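#!/bin/sh
# Firewall/NAT setup for a VPN gateway: default-drop INPUT and FORWARD,
# allow selected services, masquerade traffic leaving IF_LAN, and publish
# two TCP ports on LAN_IP to hosts inside the VPN subnet.
#
# Strict mode is set here rather than on the shebang line: an option on the
# shebang is lost when the script is started as `sh script.sh`, and a failed
# iptables call would then be silently ignored.
#
# NOTE(review): rules are applied one by one. If a command fails after the
# DROP policies are set, the host is left with a partial rule set (possibly
# without the SSH rule). Loading a complete rule set with iptables-restore
# would make the change atomic.
# NOTE(review): only IPv4 is configured; nothing here touches ip6tables.
set -eu

IPT="/sbin/iptables"

IF_VPN=tun0
IF_LAN=eth0

# VPN server address (used below as the VPN subnet in -s/-d matches).
VPN_IP=10.8.0.0/24
# Physical address of the server (destination matched by the DNAT rules).
LAN_IP=111.111.111.111

# NOTE(review): every port listed here is opened to all sources on all
# interfaces by the INPUT rules below; confirm each one is a service that
# really has to be reachable.
TCP_PORTS="22,53,43,443,1194"
UDP_PORTS="20,53,1194"
# Not referenced by any rule in this script.
D_UDP_PORTS="20,21,53"

# --- Reset -----------------------------------------------------------------
"$IPT" -F
"$IPT" -X
"$IPT" -t nat -F
"$IPT" -t mangle -F

# --- Default policies ------------------------------------------------------
# The OUTPUT policy is not set here and keeps whatever value it had before.
"$IPT" -P INPUT DROP
"$IPT" -P FORWARD DROP

# --- Stateful baseline -----------------------------------------------------
"$IPT" -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
"$IPT" -A OUTPUT -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
"$IPT" -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

# --- Loopback --------------------------------------------------------------
"$IPT" -A INPUT -i lo -j ACCEPT
"$IPT" -A OUTPUT -o lo -j ACCEPT

# --- Forwarding between the VPN and the LAN interface ----------------------
"$IPT" -A FORWARD -i "$IF_VPN" -o "$IF_LAN" -s "$VPN_IP" -j ACCEPT
# NOTE(review): this accepts new connections from IF_LAN to any VPN address
# on any port and protocol. The DNAT rules below need such a path only for
# TCP 33101/33102; consider narrowing the match accordingly.
"$IPT" -A FORWARD -i "$IF_LAN" -o "$IF_VPN" -d "$VPN_IP" -j ACCEPT
# NOTE(review): no interface or address match, so routed TCP to these ports
# is forwarded in any direction.
"$IPT" -A FORWARD -p tcp -m multiport --dports "$TCP_PORTS" -j ACCEPT
"$IPT" -A FORWARD -p icmp -m icmp --icmp-type echo-reply -j ACCEPT

# --- Services on this host -------------------------------------------------
"$IPT" -A INPUT -p tcp -m multiport --dports "$TCP_PORTS" -j ACCEPT
"$IPT" -A INPUT -p udp -m multiport --dports "$UDP_PORTS" -j ACCEPT
# Only echo-reply is accepted; an inbound echo-request matches no rule here
# and falls through to the DROP policy.
"$IPT" -A INPUT -p icmp -m icmp --icmp-type echo-reply -j ACCEPT

# --- NAT -------------------------------------------------------------------
# NOTE(review): masquerades everything leaving IF_LAN, not only traffic
# sourced from VPN_IP.
"$IPT" -t nat -A POSTROUTING -o "$IF_LAN" -j MASQUERADE

# Port publishing: TCP 33101 on LAN_IP goes to 10.8.0.2, TCP 33102 to
# 10.8.0.3. The paired SNAT rewrites the source to 10.8.0.1, so the target
# host sees every connection as coming from 10.8.0.1 and its own logs lose
# the real client address (presumably 10.8.0.1 is this server's VPN-side
# address; confirm).
"$IPT" -t nat -A PREROUTING -d "$LAN_IP" -p tcp -m tcp --dport 33101 -j DNAT --to-destination 10.8.0.2
"$IPT" -t nat -A POSTROUTING -d 10.8.0.2 -p tcp -m tcp --dport 33101 -j SNAT --to-source 10.8.0.1
"$IPT" -t nat -A PREROUTING -d "$LAN_IP" -p tcp -m tcp --dport 33102 -j DNAT --to-destination 10.8.0.3
"$IPT" -t nat -A POSTROUTING -d 10.8.0.3 -p tcp -m tcp --dport 33102 -j SNAT --to-source 10.8.0.1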