#####################################################################
# route tables           
#####################################################################

##################################################
# route tables
#
# All five tables have the same shape: one route to the 192.168.0.0/24 LAN
# side (through a specific NIC, with a specific source address), the two
# directly connected ISP /29s on eth3, and a default route via one of the
# two ISP gateways.  rt_build_table rebuilds one such table from scratch.
#   $1 table name
#   $2 NIC that faces the LAN for this table
#   $3 source address to use towards the LAN
#   $4 default gateway (60.190.72.177 = telecom line, 221.12.164.193 = cnc line)
##################################################
rt_build_table() {
    ip route flush table "$1"
    ip route add table "$1" 192.168.0.0/24 dev "$2" src "$3"
    ip route add table "$1" 60.190.72.176/29 dev eth3
    ip route add table "$1" 221.12.164.192/29 dev eth3
    ip route add table "$1" default via "$4" dev eth3
}

# "manual" line selection: traffic that entered on eth2 (.247) leaves via cnc,
# traffic that entered on eth1 (.249) leaves via telecom (see the mangle rules)
rt_build_table cnc         eth2 192.168.0.247 221.12.164.193
rt_build_table telecom     eth1 192.168.0.249 60.190.72.177

# "automatic" line selection for traffic that entered on eth0 (.253): the
# ISP is chosen per destination by choose_telecom_cnc in the mangle table
rt_build_table autocnc     eth0 192.168.0.253 221.12.164.193
rt_build_table autotelecom eth0 192.168.0.253 60.190.72.177

# main table: whatever the fwmark rules do not catch goes out the telecom line.
# NOTE(review): flushing main drops all connectivity until the routes are
# re-added -- run this from the console or under a watchdog, not over SSH.
rt_build_table main        eth0 192.168.0.253 60.190.72.177

# discard cached lookups so the rebuilt tables take effect immediately
ip route flush cache

###############################################
# route rules
###############################################
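# Rebuild the policy-routing rules.  'ip rule flush' also removes the
# main/default lookups, so those are restored first; the priority-0 'local'
# rule is normally left in place by flush.
ip rule flush
ip rule add table default priority 32767
ip rule add table main priority 32766

# fwmark -> table.  Added without an explicit priority, so they end up ahead
# of main.  Only bits 0xFF0 of the mark are compared: the 0xF00 nibble is
# manual (1) vs automatic (2) line selection, the 0x0F0 nibble is telecom (1)
# vs cnc (2).  The direction nibble 0xF000 and the public-IP slot nibble 0x00F
# are deliberately outside the mask -- that is what lets the reply marks
# 0x211x/0x212x written by calculate_incoming_mark land in the telecom/cnc
# tables as well.
ip rule add fwmark 0x110/0xFF0 table telecom
ip rule add fwmark 0x120/0xFF0 table cnc
ip rule add fwmark 0x210/0xFF0 table autotelecom
# was 0x221/0xFF0: bit 0x001 lies outside the mask and is ignored by the
# kernel, so that matched exactly the same packets, but it read as though a
# single public-IP slot were being singled out.  0x220 says what is meant.
ip rule add fwmark 0x220/0xFF0 table autocnc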


###################################################################### 
# iptables configuration           
######################################################################

# iptable modules
# FTP helper modules: track (and NAT) the FTP data connections that belong to
# a control connection, so they pass as RELATED.
# NOTE(review): these are the 2.4 / early-2.6 module names; on newer kernels
# the modules are nf_conntrack_ftp / nf_nat_ftp -- confirm against the
# running kernel.
# NOTE(review): on kernels that still auto-assign conntrack helpers, loading
# the FTP helper means any TCP/21 payload can open RELATED pinholes through
# the firewall; newer kernels default to nf_conntrack_helper=0 and need an
# explicit '-j CT --helper ftp' rule in raw/PREROUTING before the helper does
# anything.  Neither the kernel version nor the raw/filter tables are visible
# in this section, so check which situation applies.
modprobe ip_conntrack_ftp
modprobe ip_nat_ftp

#####################################################
#####################################################
# mangle table 
#####################################################
#####################################################
mangle_tbl() { iptables -t mangle "$@"; }

# Start from a clean mangle table: flush every chain, reset the built-in
# policies to ACCEPT (the mangle table only marks, it never filters), then
# drop any user-defined chains left over from a previous run.
mangle_tbl -F
for chain in PREROUTING INPUT FORWARD OUTPUT POSTROUTING; do
    mangle_tbl -P $chain ACCEPT
done
mangle_tbl -X

# user chains that PREROUTING jumps into (populated further down)
for chain in cycle_ip choose_telecom_cnc calculate_outgoing_mark calculate_incoming_mark; do
    mangle_tbl -N $chain
done

######################################
# OUTPUT chain
######################################
# Locally generated traffic that leaves with one of the router's own public
# addresses: tag it so the ip rules send it out through the ISP that owns
# that address.  The value mirrors the encoding used by calculate_outgoing_mark
# (0x1000 outgoing, 0x100 manual, ISP nibble, public-IP slot 1-5).  Traffic to
# the 192.168.0.0/16 side is left unmarked.
# NOTE(review): '-d ! net' is the old intrapositioned negation; newer iptables
# releases warn about it or reject it in favour of '! -d net'.  Kept as-is
# because the whole file uses that form.

# telecom addresses 60.190.72.178-182 -> 0x1111..0x1115
slot=1
for host in 178 179 180 181 182; do
    iptables -t mangle -A OUTPUT -s 60.190.72.$host -d ! 192.168.0.0/16 -j MARK --set-mark 0x111$slot
    slot=$((slot + 1))
done

# cnc addresses 221.12.164.194-198 -> 0x1121..0x1125
slot=1
for host in 194 195 196 197 198; do
    iptables -t mangle -A OUTPUT -s 221.12.164.$host -d ! 192.168.0.0/16 -j MARK --set-mark 0x112$slot
    slot=$((slot + 1))
done


######################################
# cycle_ip chain
######################################
# cycle_ip only writes the low nibble (0x00F): the slot, 1..5, of the public
# address to use within whichever ISP block was chosen (both ISPs have five
# addresses in the OUTPUT / calculate_incoming_mark lists).  Everything
# entering the chain starts in slot 1; the per-host rules below override
# that for the listed LAN hosts.
iptables -t mangle -A cycle_ip -j MARK --set-mark 0x1/0xF

# Spread the LAN hosts evenly over the five slots: host .N gets
# ((N-1) mod 5)+1, i.e. .1 .6 .11 ... -> 1, .2 .7 .12 ... -> 2, and so on.
#   $1 first host number, $2 last host number (inclusive)
cycle_ip_range() {
    host=$1
    while [ "$host" -le "$2" ]; do
        iptables -t mangle -A cycle_ip -s 192.168.0.$host -j MARK --set-mark 0x$(( (host - 1) % 5 + 1 ))/0xF
        host=$((host + 1))
    done
}

cycle_ip_range 1 135
# NOTE(review): .136-.145 are not listed in the original and therefore stay
# in slot 1 -- presumably an oversight rather than a reservation; confirm.
cycle_ip_range 146 180

# special ip
iptables -t mangle -A cycle_ip -s 192.168.0.248 -j MARK --set-mark 0x4/0xF


######################################
# choose_telecom_cnc chain
######################################
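# choose_telecom_cnc writes only the ISP nibble (0x0F0) for traffic that
# entered on eth0.  Every connection starts out as telecom (0x10); the rules
# below flip it to cnc (0x20) for destinations better reached over the CNC
# line.  All rules write the same value with the same mask, so overlaps are
# harmless and their relative order does not matter; there is no early
# RETURN, every rule is evaluated once per new connection.
iptables -t mangle -A choose_telecom_cnc -j MARK --set-mark 0x10/0xF0

# route a destination range (first-last) via the cnc line
cnc_range() {
    iptables -t mangle -A choose_telecom_cnc -m iprange --dst-range "$1" -j MARK --set-mark 0x20/0xF0
}
# route a destination prefix (CIDR) via the cnc line
cnc_net() {
    iptables -t mangle -A choose_telecom_cnc -d "$1" -j MARK --set-mark 0x20/0xF0
}

# cnc networks
cnc_net 61.12.0.0/16
cnc_net 221.12.0.0/16

# Chinese address space that is not China Telecom: route via the cnc line.
# (61.138.114.0-61.138.191.255 was listed twice in the original; the
# duplicate rule has been dropped -- it changed nothing.)
cnc_range 58.16.0.0-58.23.255.255
cnc_range 58.100.0.0-58.101.255.255
cnc_range 58.214.21.0-58.243.255.255
cnc_range 60.0.0.0-60.31.255.255
cnc_range 60.52.145.0-60.52.145.255
cnc_range 60.55.0.0-60.55.255.255
cnc_range 60.121.175.0-60.121.175.255
cnc_range 60.208.0.0-60.223.255.255
cnc_range 61.4.64.0-61.4.79.255
cnc_range 61.128.210.0-61.128.210.255
cnc_range 61.133.0.0-61.133.179.255
cnc_range 61.134.98.0-61.136.118.255
cnc_range 61.137.128.0-61.138.94.255
cnc_range 61.138.109.0-61.138.110.255
cnc_range 61.138.114.0-61.138.191.255
cnc_range 61.139.128.0-61.139.191.255
cnc_range 61.148.0.0-61.149.255.255
cnc_range 61.156.0.0-61.157.95.83
cnc_range 61.158.0.0-61.159.63.255
cnc_range 61.161.0.0-61.161.63.255
cnc_range 61.161.128.0-61.163.255.255
cnc_range 61.167.0.0-61.168.255.255
cnc_range 61.176.0.0-61.176.255.255
cnc_range 61.179.0.0-61.179.255.255
cnc_range 61.180.133.0-61.182.255.255
cnc_range 61.189.30.0-61.189.64.255
cnc_range 61.233.7.0-61.233.7.255
cnc_range 61.233.59.0-61.233.59.255
cnc_range 61.235.139.0-61.235.139.255
cnc_range 202.10.64.0-202.10.79.255
cnc_range 202.96.64.0-202.96.66.255
cnc_range 202.97.128.0-202.97.128.255
cnc_range 202.97.132.0-202.97.159.255
cnc_range 202.97.209.0-202.97.217.255
cnc_range 202.97.236.0-202.97.243.255
cnc_range 202.99.73.0-202.99.86.255
cnc_range 202.99.158.0-202.99.223.255
cnc_range 202.99.243.0-202.99.244.255
cnc_range 202.102.148.0-202.102.191.255
cnc_range 202.102.232.0-202.102.246.255
cnc_range 202.107.0.0-202.107.127.255
cnc_range 202.110.0.0-202.110.255.255
cnc_range 202.111.152.0-202.111.191.255
cnc_range 202.136.252.0-202.136.255.255
cnc_range 203.88.192.0-203.88.203.255
cnc_range 203.93.9.0-203.93.18.255
cnc_range 203.93.51.0-203.93.255.255
cnc_range 203.175.128.0-203.175.255.255
cnc_range 210.5.15.0-210.5.17.255
cnc_range 210.6.150.0-210.6.150.255
cnc_range 210.12.0.0-210.15.112.255
cnc_range 210.21.0.0-210.22.255.255
cnc_range 210.51.0.0-210.53.255.255
cnc_range 210.74.97.0-210.74.255.255
cnc_range 218.8.57.0-218.8.57.255

# Non-Asian address space: route via the cnc line.
# NOTE(review): 10/8 is skipped (11-57) but 172.0.0.0-201.255.255.255 covers
# RFC1918 172.16/12 and 192.168/16.  The PREROUTING caller excludes
# 192.168.0.0/16 destinations, so only 172.16/12 destinations are tagged cnc
# here -- confirm that is intended; the filter/nat tables are not visible in
# this section.
cnc_range 1.0.0.0-9.255.255.255
cnc_range 11.0.0.0-57.255.255.255
cnc_range 62.0.0.0-111.255.255.255
cnc_range 128.0.0.0-132.255.255.255
cnc_range 134.0.0.0-149.255.255.255
cnc_range 151.0.0.0-152.255.255.255
cnc_range 154.0.0.0-162.255.255.255
cnc_range 164.0.0.0-170.255.255.255
cnc_range 172.0.0.0-201.255.255.255
cnc_range 204.0.0.0-209.255.255.255
cnc_range 212.0.0.0-217.255.255.255
cnc_range 223.0.0.0-223.255.255.255

# Asian, non-Chinese address space: route via the cnc line.
cnc_range 58.0.0.0-58.13.255.255
cnc_range 58.26.0.0-58.29.255.255
cnc_range 58.64.0.0-58.65.255.255
cnc_range 58.68.0.0-58.68.127.255
cnc_range 58.69.0.0-58.81.255.255
cnc_range 58.84.0.0-58.87.63.255
cnc_range 58.87.128.0-58.99.127.255
cnc_range 58.102.0.0-58.115.255.255
cnc_range 58.120.0.0-58.127.255.255
cnc_range 58.136.0.0-58.143.255.255
cnc_range 58.145.0.0-58.153.255.255
cnc_range 58.156.0.0-58.191.255.255
cnc_range 58.224.0.0-58.239.255.255
cnc_range 59.0.0.0-59.31.255.255
cnc_range 59.84.0.0-59.106.255.255
cnc_range 59.112.0.0-59.150.255.255
cnc_range 59.151.128.0-59.154.255.255
cnc_range 59.156.0.0-59.171.255.255
cnc_range 59.176.0.0-59.190.255.255
cnc_range 59.191.128.0-59.191.255.255
cnc_range 60.32.0.0-60.54.255.255
cnc_range 60.56.0.0-60.62.255.255
cnc_range 60.64.0.0-60.159.255.255
cnc_range 60.192.0.0-60.193.255.255
cnc_range 60.196.0.0-60.199.255.255
cnc_range 60.224.0.0-60.231.255.255
cnc_range 60.234.0.0-60.234.255.255
cnc_range 60.236.0.0-60.245.127.255
cnc_range 60.246.0.0-60.246.255.255
cnc_range 60.248.0.0-60.251.255.255
cnc_range 60.253.0.0-60.253.127.255
cnc_range 60.254.0.0-60.254.255.255
cnc_range 61.0.0.0-61.8.159.255
cnc_range 61.8.192.0-61.27.255.255
cnc_range 61.28.128.0-61.29.127.255
cnc_range 61.30.0.0-61.45.127.255
cnc_range 61.45.192.0-61.47.127.255
cnc_range 61.47.192.0-61.47.255.255
cnc_range 61.56.0.0-61.87.191.255
cnc_range 123.154.0.0-123.154.255.255

# additional prefixes routed via the cnc line
cnc_net 61.115.0.0/16
cnc_net 150.65.0.0/16
cnc_net 202.12.0.0/16
cnc_net 202.30.0.0/16
cnc_net 202.229.0.0/16
cnc_net 202.108.0.0/19
cnc_net 210.82.0.0/15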


######################################
# calculate_outgoing_mark chain
######################################
# Build the mark of a new LAN -> outside connection, one nibble per group of rules:
#   0xF000 direction : 1 = outgoing
#   0x0F00 selection : 2 = automatic (entered on eth0), 1 = manual (eth1 / eth2)
#   0x00F0 ISP       : 1 = telecom, 2 = cnc; for eth0 decided per destination
#   0x000F public IP : slot 1-5, chosen by source host in cycle_ip
# The ip rules compare only 0xFF0; the direction nibble is not consulted by
# them (it may be used by the nat/filter tables, which are not visible here).
out_mark() { iptables -t mangle -A calculate_outgoing_mark "$@"; }

out_mark -j MARK --set-mark 0x1000/0xF000

out_mark -i eth0 -j MARK --set-mark 0x200/0xF00
out_mark -i eth1 -j MARK --set-mark 0x100/0xF00
out_mark -i eth2 -j MARK --set-mark 0x100/0xF00

out_mark -i eth0 -j choose_telecom_cnc
out_mark -i eth1 -j MARK --set-mark 0x10/0xF0
out_mark -i eth2 -j MARK --set-mark 0x20/0xF0

out_mark -j cycle_ip
# NOTE(review): a packet that entered on any other interface gets neither the
# selection nor the ISP nibble, matches none of the fwmark rules and falls
# through to the main table.

######################################
# calculate_incoming_mark chain
######################################
# A NEW connection arriving on one of the public addresses gets a complete
# 32-bit mark: 0x2000 (incoming) | 0x100 (manual) | ISP nibble | IP index.
# Replies are then SNAT'd/routed back out through the same ISP and address.
#
# telecom /29: 60.190.72.178-182 -> 0x2111..0x2115
for idx in 1 2 3 4 5; do
    iptables -t mangle -A calculate_incoming_mark -d 60.190.72.$((177 + idx)) -j MARK --set-mark 0x211${idx}
done

# cnc /29: 221.12.164.194-198 -> 0x2121..0x2125
for idx in 1 2 3 4 5; do
    iptables -t mangle -A calculate_incoming_mark -d 221.12.164.$((193 + idx)) -j MARK --set-mark 0x212${idx}
done



######################################
# PREROUTING chain
######################################
# Classification happens once per connection: the saved connmark is restored
# first, only packets still carrying mark 0 (i.e. the first packet of a
# connection) are sent to the calculate_* chains, and the result is written
# back to the connection at the end.
iptables -t mangle -A PREROUTING -j CONNMARK --restore-mark
# LAN -> anywhere outside 192.168.0.0/16 is an outgoing connection.
# NOTE(review): the intrapositioned negation "-d ! x" is the pre-1.4.3
# syntax; newer iptables releases want "! -d x" (and eventually reject the
# old form), so keep that in mind when this script is moved to a newer box.
iptables -t mangle -A PREROUTING -s 192.168.0.0/24 -d ! 192.168.0.0/16 -m mark --mark 0 -j calculate_outgoing_mark
# Non-LAN -> one of the two public /29s is an incoming connection.
# Only sources outside 192.168.0.0/24 qualify, so a spoofed LAN source on
# eth3 is classified by the outgoing rule above instead.
iptables -t mangle -A PREROUTING -s ! 192.168.0.0/24 -d 60.190.72.176/29 -m mark --mark 0 -j calculate_incoming_mark
iptables -t mangle -A PREROUTING -s ! 192.168.0.0/24 -d 221.12.164.192/29 -m mark --mark 0 -j calculate_incoming_mark
iptables -t mangle -A PREROUTING -j CONNMARK --save-mark




######################################################
# nat table
######################################################
# Start from a clean nat table: flush every built-in chain, delete all
# user-defined chains, then recreate the two per-ISP port-forward chains.
iptables -t nat -F
iptables -t nat -X
iptables -t nat -N telecom_portmap
iptables -t nat -N cnc_portmap

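######################################
# telecom_portmap chain
######################################
# DNAT rules for connections arriving on the telecom /29 (60.190.72.178-182).
# First match wins inside this chain, so a later rule with the same
# address/protocol/port is unreachable.  Everything mapped here is reachable
# from the whole Internet: the filter table's FORWARD policy is ACCEPT, so
# the DNAT rule itself is the only gate -- add "-s <trusted range>" on any
# mapping that does not need to be public.

# server 1 (rdc port)
iptables -t nat -A telecom_portmap -d 60.190.72.178 -p tcp -m tcp --dport 8936 -j DNAT --to-destination 192.168.0.245
iptables -t nat -A telecom_portmap -d 60.190.72.178 -p udp -m udp --dport 27016 -j DNAT --to-destination 192.168.0.245:27016
iptables -t nat -A telecom_portmap -d 60.190.72.178 -p udp -m udp --dport 27015 -j DNAT --to-destination 192.168.0.245:27015

# server czk (ftp/ssh/http/https/samba)
iptables -t nat -A telecom_portmap -d 60.190.72.181 -p tcp -m tcp --dport 22 -j DNAT --to-destination 192.168.0.248
iptables -t nat -A telecom_portmap -d 60.190.72.181 -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.0.248
iptables -t nat -A telecom_portmap -d 60.190.72.181 -p tcp -m tcp --dport 443 -j DNAT --to-destination 192.168.0.248
# SMB (445) on a non-standard outside port is still SMB exposed to the
# Internet; restrict the source or reach it over the VPN instead.  SMB runs
# over TCP -- the udp/445 mapping is kept as-is, but confirm it is needed.
iptables -t nat -A telecom_portmap -d 60.190.72.181 -p tcp -m tcp --dport 60445 -j DNAT --to-destination 192.168.0.248:445
iptables -t nat -A telecom_portmap -d 60.190.72.181 -p udp -m udp --dport 60445 -j DNAT --to-destination 192.168.0.248:445
iptables -t nat -A telecom_portmap -d 60.190.72.181 -p udp -m udp --dport 51194 -j DNAT --to-destination 192.168.0.248:51194
# Inside ports 1080 / 9050 / 8118 / 9051 are the conventional ports of a
# SOCKS proxy, Tor's SOCKS listener, Privoxy and Tor's control port.  If
# that is what listens there, verify each service authenticates its
# clients; an unauthenticated SOCKS/HTTP proxy published this way is an open
# relay, and an exposed Tor ControlPort hands over the whole daemon.
iptables -t nat -A telecom_portmap -d 60.190.72.181 -p tcp -m tcp --dport 62080 -j DNAT --to-destination 192.168.0.248:1080
iptables -t nat -A telecom_portmap -d 60.190.72.181 -p tcp -m tcp --dport 62081 -j DNAT --to-destination 192.168.0.248:9050
iptables -t nat -A telecom_portmap -d 60.190.72.181 -p tcp -m tcp --dport 62082 -j DNAT --to-destination 192.168.0.248:8118
# (the original carried this 62083 rule twice; the exact duplicate is dropped)
iptables -t nat -A telecom_portmap -d 60.190.72.181 -p tcp -m tcp --dport 62083 -j DNAT --to-destination 192.168.0.248:9051
# 1723/tcp is PPTP; its MS-CHAPv2 authentication is widely regarded as
# broken.  Note also that PPTP needs GRE forwarded as well, which no rule
# here handles -- confirm the nf_nat_pptp helper is loaded if this is used.
iptables -t nat -A telecom_portmap -d 60.190.72.181 -p tcp -m tcp --dport 1723 -j DNAT --to-destination 192.168.0.248:1723

# same port inside and outside (no port rewrite)
iptables -t nat -A telecom_portmap -d 60.190.72.181 -p tcp -m tcp --dport 50080 -j DNAT --to-destination 192.168.0.248
iptables -t nat -A telecom_portmap -d 60.190.72.181 -p tcp -m tcp --dport 50022 -j DNAT --to-destination 192.168.0.248
iptables -t nat -A telecom_portmap -d 60.190.72.181 -p tcp -m tcp --dport 51080 -j DNAT --to-destination 192.168.0.248

# server 2 (http/https/samba/ftp/ssh)
iptables -t nat -A telecom_portmap -d 60.190.72.182 -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.0.252
iptables -t nat -A telecom_portmap -d 60.190.72.182 -p tcp -m tcp --dport 22 -j DNAT --to-destination 192.168.0.252
#iptables -t nat -A telecom_portmap -d 60.190.72.182 -p tcp -m tcp --dport 443 -j DNAT --to-destination 192.168.0.252
# same SMB caveat as for server czk above
iptables -t nat -A telecom_portmap -d 60.190.72.182 -p tcp -m tcp --dport 60445 -j DNAT --to-destination 192.168.0.252:445
iptables -t nat -A telecom_portmap -d 60.190.72.182 -p udp -m udp --dport 60445 -j DNAT --to-destination 192.168.0.252:445

#for jiankong (monitoring host 192.168.0.221)
iptables -t nat -A telecom_portmap -d 60.190.72.182 -p tcp -m tcp --dport 50000 -j DNAT --to-destination 192.168.0.221
iptables -t nat -A telecom_portmap -d 60.190.72.182 -p tcp -m tcp --dport 50001 -j DNAT --to-destination 192.168.0.221
iptables -t nat -A telecom_portmap -d 60.190.72.182 -p tcp -m tcp --dport 50002 -j DNAT --to-destination 192.168.0.221
iptables -t nat -A telecom_portmap -d 60.190.72.182 -p tcp -m tcp --dport 50003 -j DNAT --to-destination 192.168.0.221
iptables -t nat -A telecom_portmap -d 60.190.72.182 -p tcp -m tcp --dport 55000 -j DNAT --to-destination 192.168.0.221
iptables -t nat -A telecom_portmap -d 60.190.72.182 -p tcp -m tcp --dport 51000 -j DNAT --to-destination 192.168.0.221

#for 192.168.0.246
iptables -t nat -A telecom_portmap -d 60.190.72.178 -p tcp -m tcp --dport 26500 -j DNAT --to-destination 192.168.0.246
# 3389/tcp (RDP) open to the Internet is a standard brute-force target;
# restrict the source range or move it behind the VPN.
iptables -t nat -A telecom_portmap -d 60.190.72.178 -p tcp -m tcp --dport 3389 -j DNAT --to-destination 192.168.0.246
# NOTE(review): the two udp 27015/27016 rules below are shadowed by the
# "server 1" rules at the top of this chain (same -d, -p and --dport) and
# can never match.  Delete them, or delete the server 1 pair if
# 192.168.0.246 is the host that should own these ports now.
iptables -t nat -A telecom_portmap -d 60.190.72.178 -p udp -m udp --dport 27015 -j DNAT --to-destination 192.168.0.246
iptables -t nat -A telecom_portmap -d 60.190.72.178 -p udp -m udp --dport 27016 -j DNAT --to-destination 192.168.0.246
iptables -t nat -A telecom_portmap -d 60.190.72.178 -p udp -m udp --dport 7000 -j DNAT --to-destination 192.168.0.246
iptables -t nat -A telecom_portmap -d 60.190.72.178 -p udp -m udp --dport 7001 -j DNAT --to-destination 192.168.0.246
iptables -t nat -A telecom_portmap -d 60.190.72.178 -p udp -m udp --dport 7002 -j DNAT --to-destination 192.168.0.246
iptables -t nat -A telecom_portmap -d 60.190.72.178 -p udp -m udp --dport 7003 -j DNAT --to-destination 192.168.0.246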

######################################
# cnc_portmap chain
######################################
# DNAT rules for connections arriving on the cnc /29 (221.12.164.194-198);
# same inside hosts as telecom_portmap (.194 <-> .178, .197 <-> .181,
# .198 <-> .182).  Only the basic services are published on this side --
# the proxy/PPTP/RDP/monitoring forwards of the telecom side are absent,
# presumably on purpose; confirm before adding them here.
# All of these are reachable from the whole Internet (FORWARD policy is
# ACCEPT), so the DNAT rule is the only gate.
iptables -t nat -A cnc_portmap -d 221.12.164.194 -p tcp -m tcp --dport 8936 -j DNAT --to-destination 192.168.0.245
iptables -t nat -A cnc_portmap -d 221.12.164.197 -p tcp -m tcp --dport 22 -j DNAT --to-destination 192.168.0.248
iptables -t nat -A cnc_portmap -d 221.12.164.197 -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.0.248
iptables -t nat -A cnc_portmap -d 221.12.164.197 -p tcp -m tcp --dport 443 -j DNAT --to-destination 192.168.0.248
# SMB (445) on a non-standard outside port is still SMB exposed to the
# Internet; restrict the source or reach it over the VPN.  SMB runs over
# TCP -- confirm the udp/445 mapping is actually needed.
iptables -t nat -A cnc_portmap -d 221.12.164.197 -p tcp -m tcp --dport 60445 -j DNAT --to-destination 192.168.0.248:445
iptables -t nat -A cnc_portmap -d 221.12.164.197 -p udp -m udp --dport 60445 -j DNAT --to-destination 192.168.0.248:445
iptables -t nat -A cnc_portmap -d 221.12.164.198 -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.0.252
iptables -t nat -A cnc_portmap -d 221.12.164.198 -p tcp -m tcp --dport 22 -j DNAT --to-destination 192.168.0.252
#iptables -t nat -A cnc_portmap -d 221.12.164.198 -p tcp -m tcp --dport 443 -j DNAT --to-destination 192.168.0.252
iptables -t nat -A cnc_portmap -d 221.12.164.198 -p tcp -m tcp --dport 60445 -j DNAT --to-destination 192.168.0.252:445
iptables -t nat -A cnc_portmap -d 221.12.164.198 -p udp -m udp --dport 60445 -j DNAT --to-destination 192.168.0.252:445

######################################
# PREROUTING chain
######################################
#port map
# Dispatch by destination /29 into the per-ISP DNAT chains.  The ranges
# cover the five usable addresses of each block (.178-.182 and .194-.198);
# the gateway addresses (.177 / .193) are deliberately excluded.
iptables -t nat -A PREROUTING -m iprange --dst-range 60.190.72.178-60.190.72.182 -j telecom_portmap
iptables -t nat -A PREROUTING -m iprange --dst-range 221.12.164.194-221.12.164.198 -j cnc_portmap

# redirect web to squid (disabled; left for reference)
#iptables -t nat -A PREROUTING -s 192.168.0.0/24 -d ! 192.168.0.0/16 -p tcp -m tcp --dport 80 -j REDIRECT --to-port 3128

######################################
# POSTROUTING chain
######################################
# Source-NAT each outgoing connection to the public address its connmark
# selected.  The 0xF0FF mask requires the direction nibble to be 0x1
# (outgoing) and reads the ISP and IP-index nibbles; the auto/manual
# nibble is deliberately ignored.
#
# telecom: 0x1011..0x1015 -> 60.190.72.178-182
for idx in 1 2 3 4 5; do
    iptables -t nat -A POSTROUTING -m connmark --connmark 0x101${idx}/0xF0FF -j SNAT --to-source 60.190.72.$((177 + idx))
done

# cnc: 0x1021..0x1025 -> 221.12.164.194-198
for idx in 1 2 3 4 5; do
    iptables -t nat -A POSTROUTING -m connmark --connmark 0x102${idx}/0xF0FF -j SNAT --to-source 221.12.164.$((193 + idx))
done


####################################################
####################################################
# filter table             
####################################################
####################################################
# Flush the built-in chains (user-defined filter chains are NOT deleted --
# there is no "-X" here, unlike the nat table).
iptables -t filter -F
# WARNING(review): all three policies are ACCEPT.  INPUT ACCEPT means every
# service listening on the router itself is reachable from eth3; FORWARD
# ACCEPT means the DNAT rules in the nat table are the only thing limiting
# what reaches the LAN, and nothing blocks packets with a 192.168.0.0/24
# source arriving on eth3.  At minimum consider
#   iptables -A FORWARD -i eth3 -s 192.168.0.0/24 -j DROP
# and a conntrack "ESTABLISHED,RELATED" + explicit-allow set for INPUT.
iptables -t filter -P INPUT ACCEPT
iptables -t filter -P OUTPUT ACCEPT
iptables -t filter -P FORWARD ACCEPT

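######################################
# FORWARD chain
######################################
# The FORWARD policy is ACCEPT (set above), so the rules here are the only
# restrictions on forwarded traffic.
#iptables -A FORWARD -p tcp --syn -s ! 192.168.0.251/29 -m connlimit --connlimit-above 50 -j LOG --log-prefix "connlimit: "
#iptables -A FORWARD -p tcp --syn -s ! 192.168.0.251/29 -m connlimit --connlimit-above 50 -j DROP

# Cap each client in 192.168.0.1-180 at 50 concurrent TCP connections
# (connlimit counts per source /32 by default); addresses above .180 are
# not limited.  Excess SYNs are logged, then dropped.
# The LOG rule is rate-limited: without it every excess SYN from a host
# stuck above the cap writes a kernel log line, which is an easy way for a
# misbehaving client to flood syslog.
iptables -A FORWARD -p tcp --syn -m iprange --src-range 192.168.0.1-192.168.0.180 -m connlimit --connlimit-above 50 -m limit --limit 10/minute --limit-burst 20 -j LOG --log-prefix "connlimit: "
iptables -A FORWARD -p tcp --syn -m iprange --src-range 192.168.0.1-192.168.0.180 -m connlimit --connlimit-above 50 -j DROP 

# P2P blocking (ipp2p match) is disabled; left for reference.
#iptables -A FORWARD -s ! 192.168.0.251/29 -m ipp2p --ipp2p --bit -j LOG --log-prefix "ipp2p: "
#iptables -A FORWARD -s ! 192.168.0.251/29 -m ipp2p --ipp2p --bit -j DROP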

####################################################
# Connection-mark layout: one nibble per field, each written under its own
# mask so the fields can be set independently.
#
# which IP (mask 0x000F): index of the public address within the ISP's /29
#  0x1: through ip 1
#  0x2: through ip 2
#  0x3: through ip 3
#  0x4: through ip 4
#  0x5: through ip 5
#
# ISP (mask 0x00F0):
#  0x10: through telecom
#  0x20: through cnc
#
# ISP selection mode (mask 0x0F00):
#  0x100: manual choose telecom/cnc (fixed by ingress interface)
#  0x200: auto choose telecom/cnc (chosen per destination)
#
# direction (mask 0xF000):
#  0x1000: outgoing (originated on the LAN)
#  0x2000: incoming (arrived on a public address)
####################################################
