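#!/usr/local/bin/bash
#
# ipfw rule set for a host that forwards a handful of TCP ports to an
# internal machine (${ToIP}) through in-kernel NAT instance 1.
#
# Rule order matters: ipfw numbers rules in the order they are added and
# matches top-down. one_pass is enabled below, so a packet handled by a nat
# rule is normally not re-evaluated by the rules that follow it.
#
# The script flushes the whole rule set before re-adding anything. Between
# the flush and the "table(admin) to me 22" rule there is no allow rule for
# remote SSH, so run this from the console or a detached session where possible.
#
# There is no explicit final "deny ip from any to any": the policy relies on
# the kernel's default rule 65535 — verify on the host that it is a deny.

set -u   # a mistyped variable name must not silently become "any"

# ipfw invocation held as an array so no word-splitting is needed;
# -q keeps rule additions quiet, as in the original.
cmd=(/sbin/ipfw -q)

# Run one ipfw command with the given arguments.
fw() {
  "${cmd[@]}" "$@"
}

# Interface facing the Internet and the address on it.
WAN="igb0"
IP="51.51.51.51"
# Internal host that receives the forwarded ports.
ToIP="163.33.33.3"
# Per-source-address connection limit on the forwarded service ports.
LIM="30"
# External port that is forwarded to ${ToIP}:22.
SSH_FWD_PORT="22022"
# Ports forwarded 1:1 to ${ToIP}. Single source of truth for both the
# "add nat" rules and the redirect_port list of the nat config, which the
# original script kept as two hand-maintained copies.
FWD_PORTS=(29000 29001 29002 29003 32550)
# Upstream resolvers; ipfw accepts a comma-separated address list.
DNS="8.8.8.8,1.1.1.1"

fw -f flush
fw enable one_pass

# Loopback is allowed; loopback addresses on any other interface are not.
fw add allow all from any to any via lo0
fw add deny all from any to 127.0.0.0/8
fw add deny all from 127.0.0.0/8 to any
# Fragments are dropped outright.
fw add deny all from any to any frag
# Stateful handling is currently disabled; kept for reference.
#fw add check-state
#fw add allow tcp from any to any established
#fw add allow all from any to any out keep-state

# Admin sources: the only addresses allowed to SSH to this host.
fw table admin create missing
fw table admin add 46.160.11.11
fw table admin add 109.111.64.0/19
fw add allow ip from "table(admin)" to me 22

# Blocklist table (filled outside this script). The admin rule above is
# evaluated first, so admin addresses are not affected by it.
fw table badb create missing
fw add deny ip from "table(badb)" to me

# DNS to/from the upstream resolvers.
# NOTE(review): the resolver side is not restricted to port 53, so any UDP
# from these two addresses is accepted; tighten to "from ${DNS} 53" if the
# resolvers are the only reason for this rule.
fw add allow udp from "${DNS}" to "${IP}" in via "${WAN}"
fw add allow udp from "${IP}" to "${DNS}" out via "${WAN}"

# HTTP and HTTPS (disabled)
#fw add allow tcp from any to me 443 in limit src-addr 80
#fw add allow tcp from any to me 80 in limit src-addr 80

# ICMP echo: admins first, then everyone. The "any" pair below already
# covers the admin pair, which is kept as the author had it.
fw add allow icmp from "table(admin)" to me in icmptype 8
fw add allow icmp from me to "table(admin)" out icmptype 0,8
fw add allow icmp from me to any out icmptype 0,8
fw add allow icmp from any to me in icmptype 0,8

# ---- NAT: inbound -----------------------------------------------------------
# SSH to the internal host through the external port.
fw add nat 1 tcp from any to any "${SSH_FWD_PORT}" in via "${WAN}"
# Log excerpt that motivated the next rule:
# TCP 163.172.255.167:22 51.159.5.135:49795 in via igb0
fw add nat 1 tcp from "${ToIP}" to "${IP}" in via "${WAN}"
# Forwarded service ports, each limited to ${LIM} connections per source
# address; ipfw drops packets that exceed a limit at the limiting rule.
for port in "${FWD_PORTS[@]}"; do
  fw add nat 1 tcp from any to any "${port}" in limit src-addr "${LIM}" via "${WAN}"
done

# The port redirects themselves, built from the same port list as the rules
# above so the two cannot drift apart.
nat_cfg=(nat 1 config log if "${WAN}" same_ports reset
  redirect_port tcp "${ToIP}:22" "${SSH_FWD_PORT}")
for port in "${FWD_PORTS[@]}"; do
  nat_cfg+=(redirect_port tcp "${ToIP}:${port}" "${port}")
done
# NOTE(review): the instance is configured after the rules that reference
# it, as in the original; moving this before the first "add nat 1" rule
# would avoid the window in which rules point at an unconfigured instance.
fw "${nat_cfg[@]}"

# Log excerpt that motivated the next rule:
# Deny TCP 46.160.11.108:39844 51.159.5.135:29000 in via igb0
# NOTE(review): with one_pass enabled, inbound port-29000 packets matched
# by the nat rule above likely never reach this rule; confirm it is needed.
fw add allow tcp from any to any 29000 in via "${WAN}"

# ---- NAT: outbound ----------------------------------------------------------
# TCP 195.3.134.136:4851 163.172.255.167:31002 out via igb0
fw add nat 1 tcp from any to any out via "${WAN}"
# 188.191.23.31:49773 163.172.255.167:22 out via igb0
fw add nat 1 ip from any to "${ToIP}" 22 out via "${WAN}"
# TCP 51.159.5.135:22 46.160.11.108:53529 out via igb0
fw add nat 1 ip from "${IP},${ToIP}" 22 to any out via "${WAN}"
#TCP 163.172.255.167:22 188.191.23.31:49789 out via igb0
#fw add nat 1 ip from "${ToIP}" 22 to any out via "${WAN}"

#---------------------------
# nat - debug
# fw add nat 1 log tcp from any to any via "${WAN}"
#---------------------------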