iptables nat nao funciona com 2 links

1. iptables nat nao funciona com 2 links

mlcaffaro
(usa CentOS)

Enviado em 21/03/2018 - 10:06h

Olá pessoal , tudo bem?

Tenho um servidor com 2 links e estao funcionando certinho, com balanceamento dos links e tudo certo. Porem gostaria de fazer um nat e o mesmo nao funciona, so funciona se eu apagar um rota default, sendo que tenho 2 pois uso 2 links. Alguem sabe como faço para fazer o nat na linha de firewall escrito cameras funcionar nesse tipo de firewall com 2 gateways? Segue abaixo o rc.firewall.

Se puderem me dizer o que esta errado agradeço.

Obrigado

#!/bin/sh
# Variaveis
# -------------------------------------------------------
iptables=/sbin/iptables
IP_MATRIZ='222.222.222.66'
IP_MATRIZ2='222.222.222.67'
IP_MATRIZ_GVT='333.333.333.82'
EMPRESAX_NET='232.232.232.232'
EMPRESAX_BRT='332.332.332.332'
IP_MATRIZNET='312.312.312.312'

# Internet - Embratel
IF_EMBRATEL=eth0
IP_EMBRATEL='192.168.15.50'
GW_EMBRATEL='192.168.15.1'

# Internet - NET
IF_NET=eth1
IP_NET='192.168.0.2'
GW_NET='192.168.0.1'

# LAN
IF_LAN=eth2
IP_LAN='192.168.150.1'
LAN='192.168.150.0/24'
IP_RELOGIO='192.168.150.220'
IP_CAMERAS='192.168.150.254'

IP_WTS='192.168.150.2'
IP_IMP='192.168.150.250'

# VPN
IF_VPN='tap0'

# loopback
IF_LO=lo
IP_LO='127.0.0.1'

# Protocolos Layer7 bloqueados (separar por espaco) - listagem em /etc/l7-protocols/protocols
#PROTOCOLOS_L7FILTER='bittorrent edonkey fasttrack gnutella openft yahoo'
#IPS_MSN='192.168.150.86 192.168.150.87 192.168.150.140'
IPS_PROXY=`cat /etc/squid/controle/ips_proxy | awk '{print $1}' | grep -v "#"`
IPS_FACE=`cat /etc/squid/controle/ips_face`
IPS_TEAM=`cat /etc/squid/controle/ips_team`

# Ativa modulos
# -------------------------------------------------------
/sbin/modprobe iptable_nat
/sbin/modprobe ip_conntrack
/sbin/modprobe ip_conntrack_ftp
/sbin/modprobe ip_nat_ftp
/sbin/modprobe ipt_LOG
/sbin/modprobe ipt_REJECT
/sbin/modprobe ipt_state
/sbin/modprobe ipt_MASQUERADE

# Ativa roteamento no kernel
# -------------------------------------------------------
echo "1" > /proc/sys/net/ipv4/ip_forward
echo "1" > /proc/sys/net/ipv4/ip_dynaddr

# Ativa o rp_filter (protecao contra IP spoofing)
# -------------------------------------------------------
for rp in /proc/sys/net/ipv4/conf/*/rp_filter
do echo "1" > $rp
done

# Zera regras
# -------------------------------------------------------
$iptables -F
$iptables -X
$iptables -F -t nat
$iptables -X -t nat
$iptables -F -t mangle
$iptables -X -t mangle

# Determina a politica padrao
# -------------------------------------------------------
$iptables -P INPUT DROP
$iptables -P OUTPUT DROP
$iptables -P FORWARD DROP

#########################################################
# Tabela FILTER
#########################################################

for ipsproxy in $IPS_PROXY;do
$iptables -A FORWARD -s $LAN -d $ipsproxy -p tcp --dport 80 -j ACCEPT
$iptables -A FORWARD -s $LAN -d $ipsproxy -p tcp --dport 443 -j ACCEPT
$iptables -A FORWARD -s $LAN -d $ipsproxy -p tcp --dport 8080 -j ACCEPT
done

for ipsface in $IPS_FACE;do
$iptables -A FORWARD -s $LAN -d $ipsface -p tcp --dport 443 -j DROP
$iptables -A FORWARD -s $LAN -d $ipsface -p udp --dport 443 -j DROP
$iptables -A INPUT -s $LAN -d $ipsface -p tcp --dport 443 -j DROP
$iptables -A INPUT -s $LAN -d $ipsface -p udp --dport 443 -j DROP
done
# Skype
$iptables -A FORWARD -d 23.61.133.0/16 -p tcp -j ACCEPT
$iptables -A FORWARD -d 23.62.0.0/16 -p tcp -j ACCEPT
$iptables -A FORWARD -d 65.54.165.0/16 -p tcp -j ACCEPT
$iptables -A FORWARD -d 65.54.187.0/8 -p tcp -j ACCEPT
$iptables -A FORWARD -d 72.247.1.0/16 -p tcp -j ACCEPT
$iptables -A FORWARD -d 91.190.218.0/16 -p tcp -j ACCEPT
$iptables -A FORWARD -d 46.241.0.0/16 -p tcp -j ACCEPT
$iptables -A FORWARD -d 213.199.0.0/16 -p tcp -j ACCEPT
$iptables -A FORWARD -d 91.190.0.0/16 -p tcp -j ACCEPT
$iptables -A FORWARD -d 23.61.133.0/16 -p tcp -j ACCEPT
$iptables -A FORWARD -d 186.133.0.0/16 -p tcp -j ACCEPT

$iptables -A FORWARD -s $LAN -d 65.54.186.10 -p tcp --dport 443 -j ACCEPT

# Site https sintegra
$iptables -A FORWARD -s $LAN -d 200.198.128.49 -p tcp --dport 443 -j ACCEPT
$iptables -A FORWARD -s $LAN -d 186.233.144.135 -p tcp --dport 443 -j ACCEPT

# Bloqueia acesso web sem passar pelo proxy
#$iptables -A FORWARD -s $LAN -p tcp --dport 80 -j DROP
#$iptables -A FORWARD -s $LAN -p tcp --dport 443 -j DROP

#$iptables -A FORWARD -s $LAN -p tcp --dport 8080 -j DROP

# Dropa pacotes TCP indesejaveis
# -------------------------------------------------------
#$iptables -A FORWARD -p tcp ! --syn -m state --state NEW -j LOG --log-level 6 --log-prefix "NEW sem syn "
$iptables -A FORWARD -p tcp ! --syn -m state --state NEW -j DROP

# Aceita os pacotes que realmente devem entrar
# -------------------------------------------------------
$iptables -A INPUT ! -i $IF_EMBRATEL -j ACCEPT
$iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
$iptables -A OUTPUT -m state --state ESTABLISHED,RELATED,NEW -j ACCEPT
$iptables -A FORWARD -m state --state ESTABLISHED,RELATED,NEW -j ACCEPT

# Protecao contra syn-flood
# -------------------------------------------------------
$iptables -A FORWARD -p tcp --syn -m limit --limit 2/s -j ACCEPT

# Protecao contra ping da morte
# -------------------------------------------------------
$iptables -A FORWARD -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT

# Protecao contra port scanners
# -------------------------------------------------------
$iptables -A FORWARD -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit 1/s -j ACCEPT

# Libera acesso externo a determinadas portas
# -------------------------------------------------------
$iptables -A INPUT -p tcp --dport 22 -i $IF_EMBRATEL -j ACCEPT
$iptables -A INPUT -p tcp --dport 22 -i $IF_NET -j ACCEPT
$iptables -A INPUT -p tcp --dport 80 -i $IF_EMBRATEL -j ACCEPT
$iptables -A INPUT -p tcp --dport 80 -i $IF_NET -j ACCEPT
$iptables -A INPUT -p tcp --dport 515 -i $IF_EMBRATEL -j ACCEPT
$iptables -A INPUT -p tcp --dport 515 -i $IF_NET -j ACCEPT
$iptables -A INPUT -p tcp --dport 631 -i $IF_EMBRATEL -j ACCEPT
$iptables -A INPUT -p tcp --dport 631 -i $IF_NET -j ACCEPT
$iptables -A INPUT -p tcp --dport 5666 -i $IF_EMBRATEL -j ACCEPT
$iptables -A INPUT -p tcp --dport 5666 -i $IF_NET -j ACCEPT
$iptables -A INPUT -p tcp --dport 8001 -i $IF_EMBRATEL -j ACCEPT
$iptables -A INPUT -p tcp --dport 8001 -i $IF_NET -j ACCEPT
$iptables -A INPUT -p tcp --dport 8000 -i $IF_EMBRATEL -j ACCEPT
$iptables -A INPUT -p tcp --dport 8000 -i $IF_NET -j ACCEPT

$iptables -A INPUT -p tcp --dport 8001 -i $IF_EMBRATEL -j ACCEPT
$iptables -A INPUT -p tcp --dport 8001 -i $IF_NET -j ACCEPT
$iptables -A INPUT -p tcp --dport 8181 -i $IF_EMBRATEL -j ACCEPT
$iptables -A INPUT -p tcp --dport 8181 -i $IF_NET -j ACCEPT

# Pacotes de localhost para IPs locais
# -------------------------------------------------------
#$iptables -A INPUT -p all -i $IF_LO -s $IP_LO -j ACCEPT
#$iptables -A INPUT -p all -i $IF_LO -s $IP_LAN -j ACCEPT
#$iptables -A INPUT -p all -i $IF_LO -s $IP_VPN -j ACCEPT
#$iptables -A INPUT -p all -i $IF_LO -s $IP_EMBRATEL -j ACCEPT
#$iptables -A INPUT -p all -i $IF_LO -s $IP_NET -j ACCEPT

# Rejeita tudo e loga
# -------------------------------------------------------
$iptables -N REJEITADOS
$iptables -A REJEITADOS -j DROP
$iptables -A INPUT -p all -i $IF_EMBRATEL -j REJEITADOS
$iptables -A INPUT -p all -i $IF_NET -j REJEITADOS

#########################################################
# Roteamento
#########################################################
ip route add $IP_NET via $GW_NET table gvt
ip route add $IP_EMBRATEL via $GW_EMBRATEL table embratel

ip rule add from $IP_NET table gvt
ip rule add from $IP_EMBRATEL table embratel

ip route add default via $GW_NET table gvt
ip route add default via $GW_EMBRATEL table embratel

ip rule add fwmark 2 table 20 prio 20

#ip route add default via $GW_NET dev $IF_NET table 20
ip route add default via $GW_EMBRATEL dev $IF_EMBRATEL table 20
# Adiciona segundo gateway
ip route append default via $GW_NET dev $IF_NET
ip route append default via $GW_EMBRATEL dev $IF_EMBRATEL

# Roteia pelo IP de destino
#ip route add $IP_MATRIZ via $GW_EMBRATEL dev $IF_EMBRATEL
#ip route add $IP_MATRIZ2 via $GW_EMBRATEL dev $IF_EMBRATEL
#ip route add 177.101.144.114 via $GW_EMBRATEL dev $IF_EMBRATEL

ip route add $IP_MATRIZ via $GW_NET dev $IF_NET
ip route add $IP_MATRIZ2 via $GW_NET dev $IF_NET

ip route flush cache

iptables -t mangle -A PREROUTING -s 192.168.150.254 -j MARK --set-mark 2

#########################################################
# Tabela NAT
#########################################################

# Ativa mascaramento
# -------------------------------------------------------
$iptables -t nat -A POSTROUTING -o $IF_EMBRATEL -j MASQUERADE
$iptables -t nat -A POSTROUTING -o $IF_NET -j MASQUERADE
#$iptables -t nat -A POSTROUTING -o $IF_VPN -j MASQUERADE

#########################################################
# Altera rota para o novo IP da GVT
#########################################################
$iptables -t nat -A PREROUTING -d $IP_MATRIZ -p tcp --dport 3389 -j DNAT --to $IP_MATRIZ_GVT
$iptables -t nat -A PREROUTING -i $IF_LAN -d $IP_MATRIZ -p tcp --dport 3389 -j DNAT --to $IP_MATRIZ_GVT

# Proxy transparente (acertado para Conectividade Social)
# -------------------------------------------------------
# Caixa
$iptables -t nat -A PREROUTING -s $LAN -d 200.201.174.0/24 -j RETURN
$iptables -t nat -A PREROUTING -s $LAN -d 200.201.173.0/24 -j RETURN
$iptables -t nat -A PREROUTING -s $LAN -d 200.201.166.0/24 -j RETURN
#$iptables -t nat -A PREROUTING -i $IF_LAN -s $LAN -p tcp --dport 80 -j REDIRECT --to-port 3128

# Redireciona portas para outros servidores
# -------------------------------------------------------

$iptables -t nat -A PREROUTING -i $IF_LAN -d $IP_MATRIZ -p tcp --dport 3389 -j DNAT --to $IP_MATRIZ_GVT:3388
$iptables -t nat -A PREROUTING -i $IF_LAN -d $IP_MATRIZ -p tcp --dport 3388 -j DNAT --to $IP_MATRIZ_GVT:3388
$iptables -t nat -A PREROUTING -i $IF_LAN -d 192.168.200.252 -p tcp -j DNAT --to 192.168.200.238

# Relogio ponto
$iptables -t nat -A PREROUTING -i $IF_EMBRATEL -p udp --dport 3000 -j DNAT --to-destination $IP_RELOGIO
#$iptables -t nat -A PREROUTING -i $IF_NET -p udp --dport 3000 -j DNAT --to-destination $IP_RELOGIO
$iptables -t nat -A PREROUTING -i $IF_EMBRATEL -p udp --dport 65535 -j DNAT --to-destination $IP_RELOGIO
#$iptables -t nat -A PREROUTING -i $IF_NET -p udp --dport 65535 -j DNAT --to-destination $IP_RELOGIO

#$iptables -t nat -A PREROUTING -i $IF_EMBRATEL -p tcp --dport 3000 -j DNAT --to-destination $IP_RELOGIO
$iptables -t nat -A PREROUTING -i $IF_NET -p tcp --dport 3000 -j DNAT --to-destination $IP_RELOGIO
#$iptables -t nat -A PREROUTING -i $IF_EMBRATEL -p tcp --dport 65535 -j DNAT --to-destination $IP_RELOGIO
$iptables -t nat -A PREROUTING -i $IF_NET -p tcp --dport 65535 -j DNAT --to-destination $IP_RELOGIO

# impressora
$iptables -t nat -A PREROUTING -i $IF_EMBRATEL -p tcp --dport 9100 -j DNAT --to-destination $IP_IMP
$iptables -t nat -A PREROUTING -i $IF_NET -p tcp --dport 9100 -j DNAT --to-destination $IP_IMP

# Cameras
$iptables -t nat -A PREROUTING -p tcp --dport 8001 -j DNAT --to-destination $IP_CAMERAS:8001
$iptables -t nat -A PREROUTING -p tcp --dport 8181 -j DNAT --to-destination $IP_CAMERAS:8080

$iptables -t nat -A PREROUTING -i $IF_EMBRATEL -p tcp --dport 3389 -j DNAT --to-destination $IP_CAMERAS
$iptables -t nat -A PREROUTING -i $IF_NET -p tcp --dport 3389 -j DNAT --to-destination $IP_CAMERAS

0 0

Quote