Access problem with the Sptrans site

13. Re: Access problem with the Sptrans site

Renato Carneiro Pacheco
renato_pacheco

(uses Debian)

Posted on 06/10/2010 - 14:32h

My bad, man. I got it wrong. The correct order is this:

$IPT -A FORWARD -p tcp --dport 809 -j LOG --log-level info --log-prefix "FORWARD 809 "
$IPT -A FORWARD -p tcp --dport 809 -j ACCEPT


  


14. Re: Access problem with the Sptrans site

Christian Barbosa
chris-zinho

(uses Debian)

Posted on 06/10/2010 - 15:49h

Renato, I set it up the way you described and it is still logging everything as TODOS OS PACOTES.


15. Re: Access problem with the Sptrans site

Renato Carneiro Pacheco
renato_pacheco

(uses Debian)

Posted on 06/10/2010 - 17:05h

Man, can you post your iptables rules here?


16. Re: Access problem with the Sptrans site

Christian Barbosa
chris-zinho

(uses Debian)

Posted on 06/10/2010 - 17:14h

My firewall script is below:

#!/bin/bash
#
# Firewall
## Variable definitions
modprobe ip_tables
modprobe iptable_nat
modprobe ipt_MASQUERADE
set -x
IPT=$(which iptables)
ET0="eth0"
ET1="eth1"
ET2="eth2"
SPEEDY="192.168.0.1"
#speedy_cbx="189.47.207.1"
#speedy_cfx="189.18.245.1"
#gvt="201.86.123.17"
GVT="201.86.123.17"
NET="0/0"
PA="1024:65535"
REDE="192.168.0.0/24"
REDE2="192.168.2.0/24"
ECH=$(which echo)

## Flush the old rules first; without this, every run of the script appends a second copy of each rule
$IPT -F
$IPT -t nat -F
$IPT -t mangle -F

## Default policies
$IPT -P INPUT DROP
$IPT -P OUTPUT ACCEPT
$IPT -P FORWARD DROP

## Logging (every TCP SYN that reaches INPUT, whatever the port)
$IPT -A INPUT -p tcp --syn -j LOG --log-prefix="[TODOS OS PACOTES]"

## Allow loopback
$IPT -A INPUT -s 127.0.0.1 -j ACCEPT

## Allow PING
$IPT -A FORWARD -p icmp -j ACCEPT
$IPT -A INPUT -p icmp -j ACCEPT

## Allow SQUID, HTTP, XMPP, RRDTOOL, OPENFIRE, NSCLIENT, FWLOGWATCH
$IPT -A INPUT -p tcp -s $REDE -m multiport --dports 3128,80,5223,8080,9090,1248,333 -j ACCEPT
$IPT -A INPUT -p tcp -s $REDE2 -m multiport --dports 3128,80,5223,8080,9090,1248,333 -j ACCEPT
#$IPT -A INPUT -p tcp -s $REDE2 -m multiport --dports 3128,80,5223 -j ACCEPT

## Marking packets - HTTP
## (MARK --set-mark overwrites any earlier mark, so in OUTPUT the later rule, mark 3, wins)
$IPT -t mangle -A PREROUTING -i eth0 -p tcp --dport 80 -j MARK --set-mark 2
$IPT -t mangle -A OUTPUT -p tcp --dport 80 -j MARK --set-mark 2
$IPT -t mangle -A PREROUTING -i eth2 -p tcp --dport 80 -j MARK --set-mark 3
$IPT -t mangle -A OUTPUT -p tcp --dport 80 -j MARK --set-mark 3

## Allow SPTRANS (transport voucher purchase)
#$IPT -A FORWARD -p tcp -s 192.168.0.125 --dport 809 -j ACCEPT ## Rose Farias
#$IPT -A FORWARD -s 192.168.0.125 -p tcp --dport 809 -j ACCEPT
#$IPT -A FORWARD -s 192.168.0.225 -p tcp --dport 809 -j ACCEPT
$IPT -A FORWARD -p tcp --dport 809 -j LOG --log-level info --log-prefix "FORWARD 809 "
$IPT -A FORWARD -p tcp --dport 809 -j ACCEPT
#$IPT -A FORWARD -p tcp --dport 8080 -j ACCEPT

## Allow SSH, SSH (Cobraxco04)
$IPT -A INPUT -p tcp -s 192.168.0.40 -m multiport --dports 22,22354 -j ACCEPT ## Fabio Paixao
$IPT -A INPUT -p tcp -s 192.168.0.92 -m multiport --dports 22,22354 -j ACCEPT ## Felipe Silva
$IPT -A INPUT -p tcp -s 192.168.0.122 -m multiport --dports 22,22354 -j ACCEPT ## Anderson Oliveira
$IPT -A INPUT -p tcp -s 192.168.0.74 -m multiport --dports 22,22354 -j ACCEPT ## Christian Barbosa

## Allow DNS
#$IPT -A INPUT -p udp --dport 53 --sport $PA -j ACCEPT
$IPT -A INPUT -p udp -s $REDE --dport 53 -j ACCEPT
$IPT -A INPUT -p udp -s $REDE2 --dport 53 -j ACCEPT

## Allow OCOMON to send e-mail
$IPT -A INPUT -p tcp --dport 8080 -j ACCEPT
$IPT -A INPUT -p tcp --sport 25 -j ACCEPT

## Allow HTTPS, POP, SMTP, POP (SSL), SMTP (SSL)
$IPT -A FORWARD -p tcp -s $REDE -m multiport --dports 443,110,25,465,995,809 -j ACCEPT
$IPT -A FORWARD -p tcp -s $REDE2 -m multiport --dports 443,110,25,465,995,809 -j ACCEPT

## Marking packets - HTTPS, POP, SMTP
$IPT -t mangle -A PREROUTING -i eth0 -p tcp --dport 443 -j MARK --set-mark 2
$IPT -t mangle -A PREROUTING -i eth0 -p tcp --dport 110 -j MARK --set-mark 2
$IPT -t mangle -A PREROUTING -i eth0 -p tcp --dport 25 -j MARK --set-mark 2
$IPT -t mangle -A PREROUTING -i eth0 -p tcp --dport 465 -j MARK --set-mark 2
$IPT -t mangle -A PREROUTING -i eth0 -p tcp --dport 995 -j MARK --set-mark 2
$IPT -t mangle -A PREROUTING -i eth0 -p tcp --dport 1863 -j MARK --set-mark 2

$IPT -t mangle -A OUTPUT -p tcp --dport 443 -j MARK --set-mark 2
$IPT -t mangle -A OUTPUT -p tcp --dport 25 -j MARK --set-mark 2
$IPT -t mangle -A OUTPUT -p tcp --dport 110 -j MARK --set-mark 2
$IPT -t mangle -A OUTPUT -p tcp --dport 465 -j MARK --set-mark 2
$IPT -t mangle -A OUTPUT -p tcp --dport 995 -j MARK --set-mark 2
$IPT -t mangle -A OUTPUT -p tcp --dport 1863 -j MARK --set-mark 2

$IPT -t mangle -A PREROUTING -i eth2 -p tcp --dport 443 -j MARK --set-mark 3
$IPT -t mangle -A PREROUTING -i eth2 -p tcp --dport 110 -j MARK --set-mark 3
$IPT -t mangle -A PREROUTING -i eth2 -p tcp --dport 25 -j MARK --set-mark 3

$IPT -t mangle -A OUTPUT -p tcp --dport 443 -j MARK --set-mark 3
$IPT -t mangle -A OUTPUT -p tcp --dport 25 -j MARK --set-mark 3
$IPT -t mangle -A OUTPUT -p tcp --dport 110 -j MARK --set-mark 3

## Policy routing on the marks (delete first so a re-run does not stack duplicate rules)
ip rule del fwmark 2 table 20 2>/dev/null
ip rule del fwmark 3 table 21 2>/dev/null
ip rule add fwmark 2 table 20 prio 20
ip rule add fwmark 3 table 21 prio 21

## Allow external access to Ocomon
#$IPT -A FORWARD -p tcp -s $NET -d 201.86.123.22 -m multiport --dports 80,8080 -j ACCEPT
#$IPT -t nat -A PREROUTING -p tcp -i $SPEEDY --dport 8080 -j DNAT --to 192.168.0.215
## -i takes an interface name; the posted line used $GVT, which is the gateway address. The GVT link is eth1.
$IPT -t nat -A PREROUTING -p tcp -i $ET1 --dport 8080 -j DNAT --to 192.168.0.215
#$IPT -t nat -A PREROUTING -p tcp -i $peedy_cbx --dport 8080 -j DNAT --to 192.168.0.215

## MSN
#$IPT -A FORWARD -p tcp -s 192.168.0.40 --dport 1863 -j ACCEPT ## Fabio Paixao
#$IPT -A FORWARD -p tcp -s 192.168.0.78 --dport 1863 -j ACCEPT ## Flavia Elias
#$IPT -A FORWARD -p tcp -s 192.168.0.92 --dport 1863 -j ACCEPT ## Felipe Silva
#$IPT -A FORWARD -p tcp -s 192.168.0.122 --dport 1863 -j ACCEPT ## Anderson Oliveira
#$IPT -A FORWARD -p tcp -s 192.168.0.225 --dport 1863 -j ACCEPT ## Christian
#$IPT -A FORWARD -i eth0 -p tcp --dport 1863 -j ACCEPT
#$IPT -t nat -A PREROUTING -i eth0 -p tcp --dport 1863 -j DNAT --to-destination 192.168.0.225
#$IPT -t nat -A PREROUTING -i eth0 -p udp --dport 1863 -j DNAT --to-destination 192.168.0.225
$IPT -A INPUT -p tcp -s 192.168.0.225 -m multiport --dports 6891:9601,1863,5190 -j ACCEPT ## Christian's laptop
$IPT -A INPUT -p udp -s 192.168.0.225 -m multiport --dports 6891:9601,1863,5190 -j ACCEPT ## Christian's laptop

## Allow SKYPE
$IPT -A FORWARD -p tcp -s 192.168.0.40 --dport 49648 -j ACCEPT ## Fabio Paixao
$IPT -A FORWARD -p tcp -s 192.168.0.92 --dport 49648 -j ACCEPT ## Felipe Silva
$IPT -A FORWARD -p tcp -s 192.168.0.122 --dport 49648 -j ACCEPT ## Anderson Oliveira
$IPT -A FORWARD -p tcp -s 192.168.0.172 --dport 49648 -j ACCEPT ## Liliane Souza
$IPT -A FORWARD -p tcp -s 192.168.0.109 --dport 49648 -j ACCEPT ## Thais Lefundes
$IPT -A FORWARD -p tcp -s 192.168.0.74 --dport 49648 -j ACCEPT ## Christian
$IPT -A FORWARD -p tcp -s 192.168.0.104 --dport 49648 -j ACCEPT ## Katia Campanha

## YAHOO MESSENGER
$IPT -A FORWARD -p tcp -s 192.168.0.40 --dport 5050 -j ACCEPT ## Fabio Paixao
#$IPT -A FORWARD -p tcp -s 192.168.0.92 --dport 5050 -j ACCEPT ## Felipe Silva
#$IPT -A FORWARD -p tcp -s 192.168.0.122 --dport 5050 -j ACCEPT ## Anderson Oliveira

## GOOGLE TALK
$IPT -A FORWARD -p tcp -s 192.168.0.40 --dport 5222 -j ACCEPT ## Fabio Paixao
#$IPT -A FORWARD -p tcp -s 192.168.0.92 --dport 5222 -j ACCEPT ## Felipe Silva
#$IPT -A FORWARD -p tcp -s 192.168.0.122 --dport 5222 -j ACCEPT ## Anderson Oliveira

## ALLOW TRILLIAN
$IPT -A FORWARD -p tcp -s 192.168.0.40 --dport 3158 -j ACCEPT ## Fabio Paixao

## ALLOW TEAMVIEWER
$IPT -A FORWARD -p tcp -s $NET -d 192.168.0.40 --dport 5938 -j ACCEPT ## Fabio Paixao (inbound)
$IPT -A FORWARD -p tcp -s 192.168.0.40 -d $NET --dport 5938 -j ACCEPT ## Fabio Paixao (outbound; the posted line had an empty --sport, which iptables rejects)
$IPT -A FORWARD -p tcp -s $NET -d 192.168.2.200 --dport 5938 -j ACCEPT ## Coflex cameras
$IPT -A FORWARD -p tcp -s 192.168.2.200 -d $NET --dport 5938 -j ACCEPT ## Coflex cameras
$IPT -A FORWARD -p tcp -s $NET -d 192.168.0.74 --dport 5938 -j ACCEPT ## Christian (inbound)
$IPT -A FORWARD -p tcp -s 192.168.0.74 -d $NET --dport 5938 -j ACCEPT ## Christian (outbound; same empty --sport fix)

### ALLOW VNC ACCESS IN SANTOS

$IPT -A FORWARD -p tcp -s 200.155.126.253 --dport 5900 -j ACCEPT ## Allows access from outside to inside
$IPT -t nat -A PREROUTING -p tcp -i eth0 --dport 5900 -j DNAT --to 192.168.0.74:5900

$IPT -A FORWARD -p tcp -s 192.168.0.92 -d 201.93.182.97 -m multiport --dports 4550,5550,6550 -j ACCEPT ## Felipe Silva
#$IPT -A FORWARD -p tcp -s 192.168.0.122 -d 201.93.182.97 -m multiport --dports 4550,5550,6550 -j ACCEPT ## Anderson Oliveira
#$IPT -A FORWARD -p tcp -s 192.168.0.74 -d 201.93.182.97 -m multiport --dports 4550,5550,6550 -j ACCEPT ## Christian

## Allow access to the Santos cameras
$IPT -A FORWARD -p tcp -s 192.168.0.40 -d 201.93.182.97 -m multiport --dports 4550,5550,6550 -j ACCEPT ## Fabio Paixao
$IPT -A FORWARD -p tcp -s 192.168.0.92 -d 201.93.182.97 -m multiport --dports 4550,5550,6550 -j ACCEPT ## Felipe Silva
$IPT -A FORWARD -p tcp -s 192.168.0.122 -d 201.93.182.97 -m multiport --dports 4550,5550,6550 -j ACCEPT ## Anderson Oliveira
$IPT -A FORWARD -p tcp -s 192.168.0.74 -d 201.93.182.97 -m multiport --dports 4550,5550,6550 -j ACCEPT ## Christian

## Packet balancing (replace instead of add so a re-run does not fail with "File exists")
#ip route add default via $speedy_cbx dev eth2 table 20
ip route replace default via $SPEEDY dev eth0 table 20
ip route replace default via $GVT dev eth1 table 21

# Rules created for Christian's tests
#ip route flush table gvt # Clears the cached routes of the GVT table
#ip route flush table speedy_cbx # Clears the cached routes of the Speedy_Cobrax table
#ip route flush table speedy_cfx # Clears the cached routes of the Speedy_Coflex table

#ip route add 201.86.123.0/24 dev eth1 src 201.86.123.22 table gvt
#ip route add default via 201.86.123.17 table gvt

#ip route add 192.168.0.0/24 dev eth2 src 189.47.207.211 table speedy_cbx
#ip route add default via 189.47.207.1 table speedy_cbx

#ip route add 192.168.2.0/24 dev eth2:0 src 189.18.245.166 table speedy_cfx
#ip route add default via 189.18.245.1 table speedy_cfx

#ip rule add from 201.86.123.22 table gvt
#ip rule add from 189.47.207.211 table speedy_cbx
#ip rule add from 189.18.245.1 table speedy_cfx

# The rule below does the balancing: it splits the outbound traffic with weights 2:1:1, supposing GVT is 2x faster with a 1 Mb link, one Speedy link of 4 Mb and another Speedy link of 4 Mb.

#ip route add default scope global nexthop via 201.86.123.22 dev eth1 weight 2 nexthop via 189.47.207.211 dev eth2 weight 1 nexthop via 189.18.245.1 dev eth2:0 weight 1

## Flush the route cache
ip route flush cache

## Established connections
$IPT -A FORWARD -p tcp -s 192.168.0.40 --dport $PA -j ACCEPT
$IPT -A FORWARD -p udp -s 192.168.0.40 --dport $PA -j ACCEPT
$IPT -A FORWARD -p tcp -s 192.168.2.200 --dport $PA -j ACCEPT
$IPT -A FORWARD -p udp -s 192.168.2.200 --dport $PA -j ACCEPT
$IPT -A INPUT -p udp -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPT -A INPUT -p tcp -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

# Sharing packets between interfaces (forwarding, transparent Squid redirect of port 80, masquerading)
$ECH "1" >/proc/sys/net/ipv4/ip_forward
$IPT -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-port 3128
$IPT -t nat -A POSTROUTING -o eth0 -j MASQUERADE
$IPT -t nat -A POSTROUTING -o eth1 -j MASQUERADE
$IPT -t nat -A POSTROUTING -o eth2 -j MASQUERADE



17. Re: Access problem with the Sptrans site

Renato Carneiro Pacheco
renato_pacheco

(uses Debian)

Posted on 06/10/2010 - 21:20h

Your problems "are over"!

I found the problem. I tested it at home and it worked. Open this up (in addition to the FORWARD):

$IPT -A INPUT -p tcp --sport 809 -j ACCEPT


18. Re: Access problem with the Sptrans site

Christian Barbosa
chris-zinho

(uses Debian)

Posted on 07/10/2010 - 09:19h

Renato, thanks again for the effort, but unfortunately it did not work. Here is the log.

1286453681.243 400 192.168.0.225 TCP_MISS/200 7005 GET http://linkhelp.clients.google.com/tbproxy/lh/fixurl?sourceid=navclient&url=http%3A%2F%2Flv.sbe.... - DIRECT/72.14.253.100 text/html
1286453681.772 380 192.168.0.225 TCP_MISS/200 1491 GET http://toolbarqueries.google.com.br/tbr?client=navclient-auto&swwk=397&iqrn=ASeC&orig=0v... - DIRECT/173.194.34.104 text/html
1286453681.893 509 192.168.0.225 TCP_MISS/204 359 GET http://csi.gstatic.com/csi?v=3&s=linkdoctor&action=opt&srt=510&tran=15&e=&rt... - DIRECT/74.125.127.139 text/html



19. Re: Access problem with the Sptrans site

Renato Carneiro Pacheco
renato_pacheco

(uses Debian)

Posted on 07/10/2010 - 10:02h

You always show the Squid log, and in this case it has nothing to do with it, because Squid only filters port 80. Unless it is not transparent, but you already opened the port in Squid. What you have to open is:

$IPT -A FORWARD -p tcp --dport 809 -j ACCEPT
$IPT -A INPUT -p tcp --sport 809 -j ACCEPT

And try opening this one too:

$IPT -A FORWARD -p tcp --sport 809 -j ACCEPT


20. Re: Access problem with the Sptrans site

Christian Barbosa
chris-zinho

(uses Debian)

Posted on 07/10/2010 - 11:17h

Unfortunately still nothing... the strangest thing is that you said I am only showing you port 80; why isn't my firewall reporting the other ports, do you know?



21. Re: Access problem with the Sptrans site

Renato Carneiro Pacheco
renato_pacheco

(uses Debian)

Posted on 07/10/2010 - 11:21h

For it to report them, you have to create log rules in iptables (the -j LOG ...).
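
Once LOG rules are in place their output goes to the kernel log (kern.log or messages via syslog), not to Squid's access.log, which only ever sees the port 80 traffic that the REDIRECT rule hands to it. The following is an added example, not code from this thread: a small Python parser for both formats that counts hits per log prefix and destination port, so one can see at a glance whether SYNs to port 809 are reaching the FORWARD chain at all. All sample lines are constructed; 203.0.113.10 and 203.0.113.25 are documentation addresses standing in for the real servers.

```python
"""Added example, not code from the thread: parse the two logs the discussion
keeps mixing up (kernel lines written by iptables -j LOG, and Squid's native
access.log) and count hits per destination port.  Every sample line below is
constructed; 203.0.113.10 and 203.0.113.25 are documentation addresses."""
import re
from collections import Counter

# Lines as they land in the kernel log for the posted LOG rules.  A prefix without
# a trailing space, like "[TODOS OS PACOTES]", runs straight into "IN=", which is
# why the parser splits on "IN=" rather than on whitespace.
SAMPLE_KERNEL_LOG = [
    'Oct  7 11:20:01 fw kernel: [ 8123.456789] FORWARD 809 IN=eth0 OUT=eth1 SRC=192.168.0.225 DST=203.0.113.10 LEN=52 TOS=0x00 PREC=0x00 TTL=127 ID=4242 DF PROTO=TCP SPT=49201 DPT=809 WINDOW=8192 RES=0x00 SYN URGP=0',
    'Oct  7 11:20:04 fw kernel: [ 8126.001122] FORWARD 809 IN=eth0 OUT=eth1 SRC=192.168.0.225 DST=203.0.113.10 LEN=52 TOS=0x00 PREC=0x00 TTL=127 ID=4243 DF PROTO=TCP SPT=49201 DPT=809 WINDOW=8192 RES=0x00 SYN URGP=0',
    'Oct  7 11:20:05 fw kernel: [ 8127.300000] [TODOS OS PACOTES]IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.168.0.40 DST=192.168.0.3 LEN=52 TOS=0x00 PREC=0x00 TTL=128 ID=9 DF PROTO=TCP SPT=51000 DPT=22 WINDOW=8192 RES=0x00 SYN URGP=0',
    'Oct  7 11:20:06 fw sshd[2211]: Accepted publickey for chris from 192.168.0.74 port 51001 ssh2',
]

# Squid native format: time elapsed client result/status bytes method URL user hierarchy type
SAMPLE_SQUID_LOG = [
    '1286453681.243 400 192.168.0.225 TCP_MISS/200 7005 GET http://linkhelp.clients.google.com/tbproxy/lh/fixurl?sourceid=navclient - DIRECT/72.14.253.100 text/html',
    '1286453681.772 380 192.168.0.225 TCP_MISS/200 1491 GET http://toolbarqueries.google.com.br/tbr?client=navclient-auto - DIRECT/173.194.34.104 text/html',
    '1286453690.100 12 192.168.0.225 TCP_MISS/000 0 CONNECT mail.example.com:443 - DIRECT/203.0.113.25 -',
]

KERNEL_RE = re.compile(r'kernel:\s*(?:\[\s*[\d.]+\]\s*)?(.*)$')
URL_RE = re.compile(r'^(?:(?P<scheme>[a-z]+)://)?(?P<host>[^/:]+)(?::(?P<port>\d+))?')
DEFAULT_PORT = {'http': 80, 'https': 443, 'ftp': 21}
INT_FIELDS = ('SPT', 'DPT', 'LEN', 'TTL', 'ID')


def parse_iptables_log(line):
    """Return a dict of the fields of one iptables LOG line, or None for other lines."""
    m = KERNEL_RE.search(line)
    if not m:
        return None
    msg = m.group(1)
    idx = msg.find('IN=')
    if idx < 0:
        return None                      # a kernel line, but not from -j LOG
    rec = {'prefix': msg[:idx].strip(), 'flags': []}
    for tok in msg[idx:].split():
        if '=' in tok:
            key, val = tok.split('=', 1)
            rec[key] = int(val) if key in INT_FIELDS else val
        else:
            rec['flags'].append(tok)     # bare tokens: DF, SYN, ACK, ...
    return rec


def parse_squid_log(line):
    """Return client, result, method, host and port of one native-format access.log line."""
    parts = line.split()
    if len(parts) < 10:
        return None
    m = URL_RE.match(parts[6])
    if not m:
        return None
    port = m.group('port')
    port = int(port) if port else DEFAULT_PORT.get(m.group('scheme') or 'http', 80)
    return {'client': parts[2], 'result': parts[3], 'method': parts[5],
            'host': m.group('host'), 'port': port}


def summarize_kernel(lines):
    """Counter of (log prefix, destination port) over the TCP LOG lines."""
    counts = Counter()
    for line in lines:
        rec = parse_iptables_log(line)
        if rec and rec.get('PROTO') == 'TCP':
            counts[(rec['prefix'], rec['DPT'])] += 1
    return counts


def summarize_squid(lines):
    """Counter of destination port over the access.log lines."""
    counts = Counter()
    for line in lines:
        rec = parse_squid_log(line)
        if rec:
            counts[rec['port']] += 1
    return counts


def report(kernel_lines, squid_lines):
    out = ['kernel (iptables -j LOG):']
    for (prefix, dport), n in sorted(summarize_kernel(kernel_lines).items()):
        out.append(f'  {prefix!r:22} dpt={dport:<5} {n}')
    out.append('squid access.log:')
    for port, n in sorted(summarize_squid(squid_lines).items()):
        out.append(f'  port {port:<5} {n}')
    return '\n'.join(out)


if __name__ == '__main__':
    print(report(SAMPLE_KERNEL_LOG, SAMPLE_SQUID_LOG))
```

On a real box the kernel lines come from something like `grep 'FORWARD 809' /var/log/kern.log` (assumption: syslog on this Debian host writes kernel messages there). If the summary shows "FORWARD 809" hits but the browser still fails, the packet was accepted by FORWARD and the problem is downstream (routing, NAT or the remote side); if there are no hits at all, the SYN never reached the FORWARD chain.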


22. Re: Access problem with the Sptrans site

Christian Barbosa
chris-zinho

(uses Debian)

Posted on 07/10/2010 - 17:15h

Strange, but anyway, I think I had already set up the LOG for this. Could you check whether it is actually correct, please?

#!/bin/bash
#
# Firewall
## Variable definitions
modprobe ip_tables
modprobe iptable_nat
modprobe ipt_MASQUERADE
set -x
IPT=$(which iptables)
ET0="eth0"
ET1="eth1"
ET2="eth2"
SPEEDY="192.168.0.1"
#speedy_cbx="189.47.207.1"
#speedy_cfx="189.18.245.1"
#gvt="201.86.123.17"
GVT="201.86.123.17"
NET="0/0"
PA="1024:65535"
REDE="192.168.0.0/24"
REDE2="192.168.2.0/24"
ECH=$(which echo)

## Flush the old rules first; without this, every run of the script appends a second copy of each rule
$IPT -F
$IPT -t nat -F
$IPT -t mangle -F

## Default policies
$IPT -P INPUT DROP
$IPT -P OUTPUT ACCEPT
$IPT -P FORWARD DROP


# Protection against invalid packets
$IPT -A INPUT -m state --state INVALID -j REJECT

# Logging
$IPT -A INPUT -p tcp --dport 333 --syn -j LOG --log-prefix="[TENTATIVA ACESSO FWLOGWATCH]"
$IPT -A INPUT -p tcp --dport 23 --syn -j LOG --log-prefix="[TENTATIVA ACESSO TELNET]"
$IPT -A INPUT -p tcp --dport 10000 --syn -j LOG --log-prefix="[TENTATIVA ACESSO WEBMIN]"
## multiport needs --dports and must come after -p tcp; a bare --dport is tcp's own single-port option and rejects a list
$IPT -A FORWARD -p tcp -m multiport --dports 5800,5900,6000 -j LOG --log-prefix="[ACESSO VNC]"
$IPT -A INPUT -p tcp --dport 22 --syn -j LOG --log-prefix="[TENTATIVA ACESSO SSH]"
$IPT -A INPUT -p tcp --dport 2222 --syn -j LOG --log-prefix="[TENTATIVA ACESSO SSH]"
$IPT -A INPUT -p tcp --dport 21 --syn -j LOG --log-prefix="[TENTATIVA ACESSO FTP]"
$IPT -A INPUT -p tcp --dport 809 --syn -j LOG --log-prefix="[TENTATIVA ACESSO SPTRANS]"
$IPT -A FORWARD -p tcp --dport 809 -j LOG --log-prefix="[TODOS OS PACOTES]"
#$IPT -A INPUT -p tcp --syn -j LOG --log-prefix="[TODOS OS PACOTES]"


## Allow loopback
$IPT -A INPUT -s 127.0.0.1 -j ACCEPT

## Allow PING
$IPT -A FORWARD -p icmp -j ACCEPT
$IPT -A INPUT -p icmp -j ACCEPT

## Allow SQUID, HTTP, XMPP, RRDTOOL, OPENFIRE, NSCLIENT, FWLOGWATCH
$IPT -A INPUT -p tcp -s $REDE -m multiport --dports 3128,80,5223,8080,9090,1248,333 -j ACCEPT
$IPT -A INPUT -p tcp -s $REDE2 -m multiport --dports 3128,80,5223,8080,9090,1248,333 -j ACCEPT
#$IPT -A INPUT -p tcp -s $REDE2 -m multiport --dports 3128,80,5223 -j ACCEPT

## Marking packets - HTTP
## (MARK --set-mark overwrites any earlier mark, so in OUTPUT the later rule, mark 3, wins)
$IPT -t mangle -A PREROUTING -i eth0 -p tcp --dport 80 -j MARK --set-mark 2
$IPT -t mangle -A OUTPUT -p tcp --dport 80 -j MARK --set-mark 2
$IPT -t mangle -A PREROUTING -i eth2 -p tcp --dport 80 -j MARK --set-mark 3
$IPT -t mangle -A OUTPUT -p tcp --dport 80 -j MARK --set-mark 3

## Allow SPTRANS (transport voucher purchase)
#$IPT -A FORWARD -p tcp -s 192.168.0.125 --dport 809 -j ACCEPT ## Rose Farias
#$IPT -A FORWARD -s 192.168.0.125 -p tcp --dport 809 -j ACCEPT
#$IPT -A FORWARD -s 192.168.0.225 -p tcp --dport 809 -j ACCEPT
$IPT -A FORWARD -p tcp --dport 809 -j LOG --log-level info --log-prefix="FORWARD 809"
$IPT -A INPUT -p tcp --sport 809 -j ACCEPT
$IPT -A FORWARD -p tcp --sport 809 -j ACCEPT

## Allow SSH, SSH (Cobraxco04)
$IPT -A INPUT -p tcp -s 192.168.0.40 -m multiport --dports 22,22354 -j ACCEPT ## Fabio Paixao
$IPT -A INPUT -p tcp -s 192.168.0.92 -m multiport --dports 22,22354 -j ACCEPT ## Felipe Silva
$IPT -A INPUT -p tcp -s 192.168.0.122 -m multiport --dports 22,22354 -j ACCEPT ## Anderson Oliveira
$IPT -A INPUT -p tcp -s 192.168.0.74 -m multiport --dports 22,22354 -j ACCEPT ## Christian Barbosa

## Allow DNS
#$IPT -A INPUT -p udp --dport 53 --sport $PA -j ACCEPT
$IPT -A INPUT -p udp -s $REDE --dport 53 -j ACCEPT
$IPT -A INPUT -p udp -s $REDE2 --dport 53 -j ACCEPT

## Allow OCOMON to send e-mail
$IPT -A INPUT -p tcp --dport 8080 -j ACCEPT
$IPT -A INPUT -p tcp --sport 25 -j ACCEPT

## Allow HTTPS, POP, SMTP, POP (SSL), SMTP (SSL)
$IPT -A FORWARD -p tcp -s $REDE -m multiport --dports 443,110,25,465,995,809 -j ACCEPT
$IPT -A FORWARD -p tcp -s $REDE2 -m multiport --dports 443,110,25,465,995,809 -j ACCEPT

## Marking packets - HTTPS, POP, SMTP
$IPT -t mangle -A PREROUTING -i eth0 -p tcp --dport 443 -j MARK --set-mark 2
$IPT -t mangle -A PREROUTING -i eth0 -p tcp --dport 110 -j MARK --set-mark 2
$IPT -t mangle -A PREROUTING -i eth0 -p tcp --dport 25 -j MARK --set-mark 2
$IPT -t mangle -A PREROUTING -i eth0 -p tcp --dport 465 -j MARK --set-mark 2
$IPT -t mangle -A PREROUTING -i eth0 -p tcp --dport 995 -j MARK --set-mark 2
$IPT -t mangle -A PREROUTING -i eth0 -p tcp --dport 1863 -j MARK --set-mark 2

$IPT -t mangle -A OUTPUT -p tcp --dport 443 -j MARK --set-mark 2
$IPT -t mangle -A OUTPUT -p tcp --dport 25 -j MARK --set-mark 2
$IPT -t mangle -A OUTPUT -p tcp --dport 110 -j MARK --set-mark 2
$IPT -t mangle -A OUTPUT -p tcp --dport 465 -j MARK --set-mark 2
$IPT -t mangle -A OUTPUT -p tcp --dport 995 -j MARK --set-mark 2
$IPT -t mangle -A OUTPUT -p tcp --dport 1863 -j MARK --set-mark 2

$IPT -t mangle -A PREROUTING -i eth2 -p tcp --dport 443 -j MARK --set-mark 3
$IPT -t mangle -A PREROUTING -i eth2 -p tcp --dport 110 -j MARK --set-mark 3
$IPT -t mangle -A PREROUTING -i eth2 -p tcp --dport 25 -j MARK --set-mark 3

$IPT -t mangle -A OUTPUT -p tcp --dport 443 -j MARK --set-mark 3
$IPT -t mangle -A OUTPUT -p tcp --dport 25 -j MARK --set-mark 3
$IPT -t mangle -A OUTPUT -p tcp --dport 110 -j MARK --set-mark 3

## Policy routing on the marks (delete first so a re-run does not stack duplicate rules)
ip rule del fwmark 2 table 20 2>/dev/null
ip rule del fwmark 3 table 21 2>/dev/null
ip rule add fwmark 2 table 20 prio 20
ip rule add fwmark 3 table 21 prio 21

## Allow external access to Ocomon
#$IPT -A FORWARD -p tcp -s $NET -d 201.86.123.22 -m multiport --dports 80,8080 -j ACCEPT
#$IPT -t nat -A PREROUTING -p tcp -i $SPEEDY --dport 8080 -j DNAT --to 192.168.0.215
## -i takes an interface name; the posted line used $GVT, which is the gateway address. The GVT link is eth1.
$IPT -t nat -A PREROUTING -p tcp -i $ET1 --dport 8080 -j DNAT --to 192.168.0.215
#$IPT -t nat -A PREROUTING -p tcp -i $peedy_cbx --dport 8080 -j DNAT --to 192.168.0.215

## MSN
#$IPT -A FORWARD -p tcp -s 192.168.0.40 --dport 1863 -j ACCEPT ## Fabio Paixao
#$IPT -A FORWARD -p tcp -s 192.168.0.78 --dport 1863 -j ACCEPT ## Flavia Elias
#$IPT -A FORWARD -p tcp -s 192.168.0.92 --dport 1863 -j ACCEPT ## Felipe Silva
#$IPT -A FORWARD -p tcp -s 192.168.0.122 --dport 1863 -j ACCEPT ## Anderson Oliveira
#$IPT -A FORWARD -p tcp -s 192.168.0.225 --dport 1863 -j ACCEPT ## Christian
#$IPT -A FORWARD -i eth0 -p tcp --dport 1863 -j ACCEPT
#$IPT -t nat -A PREROUTING -i eth0 -p tcp --dport 1863 -j DNAT --to-destination 192.168.0.225
#$IPT -t nat -A PREROUTING -i eth0 -p udp --dport 1863 -j DNAT --to-destination 192.168.0.225
$IPT -A INPUT -p tcp -s 192.168.0.225 -m multiport --dports 6891:9601,1863,5190 -j ACCEPT ## Christian's laptop
$IPT -A INPUT -p udp -s 192.168.0.225 -m multiport --dports 6891:9601,1863,5190 -j ACCEPT ## Christian's laptop

## Allow SKYPE
$IPT -A FORWARD -p tcp -s 192.168.0.40 --dport 49648 -j ACCEPT ## Fabio Paixao
$IPT -A FORWARD -p tcp -s 192.168.0.92 --dport 49648 -j ACCEPT ## Felipe Silva
$IPT -A FORWARD -p tcp -s 192.168.0.122 --dport 49648 -j ACCEPT ## Anderson Oliveira
$IPT -A FORWARD -p tcp -s 192.168.0.172 --dport 49648 -j ACCEPT ## Liliane Souza
$IPT -A FORWARD -p tcp -s 192.168.0.109 --dport 49648 -j ACCEPT ## Thais Lefundes
$IPT -A FORWARD -p tcp -s 192.168.0.74 --dport 49648 -j ACCEPT ## Christian
$IPT -A FORWARD -p tcp -s 192.168.0.104 --dport 49648 -j ACCEPT ## Katia Campanha

## YAHOO MESSENGER
$IPT -A FORWARD -p tcp -s 192.168.0.40 --dport 5050 -j ACCEPT ## Fabio Paixao
#$IPT -A FORWARD -p tcp -s 192.168.0.92 --dport 5050 -j ACCEPT ## Felipe Silva
#$IPT -A FORWARD -p tcp -s 192.168.0.122 --dport 5050 -j ACCEPT ## Anderson Oliveira

## GOOGLE TALK
$IPT -A FORWARD -p tcp -s 192.168.0.40 --dport 5222 -j ACCEPT ## Fabio Paixao
#$IPT -A FORWARD -p tcp -s 192.168.0.92 --dport 5222 -j ACCEPT ## Felipe Silva
#$IPT -A FORWARD -p tcp -s 192.168.0.122 --dport 5222 -j ACCEPT ## Anderson Oliveira

## ALLOW TRILLIAN
$IPT -A FORWARD -p tcp -s 192.168.0.40 --dport 3158 -j ACCEPT ## Fabio Paixao

## ALLOW TEAMVIEWER
$IPT -A FORWARD -p tcp -s $NET -d 192.168.0.40 --dport 5938 -j ACCEPT ## Fabio Paixao (inbound)
$IPT -A FORWARD -p tcp -s 192.168.0.40 -d $NET --dport 5938 -j ACCEPT ## Fabio Paixao (outbound; the posted line had an empty --sport, which iptables rejects)
$IPT -A FORWARD -p tcp -s $NET -d 192.168.2.200 --dport 5938 -j ACCEPT ## Coflex cameras
$IPT -A FORWARD -p tcp -s 192.168.2.200 -d $NET --dport 5938 -j ACCEPT ## Coflex cameras
$IPT -A FORWARD -p tcp -s $NET -d 192.168.0.74 --dport 5938 -j ACCEPT ## Christian (inbound)
$IPT -A FORWARD -p tcp -s 192.168.0.74 -d $NET --dport 5938 -j ACCEPT ## Christian (outbound; same empty --sport fix)

### ALLOW VNC ACCESS IN SANTOS

#$IPT -A FORWARD -p tcp -s 200.155.126.253 --dport 5900 -j ACCEPT ## Allows access from outside to inside
#$IPT -t nat -A PREROUTING -p tcp -i eth0 --dport 5900 -j DNAT --to 192.168.0.74:5900
## multiport needs --dports (tcp's own --dport does not take a list)
$IPT -A FORWARD -s $REDE -p tcp -m multiport --dports 5800,5900,6000 -j ACCEPT
#$IPT -A FORWARD -p tcp -s 192.168.0.92 -d 201.93.182.97 -m multiport --dports 4550,5550,6550 -j ACCEPT ## Felipe Silva
#$IPT -A FORWARD -p tcp -s 192.168.0.122 -d 201.93.182.97 -m multiport --dports 4550,5550,6550 -j ACCEPT ## Anderson Oliveira
#$IPT -A FORWARD -p tcp -s 192.168.0.74 -d 201.93.182.97 -m multiport --dports 4550,5550,6550 -j ACCEPT ## Christian


## Allow access to the Santos cameras
$IPT -A FORWARD -p tcp -s 192.168.0.40 -d 201.93.182.97 -m multiport --dports 4550,5550,6550 -j ACCEPT ## Fabio Paixao
$IPT -A FORWARD -p tcp -s 192.168.0.92 -d 201.93.182.97 -m multiport --dports 4550,5550,6550 -j ACCEPT ## Felipe Silva
$IPT -A FORWARD -p tcp -s 192.168.0.122 -d 201.93.182.97 -m multiport --dports 4550,5550,6550 -j ACCEPT ## Anderson Oliveira
$IPT -A FORWARD -p tcp -s 192.168.0.74 -d 201.93.182.97 -m multiport --dports 4550,5550,6550 -j ACCEPT ## Christian

## Packet balancing (replace instead of add so a re-run does not fail with "File exists")
#ip route add default via $speedy_cbx dev eth2 table 20
ip route replace default via $SPEEDY dev eth0 table 20
ip route replace default via $GVT dev eth1 table 21

# Rules created for Christian's tests
#ip route flush table gvt # Clears the cached routes of the GVT table
#ip route flush table speedy_cbx # Clears the cached routes of the Speedy_Cobrax table
#ip route flush table speedy_cfx # Clears the cached routes of the Speedy_Coflex table

#ip route add 201.86.123.0/24 dev eth1 src 201.86.123.22 table gvt
#ip route add default via 201.86.123.17 table gvt

#ip route add 192.168.0.0/24 dev eth2 src 189.47.207.211 table speedy_cbx
#ip route add default via 189.47.207.1 table speedy_cbx

#ip route add 192.168.2.0/24 dev eth2:0 src 189.18.245.166 table speedy_cfx
#ip route add default via 189.18.245.1 table speedy_cfx

#ip rule add from 201.86.123.22 table gvt
#ip rule add from 189.47.207.211 table speedy_cbx
#ip rule add from 189.18.245.1 table speedy_cfx

# The rule below does the balancing: it splits the outbound traffic with weights 2:1:1, supposing GVT is 2x faster with a 1 Mb link, one Speedy link of 4 Mb and another Speedy link of 4 Mb.

#ip route add default scope global nexthop via 201.86.123.22 dev eth1 weight 2 nexthop via 189.47.207.211 dev eth2 weight 1 nexthop via 189.18.245.1 dev eth2:0 weight 1

## Flush the route cache
ip route flush cache

## Established connections
$IPT -A FORWARD -p tcp -s 192.168.0.40 --dport $PA -j ACCEPT
$IPT -A FORWARD -p udp -s 192.168.0.40 --dport $PA -j ACCEPT
$IPT -A FORWARD -p tcp -s 192.168.2.200 --dport $PA -j ACCEPT
$IPT -A FORWARD -p udp -s 192.168.2.200 --dport $PA -j ACCEPT
$IPT -A INPUT -p udp -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPT -A INPUT -p tcp -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

# Sharing packets between interfaces (forwarding, transparent Squid redirect of port 80, masquerading)
$ECH "1" >/proc/sys/net/ipv4/ip_forward
$IPT -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-port 3128
$IPT -t nat -A POSTROUTING -o eth0 -j MASQUERADE
$IPT -t nat -A POSTROUTING -o eth1 -j MASQUERADE
$IPT -t nat -A POSTROUTING -o eth2 -j MASQUERADE



23. Re: Access problem with the Sptrans site

Renato Carneiro Pacheco
renato_pacheco

(uses Debian)

Posted on 07/10/2010 - 17:26h

Two things:

- On this line "$IPT -A FORWARD -p tcp --dport 809 -j LOG --log-prefix="[TODOS OS PACOTES]"", change TODOS OS PACOTES to FORWARD 809;
- Remove this line further down: "$IPT -A FORWARD -p tcp --dport 809 -j LOG --log-level info --log-prefix="FORWARD 809""
- The FORWARD for port 809 must be on the destination port, like this: $IPT -A FORWARD -p tcp --dport 809 -j ACCEPT
- Open port 53/TCP (DNS):
$IPT -A INPUT -p tcp -s $REDE --dport 53 -j ACCEPT
$IPT -A INPUT -p tcp -s $REDE2 --dport 53 -j ACCEPT

I think that's all for now...
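
To see what the `--sport 809` rules discussed in this thread actually do for the Sptrans connection, and what they cost, here is an added example that is not part of the thread: a first-match evaluator for iptables-style chains, with the posted FORWARD and INPUT chains reduced to the rules that matter for port 809 and ordered as in the script after the corrections above. Modelled semantics: rules are tried in order, the first terminating target decides, LOG matches without terminating, and the chain policy applies when nothing matched. Conntrack state is supplied per packet rather than computed. 203.0.113.10 and 198.51.100.7 are documentation addresses; 201.86.123.22 is the firewall's own GVT address taken from the commented routes in the script.

```python
"""Added example (not code from the thread): a tiny first-match evaluator for
iptables-style chains, used to trace what the posted FORWARD and INPUT rules do
with the SYN to port 809, with the server's reply, and with an outside probe.
Conntrack state is given per packet.  203.0.113.10 and 198.51.100.7 are
documentation addresses; 201.86.123.22 is the firewall's GVT address from the
commented routes in the posted script."""
import ipaddress

REDE, REDE2 = '192.168.0.0/24', '192.168.2.0/24'


def _in_net(ip, net):
    return net is None or ipaddress.ip_address(ip) in ipaddress.ip_network(net)


class Rule:
    """One rule; a field left as None matches anything, like an omitted iptables match."""

    def __init__(self, target, proto=None, src=None, dst=None, sport=None,
                 dports=None, state=None, syn=False, note=''):
        self.target, self.proto, self.src, self.dst = target, proto, src, dst
        self.sport, self.dports, self.state, self.syn = sport, dports, state, syn
        self.note = note

    def matches(self, pkt):
        return (self.proto in (None, pkt['proto'])
                and _in_net(pkt['src'], self.src)
                and _in_net(pkt['dst'], self.dst)
                and self.sport in (None, pkt.get('sport'))
                and (self.dports is None or pkt.get('dport') in self.dports)
                and (self.state is None or pkt['state'] in self.state)
                and (not self.syn or pkt.get('syn', False)))


def evaluate(chain, policy, pkt):
    """Return (verdict, trace); trace lists every rule that matched, LOG included."""
    trace = []
    for rule in chain:
        if rule.matches(pkt):
            trace.append(f'{rule.target} {rule.note}'.strip())
            if rule.target != 'LOG':        # LOG is non-terminating
                return rule.target, trace
    return policy, trace                     # fell off the end: chain policy


# The posted FORWARD chain after the corrections in this thread, 809-relevant rules only.
FORWARD = [
    Rule('LOG', proto='tcp', dports={809}, note='--dport 809 "FORWARD 809"'),
    Rule('ACCEPT', proto='icmp', note='icmp'),
    Rule('ACCEPT', proto='tcp', dports={809}, note='--dport 809'),
    Rule('ACCEPT', proto='tcp', sport=809, note='--sport 809'),
    Rule('ACCEPT', proto='tcp', src=REDE, dports={443, 110, 25, 465, 995, 809}, note='REDE multiport'),
    Rule('ACCEPT', proto='tcp', src=REDE2, dports={443, 110, 25, 465, 995, 809}, note='REDE2 multiport'),
    Rule('ACCEPT', state={'ESTABLISHED', 'RELATED'}, note='ESTABLISHED,RELATED'),
]

# The posted INPUT chain, likewise reduced (SSH is only opened to a few LAN hosts).
INPUT = [
    Rule('LOG', proto='tcp', syn=True, note='--syn "[TODOS OS PACOTES]"'),
    Rule('ACCEPT', src='127.0.0.1/32', note='loopback'),
    Rule('ACCEPT', proto='icmp', note='icmp'),
    Rule('ACCEPT', proto='tcp', src=REDE, dports={3128, 80, 5223, 8080, 9090, 1248, 333}, note='REDE services'),
    Rule('ACCEPT', proto='tcp', sport=809, note='--sport 809'),
    Rule('ACCEPT', proto='tcp', src='192.168.0.74/32', dports={22, 22354}, note='ssh from .74'),
    Rule('ACCEPT', proto='tcp', state={'ESTABLISHED', 'RELATED'}, note='ESTABLISHED,RELATED'),
]


def tcp(src, sport, dst, dport, state='NEW', syn=True):
    return {'proto': 'tcp', 'src': src, 'sport': sport, 'dst': dst,
            'dport': dport, 'state': state, 'syn': syn}


def without(chain, note):
    """The same chain with one rule (identified by its note) removed."""
    return [r for r in chain if r.note != note]


def trace_sptrans():
    out = {}
    # 1. the client's SYN to the Sptrans server: logged, then accepted by --dport 809
    syn = tcp('192.168.0.225', 49201, '203.0.113.10', 809)
    out['syn_forward'] = evaluate(FORWARD, 'DROP', syn)
    # 2. the server's SYN-ACK coming back: --sport 809 matches first, but the
    #    ESTABLISHED,RELATED rule accepts it just the same once that rule is gone
    reply = tcp('203.0.113.10', 809, '192.168.0.225', 49201, state='ESTABLISHED', syn=False)
    out['reply_forward'] = evaluate(FORWARD, 'DROP', reply)
    out['reply_forward_no_sport_rule'] = evaluate(without(FORWARD, '--sport 809'), 'DROP', reply)
    # 3. the cost of --sport 809 on INPUT: a NEW connection from any outside host that
    #    picks source port 809 reaches the firewall's own sshd, which the per-host
    #    rules were meant to restrict; without that rule the SYN falls through to DROP
    probe = tcp('198.51.100.7', 809, '201.86.123.22', 22)
    out['probe_input'] = evaluate(INPUT, 'DROP', probe)
    out['probe_input_no_sport_rule'] = evaluate(without(INPUT, '--sport 809'), 'DROP', probe)
    return out


if __name__ == '__main__':
    for name, (verdict, trace) in trace_sptrans().items():
        print(f'{name:30} {verdict:6} via {trace}')
```

The client's SYN is logged and then accepted by `--dport 809`; the server's SYN-ACK would be accepted by the ESTABLISHED,RELATED rule even without `--sport 809`, which is what connection tracking is for. On INPUT, though, `--sport 809` also matches NEW connections: any remote host that sends from source port 809 reaches services on the firewall itself, such as sshd, that the per-host rules were meant to restrict. Unless the firewall box is itself the endpoint of the port 809 connection, that rule is not needed.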


24. Re: Access problem with the Sptrans site

Christian Barbosa
chris-zinho

(uses Debian)

Posted on 07/10/2010 - 17:37h

Changed, but still nothing; it gives the message "Oops! Internet Explorer could not connect to lv.sbe.sptrans.com.br:809....


