iptables -F
iptables -X
iptables -t nat -F
iptables -t nat -X
echo "1">/proc/sys/net/ipv4/ip_forward
# 办公室网络控制
arp -s 192.168.0.7 00:E0:4C:E4:DA:18
arp -s 192.168.0.8 00:E0:4C:E4:DA:21
arp -s 192.168.0.11 00:E0:4C:E4:DA:22
arp -s 192.168.0.5 00:E0:4C:EA:42:A9
arp -s 192.168.0.10 00:40:45:27:AC:A0
arp -s 192.168.1.2 00:13:D4:AE:44:A2
iptables -A FORWARD -s 192.168.0.7 -m mac --mac 00:E0:4C:E4:DA:18 -j ACCEPT
iptables -A FORWARD -s 192.168.0.10 -m mac --mac 00:40:45:27:AC:A0 -j ACCEPT
iptables -A FORWARD -s 192.168.0.9 -j ACCEPT
iptables -A FORWARD -s 192.168.0.13 -j ACCEPT
iptables -A FORWARD -s 192.168.0.11 -m mac --mac 00:E0:4C:E4:DA:22 -j ACCEPT
iptables -A FORWARD -s 192.168.0.5 -m mac --mac 00:E0:4C:EA:42:A9 -j ACCEPT
iptables -A FORWARD -s 192.168.0.8 -m mac --mac 00:E0:4C:E4:DA:21 -j ACCEPT
iptables -A FORWARD -s 192.168.0.0/28 -j DROP
iptables -t nat -A POSTROUTING -s 192.168.0.0/28 -o eth0 -j SNAT --to-source 58.16.172.2
# iptables -t nat -A PREROUTING -s 192.168.0.0/28 -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 7777
# 一机房网络控制
iptables -A FORWARD -s 192.168.1.2 -m mac --mac 00:13:D4:AE:44:A2 -j ACCEPT
iptables -A FORWARD -s 192.168.1.0/25 -p tcp --dport ! 80: -j DROP
iptables -A FORWARD -s 192.168.1.0/25 -p udp --dport ! 53 -j DROP
#iptables -A INPUT -s 192.168.1.0/25 -p tcp --dport ! 80 -j DROP
#iptables -A INPUT -s 192.168.1.0/25 -p udp --dport ! 53 -j DROP
iptables -t nat -A POSTROUTING -s 192.168.1.0/25 -j SNAT --to-source 58.16.172.2
iptables -t nat -A PREROUTING -s 192.168.1.0/25 -i eth1 -p tcp --dport 80 -j REDIRECT --to-port 3128
# 3机房
iptables -t nat -A POSTROUTING -s 192.168.2.0/25 -j SNAT --to-source 58.16.172.2
iptables -t nat -A PREROUTING -s 192.168.2.0/25 -i eth1 -p tcp --dport 80 -j REDIRECT --to-port 3128
# 其它外部网络控制/从外局访问的2200和2020端口自动跑到192.168.1.125上去
iptables -t nat -A PREROUTING -d 58.16.172.2 -p tcp --dport 2200 -j DNAT --to 192.168.1.125:2200
iptables -t nat -A PREROUTING -d 58.16.172.2 -p tcp --dport 2020 -j DNAT --to 192.168.1.125