#!/bin/sh
nic #
 iptables -t nat -F
nic #
 iptables -F
nic #
 # NAT
nic #
 # eth1: 192.1.2.254 - external
nic #
 # eth2: 192.1.3.254 - internal
nic #
 # iptables -t nat -A POSTROUTING --source 192.1.3.0/24 --destination 0.0.0.0/0 -j SNAT --to-source 192.1.2.254
nic #
 iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE --proto TCP --source 192.1.3.0/24 --to-port 40000-60000
nic #
 iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE --proto UDP --source 192.1.3.0/24 --to-port 40000-60000
nic #
 # make sure that we never acidentially let ESP through.
nic #
 iptables -I FORWARD 1 --proto 50 -j DROP
nic #
 #iptables -I FORWARD 2 --destination 192.0.2.0/24 -j DROP
nic #
 #iptables -I FORWARD 3 --source 192.0.2.0/24 -j DROP
nic #
 # route
nic #
 #iptables -I INPUT 1 --destination 192.0.2.0/24 -j DROP
nic #
 # Display the table, so we know it is correct.
nic #
 iptables -t nat -L -n
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination         
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         
Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination         
MASQUERADE  tcp  --  192.1.3.0/24         0.0.0.0/0            masq ports: 40000-60000
MASQUERADE  udp  --  192.1.3.0/24         0.0.0.0/0            masq ports: 40000-60000
nic #
 iptables -L -n
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         
DROP       esp  --  0.0.0.0/0            0.0.0.0/0           
Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         
nic #
 echo done.
done.
nic #
