Я использую firewall builder, чтобы собрать шаблон iptables с NAT для вас.
Шлюзовая машина
- Внешний интерфейс: eth0 (IP: 50.0.2.4)
Внутренний интерфейс: eth1 (IP: 192.168.1.1
Службы пересылки на 192.168.1.10: imap, imaps, pop, pops, smtp, smtps
- Услуги пересылать на 192.168.1.20: http, https
Внутренняя машина 1
- Интерфейс: eth0 (IP: 192.168.1.10)
Внутренняя машина 2
- Интерфейс: eth0 (IP: 192.168.1.20)
IPTABLES="/sbin/iptables"
# ================ Table 'filter', automatic rules
# accept established sessions
$IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
# ================ Table 'nat', rule set NAT
#
# Rule 0 (NAT)
#
echo "Rule 0 (NAT)"
#
$IPTABLES -t nat -A PREROUTING -p tcp -m tcp -m multiport -d 50.0.2.4 --dports 143,993,110,995,25,465 -j DNAT --to-destination 192.168.1.10
#
# Rule 1 (NAT)
#
echo "Rule 1 (NAT)"
#
$IPTABLES -t nat -A PREROUTING -p tcp -m tcp -m multiport -d 50.0.2.4 --dports 80,443 -j DNAT --to-destination 192.168.1.20
#
# Rule 2 (NAT)
#
echo "Rule 2 (NAT)"
#
$IPTABLES -t nat -A POSTROUTING -o eth0 -s 192.168.1.0/24 -j SNAT --to-source 50.0.2.4
# ================ Table 'filter', rule set Policy
#
# Rule 0 (eth0)
#
echo "Rule 0 (eth0)"
#
# anti spoofing rule
$IPTABLES -N In_RULE_0
$IPTABLES -A INPUT -i eth0 -s 50.0.2.4 -j In_RULE_0
$IPTABLES -A INPUT -i eth0 -s 192.168.1.1 -j In_RULE_0
$IPTABLES -A INPUT -i eth0 -s 192.168.1.0/24 -j In_RULE_0
$IPTABLES -A FORWARD -i eth0 -s 50.0.2.4 -j In_RULE_0
$IPTABLES -A FORWARD -i eth0 -s 192.168.1.1 -j In_RULE_0
$IPTABLES -A FORWARD -i eth0 -s 192.168.1.0/24 -j In_RULE_0
$IPTABLES -A In_RULE_0 -j LOG --log-level info --log-prefix "RULE 0 -- DENY "
$IPTABLES -A In_RULE_0 -j DROP
#
# Rule 1 (lo)
#
echo "Rule 1 (lo)"
#
$IPTABLES -A INPUT -i lo -m state --state NEW -j ACCEPT
$IPTABLES -A OUTPUT -o lo -m state --state NEW -j ACCEPT
#
# Rule 2 (global)
#
echo "Rule 2 (global)"
#
# SSH Access to firewall is permitted
$IPTABLES -N Cid4216X2697.0
$IPTABLES -A OUTPUT -p tcp -m tcp -m multiport --dports 80,443,143,993,110,995,25,465,22 -m state --state NEW -j Cid4216X2697.0
$IPTABLES -A Cid4216X2697.0 -d 50.0.2.4 -j ACCEPT
$IPTABLES -A Cid4216X2697.0 -d 192.168.1.1 -j ACCEPT
$IPTABLES -A INPUT -p tcp -m tcp -m multiport --dports 80,443,143,993,110,995,25,465,22 -m state --state NEW -j ACCEPT
#
# Rule 3 (global)
#
echo "Rule 3 (global)"
#
# Firewall can connect to anything
$IPTABLES -A INPUT -s 50.0.2.4 -m state --state NEW -j ACCEPT
$IPTABLES -A INPUT -s 192.168.1.1 -m state --state NEW -j ACCEPT
$IPTABLES -A OUTPUT -m state --state NEW -j ACCEPT
#
# Rule 4 (global)
#
echo "Rule 4 (global)"
#
# All other attempts to connect to
# the firewall are denied and logged
$IPTABLES -N RULE_4
$IPTABLES -A OUTPUT -d 50.0.2.4 -j RULE_4
$IPTABLES -A OUTPUT -d 192.168.1.1 -j RULE_4
$IPTABLES -A INPUT -j RULE_4
$IPTABLES -A RULE_4 -j LOG --log-level info --log-prefix "RULE 4 -- DENY "
$IPTABLES -A RULE_4 -j DROP
#
# Rule 5 (global)
#
echo "Rule 5 (global)"
#
$IPTABLES -A INPUT -s 192.168.1.0/24 -m state --state NEW -j ACCEPT
$IPTABLES -A OUTPUT -s 192.168.1.0/24 -m state --state NEW -j ACCEPT
$IPTABLES -A FORWARD -s 192.168.1.0/24 -m state --state NEW -j ACCEPT
#
# Rule 6 (global)
#
echo "Rule 6 (global)"
#
$IPTABLES -N RULE_6
$IPTABLES -A OUTPUT -j RULE_6
$IPTABLES -A INPUT -j RULE_6
$IPTABLES -A FORWARD -j RULE_6
$IPTABLES -A RULE_6 -j LOG --log-level info --log-prefix "RULE 6 -- DENY "
$IPTABLES -A RULE_6 -j DROP
echo 1 > /proc/sys/net/ipv4/ip_forward