Linux代理脚本...高手请进

[复制链接]
发表于 2005-6-6 11:51:57 | 显示全部楼层 |阅读模式
这个脚本是一个朋友所做,看看有什么不足之处,请帮忙修改一下~!
小弟在此非常感谢!




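#!/bin/sh
#
# NAT gateway / firewall for a two-NIC Linux box: eth0 faces the ISP,
# eth1 faces the LAN.  It masquerades LAN traffic, forces LAN DNS to the
# ISP resolver, publishes an internal FTP server on the public address,
# and allows SSH to the gateway itself.  Run as root; it replaces the
# running iptables rule set.
#
# Forwarding is switched OFF before the tables are rebuilt and switched
# back ON only as the very last step.  With `set -e`, any iptables command
# that fails aborts the script while forwarding is still disabled, so a
# typo fails closed (nothing relayed) instead of open.

set -eu

# --- Interfaces and addresses ------------------------------------------------
OUTSIDE_DEVICE=eth0          # ISP-facing NIC
INSIDE_DEVICE=eth1           # LAN-facing NIC
OUTSIDE_IP=222.90.72.98      # public address on ${OUTSIDE_DEVICE}
SERVER_IP=192.168.1.250      # internal FTP server (published on tcp/21)
SERVER_IP1=192.168.1.253     # internal web / game server (forwards disabled)
#SERVER_IP2=192.168.0.6      # internal CS server (forwards disabled)

# Source network of the NAT "hairpin" rules: LAN clients that connect to
# the public address ${OUTSIDE_IP} and must be answered via the gateway.
# NOTE(review): SERVER_IP and SERVER_IP1 sit in 192.168.1.0/24, but the
# original hairpin rules matched 192.168.0.0/24.  Confirm which subnet
# ${INSIDE_DEVICE} really carries -- if it is 192.168.1.0/24 the hairpin
# never matched and LAN clients could not reach ${OUTSIDE_IP}:21.
INSIDE_NET=192.168.0.0/24

# Where SSH to the gateway is accepted from.  0.0.0.0/0 keeps the original
# behaviour (open to the whole Internet); narrow it to the admin network
# if at all possible -- the box has no brute-force protection.
SSH_ALLOWED_FROM=0.0.0.0/0

# Upstream resolver that every LAN UDP DNS query is redirected to.  One
# hard-coded resolver is a single point of failure for the whole LAN, and
# only udp/53 is redirected: tcp/53 still goes to whatever the client asked.
ISP_DNS=61.134.1.9
#ISP_DNS=61.134.1.4
#ISP_DNS=202.100.4.15

# Next-hop routers for the (disabled) route commands below.  OUTSIDE_IP_GW
# is the ISP router on ${OUTSIDE_DEVICE}; SERVER_IP_GW was meant as a router
# on ${INSIDE_DEVICE}.  NOTE(review): a second "default gw" via the LAN side
# looks wrong -- the LAN is directly connected and needs no default route.
#OUTSIDE_IP_GW=
#SERVER_IP_GW=

# If you have more than 253 LAN hosts, add extra /24 aliases on the LAN NIC.
#ifconfig eth1:1 10.10.0.1 netmask 255.255.255.0 broadcast 10.10.0.255
#ifconfig eth1:2 192.168.2.1 netmask 255.255.255.0 broadcast 192.168.2.255
#ifconfig eth1:3 192.168.3.1 netmask 255.255.255.0 broadcast 192.168.3.255
# Additional public addresses go on the outside NIC.
#ifconfig eth0:1 xxx.xxx.xxx.xxx netmask 255.255.255.x broadcast xxx.xxx.xxx.xxx

#route del -net default gw ${OUTSIDE_IP_GW} netmask 255.255.255.252 dev eth0
#route del -net default gw ${SERVER_IP_GW} netmask 255.255.255.0 dev eth1
#route add -net default gw ${OUTSIDE_IP_GW} netmask 255.255.255.252 dev eth0
#route add -net default gw ${SERVER_IP_GW} netmask 255.255.255.0 dev eth1

# publish_tcp EXT_PORT INT_IP [INT_PORT]
# Publish tcp/EXT_PORT on ${OUTSIDE_IP} as INT_IP:INT_PORT (default EXT_PORT):
#   1. nat PREROUTING DNAT  - rewrite the destination of arriving packets;
#   2. filter FORWARD ACCEPT - let the rewritten packets through to the LAN;
#   3. nat POSTROUTING SNAT - hairpin: when a client in ${INSIDE_NET} uses
#      the public address, make the server answer via the gateway instead of
#      directly to the client (which would break the connection).
publish_tcp() {
  iptables -t nat -A PREROUTING -p tcp -d "${OUTSIDE_IP}" --dport "$1" \
    -j DNAT --to "$2:${3:-$1}"
  iptables -A FORWARD -p tcp -d "$2" --dport "${3:-$1}" -o "${INSIDE_DEVICE}" -j ACCEPT
  iptables -t nat -A POSTROUTING -p tcp -s "${INSIDE_NET}" -d "$2" --dport "${3:-$1}" \
    -j SNAT --to "${OUTSIDE_IP}"
}

# Disable forwarding first: nothing is relayed while the rule set is rebuilt.
echo 0 > /proc/sys/net/ipv4/ip_forward

# --- Kernel modules ----------------------------------------------------------
# The FTP helpers let the data connections of the published FTP server be
# tracked as RELATED.  The module names changed from ip_* (2.4 / early 2.6
# kernels) to nf_*; try the new name first, then the old one.
# NOTE(review): on recent kernels the helper is not attached to flows
# automatically (net.netfilter.nf_conntrack_helper=0 by default); an
# explicit `-t raw ... -j CT --helper ftp` rule may be needed -- verify that
# FTP data connections actually pass on the target kernel.
/sbin/modprobe ip_tables
/sbin/modprobe nf_nat_ftp 2>/dev/null || /sbin/modprobe ip_nat_ftp
/sbin/modprobe nf_conntrack_ftp 2>/dev/null || /sbin/modprobe ip_conntrack_ftp

# --- Reset -------------------------------------------------------------------
# Default policies go to DROP *before* the flush, so the box is never left
# wide open if the script dies between the flush and the policy change.
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP

iptables -F
iptables -X
iptables -Z          # zero all counters
iptables -t nat -F
iptables -t nat -X

# --- Traffic to and from the gateway itself ----------------------------------
# Loopback: local services (squid, a resolver, ...) talk to 127.0.0.1 and
# would otherwise be dropped by the INPUT policy -- the SYN arriving on lo is
# still in state NEW and matched none of the original INPUT rules.
iptables -A INPUT  -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT

# Replies to connections the gateway opened (and the admin's SSH session).
# Added as early as possible so an SSH session over ${OUTSIDE_DEVICE} only
# stalls briefly while the rules are reloaded.
iptables -A INPUT  -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT

# SSH to the gateway from the Internet.
iptables -A INPUT -p tcp -i "${OUTSIDE_DEVICE}" -s "${SSH_ALLOWED_FROM}" --dport 22 -j ACCEPT
#iptables -A INPUT -p tcp -i "${OUTSIDE_DEVICE}" --dport 9999 -j ACCEPT

# Ping and friends, both directions.
iptables -A INPUT  -p icmp -j ACCEPT
iptables -A OUTPUT -p icmp -j ACCEPT

# DHCP -- and in fact everything else -- from the LAN side is trusted.
iptables -A INPUT  -i "${INSIDE_DEVICE}" -j ACCEPT
iptables -A OUTPUT -o "${INSIDE_DEVICE}" -j ACCEPT

# --- NAT ---------------------------------------------------------------------
# Good old masquerading for everything leaving through the ISP link.
iptables -t nat -A POSTROUTING -o "${OUTSIDE_DEVICE}" -j MASQUERADE

# Force LAN clients' UDP DNS to the ISP resolver.  Restricted to packets
# arriving on the LAN side: the original rule matched on every interface and
# so also rewrote port-53 packets coming in from the Internet.
iptables -t nat -A PREROUTING -i "${INSIDE_DEVICE}" -p udp --dport 53 -j DNAT --to "${ISP_DNS}:53"

# Transparent proxy: hand LAN web traffic to a local squid (disabled).
#iptables -t nat -A PREROUTING -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128

# --- FORWARD: relayed traffic ------------------------------------------------
# MSS clamping (mainly for PPPoE, harmless otherwise) must precede every
# ACCEPT in FORWARD: TCPMSS is a non-terminating target, and in the original
# script it sat after the state ACCEPT rules, so no SYN ever reached it and
# the clamp was dead.
iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu

# Keep NetBIOS / SMB from leaking out of the LAN.  Filtering belongs in the
# filter table, not in nat PREROUTING: the nat table only sees the first
# packet of a flow.  tcp/445 (direct-hosted SMB) is added to the original
# 135:139 range.  Traffic from the LAN to the gateway itself is accepted
# wholesale by the INPUT rules above; add an INPUT rule if this box runs Samba.
iptables -A FORWARD -i "${INSIDE_DEVICE}" -p tcp --dport 135:139 -j DROP
iptables -A FORWARD -i "${INSIDE_DEVICE}" -p tcp --dport 445 -j DROP
iptables -A FORWARD -i "${INSIDE_DEVICE}" -p udp --dport 137:139 -j DROP

# Port forwards (the old ipchains / ipmasqadm portfw job).  Disabled entries
# are kept for reference.
#publish_tcp 3389  "${SERVER_IP}"     # Windows 2000 Terminal Services
#publish_tcp 80    "${SERVER_IP1}"    # Web
#publish_tcp 7000  "${SERVER_IP1}"    # mir game server
#publish_tcp 7100  "${SERVER_IP1}"
#publish_tcp 7200  "${SERVER_IP1}"
#publish_tcp 63000 "${SERVER_IP}"
publish_tcp 21    "${SERVER_IP}"      # FTP (data connections via the ftp helper)
#publish_tcp 5800  "${SERVER_IP}"     # VNC over HTTP
#publish_tcp 27017 "${SERVER_IP2}"    # Counter-Strike
# Mail: the original forwarded external tcp/143 (IMAP) to internal tcp/110
# (POP3) -- almost certainly a typo; pick one protocol before enabling.
#publish_tcp 25    "${SERVER_IP}"
#publish_tcp 143   "${SERVER_IP}" 110

# Connection tracking for relayed traffic: the LAN may open anything, replies
# and helper-related flows (FTP data) pass, and the Internet may not open new
# connections except through the port forwards above.
iptables -A FORWARD -m state --state NEW -i "${INSIDE_DEVICE}" -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -m state --state NEW,INVALID -i "${OUTSIDE_DEVICE}" -j DROP

# Finally, list what we have (-n: no reverse lookups, which hang if DNS is broken).
iptables -L -n

# Follow a dynamic public address (PPPoE / DHCP) for masqueraded connections
# (non-zero enables it; values above 1 also log each rewrite).
echo 7 > /proc/sys/net/ipv4/ip_dynaddr

# Rules are in place; now the kernel may forward again.
echo "Enabling IP forwarding."
echo 1 > /proc/sys/net/ipv4/ip_forward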