*filter
:INPUT ACCEPT [25350:2120857]
:FORWARD ACCEPT [1:20000]
:OUTPUT ACCEPT [26183:2224589]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 443 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 808 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 1080 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 3128 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 8000 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 8080 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 8088 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 8084 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 8888 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 15210 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 15211 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 15223 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 30001 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 4869 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 11211 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 7000 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 6000 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 15440 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 12000 -j ACCEPT
-A INPUT -p udp -m state --state NEW -m udp --dport 12000 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 12001 -j ACCEPT
-A INPUT -p udp -m state --state NEW -m udp --dport 12001 -j ACCEPT
-A FORWARD -d 192.168.10.210/32 -o eth0 -p tcp -m tcp --dport 22 -j ACCEPT
-A FORWARD -s 192.168.10.210/32 -i eth0 -p tcp -m tcp --sport 22 -j ACCEPT
-A FORWARD -d 192.168.10.246/32 -o eth0 -p udp -m udp --dport 12000 -j ACCEPT
-A FORWARD -s 192.168.10.246/32 -i eth0 -p udp -m udp --sport 12000 -j ACCEPT
# The next two rules reject every packet that matched none of the INPUT and FORWARD rules above, so they must stay at the end of this section
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
*nat
:PREROUTING ACCEPT [10000:20000]
:POSTROUTING ACCEPT [20:20000]
:OUTPUT ACCEPT [125:20000]
-A PREROUTING -p tcp -m tcp --dport 15210 -j DNAT --to-destination
-A PREROUTING -p tcp -m tcp --dport 12000 -j DNAT --to-destination
-A PREROUTING -p udp -m udp --dport 12000 -j DNAT --to-destination 192.168.10.246:12000
-A POSTROUTING -d 192.168.10.210/32 -p tcp -m tcp --dport 22 -j SNAT --to-source 192.168.10.250
-A POSTROUTING -d 192.168.10.246/32 -p tcp -m tcp --dport 12000 -j SNAT --to-source 192.168.10.250
-A POSTROUTING -d 192.168.10.246/32 -p udp -m udp --dport 12000 -j SNAT --to-source 192.168.10.250
COMMIT
Note
192.168.10.250 is the server that has an external (extranet) IP of its own and can also reach the intranet addresses of the other servers.
192.168.10.246 is a server inside the intranet, on the same subnet as 192.168.10.250 but without an external IP, so it must be reached by hopping through 192.168.10.250.
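As an added example (not part of the original page), a small Python audit that parses an iptables-save dump like the one above and checks that every DNAT port-forward has the FORWARD ACCEPT and POSTROUTING SNAT rules it needs, and flags a DNAT rule whose --to-destination is missing; SAMPLE is a constructed excerpt, and the chain and option names are the standard iptables ones.

```python
import re
from collections import defaultdict
# Constructed excerpt in iptables-save format (sample input, not the full dump above).
SAMPLE = """*filter
-A FORWARD -d 192.168.10.246/32 -o eth0 -p udp -m udp --dport 12000 -j ACCEPT
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
*nat
-A PREROUTING -p tcp -m tcp --dport 15210 -j DNAT --to-destination
-A PREROUTING -p udp -m udp --dport 12000 -j DNAT --to-destination 192.168.10.246:12000
-A POSTROUTING -d 192.168.10.246/32 -p udp -m udp --dport 12000 -j SNAT --to-source 192.168.10.250
COMMIT
"""

RULE = re.compile(r"^-A (\S+)(.*)$")  # chain name, then the rule's arguments

def opt(args, name):
    """Value following option `name` in a rule's arguments; None if absent or valueless."""
    m = re.search(r"(?:^|\s)" + re.escape(name) + r"(?:\s+(\S+))?(?=\s|$)", args)
    return m.group(1) if m else None

def audit(ruleset):
    """Return findings for DNAT rules lacking a destination, FORWARD ACCEPT, SNAT or binding."""
    table, rules = None, defaultdict(list)
    for line in ruleset.splitlines():
        if line.startswith("*"):
            table = line[1:].strip()  # table header such as *filter or *nat
        m = RULE.match(line)
        if m:
            rules[(table, m.group(1))].append(m.group(2))
    findings = []
    fwd, snat = rules[("filter", "FORWARD")], rules[("nat", "POSTROUTING")]
    for r in rules[("nat", "PREROUTING")]:
        if "-j DNAT" not in r:
            continue
        proto, port, dest = opt(r, "-p"), opt(r, "--dport"), opt(r, "--to-destination")
        if not dest:
            findings.append(f"DNAT for {proto}/{port} has no --to-destination; iptables-restore rejects it")
            continue
        host, _, dport = dest.partition(":")
        dport = dport or port  # DNAT without a port keeps the original destination port
        if not any((opt(f, "-d") or "").split("/")[0] == host and opt(f, "-p") == proto
                   and opt(f, "--dport") == dport and "-j ACCEPT" in f for f in fwd):
            findings.append(f"DNAT {proto}/{port} -> {dest}: no matching FORWARD ACCEPT")
        if not any((opt(s, "-d") or "").split("/")[0] == host and "-j SNAT" in s for s in snat):
            findings.append(f"DNAT {proto}/{port} -> {dest}: no POSTROUTING SNAT, replies may bypass this host")
        if opt(r, "-i") is None and opt(r, "-d") is None:
            findings.append(f"DNAT {proto}/{port}: no -i or -d, so it also rewrites traffic from the internal side")
    return findings
```

Run it over the real dump with `audit(open("/etc/sysconfig/iptables").read())` (path is an assumption) and expect the two valueless --to-destination rules above to be reported first.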