双线网络问题.请指正..

flyingzf

默认为电信．．．．
拒绝ICMP协议．．．封杀一些IP 禁止网吧收费机上网．．．
装内网的ＦＴＰ服务器端口影射到外网．．．

以下为iptables正文．．．

[code:1]
TEL_IP="222.90.20.2"
CNC_IP="210.83.2.209"
LAN_IP="192.168.0.0/24"
FTP_IP="192.168.1.252"
NATBAR_IP="192.168.1.253" #网吧收费机IP

modprobe ip_tables
modprobe ip_nat_ftp
modprobe ip_conntrack_ftp

iptables -F
iptables -X
iptables -t nat -F
iptables -t nat -X
iptables -t mangle -F
iptables -t mangle -X

iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP

echo "1" > /proc/sys/net/ipv4/ip_forward

echo "200    CNC_IP" >;>; /etc/iproute2/rt_table
ip route replace default via 210.83.2.209 table DIANXIN
ip rule add fwmark 1 table CNC_IP
iptables -t nat -F
iptables -t mangle -F
iptables -t mangle -A PREROUTING -i eth0 -s 192.168.0.0/24 -d 58.14.0.0/15 -j MARK --set-mark 1
iptables -t mangle -A PREROUTING -i eth0 -s 192.168.0.0/24 -d 58.16.0.0/16 -j MARK --set-mark 1
iptables -t mangle -A PREROUTING -i eth0 -s 192.168.0.0/24 -d 58.17.0.0/17 -j MARK --set-mark 1
．．．
．．．
．．．．．．略

iptables -t nat -A POSTROUTING -s 192.168.0.0/24 -d 58.14.0.0/15 -j SNAT --to $CNC_IP
iptables -t nat -A POSTROUTING -s 192.168.0.0/24 -d 58.16.0.0/16 -j SNAT --to $CNC_IP
iptables -t nat -A POSTROUTING -s 192.168.0.0/24 -d 58.17.0.0/17 -j SNAT --to $CNC_IP
．．．
．．．
．．．．．．略

#iptables -t nat -A POSTROUTING -s $LAN_IP -j SNAT --to $TEL_IP
iptables -t nat -A POSTROUTING -s $LAN_IP -j SNAT --to MASQUERADE
ip route flush cache

iptables -A INPUT -p tcp -i eth0 --dport 22 -j ACCEPT

iptables -t nat -A PREROUTING -p udp -d 0.0.0.0/0 --dport 53 -j DNAT --to 218.30.19.40:53
iptables -t nat -A PREROUTING -p udp -d 0.0.0.0/0 --dport 53 -j DNAT --to 61.134.1.4:53
iptables -t nat -A PREROUTING -p udp -d 0.0.0.0/0 --dport 53 -j DNAT --to 202.100.4.15:53
iptables -t nat -A PREROUTING -p udp -d 0.0.0.0/0 --dport 53 -j DNAT --to 202.100.0.68:53

iptables -A FORWARD -p tcp --syn -m limit --limit 1/s -j ACCEPT
iptables -A FORWARD -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit 1/s -j ACCEPT
iptables -A FORWARD -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT

iptables -A OUTPUT -p icmp -j ACCEPT
iptables -A INPUT -p icmp -j DROP

#iptables -I FORWARD -d 58.240.222.242 -j DROP
#iptables -I FORWARD -d 58.240.222.244 -j DROP
#iptables -I FORWARD -d 211.144.69.35 -j DROP
#iptables -I FORWARD -d 211.144.69.36 -j DROP
#iptables -I FORWARD -d 211.144.69.37 -j DROP
iptables -I FORWARD -s $NATBAR -p tcp --dport 80 -j DROP

iptables -t nat -A PREROUTING -d $TEL_IP -p tcp --dport 2100 -j DNAT --to-destination $FTP_IP:21
iptables -t nat -A POSTROUTING -d $FTP_IP -p tcp --dport 21 -j SNAT --to-source 192.168.1.254

#iptables -t nat -A PREROUTING -d $TEL_IP -p tcp --dport 21 -j DNAT --to-destination 192.168.1.6:21
#iptables -t nat -A POSTROUTING -d 192.168.1.6 -p tcp --dport 21 -j SNAT --to-source 192.168.1.254

#echo 3600 > /proc/sys/net/ipv4/netfilter/ip_conntrack_tcp_timeout_established
echo 20480 > /proc/sys/net/ipv4/neigh/default/gc_thresh1
echo 40960 > /proc/sys/net/ipv4/neigh/default/gc_thresh2
echo 81920 > /proc/sys/net/ipv4/neigh/default/gc_thresh3
echo "1"> /proc/sys/net/ipv4/conf/eth1/proxy_arp
iptables -L -n
echo "Enabling IP forwarding."
echo "1" > /proc/sys/net/ipv4/ip_forward
[/code:1]

未知这样是否能成功．．．．请各位前辈指教一二．．．
还有．我收集的网通ＩＰ段．．．有问题．．．
比如．．
210.82.0.0/16而有些网站则是210.82.0.0/15