Утилита командной строки iptables используется для настройки брандмауэра netfilter, встроенного в систему на базе ядра Linux.
#!/bin/bash
# vars
ipt="iptables"
ext_if="enp3s0"
ext_ipaddr="1.2.3.4"
int_if="enp4s2"
int_net="192.168.55.0/24"
dmz_if="cni-podman0"
dmz_net="10.90.0.0/24"
# flush rules
$ipt -F
$ipt -F -t nat
$ipt -F -t mangle
$ipt -X
$ipt -X -t nat
$ipt -X -t mangle
# default policies
$ipt -P INPUT DROP
$ipt -P FORWARD DROP
$ipt -P OUTPUT ACCEPT
# accept established and related connections
$ipt -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
$ipt -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
# allow icmp traffic
$ipt -A INPUT -p icmp -j ACCEPT
# allow traffic to loopback
$ipt -A INPUT -i lo -j ACCEPT
# allow ssh connections to host machine
$ipt -A INPUT -i $int_if -p tcp -m state --state NEW --dport 22 -j ACCEPT
# allow traffic from LAN to DMZ network
$ipt -A FORWARD -i $int_if -o $dmz_if -j ACCEPT
# allow traffic from WAN to DMZ network
$ipt -A FORWARD -i $ext_if -o $dmz_if -j ACCEPT
# source nat
$ipt -t nat -A POSTROUTING -o $ext_if -s $int_net -j SNAT --to $ext_ipaddr
$ipt -t nat -A POSTROUTING -o $ext_if -s $dmz_net -j SNAT --to $ext_ipaddr
$ipt -A FORWARD -o $ext_if -s $int_net -j ACCEPT
$ipt -A FORWARD -o $ext_if -s $dmz_net -j ACCEPT
# destination nat
$ipt -t nat -A PREROUTING -i $ext_if -p tcp --dport 8090 -j DNAT --to 10.90.0.2:3128
$ipt -t nat -A PREROUTING -i $ext_if -p tcp -m multiport --dports 80,443 -j DNAT --to 10.90.0.3
$ipt -t nat -A PREROUTING -i $ext_if -p tcp --dport 53389 -j DNAT --to 192.168.55.3:3389
$ipt -A FORWARD -i $ext_if -d 192.168.55.3 -p tcp --dport 3389 -j ACCEPT
# show rules
$ipt -S