Firewall with iproute2 for 2 links with fixed IPs

Published by Eduardo Gomes (last updated 22/10/2009)


Download: 4246.rc.firewall




Here is a working firewall for anyone who wants high availability for their website, e-mail and POP3, and still wants to connect remotely to Terminal Server.

Of course, I owe a great deal of thanks to Tiago, author of the article:

http://www.vivaolinux.com.br/artigo/Roteamento-de-entrada-saida-com-iproute-e-iptables

from which I was able to benefit greatly.


#!/bin/bash
IPTABLES=$(which iptables)
# sysctl binary for the kernel parameters set in start); if it is not found the
# script falls back to writing /proc/sys directly
SYSCTL=$(which sysctl)
# -----------------------
WAN1_NAME="net"
WAN1_IF="eth0"
WAN1_IP="201.100.9.3"
WAN1_GW="201.100.9.1"
WAN1_NET="201.100.9.0/24"
WAN1_MARK=201
WAN1_WEIGHT=8
# -----------------------
WAN2_NAME="gvt"
WAN2_IF="eth1"
WAN2_IP="200.13.6.35"
WAN2_GW="200.13.6.33"
WAN2_NET="200.13.6.0/24"
WAN2_MARK=200
WAN2_WEIGHT=4
# -----------------------
LAN_IF="eth3"
LAN_IP="10.10.2.3"
LAN_NET="10.10.2.0/26"
LAN_BCAST="10.10.2.62"
# -----------------------
LAN2_IF="eth2"
LAN2_IP="10.10.1.5"
LAN2_NET="10.10.1.0/27"
LAN2_BCAST="10.10.1.30"
# -----------------------
LO_IF="lo"
LO_IP="127.0.0.1"
LO_NET="127.0.0.0/8"
# -----------------------
case $1 in 
   start)
      echo "|=====================================================|"
      echo "|:Script de Firewall - IPTABLES             _                                                             |"
      echo "|:Criado por: Eduardo Gomes             °v°                                                            |"
      echo "|:Técnico em Informática                  /(_)\                                                           |"
      echo "|:suportlinux@yahoo.com.br               ^ ^                                                           |"
      echo "|:Uso: /etc/init.d/firewall                                                                                     |"
      echo "|:$HOSTNAME:.............................ok:                                                                 |"
      echo "|=====================================================|"
      $IPTABLES -F
      $IPTABLES -Z
      $IPTABLES -X
      $IPTABLES -F -t nat
      $IPTABLES -X -t nat
      $IPTABLES -F -t mangle
      $IPTABLES -X -t mangle
      $IPTABLES -Z -t mangle
      echo "|:As regras de firewall foram limpas com sucesso     :|"
      $IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
      $IPTABLES -N REJECT-SSH
      $IPTABLES -A REJECT-SSH -j DROP -m recent --rcheck --name SSH --seconds 60 --hitcount 10
      $IPTABLES -A REJECT-SSH -j LOG --log-prefix SSH-Bruteforce:
      $IPTABLES -A REJECT-SSH -j REJECT -p tcp --reject-with tcp-reset
      $IPTABLES -A REJECT-SSH -j REJECT
      echo "|:Regras de reject-and-log-SSH-Bruteforce ativas     :|"
      # The ssh/blacklist chains below are defined but nothing jumps to them;
      # only the REJECT-SSH chain above is wired into INPUT (two rules further down).
      $IPTABLES -N ssh
      $IPTABLES -N blacklist
      $IPTABLES -A blacklist -m recent --name blacklist --set
      $IPTABLES -A blacklist -j LOG --log-prefix 'SSH REJECTED: '
      $IPTABLES -A blacklist -j REJECT
      $IPTABLES -A ssh -m recent --set --name counting1
      $IPTABLES -A ssh -m recent --update --name counting1 --seconds 20 --hitcount 3 -j blacklist
      $IPTABLES -A ssh -j ACCEPT
      echo "|:Regras de blacklist SSH ativadas com sucesso       :|"
      $IPTABLES -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --update --name SSH --seconds 60 --hitcount 4 -j REJECT-SSH
      $IPTABLES -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --set --name SSH
      echo "|:Kill SSH Brute-force attacks ativado com sucesso   :|"
      echo "|=====================================================|"
      echo "|:Regras de input:.................................ok:|"
      $IPTABLES -A INPUT -p tcp --dport 22 -j ACCEPT
      $IPTABLES -A INPUT -p tcp --dport 53 -j ACCEPT
      $IPTABLES -A INPUT -p udp --dport 53 -j ACCEPT
      $IPTABLES -A INPUT -p tcp --dport 1723 -j ACCEPT
      echo "|:.............ok:|"
      echo "|:Libera icmp mais com limite:.....................ok:|"
      $IPTABLES -A INPUT -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT
      $IPTABLES -A INPUT -p icmp --icmp-type echo-reply -m limit --limit 1/s -j ACCEPT
      echo "|:.............ok:|"
      echo "|:Fechando o resto do INPUT:.......................ok:|"
      $IPTABLES -A INPUT -p icmp -j DROP
      $IPTABLES -A INPUT -j LOG --log-prefix "INPUT Barrado: "
      $IPTABLES -A INPUT -j REJECT
      $IPTABLES -P INPUT DROP
      echo "|:.............ok:|"
      # Multi-WAN needs reverse-path filtering off: with rp_filter=1, packets
      # arriving on the link that is not the main table's default route would be
      # dropped as spoofed. Uses sysctl when present, otherwise writes /proc directly.
      if [ "$SYSCTL" = "" ]
      then
      echo "0" > /proc/sys/net/ipv4/conf/all/rp_filter
      else
      $SYSCTL -w net.ipv4.conf.all.rp_filter="0"
      fi
      # accept_source_route=1 makes the kernel honour source-routed packets; the
      # kernel default is 0 and the mark-based routing below does not depend on it.
      if [ "$SYSCTL" = "" ]
      then
      echo "1" > /proc/sys/net/ipv4/conf/all/accept_source_route
      else
      $SYSCTL -w net.ipv4.conf.all.accept_source_route="1"
      fi
      # secure_redirects=0 accepts ICMP redirects from any host, not only from
      # the interface's known gateways.
      if [ "$SYSCTL" = "" ]
      then
      echo "0" > /proc/sys/net/ipv4/conf/all/secure_redirects
      else
      $SYSCTL -w net.ipv4.conf.all.secure_redirects="0"
      fi
      echo "|:Ativar redirecionamento no arquivo ip_forward:.....:|"
      echo "1" > /proc/sys/net/ipv4/ip_forward
      echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
      echo "|:.............ok:|"
      echo "|:Regras de prerouting e redirecionamento:...........:|"
      echo "|:.............ok:|"
      echo "|:Implementando regras de QoS para o VOIP:...........:|"
      $IPTABLES -t mangle -A POSTROUTING -p udp --sport 5060 -j TOS --set-tos 16
      $IPTABLES -t mangle -A POSTROUTING -p udp --sport 5061 -j TOS --set-tos 16
      $IPTABLES -t mangle -A POSTROUTING -p udp --sport 10000:20000 -j TOS --set-tos 16
      $IPTABLES -t mangle -A PREROUTING -p udp --dport 5060 -j TOS --set-tos 16
      $IPTABLES -t mangle -A PREROUTING -p udp --dport 5061 -j TOS --set-tos 16
      $IPTABLES -t mangle -A PREROUTING -p udp --dport 10000:20000 -j TOS --set-tos 16
      echo "|:.............ok:|"
      echo "|:Implementando regras de HTB para o VOIP:...........:|"
      $IPTABLES -t mangle -A POSTROUTING -p udp --sport 10000:20000 -j MARK --set-mark 0x10
      $IPTABLES -t mangle -A POSTROUTING -p udp --sport 5060 -j MARK --set-mark 0x10
      $IPTABLES -t mangle -A PREROUTING -p udp --dport 10000:20000 -j MARK --set-mark 0x10
      $IPTABLES -t mangle -A PREROUTING -p udp --dport 5060 -j MARK --set-mark 0x10
      echo "|:.............ok:|"
      echo "|:Marcar pacotes para usar os Links:.................:|"
      echo "|:Marcar smtp com entrada no Link 1:.................:|"
      $IPTABLES -t mangle -A PREROUTING -i $WAN1_IF -p tcp --dport 25 -d $WAN1_IP -m conntrack --ctorigdst $WAN1_IP -j MARK --set-mark 1 -m mark --mark 0
      echo "|:.............ok:|"
      echo "|:Marcar smtp com entrada no Link 2:.................:|"
      $IPTABLES -t mangle -A PREROUTING -i $WAN2_IF -p tcp --dport 25 -d $WAN2_IP -m conntrack --ctorigdst $WAN2_IP -j MARK --set-mark 2 -m mark --mark 0
      echo "|:.............ok:|"
      echo "|:Marcar pop3 com entrada no Link 1:.................:|"
      $IPTABLES -t mangle -A PREROUTING -i $WAN1_IF -p tcp --dport 110 -d $WAN1_IP -m conntrack --ctorigdst $WAN1_IP -j MARK --set-mark 3 -m mark --mark 0
      echo "|:.............ok:|"
      echo "|:Marcar pop3 com entrada no Link 2:.................:|"
      $IPTABLES -t mangle -A PREROUTING -i $WAN2_IF -p tcp --dport 110 -d $WAN2_IP -m conntrack --ctorigdst $WAN2_IP -j MARK --set-mark 4 -m mark --mark 0
      echo "|:.............ok:|"
      echo "|:Marcar http com entrada no Link 1:.................:|"
      $IPTABLES -t mangle -A PREROUTING -i $WAN1_IF -p tcp --sport 80 -d $WAN1_IP -m conntrack --ctorigdst $WAN1_IP -j MARK --set-mark 5 -m mark --mark 0
      $IPTABLES -t mangle -A PREROUTING -i $WAN1_IF -p tcp --dport 80 -d $WAN1_IP -m conntrack --ctorigdst $WAN1_IP -j MARK --set-mark 5 -m mark --mark 0
      $IPTABLES -t mangle -A INPUT -i $WAN1_IF -p tcp --dport 80 -d $WAN1_IP -m conntrack --ctorigdst $WAN1_IP -j MARK --set-mark 5 -m mark --mark 0
      $IPTABLES -t mangle -A FORWARD -i $WAN1_IF -p tcp --sport 80 -d $WAN1_IP -m conntrack --ctorigdst $WAN1_IP -j MARK --set-mark 5 -m mark --mark 0
      $IPTABLES -t mangle -A FORWARD -i $WAN1_IF -p tcp --dport 80 -d $WAN1_IP -m conntrack --ctorigdst $WAN1_IP -j MARK --set-mark 5 -m mark --mark 0
      echo "|:.............ok:|"
      echo "|:Marcar http com entrada no Link 2:.................:|"
      $IPTABLES -t mangle -A PREROUTING -i $WAN2_IF -p tcp --sport 80 -d $WAN2_IP -m conntrack --ctorigdst $WAN2_IP -j MARK --set-mark 6 -m mark --mark 0
      $IPTABLES -t mangle -A PREROUTING -i $WAN2_IF -p tcp --dport 80 -d $WAN2_IP -m conntrack --ctorigdst $WAN2_IP -j MARK --set-mark 6 -m mark --mark 0
      $IPTABLES -t mangle -A INPUT -i $WAN2_IF -p tcp --dport 80 -d $WAN2_IP -m conntrack --ctorigdst $WAN2_IP -j MARK --set-mark 6 -m mark --mark 0
      $IPTABLES -t mangle -A FORWARD -i $WAN2_IF -p tcp --sport 80 -d $WAN2_IP -m conntrack --ctorigdst $WAN2_IP -j MARK --set-mark 6 -m mark --mark 0
      $IPTABLES -t mangle -A FORWARD -i $WAN2_IF -p tcp --dport 80 -d $WAN2_IP -m conntrack --ctorigdst $WAN2_IP -j MARK --set-mark 6 -m mark --mark 0
      echo "|:.............ok:|"
      echo "|:Marcar 443 com entrada no Link 1:..................:|"
      $IPTABLES -t mangle -A PREROUTING -i $WAN1_IF -p tcp --sport 443 -d $WAN1_IP -m conntrack --ctorigdst $WAN1_IP -j MARK --set-mark 7 -m mark --mark 0
      $IPTABLES -t mangle -A PREROUTING -i $WAN1_IF -p tcp --dport 443 -d $WAN1_IP -m conntrack --ctorigdst $WAN1_IP -j MARK --set-mark 7 -m mark --mark 0
      $IPTABLES -t mangle -A INPUT -i $WAN1_IF -p tcp --dport 443 -d $WAN1_IP -m conntrack --ctorigdst $WAN1_IP -j MARK --set-mark 7 -m mark --mark 0
      $IPTABLES -t mangle -A FORWARD -i $WAN1_IF -p tcp --sport 443 -d $WAN1_IP -m conntrack --ctorigdst $WAN1_IP -j MARK --set-mark 7 -m mark --mark 0
      $IPTABLES -t mangle -A FORWARD -i $WAN1_IF -p tcp --dport 443 -d $WAN1_IP -m conntrack --ctorigdst $WAN1_IP -j MARK --set-mark 7 -m mark --mark 0
      echo "|:.............ok:|"
      echo "|:Marcar 443 com entrada no Link 2:..................:|"
      $IPTABLES -t mangle -A PREROUTING -i $WAN2_IF -p tcp --sport 443 -d $WAN2_IP -m conntrack --ctorigdst $WAN2_IP -j MARK --set-mark 8 -m mark --mark 0
      $IPTABLES -t mangle -A PREROUTING -i $WAN2_IF -p tcp --dport 443 -d $WAN2_IP -m conntrack --ctorigdst $WAN2_IP -j MARK --set-mark 8 -m mark --mark 0
      $IPTABLES -t mangle -A INPUT -i $WAN2_IF -p tcp --dport 443 -d $WAN2_IP -m conntrack --ctorigdst $WAN2_IP -j MARK --set-mark 8 -m mark --mark 0
      $IPTABLES -t mangle -A FORWARD -i $WAN2_IF -p tcp --sport 443 -d $WAN2_IP -m conntrack --ctorigdst $WAN2_IP -j MARK --set-mark 8 -m mark --mark 0
      $IPTABLES -t mangle -A FORWARD -i $WAN2_IF -p tcp --dport 443 -d $WAN2_IP -m conntrack --ctorigdst $WAN2_IP -j MARK --set-mark 8 -m mark --mark 0
      echo "|:.............ok:|"
      echo "|:Marcar 8009 com entrada no Link 1:.................:|"
      $IPTABLES -t mangle -A PREROUTING -i $WAN1_IF -p tcp --sport 8009 -d $WAN1_IP -m conntrack --ctorigdst $WAN1_IP -j MARK --set-mark 9 -m mark --mark 0
      $IPTABLES -t mangle -A PREROUTING -i $WAN1_IF -p tcp --dport 8009 -d $WAN1_IP -m conntrack --ctorigdst $WAN1_IP -j MARK --set-mark 9 -m mark --mark 0
      $IPTABLES -t mangle -A INPUT -i $WAN1_IF -p tcp --dport 8009 -d $WAN1_IP -m conntrack --ctorigdst $WAN1_IP -j MARK --set-mark 9 -m mark --mark 0
      $IPTABLES -t mangle -A FORWARD -i $WAN1_IF -p tcp --sport 8009 -d $WAN1_IP -m conntrack --ctorigdst $WAN1_IP -j MARK --set-mark 9 -m mark --mark 0
      $IPTABLES -t mangle -A FORWARD -i $WAN1_IF -p tcp --dport 8009 -d $WAN1_IP -m conntrack --ctorigdst $WAN1_IP -j MARK --set-mark 9 -m mark --mark 0
      echo "|:.............ok:|"
      echo "|:Marcar 8009 com entrada no Link 2:.................:|"
      $IPTABLES -t mangle -A PREROUTING -i $WAN2_IF -p tcp --sport 8009 -d $WAN2_IP -m conntrack --ctorigdst $WAN2_IP -j MARK --set-mark 10 -m mark --mark 0
      $IPTABLES -t mangle -A PREROUTING -i $WAN2_IF -p tcp --dport 8009 -d $WAN2_IP -m conntrack --ctorigdst $WAN2_IP -j MARK --set-mark 10 -m mark --mark 0
      $IPTABLES -t mangle -A INPUT -i $WAN2_IF -p tcp --dport 8009 -d $WAN2_IP -m conntrack --ctorigdst $WAN2_IP -j MARK --set-mark 10 -m mark --mark 0
      $IPTABLES -t mangle -A FORWARD -i $WAN2_IF -p tcp --sport 8009 -d $WAN2_IP -m conntrack --ctorigdst $WAN2_IP -j MARK --set-mark 10 -m mark --mark 0
      $IPTABLES -t mangle -A FORWARD -i $WAN2_IF -p tcp --dport 8009 -d $WAN2_IP -m conntrack --ctorigdst $WAN2_IP -j MARK --set-mark 10 -m mark --mark 0
      echo "|:.............ok:|"
      echo "|:Marcar 8081 com entrada no Link 1:.................:|"
      $IPTABLES -t mangle -A PREROUTING -i $WAN1_IF -p tcp --sport 8081 -d $WAN1_IP -m conntrack --ctorigdst $WAN1_IP -j MARK --set-mark 11 -m mark --mark 0
      $IPTABLES -t mangle -A PREROUTING -i $WAN1_IF -p tcp --dport 8081 -d $WAN1_IP -m conntrack --ctorigdst $WAN1_IP -j MARK --set-mark 11 -m mark --mark 0
      $IPTABLES -t mangle -A INPUT -i $WAN1_IF -p tcp --dport 8081 -d $WAN1_IP -m conntrack --ctorigdst $WAN1_IP -j MARK --set-mark 11 -m mark --mark 0
      $IPTABLES -t mangle -A FORWARD -i $WAN1_IF -p tcp --sport 8081 -d $WAN1_IP -m conntrack --ctorigdst $WAN1_IP -j MARK --set-mark 11 -m mark --mark 0
      $IPTABLES -t mangle -A FORWARD -i $WAN1_IF -p tcp --dport 8081 -d $WAN1_IP -m conntrack --ctorigdst $WAN1_IP -j MARK --set-mark 11 -m mark --mark 0
      echo "|:.............ok:|"
      echo "|:Marcar 8081 com entrada no Link 2:.................:|"
      $IPTABLES -t mangle -A PREROUTING -i $WAN2_IF -p tcp --sport 8081 -d $WAN2_IP -m conntrack --ctorigdst $WAN2_IP -j MARK --set-mark 12 -m mark --mark 0
      $IPTABLES -t mangle -A PREROUTING -i $WAN2_IF -p tcp --dport 8081 -d $WAN2_IP -m conntrack --ctorigdst $WAN2_IP -j MARK --set-mark 12 -m mark --mark 0
      $IPTABLES -t mangle -A INPUT -i $WAN2_IF -p tcp --dport 8081 -d $WAN2_IP -m conntrack --ctorigdst $WAN2_IP -j MARK --set-mark 12 -m mark --mark 0
      $IPTABLES -t mangle -A FORWARD -i $WAN2_IF -p tcp --sport 8081 -d $WAN2_IP -m conntrack --ctorigdst $WAN2_IP -j MARK --set-mark 12 -m mark --mark 0
      $IPTABLES -t mangle -A FORWARD -i $WAN2_IF -p tcp --dport 8081 -d $WAN2_IP -m conntrack --ctorigdst $WAN2_IP -j MARK --set-mark 12 -m mark --mark 0
      echo "|:.............ok:|"
      echo "|:Tabela nat de entrada na porta 25 dos links:.......:|"
      # DNAT of the published services; the interfaces come from the variables at
      # the top so that the script has a single place to change them
      $IPTABLES -t nat -A PREROUTING -i $WAN1_IF -p tcp --dport 25 -j DNAT --to-dest 10.10.1.8
      $IPTABLES -t nat -A PREROUTING -i $WAN2_IF -p tcp --dport 25 -j DNAT --to-dest 10.10.1.8
      echo "|:.............ok:|"
      echo "|:Tabela nat de entrada na porta 80 dos links:.......:|"
      $IPTABLES -t nat -A PREROUTING -i $WAN1_IF -p tcp --dport 80 -j DNAT --to-dest 10.10.1.9
      $IPTABLES -t nat -A PREROUTING -i $WAN2_IF -p tcp --dport 80 -j DNAT --to-dest 10.10.1.9
      echo "|:.............ok:|"
      echo "|:Tabela nat de entrada na porta 443 dos links:......:|"
      $IPTABLES -t nat -A PREROUTING -i $WAN1_IF -p tcp --dport 443 -j DNAT --to-dest 10.10.1.8
      $IPTABLES -t nat -A PREROUTING -i $WAN2_IF -p tcp --dport 443 -j DNAT --to-dest 10.10.1.8
      echo "|:.............ok:|"
      echo "|:Tabela nat de entrada na porta 8009 dos links:.....:|"
      $IPTABLES -t nat -A PREROUTING -i $WAN1_IF -p tcp --dport 8009 -j DNAT --to-dest 10.10.1.8
      $IPTABLES -t nat -A PREROUTING -i $WAN2_IF -p tcp --dport 8009 -j DNAT --to-dest 10.10.1.8
      echo "|:.............ok:|"
      echo "|:Tabela nat de entrada na porta 8081 dos links:.....:|"
      $IPTABLES -t nat -A PREROUTING -i $WAN1_IF -p tcp --dport 8081 -j DNAT --to-dest 10.10.2.5
      $IPTABLES -t nat -A PREROUTING -i $WAN2_IF -p tcp --dport 8081 -j DNAT --to-dest 10.10.2.5
      echo "|:.............ok:|"
      echo "|:Regras de forward:...............................ok:|"
      $IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
      $IPTABLES -A FORWARD -p tcp ! --syn -m state --state NEW -j DROP
      $IPTABLES -A FORWARD -m state --state INVALID -j DROP
      echo "|:.............ok:|"
      echo "|:IPs com previlegios especiais:...................ok:|"
      $IPTABLES -A FORWARD -s 10.10.2.4/32 -j ACCEPT
      $IPTABLES -A FORWARD -s 10.10.2.5/32 -j ACCEPT
      echo "|:.............ok:|"
      echo "|:Liberar portas de saída:.........................ok:|"
      $IPTABLES -A FORWARD -p tcp --dport 22 -j ACCEPT
      $IPTABLES -A FORWARD -p tcp --dport 22 --sport 1024:65535 -j ACCEPT
      $IPTABLES -A FORWARD -p tcp --dport 25 -j ACCEPT
      $IPTABLES -A FORWARD -p tcp --dport 25 --sport 1024:65535 -j ACCEPT
      $IPTABLES -A FORWARD -p udp --dport 53 -j ACCEPT
      $IPTABLES -A FORWARD -p udp --dport 53 --sport 1024:65535 -j ACCEPT
      $IPTABLES -A FORWARD -p tcp --dport 80 -j ACCEPT
      $IPTABLES -A FORWARD -p tcp --dport 80 --sport 1024:65535 -j ACCEPT
      $IPTABLES -A FORWARD -p tcp --dport 81 -j ACCEPT
      $IPTABLES -A FORWARD -p tcp --dport 81 --sport 1024:65535 -j ACCEPT
      $IPTABLES -A FORWARD -p tcp --dport 82 -j ACCEPT
      $IPTABLES -A FORWARD -p tcp --dport 82 --sport 1024:65535 -j ACCEPT
      $IPTABLES -A FORWARD -p tcp --dport 443 -j ACCEPT
      $IPTABLES -A FORWARD -p tcp --dport 443 --sport 1024:65535 -j ACCEPT
      $IPTABLES -A FORWARD -p udp --dport 5060 -j ACCEPT
      $IPTABLES -A FORWARD -p udp --dport 5060 --sport 1024:65535 -j ACCEPT
      $IPTABLES -A FORWARD -p tcp --dport 8009 -j ACCEPT
      $IPTABLES -A FORWARD -p tcp --dport 8009 --sport 1024:65535 -j ACCEPT
      $IPTABLES -A FORWARD -p tcp --dport 8080 -j ACCEPT
      $IPTABLES -A FORWARD -p tcp --dport 8080 --sport 1024:65535 -j ACCEPT
      $IPTABLES -A FORWARD -p tcp --dport 8081 -j ACCEPT
      $IPTABLES -A FORWARD -p tcp --dport 8081 --sport 1024:65535 -j ACCEPT
      $IPTABLES -A FORWARD -j LOG --log-prefix "FORWARD Barrado: "
      # With the two lines below commented out the FORWARD policy stays ACCEPT,
      # so traffic reaching this LOG rule is logged as blocked but still forwarded.
      #$IPTABLES -A FORWARD -j REJECT
      #$IPTABLES -P FORWARD DROP
      echo "|:Regras de output:................................ok:|"
      $IPTABLES -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
      echo "|:.............ok:|"
      echo "|:Implementando regras de QoS para o VOIP:...........:|"
      $IPTABLES -t mangle -A OUTPUT -p udp --dport 5060 -j TOS --set-tos 16
      $IPTABLES -t mangle -A OUTPUT -p udp --dport 5061 -j TOS --set-tos 16
      $IPTABLES -t mangle -A OUTPUT -p udp --dport 10000:20000 -j TOS --set-tos 16
      $IPTABLES -P OUTPUT ACCEPT
      echo "|:Salvar rotas de entrada dos links:.................:|"
      $IPTABLES -t mangle -A PREROUTING -i $WAN1_IF -j CONNMARK --save-mark
      $IPTABLES -t mangle -A PREROUTING -i $WAN2_IF -j CONNMARK --save-mark
      echo "|:.............ok:|"
      echo "|:Lembrando marca de entrada anterios dos links:.....:|"
      $IPTABLES -t mangle -A PREROUTING -i $LAN_IF -p tcp -m state --state ESTABLISHED,RELATED -j CONNMARK --restore-mark
      $IPTABLES -t mangle -A PREROUTING -i $LAN2_IF -p tcp -m state --state ESTABLISHED,RELATED -j CONNMARK --restore-mark
      echo "|:.............ok:|"
      $IPTABLES -t mangle -N MARK_NET
      $IPTABLES -t mangle -A MARK_NET -j MARK --set-mark $WAN1_MARK
      $IPTABLES -t mangle -A MARK_NET -j ACCEPT
      # ------------------------------------------------------------
      $IPTABLES -t mangle -N MARK_GVT
      $IPTABLES -t mangle -A MARK_GVT -j MARK --set-mark $WAN2_MARK
      $IPTABLES -t mangle -A MARK_GVT -j ACCEPT
      # ------------------------------------------------------------
      echo "|:Apaga tabelas de roteamento:.......................:|"
      # The tables "net" and "gvt" must be declared by name in
      # /etc/iproute2/rt_tables (for example "201 net" and "200 gvt"),
      # otherwise every "table net"/"table gvt" command below fails.
      ip route flush table net
      ip route flush table gvt
      echo "|:.............ok:|"
      # ------------------------------------------------------------
      echo "|:Regras para direcionar marcas no roteamento:.......:|"
      ip rule add fwmark $WAN1_MARK table net
      ip rule add fwmark $WAN2_MARK table gvt
      echo "|:.............ok:|"

      # Copy the routes of the main table into the other routing tables
      #ip route show | grep -v ^default | while read rota; do
      #ip route add table net $rota
      #ip route add table gvt $rota
      #done

      # ------------------------------------------------------------
      ip rule add from $WAN1_IP table net
      ip rule add from $WAN2_IP table gvt
      # ------------------------------------------------------------
      echo "|:Indica quem é o gateway de cada link:..............:|"
      ip route add default via $WAN1_GW dev $WAN1_IF table net
      ip route add default via $WAN2_GW dev $WAN2_IF table gvt
      echo "|:.............ok:|"

      #echo "|:Tabela default:....................................:|"
      #ip route add default via $WAN1_GW dev $WAN1_IF
      #ip route add default via $WAN2_GW dev $WAN2_IF
      #echo "|:.............ok:|"

      echo "|=====================================================|"
      ip rule add fwmark 1 from 10.10.1.8 table net prio 19
      echo "|:Efetuado á marcação do smtp com entrada pelo link 1:|"
      ip rule add fwmark 2 from 10.10.1.8 table gvt prio 20
      echo "|:Efetuado á marcação do smtp com entrada pelo link 2:|"
      ip rule add fwmark 3 from 10.10.2.5 table net prio 21
      echo "|:Efetuado á marcação do pop3 com entrada pelo link 1:|"
      ip rule add fwmark 4 from 10.10.2.5 table gvt prio 22
      echo "|:Efetuado á marcação do pop3 com entrada pelo link 2:|"
      ip rule add fwmark 5 from 10.10.1.9 table net prio 23
      echo "|:Efetuado á marcação do http com entrada pelo link 1:|"
      ip rule add fwmark 6 from 10.10.1.9 table gvt prio 24
      echo "|:Efetuado á marcação do http com entrada pelo link 2:|"
      echo "|=====================================================|"
      ip rule add fwmark 7 from 10.10.1.8 table net prio 25
      echo "|:Marcação na porta 443 com entrada pelo link 1      :|"
      ip rule add fwmark 8 from 10.10.1.8 table gvt prio 26
      echo "|:Marcação na porta 443 com entrada pelo link 2      :|"
      ip rule add fwmark 9 from 10.10.1.8 table net prio 25
      echo "|:Marcação na porta 8009 com entrada pelo link 1     :|"
      ip rule add fwmark 10 from 10.10.1.8 table gvt prio 26
      echo "|:Marcação na porta 8009 com entrada pelo link 2     :|"
      ip rule add fwmark 11 from 10.10.2.5 table net prio 25
      echo "|:Marcação na porta 8081 com entrada pelo link 1     :|"
      ip rule add fwmark 12 from 10.10.2.5 table gvt prio 26
      echo "|:Marcação na porta 8081 com entrada pelo link 2     :|"
      echo "|:Marcações efetuadas com sucesso                    :|"
      echo "|=====================================================|"
      ip route flush cache
      echo "|:Atualizado o cache de roteamento com sucesso       :|"
      # ------------------------------------------------------------
      echo "|:ATIVA O MASCARAMENTO DE SAÍDA:.....................:|"
      $IPTABLES -t nat -A POSTROUTING -o $WAN1_IF -j MASQUERADE
      $IPTABLES -t nat -A POSTROUTING -o $WAN2_IF -j MASQUERADE
      echo "|:.............ok:|"
   ;;
   stop)
      echo "|:Desativar o firewall:..............................:|"
      $IPTABLES -F
      $IPTABLES -Z
      $IPTABLES -X
      $IPTABLES -F -t nat
      $IPTABLES -X -t nat
      $IPTABLES -F -t mangle
      $IPTABLES -X -t mangle
      $IPTABLES -P INPUT ACCEPT
      $IPTABLES -P FORWARD ACCEPT
      # Also remove the policy-routing rules added by start; without this every
      # restart stacks another copy of each "ip rule" on top of the previous ones
      while ip rule del table net 2>/dev/null; do :; done
      while ip rule del table gvt 2>/dev/null; do :; done
      ip route flush cache
      echo "|:.............ok:|"
   ;;
   stats)
      $IPTABLES -nL
   ;;
   restart)
      $0 stop
      $0 start
   ;;
   nat)
      $IPTABLES -L -v -t nat -n
   ;;
   mangle)
      $IPTABLES -t mangle -L
   ;;
   *)
      echo "Usage: $0 [start|stop|stats|restart|nat|mangle]"
   ;;
esac
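As an added check that is not part of 4246.rc.firewall: a POSIX shell function that compares the output of `ip rule show` with the fwmark-to-table mapping the script installs (marks 1..12 plus the link marks 201 and 200) and reports rules that are missing, duplicated (as happens after a restart that does not clean up) or pointing at the wrong table. The two `ip rule show` samples are constructed, and the function assumes each rule line ends with `lookup <table>` as iproute2 prints it.

```shell
# Added check, not part of the original script: compare `ip rule show` with the
# fwmark -> table mapping 4246.rc.firewall installs (odd marks 1..11 -> net,
# even marks 2..12 -> gvt, link marks 201 -> net and 200 -> gvt).
EXPECTED="1 net
2 gvt
3 net
4 gvt
5 net
6 gvt
7 net
8 gvt
9 net
10 gvt
11 net
12 gvt
201 net
200 gvt"

# check_rules "<text of ip rule show>": prints one line per problem and returns
# the number of problems (0 = ok). iproute2 prints marks in hex ("fwmark 0xc9"),
# so the decimal mark is converted first; "( |/)" keeps 0x1 from matching 0x10.
check_rules() {
    rules=$1
    problems=0
    while read -r mark table; do
        hex=$(printf '0x%x' "$mark")
        # rules carrying this mark that reach the intended table ...
        good=$(printf '%s\n' "$rules" | grep -E "fwmark ${hex}( |/)" | grep -cE "lookup ${table}\$") || true
        # ... and rules carrying it that are sent to some other table
        bad=$(printf '%s\n' "$rules" | grep -E "fwmark ${hex}( |/)" | grep -vcE "lookup ${table}\$") || true
        if [ "$good" -eq 0 ]; then
            echo "missing: fwmark $mark -> table $table"
            problems=$((problems + 1))
        elif [ "$good" -gt 1 ]; then
            echo "duplicated x$good (stale rules from a restart?): fwmark $mark -> table $table"
            problems=$((problems + 1))
        fi
        if [ "$bad" -gt 0 ]; then
            echo "wrong table: $bad rule(s) with fwmark $mark do not use table $table"
            problems=$((problems + 1))
        fi
    done <<EOF
$EXPECTED
EOF
    [ "$problems" -eq 0 ] && echo ok
    return "$problems"
}

# Constructed sample of `ip rule show` right after one "start" run.
SAMPLE_OK="0: from all lookup local
19: from 10.10.1.8 fwmark 0x1 lookup net
20: from 10.10.1.8 fwmark 0x2 lookup gvt
21: from 10.10.2.5 fwmark 0x3 lookup net
22: from 10.10.2.5 fwmark 0x4 lookup gvt
23: from 10.10.1.9 fwmark 0x5 lookup net
24: from 10.10.1.9 fwmark 0x6 lookup gvt
25: from 10.10.1.8 fwmark 0x7 lookup net
26: from 10.10.1.8 fwmark 0x8 lookup gvt
25: from 10.10.1.8 fwmark 0x9 lookup net
26: from 10.10.1.8 fwmark 0xa lookup gvt
25: from 10.10.2.5 fwmark 0xb lookup net
26: from 10.10.2.5 fwmark 0xc lookup gvt
32762: from 200.13.6.35 lookup gvt
32763: from 201.100.9.3 lookup net
32764: from all fwmark 0xc8 lookup gvt
32765: from all fwmark 0xc9 lookup net
32766: from all lookup main"

# Constructed failure: a second "start" without cleanup stacked a second
# fwmark 1 rule, and the fwmark 4 rule was deleted by hand (2 problems).
SAMPLE_BAD=$(printf '%s\n' "$SAMPLE_OK" | sed -e '/fwmark 0x4 /d' -e '/fwmark 0x1 /p')
# On a live host:  check_rules "$(ip rule show)"
check_rules "$SAMPLE_OK"
check_rules "$SAMPLE_BAD" || echo "problems found: $?"
```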
