用Linux实现Internet冗余连接（下） （3）

# ACCEPT inbound TCP connections for various 
# services found in /etc/services 
for service in ftp ssh smtp domain 
http auth ldap https; do 
iptables -t filter INPUT -m state 
--state NEW,ESTABLISHED -i $EXT_IFACE 
-p tcp -d $IP --dport $service -j ACCEPT 
done

# ACCEPT active FTP data connections on firewall 
iptables -t filter -A INPUT -m state --state RELATED 
-i $EXT_IFACE -p tcp -d $IP --dport 1024: 
--sport ftp-data -j ACCEPT

# ACCEPT new outbound traffic (stateful firewall) 
iptables -t filter -A FORWARD -m state —state NEW,ESTABLISHED 
-i $INT_IFACE -s $INT_NET -j ACCEPT 

# ACCEPT return traffic (stateful firewall) 
iptables -t filter -A FORWARD -m state —state NEW,ESTABLISHED,RELATED 
-i $EXT_IFACE -s ! $INT_NET -j ACCEPT 

# Pass Internet traffic to internal network unmodified 
iptables -t nat -A POSTROUTING -o $INT_IFACE -j ACCEPT 

# Masquerading outbound connections from internal network
iptables -t nat -A POSTROUTING -o $EXT_IFACE -j MASQUERADE