Não consigo compartilhar velox na rede interna (reenviando de forma decente)

paulofnet
(usa Debian)

Enviado em 15/05/2012 - 15:47h

Primeirament me desculpem pelo ultimo post, já removido. Estava realmente confuso...cabeça quante.

Minha configuração é a seguinte - Debian 6

#/etc/resolv.conf
nameserver 200.222.122.133
nameserver 200.222.123.100

=============================================================================

#/etc/network/interfaces
# This file describes the network interfaces available on your system
# and how to activate them. For more information, see interfaces(5).

# The loopback network interfaces file describes the network interfaces available on your system
# and how to activate them. For more information, see interfaces(5).

# The loopback network interface
auto lo
iface lo inet loopback

auto dsl-provider
iface dsl-provider inet ppp
pre-up /sbin/ifconfig eth0 up # line maintained by pppoeconf
provider dsl-provider

auto eth0
iface eth0 inet static
address 192.168.1.1
netmask 255.255.255.0
network 192.168.1.0
gateway 192.168.1.1
broadcast 192.168.1.255


auto eth1
iface eth1 inet dhcp

#servidor está acessando internet
===============================================================================
#/etc/iftab
# fixando device com mac address das placas
# a configuração se torna permanante
#
eth0 mac 00:04:ac:15:72:5d
eth1 mac 00:22:15:c0:fb:f7

===============================================================================

#
# /etc/sysctl.conf - Configuration file for setting system variables
# See /etc/sysctl.d/ for additonal system variables
# See sysctl.conf (5) for information.
#

#kernel.domainname = example.com

# Uncomment the following to stop low-level messages on console
#kernel.printk = 3 4 1 3

##############################################################3
# Functions previously found in netbase
#

# Uncomment the next two lines to enable Spoof protection (reverse-path filter)
# Turn on Source Address Verification in all interfaces to
# prevent some spoofing attacks
#net.ipv4.conf.default.rp_filter=1
#net.ipv4.conf.all.rp_filter=1

# Uncomment the next line to enable TCP/IP SYN cookies
# See http://lwn.net/Articles/277146/
# Note: This may impact IPv6 TCP sessions too
#net.ipv4.tcp_syncookies=1

# Uncomment the next line to enable packet forwarding for IPv4
net.ipv4.ip_forward=1
...
==========================================================================

#
# Sample configuration file for ISC dhcpd for Debian
#
#

# The ddns-updates-style parameter controls whether or not the server will
# attempt to do a DNS update when a lease is confirmed. We default to the
# behavior of the version 2 packages ('none', since DHCP v2 didn't
# have support for DDNS.)
ddns-update-style none;

# option definitions common to all supported networks...

option domain-name "lanpredio2";

#option domain-name-servers ns1.example.org, ns2.example.org;


# If this DHCP server is the official DHCP server for the local
# network, the authoritative directive should be uncommented.

ddns-update-style none;

default-lease-time 600;
max-lease-time 7200;
authoritative;

subnet 192.168.1.0 netmask 255.255.255.0 {
range 192.168.1.2 192.168.0.200;
option subnet-mask 255.255.255.0;
option domain-name-servers 200.222.122.133,200.222.123.100;
option routers 192.168.1.1;
}

============================================================================
#firewall para compartilhar carregado dentro do rc.local

#!/bin/sh -e
#
# rc.local
#
# This script is executed at the end of each multiuser runlevel.
# Make sure that the script will "exit 0" on success or any other
# value on error.
#
# In order to enable or disable this script just change the execution
# bits.
#
# By default this script does nothing.
#
# Modem configurado como bridge. O Roteamento sera feito via Nat
# compartilhamento da internet via nat
#
modprobe iptable_nat # modulo responsavel pelo suporte via NAT.
echo 1 > /proc/sys/net/ipv4/ip_forward # modulo responsavel pelo encaminhamento de pacotes usando iptable_nat.

iptables -t nat POSTROUTING -o eth0 -j MASQUERADE

# apartir daqui o servidor passa ser o gateway.

iptables -A INPUT -i lo -j ACCEPT # necessário para proxy transparente
# ajustando os tamanhos dos pacotes recebidos

iptables -A FORWARD --p tcp --tcp-flags SYN,RST SYN -m tcpmss --mss 1400:1536 -j TCPMSS --clamp-mss-to-pmtu

#iptables -A INPUT -p icmp --icmp-type echo-request -j DROP # deixa de responder a pings

#echo 1 > /proc/sys/net/ipv4/conf/default/rp_filter # protecao contra IP spooling
#iptables -A INPUT -m state --state INVALID -j DROP # proteje contra pacotes invalidos ataques Dos e ataques de

iptables -A INPUT -i lo -j ACCEPT # autoriza pacotes vindo do loopbak
iptables -A INPUT -i eth1 -j ACCEPT # autoriza pacotes vindos da rede interna

iptables -A INPUT -p tcp --dport 22 -j ACCEPT # abre a porta para SSH

#iptables -t nat -A PREROUTING -i $IFINT -p tcp --dport 80 -j REDIRECT --to-port 3128

# ARQUIVO PARA SER COLOCADO DENTRO DO RC.LOCAL

exit 0

==================================================================================

root@lanpredio2:/etc# cat /etc/squid/squid.conf
#squid.conf
http_port 3128
visible_hostname lanpredio2
acl all src 0.0.0.0/0.0.0.0
http_access allow all

danniel-lara
(usa Fedora)

Enviado em 15/05/2012 - 15:51h

assim
iptables -t nat POSTROUTING -o eth0 -j MASQUERADE

não seria a eth1
pois pelo que vi esta por dhcp

a sua eth1 é o velox ? se for só altera

iptables -t nat POSTROUTING -o eth1 -j MASQUERADE

phrich
(usa Slackware)

Enviado em 15/05/2012 - 15:54h

Dê uma olhada neste artigo:

http://www.vivaolinux.com.br/artigo/Squid-+-Iptables-Combinacao-Infalivel