Alguem me ajuda no Redirecionamento... POR FAVOR!!!!

1. Alguem me ajuda no Redirecionamento... POR FAVOR!!!!

robsonclayton
(usa Outra)

Enviado em 10/09/2010 - 14:42h

Pessoal, Boa tarde,
Estou quebrando a cabeça a varias semanas e so hoje que resolvi postar meu firewall aqui para que alguem possa me ajudar..
Eu consegui fazer o balanceamento de carga, com 2 links, so que o povo de fora nao consegue acessar uma determinada maquina por um link, mais eu consigo pingar todas as interfaces de fora para dentro, nao sei o que mais tentar de Snat DNAT, tentei o Nmap so mostra 2 portas abertas no meu firewall, 22 e a 3128 do squid, esta certo?? segue o meu FIREWALL, Por favor me AJUDEM!!!!

#!/bin/bash

#eth0=NETVIRTUA
#eth2=LAN
#eth3=GVT

IPT=/sbin/iptables
GVT=201.86.xxx.xxx.xxx
GVT251=201.xxx.xxx.xxx
GVT252=201.xxx.xxx.xxx
LAN=10.0.0.0/14

# Regras padrao

echo "Politica de Seguranca DROP Para a tabela FILTER"

$IPT -P INPUT ACCEPT
$IPT -P FORWARD ACCEPT
$IPT -P OUTPUT ACCEPT

echo "Limpando toda a Tabela FILTER"
sleep 1

$IPT -F
$IPT -X
$IPT -t nat -F
$IPT -t mangle -F
$IPT -t filter -F

echo "Realizando NAT e Redirecionamento para o SQUID"
$IPT -t nat -A POSTROUTING -o eth0 -j MASQUERADE
$IPT -t nat -A POSTROUTING -o eth3 -j MASQUERADE
$IPT -t nat -A POSTROUTING -s $LAN -o eth0 -j MASQUERADE
$IPT -t nat -A POSTROUTING -s $LAN -o eth3 -j MASQUERADE

$IPT -t nat -A PREROUTING -i eth0 -s 10.0.0.0/14 -p tcp --dport 80 -j REDIRECT --to-port 3128

$IPT -A FORWARD -s $LAN -j ACCEPT

echo "Liberando SSH para acesso interno"
$IPT -A INPUT -p tcp -s $LAN --dport 22 -j ACCEPT
$IPT -A FORWARD -p tcp -s $LAN --dport 22 -j ACCEPT

echo "Ativando trafego loopback"
$IPT -A INPUT -i lo -j ACCEPT
$IPT -A OUTPUT -o lo -j ACCEPT
$IPT -A FORWARD -i eth0 -o eth0 -j ACCEPT
$IPT -A FORWARD -i eth0 -o eth2 -j ACCEPT
$IPT -A FORWARD -i eth0 -o eth3 -j ACCEPT

$IPT -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT

echo "Redirecionamento Rede externa para rede Interna"
sleep 1

# redirecionando acesso ao servidor VOIP
$IPT -t nat -A PREROUTING -d $GVT -j DNAT --to 10.2.2.200
$IPT -t nat -A PREROUTING -p tcp -i eth3 -d $GVT --dport 5060 -j DNAT --to-destination 10.2.2.200:5060
$IPT -t nat -A PREROUTING -p udp -i eth3 -d $GVT --dport 5060 -j DNAT --to-destination 10.2.2.200:5060

$IPT -t mangle -I PREROUTING -s $GVT -d 10.2.2.200 -j MARK --set-mark 0x4
$IPT -t mangle -I PREROUTING -p tcp --dport 5060 -j MARK --set-mark 0x4
$IPT -t mangle -I PREROUTING -p udp --dport 5060 -j MARK --set-mark 0x4
$IPT -A FORWARD -p tcp -d 10.2.2.200 --dport 5060 -j ACCEPT

######### TESTE vOIP
$IPT -t nat -A PREROUTING -i $GVT -p udp --dport 5060:5061 -j DNAT --to 10.2.2.200
$IPT -t nat -A PREROUTING -i $GVT -p tcp --dport 5060:5061 -j DNAT --to 10.2.2.200
$IPT -t nat -A PREROUTING -i $GVT -p udp --dport 53 -j DNAT --to 10.2.2.200
$IPT -t nat -A PREROUTING -i $GVT -p tcp --dport 53 -j DNAT --to 10.2.2.200
$IPT -t nat -A PREROUTING -i $GVT -p udp --dport 69 -j DNAT --to 10.2.2.200
$IPT -t nat -A PREROUTING -i $GVT -p tcp --dport 69 -j DNAT --to 10.2.2.200
$IPT -t nat -A PREROUTING -i $GVT -p udp --dport 10000 -j DNAT --to 10.2.2.200
$IPT -t nat -A PREROUTING -i $GVT -p tcp --dport 10000 -j DNAT --to 10.2.2.200

# redirecionando acesso ao servidor web via rede local e internet"
$IPT -t nat -A PREROUTING -d $GVT -p tcp --dport 80 -j DNAT --to 10.0.0.27
$IPT -t nat -A PREROUTING -d $GVT -p tcp --dport 443 -j DNAT --to 10.0.0.27
$IPT -t nat -A POSTROUTING -s 10.0.0.27 -p tcp --sport 80 -j SNAT --to-source 201.xxx.xxx.xxx
$IPT -t nat -A POSTROUTING -s 10.0.0.27 -p tcp --sport 443 -j SNAT --to-source 201.xxx.xxx.xxx
$IPT -A FORWARD -p tcp -d 10.0.0.27 --dport 80 -j ACCEPT
$IPT -A FORWARD -p tcp -d 10.0.0.27 --dport 443 -j ACCEPT

# VIA
$IPT -t nat -A PREROUTING -d $GVT251 -p tcp --dport 443 -j DNAT --to 10.0.0.249
$IPT -t nat -A POSTROUTING -s 10.0.0.249 -p tcp --sport 443 -j SNAT --to-source 201.xxx.xxx.xxx
$IPT -A FORWARD -p tcp -d 10.0.0.249 --dport 443 -j ACCEPT

# SAP ROUTER"
$IPT -t nat -A PREROUTING -d $GVT -p tcp --dport 3200 -j DNAT --to-destination 10.0.0.60
$IPT -t nat -A POSTROUTING -s 10.0.0.60 -p tcp --sport 3200 -j SNAT --to-source 201.xxx.xxx.xxx
$IPT -A FORWARD -p tcp -d 10.0.0.60 --dport 3200 -j ACCEPT

# acesso o SSH
$IPT -t nat -A PREROUTING -d $GVT -p tcp --dport 22 -j DNAT --to 10.0.0.3
$IPT -t nat -A POSTROUTING -s 10.0.0.3 -p tcp --sport 22 -j SNAT --to-source 201.xxx.xxx.xxx
$IPT -A FORWARD -p tcp -d 10.0.0.3 --dport 22 -j ACCEPT

# acesso TELNET"
$IPT -t nat -A PREROUTING -d $GVT -p tcp --dport 23 -j DNAT --to 10.0.0.60
$IPT -t nat -A POSTROUTING -s 10.0.0.60 -p tcp --sport 23 -j SNAT --to-source 201.xxx.xxx.xxx
$IPT -A FORWARD -p tcp -d 10.0.0.60 --dport 23 -j ACCEPT

# SAP
$IPT -t nat -A PREROUTING -d $GVT251 -p tcp --dport 50000 -j DNAT --to 10.0.0.51
$IPT -t nat -A POSTROUTING -s 10.0.0.51 -p tcp --sport 50000 -j SNAT --to-source 201.xxx.xxx.xxx
$IPT -A FORWARD -p tcp -d 10.0.0.51 --dport 50000 -j ACCEPT

############# Outros redirecionamentos
$IPT -t nat -A PREROUTING -d $GVT251 -p tcp --dport 80 -j DNAT --to 10.0.0.17
$IPT -t nat -A POSTROUTING -s 10.0.0.17 -p tcp --sport 80 -j SNAT --to-source 201.xxx.xxx.xxx
$IPT -A FORWARD -p tcp -d 10.0.0.17 --dport 80 -j ACCEPT

echo "Definindo Prioridade a pacotes VoiP "
### teste ##
$IPT -t mangle -A PREROUTING -d 10.2.0.200 -p tcp --dport 5060 -j TOS --set-tos 0x10
$IPT -t mangle -A PREROUTING -d 10.2.0.200 -p udp --dport 5060 -j TOS --set-tos 0x10

echo "Adcionando Rotas para o LINKS, GVT e NET"

ip rule add fwmark 3 table net
ip rule add fwmark 4 table gvt

ip route add 201.xxx.xxx.xxx/31 dev eth3 src 10.0.0.230 table gvt
ip route add default via 201.xxx.xxx.xxx table gvt

ip route add 192.168.1.0/24 dev eth0 src 192.168.1.2 table net
ip route add default via 192.168.1.1 table net

ip rule add from 201.xxx.xxx.xxx table gvt
ip rule add from 192.168.1.1 table net

echo "definir peso para rede"
ip route add default scope global nexthop via 201.xxx.xxx.xxx dev eth3 weight 4 nexthop via 192.168.1.1 dev eth0 weight 5

echo "Fazendo marcacao de pacotes para o LOAD BALANCE"

## WEB
$IPT -t mangle -I PREROUTING -p tcp --dport 80 -j MARK --set-mark 0x3
$IPT -t mangle -I PREROUTING -p udp --dport 80 -j MARK --set-mark 0x3
$IPT -t mangle -I PREROUTING -p tcp --dport 443 -j MARK --set-mark 0x3
$IPT -t mangle -I PREROUTING -p udp --dport 443 -j MARK --set-mark 0x3

##IMAP
$IPT -t mangle -I PREROUTING -p udp --dport 143 -j MARK --set-mark 0x3
$IPT -t mangle -I PREROUTING -p tcp --dport 143 -j MARK --set-mark 0x3
$IPT -t mangle -I PREROUTING -p udp --dport 993 -j MARK --set-mark 0x3
$IPT -t mangle -I PREROUTING -p tcp --dport 993 -j MARK --set-mark 0x3

## POP
$IPT -t mangle -I PREROUTING -p tcp --dport 110 -j MARK --set-mark 0x3
$IPT -t mangle -I PREROUTING -p udp --dport 110 -j MARK --set-mark 0x3

## SMTP
$IPT -t mangle -I PREROUTING -p tcp --dport 25 -j MARK --set-mark 0x3
$IPT -t mangle -I PREROUTING -p udp --dport 25 -j MARK --set-mark 0x3

## VOIP
$IPT -t mangle -I PREROUTING -s 201.xxx.xxx.xxx -d 10.2.0.200 -j MARK --set-mark 0x4
$IPT -t mangle -I PREROUTING -p tcp --dport 5060 -j MARK --set-mark 0x4
$IPT -t mangle -I PREROUTING -p udp --dport 5060 -j MARK --set-mark 0x4

$IPT -t mangle -A POSTROUTING -p udp -s 0/0 -d 0/0 --dport 5060 -j MARK --set-mark 0x4
$IPT -t mangle -A FORWARD -p udp -s 0/0 -d 0/0 --dport 5060 -j MARK --set-mark 0x4

$IPT -t mangle -A PREROUTING -p udp -s 0/0 -d 0/0 --dport 5060 -j MARK --set-mark 0x4
$IPT -t mangle -A PREROUTING -p tcp -s 0/0 -d 0/0 --dport 5060 -j MARK --set-mark 0x4

$IPT -t mangle -A POSTROUTING -p tcp -s 0/0 -d 0/0 --dport 5060 -j MARK --set-mark 0x4
$IPT -t mangle -A FORWARD -p tcp -s 0/0 -d 0/0 --dport 5060 -j MARK --set-mark 0x4

ip route flush cached

echo "Ativando IP Forward (Redirecionamento)"
echo 1 > /proc/sys/net/ipv4/ip_forward

echo "Salvando Iptables.up.rules"
iptables-save > /etc/iptables.up.rules

echo "FIM"

0 0

Quote