[LUG.ro Mix] Iptables-dos conexiones pppoe y balance de carga (todo en uno:D)
guillermo nardoni
lugro-mix@lugro.org.ar
Sun, 29 May 2005 21:11:54 -0300 (ART)
Hola, como andan muchachos, bueno les comento mi caso
a ver que me
aconsejan.
tengo dos conexiones pppoe
ppp0 (dhcp de arnet conectado a eth1 para pppoe)(2 mb)
ppp1 (dhcp de ciudad (flash) conectado a eth2 para
pppoe) (512 k)
eth0:
subred= 192.168.0.0
ip: 192.168.0.1
nm: 255.255.255.0
dns: 200.45.191.35
dns: 200.45.191.40
eth1:
subred: 10.0.0.0
ip: 10.0.0.1
nm: 255.0.0.0
eth2:
subnet: 10.0.1.0
ip: 10.0.1.1
nm: 255.0.0.0
hay un server interno (DMZ)
dmz: conectado por eth0
ipdmz: 192.168.0.99
nm: 255.255.255.0
gateway: 192.168.0.1
dns: 200.45.191.35
dns: 200.45.191.40
servicios:
ports: 80, 6667, 7777, 2106
la cuestión es que quiero hacer balance de carga entre
las dos conexiones
pppoe. Hay 15 terminales colgadas de las dos conexiones,
las cuales tienen
salida a internet.-
agradecería una sugerencia; aquí dejo el archivo
fw.nat que tengo
actualmente (hoy por hoy, está ruteando todo por la
conexión ppp0) .-
y por último y prometo no joder por un largo tiempo
jejejejeej, que puedo
hacer cuando las conexiones se cortan y se vuelven a
levantar?, como las ips
son dinámicas no me sirve; tengo que descargar y cargar a
mano nuevamente el
firewall con los comandos fw.nat stop y fw.nat start
respectivamente.-
desde ya muchísimas gracias-
Guillermo de Rosario-
ARCHIVO FW.NAT (PARA RUTEAR ENTRE OTRAS COSAS:d)
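#!/bin/sh
#
# fw.nat - firewall, NAT and port forwarding for a gateway with two PPPoE
# uplinks (ppp0 / ppp1), a LAN and an internal server (DMZ).
#
# Usage: ./fw.nat {start|stop}
#
# Every rule that names a public address bakes in the value ifconfig reports
# at the moment "start" runs.  A PPPoE link that drops and comes back with a
# new dynamic address leaves those rules stale, so "start" has to be re-run
# on every link-up (pppd's ip-up hook is the usual place; not done here).

IPTABLES="/sbin/iptables"

# Print the IPv4 address of interface $1, or nothing if it has none / is down.
# Depends on net-tools ifconfig printing "inet addr:A.B.C.D".
iface_ip() {
  ifconfig "$1" | grep 'inet addr' | awk '{print $2}' | sed -e 's/.*://'
}

# Load the netfilter modules the rule set relies on (same order as before).
load_modules() {
  /sbin/depmod -a
  for fw_mod in ip_tables ip_conntrack iptable_filter iptable_mangle \
      iptable_nat ipt_LOG ipt_limit ipt_state ipt_MASQUERADE \
      ip_conntrack_ftp ip_conntrack_irc ip_nat_ftp ip_nat_irc; do
    /sbin/modprobe "$fw_mod"
  done
}

# Flush every table and delete the user-defined chains, so that a second
# "start" does not fail with "chain already exists" on the -N lines.
flush_all() {
  "$IPTABLES" -F
  "$IPTABLES" -X
  "$IPTABLES" -t nat -F
  "$IPTABLES" -t nat -X
  "$IPTABLES" -t mangle -F
  "$IPTABLES" -t mangle -X
}

# dnat_ports PUBLIC_IP PRIVATE_IP LABEL PORT...
# DNAT each PORT (a number or a "from:to" range), TCP and UDP, arriving at
# PUBLIC_IP to PRIVATE_IP.  LABEL only names the target in the progress line.
dnat_ports() {
  fw_pub=$1
  fw_priv=$2
  fw_label=$3
  shift 3
  for fw_port in "$@"; do
    echo " HACIENDO PREROUTING DEL PUERTO $fw_port DE JUEGOS"
    echo " IP INTERNET=$fw_pub IP $fw_label=$fw_priv"
    "$IPTABLES" -t nat -A PREROUTING -d "$fw_pub" -p tcp --dport "$fw_port" \
      -j DNAT --to-destination "$fw_priv"
    "$IPTABLES" -t nat -A PREROUTING -d "$fw_pub" -p udp --dport "$fw_port" \
      -j DNAT --to-destination "$fw_priv"
  done
}

# snat_ports PUBLIC_IP PRIVATE_IP LABEL PORT...
# Companion of dnat_ports: rewrite the source of LAN-bound traffic to PORT to
# PUBLIC_IP so the reply comes back through this box.  Presumably this is what
# lets LAN clients reach the forwarded server via the public address (NAT
# loopback) — confirm, the thread does not say.
snat_ports() {
  fw_pub=$1
  fw_priv=$2
  fw_label=$3
  shift 3
  for fw_port in "$@"; do
    echo " HACIENDO POSTROUTING DEL PUERTO $fw_port DE JUEGOS"
    echo " IP INTERNET=$fw_pub IP $fw_label=$fw_priv"
    "$IPTABLES" -t nat -A POSTROUTING -p tcp -d "$LAN_NET" --dport "$fw_port" \
      -j SNAT --to-source "$fw_pub"
    "$IPTABLES" -t nat -A POSTROUTING -p udp -d "$LAN_NET" --dport "$fw_port" \
      -j SNAT --to-source "$fw_pub"
  done
}

# Bring the firewall up: flush, read the configuration, load modules, install
# the rule set and only then enable forwarding.
fw_start() {
  echo "Limpiando Todas las Reglas del Firewall...."
  # Forwarding stays off until the complete rule set is loaded (see the end).
  echo 0 > /proc/sys/net/ipv4/ip_forward
  flush_all

  # ---------------------------------------------------------------- config
  GAMES_PORT="27015:27030"
  LOCAL_PORT="27015"
  DMZ_LOCAL_IP="192.168.0.1"
  GAMES2_PORT="7777 2106 6667:7000"
  INET_IFACE="ppp0"
  # NOTE(review): both uplink variables point at ppp0, although the thread
  # describes ppp1 as the second PPPoE link and GAMES2_PORT is published on
  # INET_IFACE2; confirm which interface is meant.
  INET_IFACE2="ppp0"

  # Public addresses, read once from ifconfig.  HTTP_IP, DNS_IP and GAMES_IP
  # are all the first uplink's address (the original queried ifconfig once
  # per variable, for the same interface).
  INET_IP=$(iface_ip "$INET_IFACE")
  INET_IP2=$(iface_ip "$INET_IFACE2")
  HTTP_IP=$INET_IP
  DNS_IP=$INET_IP
  GAMES_IP=$INET_IP
  # A down uplink yields an empty address and iptables then rejects every rule
  # that embeds it; say so up front but carry on, as the original did.
  [ -n "$INET_IP" ] || echo "ADVERTENCIA: $INET_IFACE no tiene direccion IP" >&2
  [ -n "$INET_IP2" ] || echo "ADVERTENCIA: $INET_IFACE2 no tiene direccion IP" >&2

  # Labels come from the variables, not literal "ppp0"/"ppp1", so the output
  # reflects the configuration actually in use.
  echo "Direccion Internet Interfaz $INET_IFACE = $INET_IP"
  echo "Direccion Internet Interfaz $INET_IFACE http = $HTTP_IP"
  echo "Direccion Internet Interfaz $INET_IFACE dns = $DNS_IP"
  echo "Direccion Internet Interfaz $INET_IFACE games = $GAMES_IP"
  echo "Direccion Internet Interfaz $INET_IFACE2 = $INET_IP2"

  LAN_NET="192.168.0.0/255.255.255.0"
  LAN_IP="192.168.0.1/255.255.255.0"
  LAN_IFACE="eth1"
  echo "Direccion Internet HOST LINUX Interfaz $LAN_IFACE = $LAN_IP"

  DMZ_HTTP_IP="192.168.0.99"
  DMZ_DNS_IP="192.168.0.3"
  DMZ_GAMES_IP="192.168.0.201"
  DMZ2_GAMES_IP="192.168.0.99"
  DMZ_IP="192.168.0.1"
  # NOTE(review): LAN_IFACE and DMZ_IFACE are the same interface (eth1), while
  # the thread places 192.168.0.0/24 on eth0 and uses eth1 for PPPoE; the
  # -i/-o matches below only work if eth1 really carries the LAN — confirm.
  DMZ_IFACE="eth1"
  echo "Interfaz DMZ = $DMZ_IFACE"
  echo "Direccion Internet Interfaz $DMZ_IFACE dns = $DMZ_DNS_IP"
  echo "Direccion Internet Interfaz $DMZ_IFACE games = $DMZ_GAMES_IP"
  echo "Direccion Internet Interfaz $DMZ_IFACE games = $DMZ2_GAMES_IP"
  echo "Direccion Internet Interfaz $DMZ_IFACE http = $DMZ_HTTP_IP"
  echo "Direccion Internet Interfaz $DMZ_IFACE ip = $DMZ_IP"
  LO_IFACE="lo"
  LO_IP="127.0.0.1"

  load_modules
  # ip_dynaddr: kernel support for links whose address changes (dial-up).
  echo "1" > /proc/sys/net/ipv4/ip_dynaddr

  # -------------------------------------------------------- default policy
  echo "Establezo reglas por defecto"
  "$IPTABLES" -P INPUT DROP
  "$IPTABLES" -P OUTPUT DROP
  "$IPTABLES" -P FORWARD DROP

  # --------------------------------------------------------- helper chains
  "$IPTABLES" -N bad_tcp_packets
  "$IPTABLES" -N allowed
  "$IPTABLES" -N icmp_packets

  # bad_tcp_packets: a NEW connection must start with a plain SYN.  SYN+ACK as
  # first packet gets a RST; any other non-SYN NEW packet is logged, dropped.
  echo "NEW sin SYC?. - Rechazo el paquete"
  "$IPTABLES" -A bad_tcp_packets -p tcp --tcp-flags SYN,ACK SYN,ACK \
    -m state --state NEW -j REJECT --reject-with tcp-reset
  "$IPTABLES" -A bad_tcp_packets -p tcp ! --syn -m state --state NEW \
    -j LOG --log-prefix "New not syn:"
  "$IPTABLES" -A bad_tcp_packets -p tcp ! --syn -m state --state NEW -j DROP

  # allowed: accept a TCP handshake and anything belonging to a known
  # connection; every other TCP packet is dropped.
  "$IPTABLES" -A allowed -p tcp --syn -j ACCEPT
  "$IPTABLES" -A allowed -p tcp -m state --state ESTABLISHED,RELATED -j ACCEPT
  "$IPTABLES" -A allowed -p tcp -j DROP

  # icmp_packets: echo request (8) and time exceeded (11) only.
  "$IPTABLES" -A icmp_packets -p icmp -s 0/0 --icmp-type 8 -j ACCEPT
  "$IPTABLES" -A icmp_packets -p icmp -s 0/0 --icmp-type 11 -j ACCEPT

  # ------------------------------------------------------------------ INPUT
  "$IPTABLES" -A INPUT -p tcp -j bad_tcp_packets
  "$IPTABLES" -A INPUT -p icmp -i "$INET_IFACE" -j icmp_packets
  # From the DMZ interface to these addresses.  Only addresses this host owns
  # can match in INPUT; the DMZ hosts' addresses are kept as they were.
  for fw_dst in "$DMZ_IP" "$DMZ_GAMES_IP" "$DMZ2_GAMES_IP" \
      "$DMZ_DNS_IP" "$DMZ_HTTP_IP"; do
    "$IPTABLES" -A INPUT -p all -i "$DMZ_IFACE" -d "$fw_dst" -j ACCEPT
  done
  # NOTE(review): these three accept FTP, SSH and telnet on *every* interface,
  # the PPPoE uplinks included, i.e. they are reachable from the internet
  # (telnet and FTP in clear text).  Restricting them with -i "$LAN_IFACE",
  # or at least a source match, is the usual fix.
  "$IPTABLES" -A INPUT -p tcp --dport 21 -j ACCEPT
  "$IPTABLES" -A INPUT -p tcp --dport 22 -j ACCEPT
  "$IPTABLES" -A INPUT -p tcp --dport 23 -j ACCEPT
  "$IPTABLES" -A INPUT -p all -i "$LAN_IFACE" -d "$LAN_IP" -j ACCEPT
  "$IPTABLES" -A INPUT -p all -i "$LO_IFACE" -s "$LO_IP" -j ACCEPT
  "$IPTABLES" -A INPUT -p all -i "$LO_IFACE" -s "$LAN_IP" -j ACCEPT
  "$IPTABLES" -A INPUT -p all -i "$LO_IFACE" -s "$INET_IP" -j ACCEPT
  # DHCP requests from LAN clients (client port 68 -> server port 67).
  "$IPTABLES" -A INPUT -p udp -i "$LAN_IFACE" --dport 67 --sport 68 -j ACCEPT
  "$IPTABLES" -A INPUT -p all -d "$INET_IP" -m state \
    --state ESTABLISHED,RELATED -j ACCEPT
  "$IPTABLES" -A INPUT -m limit --limit 3/minute --limit-burst 3 -j LOG \
    --log-level DEBUG --log-prefix "IPT INPUT packet died: "

  # ---------------------------------------------------------------- FORWARD
  "$IPTABLES" -A FORWARD -p tcp -j bad_tcp_packets
  # General DMZ rules.
  # NOTE(review): the INET -> DMZ rule accepts everything from the uplink into
  # the DMZ interface unconditionally, which makes the per-service HTTP/DNS
  # rules below dead and exposes every host behind $DMZ_IFACE.  The original
  # file carried a commented-out stateful variant (-m state --state
  # ESTABLISHED,RELATED) here, under which those per-service rules would be
  # the only way in.
  "$IPTABLES" -A FORWARD -i "$DMZ_IFACE" -o "$INET_IFACE" -j ACCEPT
  "$IPTABLES" -A FORWARD -i "$INET_IFACE" -o "$DMZ_IFACE" -j ACCEPT
  "$IPTABLES" -A FORWARD -i "$LAN_IFACE" -o "$DMZ_IFACE" -j ACCEPT
  "$IPTABLES" -A FORWARD -i "$DMZ_IFACE" -o "$LAN_IFACE" -j ACCEPT
  # HTTP server in the DMZ.
  "$IPTABLES" -A FORWARD -p tcp -i "$INET_IFACE" -o "$DMZ_IFACE" \
    -d "$DMZ_HTTP_IP" --dport 80 -j allowed
  "$IPTABLES" -A FORWARD -p icmp -i "$INET_IFACE" -o "$DMZ_IFACE" \
    -d "$DMZ_HTTP_IP" -j icmp_packets
  # DNS server in the DMZ.
  "$IPTABLES" -A FORWARD -p tcp -i "$INET_IFACE" -o "$DMZ_IFACE" \
    -d "$DMZ_DNS_IP" --dport 53 -j allowed
  "$IPTABLES" -A FORWARD -p udp -i "$INET_IFACE" -o "$DMZ_IFACE" \
    -d "$DMZ_DNS_IP" --dport 53 -j ACCEPT
  "$IPTABLES" -A FORWARD -p icmp -i "$INET_IFACE" -o "$DMZ_IFACE" \
    -d "$DMZ_DNS_IP" -j icmp_packets
  # Everything originating on the LAN or DMZ side may be forwarded.
  "$IPTABLES" -A FORWARD -i "$LAN_IFACE" -j ACCEPT
  "$IPTABLES" -A FORWARD -i "$DMZ_IFACE" -j ACCEPT
  # NOTE(review): inbound FTP/SSH/telnet from the uplink to any forwarded
  # host; same exposure remark as for INPUT.
  "$IPTABLES" -A FORWARD -p tcp --dport 21 -i "$INET_IFACE" -j ACCEPT
  "$IPTABLES" -A FORWARD -p tcp --dport 22 -i "$INET_IFACE" -j ACCEPT
  "$IPTABLES" -A FORWARD -p tcp --dport 23 -i "$INET_IFACE" -j ACCEPT
  "$IPTABLES" -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
  "$IPTABLES" -A FORWARD -m limit --limit 3/minute --limit-burst 3 -j LOG \
    --log-level DEBUG --log-prefix "IPT FORWARD packet died: "

  # ----------------------------------------------------------------- OUTPUT
  "$IPTABLES" -A OUTPUT -p tcp -j bad_tcp_packets
  "$IPTABLES" -A OUTPUT -p all -s "$LO_IP" -j ACCEPT
  "$IPTABLES" -A OUTPUT -p all -s "$LAN_IP" -j ACCEPT
  "$IPTABLES" -A OUTPUT -p all -s "$INET_IP" -j ACCEPT
  "$IPTABLES" -A OUTPUT -m limit --limit 3/minute --limit-burst 3 -j LOG \
    --log-level DEBUG --log-prefix "IPT OUTPUT packet died: "

  # ----------------------------------------------- NAT: inbound (PREROUTING)
  # Game/server ports published on the public addresses.  $GAMES2_PORT is
  # deliberately unquoted: it is a space-separated list of ports.
  dnat_ports "$INET_IP" "$DMZ_GAMES_IP" "DMZ_GAMES" "$GAMES_PORT"
  dnat_ports "$INET_IP" "$DMZ_LOCAL_IP" "DMZ_LOCAL" "$LOCAL_PORT"
  # shellcheck disable=SC2086
  dnat_ports "$INET_IP2" "$DMZ2_GAMES_IP" "DMZ2_GAMES" $GAMES2_PORT
  # Transparent Squid for LAN web traffic, then public HTTP/DNS to the DMZ.
  "$IPTABLES" -t nat -A PREROUTING -p tcp -i "$LAN_IFACE" --dport 80 \
    -j REDIRECT --to-port 3128
  "$IPTABLES" -t nat -A PREROUTING -p tcp -i "$INET_IFACE" -d "$HTTP_IP" \
    --dport 80 -j DNAT --to-destination "$DMZ_HTTP_IP"
  "$IPTABLES" -t nat -A PREROUTING -p tcp -i "$INET_IFACE" -d "$DNS_IP" \
    --dport 53 -j DNAT --to-destination "$DMZ_DNS_IP"
  "$IPTABLES" -t nat -A PREROUTING -p udp -i "$INET_IFACE" -d "$DNS_IP" \
    --dport 53 -j DNAT --to-destination "$DMZ_DNS_IP"

  # ---------------------------------------------- NAT: outbound (POSTROUTING)
  echo "HACIENDO POSTROUTING DE LA LAN (SALIDAS A INTERNET)"
  # NOTE(review): the four MASQUERADE rules carry no -o match, so they also
  # rewrite FTP/SSH/telnet traffic that stays between the internal networks.
  "$IPTABLES" -t nat -A POSTROUTING -p tcp -s 0/0 --dport 21 -j MASQUERADE
  "$IPTABLES" -t nat -A POSTROUTING -p tcp -s 0/0 --dport 20 -j MASQUERADE
  "$IPTABLES" -t nat -A POSTROUTING -p tcp --dport 22 -j MASQUERADE
  "$IPTABLES" -t nat -A POSTROUTING -p tcp --dport 23 -j MASQUERADE
  # Everything leaving through the first uplink gets its address.  Nothing is
  # NATed for INET_IFACE2, consistent with the thread's remark that today all
  # traffic goes out through ppp0.
  "$IPTABLES" -t nat -A POSTROUTING -o "$INET_IFACE" -j SNAT \
    --to-source "$INET_IP"
  snat_ports "$INET_IP" "$DMZ_GAMES_IP" "DMZ_GAMES" "$GAMES_PORT"
  snat_ports "$INET_IP" "$DMZ_LOCAL_IP" "DMZ_LOCAL" "$LOCAL_PORT"
  # shellcheck disable=SC2086
  snat_ports "$INET_IP2" "$DMZ2_GAMES_IP" "DMZ2_GAMES" $GAMES2_PORT

  # Forwarding is enabled only now, with the DROP policies and the full rule
  # set in place.  The original switched it on right after loading the
  # modules, before the policies were set, so for a moment the box forwarded
  # under whatever FORWARD policy the previous run — or a fresh boot, where
  # it is ACCEPT — had left.
  echo "1" > /proc/sys/net/ipv4/ip_forward
}

# Take the firewall down: stop forwarding, open INPUT/OUTPUT and flush.
fw_stop() {
  echo "Apagando el Servicio de Firewall y Routing..."
  echo 0 > /proc/sys/net/ipv4/ip_forward
  "$IPTABLES" -P INPUT ACCEPT
  "$IPTABLES" -P OUTPUT ACCEPT
  # FORWARD is not reset: with ip_forward at 0 nothing transits anyway, and
  # DROP is the safer value should forwarding be switched back on by hand.
  flush_all
}

case "$1" in
  start)
    fw_start
    ;;
  stop)
    fw_stop
    ;;
  *)
    echo "modo de uso: ./fw.nat {start|stop}" >&2
    exit 1
    ;;
esac
exit 0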