INPUT -i eth1 -d 118.244.194.198 -p tcp --dport 8081 -m hashlimit --hashlimit-upto 300/sec --hashlimit-burst 512 --hashlimit-mode srcip --hashlimit-name W9981 -j ACCEPT
# Non-terminating: records the source in the 'wt198' list.
-A INPUT -i eth1 -d 118.244.194.198 -p tcp -m tcp -m state --state NEW -m recent --set --name wt198 --rsource
# 90 or more NEW packets from one source within 30 s -> DROP (timer refreshed).
-A INPUT -i eth1 -d 118.244.194.198 -p tcp -m tcp -m state --state NEW -m recent --update --seconds 30 --hitcount 90 --name wt198 --rsource -j DROP
# NOTE(review): global 10/s bucket shared by all sources, as in the .211 group.
-A INPUT -i eth1 -d 118.244.194.198 -p tcp -m tcp -m state --state NEW -m limit --limit-burst 20 --limit 10/s -j ACCEPT
-A INPUT -i eth1 -d 118.244.194.198 -p tcp -m tcp -m connlimit ! --connlimit-above 32 -j ACCEPT
# Disabled, and it names .211 rather than .198 -- looks like copy-paste residue.
# Unlike .211 there is no catch-all DROP for .198 in this chunk, so traffic that
# exceeds the limits above simply continues down the chain.
#-A INPUT -i eth1 -d 118.244.194.211 -p tcp -m tcp -j DROP

# --- .197:8558, interface logging, conntrack pass-through, .211 catch-all -----
# Logs every packet to .197:8558 with no -m limit; under load this can flood the
# syslog path. A '-m limit' on LOG rules keeps log volume bounded.
-A INPUT -d 118.244.194.197 -p tcp -m tcp --dport 8558 -j LOG --log-prefix "gwSQ8558: "
# Unconditional ACCEPT for .197:8558 from any source on any interface.
# NOTE(review): this shadows the entire per-source 8558 limiter group further
# down (connlimit/hashlimit/recent rules for .197:8558); none of those can match
# once this line is in place.
-A INPUT -d 118.244.194.197 -p tcp -m tcp --dport 8558 -j ACCEPT
#-A INPUT -i eth1 ! -d 118.244.194.197 -p tcp -m tcp --dport 8558 -j LOG --log-prefix "gwETH1_in "
# Logs every NEW connection arriving on eth1, unthrottled (same flood concern).
-A INPUT -i eth1 -m state --state NEW -j LOG --log-prefix "gwETH1_in "
# 9922 (treated as the SSH port by the 'sshlimit' rules below) is accepted on
# .199 from any source with no state or rate match, so the per-source 9922
# brute-force limiter below protects every address except .199.
-A INPUT -d 118.244.194.199 -p tcp -m tcp --dport 9922 -j ACCEPT
# Reply and related traffic on eth1 is accepted here; every eth1 rule after this
# line effectively deals with NEW, INVALID or untracked packets only.
-A INPUT -i eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT
# Per-packet LOG on eth0 and tap0 with no limit. Both are repeated just before
# the final DROP, so a packet that reaches the end of the chain is logged twice.
-A INPUT -i eth0 -j LOG --log-prefix "gwETH0_in "
-A INPUT -i tap0 -j LOG --log-prefix "gwTAP0_in "
# Catch-all for .211: whatever the .211 limiter group did not accept is dropped.
# The first line is a strict subset of the second with the same target, so it
# is redundant.
-A INPUT -i eth1 -d 118.244.194.211 -p tcp -m tcp -m state --state NEW -j DROP
-A INPUT -d 118.244.194.211 -p tcp -j DROP

# --- source-only accepts for the public /27 and two more internal /24s --------
# NOTE(review): 118.244.194.192/27 is the public range this host's own service
# addresses (.197/.198/.199/.205/.211) sit in. This rule trusts every host in
# that /27 for every port and protocol and has no -i, so it also accepts on the
# public side. If any address in the /27 is not under this administration,
# narrow the rule (or bind it to the internal interface) -- confirm.
-A INPUT -s 118.244.194.192/27 -j ACCEPT
-A INPUT -s 10.10.10.0/24 -j ACCEPT
-A INPUT -s 10.20.20.0/24 -j ACCEPT
# DNS/TCP plus NetBIOS (139) and SMB (445) from the whole public /24, which is
# wider than the /27 above. Confirm the remaining addresses in 118.244.194.0/24
# are trusted before leaving file-sharing ports open to them.
-A INPUT -s 118.244.194.0/24 -p tcp -m tcp --dport 53 -j ACCEPT
-A INPUT -s 118.244.194.0/24 -p tcp -m tcp --dport 139 -j ACCEPT
-A INPUT -s 118.244.194.0/24 -p tcp -m tcp --dport 445 -j ACCEPT

# --- per-source limiter for .197:8558 on eth1 (currently UNREACHABLE) ---------
# NOTE(review): every rule in this group requires -d 118.244.194.197 with
# --dport 8558, and the unconditional '-d 118.244.194.197 -p tcp -m tcp
# --dport 8558 -j ACCEPT' earlier in the chain already accepted all such
# packets. None of these lines can match. To make the limiter effective, move
# that ACCEPT (and its LOG) below this group or delete it.
# Peer 218.241.140.82: at most 16 parallel connections, then a per-source
# 64/s bucket (burst 80).
-A INPUT -i eth1 -s 218.241.140.82 -d 118.244.194.197 -p tcp -m tcp --dport 8558 -m connlimit ! --connlimit-above 16 -j ACCEPT
-A INPUT -i eth1 -s 218.241.140.82 -d 118.244.194.197 -p tcp -m tcp --dport 8558 -m hashlimit --hashlimit-upto 64/sec --hashlimit-burst 80 --hashlimit-mode srcip --hashlimit-name SRC82 -j ACCEPT
# Everyone else: record in 'w8' (non-terminating), drop sources with 90 or more
# NEW packets in 30 s, then a global 90/s bucket and a 256-connection cap.
-A INPUT -i eth1 -d 118.244.194.197 -p tcp -m tcp --dport 8558 -m state --state NEW -m recent --set --name w8 --rsource
-A INPUT -i eth1 -d 118.244.194.197 -p tcp -m tcp --dport 8558 -m state --state NEW -m recent --update --seconds 30 --hitcount 90 --name w8 --rsource -j DROP
-A INPUT -i eth1 -d 118.244.194.197 -p tcp -m tcp --dport 8558 -m state --state NEW -m limit --limit-burst 90 --limit 90/s -j ACCEPT
-A INPUT -i eth1 -d 118.244.194.197 -p tcp -m tcp --dport 8558 -m connlimit ! --connlimit-above 256 -j ACCEPT
# Remainder for .197:8558 on eth1 is dropped; the NEW-only line is a subset of
# the one after it and adds nothing.
-A INPUT -i eth1 -d 118.244.194.197 -p tcp -m tcp --dport 8558 -m state --state NEW -j DROP
-A INPUT -i eth1 -d 118.244.194.197 -p tcp -m tcp --dport 8558 -j DROP

# --- per-address service ports (no -i, no state, no rate matching) ------------
-A INPUT -d 118.244.194.205 -p tcp -m tcp --dport 8549 -j ACCEPT
-A INPUT -d 118.244.194.205 -p tcp -m tcp --dport 8080 -j ACCEPT
-A INPUT -d 118.244.194.205 -p tcp -m tcp --dport 7001 -j ACCEPT
-A INPUT -d 118.244.194.205 -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -d 118.244.194.199 -p tcp -m tcp --dport 8083 -j ACCEPT
# Any TCP from 192.168.2.24, regardless of interface or destination.
-A INPUT -s 192.168.2.24 -p tcp -j ACCEPT
-A INPUT -d 118.244.194.197 -p tcp -m tcp --dport 8543 -j ACCEPT
-A INPUT -d 118.244.194.197 -p tcp -m tcp --dport 8550 -j ACCEPT
-A INPUT -d 118.244.194.197 -p tcp -m tcp --dport 8525 -j ACCEPT
-A INPUT -d 118.244.194.197 -p tcp -m tcp --dport 8526 -j ACCEPT
-A INPUT -d 118.244.194.197 -p tcp -m tcp --dport 8081 -j ACCEPT
-A INPUT -d 118.244.194.197 -p tcp -m tcp --dport 8082 -j ACCEPT
# 2121 is opened on every local address and every interface (no -d, no -i).
-A INPUT -p tcp -m tcp --dport 2121 -j ACCEPT
# FTP (21/20) and SSH (22) are closed on the public /24. Note that established
# flows on eth1 and anything from the trusted source ranges above were already
# accepted before reaching these DROPs.
-A INPUT -d 118.244.194.0/24 -p tcp -m tcp --dport 21 -j DROP
-A INPUT -d 118.244.194.0/24 -p tcp -m tcp --dport 20 -j DROP
-A INPUT -d 118.244.194.0/24 -p tcp -m tcp --dport 22 -j DROP
# DNS/UDP and NTP from the public /24. NTP over TCP/123 is unusual; confirm
# whether the TCP rule is actually needed.
-A INPUT -s 118.244.194.0/24 -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -s 118.244.194.0/24 -p udp -m udp --dport 123 -j ACCEPT
-A INPUT -s 118.244.194.0/24 -p tcp -m tcp --dport 123 -j ACCEPT
# NTP requests from anyone else on eth1 are dropped (replies to this host's own
# queries were accepted earlier as ESTABLISHED).
-A INPUT -i eth1 -p udp --dport 123 -j DROP
# Former source-pinned allows for 9922; now 9922 on eth1 is open to any source
# subject to the limiter below (except on .199, which was accepted earlier).
#-A INPUT -i eth1 -s 221.179.168.178 -p tcp -m tcp --dport 9922 -j ACCEPT
#-A INPUT -i eth1 -s 221.179.168.251 -p tcp -m tcp --dport 9922 -j ACCEPT
#-A INPUT -i eth1 -s 221.179.168.0/24 -p tcp -m tcp --dport 9922 -m state --state NEW -j ACCEPT
# --- 9922 brute-force limiter on eth1 ----------------------------------------
# Non-terminating: every NEW packet to 9922 is recorded in 'sshlimit'.
-A INPUT -i eth1 -p tcp -m tcp --dport 9922 -m state --state NEW -m recent --set --name sshlimit --rsource
# Because --set above already counted this packet, the second NEW attempt from
# the same source within 160 s is dropped, and --update refreshes the timer so
# further attempts extend the block. A legitimate admin opening a second session
# within 160 s is blocked as well.
-A INPUT -i eth1 -p tcp -m tcp --dport 9922 -m state --state NEW -m recent --update --seconds 160 --hitcount 2 --name sshlimit --rsource -j DROP
# Global bucket of 1/s (a bare --limit value is per second), burst 2.
-A INPUT -i eth1 -p tcp -m tcp --dport 9922 -m state --state NEW -m limit --limit-burst 2 --limit 1 -j ACCEPT
# Anything over the bucket is dropped.
-A INPUT -i eth1 -p tcp -m tcp --dport 9922 -m state --state NEW -j DROP

# --- generic NEW-TCP limiter for eth1 (everything not matched above) ----------
# Non-terminating: records the source of every remaining NEW TCP packet.
-A INPUT -i eth1 -p tcp -m tcp -m state --state NEW -m recent --set --name tcplimit --rsource
# 30 or more NEW packets from one source within 90 s -> DROP (timer refreshed).
-A INPUT -i eth1 -p tcp -m tcp -m state --state NEW -m recent --update --seconds 90 --hitcount 30 --name tcplimit --rsource -j DROP
# NOTE(review): a single global budget of 2/s (burst 4) shared by all sources on
# eth1. Under any sustained NEW rate the next rule drops the remainder for
# everyone, so one noisy client denies new connections to all other clients.
# A per-source hashlimit (as used for .211 above) would isolate sources.
-A INPUT -i eth1 -p tcp -m tcp -m state --state NEW -m limit --limit-burst 4 --limit 2 -j ACCEPT
# Final decision for NEW TCP on eth1: no rule below this line sees a NEW TCP
# packet from eth1.
-A INPUT -i eth1 -p tcp -m tcp -m state --state NEW -j DROP

# --- UDP limiter for eth1 ----------------------------------------------------
# Non-terminating: records the source of every NEW UDP packet from eth1.
-A INPUT -i eth1 -p udp -m udp -m state --state NEW -m recent --set --name udplimit --rsource
# 3 or more NEW UDP packets from one source within 90 s -> DROP.
-A INPUT -i eth1 -p udp -m udp -m state --state NEW -m recent --update --seconds 90 --hitcount 3 --name udplimit --rsource -j DROP
# Global 2/s (burst 4) bucket for NEW UDP, then the rest of NEW UDP is dropped.
-A INPUT -i eth1 -p udp -m udp -m state --state NEW -m limit --limit-burst 4 --limit 2 -j ACCEPT
-A INPUT -i eth1 -p udp -m udp -m state --state NEW -j DROP
# Drops all remaining UDP on eth1 (replies were accepted earlier as ESTABLISHED).
-A INPUT -i eth1 -p udp -m udp -j DROP
# Unreachable: the unconditional UDP DROP directly above matches first. Either
# remove this line or, if a rate-limited fallback was intended, swap the two.
-A INPUT -i eth1 -p udp -m udp -m limit --limit-burst 4 --limit 2 -j ACCEPT

# --- chain tail: internal ranges, end-of-chain logging, default DROP ----------
# Both 192.168 rules duplicate the ones near the top of this section and never
# match.
-A INPUT -s 192.168.0.0/24 -j ACCEPT
-A INPUT -s 192.168.100.0/24 -j ACCEPT
# NOTE(review): 172.18.0.0/24 is a single /24 (172.18.0.x only). Given the /16
# on the next line and the many 172.18.x.y hosts listed above, confirm whether
# /16 was intended.
-A INPUT -s 172.18.0.0/24 -j ACCEPT
-A INPUT -s 172.19.0.0/16 -j ACCEPT
# Second, unthrottled LOG for eth0/tap0 packets that got this far (the first one
# is earlier in the chain).
-A INPUT -i eth0 -j LOG --log-prefix "gwETH0_in "
#-A INPUT -i eth1 -j LOG --log-prefix "ETH1end_in "
-A INPUT -i tap0 -j LOG --log-prefix "gwTAP0_in "
# Explicit default: anything not accepted above is dropped.
-A INPUT -j DROP

COMMIT

# Completed on Wed Jun 11 01:06:48 2014
