Problems with port redirection [SOLVED]

1. Problems with port redirection [SOLVED]

Fernanda Montovani Albuquerk
fernanda_mon

(uses Debian)

Sent on 17/04/2019 - 17:26h

Good afternoon everyone,
I have load balancing enabled and working perfectly:

## Load Balanced
route del via default
ip route add 255.255.255.252 dev enp1s0 src 187.x.x.2 table link1
ip route add default via 187.x.x.1 table link1
ip route add 127.0.0.0/8 dev lo table link1

ip route add 255.255.255.128 dev enp6s0 src 201.x.x.2 table link2
ip route add default via 201.x.x.1 table link2
ip route add 127.0.0.0/8 dev lo table link2

ip rule add from 187.x.x.2 table link1
ip rule add from 201.x.x.2 table link2
ip route add default nexthop via 187.x.x.1 dev enp1s0 weight 50 nexthop via 201.x.x.1 dev enp2s0 weight 50

But when load balancing is enabled, the redirection below does not work:

iptables -t nat -A PREROUTING -s 200.200.200.200 -d 187.x.x.2 -p TCP --dport 7712 -j DNAT --to 192.168.1.10:7712 # known source
iptables -t nat -A PREROUTING -s 0.0.0.0 -d 187.x.x.2 -p TCP --dport 7712 -j DNAT --to 192.168.1.10:7712 # unknown source
iptables -t nat -A PREROUTING -s 0.0.0.0/0.0.0.0 -d 187.x.x.2 -p TCP --dport 2022 -j DNAT --to 192.168.1.10:7712 # unknown source
iptables -t nat -A PREROUTING -s 0/0 -d 187.x.x.2 -p TCP --dport 2022 -j DNAT --to 192.168.1.10:7712 # unknown source

I have been going through documentation, forums and tests and have not found the error. Can anyone help me?

2. Re: Problems with port redirection

Leandro Silva
LSSilva

(uses Other)

Sent on 19/04/2019 - 11:12h

fernanda_mon wrote: (quoting post 1 above in full)

Good morning!

Here is the example I use for the balancing (3 links):

#!/bin/bash

#Vars
#link1
iflink1="ens3"
tablelink1="200"
gwlink1="192.168.10.1"
netlink1="192.168.10.0/24"
pesolink1=3

#link2
iflink2="enp5s5"
tablelink2="201"
gwlink2="192.168.2.1"
netlink2="192.168.2.0/24"
pesolink2=1

#link3
iflink3="enp5s6"
tablelink3="202"
gwlink3="192.168.1.1"
netlink3="192.168.1.0/24"
pesolink3=2


#Internal
ifinternal="ens2"
internalnet="192.168.0.0/24"

#Modules
modprobe iptable_nat
modprobe ip_nat_ftp
modprobe ipt_MARK

#Enable tcp_syncookies, ip_forward and ip_dynaddr (done via sysctl)
#Delete the default route
ip route del default

#Flush the table rules
ip route flush $tablelink1
ip route flush $tablelink2
ip route flush $tablelink3

#Define routes
ip route add default dev $iflink1 via $gwlink1 table $tablelink1
ip route add default dev $iflink2 via $gwlink2 table $tablelink2
ip route add default dev $iflink3 via $gwlink3 table $tablelink3

#Define per-link routing (source-based rules)
cmd_link1=$(ip rule show | grep $netlink1)
if [ "$cmd_link1" = "" ]; then
ip rule add from $netlink1 lookup $tablelink1
fi
cmd_link2=$(ip rule show | grep $netlink2)
if [ "$cmd_link2" = "" ]; then
ip rule add from $netlink2 lookup $tablelink2
fi
cmd_link3=$(ip rule show | grep $netlink3)
if [ "$cmd_link3" = "" ]; then
ip rule add from $netlink3 lookup $tablelink3
fi

#Define the balancing rules
ip route add default scope global nexthop via $gwlink1 dev $iflink1 weight $pesolink1 nexthop via $gwlink2 dev $iflink2 weight $pesolink2 nexthop via $gwlink3 dev $iflink3 weight $pesolink3

#Apply the rules
ip route flush cache


But that is using NATed links.

Instead of using a "/32" address in ip rule add from "x" lookup "tablex", I used a "/24" address, where "x". In your case, you must have received a "/29" range. Correct? Try putting that in.

I did the port forwarding using the incoming interface:


iptables -t nat -A PREROUTING -p tcp --dport 3389 -i "waninet1" -j DNAT --to-dest "endereçoderedelocal"


Where, in this scenario of mine, you will have to do two port forwards, and consider:
"endereçoderedelocal" as your internal host, e.g. 192.168.1.100.
"waninet1" as the WAN interface associated with the respective link.

Well, I'll put here all the scripts I use for control:

Firewall:

#!/bin/bash

#vars
iflocalnet="ens2"
localnet="192.168.0.0/24"
ifwans="ens3 enp5s5 enp5s6"
ifwan1="ens3"
ifwan2="enp5s5"
ifwan3="enp5s6"
rfc1918="10.0.0.0/8 172.16.0.0/12 192.168.0.0/16"

start (){
#Set permissive defaults
#Policy
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
#Clean
iptables -F
iptables -X
iptables -t nat -F
iptables -t nat -X
iptables -t mangle -F
iptables -t mangle -X

##############
#Filter(INPUT)
##############
#Invalid
iptables -A INPUT -m state --state INVALID -j LOG --log-prefix "Firewall: Invalid Input "
iptables -A INPUT -m state --state INVALID -j DROP
#Valid
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

#Services-Accept (TCP / LAN)
for port in $(cat /etc/firewall/rules/allowportsinputtcplan | grep -v "#")
do
iptables -A INPUT -p tcp -i $iflocalnet --dport $port -s $localnet -m state --state NEW --syn -j ACCEPT
done
#Services-Accept (UDP / LAN)
for port in $(cat /etc/firewall/rules/allowportsinputudplan | grep -v "#")
do
iptables -A INPUT -p udp -i $iflocalnet --dport $port -s $localnet -m state --state NEW -j ACCEPT
done

#Block RFC1918 SrcAddress From Wan
#for iface in $ifwans
#do
#for srcblk in $rfc1918
#do
#iptables -A INPUT -i $iface -s $srcblk -j LOG --log-prefix "Firewall: RFC1918 Manipulated IP "
#iptables -A INPUT -i $iface -s $srcblk -j DROP
#done
#done

#Services-Accept (TCP / WAN)
for port in $(cat /etc/firewall/rules/allowportsinputtcpwan | grep -v "#")
do
iptables -A INPUT -p tcp -i $ifwan1 --dport $port -m state --state NEW --syn -j ACCEPT
iptables -A INPUT -p tcp -i $ifwan2 --dport $port -m state --state NEW --syn -j ACCEPT
iptables -A INPUT -p tcp -i $ifwan3 --dport $port -m state --state NEW --syn -j ACCEPT
done
#Services-Accept (UDP / WAN)
for port in $(cat /etc/firewall/rules/allowportsinputudpwan | grep -v "#")
do
iptables -A INPUT -p udp -i $ifwan1 --dport $port -m state --state NEW -j ACCEPT
iptables -A INPUT -p udp -i $ifwan2 --dport $port -m state --state NEW -j ACCEPT
iptables -A INPUT -p udp -i $ifwan3 --dport $port -m state --state NEW -j ACCEPT
done

#Services-Accept (ICMP)
iptables -A INPUT -p icmp --icmp-type echo-request -s $localnet -j ACCEPT

#Loopback
iptables -A INPUT -i lo -j ACCEPT

#Default LOG
iptables -A INPUT ! -i lo -j LOG --log-prefix "Firewall: Drop Input "

###############
#Filter(OUTPUT)
###############
iptables -A OUTPUT -m state --state INVALID -j LOG --log-prefix "Firewall: Invalid Output "
iptables -A OUTPUT -m state --state INVALID -j DROP

################
#Filter(FORWARD)
################
#Invalid
iptables -A FORWARD -m state --state INVALID -j LOG --log-prefix "Firewall: Invalid Forward "
iptables -A FORWARD -m state --state INVALID -j DROP
#Valid
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

#Blocked Sites
for site in $(cat /etc/firewall/rules/blockedsites | grep -v "#")
do
iptables -I FORWARD -p tcp -m multiport --dports 80,443 -s $localnet -i $iflocalnet -m string --algo bm --string $site -j DROP
done

#IP Address Allow FOR ALL
for ip in $(cat /etc/firewall/rules/allowips | grep -v "#")
do
iptables -I FORWARD -i $iflocalnet -s $ip -j ACCEPT
done

#Anti-Spoof Rule
iptables -A FORWARD -i $iflocalnet ! -s $localnet -j LOG --log-prefix "Firewall: Spoofed Packet "
iptables -A FORWARD -i $iflocalnet ! -s $localnet -j DROP

#Services-Accept (TCP)
for port in $(cat /etc/firewall/rules/allowportsforwardtcp | grep -v "#")
do
iptables -A FORWARD -p tcp -i $iflocalnet --dport $port -s $localnet -m state --state NEW --syn -j ACCEPT
done
#Services-Accept (UDP)
for port in $(cat /etc/firewall/rules/allowportsforwardudp | grep -v "#")
do
iptables -A FORWARD -p udp -i $iflocalnet --dport $port -s $localnet -m state --state NEW -j ACCEPT
done

#Redirects (Port Redirects - Services (From Nat-Prerouting) - Accept in Forward)
for iface in $ifwans
do
for dest in $(cat /etc/firewall/rules/allowportspreroutingtcp | grep -v '#')
do
port=$(echo $dest | cut -f 1 -d '*')
host=$(echo $dest | cut -f 2 -d '*')
iptables -A FORWARD -p tcp --dport $port -i $iface -d $host -m state --state NEW --syn -j ACCEPT
done
for dest in $(cat /etc/firewall/rules/allowportspreroutingudp | grep -v '#')
do
port=$(echo $dest | cut -f 1 -d '*')
host=$(echo $dest | cut -f 2 -d '*')
iptables -A FORWARD -p udp --dport $port -i $iface -d $host -m state --state NEW -j ACCEPT
done
done


#Services-Accept (ICMP)
iptables -A FORWARD -p icmp --icmp-type echo-request -s $localnet -i $iflocalnet -j ACCEPT

#Default LOG
iptables -A FORWARD ! -i lo -j LOG --log-prefix "Firewall: Drop Forward "
##################
#Nat - PreRouting
##################
#Proxy
iptables -t nat -A PREROUTING -p tcp --dport 80 -i $iflocalnet -s $localnet -j REDIRECT --to-port 3128
#Redirects (Port Redirects - Services)
for iface in $ifwans
do
for dest in $(cat /etc/firewall/rules/allowportspreroutingtcp | grep -v '#')
do
port=$(echo $dest | cut -f 1 -d '*')
host=$(echo $dest | cut -f 2 -d '*')
iptables -t nat -A PREROUTING -p tcp --dport $port -i $iface -j DNAT --to-dest $host
done
for dest in $(cat /etc/firewall/rules/allowportspreroutingudp | grep -v '#')
do
port=$(echo $dest | cut -f 1 -d '*')
host=$(echo $dest | cut -f 2 -d '*')
iptables -t nat -A PREROUTING -p udp --dport $port -i $iface -j LOG --log-prefix "VPN-1194 ..."
iptables -t nat -A PREROUTING -p udp --dport $port -i $iface -j DNAT --to-dest $host
done
done

##################
#Nat - PostRouting
##################
for iface in $ifwans
do
iptables -t nat -A POSTROUTING -o $iface -j MASQUERADE
done

}
stop (){
#Set permissive defaults
#Policy
iptables -P INPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -P OUTPUT ACCEPT
#Clean
iptables -F
iptables -X
iptables -t nat -F
iptables -t nat -X
iptables -t mangle -F
iptables -t mangle -X
#Masquerading
iptables -t nat -A POSTROUTING -j MASQUERADE

}
case $1 in
start) start;;
stop) stop;;
restart) stop;start;;
*) echo "Use";;
esac


Failover:


#!/bin/bash

#Run from rc.local: nohup > /dev/null /etc/firewall/failover &

#Log file
LOGFILE=/etc/firewall/log

#Wait time between connectivity tests
tempo_espera=30

#Number of ping packets
numero_pacotes=2

#Internet ifaces
iflink1=ens3
iflink2=enp5s5
iflink3=enp5s6

#Gw's
gwlink1=192.168.10.1
gwlink2=192.168.2.1
gwlink3=192.168.1.1

#Tables
tablelink1=200
tablelink2=201
tablelink3=202

#Ping destinations
endereco_ping_link1=8.8.8.8
endereco_ping_link2=8.8.4.4
endereco_ping_link3=1.1.1.1

#Balancing scripts
arquivo=/etc/firewall/loadbalance
arquivol1l2=/etc/firewall/loadbalancel1l2
arquivol1l3=/etc/firewall/loadbalancel1l3
arquivol2l3=/etc/firewall/loadbalancel2l3

#Do not change
#Control variables
i=0
link1=1
link2=1
link3=1

#Activate link balancing
sh $arquivo > /dev/null

while [ $i -le 10 ];
do

#Determining Routes
ip route add 8.8.8.8/32 via $gwlink1
ip route add 8.8.4.4/32 via $gwlink2
ip route add 1.1.1.1/32 via $gwlink3

#Gets date
DATE=`date '+%d-%m-%Y %H:%M:%S'`

#########
#Link1###
#########
#Check whether the link is up before testing with ping.
cmd_link1=$(ip addr show $iflink1 | grep state | awk '{print $9}')
if [ "$cmd_link1" != "DOWN" ]
then
cmd_link1_route=$(ip route show table $tablelink1 | awk '{print $2}')
if [ "$cmd_link1_route" != "via" ]
then
ip route add default dev $iflink1 via $gwlink1 table $tablelink1
fi
if (ping -I $iflink1 -c $numero_pacotes $endereco_ping_link1 > /dev/null)
then
link1="1"
else
link1="0"
fi
else
link1="0"
fi

#########
#Link2###
#########
#Check whether the link is up before testing with ping.
cmd_link2=$(ip addr show $iflink2 | grep state | awk '{print $9}')
if [ "$cmd_link2" != "DOWN" ]
then
cmd_link2_route=$(ip route show table $tablelink2 | awk '{print $2}')
if [ "$cmd_link2_route" != "via" ]
then
ip route add default dev $iflink2 via $gwlink2 table $tablelink2
fi
if (ping -I $iflink2 -c $numero_pacotes $endereco_ping_link2 > /dev/null)
then
link2="1"
else
link2="0"
fi
else
link2="0"
fi

#########
#Link3###
#########
#Check whether the link is up before testing with ping.
cmd_link3=$(ip addr show $iflink3 | grep state | awk '{print $9}')
if [ "$cmd_link3" != "DOWN" ]
then
cmd_link3_route=$(ip route show table $tablelink3 | awk '{print $2}')
if [ "$cmd_link3_route" != "via" ]
then
ip route add default dev $iflink3 via $gwlink3 table $tablelink3
fi
if (ping -I $iflink3 -c $numero_pacotes $endereco_ping_link3 > /dev/null)
then
link3="1"
else
link3="0"
fi
else
link3="0"
fi

#Compare link states
if [ "$link1" = "1" ] && [ "$link2" = "1" ] && [ "$link3" = "1" ];then
sh $arquivo > /dev/null
elif [ "$link1" = "0" ] && [ "$link2" = "1" ] && [ "$link3" = "1" ];then
echo -e "------------------" >> $LOGFILE
echo -e "Evento de Queda..." >> $LOGFILE
echo -e "Link L1 Inativo!" >> $LOGFILE
echo -e $DATE >> $LOGFILE
echo -e "------------------" >> $LOGFILE
sh $arquivol2l3 > /dev/null
elif [ "$link1" = "1" ] && [ "$link2" = "0" ] && [ "$link3" = "1" ];then
echo -e "------------------" >> $LOGFILE
echo -e "Evento de Queda..." >> $LOGFILE
echo -e "Link L2 Inativo!" >> $LOGFILE
echo -e $DATE >> $LOGFILE
echo -e "------------------" >> $LOGFILE
sh $arquivol1l3 > /dev/null
elif [ "$link1" = "1" ] && [ "$link2" = "1" ] && [ "$link3" = "0" ];then
echo -e "------------------" >> $LOGFILE
echo -e "Evento de Queda..." >> $LOGFILE
echo -e "Link L3 Inativo!" >> $LOGFILE
echo -e $DATE >> $LOGFILE
echo -e "------------------" >> $LOGFILE
sh $arquivol1l2 > /dev/null
elif [ "$link1" = "1" ] && [ "$link2" = "0" ] && [ "$link3" = "0" ];then
echo -e "------------------" >> $LOGFILE
echo -e "Evento de Queda..." >> $LOGFILE
echo -e "Link L2/L3 Inativos!" >> $LOGFILE
echo -e $DATE >> $LOGFILE
echo -e "------------------" >> $LOGFILE
ip route del default
ip route add default via $gwlink1
ip route flush cache
elif [ "$link1" = "0" ] && [ "$link2" = "1" ] && [ "$link3" = "0" ];then
echo -e "------------------" >> $LOGFILE
echo -e "Evento de Queda..." >> $LOGFILE
echo -e "Link L1/L3 Inativos" >> $LOGFILE
echo -e $DATE >> $LOGFILE
echo -e "------------------" >> $LOGFILE
ip route del default
ip route add default via $gwlink2
ip route flush cache
elif [ "$link1" = "0" ] && [ "$link2" = "0" ] && [ "$link3" = "1" ];then
echo -e "------------------" >> $LOGFILE
echo -e "Evento de Queda..." >> $LOGFILE
echo -e "Link L1/L2 Inativos!" >> $LOGFILE
echo -e $DATE >> $LOGFILE
echo -e "------------------" >> $LOGFILE
ip route del default
ip route add default via $gwlink3
ip route flush cache
fi


sleep $tempo_espera


done




Oh, and if you are using a firewall with a "DROP" policy on "FORWARD", you will also have to allow the "PREROUTING" flow in the "FORWARD" chain (as in the example in the firewall script).

Post whatever comes up and we'll keep looking at it.

Cheers!
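As an added example (not code from either poster), the two points of the reply in one script: bind each DNAT to its incoming WAN interface, and pair it with the FORWARD ACCEPT that a DROP policy on FORWARD would otherwise need. It reads the same "port*host" rule-file format the firewall script above uses; the interface names and the 192.168.1.10 host are assumed, and DRY_RUN=1 prints the commands instead of executing them.

```bash
#!/bin/bash
# Added example, not from the thread: build the paired nat/PREROUTING DNAT and
# filter/FORWARD ACCEPT rules from a "port*host" rule file, one pair per WAN
# interface, the way the reply's firewall script does. DRY_RUN=1 prints the
# iptables commands instead of running them, so the output can be checked
# without root. Interface names and the 192.168.1.10 host are assumed.

# Run, or with DRY_RUN=1 print, an iptables command.
ipt() {
    if [ "${DRY_RUN:-0}" = "1" ]; then echo "iptables $*"; else iptables "$@"; fi
}

# Validate one "port*host" entry: port 1-65535 and a dotted-quad IPv4 host.
# A malformed entry returns 1 so a typo in the rule file is never applied.
valid_entry() {
    local port="${1%%\**}" host="${1#*\*}" o
    case "$port" in ''|*[!0-9]*) return 1;; esac
    [ "$port" -ge 1 ] && [ "$port" -le 65535 ] || return 1
    local IFS=.
    set -- $host
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        case "$o" in ''|*[!0-9]*) return 1;; esac
        [ "$o" -le 255 ] || return 1
    done
}

# $1 rule file, $2 space-separated WAN interfaces, $3 protocol (tcp|udp).
# Lines starting with # are comments. Every DNAT gets its FORWARD ACCEPT twin:
# with a FORWARD policy of DROP the redirected flow is otherwise dropped.
apply_redirects() {
    local rules_file="$1" wans="$2" proto="${3:-tcp}" entry port host iface syn=""
    [ "$proto" = "tcp" ] && syn="--syn"
    while read -r entry; do
        case "$entry" in ''|\#*) continue;; esac
        if ! valid_entry "$entry"; then
            echo "skipping malformed entry: $entry" >&2
            continue
        fi
        port="${entry%%\**}"; host="${entry#*\*}"
        for iface in $wans; do
            ipt -t nat -A PREROUTING -p "$proto" --dport "$port" -i "$iface" -j DNAT --to-dest "$host"
            ipt -A FORWARD -p "$proto" --dport "$port" -i "$iface" -d "$host" -m state --state NEW $syn -j ACCEPT
        done
    done < "$rules_file"
}
```

Run it as `DRY_RUN=1 apply_redirects /etc/firewall/rules/allowportspreroutingtcp "enp1s0 enp6s0" tcp` to review the generated rules before applying them for real.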