Firewall with iproute2 for 2 links with fixed IP
Published by Eduardo Gomes (last updated 22/10/2009)
Here is a working firewall for anyone who wants high availability for their website, e-mail and POP3 and also wants to connect remotely to a Terminal Server.
Of course I owe a lot of thanks to Tiago, author of the article:
http://www.vivaolinux.com.br/artigo/Roteamento-de-entrada-saida-com-iproute-e-iptables
from which I was able to benefit greatly.
```bash
#!/bin/bash
# Firewall and policy-routing script for two WAN links with fixed IPs.
# Usage: /etc/init.d/firewall {start|stop|stats|restart|nat|mangle}
#
# How the two links are kept apart: every connection that arrives on a WAN
# link is tagged with a mark (1-12, one per service and link), the mark is
# stored in conntrack (CONNMARK --save-mark), restored on the replies coming
# back from the LAN servers, and "ip rule ... fwmark N" sends those replies
# out through the routing table of the link the connection came in on.

IPTABLES=$(which iptables)
SYSCTL=$(which sysctl)      # never set in the original; if empty, /proc is written directly

# ----------------------- link 1
WAN1_NAME="net"             # routing table name, must exist in /etc/iproute2/rt_tables
WAN1_IF="eth0"
WAN1_IP="201.100.9.3"
WAN1_GW="201.100.9.1"
WAN1_NET="201.100.9.0/24"
WAN1_MARK=201
WAN1_WEIGHT=8               # unused: no weighted default route is built below
# ----------------------- link 2
WAN2_NAME="gvt"
WAN2_IF="eth1"
WAN2_IP="200.13.6.35"
WAN2_GW="200.13.6.33"
WAN2_NET="200.13.6.0/24"
WAN2_MARK=200
WAN2_WEIGHT=4
# ----------------------- LAN 1
LAN_IF="eth3"
LAN_IP="10.10.2.3"
LAN_NET="10.10.2.0/26"
LAN_BCAST="10.10.2.62"
# ----------------------- LAN 2
LAN2_IF="eth2"
LAN2_IP="10.10.1.5"
LAN2_NET="10.10.1.0/27"
LAN2_BCAST="10.10.1.30"
# ----------------------- loopback
LO_IF="lo"
LO_IP="127.0.0.1"
LO_NET="127.0.0.0/8"
# -----------------------

# mark_inbound PORT IF IP MARK: tag the packets of TCP connections to PORT that
# arrived on link IF/IP with MARK, but only if the packet carries no mark yet
# (-m mark --mark 0). The same five rules were repeated by hand in the original
# for every port and link.
mark_inbound() {
    local port=$1 ifc=$2 ip=$3 mark=$4 chain dir
    for chain in PREROUTING FORWARD; do
        for dir in --sport --dport; do
            $IPTABLES -t mangle -A $chain -i $ifc -p tcp $dir $port -d $ip \
                -m conntrack --ctorigdst $ip -m mark --mark 0 -j MARK --set-mark $mark
        done
    done
    $IPTABLES -t mangle -A INPUT -i $ifc -p tcp --dport $port -d $ip \
        -m conntrack --ctorigdst $ip -m mark --mark 0 -j MARK --set-mark $mark
}

# dnat_both PORT DEST: publish TCP port PORT of the internal host DEST on both links.
dnat_both() {
    local ifc
    for ifc in $WAN1_IF $WAN2_IF; do
        $IPTABLES -t nat -A PREROUTING -i $ifc -p tcp --dport $1 -j DNAT --to-destination $2
    done
}

# del_rules: remove every ip rule this script adds. The original never deleted
# them, so each "restart" piled up a duplicate set of rules.
del_rules() {
    local spec
    for spec in "fwmark $WAN1_MARK table $WAN1_NAME" "fwmark $WAN2_MARK table $WAN2_NAME" \
                "from $WAN1_IP table $WAN1_NAME" "from $WAN2_IP table $WAN2_NAME" \
                "prio 19" "prio 20" "prio 21" "prio 22" "prio 23" "prio 24" "prio 25" "prio 26"; do
        while ip rule del $spec 2>/dev/null; do :; done
    done
}

case "$1" in
start)
    echo "|=====================================================|"
    echo "|:Script de Firewall - IPTABLES _ |"
    echo "|:Criado por: Eduardo Gomes °v° |"
    echo "|:Técnico em Informática /(_)\ |"
    echo "|:suportlinux@yahoo.com.br ^ ^ |"
    echo "|:Uso: /etc/init.d/firewall |"
    echo "|:$HOSTNAME:.............................ok: |"
    echo "|=====================================================|"

    # Flush and delete everything so the script can be run again cleanly.
    $IPTABLES -F
    $IPTABLES -Z
    $IPTABLES -X
    $IPTABLES -F -t nat
    $IPTABLES -X -t nat
    $IPTABLES -F -t mangle
    $IPTABLES -X -t mangle
    $IPTABLES -Z -t mangle
    echo "|:As regras de firewall foram limpas com sucesso :|"

    # LO_IF was defined but never used in the original; without this rule local
    # services talking to 127.0.0.1 hit the REJECT at the end of INPUT.
    $IPTABLES -A INPUT -i $LO_IF -j ACCEPT
    $IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

    # SSH brute-force handling: a source seen 10 times in 60 s is dropped
    # silently; otherwise the attempt is logged and reset.
    $IPTABLES -N REJECT-SSH
    $IPTABLES -A REJECT-SSH -m recent --rcheck --name SSH --seconds 60 --hitcount 10 -j DROP
    $IPTABLES -A REJECT-SSH -j LOG --log-prefix "SSH-Bruteforce: "
    $IPTABLES -A REJECT-SSH -p tcp -j REJECT --reject-with tcp-reset
    $IPTABLES -A REJECT-SSH -j REJECT
    echo "|:Regras de reject-and-log-SSH-Bruteforce ativas :|"

    # Second blacklist mechanism (ssh -> blacklist). Note that nothing jumps
    # into the "ssh" chain from INPUT, so it is defined but inactive.
    $IPTABLES -N ssh
    $IPTABLES -N blacklist
    $IPTABLES -A blacklist -m recent --name blacklist --set
    $IPTABLES -A blacklist -j LOG --log-prefix 'SSH REJECTED: '
    $IPTABLES -A blacklist -j REJECT
    $IPTABLES -A ssh -m recent --set --name counting1
    $IPTABLES -A ssh -m recent --update --name counting1 --seconds 20 --hitcount 3 -j blacklist
    $IPTABLES -A ssh -j ACCEPT
    echo "|:Regras de blacklist SSH ativadas com sucesso :|"

    # The 4th new SSH connection within 60 s from one source goes to REJECT-SSH.
    $IPTABLES -A INPUT -p tcp --dport 22 -m state --state NEW \
        -m recent --update --name SSH --seconds 60 --hitcount 4 -j REJECT-SSH
    $IPTABLES -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --set --name SSH
    echo "|:Kill SSH Brute-force attacks ativado com sucesso :|"
    echo "|=====================================================|"
    echo "|:Regras de input:.................................ok:|"
    # Services offered by the firewall itself. These rules carry no -i/-s, so
    # SSH, DNS and PPTP are reachable from both WAN links as well as the LANs.
    $IPTABLES -A INPUT -p tcp --dport 22 -j ACCEPT
    $IPTABLES -A INPUT -p tcp --dport 53 -j ACCEPT
    $IPTABLES -A INPUT -p udp --dport 53 -j ACCEPT
    $IPTABLES -A INPUT -p tcp --dport 1723 -j ACCEPT   # PPTP control channel (GRE is not opened)
    echo "|:.............ok:|"
    echo "|:Libera icmp mais com limite:.....................ok:|"
    $IPTABLES -A INPUT -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT
    $IPTABLES -A INPUT -p icmp --icmp-type echo-reply -m limit --limit 1/s -j ACCEPT
    echo "|:.............ok:|"
    echo "|:Fechando o resto do INPUT:.......................ok:|"
    $IPTABLES -A INPUT -p icmp -j DROP
    $IPTABLES -A INPUT -j LOG --log-prefix "INPUT Barrado: "
    $IPTABLES -A INPUT -j REJECT
    $IPTABLES -P INPUT DROP
    echo "|:.............ok:|"

    # Kernel settings. rp_filter must be off for the asymmetric multi-WAN
    # routing below. accept_source_route=1 honours source-routed packets, which
    # is normally left at 0; kept here as in the original.
    if [ -z "$SYSCTL" ]; then
        echo "0" > /proc/sys/net/ipv4/conf/all/rp_filter
        echo "1" > /proc/sys/net/ipv4/conf/all/accept_source_route
        echo "0" > /proc/sys/net/ipv4/conf/all/secure_redirects
    else
        $SYSCTL -w net.ipv4.conf.all.rp_filter=0
        $SYSCTL -w net.ipv4.conf.all.accept_source_route=1
        $SYSCTL -w net.ipv4.conf.all.secure_redirects=0
    fi
    echo "|:Ativar redirecionamento no arquivo ip_forward:.....:|"
    echo "1" > /proc/sys/net/ipv4/ip_forward
    echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
    echo "|:.............ok:|"
    echo "|:Regras de prerouting e redirecionamento:...........:|"
    echo "|:.............ok:|"

    echo "|:Implementando regras de QoS para o VOIP:...........:|"
    # TOS 16 (minimise delay) for SIP signalling and the RTP media range.
    for port in 5060 5061 10000:20000; do
        $IPTABLES -t mangle -A POSTROUTING -p udp --sport $port -j TOS --set-tos 16
        $IPTABLES -t mangle -A PREROUTING -p udp --dport $port -j TOS --set-tos 16
    done
    echo "|:.............ok:|"
    echo "|:Implementando regras de HTB para o VOIP:...........:|"
    # Mark 0x10 is meant for an HTB class (the tc side is not part of this script).
    for port in 10000:20000 5060; do
        $IPTABLES -t mangle -A POSTROUTING -p udp --sport $port -j MARK --set-mark 0x10
        $IPTABLES -t mangle -A PREROUTING -p udp --dport $port -j MARK --set-mark 0x10
    done
    echo "|:.............ok:|"

    echo "|:Marcar pacotes para usar os Links:.................:|"
    echo "|:Marcar smtp com entrada no Link 1:.................:|"
    $IPTABLES -t mangle -A PREROUTING -i $WAN1_IF -p tcp --dport 25 -d $WAN1_IP \
        -m conntrack --ctorigdst $WAN1_IP -m mark --mark 0 -j MARK --set-mark 1
    echo "|:.............ok:|"
    echo "|:Marcar smtp com entrada no Link 2:.................:|"
    $IPTABLES -t mangle -A PREROUTING -i $WAN2_IF -p tcp --dport 25 -d $WAN2_IP \
        -m conntrack --ctorigdst $WAN2_IP -m mark --mark 0 -j MARK --set-mark 2
    echo "|:.............ok:|"
    echo "|:Marcar pop3 com entrada no Link 1:.................:|"
    $IPTABLES -t mangle -A PREROUTING -i $WAN1_IF -p tcp --dport 110 -d $WAN1_IP \
        -m conntrack --ctorigdst $WAN1_IP -m mark --mark 0 -j MARK --set-mark 3
    echo "|:.............ok:|"
    echo "|:Marcar pop3 com entrada no Link 2:.................:|"
    $IPTABLES -t mangle -A PREROUTING -i $WAN2_IF -p tcp --dport 110 -d $WAN2_IP \
        -m conntrack --ctorigdst $WAN2_IP -m mark --mark 0 -j MARK --set-mark 4
    echo "|:.............ok:|"
    echo "|:Marcar http com entrada no Link 1:.................:|"
    mark_inbound 80 $WAN1_IF $WAN1_IP 5
    echo "|:.............ok:|"
    echo "|:Marcar http com entrada no Link 2:.................:|"
    mark_inbound 80 $WAN2_IF $WAN2_IP 6
    echo "|:.............ok:|"
    echo "|:Marcar 443 com entrada no Link 1:..................:|"
    mark_inbound 443 $WAN1_IF $WAN1_IP 7
    echo "|:.............ok:|"
    echo "|:Marcar 443 com entrada no Link 2:..................:|"
    mark_inbound 443 $WAN2_IF $WAN2_IP 8
    echo "|:.............ok:|"
    echo "|:Marcar 8009 com entrada no Link 1:.................:|"
    mark_inbound 8009 $WAN1_IF $WAN1_IP 9
    echo "|:.............ok:|"
    echo "|:Marcar 8009 com entrada no Link 2:.................:|"
    mark_inbound 8009 $WAN2_IF $WAN2_IP 10
    echo "|:.............ok:|"
    echo "|:Marcar 8081 com entrada no Link 1:.................:|"
    mark_inbound 8081 $WAN1_IF $WAN1_IP 11
    echo "|:.............ok:|"
    echo "|:Marcar 8081 com entrada no Link 2:.................:|"
    mark_inbound 8081 $WAN2_IF $WAN2_IP 12
    echo "|:.............ok:|"

    echo "|:Tabela nat de entrada na porta 25 dos links:.......:|"
    dnat_both 25 10.10.1.8
    echo "|:.............ok:|"
    echo "|:Tabela nat de entrada na porta 80 dos links:.......:|"
    dnat_both 80 10.10.1.9
    echo "|:.............ok:|"
    echo "|:Tabela nat de entrada na porta 443 dos links:......:|"
    dnat_both 443 10.10.1.8
    echo "|:.............ok:|"
    echo "|:Tabela nat de entrada dos links:...................:|"
    dnat_both 8009 10.10.1.8
    echo "|:.............ok:|"
    echo "|:Tabela nat de entrada na porta 8081 dos links:.....:|"
    dnat_both 8081 10.10.2.5
    echo "|:.............ok:|"

    echo "|:Regras de forward:...............................ok:|"
    $IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPTABLES -A FORWARD -p tcp ! --syn -m state --state NEW -j DROP
    $IPTABLES -A FORWARD -m state --state INVALID -j DROP
    echo "|:.............ok:|"
    echo "|:IPs com previlegios especiais:...................ok:|"
    $IPTABLES -A FORWARD -s 10.10.2.4/32 -j ACCEPT
    $IPTABLES -A FORWARD -s 10.10.2.5/32 -j ACCEPT
    echo "|:.............ok:|"
    echo "|:Liberar portas de saída:.........................ok:|"
    # The original also added a "--sport 1024:65535" copy of each rule; it could
    # never match after the rule before it, so the copies are dropped here.
    for port in 22 25 80 81 82 443 8009 8080 8081; do
        $IPTABLES -A FORWARD -p tcp --dport $port -j ACCEPT
    done
    $IPTABLES -A FORWARD -p udp --dport 53 -j ACCEPT
    $IPTABLES -A FORWARD -p udp --dport 5060 -j ACCEPT
    $IPTABLES -A FORWARD -j LOG --log-prefix "FORWARD Barrado: "
    # Both lines below are commented out in the original, so the FORWARD policy
    # stays ACCEPT: traffic that reaches the end of the chain is logged as
    # "Barrado" but still forwarded. Uncomment them to enforce the port list.
    #$IPTABLES -A FORWARD -j REJECT
    #$IPTABLES -P FORWARD DROP

    echo "|:Regras de output:................................ok:|"
    $IPTABLES -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    echo "|:.............ok:|"
    echo "|:Implementando regras de QoS para o VOIP:...........:|"
    # The original appended each of these OUTPUT rules twice; once is enough.
    for port in 5060 5061 10000:20000; do
        $IPTABLES -t mangle -A OUTPUT -p udp --dport $port -j TOS --set-tos 16
    done
    $IPTABLES -P OUTPUT ACCEPT

    echo "|:Salvar rotas de entrada dos links:.................:|"
    $IPTABLES -t mangle -A PREROUTING -i $WAN1_IF -j CONNMARK --save-mark
    $IPTABLES -t mangle -A PREROUTING -i $WAN2_IF -j CONNMARK --save-mark
    echo "|:.............ok:|"
    echo "|:Lembrando marca de entrada anterios dos links:.....:|"
    # Replies from the LAN servers get the connection's mark back, so the
    # fwmark rules below route them through the link they arrived on.
    $IPTABLES -t mangle -A PREROUTING -i $LAN_IF -p tcp -m state --state ESTABLISHED,RELATED -j CONNMARK --restore-mark
    $IPTABLES -t mangle -A PREROUTING -i $LAN2_IF -p tcp -m state --state ESTABLISHED,RELATED -j CONNMARK --restore-mark
    echo "|:.............ok:|"

    # Per-link marking chains for outbound traffic. They are created but no
    # rule jumps to them in the original, so outbound LAN traffic simply
    # follows the main routing table.
    $IPTABLES -t mangle -N MARK_NET
    $IPTABLES -t mangle -A MARK_NET -j MARK --set-mark $WAN1_MARK
    $IPTABLES -t mangle -A MARK_NET -j ACCEPT
    # ------------------------------------------------------------
    $IPTABLES -t mangle -N MARK_GVT
    $IPTABLES -t mangle -A MARK_GVT -j MARK --set-mark $WAN2_MARK
    $IPTABLES -t mangle -A MARK_GVT -j ACCEPT
    # ------------------------------------------------------------
    echo "|:Apaga tabelas de roteamento:.......................:|"
    ip route flush table $WAN1_NAME
    ip route flush table $WAN2_NAME
    del_rules
    echo "|:.............ok:|"
    # ------------------------------------------------------------
    echo "|:Regras para direcionar marcas no roteamento:.......:|"
    ip rule add fwmark $WAN1_MARK table $WAN1_NAME
    ip rule add fwmark $WAN2_MARK table $WAN2_NAME
    echo "|:.............ok:|"
    # Copy the routes of the main table into the other routing tables
    #ip route show | grep -v ^default | while read rota; do
    #    ip route add table net $rota
    #    ip route add table gvt $rota
    #done
    # ------------------------------------------------------------
    # Traffic originated by the firewall from a link's own IP uses that link.
    ip rule add from $WAN1_IP table $WAN1_NAME
    ip rule add from $WAN2_IP table $WAN2_NAME
    # ------------------------------------------------------------
    echo "|:Indica quem é o gateway de cada link:..............:|"
    ip route add default via $WAN1_GW dev $WAN1_IF table $WAN1_NAME
    ip route add default via $WAN2_GW dev $WAN2_IF table $WAN2_NAME
    echo "|:.............ok:|"
    #echo "|:Tabela default:....................................:|"
    #ip route add default via $WAN1_GW dev $WAN1_IF
    #ip route add default via $WAN2_GW dev $WAN2_IF
    #echo "|:.............ok:|"
    echo "|=====================================================|"
    # Replies from each published server follow the mark of the link the
    # connection came in on. Marks 7-12 reuse priorities 25/26 as in the
    # original; ip accepts several rules with the same priority.
    ip rule add fwmark 1 from 10.10.1.8 table $WAN1_NAME prio 19
    echo "|:Efetuado á marcação do smtp com entrada pelo link 1:|"
    ip rule add fwmark 2 from 10.10.1.8 table $WAN2_NAME prio 20
    echo "|:Efetuado á marcação do smtp com entrada pelo link 2:|"
    ip rule add fwmark 3 from 10.10.2.5 table $WAN1_NAME prio 21
    echo "|:Efetuado á marcação do pop3 com entrada pelo link 1:|"
    ip rule add fwmark 4 from 10.10.2.5 table $WAN2_NAME prio 22
    echo "|:Efetuado á marcação do pop3 com entrada pelo link 2:|"
    ip rule add fwmark 5 from 10.10.1.9 table $WAN1_NAME prio 23
    echo "|:Efetuado á marcação do http com entrada pelo link 1:|"
    ip rule add fwmark 6 from 10.10.1.9 table $WAN2_NAME prio 24
    echo "|:Efetuado á marcação do http com entrada pelo link 2:|"
    echo "|=====================================================|"
    ip rule add fwmark 7 from 10.10.1.8 table $WAN1_NAME prio 25
    echo "|:Marcação na porta 3389 com entrada pelo link 1 :|"
    ip rule add fwmark 8 from 10.10.1.8 table $WAN2_NAME prio 26
    echo "|:Marcação na porta 3389 com entrada pelo link 2 :|"
    ip rule add fwmark 9 from 10.10.1.8 table $WAN1_NAME prio 25
    echo "|:Marcação na porta 8009 com entrada pelo link 1 :|"
    ip rule add fwmark 10 from 10.10.1.8 table $WAN2_NAME prio 26
    echo "|:Marcação na porta 8009 com entrada pelo link 2 :|"
    ip rule add fwmark 11 from 10.10.2.5 table $WAN1_NAME prio 25
    echo "|:Marcação na porta 8081 com entrada pelo link 1 :|"
    ip rule add fwmark 12 from 10.10.2.5 table $WAN2_NAME prio 26
    echo "|:Marcação na porta 8081 com entrada pelo link 2 :|"
    echo "|:Marcações efetuadas com sucesso :|"
    echo "|=====================================================|"
    ip route flush cache
    echo "|:Atualizado o cache de roteamento com sucesso :|"
    # ------------------------------------------------------------
    echo "|:ATIVA O MASCARAMENTO DE SAÍDA:.....................:|"
    # Both links have fixed IPs, so "SNAT --to-source $WANx_IP" would also do.
    $IPTABLES -t nat -A POSTROUTING -o $WAN1_IF -j MASQUERADE
    $IPTABLES -t nat -A POSTROUTING -o $WAN2_IF -j MASQUERADE
    echo "|:.............ok:|"
    ;;
stop)
    echo "|:Desativar o firewall:..............................:|"
    $IPTABLES -F
    $IPTABLES -Z
    $IPTABLES -X
    $IPTABLES -F -t nat
    $IPTABLES -X -t nat
    $IPTABLES -F -t mangle
    $IPTABLES -X -t mangle
    $IPTABLES -P INPUT ACCEPT
    $IPTABLES -P FORWARD ACCEPT
    del_rules
    echo "|:.............ok:|"
    ;;
stats)
    $IPTABLES -nL
    ;;
restart)
    $0 stop
    $0 start
    ;;
nat)
    $IPTABLES -L -v -t nat -n
    ;;
mangle)
    $IPTABLES -t mangle -L
    ;;
*)
    echo "Usage: $0 [start|stop|stats|restart|nat|mangle]"
    ;;
esac
```
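As an added example that is not part of Eduardo's script: a small offline audit of an `iptables-save` dump that flags the two weak spots the script above leaves open, the FORWARD chain whose DROP policy is commented out and ACCEPT rules on INPUT that are not limited by interface or source. The dump, the function names and the audit rules are my own constructions.

```shell
#!/bin/sh
# Offline audit of an iptables-save dump (added example, not the original script).
# Usage on a live box: audit "$(iptables-save)"

# Constructed sample dump, shaped like what the script above produces:
# INPUT is closed by policy, FORWARD is not, and 22/53 are open from anywhere.
SAMPLE_DUMP='*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -i eth3 -p tcp -m tcp --dport 1723 -j ACCEPT
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -s 10.10.2.4/32 -j ACCEPT
-A FORWARD -j LOG --log-prefix "FORWARD Barrado: "
COMMIT'

# chain_policy DUMP CHAIN: print the default policy of CHAIN (":CHAIN POLICY [x:y]").
chain_policy() {
    printf '%s\n' "$1" | awk -v c=":$2" '$1 == c { print $2; exit }'
}

# unrestricted_accepts DUMP CHAIN: print the destination ports of ACCEPT rules in
# CHAIN that carry neither an input interface (-i) nor a source (-s) match,
# i.e. services exposed on both WAN links as well as the LANs.
unrestricted_accepts() {
    printf '%s\n' "$1" | awk -v c="$2" '
        $1 == "-A" && $2 == c && / -j ACCEPT/ && !/ -i / && !/ -s / && / --dport / {
            for (i = 1; i <= NF; i++) if ($i == "--dport") print $(i + 1)
        }'
}

# audit DUMP: print one FINDING line per problem; return 0 only when there is none.
audit() {
    rc=0
    for chain in INPUT FORWARD; do
        policy=$(chain_policy "$1" "$chain")
        if [ "$policy" != "DROP" ]; then
            echo "FINDING: $chain policy is ${policy:-missing}, expected DROP"
            rc=1
        fi
    done
    for port in $(unrestricted_accepts "$1" INPUT); do
        echo "FINDING: INPUT accepts dport $port from any interface and source"
        rc=1
    done
    return $rc
}

if audit "$SAMPLE_DUMP"; then
    echo "audit: no findings"
else
    echo "audit: review the findings above"
fi
```

On the constructed dump the audit reports the ACCEPT policy on FORWARD and the unrestricted ports 22 and 53; narrowing those rules with `-i $LAN_IF` / `-i $LAN2_IF` and enabling the two commented-out FORWARD lines makes it pass.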