


firewall

81 - cluster14 173.16.1.57

89 - orbita88 173.16.0.11

4101 - ura2:3333 (u-r01-r01) eth
4102 - ura2:42000 (u-r01-r01) zec
4103 - ura1:42000 (home1) zec
4104 - ura1:3334 (home1) xmr
4105 - ura2:3334 (u-r01-r01) xmr
4106 - ura1:3333 (home1) eth
4107 - ura2:3335 (u-r01-r01) rvn
4108 - ura1:3335 (home1) rvn
4109 - ura1:4067 (home1) sero
4110 - 173.16.0.57:4067 (f002) sero

4211 - cluster11:80
4212 - cluster12:80
4213 - cluster13:80
4214 - cluster14:80

8001 - work1:80
8002 - work2:80


/etc/systemd/system/firewall.service
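[Unit]
Description=Firewall
# NOTE(review): the rules are loaded after network.target, so interfaces can be
# up before they are applied. With the ACCEPT policies in rules.sh this opens
# nothing extra; if filtering rules are added later, order the unit before
# network-pre.target instead — confirm against the rest of the boot setup.
After=network.target
After=syslog.target

[Service]
# rules.sh applies the iptables rules and exits without leaving a daemon, so
# there is no forked process for Type=forking to track. oneshot with
# RemainAfterExit keeps the unit "active" after a successful run and marks it
# failed if the script exits with a non-zero status.
Type=oneshot
RemainAfterExit=yes
ExecStart=/etc/firewall/rules.sh

[Install]
WantedBy=multi-user.target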

/etc/firewall/rules.sh
#!/bin/bash
# Rebuilds the iptables rule set for a NAT gateway from scratch and writes a
# snapshot of the result to /etc/firewall/rules.
#
# NOTE(review): all three built-in filter chains are left at policy ACCEPT and
# no DROP/REJECT rule is added, so this script provides NAT only; it does not
# filter traffic to or through the host.
# NOTE(review): only IPv4 is configured (no ip6tables calls), and the script
# does not set net.ipv4.ip_forward — presumably enabled elsewhere; verify.

ipt=/sbin/iptables
ipt_save=/sbin/iptables-save

# -------------------------------
# Start clean: flush the filter, nat and mangle tables. User-defined chains
# and the raw/security tables are not touched.
for table in filter nat mangle; do
    "$ipt" -t "$table" -F
done

# Default policy for every built-in filter chain is ACCEPT.
for chain in INPUT OUTPUT FORWARD; do
    "$ipt" -P "$chain" ACCEPT
done

# -------------------------------
# Force TTL=65 on every packet leaving the host, forwarded ones included.
# NOTE(review): a fixed TTL on forwarded packets defeats hop-count loop
# protection; confirm this is intended.
"$ipt" -t mangle -A POSTROUTING -j TTL --ttl-set 65

# -------------------------------
# vpn
# NOTE(review): 173.0.0.0/8 is not RFC 1918 private space (172.16.0.0/12 is),
# so these rules also match traffic to public hosts in that range — confirm
# this is the intended VPN network.
vpn_net=173.0.0.0/8
for proto in icmp udp tcp; do
    "$ipt" -t nat -A POSTROUTING -p "$proto" -d "$vpn_net" -j MASQUERADE
    # Redundant while the FORWARD policy is ACCEPT; matters only if the policy
    # is tightened later.
    "$ipt" -A FORWARD -p "$proto" -d "$vpn_net" -j ACCEPT
done

# -------------------------------
# Source-NAT everything that leaves through the uplink interfaces.
for iface in eth0 wlan0; do
    "$ipt" -t nat -A POSTROUTING -p all -o "$iface" -j MASQUERADE
done
# -------------------------------

# -------------------------------
# Dump the active rule set so it can be inspected or restored later.
"$ipt_save" > /etc/firewall/rules
>$ systemctl enable firewall.service

ura/urx/firewall.txt · Последнее изменение: 2022/02/19 15:53 — ura2404