Firewall with iproute2 for 2 links with fixed IP
Published by Eduardo Gomes (last updated on 22/10/2009)
Here is a working firewall for anyone who wants high availability for their website, e-mail and POP3, and also wants to connect remotely via Terminal Server.
Of course I owe a lot to Tiago, author of the article:
http://www.vivaolinux.com.br/artigo/Roteamento-de-entrada-saida-com-iproute-e-iptables
from which I drew great benefit.
#!/bin/bash
IPTABLES=`which iptables`
SYSCTL=`which sysctl`   # never set in the original; when empty, the /proc writes below are used instead
# -----------------------
WAN1_NAME="net"
WAN1_IF="eth0"
WAN1_IP="201.100.9.3"
WAN1_GW="201.100.9.1"
WAN1_NET="201.100.9.0/24"
WAN1_MARK=201
WAN1_WEIGHT=8
# -----------------------
WAN2_NAME="gvt"
WAN2_IF="eth1"
WAN2_IP="200.13.6.35"
WAN2_GW="200.13.6.33"
WAN2_NET="200.13.6.0/24"
WAN2_MARK=200
WAN2_WEIGHT=4
# -----------------------
LAN_IF="eth3"
LAN_IP="10.10.2.3"
LAN_NET="10.10.2.0/26"
LAN_BCAST="10.10.2.62"
# -----------------------
LAN2_IF="eth2"
LAN2_IP="10.10.1.5"
LAN2_NET="10.10.1.0/27"
LAN2_BCAST="10.10.1.30"
# -----------------------
LO_IF="lo"
LO_IP="127.0.0.1"
LO_NET="127.0.0.0/8"
# -----------------------
# The routing tables "net" and "gvt" must be declared in /etc/iproute2/rt_tables
# (for example "201 net" and "200 gvt"); otherwise the ip route / ip rule calls below fail.
# WAN1_WEIGHT, WAN2_WEIGHT and the MARK_NET/MARK_GVT chains are defined but not used
# by this script; they are kept as they were in the original.

# mark_service <wan_if> <wan_ip> <tcp_port> <mark>
# Marks packets of one published service that arrived on one link (mangle PREROUTING,
# INPUT and FORWARD, only packets not yet marked) so that the replies leave through the
# same link. The original repeated these five rules by hand for every port and link.
mark_service() {
  local IF=$1 IP=$2 PORT=$3 MARK=$4
  for CHAIN in PREROUTING FORWARD; do
    $IPTABLES -t mangle -A $CHAIN -i $IF -p tcp --sport $PORT -d $IP -m conntrack --ctorigdst $IP -m mark --mark 0 -j MARK --set-mark $MARK
    $IPTABLES -t mangle -A $CHAIN -i $IF -p tcp --dport $PORT -d $IP -m conntrack --ctorigdst $IP -m mark --mark 0 -j MARK --set-mark $MARK
  done
  $IPTABLES -t mangle -A INPUT -i $IF -p tcp --dport $PORT -d $IP -m conntrack --ctorigdst $IP -m mark --mark 0 -j MARK --set-mark $MARK
}

# Remove the policy rules created by an earlier run of this script, so that a
# restart does not accumulate duplicates (ip rule add does not check for an
# identical existing rule). Only rules that look up the "net" or "gvt" tables are touched.
flush_link_rules() {
  for PRIO in $(ip rule show | grep -E 'lookup (net|gvt)' | cut -d: -f1); do
    ip rule del prio $PRIO
  done
}

case $1 in
start)
  echo "|=====================================================|"
  echo "|:Script de Firewall - IPTABLES _ |"
  echo "|:Criado por: Eduardo Gomes °v° |"
  echo "|:Técnico em Informática /(_)\ |"
  echo "|:suportlinux@yahoo.com.br ^ ^ |"
  echo "|:Uso: /etc/init.d/firewall |"
  echo "|:$HOSTNAME:.............................ok: |"
  echo "|=====================================================|"
  $IPTABLES -F
  $IPTABLES -Z
  $IPTABLES -X
  $IPTABLES -F -t nat
  $IPTABLES -X -t nat
  $IPTABLES -F -t mangle
  $IPTABLES -X -t mangle
  $IPTABLES -Z -t mangle
  echo "|:As regras de firewall foram limpas com sucesso :|"
  $IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
  # The original never accepted loopback traffic; with the final REJECT below that
  # breaks local services (e.g. the resolver talking to the local DNS server).
  $IPTABLES -A INPUT -i $LO_IF -j ACCEPT
  # Chain for sources that exceeded the SSH connection rate: drop while the counter is
  # still above 10 hits/60 s, otherwise log and reject.
  $IPTABLES -N REJECT-SSH
  $IPTABLES -A REJECT-SSH -m recent --rcheck --name SSH --seconds 60 --hitcount 10 -j DROP
  $IPTABLES -A REJECT-SSH -j LOG --log-prefix "SSH-Bruteforce: "
  $IPTABLES -A REJECT-SSH -p tcp -j REJECT --reject-with tcp-reset
  $IPTABLES -A REJECT-SSH -j REJECT
  echo "|:Regras de reject-and-log-SSH-Bruteforce ativas :|"
  # The ssh and blacklist chains are defined but nothing jumps to them (kept as in the original).
  $IPTABLES -N ssh
  $IPTABLES -N blacklist
  $IPTABLES -A blacklist -m recent --name blacklist --set
  $IPTABLES -A blacklist -j LOG --log-prefix 'SSH REJECTED: '
  $IPTABLES -A blacklist -j REJECT
  $IPTABLES -A ssh -m recent --set --name couting1
  $IPTABLES -A ssh -m recent --update --name couting1 --seconds 20 --hitcount 3 -j blacklist
  $IPTABLES -A ssh -j ACCEPT
  echo "|:Regras de blacklist SSH ativadas com sucesso :|"
  # The 4th new SSH connection from one source within 60 s goes to REJECT-SSH.
  $IPTABLES -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --update --name SSH --seconds 60 --hitcount 4 -j REJECT-SSH
  $IPTABLES -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --set --name SSH
  echo "|:Kill SSH Brute-force attacks ativado com sucesso :|"
  echo "|=====================================================|"
  echo "|:Regras de input:.................................ok:|"
  $IPTABLES -A INPUT -p tcp --dport 22 -j ACCEPT
  $IPTABLES -A INPUT -p tcp --dport 53 -j ACCEPT
  $IPTABLES -A INPUT -p udp --dport 53 -j ACCEPT
  $IPTABLES -A INPUT -p tcp --dport 1723 -j ACCEPT
  echo "|:.............ok:|"
  echo "|:Libera icmp mais com limite:.....................ok:|"
  $IPTABLES -A INPUT -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT
  $IPTABLES -A INPUT -p icmp --icmp-type echo-reply -m limit --limit 1/s -j ACCEPT
  echo "|:.............ok:|"
  echo "|:Fechando o resto do INPUT:.......................ok:|"
  $IPTABLES -A INPUT -p icmp -j DROP
  $IPTABLES -A INPUT -j LOG --log-prefix "INPUT Barrado: "
  $IPTABLES -A INPUT -j REJECT
  $IPTABLES -P INPUT DROP
  echo "|:.............ok:|"
  # rp_filter has to be off for the two-link setup: replies leave through an interface
  # the main table would not choose. accept_source_route=1 is kept from the original,
  # but it is not needed for this setup and is normally left at 0.
  if [ "$SYSCTL" = "" ]; then
    echo "0" > /proc/sys/net/ipv4/conf/all/rp_filter
  else
    $SYSCTL -w net.ipv4.conf.all.rp_filter="0"
  fi
  if [ "$SYSCTL" = "" ]; then
    echo "1" > /proc/sys/net/ipv4/conf/all/accept_source_route
  else
    $SYSCTL -w net.ipv4.conf.all.accept_source_route="1"
  fi
  if [ "$SYSCTL" = "" ]; then
    echo "0" > /proc/sys/net/ipv4/conf/all/secure_redirects
  else
    $SYSCTL -w net.ipv4.conf.all.secure_redirects="0"
  fi
  echo "|:Ativar redirecionamento no arquivo ip_forward:.....:|"
  echo "1" > /proc/sys/net/ipv4/ip_forward
  echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
  echo "|:.............ok:|"
  echo "|:Regras de prerouting e redirecionamento:...........:|"
  echo "|:.............ok:|"
  echo "|:Implementando regras de QoS para o VOIP:...........:|"
  for PORT in 5060 5061 10000:20000; do
    $IPTABLES -t mangle -A POSTROUTING -p udp --sport $PORT -j TOS --set-tos 16
    $IPTABLES -t mangle -A PREROUTING -p udp --dport $PORT -j TOS --set-tos 16
  done
  echo "|:.............ok:|"
  echo "|:Implementando regras de HTB para o VOIP:...........:|"
  for PORT in 10000:20000 5060; do
    $IPTABLES -t mangle -A POSTROUTING -p udp --sport $PORT -j MARK --set-mark 0x10
    $IPTABLES -t mangle -A PREROUTING -p udp --dport $PORT -j MARK --set-mark 0x10
  done
  echo "|:.............ok:|"
  echo "|:Marcar pacotes para usar os Links:.................:|"
  echo "|:Marcar smtp com entrada no Link 1:.................:|"
  $IPTABLES -t mangle -A PREROUTING -i $WAN1_IF -p tcp --dport 25 -d $WAN1_IP -m conntrack --ctorigdst $WAN1_IP -m mark --mark 0 -j MARK --set-mark 1
  echo "|:.............ok:|"
  echo "|:Marcar smtp com entrada no Link 2:.................:|"
  $IPTABLES -t mangle -A PREROUTING -i $WAN2_IF -p tcp --dport 25 -d $WAN2_IP -m conntrack --ctorigdst $WAN2_IP -m mark --mark 0 -j MARK --set-mark 2
  echo "|:.............ok:|"
  echo "|:Marcar pop3 com entrada no Link 1:.................:|"
  $IPTABLES -t mangle -A PREROUTING -i $WAN1_IF -p tcp --dport 110 -d $WAN1_IP -m conntrack --ctorigdst $WAN1_IP -m mark --mark 0 -j MARK --set-mark 3
  echo "|:.............ok:|"
  echo "|:Marcar pop3 com entrada no Link 2:.................:|"
  $IPTABLES -t mangle -A PREROUTING -i $WAN2_IF -p tcp --dport 110 -d $WAN2_IP -m conntrack --ctorigdst $WAN2_IP -m mark --mark 0 -j MARK --set-mark 4
  echo "|:.............ok:|"
  echo "|:Marcar http com entrada no Link 1:.................:|"
  mark_service $WAN1_IF $WAN1_IP 80 5
  echo "|:.............ok:|"
  echo "|:Marcar http com entrada no Link 2:.................:|"
  mark_service $WAN2_IF $WAN2_IP 80 6
  echo "|:.............ok:|"
  echo "|:Marcar 443 com entrada no Link 1:..................:|"
  mark_service $WAN1_IF $WAN1_IP 443 7
  echo "|:.............ok:|"
  echo "|:Marcar 443 com entrada no Link 2:..................:|"
  mark_service $WAN2_IF $WAN2_IP 443 8
  echo "|:.............ok:|"
  echo "|:Marcar 8009 com entrada no Link 1:.................:|"
  mark_service $WAN1_IF $WAN1_IP 8009 9
  echo "|:.............ok:|"
  echo "|:Marcar 8009 com entrada no Link 2:.................:|"
  mark_service $WAN2_IF $WAN2_IP 8009 10
  echo "|:.............ok:|"
  echo "|:Marcar 8081 com entrada no Link 1:.................:|"
  mark_service $WAN1_IF $WAN1_IP 8081 11
  echo "|:.............ok:|"
  echo "|:Marcar 8081 com entrada no Link 2:.................:|"
  mark_service $WAN2_IF $WAN2_IP 8081 12
  echo "|:.............ok:|"
  echo "|:Tabela nat de entrada na porta 25 dos links:.......:|"
  $IPTABLES -t nat -A PREROUTING -i $WAN1_IF -p tcp --dport 25 -j DNAT --to-dest 10.10.1.8
  $IPTABLES -t nat -A PREROUTING -i $WAN2_IF -p tcp --dport 25 -j DNAT --to-dest 10.10.1.8
  echo "|:.............ok:|"
  echo "|:Tabela nat de entrada na porta 80 dos links:.......:|"
  $IPTABLES -t nat -A PREROUTING -i $WAN1_IF -p tcp --dport 80 -j DNAT --to-dest 10.10.1.9
  $IPTABLES -t nat -A PREROUTING -i $WAN2_IF -p tcp --dport 80 -j DNAT --to-dest 10.10.1.9
  echo "|:.............ok:|"
  echo "|:Tabela nat de entrada na porta 443 dos links:......:|"
  $IPTABLES -t nat -A PREROUTING -i $WAN1_IF -p tcp --dport 443 -j DNAT --to-dest 10.10.1.8
  $IPTABLES -t nat -A PREROUTING -i $WAN2_IF -p tcp --dport 443 -j DNAT --to-dest 10.10.1.8
  echo "|:.............ok:|"
  echo "|:Tabela nat de entrada dos links:...................:|"
  $IPTABLES -t nat -A PREROUTING -i $WAN1_IF -p tcp --dport 8009 -j DNAT --to-dest 10.10.1.8
  $IPTABLES -t nat -A PREROUTING -i $WAN2_IF -p tcp --dport 8009 -j DNAT --to-dest 10.10.1.8
  echo "|:.............ok:|"
  echo "|:Tabela nat de entrada na porta 8081 dos links:.....:|"
  $IPTABLES -t nat -A PREROUTING -i $WAN1_IF -p tcp --dport 8081 -j DNAT --to-dest 10.10.2.5
  $IPTABLES -t nat -A PREROUTING -i $WAN2_IF -p tcp --dport 8081 -j DNAT --to-dest 10.10.2.5
  echo "|:.............ok:|"
  echo "|:Regras de forward:...............................ok:|"
  $IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
  $IPTABLES -A FORWARD -p tcp ! --syn -m state --state NEW -j DROP
  $IPTABLES -A FORWARD -m state --state INVALID -j DROP
  echo "|:.............ok:|"
  echo "|:IPs com previlegios especiais:...................ok:|"
  $IPTABLES -A FORWARD -s 10.10.2.4/32 -j ACCEPT
  $IPTABLES -A FORWARD -s 10.10.2.5/32 -j ACCEPT
  echo "|:.............ok:|"
  echo "|:Liberar portas de saída:.........................ok:|"
  # The original listed every port twice (the second time with --sport 1024:65535);
  # the plain --dport rule already covers that case, so one rule per port is enough.
  for PORT in 22 25 80 81 82 443 8009 8080 8081; do
    $IPTABLES -A FORWARD -p tcp --dport $PORT -j ACCEPT
  done
  for PORT in 53 5060; do
    $IPTABLES -A FORWARD -p udp --dport $PORT -j ACCEPT
  done
  $IPTABLES -A FORWARD -j LOG --log-prefix "FORWARD Barrado: "
  # As shipped, the final REJECT and the DROP policy are commented out, so forwarded
  # traffic that matched nothing above is logged and then allowed by the default
  # ACCEPT policy. Uncomment both lines to actually enforce the port list.
  #$IPTABLES -A FORWARD -j REJECT
  #$IPTABLES -P FORWARD DROP
  echo "|:Regras de output:................................ok:|"
  $IPTABLES -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
  echo "|:.............ok:|"
  echo "|:Implementando regras de QoS para o VOIP:...........:|"
  # the original added these three rules twice; once is enough
  for PORT in 5060 5061 10000:20000; do
    $IPTABLES -t mangle -A OUTPUT -p udp --dport $PORT -j TOS --set-tos 16
  done
  $IPTABLES -P OUTPUT ACCEPT
  echo "|:Salvar rotas de entrada dos links:.................:|"
  $IPTABLES -t mangle -A PREROUTING -i $WAN1_IF -j CONNMARK --save-mark
  $IPTABLES -t mangle -A PREROUTING -i $WAN2_IF -j CONNMARK --save-mark
  echo "|:.............ok:|"
  echo "|:Lembrando marca de entrada anterios dos links:.....:|"
  # Replies coming back from the LAN hosts get the mark of the connection they belong
  # to, which the ip rules below use to send them out through the link they came in on.
  $IPTABLES -t mangle -A PREROUTING -i $LAN_IF -p tcp -m state --state ESTABLISHED,RELATED -j CONNMARK --restore-mark
  $IPTABLES -t mangle -A PREROUTING -i $LAN2_IF -p tcp -m state --state ESTABLISHED,RELATED -j CONNMARK --restore-mark
  echo "|:.............ok:|"
  $IPTABLES -t mangle -N MARK_NET
  $IPTABLES -t mangle -A MARK_NET -j MARK --set-mark $WAN1_MARK
  $IPTABLES -t mangle -A MARK_NET -j ACCEPT
  # ------------------------------------------------------------
  $IPTABLES -t mangle -N MARK_GVT
  $IPTABLES -t mangle -A MARK_GVT -j MARK --set-mark $WAN2_MARK
  $IPTABLES -t mangle -A MARK_GVT -j ACCEPT
  # ------------------------------------------------------------
  echo "|:Apaga tabelas de roteamento:.......................:|"
  flush_link_rules
  ip route flush table net
  ip route flush table gvt
  echo "|:.............ok:|"
  # ------------------------------------------------------------
  echo "|:Regras para direcionar marcas no roteamento:.......:|"
  ip rule add fwmark $WAN1_MARK table net
  ip rule add fwmark $WAN2_MARK table gvt
  echo "|:.............ok:|"
  # Copy the routes of the main table into the other routing tables
  #ip route show | grep -v ^default | while read rota; do
  #  ip route add table net $rota
  #  ip route add table gvt $rota
  #done
  # ------------------------------------------------------------
  ip rule add from $WAN1_IP table net
  ip rule add from $WAN2_IP table gvt
  # ------------------------------------------------------------
  echo "|:Indica quem é o gateway de cada link:..............:|"
  ip route add default via $WAN1_GW dev $WAN1_IF table net
  ip route add default via $WAN2_GW dev $WAN2_IF table gvt
  echo "|:.............ok:|"
  #echo "|:Tabela default:....................................:|"
  #ip route add default via $WAN1_GW dev $WAN1_IF
  #ip route add default via $WAN2_GW dev $WAN2_IF
  #echo "|:.............ok:|"
  echo "|=====================================================|"
  # Odd marks were set on link 1 -> table net; even marks on link 2 -> table gvt.
  # The source address is the internal host the service was DNATed to.
  ip rule add fwmark 1 from 10.10.1.8 table net prio 19
  echo "|:Efetuado á marcação do smtp com entrada pelo link 1:|"
  ip rule add fwmark 2 from 10.10.1.8 table gvt prio 20
  echo "|:Efetuado á marcação do smtp com entrada pelo link 2:|"
  ip rule add fwmark 3 from 10.10.2.5 table net prio 21
  echo "|:Efetuado á marcação do pop3 com entrada pelo link 1:|"
  ip rule add fwmark 4 from 10.10.2.5 table gvt prio 22
  echo "|:Efetuado á marcação do pop3 com entrada pelo link 2:|"
  ip rule add fwmark 5 from 10.10.1.9 table net prio 23
  echo "|:Efetuado á marcação do http com entrada pelo link 1:|"
  ip rule add fwmark 6 from 10.10.1.9 table gvt prio 24
  echo "|:Efetuado á marcação do http com entrada pelo link 2:|"
  echo "|=====================================================|"
  # Marks 7 and 8 are the ones the mangle rules above set for port 443.
  ip rule add fwmark 7 from 10.10.1.8 table net prio 25
  echo "|:Marcação na porta 3389 com entrada pelo link 1 :|"
  ip rule add fwmark 8 from 10.10.1.8 table gvt prio 26
  echo "|:Marcação na porta 3389 com entrada pelo link 2 :|"
  ip rule add fwmark 9 from 10.10.1.8 table net prio 25
  echo "|:Marcação na porta 8009 com entrada pelo link 1 :|"
  ip rule add fwmark 10 from 10.10.1.8 table gvt prio 26
  echo "|:Marcação na porta 8009 com entrada pelo link 2 :|"
  ip rule add fwmark 11 from 10.10.2.5 table net prio 25
  echo "|:Marcação na porta 8081 com entrada pelo link 1 :|"
  ip rule add fwmark 12 from 10.10.2.5 table gvt prio 26
  echo "|:Marcação na porta 8081 com entrada pelo link 2 :|"
  echo "|:Marcações efetuadas com sucesso :|"
  echo "|=====================================================|"
  ip route flush cache
  echo "|:Atualizado o cache de roteamento com sucesso :|"
  # ------------------------------------------------------------
  echo "|:ATIVA O MASCARAMENTO DE SAÍDA:.....................:|"
  $IPTABLES -t nat -A POSTROUTING -o $WAN1_IF -j MASQUERADE
  $IPTABLES -t nat -A POSTROUTING -o $WAN2_IF -j MASQUERADE
  echo "|:.............ok:|"
  ;;
stop)
  echo "|:Desativar o firewall:..............................:|"
  $IPTABLES -F
  $IPTABLES -Z
  $IPTABLES -X
  $IPTABLES -F -t nat
  $IPTABLES -X -t nat
  $IPTABLES -F -t mangle
  $IPTABLES -X -t mangle
  $IPTABLES -P INPUT ACCEPT
  $IPTABLES -P FORWARD ACCEPT
  flush_link_rules
  echo "|:.............ok:|"
  ;;
stats)
  $IPTABLES -nL
  ;;
restart)
  $0 stop
  $0 start
  ;;
nat)
  $IPTABLES -L -v -t nat -n
  ;;
mangle)
  $IPTABLES -t mangle -L
  ;;
*)
  echo "Usage: $0 [start|stop|stats|restart|nat|mangle]"
  ;;
esac
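The two-link setup only works if every mark the mangle rules set has a matching ip rule pointing at the right table; a mark with no rule silently falls back to the main table and the reply leaves through the wrong link, which shows up as half-working services rather than an error. The check below is an added example, not part of Eduardo Gomes's script: it parses `ip rule show` output and reports marks that route to the wrong table or have no rule at all. The mark-to-table mapping is taken from the script (marks 1 to 12 alternate net/gvt; 201 and 200 are WAN1_MARK and WAN2_MARK). The two rule listings embedded in it are constructed sample data, and the function names expected_table and check_rules are this example's own.

```shell
#!/bin/sh
# Added example, not part of the original firewall script.
# Consistency check for the fwmark -> routing-table mapping the firewall relies on.

# expected_table <mark in decimal>: the table the firewall script assigns to a mark
expected_table() {
    case "$1" in
        1|3|5|7|9|11|201) echo net ;;
        2|4|6|8|10|12|200) echo gvt ;;
        *) echo unknown ;;
    esac
}

# check_rules "<output of ip rule show>": prints one line per problem, nothing when
# the mapping is complete. ip rule prints marks in hex (fwmark 0xc), so they are
# converted to decimal before the lookup.
check_rules() {
    found=""
    while read -r line; do
        case "$line" in
            *fwmark*) ;;
            *) continue ;;      # rules without a mark are not ours to check
        esac
        mark_hex=$(printf '%s\n' "$line" | sed -n 's/.*fwmark \(0x[0-9a-fA-F]*\).*/\1/p')
        table=$(printf '%s\n' "$line" | sed -n 's/.*lookup \([A-Za-z0-9_]*\).*/\1/p')
        mark=$(printf '%d' "$mark_hex")
        want=$(expected_table "$mark")
        if [ "$want" != "$table" ]; then
            echo "mark $mark routes to table '$table', expected '$want'"
        fi
        found="$found $mark"
    done <<EOF
$1
EOF
    # every mark the firewall sets needs a rule, otherwise replies use the main table
    for m in 1 2 3 4 5 6 7 8 9 10 11 12 200 201; do
        case " $found " in
            *" $m "*) ;;
            *) echo "mark $m has no ip rule" ;;
        esac
    done
}

# Constructed sample: what `ip rule show` looks like after a clean start of the script.
GOOD_RULES="0: from all lookup local
19: from 10.10.1.8 fwmark 0x1 lookup net
20: from 10.10.1.8 fwmark 0x2 lookup gvt
21: from 10.10.2.5 fwmark 0x3 lookup net
22: from 10.10.2.5 fwmark 0x4 lookup gvt
23: from 10.10.1.9 fwmark 0x5 lookup net
24: from 10.10.1.9 fwmark 0x6 lookup gvt
25: from 10.10.1.8 fwmark 0x7 lookup net
26: from 10.10.1.8 fwmark 0x8 lookup gvt
25: from 10.10.1.8 fwmark 0x9 lookup net
26: from 10.10.1.8 fwmark 0xa lookup gvt
25: from 10.10.2.5 fwmark 0xb lookup net
26: from 10.10.2.5 fwmark 0xc lookup gvt
32762: from all fwmark 0xc9 lookup net
32763: from all fwmark 0xc8 lookup gvt
32764: from 201.100.9.3 lookup net
32765: from 200.13.6.35 lookup gvt
32766: from all lookup main
32767: from all lookup default"

# Constructed sample with two mistakes: mark 4 points at the wrong table and the
# rule for mark 12 is missing.
BAD_RULES="0: from all lookup local
19: from 10.10.1.8 fwmark 0x1 lookup net
20: from 10.10.1.8 fwmark 0x2 lookup gvt
21: from 10.10.2.5 fwmark 0x3 lookup net
22: from 10.10.2.5 fwmark 0x4 lookup net
23: from 10.10.1.9 fwmark 0x5 lookup net
24: from 10.10.1.9 fwmark 0x6 lookup gvt
25: from 10.10.1.8 fwmark 0x7 lookup net
26: from 10.10.1.8 fwmark 0x8 lookup gvt
25: from 10.10.1.8 fwmark 0x9 lookup net
26: from 10.10.1.8 fwmark 0xa lookup gvt
25: from 10.10.2.5 fwmark 0xb lookup net
32762: from all fwmark 0xc9 lookup net
32763: from all fwmark 0xc8 lookup gvt
32766: from all lookup main
32767: from all lookup default"

echo "good ruleset:"
check_rules "$GOOD_RULES"
echo "bad ruleset:"
check_rules "$BAD_RULES"
```

On the firewall itself, run `check_rules "$(ip rule show)"` after `/etc/init.d/firewall start`; empty output means every mark has its rule. The check covers only the routing half of the setup: whether the mangle rules actually set the marks (and whether CONNMARK restores them on the replies) is seen in `iptables -t mangle -L -v -n` packet counters, not here.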