AJuda LoadBalance Brazilfw e DansGuardian

1. AJuda LoadBalance Brazilfw e DansGuardian

rockshock25
(usa Outra)

Enviado em 20/07/2015 - 10:28h

Bom dia amigos.me chamo alexandre e estou com um pequeno problema aki

Estou usando este codigo no meu script de inicialização porem quando eu coloco ele e as rotas . o meu dans guardian desativa para
estes ips da rotas .e libera os sites bloqueados .
sabem se tem algum erro q estou fazendo e se podem me ajudar ? grato

Script

#!/bin/sh

caminho="/partition/bloquear/"



###############limpa os treco tudo

#rm -f ${caminho}ipsexo

##rm -f ${caminho}limpar_restricao



#vai ficar assim

#dig +short www.f****.com >> ${caminho}ipsexo

#enquanto le o arquivo executa a descoberta de ips

sort ${caminho}sexo | while read p; do



dig +short $p >> ${caminho}ipsexo







done



#remover linha iguais, copiando e colando em cima do mesmo arquivo

sort ${caminho}ipsexo | uniq >> ${caminho}tempipsexo ; rm -f ${caminho}ipsexo ; mv ${caminho}tempipsexo ${caminho}ipsexo

sed '/timed out/d' ${caminho}ipsexo >> ${caminho}tempipsexo ; rm -f ${caminho}ipsexo ; mv ${caminho}tempipsexo ${caminho}ipsexo



#verifica a existencia de regras anteriores e as deleta em FORWARD

iptables -t filter -L >> ${caminho}verifica

if grep -q "RESTRICAO" "${caminho}verifica"

then {

##########Apagar regras de redirecionar para a chain RESTRICAO

sort ${caminho}iplocalantigo | while read IPantigo; do

/usr/sbin/iptables -D FORWARD -p tcp -s $IPantigo --dport 20:79 -j RESTRICAO

/usr/sbin/iptables -D FORWARD -s $IPantigo -p tcp --dport 81:909 -j RESTRICAO

/usr/sbin/iptables -D FORWARD -s $IPantigo -p tcp --dport 914:8179 -j RESTRICAO

/usr/sbin/iptables -D FORWARD -s $IPantigo -p tcp --dport 8182:65535 -j RESTRICAO



done

#apagar cópia iplocalantigo

rm -f ${caminho}iplocalantigo

}

fi

if grep -q "RESTRICAO" "${caminho}verifica"

then {

###########Apagar Chain RESTRICAO

/usr/sbin/iptables -t filter -F RESTRICAO

/usr/sbin/iptables -t filter -X RESTRICAO

}

fi

###########Criar nova chain com nome RESTRICAO

/usr/sbin/iptables -t filter -N RESTRICAO

rm -f ${caminho}verifica

###########Politica padrão da chain RESTRICAO é accept

iptables -t filter -A RESTRICAO -s 0.0.0.0/0 -d 0.0.0.0/0 -j ACCEPT

iptables -t nat -I PREROUTING -s 192.168.0.2 -j ACCEPT

iptables -t nat -I POSTROUTING -s 192.168.0.2 -j MASQUERADE

iptables -I FORWARD -s 192.168.0.2 -j ACCEPT

iptables -t nat -I PREROUTING -s 192.168.0.10 -j ACCEPT

iptables -t nat -I POSTROUTING -s 192.168.0.10 -j MASQUERADE

iptables -I FORWARD -s 192.168.0.10 -j ACCEPT

iptables -t nat -I PREROUTING -s 192.168.0.11 -j ACCEPT

iptables -t nat -I POSTROUTING -s 192.168.0.11 -j MASQUERADE

iptables -I FORWARD -s 192.168.0.11 -j ACCEPT

iptables -t nat -I PREROUTING -s 192.168.0.12 -j ACCEPT

iptables -t nat -I POSTROUTING -s 192.168.0.12 -j MASQUERADE

iptables -I FORWARD -s 192.168.0.12 -j ACCEPT

iptables -t nat -I PREROUTING -s 192.168.0.21 -j ACCEPT

iptables -t nat -I POSTROUTING -s 192.168.0.21 -j MASQUERADE

iptables -I FORWARD -s 192.168.0.21 -j ACCEPT

iptables -t nat -I PREROUTING -s 192.168.0.22 -j ACCEPT

iptables -t nat -I POSTROUTING -s 192.168.0.22 -j MASQUERADE

iptables -I FORWARD -s 192.168.0.22 -j ACCEPT

iptables -A FORWARD -j DROPDNS

iptables -A FORWARD -m state --state INVALID -j DROP

iptables -A FORWARD -m state --state established,related -j ACCEPT

iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu







###########Destinos bloqueados da RESTRICAO

sort ${caminho}ipsexo | while read IP2; do

/usr/sbin/iptables -I RESTRICAO -d $IP2 -j REJECT

done



sort ${caminho}iplocal | while read IP; do

###########Redirecionar para a chain RESTRICAO, os ips locais

/usr/sbin/iptables -I FORWARD -p tcp -s $IP --dport 20:79 -j RESTRICAO >> ${caminho}FORWARD

/usr/sbin/iptables -I FORWARD -s $IP -p tcp --dport 81:909 -j RESTRICAO >> ${caminho}FORWARD

/usr/sbin/iptables -I FORWARD -s $IP -p tcp --dport 914:8179 -j RESTRICAO >> ${caminho}FORWARD

/usr/sbin/iptables -I FORWARD -s $IP -p tcp --dport 8182:65535 -j RESTRICAO >> ${caminho}FORWARD

done



#faz copia de segurança

cp ${caminho}iplocal ${caminho}iplocalantigo

Rotas

yes dynamic network source internet,internet2 192.168.0.2 0.0.0.0 9      #Discard

yes dynamic network source internet,internet2 192.168.0.2.0.0.0 22       #SSH    

yes dynamic network source internet,internet2 192.168.0.2 0.0.0.0 80      #WWW     

yes dynamic network source internet,internet2 192.168.0.2 0.0.0.0 443     #HTTPS



yes dynamic network source internet,internet2 192.168.0.10 0.0.0.0 9      #Discard

yes dynamic network source internet,internet2 192.168.0.10.0.0.0 22       #SSH    

yes dynamic network source internet,internet2 192.168.0.10 0.0.0.0 80      #WWW     

yes dynamic network source internet,internet2 192.168.0.10 0.0.0.0 443     #HTTPS



yes dynamic network source internet,internet2 192.168.0.11 0.0.0.0 9      #Discard

yes dynamic network source internet,internet2 192.168.0.11.0.0.0 22       #SSH    

yes dynamic network source internet,internet2 192.168.0.11 0.0.0.0 80      #WWW     

yes dynamic network source internet,internet2 192.168.0.11 0.0.0.0 443     #HTTPS



yes dynamic network source internet,internet2 192.168.0.12 0.0.0.0 9      #Discard

yes dynamic network source internet,internet2 192.168.0.12.0.0.0 22       #SSH    

yes dynamic network source internet,internet2 192.168.0.12 0.0.0.0 80      #WWW     

yes dynamic network source internet,internet2 192.168.0.12 0.0.0.0 443     #HTTPS



yes dynamic network source internet,internet2 192.168.0.21 0.0.0.0 9      #Discard

yes dynamic network source internet,internet2 192.168.0.21.0.0.0 22       #SSH    

yes dynamic network source internet,internet2 192.168.0.21 0.0.0.0 80      #WWW     

yes dynamic network source internet,internet2 192.168.0.21 0.0.0.0 443     #HTTPS



yes dynamic network source internet,internet2 192.168.0.22 0.0.0.0 9      #Discard

yes dynamic network source internet,internet2 192.168.0.22.0.0.0 22       #SSH    

yes dynamic network source internet,internet2 192.168.0.22 0.0.0.0 80      #WWW     

yes dynamic network source internet,internet2 192.168.0.22 0.0.0.0 443     #HTTPS