Problemas com redirecionamento [RESOLVIDO]

1. Problemas com redirecionamento [RESOLVIDO]

removido
(usa Nenhuma)

Enviado em 17/04/2019 - 17:26h

Boa tarde Pessoal,
tenho o load balance ativado e funcionando perfeitamente:

## Load Balanced
route del via default
ip route add 255.255.255.252 dev enp1s0 src 187.x.x.2 table link1
ip route add default via 187.x.x.1 table link1
ip route add 127.0.0.0/8 dev lo table link1

ip route add 255.255.255.128 dev enp6s0 src 201.x.x.2 table link2
ip route add default via 201.x.x.1 table link2
ip route add 127.0.0.0/8 dev lo table link2

ip rule add from 187.x.x.2 table link1
ip rule add from 201.x.x.2 table link2
ip route add default nexthop via 187.x.x.1 dev enp1s0 weight 50 nexthop via 201.x.x.1 dev enp2s0 weight 50

Mas quando o loadBalance esta ativado, redirecionamento abaixo não funciona:

iptables -t nat -A PREROUTING -s 200.200.200.200 -d 187.x.x.2 -p TCP --dport 7712 -j DNAT --to 192.168.1.10:7712 # Origem conhecido
iptables -t nat -A PREROUTING -s 0.0.0.0 -d 187.x.x.2 -p TCP --dport 7712 -j DNAT --to 192.168.1.10:7712 # Origem desconhecido
iptables -t nat -A PREROUTING -s 0.0.0.0/0.0.0.0 -d 187.x.x.2 -p TCP --dport 2022 -j DNAT --to 192.168.1.10:7712 # Origem desconhecido
iptables -t nat -A PREROUTING -s 0/0 -d 187.x.x.2 -p TCP --dport 2022 -j DNAT --to 192.168.1.10:7712 # Origem desconhecido

Estou analisando documentação, forum, testes e nao encontrei o erro, alguem pode me ajudar?

0 0

Quote

2. Re: Problemas com redirecionamento

LSSilva
(usa Outra)

Enviado em 19/04/2019 - 11:12h

fernanda_mon escreveu:

Boa tarde Pessoal,
tenho o load balance ativado e funcionando perfeitamente:

## Load Balanced
route del via default
ip route add 255.255.255.252 dev enp1s0 src 187.x.x.2 table link1
ip route add default via 187.x.x.1 table link1
ip route add 127.0.0.0/8 dev lo table link1

ip route add 255.255.255.128 dev enp6s0 src 201.x.x.2 table link2
ip route add default via 201.x.x.1 table link2
ip route add 127.0.0.0/8 dev lo table link2

ip rule add from 187.x.x.2 table link1
ip rule add from 201.x.x.2 table link2
ip route add default nexthop via 187.x.x.1 dev enp1s0 weight 50 nexthop via 201.x.x.1 dev enp2s0 weight 50

Mas quando o loadBalance esta ativado, redirecionameo abaixo não funciona:

iptables -t nat -A PREROUTING -s 200.200.200.200 -d 187.x.x.2 -p TCP --dport 7712 -j DNAT --to 192.168.1.10:7712 # Origem conhecido
iptables -t nat -A PREROUTING -s 0.0.0.0 -d 187.x.x.2 -p TCP --dport 7712 -j DNAT --to 192.168.1.10:7712 # Origem desconhecido
iptables -t nat -A PREROUTING -s 0.0.0.0/0.0.0.0 -d 187.x.x.2 -p TCP --dport 2022 -j DNAT --to 192.168.1.10:7712 # Origem desconhecido
iptables -t nat -A PREROUTING -s 0/0 -d 187.x.x.2 -p TCP --dport 2022 -j DNAT --to 192.168.1.10:7712 # Origem desconhecido

Estou analisando documentação, forum, testes e nao encontrei o erro, alguem pode me ajudar?

Bom dia!

Eis o exemplo que uso para o balance (3 links):



#!/bin/bash



#Vars

#link1

iflink1="ens3"

tablelink1="200"

gwlink1="192.168.10.1"

netlink1="192.168.10.0/24"

pesolink1=3



#link2

iflink2="enp5s5"

tablelink2="201"

gwlink2="192.168.2.1"

netlink2="192.168.2.0/24"

pesolink2=1



#link3

iflink3="enp5s6"

tablelink3="202"

gwlink3="192.168.1.1"

netlink3="192.168.1.0/24"

pesolink3=2





#Internal

ifinternal="ens2"

internalnet="192.168.0.0/24"



#Modulos

modprobe iptable_nat

modprobe ip_nat_ftp

modprobe ipt_MARK



#Ativar tcp_syncookies, ip_forward e ip_dynaddr (feitos sysctl)

#Deleta rota padr&#258;£o

ip route del default



#limpa regras tabelas

ip route flush $tablelink1

ip route flush $tablelink2

ip route flush $tablelink3



#Define rotas

ip route add default dev $iflink1 via $gwlink1 table $tablelink1

ip route add default dev $iflink2 via $gwlink2 table $tablelink2

ip route add default dev $iflink3 via $gwlink3 table $tablelink3



#Define roteamento links

cmd_link1=$(ip rule show | grep $netlink1)

if [ "$cmd_link1" = "" ]; then

ip rule add from $netlink1 lookup $tablelink1

fi

cmd_link2=$(ip rule show | grep $netlink2)

if [ "$cmd_link2" = "" ]; then

ip rule add from $netlink2 lookup $tablelink2

fi

cmd_link3=$(ip rule show | grep $netlink3)

if [ "$cmd_link3" = "" ]; then

ip rule add from $netlink3 lookup $tablelink3

fi



#Define as regras para balanceamento

ip route add default scope global nexthop via $gwlink1 dev $iflink1 weight $pesolink1 nexthop via $gwlink2 dev $iflink2 weight $pesolink2 nexthop via $gwlink3 dev $iflink3 weight $pesolink3



#Aplica as regras

ip route flush cache

Mais isso usando links "nateados".

Ao invés de usar o address "/32" no ip rule add from "x" lookup "tablex", eu usei address "/24", onde "x". No seu caso, deve ter recebido um range "/29". Correto? Tente colocar ele.

O direcionamento de portas, efetuei utilizando interface de origem:



iptables -t nat -A PREROUTING -p tcp --dport 3389 -i "waninet1" -j DNAT --to-dest "endereçoderedelocal"

Onde, neste cenário meu, você terá que fazer dois direcionamentos de porta e considere:
"endereçoderedelocal" como seu host interno, ex: 192.168.1.100.
"waninet1" como interface wan, relacionada com respectivo link.

Bom, irei colocar aqui todos os scritps que uso pro controle:

Firewall:



#!/bin/bash



#vars

iflocalnet="ens2"

localnet="192.168.0.0/24"

ifwans="ens3 enp5s5 enp5s6"

ifwan1="ens3"

ifwan2="enp5s5"

ifwan3="enp5s6"

rfc1918="10.0.0.0/8 172.16.0.0/12 192.168.0.0/16"



start (){

#Set permissive defaults

#Policy

iptables -P INPUT DROP

iptables -P FORWARD DROP

iptables -P OUTPUT ACCEPT

#Clean

iptables -F

iptables -X

iptables -t nat -F

iptables -t nat -X

iptables -t mangle -F

iptables -t mangle -X



##############

#Filter(INPUT)

##############

#Invalid

iptables -A INPUT -m state --state INVALID -j LOG --log-prefix "Firewall: Invalid Input  "

iptables -A INPUT -m state --state INVALID -j DROP

#Valid

iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT



#Services-Accept (TCP / LAN)

for port in $(cat /etc/firewall/rules/allowportsinputtcplan | grep -v "#")

do

iptables -A INPUT -p tcp -i $iflocalnet --dport $port -s $localnet -m state --state NEW --syn -j ACCEPT

done

#Services-Accept (UDP / LAN)

for port in $(cat /etc/firewall/rules/allowportsinputudplan | grep -v "#")

do

iptables -A INPUT -p udp -i $iflocalnet --dport $port -s $localnet -m state --state NEW -j ACCEPT

done



#Block RFC1918 SrcAddres From Wan

#for iface in $ifwans

#do

#for srcblk in $rfc1918

#do

#iptables -A INPUT -i $iface -s $srcblk -j LOG --log-prefix "Firewall: RFC1918 Manipulated IP  "

#iptables -A INPUT -i $iface -s $srcblk -j DROP

#done

#done



#Services-Accept (TCP / WAN)

for port in $(cat /etc/firewall/rules/allowportsinputtcpwan | grep -v "#")

do

iptables -A INPUT -p tcp -i $ifwan1 --dport $port -m state --state NEW --syn -j ACCEPT

iptables -A INPUT -p tcp -i $ifwan2 --dport $port -m state --state NEW --syn -j ACCEPT

iptables -A INPUT -p tcp -i $ifwan3 --dport $port -m state --state NEW --syn -j ACCEPT

done

#Services-Accept (UDP / WAN)

for port in $(cat /etc/firewall/rules/allowportsinputudpwan | grep -v "#")

do

iptables -A INPUT -p udp -i $ifwan1 --dport $port -m state --state NEW -j ACCEPT

iptables -A INPUT -p udp -i $ifwan2 --dport $port -m state --state NEW -j ACCEPT

iptables -A INPUT -p udp -i $ifwan3 --dport $port -m state --state NEW -j ACCEPT

done



#Services-Accept (ICMP)

iptables -A INPUT -p icmp --icmp-type echo-request -s $localnet -j ACCEPT



#Loopback

iptables -A INPUT -i lo -j ACCEPT



#Default LOG

iptables -A INPUT ! -i lo -j LOG --log-prefix "Firewall: Drop Input  "



###############

#Filter(OUTPUT)

###############

iptables -A OUTPUT -m state --state INVALID -j LOG --log-prefix "Firewall: Invalid Output  "

iptables -A OUTPUT -m state --state INVALID -j DROP



################

#Filter(FORWARD)

################

#Invalid

iptables -A FORWARD -m state --state INVALID -j LOG --log-prefix "Firewall: Invalid Forward  "

iptables -A FORWARD -m state --state INVALID -j DROP

#Valid

iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT



#Blocked Sites

for site in $(cat /etc/firewall/rules/blockedsites | grep -v "#")

do

iptables -I FORWARD -p tcp -m multiport --dports 80,443 -s $localnet -i $iflocalnet -m string --algo bm --string $site -j DROP

done



#Ip Adress Allow FOR ALL

for ip in $(cat /etc/firewall/rules/allowips | grep -v "#")

do

iptables -I FORWARD -i $iflocalnet -s $ip -j ACCEPT

done



#Anti-Spoof Rule

iptables -A FORWARD -i $iflocalnet ! -s $localnet -j LOG --log-prefix "Firewall: Spoofed Packet  "

iptables -A FORWARD -i $iflocalnet ! -s $localnet -j DROP



#Services-Accept (TCP)

for port in $(cat /etc/firewall/rules/allowportsforwardtcp | grep -v "#")

do

iptables -A FORWARD -p tcp -i $iflocalnet --dport $port -s $localnet -m state --state NEW --syn -j ACCEPT

done

#Services-Accept (UDP)

for port in $(cat /etc/firewall/rules/allowportsforwardudp | grep  -v "#")

do

iptables -A FORWARD -p udp -i $iflocalnet --dport $port -s $localnet -m state --state NEW -j ACCEPT

done



#Redirects (Port Redirects - Services (From Nat-Prerouting) - Accept in Forward)

for iface in $ifwans

do

for dest in $(cat /etc/firewall/rules/allowportspreroutingtcp | grep -v '#')

do

port=$(echo $dest | cut -f 1 -d '*')

host=$(echo $dest | cut -f 2 -d '*')

iptables -A FORWARD -p tcp --dport $port -i $iface -d $host -m state --state NEW --syn -j ACCEPT

done

for dest in $(cat /etc/firewall/rules/allowportspreroutingudp | grep -v '#')

do

port=$(echo $dest | cut -f 1 -d '*')

host=$(echo $dest | cut -f 2 -d '*')

iptables -A FORWARD -p udp --dport $port -i $iface -d $host -m state --state NEW -j ACCEPT

done

done





#Services-Accept (ICMP)

iptables -A FORWARD -p icmp --icmp-type echo-request -s $localnet -i $iflocalnet -j ACCEPT



#Default LOG

iptables -A FORWARD ! -i lo -j LOG --log-prefix "Firewall: Drop Forward  "

##################

#Nat - PreRouting

##################

#Proxy

iptables -t nat -A PREROUTING -p tcp --dport 80 -i $iflocalnet -s $localnet -j REDIRECT --to-port 3128

#Redirects (Port Redirects - Services)

for iface in $ifwans

do

for dest in $(cat /etc/firewall/rules/allowportspreroutingtcp | grep -v '#')

do

port=$(echo $dest | cut -f 1 -d '*')

host=$(echo $dest | cut -f 2 -d '*')

iptables -t nat -A PREROUTING -p tcp --dport $port -i $iface -j DNAT --to-dest $host

done

for dest in $(cat /etc/firewall/rules/allowportspreroutingudp | grep -v '#')

do

port=$(echo $dest | cut -f 1 -d '*')

host=$(echo $dest | cut -f 2 -d '*')

iptables -t nat -A PREROUTING -p udp --dport $port -i $iface -j LOG --log-prefix "VPN-1194  ..."

iptables -t nat -A PREROUTING -p udp --dport $port -i $iface -j DNAT --to-dest $host

done

done



##################

#Nat - PostRouting

##################

for iface in $ifwans

do

iptables -t nat -A POSTROUTING -o $iface -j MASQUERADE

done



}

stop (){

#Set permissive defaults

#Policy

iptables -P INPUT ACCEPT

iptables -P FORWARD ACCEPT

iptables -P OUTPUT ACCEPT

#Clean

iptables -F

iptables -X

iptables -t nat -F

iptables -t nat -X

iptables -t mangle -F

iptables -t mangle -X

#Masquerading

iptables -t nat -A POSTROUTING -j MASQUERADE



}

case $1 in

start) start;;

stop) stop;;

restart) stop;start;;

*) echo "Use";;

esac

Failover:



#!/bin/bash



#Executar no rc.local nohup > /dev/null /etc/firewall/failover &



#Arquivo de Log

LOGFILE=/etc/firewall/log



#Tempo de espera para teste de conexão

tempo_espera=30



#Número de pacote do ping

numero_pacotes=2



#Internet ifaces

iflink1=ens3

iflink2=enp5s5

iflink3=enp5s6



#Gw's

gwlink1=192.168.10.1

gwlink2=192.168.2.1

gwlink3=192.168.1.1



#Tables

tablelink1=200

tablelink2=201

tablelink3=202



#Ping destiny

endereco_ping_link1=8.8.8.8

endereco_ping_link2=8.8.4.4

endereco_ping_link3=1.1.1.1



#Arquivos balance

arquivo=/etc/firewall/loadbalance

arquivol1l2=/etc/firewall/loadbalancel1l2

arquivol1l3=/etc/firewall/loadbalancel1l3

arquivol2l3=/etc/firewall/loadbalancel2l3



#Não alterar

#Variáveis destinadas ao controle

i=0

link1=1

link2=1

link3=1



#Ativação banlanceamento de links

sh $arquivo > /dev/null



while [ $i -le 10 ];

do



#Determining Routes

ip route add 8.8.8.8/32 via $gwlink1

ip route add 8.8.4.4/32 via $gwlink2

ip route add 1.1.1.1/32 via $gwlink3



#Gets date

DATE=`date '+%d-%m-%Y %H:%M:%S'`



#########

#Link1###

#########

#Detecta se esta em link up antes de testar ping.

cmd_link1=$(ip addr show $iflink1 | grep state | awk '{print $9}')

if [ "$cmd_link1" != "DOWN" ]

then

cmd_link1_route=$(ip route show table $tablelink1 | awk '{print $2}')

if [ "$cmd_link1_route" != "via" ]

then

ip route add default dev $iflink1 via $gwlink1 table $tablelink1

fi

if (ping -I $iflink1 -c $numero_pacotes $endereco_ping_link1 > /dev/null)

then

link1="1"

else

link1="0"

fi

else

link1="0"

fi



#########

#Link2###

#########

#Detecta se esta em link up antes de testar ping.

cmd_link2=$(ip addr show $iflink2 | grep state | awk '{print $9}')

if [ "$cmd_link2" != "DOWN" ] 

then

cmd_link2_route=$(ip route show table $tablelink2 | awk '{print $2}')

if [ "$cmd_link2_route" != "via" ]

then

ip route add default dev $iflink2 via $gwlink2 table $tablelink2

fi

if (ping -I $iflink2 -c $numero_pacotes $endereco_ping_link2 > /dev/null)

then

link2="1"

else

link2="0"

fi

else

link2="0"

fi



#########

#Link3###

#########

#Detecta se esta em link up antes de testar ping.

cmd_link3=$(ip addr show $iflink3 | grep state | awk '{print $9}')

if [ "$cmd_link3" != "DOWN" ] 

then

cmd_link3_route=$(ip route show table $tablelink3 | awk '{print $2}')

if [ "$cmd_link3_route" != "via" ]

then

ip route add default dev $iflink3 via $gwlink3 table $tablelink3

fi

if (ping -I $iflink3 -c $numero_pacotes $endereco_ping_link3 > /dev/null)

then

link3="1"

else

link3="0"

fi

else

link3="0"

fi



#Testing comparations

if [ "$link1" = "1" ] && [ "$link2" = "1" ] && [ "$link3" = "1" ];then

sh $arquivo > /dev/null

elif [ "$link1" = "0" ] && [ "$link2" = "1" ] && [ "$link3" = "1" ];then

echo -e "------------------" >> $LOGFILE

echo -e "Evento de Queda..." >> $LOGFILE

echo -e "Link L1 Inativo!" >> $LOGFILE

echo -e $DATE >> $LOGFILE

echo -e "------------------" >> $LOGFILE

sh $arquivol2l3 > /dev/null

elif [ "$link1" = "1" ] && [ "$link2" = "0" ] && [ "$link3" = "1" ];then

echo -e "------------------" >> $LOGFILE

echo -e "Evento de Queda..." >> $LOGFILE

echo -e "Link L2 Invativo!" >> $LOGFILE

echo -e $DATE >> $LOGFILE

echo -e "------------------" >> $LOGFILE

sh $arquivol1l3 > /dev/null

elif [ "$link1" = "1" ] && [ "$link2" = "1" ] && [ "$link3" = "0" ];then

echo -e "------------------" >> $LOGFILE

echo -e "Evento de Queda..." >> $LOGFILE

echo -e "Link L3 Invativo!" >> $LOGFILE

echo -e $DATE >> $LOGFILE

echo -e "------------------" >> $LOGFILE

sh $arquivol1l2 > /dev/null

elif [ "$link1" = "1" ] && [ "$link2" = "0" ] && [ "$link3" = "0" ];then

echo -e "------------------" >> $LOGFILE

echo -e "Evento de Queda..." >> $LOGFILE

echo -e "Link L2/L3 Inativos!" >> $LOGFILE

echo -e $DATE >> $LOGFILE

echo -e "------------------" >> $LOGFILE

ip route del default

ip route add default via $gwlink1

ip route flush cache

elif [ "$link1" = "0" ] && [ "$link2" = "1" ] && [ "$link3" = "0" ];then

echo -e "------------------" >> $LOGFILE

echo -e "Evento de Queda..." >> $LOGFILE

echo -e "Link L1/L3 Inativos" >> $LOGFILE

echo -e $DATE >> $LOGFILE

echo -e "------------------" >> $LOGFILE

ip route del default

ip route add default via $gwlink2

ip route flush cache

elif [ "$link1" = "0" ] && [ "$link2" = "0" ] && [ "$link3" = "1" ];then

echo -e "------------------" >> $LOGFILE

echo -e "Evento de Queda..." >> $LOGFILE

echo -e "Link L1/L2 Inativos!" >> $LOGFILE

echo -e $DATE >> $LOGFILE

echo -e "------------------" >> $LOGFILE

ip route del default

ip route add default via $gwlink3

ip route flush cache

fi





sleep $tempo_espera





done

Ah, se tiver utilizando firewall com política "DROP" para "FORWARD", vai ter que liberar o fluxo de "PREROUTING" na chain "FORWARD" também (como exemplo citado no script de firewall).

Qualquer coisa vai postando pra ir vendo.

Abraço!

0 0

Quote