irton.morenz
(usa Debian)
Enviado em 03/07/2008 - 14:45h
Ola. Sou novato em Linux e estou tentando configurar um servidor linux na empresa onde trabalho, até agora algumas configurações basicas foram feitas e no momento estou precisando de ajuda.
A Distribuição linux é o Debian.
As placas de redes estão configuradas da seguinte forma:
eth0=velox empresarial
eth1=minha rede
eth2=intranet
Aqui vão algumas configurações:
arquivo /etc/network/interfaces:
# This file describes the network interfaces available on your system
# and how to activate them. For more information, see interfaces(5).
# The loopback network interface
auto lo
iface lo inet loopback
# The primary network interface
#allow-hotplug eth0
iface eth0 inet dhcp
auto eth1
iface eth1 inet static
address 192.168.100.2
netmask 255.255.255.0
network 192.168.100.0
broadcast 192.168.100.255
iface eth2 inet static
address 10.2.28.1
netmask 255.255.252.0
gateway 10.2.31.254
Arquivo /etc/hosts
127.0.0.1 localhost servidor
192.168.100.2 servidor.caadex servidor
# The following lines are desirable for IPv6 capable hosts
::1 ip6-localhost ip6-loopback
fe00::0 ip6-localnet
ff00::0 ip6-mcastprefix
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
ff02::3 ip6-allhosts
Arquivo /etc/resolv.conf
# generated by NetworkManager, do not edit!
search velox.com.br
# DNS intranet
nameserver 10.1.24.101
# DNS Velox
nameserver 192.168.254.254
Arquivo /etc/bind/named.conf.options
options {
directory "/var/cache/bind";
//fetch-glue no;
// If there is a firewall between you and nameservers you want
// to talk to, you might need to uncomment the query-source
// directive below. Previous versions of BIND always asked
// questions using port 53, but BIND 8.1 and later use an unprivileged
// port by default.
// query-source address * port 53;
// If your ISP provided one or more IP addresses for stable
// nameservers, you probably want to use them as forwarders.
// Uncomment the following block, and insert the addresses replacing
// the all-0's placeholder.
// forwarders {
// 0.0.0.0;
// };
// listen-on {any;};
auth-nxdomain no; # conform to RFC1035
listen-on-v6 { any; };
};
Arquivo /etc/bind/named.conf
// This is the primary configuration file for the BIND DNS server named.
//
// Please read /usr/share/doc/bind9/README.Debian.gz for information on the
// structure of BIND configuration files in Debian, *BEFORE* you customize
// this configuration file.
//
// If you are just adding zones, please do that in /etc/bind/named.conf.local
include "/etc/bind/named.conf.options";
key "server" {
algorithm HMAC-MD5.SIG-ALG.REG.INT;
secret "Pqj4pUe34RFzM0I08JUVkqMmu8pkyok3xC/xfaKKfs1Q9WIsa/gLQzVM 7sbH+gQZqFnQHWfnTSAB899meJdvOg==";
};
// prime the server with knowledge of the root servers
zone "." {
type hint;
file "/etc/bind/db.root";
};
// be authoritative for the localhost forward and reverse zones, and for
// broadcast zones as per RFC 1912
zone "localhost" {
type master;
file "/etc/bind/db.local";
};
zone "127.in-addr.arpa" {
type master;
file "/etc/bind/db.127";
};
zone "0.in-addr.arpa" {
type master;
file "/etc/bind/db.0";
};
zone "255.in-addr.arpa" {
type master;
file "/etc/bind/db.255";
};
// zone "com" { type delegation-only; };
// zone "net" { type delegation-only; };
// From the release notes:
// Because many of our users are uncomfortable receiving undelegated answers
// from root or top level domains, other than a few for whom that behaviour
// has been trusted and expected for quite some length of time, we have now
// introduced the "root-delegations-only" feature which applies delegation-only
// logic to all top level domains, and to the root domain. An exception list
// should be specified, including "MUSEUM" and "DE", and any other top level
// domains from whom undelegated responses are expected and trusted.
// root-delegation-only exclude { "DE"; "MUSEUM"; };
include "/etc/bind/named.conf.local";
Arquivo /etc/bind/named.conf.local
//
// Do any local configuration here
//
// Consider adding the 1918 zones here, if they are not used in your
// organization
//include "/etc/bind/zones.rfc1918";
//ZONA PARA O DOMINIO CAADEX
zone"caadex"{
type master;
file "/etc/bind/caadex.db";
allow-update { key server;};
};
zone"100.168.192.in-addr.arpa"{
type master;
file "/etc/bind/caadex.rev";
allow-update { key server;};
};
Arquivo /etc/bind/caadex.db
;
; BIND reverse data file for broadcast zone
;
;$ORIGIN caadex
$TTL 604800
@ IN SOA caadex. root.caadex. (
1 ; Serial
604800 ; Refresh
86400 ; Retry
2419200 ; Expire
604800 ) ; Negative Cache TTL
;
@ IN NS caadex.
servidor IN A 192.168.100.2
Arquivo /etc/bind/caadex.rev
;
; BIND reverse data file for broadcast zone
;
$ORIGIN 100.168.192.in-addr.arpa.
$TTL 604800
@ IN SOA caadex. root.caadex. (
1 ; Serial
604800 ; Refresh
86400 ; Retry
2419200 ; Expire
604800 ) ; Negative Cache TTL
;
@ IN NS caadex.
2 IN PTR servidor.caadex.
Arquivo /etc/dhcp3/dhcpd.conf
# Identifica o servidor DNS
server-identifier servidor.caadex;
# Ativa o DHCP dinâmico
ddns-update-style interim;
# Indica o endereço do servidor DNS
option domain-name-servers 192.168.100.2;
key server {
algorithm HMAC-MD5.SIG-ALG.REG.INT;
secret Pqj4pUe34RFzM0I08JUVkqMmu8pkyok3xC/xfaKKfs1Q9WIsa/gLQzVM 7sbH+gQZqFnQHWfnTSAB899meJdvOg==;
};
# Para atualização automática do Domínio
# indica quais são as zonas onde irá registar os novos endereços.
zone caadex {
primary 192.168.100.2;
key server;
}
# Para a atualização automática do reverso
zone 100.168.192.in-addr.arpa {
primary 192.168.100.2;
key server;
}
use-host-decl-names on;
# Arquivo de Configuração do DHCPD
# Valores GLOBAIS
log-facility local7;
# tempo de reserva
default-lease-time 86400;
# tempo máximo de reserva
max-lease-time 172800;
#domínio
option domain-name "caadex";
## servidores de nomes
option domain-name-servers 192.168.100.2;
## indica a mascara
option subnet-mask 255.255.255.0;
## SUBNET 192.168.100
##configuração da sub-rede 192.168.100
## define a subrede e a máscara
## define o range de endereços a serem emprestados
## define o default gateway
## define o endereço de broadcast
subnet 192.168.100.0 netmask 255.255.255.0 {
range 192.168.100.11 192.168.100.254;
option routers 192.168.100.2;
option broadcast-address 192.168.100.255;
}
Arquivo /etc/init.d/iptables
#!/bin/bash
echo "1" > /proc/sys/net/ipv4/ip_forward
# Limpando as tabelas
iptables -F
iptables -t nat -F
iptables -t mangle -F
# Impedindo comunicação entre as redes velox e CTA
iptables -A FORWARD -i eth0 -o eth2 -j DROP
iptables -A FORWARD -i eth2 -o eth0 -j DROP
# Macarando conexões da rede
# se sua conexao estiver na interface ppp0 basta trocar o eth0 por ppp0
# a interface ppp0 é usada tb em dial-up, entao, neste caso, troque o eth0
# por ppp0
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
iptables -t nat -A POSTROUTING -o eth2 -j MASQUERADE
Bem. Gostaria de saber como faço para que minha rede, quando conectar a internet saia pelo velox (eth0), e quando conectar um endereço intranet saia pela intranet(eth2).
Com estas configurações estou conseguindo compartilhar a internet com minha rede 192.168.100.0/24. Porém só consigo conectar paginas pela intranet se desativar a eth0(velox).
O que devo fazer para conseguir conetcar ambas ao mesmo tempo, sem que a intarnet(eth2) tenha acesso ao velox(eth0) e o velox(eth0) tenha acesso a intranet(eth2).
por favor se alguem souber me ajude.
já pesquisei em varios tutoriais e forum e não encontrei nada que funcionasse.
pode ser que tenha alguma coisa errada na minha configuração se tiver me diga onde.
desde já agradeço.