Configurando squid-iptables-iproute [RESOLVIDO]
1. Configurando squid-iptables-iproute [RESOLVIDO]
sergio_sousa
(usa Ubuntu)
Enviado em 31/01/2014 - 14:46h
Bom pessoal do VOL, estou com um probleminha aqui no meu servidor proxy com squid, iptable e iproute, tenho um servidor com 3 placas de rede, onde em duas entra dois links, um adsl e outro um link dedicado, preciso que meu servidor receba esses 2 links e saia pela terceira placa, que é minha rede local. Sou iniciante no assunto, mais já consegui fazer um funcionar, está navegando certinho mais o outro que é o link dedicado, que vai servir só para acessar o sistema esse falta acessar e ai alguém pode mim ajudar?Segue abaixo meu script de firewall.
Lembrando que esses IPS são fictícios.
# squid server IP
SQUID_SERVER="192.168.0.254"
# Acrescentou
GW_SERVER1="10.10.10.254"
GW_SERVER2="100.126.34.114"
# Interface connected to Internet LINK1
LINK1="eth0"
## Interface connected to Internet LINK2
# Acrescentou
LINK2="eth1"
# Interface connected to LAN
LAN_IN="eth2"
# Squid port
SQUID_PORT="3128"
flush_rules()
{
iptables -F
iptables -t nat -F
iptables -t mangle -F
iptables -X
iptables -Z
}
add_rules()
{
# Load IPTABLES modules for NAT and IP conntrack support
modprobe ip_conntrack
modprobe ip_conntrack_ftp
#For win xp ftp client
modprobe ip_nat_ftp
echo 1 > /proc/sys/net/ipv4/ip_forward
# Setting default filter policy
iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT
# Unlimited access to loop back
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -p udp --dport 137 -j ACCEPT
iptables -A INPUT -p udp --dport 138 -j ACCEPT
iptables -A INPUT -p tcp --dport 139 -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
# Allow UDP, DNS and Passive FTP
iptables -A INPUT -i $LINK1 -m state --state ESTABLISHED,RELATED -j ACCEPT
# set this system as a router for Rest of LAN
iptables --table nat --append POSTROUTING --out-interface $LINK1 -j MASQUERADE
iptables --append FORWARD --in-interface $LAN_IN -j ACCEPT
# unlimited access to LAN
iptables -A INPUT -i $LAN_IN -j ACCEPT
iptables -A OUTPUT -o $LAN_IN -j ACCEPT
# Acrescentou
iptables -t nat -A POSTROUTING -o $LINK1 -j MASQUERADE
iptables -t nat -A POSTROUTING -o $LINK2 -j MASQUERADE
iptables -t mangle -A PREROUTING -i $LAN_IN -p tcp --dport 80 -j MARK --set-mark 2
iptables -t mangle -A PREROUTING -i $LAN_IN -p tcp --dport 443 -j MARK --set-mark 2
iptables -t mangle -A PREROUTING -i $LAN_IN -p tcp --dport 25 -j MARK --set-mark 3
iptables -t mangle -A PREROUTING -i $LAN_IN -p tcp --dport 110 -j MARK --set-mark 3
# DNAT port 80 request comming from LAN systems to squid 3128 ($SQUID_PORT) aka transparent proxy
iptables -t nat -A PREROUTING -i $LAN_IN -p tcp --dport 80 -j DNAT --to $SQUID_SERVER:$SQUID_PORT
# if it is same system
iptables -t nat -A PREROUTING -i $LINK1 -p tcp --dport 80 -j REDIRECT --to-port $SQUID_PORT
# Acrescentou
iptables -t mangle -A OUTPUT -p tcp --dport 80 -j MARK --set-mark 2
iptables -t mangle -A OUTPUT -p tcp --dport 443 -j MARK --set-mark 2
iptables -t mangle -A OUTPUT -p tcp --dport 25 -j MARK --set-mark 3
iptables -t mangle -A OUTPUT -p tcp --dport 110 -j MARK --set-mark 3
ip rule add fwmark 2 table 20 prio 20
ip rule add fwmark 3 table 21 prio 20
ip route add default via $GW_SERVER1 dev $LINK1 table 20
ip route add default via $GW_SERVER2 dev $LINK2 table 21
ip route flush cache
# DROP everything and Log it
iptables -A INPUT -j LOG
iptables -A INPUT -j DROP
}
case $1 in
start)
echo -n Starting Firewall...
add_rules
echo "Done"
;;
stop)
echo -n Stoping Firewall...
flush_rules
echo "Done"
;;
restart)
echo -n Restarting Firewall...
flush_rules
add_rules
echo "Done"
;;
status)
echo "============================ Firewall rules:"
iptables -L -n
echo "============================ Masquerade tables:"
iptables -t nat -L -n
echo "============================ Mangle table:"
iptables -t mangle -L -n
;;
*)
echo Usar: "$0 { status | start | stop | restart }"
;;
esac