Firewall with iproute2 for 2 links with fixed IPs

Published by Eduardo Gomes (last updated 22/10/2009)

Here is a working firewall for anyone who wants high availability for their website, e-mail and POP3 and still wants to connect remotely with Terminal Server.

Of course, I owe a lot of thanks to Tiago, author of the article:

http://www.vivaolinux.com.br/artigo/Roteamento-de-entrada-saida-com-iproute-e-iptables

from which I benefited greatly.

  




#!/bin/bash
IPTABLES=$(which iptables)
SYSCTL=$(which sysctl)   # used by the sysctl blocks below; when empty the script writes to /proc directly
# -----------------------
# The routing tables "net" and "gvt" used below must be listed in /etc/iproute2/rt_tables
WAN1_NAME="net"
WAN1_IF="eth0"
WAN1_IP="201.100.9.3"
WAN1_GW="201.100.9.1"
WAN1_NET="201.100.9.0/24"
WAN1_MARK=201
WAN1_WEIGHT=8
# -----------------------
WAN2_NAME="gvt"
WAN2_IF="eth1"
WAN2_IP="200.13.6.35"
WAN2_GW="200.13.6.33"
WAN2_NET="200.13.6.0/24"
WAN2_MARK=200
WAN2_WEIGHT=4
# -----------------------
LAN_IF="eth3"
LAN_IP="10.10.2.3"
LAN_NET="10.10.2.0/26"
LAN_BCAST="10.10.2.62"
# -----------------------
LAN2_IF="eth2"
LAN2_IP="10.10.1.5"
LAN2_NET="10.10.1.0/27"
LAN2_BCAST="10.10.1.30"
# -----------------------
LO_IF="lo"
LO_IP="127.0.0.1"
LO_NET="127.0.0.0/8"
# -----------------------
case $1 in 
   start)
      echo "|=====================================================|"
      echo "|:Script de Firewall - IPTABLES             _                                                             |"
      echo "|:Criado por: Eduardo Gomes             °v°                                                            |"
      echo "|:Técnico em Informática                  /(_)\                                                           |"
      echo "|:suportlinux@yahoo.com.br               ^ ^                                                           |"
      echo "|:Uso: /etc/init.d/firewall                                                                                     |"
      echo "|:$HOSTNAME:.............................ok:                                                                 |"
      echo "|=====================================================|"
      $IPTABLES -F
      $IPTABLES -Z
      $IPTABLES -X
      $IPTABLES -F -t nat
      $IPTABLES -X -t nat
      $IPTABLES -F -t mangle
      $IPTABLES -X -t mangle
      $IPTABLES -Z -t mangle
      echo "|:As regras de firewall foram limpas com sucesso     :|"
      # Loopback first: local services (resolver, MTA) would otherwise hit the final REJECT
      $IPTABLES -A INPUT -i $LO_IF -j ACCEPT
      $IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
      $IPTABLES -N REJECT-SSH
      $IPTABLES -A REJECT-SSH -j DROP -m recent --rcheck --name SSH --seconds 60 --hitcount 10
      $IPTABLES -A REJECT-SSH -j LOG --log-prefix SSH-Bruteforce:
      $IPTABLES -A REJECT-SSH -j REJECT -p tcp --reject-with tcp-reset
      $IPTABLES -A REJECT-SSH -j REJECT
      echo "|:Regras de reject-and-log-SSH-Bruteforce ativas     :|"
      $IPTABLES -N ssh
      $IPTABLES -N blacklist
      $IPTABLES -A blacklist -m recent --name blacklist --set
      $IPTABLES -A blacklist -j LOG --log-prefix 'SSH REJECTED: '
      $IPTABLES -A blacklist -j REJECT
      $IPTABLES -A ssh -m recent --set --name couting1
      $IPTABLES -A ssh -m recent --update --name couting1 --seconds 20 --hitcount 3 -j blacklist
      $IPTABLES -A ssh -j ACCEPT
      echo "|:Regras de blacklist SSH ativadas com sucesso       :|"
      $IPTABLES -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --update --name SSH --seconds 60 --hitcount 4 -j REJECT-SSH
      $IPTABLES -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --set --name SSH
      echo "|:Kill SSH Brute-force attacks ativado com sucesso   :|"
      echo "|=====================================================|"
      echo "|:Regras de input:.................................ok:|"
      $IPTABLES -A INPUT -p tcp --dport 22 -j ACCEPT
      $IPTABLES -A INPUT -p tcp --dport 53 -j ACCEPT
      $IPTABLES -A INPUT -p udp --dport 53 -j ACCEPT
      $IPTABLES -A INPUT -p tcp --dport 1723 -j ACCEPT
      echo "|:.............ok:|"
      echo "|:Libera icmp mais com limite:.....................ok:|"
      $IPTABLES -A INPUT -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT
      $IPTABLES -A INPUT -p icmp --icmp-type echo-reply -m limit --limit 1/s -j ACCEPT
      echo "|:.............ok:|"
      echo "|:Fechando o resto do INPUT:.......................ok:|"
      $IPTABLES -A INPUT -p icmp -j DROP
      $IPTABLES -A INPUT -j LOG --log-prefix "INPUT Barrado: "
      $IPTABLES -A INPUT -j REJECT
      $IPTABLES -P INPUT DROP
      echo "|:.............ok:|"
      # rp_filter must be off with two uplinks: a reply may legitimately leave by a
      # different interface than strict reverse-path filtering would expect.
      if [ "$SYSCTL" = "" ]
      then
      echo "0" > /proc/sys/net/ipv4/conf/all/rp_filter
      else
      $SYSCTL net.ipv4.conf.all.rp_filter="0"
      fi
      # Accepting source-routed packets lets the sender choose the path; the policy
      # routing in this script does not depend on it.
      if [ "$SYSCTL" = "" ]
      then
      echo "1" > /proc/sys/net/ipv4/conf/all/accept_source_route
      else
      $SYSCTL net.ipv4.conf.all.accept_source_route="1"
      fi
      # secure_redirects=0 accepts ICMP redirects from any gateway, not only the ones
      # in the routing table; with two fixed gateways nothing here needs that.
      if [ "$SYSCTL" = "" ]
      then
      echo "0" > /proc/sys/net/ipv4/conf/all/secure_redirects
      else
      $SYSCTL net.ipv4.conf.all.secure_redirects="0"
      fi
      echo "|:Ativar redirecionamento no arquivo ip_forward:.....:|"
      echo "1" > /proc/sys/net/ipv4/ip_forward
      echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
      echo "|:.............ok:|"
      echo "|:Regras de prerouting e redirecionamento:...........:|"
      echo "|:.............ok:|"
      echo "|:Implementando regras de QoS para o VOIP:...........:|"
      $IPTABLES -t mangle -A POSTROUTING -p udp --sport 5060 -j TOS --set-tos 16
      $IPTABLES -t mangle -A POSTROUTING -p udp --sport 5061 -j TOS --set-tos 16
      $IPTABLES -t mangle -A POSTROUTING -p udp --sport 10000:20000 -j TOS --set-tos 16
      $IPTABLES -t mangle -A PREROUTING -p udp --dport 5060 -j TOS --set-tos 16
      $IPTABLES -t mangle -A PREROUTING -p udp --dport 5061 -j TOS --set-tos 16
      $IPTABLES -t mangle -A PREROUTING -p udp --dport 10000:20000 -j TOS --set-tos 16
      echo "|:.............ok:|"
      echo "|:Implementando regras de HTB para o VOIP:...........:|"
      $IPTABLES -t mangle -A POSTROUTING -p udp --sport 10000:20000 -j MARK --set-mark 0x10
      $IPTABLES -t mangle -A POSTROUTING -p udp --sport 5060 -j MARK --set-mark 0x10
      $IPTABLES -t mangle -A PREROUTING -p udp --dport 10000:20000 -j MARK --set-mark 0x10
      $IPTABLES -t mangle -A PREROUTING -p udp --dport 5060 -j MARK --set-mark 0x10
      echo "|:.............ok:|"
      echo "|:Marcar pacotes para usar os Links:.................:|"
      echo "|:Marcar smtp com entrada no Link 1:.................:|"
      $IPTABLES -t mangle -A PREROUTING -i $WAN1_IF -p tcp --dport 25 -d $WAN1_IP -m conntrack --ctorigdst $WAN1_IP -j MARK --set-mark 1 -m mark --mark 0
      echo "|:.............ok:|"
      echo "|:Marcar smtp com entrada no Link 2:.................:|"
      $IPTABLES -t mangle -A PREROUTING -i $WAN2_IF -p tcp --dport 25 -d $WAN2_IP -m conntrack --ctorigdst $WAN2_IP -j MARK --set-mark 2 -m mark --mark 0
      echo "|:.............ok:|"
      echo "|:Marcar pop3 com entrada no Link 1:.................:|"
      $IPTABLES -t mangle -A PREROUTING -i $WAN1_IF -p tcp --dport 110 -d $WAN1_IP -m conntrack --ctorigdst $WAN1_IP -j MARK --set-mark 3 -m mark --mark 0
      echo "|:.............ok:|"
      echo "|:Marcar pop3 com entrada no Link 2:.................:|"
      $IPTABLES -t mangle -A PREROUTING -i $WAN2_IF -p tcp --dport 110 -d $WAN2_IP -m conntrack --ctorigdst $WAN2_IP -j MARK --set-mark 4 -m mark --mark 0
      echo "|:.............ok:|"
      echo "|:Marcar http com entrada no Link 1:.................:|"
      $IPTABLES -t mangle -A PREROUTING -i $WAN1_IF -p tcp --sport 80 -d $WAN1_IP -m conntrack --ctorigdst $WAN1_IP -j MARK --set-mark 5 -m mark --mark 0
      $IPTABLES -t mangle -A PREROUTING -i $WAN1_IF -p tcp --dport 80 -d $WAN1_IP -m conntrack --ctorigdst $WAN1_IP -j MARK --set-mark 5 -m mark --mark 0
      $IPTABLES -t mangle -A INPUT -i $WAN1_IF -p tcp --dport 80 -d $WAN1_IP -m conntrack --ctorigdst $WAN1_IP -j MARK --set-mark 5 -m mark --mark 0
      $IPTABLES -t mangle -A FORWARD -i $WAN1_IF -p tcp --sport 80 -d $WAN1_IP -m conntrack --ctorigdst $WAN1_IP -j MARK --set-mark 5 -m mark --mark 0
      $IPTABLES -t mangle -A FORWARD -i $WAN1_IF -p tcp --dport 80 -d $WAN1_IP -m conntrack --ctorigdst $WAN1_IP -j MARK --set-mark 5 -m mark --mark 0
      echo "|:.............ok:|"
      echo "|:Marcar http com entrada no Link 2:.................:|"
      $IPTABLES -t mangle -A PREROUTING -i $WAN2_IF -p tcp --sport 80 -d $WAN2_IP -m conntrack --ctorigdst $WAN2_IP -j MARK --set-mark 6 -m mark --mark 0
      $IPTABLES -t mangle -A PREROUTING -i $WAN2_IF -p tcp --dport 80 -d $WAN2_IP -m conntrack --ctorigdst $WAN2_IP -j MARK --set-mark 6 -m mark --mark 0
      $IPTABLES -t mangle -A INPUT -i $WAN2_IF -p tcp --dport 80 -d $WAN2_IP -m conntrack --ctorigdst $WAN2_IP -j MARK --set-mark 6 -m mark --mark 0
      $IPTABLES -t mangle -A FORWARD -i $WAN2_IF -p tcp --sport 80 -d $WAN2_IP -m conntrack --ctorigdst $WAN2_IP -j MARK --set-mark 6 -m mark --mark 0
      $IPTABLES -t mangle -A FORWARD -i $WAN2_IF -p tcp --dport 80 -d $WAN2_IP -m conntrack --ctorigdst $WAN2_IP -j MARK --set-mark 6 -m mark --mark 0
      echo "|:.............ok:|"
      echo "|:Marcar 443 com entrada no Link 1:..................:|"
      $IPTABLES -t mangle -A PREROUTING -i $WAN1_IF -p tcp --sport 443 -d $WAN1_IP -m conntrack --ctorigdst $WAN1_IP -j MARK --set-mark 7 -m mark --mark 0
      $IPTABLES -t mangle -A PREROUTING -i $WAN1_IF -p tcp --dport 443 -d $WAN1_IP -m conntrack --ctorigdst $WAN1_IP -j MARK --set-mark 7 -m mark --mark 0
      $IPTABLES -t mangle -A INPUT -i $WAN1_IF -p tcp --dport 443 -d $WAN1_IP -m conntrack --ctorigdst $WAN1_IP -j MARK --set-mark 7 -m mark --mark 0
      $IPTABLES -t mangle -A FORWARD -i $WAN1_IF -p tcp --sport 443 -d $WAN1_IP -m conntrack --ctorigdst $WAN1_IP -j MARK --set-mark 7 -m mark --mark 0
      $IPTABLES -t mangle -A FORWARD -i $WAN1_IF -p tcp --dport 443 -d $WAN1_IP -m conntrack --ctorigdst $WAN1_IP -j MARK --set-mark 7 -m mark --mark 0
      echo "|:.............ok:|"
      echo "|:Marcar 443 com entrada no Link 2:..................:|"
      $IPTABLES -t mangle -A PREROUTING -i $WAN2_IF -p tcp --sport 443 -d $WAN2_IP -m conntrack --ctorigdst $WAN2_IP -j MARK --set-mark 8 -m mark --mark 0
      $IPTABLES -t mangle -A PREROUTING -i $WAN2_IF -p tcp --dport 443 -d $WAN2_IP -m conntrack --ctorigdst $WAN2_IP -j MARK --set-mark 8 -m mark --mark 0
      $IPTABLES -t mangle -A INPUT -i $WAN2_IF -p tcp --dport 443 -d $WAN2_IP -m conntrack --ctorigdst $WAN2_IP -j MARK --set-mark 8 -m mark --mark 0
      $IPTABLES -t mangle -A FORWARD -i $WAN2_IF -p tcp --sport 443 -d $WAN2_IP -m conntrack --ctorigdst $WAN2_IP -j MARK --set-mark 8 -m mark --mark 0
      $IPTABLES -t mangle -A FORWARD -i $WAN2_IF -p tcp --dport 443 -d $WAN2_IP -m conntrack --ctorigdst $WAN2_IP -j MARK --set-mark 8 -m mark --mark 0
      echo "|:.............ok:|"
      echo "|:Marcar 8009 com entrada no Link 1:.................:|"
      $IPTABLES -t mangle -A PREROUTING -i $WAN1_IF -p tcp --sport 8009 -d $WAN1_IP -m conntrack --ctorigdst $WAN1_IP -j MARK --set-mark 9 -m mark --mark 0
      $IPTABLES -t mangle -A PREROUTING -i $WAN1_IF -p tcp --dport 8009 -d $WAN1_IP -m conntrack --ctorigdst $WAN1_IP -j MARK --set-mark 9 -m mark --mark 0
      $IPTABLES -t mangle -A INPUT -i $WAN1_IF -p tcp --dport 8009 -d $WAN1_IP -m conntrack --ctorigdst $WAN1_IP -j MARK --set-mark 9 -m mark --mark 0
      $IPTABLES -t mangle -A FORWARD -i $WAN1_IF -p tcp --sport 8009 -d $WAN1_IP -m conntrack --ctorigdst $WAN1_IP -j MARK --set-mark 9 -m mark --mark 0
      $IPTABLES -t mangle -A FORWARD -i $WAN1_IF -p tcp --dport 8009 -d $WAN1_IP -m conntrack --ctorigdst $WAN1_IP -j MARK --set-mark 9 -m mark --mark 0
      echo "|:.............ok:|"
      echo "|:Marcar 8009 com entrada no Link 2:.................:|"
      $IPTABLES -t mangle -A PREROUTING -i $WAN2_IF -p tcp --sport 8009 -d $WAN2_IP -m conntrack --ctorigdst $WAN2_IP -j MARK --set-mark 10 -m mark --mark 0
      $IPTABLES -t mangle -A PREROUTING -i $WAN2_IF -p tcp --dport 8009 -d $WAN2_IP -m conntrack --ctorigdst $WAN2_IP -j MARK --set-mark 10 -m mark --mark 0
      $IPTABLES -t mangle -A INPUT -i $WAN2_IF -p tcp --dport 8009 -d $WAN2_IP -m conntrack --ctorigdst $WAN2_IP -j MARK --set-mark 10 -m mark --mark 0
      $IPTABLES -t mangle -A FORWARD -i $WAN2_IF -p tcp --sport 8009 -d $WAN2_IP -m conntrack --ctorigdst $WAN2_IP -j MARK --set-mark 10 -m mark --mark 0
      $IPTABLES -t mangle -A FORWARD -i $WAN2_IF -p tcp --dport 8009 -d $WAN2_IP -m conntrack --ctorigdst $WAN2_IP -j MARK --set-mark 10 -m mark --mark 0
      echo "|:.............ok:|"
      echo "|:Marcar 8081 com entrada no Link 1:.................:|"
      $IPTABLES -t mangle -A PREROUTING -i $WAN1_IF -p tcp --sport 8081 -d $WAN1_IP -m conntrack --ctorigdst $WAN1_IP -j MARK --set-mark 11 -m mark --mark 0
      $IPTABLES -t mangle -A PREROUTING -i $WAN1_IF -p tcp --dport 8081 -d $WAN1_IP -m conntrack --ctorigdst $WAN1_IP -j MARK --set-mark 11 -m mark --mark 0
      $IPTABLES -t mangle -A INPUT -i $WAN1_IF -p tcp --dport 8081 -d $WAN1_IP -m conntrack --ctorigdst $WAN1_IP -j MARK --set-mark 11 -m mark --mark 0
      $IPTABLES -t mangle -A FORWARD -i $WAN1_IF -p tcp --sport 8081 -d $WAN1_IP -m conntrack --ctorigdst $WAN1_IP -j MARK --set-mark 11 -m mark --mark 0
      $IPTABLES -t mangle -A FORWARD -i $WAN1_IF -p tcp --dport 8081 -d $WAN1_IP -m conntrack --ctorigdst $WAN1_IP -j MARK --set-mark 11 -m mark --mark 0
      echo "|:.............ok:|"
      echo "|:Marcar 8081 com entrada no Link 2:.................:|"
      $IPTABLES -t mangle -A PREROUTING -i $WAN2_IF -p tcp --sport 8081 -d $WAN2_IP -m conntrack --ctorigdst $WAN2_IP -j MARK --set-mark 12 -m mark --mark 0
      $IPTABLES -t mangle -A PREROUTING -i $WAN2_IF -p tcp --dport 8081 -d $WAN2_IP -m conntrack --ctorigdst $WAN2_IP -j MARK --set-mark 12 -m mark --mark 0
      $IPTABLES -t mangle -A INPUT -i $WAN2_IF -p tcp --dport 8081 -d $WAN2_IP -m conntrack --ctorigdst $WAN2_IP -j MARK --set-mark 12 -m mark --mark 0
      $IPTABLES -t mangle -A FORWARD -i $WAN2_IF -p tcp --sport 8081 -d $WAN2_IP -m conntrack --ctorigdst $WAN2_IP -j MARK --set-mark 12 -m mark --mark 0
      $IPTABLES -t mangle -A FORWARD -i $WAN2_IF -p tcp --dport 8081 -d $WAN2_IP -m conntrack --ctorigdst $WAN2_IP -j MARK --set-mark 12 -m mark --mark 0
      echo "|:.............ok:|"
      echo "|:Tabela nat de entrada na porta 25 dos links:.......:|"
      $IPTABLES -t nat -A PREROUTING -i eth0 -p tcp --dport 25 -j DNAT --to-dest 10.10.1.8
      $IPTABLES -t nat -A PREROUTING -i eth1 -p tcp --dport 25 -j DNAT --to-dest 10.10.1.8
      echo "|:.............ok:|"
      echo "|:Tabela nat de entrada na porta 80 dos links:.......:|"
      $IPTABLES -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j DNAT --to-dest 10.10.1.9
      $IPTABLES -t nat -A PREROUTING -i eth1 -p tcp --dport 80 -j DNAT --to-dest 10.10.1.9
      echo "|:.............ok:|"
      echo "|:Tabela nat de entrada na porta 443 dos links:......:|"
      $IPTABLES -t nat -A PREROUTING -i eth0 -p tcp --dport 443 -j DNAT --to-dest 10.10.1.8
      $IPTABLES -t nat -A PREROUTING -i eth1 -p tcp --dport 443 -j DNAT --to-dest 10.10.1.8
      echo "|:.............ok:|"
      echo "|:Tabela nat de entrada dos links:...................:|"
      $IPTABLES -t nat -A PREROUTING -i eth0 -p tcp --dport 8009 -j DNAT --to-dest 10.10.1.8
      $IPTABLES -t nat -A PREROUTING -i eth1 -p tcp --dport 8009 -j DNAT --to-dest 10.10.1.8
      echo "|:.............ok:|"
      echo "|:Tabela nat de entrada na porta 8081 dos links:.....:|"
      $IPTABLES -t nat -A PREROUTING -i eth0 -p tcp --dport 8081 -j DNAT --to-dest 10.10.2.5
      $IPTABLES -t nat -A PREROUTING -i eth1 -p tcp --dport 8081 -j DNAT --to-dest 10.10.2.5
      echo "|:.............ok:|"
      echo "|:Regras de forward:...............................ok:|"
      $IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
      $IPTABLES -A FORWARD -p tcp ! --syn -m state --state NEW -j DROP
      $IPTABLES -A FORWARD -m state --state INVALID -j DROP
      echo "|:.............ok:|"
      echo "|:IPs com previlegios especiais:...................ok:|"
      $IPTABLES -A FORWARD -s 10.10.2.4/32 -j ACCEPT
      $IPTABLES -A FORWARD -s 10.10.2.5/32 -j ACCEPT
      echo "|:.............ok:|"
      echo "|:Liberar portas de saída:.........................ok:|"
      $IPTABLES -A FORWARD -p tcp --dport 22 -j ACCEPT
      $IPTABLES -A FORWARD -p tcp --dport 22 --sport 1024:65535 -j ACCEPT
      $IPTABLES -A FORWARD -p tcp --dport 25 -j ACCEPT
      $IPTABLES -A FORWARD -p tcp --dport 25 --sport 1024:65535 -j ACCEPT
      $IPTABLES -A FORWARD -p udp --dport 53 -j ACCEPT
      $IPTABLES -A FORWARD -p udp --dport 53 --sport 1024:65535 -j ACCEPT
      $IPTABLES -A FORWARD -p tcp --dport 80 -j ACCEPT
      $IPTABLES -A FORWARD -p tcp --dport 80 --sport 1024:65535 -j ACCEPT
      $IPTABLES -A FORWARD -p tcp --dport 81 -j ACCEPT
      $IPTABLES -A FORWARD -p tcp --dport 81 --sport 1024:65535 -j ACCEPT
      $IPTABLES -A FORWARD -p tcp --dport 82 -j ACCEPT
      $IPTABLES -A FORWARD -p tcp --dport 82 --sport 1024:65535 -j ACCEPT
      $IPTABLES -A FORWARD -p tcp --dport 443 -j ACCEPT
      $IPTABLES -A FORWARD -p tcp --dport 443 --sport 1024:65535 -j ACCEPT
      $IPTABLES -A FORWARD -p udp --dport 5060 -j ACCEPT
      $IPTABLES -A FORWARD -p udp --dport 5060 --sport 1024:65535 -j ACCEPT
      $IPTABLES -A FORWARD -p tcp --dport 8009 -j ACCEPT
      $IPTABLES -A FORWARD -p tcp --dport 8009 --sport 1024:65535 -j ACCEPT
      $IPTABLES -A FORWARD -p tcp --dport 8080 -j ACCEPT
      $IPTABLES -A FORWARD -p tcp --dport 8080 --sport 1024:65535 -j ACCEPT
      $IPTABLES -A FORWARD -p tcp --dport 8081 -j ACCEPT
      $IPTABLES -A FORWARD -p tcp --dport 8081 --sport 1024:65535 -j ACCEPT
      $IPTABLES -A FORWARD -j LOG --log-prefix "FORWARD Barrado: "
      # While the two lines below stay commented out the FORWARD policy remains
      # ACCEPT, so the packets logged above are still forwarded; uncomment them
      # to turn the port list above into an actual whitelist.
      #$IPTABLES -A FORWARD -j REJECT
      #$IPTABLES -P FORWARD DROP
      echo "|:Regras de output:................................ok:|"
      $IPTABLES -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
      echo "|:.............ok:|"
      echo "|:Implementando regras de QoS para o VOIP:...........:|"
      $IPTABLES -t mangle -A OUTPUT -p udp --dport 5060 -j TOS --set-tos 16
      $IPTABLES -t mangle -A OUTPUT -p udp --dport 5061 -j TOS --set-tos 16
      $IPTABLES -t mangle -A OUTPUT -p udp --dport 10000:20000 -j TOS --set-tos 16
      $IPTABLES -P OUTPUT ACCEPT
      echo "|:Salvar rotas de entrada dos links:.................:|"
      $IPTABLES -t mangle -A PREROUTING -i $WAN1_IF -j CONNMARK --save-mark
      $IPTABLES -t mangle -A PREROUTING -i $WAN2_IF -j CONNMARK --save-mark
      echo "|:.............ok:|"
      echo "|:Lembrando marca de entrada anterios dos links:.....:|"
      $IPTABLES -t mangle -A PREROUTING -i $LAN_IF -p tcp -m state --state ESTABLISHED,RELATED -j CONNMARK --restore-mark
      $IPTABLES -t mangle -A PREROUTING -i $LAN2_IF -p tcp -m state --state ESTABLISHED,RELATED -j CONNMARK --restore-mark
      echo "|:.............ok:|"
      $IPTABLES -t mangle -N MARK_NET
      $IPTABLES -t mangle -A MARK_NET -j MARK --set-mark $WAN1_MARK
      $IPTABLES -t mangle -A MARK_NET -j ACCEPT
      # ------------------------------------------------------------
      $IPTABLES -t mangle -N MARK_GVT
      $IPTABLES -t mangle -A MARK_GVT -j MARK --set-mark $WAN2_MARK
      $IPTABLES -t mangle -A MARK_GVT -j ACCEPT
      # ------------------------------------------------------------
      echo "|:Apaga tabelas de roteamento:.......................:|"
      # 'ip rule add' does not replace existing entries, so delete the rules left
      # by a previous run first; otherwise every restart piles up duplicates.
      while ip rule del table net 2>/dev/null; do :; done
      while ip rule del table gvt 2>/dev/null; do :; done
      ip route flush table net
      ip route flush table gvt
      echo "|:.............ok:|"
      # ------------------------------------------------------------
      echo "|:Regras para direcionar marcas no roteamento:.......:|"
      ip rule add fwmark $WAN1_MARK table net
      ip rule add fwmark $WAN2_MARK table gvt
      echo "|:.............ok:|"

      # Copy the routes from the main table into the other routing tables
      #ip route show | grep -v ^default | while read rota; do
      #ip route add table net $rota
      #ip route add table gvt $rota
      #done

      # ------------------------------------------------------------
      ip rule add from $WAN1_IP table net
      ip rule add from $WAN2_IP table gvt
      # ------------------------------------------------------------
      echo "|:Indica quem é o gateway de cada link:..............:|"
      ip route add default via $WAN1_GW dev $WAN1_IF table net
      ip route add default via $WAN2_GW dev $WAN2_IF table gvt
      echo "|:.............ok:|"

      #echo "|:Tabela default:....................................:|"
      #ip route add default via $WAN1_GW dev $WAN1_IF
      #ip route add default via $WAN2_GW dev $WAN2_IF
      #echo "|:.............ok:|"

      echo "|=====================================================|"
      ip rule add fwmark 1 from 10.10.1.8 table net prio 19
      echo "|:Efetuado á marcação do smtp com entrada pelo link 1:|"
      ip rule add fwmark 2 from 10.10.1.8 table gvt prio 20
      echo "|:Efetuado á marcação do smtp com entrada pelo link 2:|"
      ip rule add fwmark 3 from 10.10.2.5 table net prio 21
      echo "|:Efetuado á marcação do pop3 com entrada pelo link 1:|"
      ip rule add fwmark 4 from 10.10.2.5 table gvt prio 22
      echo "|:Efetuado á marcação do pop3 com entrada pelo link 2:|"
      ip rule add fwmark 5 from 10.10.1.9 table net prio 23
      echo "|:Efetuado á marcação do http com entrada pelo link 1:|"
      ip rule add fwmark 6 from 10.10.1.9 table gvt prio 24
      echo "|:Efetuado á marcação do http com entrada pelo link 2:|"
      echo "|=====================================================|"
      ip rule add fwmark 7 from 10.10.1.8 table net prio 25
      echo "|:Marcação na porta 443 com entrada pelo link 1      :|"
      ip rule add fwmark 8 from 10.10.1.8 table gvt prio 26
      echo "|:Marcação na porta 443 com entrada pelo link 2      :|"
      ip rule add fwmark 9 from 10.10.1.8 table net prio 25
      echo "|:Marcação na porta 8009 com entrada pelo link 1     :|"
      ip rule add fwmark 10 from 10.10.1.8 table gvt prio 26
      echo "|:Marcação na porta 8009 com entrada pelo link 2     :|"
      ip rule add fwmark 11 from 10.10.2.5 table net prio 25
      echo "|:Marcação na porta 8081 com entrada pelo link 1     :|"
      ip rule add fwmark 12 from 10.10.2.5 table gvt prio 26
      echo "|:Marcação na porta 8081 com entrada pelo link 2     :|"
      echo "|:Marcações efetuadas com sucesso                    :|"
      echo "|=====================================================|"
      ip route flush cache
      echo "|:Atualizado o cache de roteamento com sucesso       :|"
      # ------------------------------------------------------------
      echo "|:ATIVA O MASCARAMENTO DE SAÍDA:.....................:|"
      $IPTABLES -t nat -A POSTROUTING -o eth0 -j MASQUERADE
      $IPTABLES -t nat -A POSTROUTING -o eth1 -j MASQUERADE
      echo "|:.............ok:|"
   ;;
   stop)
      echo "|:Desativar o firewall:..............................:|"
      $IPTABLES -F
      $IPTABLES -Z
      $IPTABLES -X
      $IPTABLES -F -t nat
      $IPTABLES -X -t nat
      $IPTABLES -F -t mangle
      $IPTABLES -X -t mangle
      $IPTABLES -P INPUT ACCEPT
      $IPTABLES -P FORWARD ACCEPT
      echo "|:.............ok:|"
   ;;
   stats)
      $IPTABLES -nL
   ;;
   restart)
      $0 stop
      $0 start
   ;;
   nat)
      $IPTABLES -L -v -t nat -n
   ;;
   mangle)
      $IPTABLES -t mangle -L
   ;;
   *)
      echo "Usage: $0 [start|stop|stats|restart|nat|mangle]"
   ;;
esac
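The script above hand-copies the same mangle, DNAT and ip rule lines for every published service, which is exactly how mark numbers and labels drift apart. The following is an added example and not part of Eduardo's script: a small bash generator that derives the three pieces for both links from one call per service, plus a checker that reads the output of `ip rule show` and flags any fwmark routed through the wrong link's table. The interface names, addresses and table names are the script's own; the function names, the `DRY_RUN` variable and the convention that odd marks belong to link 1 (table net) and even marks to link 2 (table gvt) are assumptions taken from the script's numbering. `DRY_RUN` defaults to 1, so running the block prints the commands instead of changing the host.

```shell
#!/bin/bash
# Added example, not part of the original script: build the per-service
# "mark on the ingress link, DNAT to the internal host, route the reply back
# through the same link" rule set from one table instead of hand-copied lines.
# Interface names, addresses and routing-table names are the script's own.
# DRY_RUN=1 (the default) prints the commands instead of running them.

WAN1_IF="eth0"; WAN1_IP="201.100.9.3"; WAN1_TABLE="net"
WAN2_IF="eth1"; WAN2_IP="200.13.6.35"; WAN2_TABLE="gvt"
DRY_RUN="${DRY_RUN:-1}"

run() {
    if [ "$DRY_RUN" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# publish_service PORT INTERNAL_HOST MARK_LINK1 MARK_LINK2 FIRST_PRIO
# For each WAN link emits: the mangle rule that tags a new inbound connection
# to PORT with that link's mark (conntrack --ctorigdst matches the original
# destination, so the rule keeps working once DNAT has rewritten it), the DNAT
# to INTERNAL_HOST, and the ip rule that routes replies carrying that mark
# through that link's table. The CONNMARK save/restore and the per-link
# default routes stay as in the script; they are per link, not per service.
publish_service() {
    port="$1"; host="$2"; mark1="$3"; mark2="$4"; prio="$5"
    for link in 1 2; do
        if [ "$link" = 1 ]; then
            wan_if="$WAN1_IF"; wan_ip="$WAN1_IP"; table="$WAN1_TABLE"; mark="$mark1"
        else
            wan_if="$WAN2_IF"; wan_ip="$WAN2_IP"; table="$WAN2_TABLE"; mark="$mark2"
        fi
        run iptables -t mangle -A PREROUTING -i "$wan_if" -p tcp --dport "$port" \
            -d "$wan_ip" -m conntrack --ctorigdst "$wan_ip" -m mark --mark 0 \
            -j MARK --set-mark "$mark"
        run iptables -t nat -A PREROUTING -i "$wan_if" -p tcp --dport "$port" \
            -j DNAT --to-destination "$host"
        run ip rule add fwmark "$mark" from "$host" table "$table" prio "$prio"
        prio=$((prio + 1))
    done
}

# check_rule_tables "$(ip rule show)"
# Assumes the script's convention: odd marks belong to link 1 (table net),
# even marks to link 2 (table gvt). Prints every fwmark rule that points at
# the other link's table and returns the number of such rules (0 = all good).
# Takes the text as an argument so a saved copy can be checked offline.
check_rule_tables() {
    bad=0
    while IFS= read -r line; do
        case "$line" in *fwmark*) ;; *) continue ;; esac
        mark_hex=$(printf '%s\n' "$line" | sed -n 's/.*fwmark \(0x[0-9a-f]*\).*/\1/p')
        table=$(printf '%s\n' "$line" | sed -n 's/.*lookup \([^ ]*\).*/\1/p')
        mark=$(( $mark_hex ))
        if [ $((mark % 2)) -eq 1 ]; then want="$WAN1_TABLE"; else want="$WAN2_TABLE"; fi
        if [ "$table" != "$want" ]; then
            printf 'mark %s (%s) uses table %s, expected %s: %s\n' \
                "$mark" "$mark_hex" "$table" "$want" "$line"
            bad=$((bad + 1))
        fi
    done <<EOF
$1
EOF
    return "$bad"
}

# Same services and marks as the script: smtp 1/2, http 5/6, https 7/8.
publish_service 25  10.10.1.8 1 2 19
publish_service 80  10.10.1.9 5 6 23
publish_service 443 10.10.1.8 7 8 25

# Constructed sample of `ip rule show` output with one wrong entry (mark 8 on net).
SAMPLE_RULES='19:	from 10.10.1.8 fwmark 0x1 lookup net
20:	from 10.10.1.8 fwmark 0x2 lookup gvt
25:	from 10.10.1.8 fwmark 0x7 lookup net
26:	from 10.10.1.8 fwmark 0x8 lookup net
32766:	from all lookup main'
check_rule_tables "$SAMPLE_RULES" || echo "mismatched fwmark rules: $?"
```

With `DRY_RUN=0` the same calls apply the rules; the checker is meant to run after a restart, when leftover rules from a previous run are the usual cause of a mark landing in the wrong table.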
