一个简单做静态nat和端口控制的防火墙代码！！！！

njdaboy_cn

#!/bin/sh
PATH=/sbin:/bin:/usr/sbin:/usr/bin

#
##tcp allow ports
#
TPORTS="80 22 21 20"

#
##udp allow ports
#
UPORTS="53 123"

#
##config out_eth interface
OUT_ETH="eth1"
OUT_ETH_IP="192.168.10.1"
##set out_eth_ip(firewall out ip) ports
OUT_ETH_IP_PORTS="22"

##config in_eth interface
IN_ETH="eth0"
IN_ETH_IP="172.18.10.37"

##internal ip range
SERVER_IP="172.18.10.0/24"

#
##disable forwarding
#
echo 0 >; /proc/sys/net/ipv4/ip_forward

#
#reset default policies
#
iptables -P INPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -P OUTPUT ACCEPT
iptables -t nat -P PREROUTING ACCEPT
iptables -t nat -P POSTROUTING ACCEPT
iptables -t nat -P OUTPUT ACCEPT

#
##del all iptables rules
#
iptables -F INPUT
iptables -F FORWARD
iptables -F OUTPUT

#
##clean all non-default chains
#
iptables -X
iptables -t nat -X

#
##iptables default rules
#
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT

#
##allow ping packets
#
iptables -A INPUT -p ICMP -s 0/0 --icmp-type 0 -j ACCEPT
iptables -A INPUT -p ICMP -s 0/0 --icmp-type 3 -j ACCEPT
iptables -A INPUT -p ICMP -s 0/0 --icmp-type 5 -j ACCEPT
iptables -A INPUT -p ICMP -s 0/0 --icmp-type 8 -j ACCEPT
iptables -A INPUT -p ICMP -s 0/0 --icmp-type 11 -j ACCEPT
#iptables -A INPUT -p ICMP -s 0/0 --icmp-type 11 -m limit --limit 5/s -j ACCEPT
iptables -A FORWARD -p ICMP -j ACCEPT

#
##enable forwarding
#

iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

#
##STATE RELATED for router
#
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

#
##accept internal packets on the internal i/f
#
iptables -A INPUT -i $IN_ETH -s $SERVER_IP -p tcp -j ACCEPT
#iptables -A INPUT -i $IN_ETH ! -s $SERVER_IP -p tcp -j DROP

##accept firewall out eth ip ports
for OEP in $OUT_ETH_IP_PORTS
do
     iptables -A INPUT -d $OUT_ETH_IP -p tcp --destination-port $OEP -j ACCEPT
done

#
##open ports on router for server/services
#

#TCP PORTS
for ATP in $TPORTS
do
    iptables -A INPUT ! -s $SERVER_IP -d $SERVER_IP -p tcp --destination-port $ATP -j ACCEPT
    iptables -A FORWARD -p tcp --destination-port $ATP -j ACCEPT
done

#UDP PORTS
for AUP in $UPORTS
do
    iptables -A INPUT -p udp --destination-port $AUP -j ACCEPT
    iptables -A FORWARD -p udp --destination-port $AUP -j ACCEPT
done

#
##bad_packets chain
##drop INVALID packets immediately
#
iptables -A INPUT -p ALL -m state --state INVALID -j DROP

#
##limit SYN flood
#
#iptables -A INPUT -f -m limit --limit 100/s --limit-burst 100 -j ACCEPT
#iptables -A FORWARD -f -m limit --limit 100/s --limit-burst 100 -j ACCEPT

##deny all ICMP packets,eth0 is external net_eth
#iptables -A INPUT -i eth0 -s  0.0.0.0/0 -p ICMP -j DROP

#
##allow loopback
#
iptables -A INPUT -i lo -p all -j ACCEPT
iptables -A OUTPUT -o lo -p all -j ACCEPT

#
##enable forwarding
#
echo 1 >; /proc/sys/net/ipv4/ip_forward
#
##config net-eth ip address
#
ifconfig eth0:1 172.18.10.10 netmask 255.255.255.128

#
##set static IP nat rule, POSTROUTING/PREROUTING
##(snat)iptables -t nat -A POSTROUTING -j SNAT --to 202.202.210.10
##(dnat)iptables -t nat -A PREROUTING -j DNAT --to 10.10.10.10
#
iptables -t nat -A POSTROUTING -s 172.18.10.10 -j SNAT --to 192.168.10.10
iptables -t nat -A PREROUTING -d 192.168.10.10 -j DNAT --to 172.18.10.10

以上代码请高手指点一二啊，是否还有不妥的地方啊。
跪求各位大哥的见解！！！

njdaboy_cn

各位linux专家。。。给点意见啊。。。