iptables -A FORWARD -p tcp --sport 137:139 -o eth1 -j DROP

iptables -A FORWARD -p udp --sport 137:139 -o eth1 -j DROP

iptables -A OUTPUT -p tcp --sport 137:139 -o eth1 -j DROP

iptables -A OUTPUT -p udp --sport 137:139 -o eth1 -j DROP

iptables -A FORWARD -s ! $PRIVATE -i eth0 -j DROP

iptables -A INPUT -s $LOOP -j ACCEPT

iptables -A INPUT -d $LOOP -j ACCEPT

iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT

iptables -A INPUT -p tcp --dport http -j ACCEPT

iptables -A INPUT -p tcp --dport ssh -j ACCEPT

iptables -A INPUT -p udp --dport 5000 -j ACCEPT #openvpn默认使用udp 5000端口

iptables -A INPUT -i tun+ -j ACCEPT

iptables -A FORWARD -i tun+ -j ACCEPT #这两句很重要

iptables -A INPUT -i tap+ -j ACCEPT

iptables -A FORWARD -i tap+ -j ACCEPT

iptables -A INPUT -i eth0 -j ACCEPT

iptables -A FORWARD -i eth0 -j ACCEPT

iptables -A OUTPUT -m state --state NEW -o eth1 -j ACCEPT

iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

iptables -A FORWARD -m state --state NEW -o eth1 -j ACCEPT

iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

iptables -t nat -A POSTROUTING -s $PRIVATE -o eth1 -j MASQUERADE

office.up脚本配置如下：

#!/bin/bash

route add -net 192.168.0.0 netmask 255.255.255.0 gw 10.1.0.2 #此处是对端的vpn ip地址

openvpn-startup.sh脚本配置如下：

#!/bin/bash

dir=/etc/openvpn

$dir/firewall.sh

modprobe tun

echo 1 > /proc/sys/net/ipv4/ip_forward