Вывод команды 'iptables -t mangle -nvL' для схемы на рис. 2
Chain PREROUTING (policy ACCEPT ) target prot opt in out source destination05_LAN_INET_MARK all -- eth0 * 192.168.0.0/24 !192.168.0.0/16 05_LAN_INET_MARK all -- ppp+ * 192.168.1.0/24 !192.168.0.0/16 05_LAN_INET_MARK all -- tun0 * 192.168.4.0/24 !192.168.0.0/1608_DMZ_INET_MARK all -- eth2 * 203.0.113.0/29 !192.168.0.0/16Chain INPUT (policy ACCEPT ) target prot opt in out source destination Chain FORWARD (policy ACCEPT ) target prot opt in out source destination05_LAN_INET all -- eth0 eth1 192.168.0.0/24 !192.168.0.0/16 05_LAN_INET all -- ppp+ eth1 192.168.1.0/24 !192.168.0.0/16 05_LAN_INET_ISP2 all -- eth0 eth3 192.168.0.0/24 !192.168.0.0/16 05_LAN_INET_ISP2 all -- ppp+ eth3 192.168.1.0/24 !192.168.0.0/16 06_INET_LAN all -- eth3 eth0 !192.168.0.0/16 192.168.0.0/24 06_INET_LAN all -- eth3 ppp+ !192.168.0.0/16 192.168.1.0/24 06_INET_LAN_ISP1 all -- eth1 eth0 !192.168.0.0/16 192.168.0.0/24 06_INET_LAN_ISP1 all -- eth1 ppp+ !192.168.0.0/16 192.168.1.0/2407_INET_DMZ all -- eth1 eth2 !192.168.0.0/16 203.0.113.0/29 07_INET_DMZ_ISP2 all -- eth3 eth2 !192.168.0.0/16 203.0.113.0/29 08_DMZ_INET all -- eth2 eth1 203.0.113.0/29 !192.168.0.0/16 08_DMZ_INET_ISP2 all -- eth2 eth3 203.0.113.0/29 !192.168.0.0/16Chain OUTPUT (policy ACCEPT ) target prot opt in out source destination04_GW_INET_MARK all -- * eth1 198.51.100.2 !192.168.0.0/1606_INET_LAN all -- * eth0 0.0.0.0/0 192.168.0.0/24 connmark match 0x3128 tos match !0x88/0xff 06_INET_LAN all -- * ppp+ 0.0.0.0/0 192.168.1.0/24 connmark match 0x3128 tos match !0x88/0xffChain POSTROUTING (policy ACCEPT ) target prot opt in out source destination CONNMARK all -- * eth3 198.51.100.2 0.0.0.0/0 CONNMARK xset 0x500/0xffffffffChain 04_GW_INET_MARK (1 references) target prot opt in out source destination RETURN tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:25 state NEW RETURN tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:53 state NEW RETURN udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:53 state NEW CONNMARK all -- * * 0.0.0.0/0 0.0.0.0/0 state NEW CONNMARK xset 0x500/0xffffffff MARK all -- * * 0.0.0.0/0 0.0.0.0/0 connmark match 0x500 MARK xset 0x4/0xffffffffChain 05_LAN_INET (2 references) target prot opt in out source destination CLASSIFY all -- * * 0.0.0.0/0 0.0.0.0/0 CLASSIFY set 6:13 CLASSIFY tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x17/0x10 length 0:100 CLASSIFY set 6:11 CLASSIFY udp -- * * 0.0.0.0/0 0.0.0.0/0 udp spt:53 CLASSIFY set 6:11 CLASSIFY tcp -- * * 0.0.0.0/0 0.0.0.0/0 multiport sports 53,123,3389 CLASSIFY set 6:11 CLASSIFY tcp -- * * 0.0.0.0/0 0.0.0.0/0 multiport sports 80,123,443,3128,3129,1521 CLASSIFY set 6:12 CLASSIFY tcp -- * * 0.0.0.0/0 0.0.0.0/0 helper match "ftp" CLASSIFY set 6:12 Chain 05_LAN_INET_ISP2 (2 references) target prot opt in out source destination CLASSIFY all -- * * 0.0.0.0/0 0.0.0.0/0 CLASSIFY set 6:23 CLASSIFY tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x17/0x10 length 0:100 CLASSIFY set 6:21 CLASSIFY udp -- * * 0.0.0.0/0 0.0.0.0/0 udp spt:53 CLASSIFY set 6:21 CLASSIFY tcp -- * * 0.0.0.0/0 0.0.0.0/0 multiport sports 53,123,3389 CLASSIFY set 6:21 CLASSIFY tcp -- * * 0.0.0.0/0 0.0.0.0/0 multiport sports 80,123,443,3128,3129,1521 CLASSIFY set 6:22 CLASSIFY tcp -- * * 0.0.0.0/0 0.0.0.0/0 helper match "ftp" CLASSIFY set 6:22 Chain 05_LAN_INET_MARK (3 references) target prot opt in out source destination RETURN all -- * * 0.0.0.0/0 198.51.100.0/30 RETURN all -- * * 192.168.1.3 0.0.0.0/0 RETURN all -- * * 0.0.0.0/0 203.0.113.0/29 RETURN all -- * * 0.0.0.0/0 192.168.255.0/24 CONNMARK tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:3389 state NEW CONNMARK xset 0x3389/0xffffffff RETURN tcp -- * * 0.0.0.0/0 0.0.0.0/0 connmark match 0x3389 CONNMARK all -- * * 0.0.0.0/0 0.0.0.0/0 state NEW CONNMARK xset 0x400/0xffffffff MARK all -- * * 0.0.0.0/0 0.0.0.0/0 connmark match 0x400 MARK xset 0x4/0xffffffff Chain 06_INET_LAN (4 references) target prot opt in out source destination CLASSIFY all -- * * 0.0.0.0/0 0.0.0.0/0 CLASSIFY set 4:23 CLASSIFY tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x17/0x10 length 0:100 CLASSIFY set 4:21 CLASSIFY udp -- * * 0.0.0.0/0 0.0.0.0/0 udp spt:53 CLASSIFY set 4:21 CLASSIFY tcp -- * * 0.0.0.0/0 0.0.0.0/0 multiport sports 53,123,3389 CLASSIFY set 4:21 CLASSIFY tcp -- * * 0.0.0.0/0 0.0.0.0/0 multiport sports 80,123,443,3128,3129,1521 CLASSIFY set 4:22 CLASSIFY tcp -- * * 0.0.0.0/0 0.0.0.0/0 helper match "ftp" CLASSIFY set 4:22 CLSFY_19216811 all -- * * 0.0.0.0/0 192.168.1.1 CLSFY_19216813 all -- * * 0.0.0.0/0 192.168.1.3 CLSFY_192168013 all -- * * 0.0.0.0/0 192.168.0.13 Chain 06_INET_LAN_ISP1 (2 references) target prot opt in out source destination CLASSIFY all -- * * 0.0.0.0/0 0.0.0.0/0 CLASSIFY set 4:13 CLASSIFY tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x17/0x10 length 0:100 CLASSIFY set 4:11 CLASSIFY udp -- * * 0.0.0.0/0 0.0.0.0/0 udp spt:53 CLASSIFY set 4:11 CLASSIFY tcp -- * * 0.0.0.0/0 0.0.0.0/0 multiport sports 53,123,3389 CLASSIFY set 4:11 CLASSIFY tcp -- * * 0.0.0.0/0 0.0.0.0/0 multiport sports 80,123,443,3128,3129,1521 CLASSIFY set 4:12 CLASSIFY tcp -- * * 0.0.0.0/0 0.0.0.0/0 helper match "ftp" CLASSIFY set 4:12Chain 07_INET_DMZ (1 references) target prot opt in out source destination CLASSIFY all -- * * 0.0.0.0/0 0.0.0.0/0 CLASSIFY set 4:1b CLASSIFY tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x17/0x10 length 0:100 CLASSIFY set 4:19 CLASSIFY udp -- * * 0.0.0.0/0 0.0.0.0/0 udp spt:53 CLASSIFY set 4:19 CLASSIFY tcp -- * * 0.0.0.0/0 0.0.0.0/0 multiport sports 53,123,3389 CLASSIFY set 4:19 CLASSIFY tcp -- * * 0.0.0.0/0 0.0.0.0/0 multiport sports 80,123,443,3128,3129,1521 CLASSIFY set 4:1a CLASSIFY tcp -- * * 0.0.0.0/0 0.0.0.0/0 helper match "ftp" CLASSIFY set 4:1a Chain 07_INET_DMZ_ISP2 (1 references) target prot opt in out source destination CLASSIFY all -- * * 0.0.0.0/0 0.0.0.0/0 CLASSIFY set 4:2b CLASSIFY tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x17/0x10 length 0:100 CLASSIFY set 4:29 CLASSIFY udp -- * * 0.0.0.0/0 0.0.0.0/0 udp spt:53 CLASSIFY set 4:29 CLASSIFY tcp -- * * 0.0.0.0/0 0.0.0.0/0 multiport sports 53,123,3389 CLASSIFY set 4:29 CLASSIFY tcp -- * * 0.0.0.0/0 0.0.0.0/0 multiport sports 80,123,443,3128,3129,1521 CLASSIFY set 4:2a CLASSIFY tcp -- * * 0.0.0.0/0 0.0.0.0/0 helper match "ftp" CLASSIFY set 4:2a Chain 08_DMZ_INET (1 references) target prot opt in out source destination CLASSIFY all -- * * 0.0.0.0/0 0.0.0.0/0 CLASSIFY set 6:1b CLASSIFY tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x17/0x10 length 0:100 CLASSIFY set 6:19 CLASSIFY udp -- * * 0.0.0.0/0 0.0.0.0/0 udp spt:53 CLASSIFY set 6:19 CLASSIFY tcp -- * * 0.0.0.0/0 0.0.0.0/0 multiport sports 53,123,3389 CLASSIFY set 6:19 CLASSIFY tcp -- * * 0.0.0.0/0 0.0.0.0/0 multiport sports 80,123,443,3128,3129,1521 CLASSIFY set 6:1a CLASSIFY tcp -- * * 0.0.0.0/0 0.0.0.0/0 helper match "ftp" CLASSIFY set 6:1a Chain 08_DMZ_INET_ISP2 (1 references) target prot opt in out source destination CLASSIFY all -- * * 0.0.0.0/0 0.0.0.0/0 CLASSIFY set 6:2b CLASSIFY tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x17/0x10 length 0:100 CLASSIFY set 6:29 CLASSIFY udp -- * * 0.0.0.0/0 0.0.0.0/0 udp spt:53 CLASSIFY set 6:29 CLASSIFY tcp -- * * 0.0.0.0/0 0.0.0.0/0 multiport sports 53,123,3389 CLASSIFY set 6:29 CLASSIFY tcp -- * * 0.0.0.0/0 0.0.0.0/0 multiport sports 80,123,443,3128,3129,1521 CLASSIFY set 6:2a CLASSIFY tcp -- * * 0.0.0.0/0 0.0.0.0/0 helper match "ftp" CLASSIFY set 6:2a Chain 08_DMZ_INET_MARK (1 references) target prot opt in out source destination CONNMARK all -- * * 0.0.0.0/0 0.0.0.0/0 state NEW CONNMARK xset 0x800/0xffffffff MARK all -- * * 0.0.0.0/0 0.0.0.0/0 connmark match 0x800 MARK xset 0x4/0xffffffffChain CLSFY_192168013 (1 references) target prot opt in out source destination CLASSIFY all -- * * 0.0.0.0/0 0.0.0.0/0 CLASSIFY set 4:3b CLASSIFY tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x17/0x10 length 0:100 CLASSIFY set 4:39 CLASSIFY udp -- * * 0.0.0.0/0 0.0.0.0/0 udp spt:53 CLASSIFY set 4:39 CLASSIFY tcp -- * * 0.0.0.0/0 0.0.0.0/0 multiport sports 53,123,3389 CLASSIFY set 4:39 CLASSIFY tcp -- * * 0.0.0.0/0 0.0.0.0/0 multiport sports 80,123,443,3128,3129,1521 CLASSIFY set 4:3a CLASSIFY tcp -- * * 0.0.0.0/0 0.0.0.0/0 helper match "ftp" CLASSIFY set 4:3a Chain CLSFY_19216811 (1 references) target prot opt in out source destination CLASSIFY all -- * * 0.0.0.0/0 0.0.0.0/0 CLASSIFY set 4:33 CLASSIFY tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x17/0x10 length 0:100 CLASSIFY set 4:31 CLASSIFY udp -- * * 0.0.0.0/0 0.0.0.0/0 udp spt:53 CLASSIFY set 4:31 CLASSIFY tcp -- * * 0.0.0.0/0 0.0.0.0/0 multiport sports 53,123,3389 CLASSIFY set 4:31 CLASSIFY tcp -- * * 0.0.0.0/0 0.0.0.0/0 multiport sports 80,123,443,3128,3129,1521 CLASSIFY set 4:32 CLASSIFY tcp -- * * 0.0.0.0/0 0.0.0.0/0 helper match "ftp" CLASSIFY set 4:32 Chain CLSFY_19216813 (1 references) target prot opt in out source destination CLASSIFY all -- * * 0.0.0.0/0 0.0.0.0/0 CLASSIFY set 4:37 CLASSIFY tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x17/0x10 length 0:100 CLASSIFY set 4:35 CLASSIFY udp -- * * 0.0.0.0/0 0.0.0.0/0 udp spt:53 CLASSIFY set 4:35 CLASSIFY tcp -- * * 0.0.0.0/0 0.0.0.0/0 multiport sports 53,123,3389 CLASSIFY set 4:35 CLASSIFY tcp -- * * 0.0.0.0/0 0.0.0.0/0 multiport sports 80,123,443,3128,3129,1521 CLASSIFY set 4:36 CLASSIFY tcp -- * * 0.0.0.0/0 0.0.0.0/0 helper match "ftp" CLASSIFY set 4:36