Balancing 2 links on Linux Mandriva

1. Balancing 2 links on Linux Mandriva

Eduardo
djdu

(uses Mandriva)

Posted on 05/05/2010 - 15:22h

Folks, how do I set up balancing of 2 internet links on the box, given that:

eth0: 192.168.0.1 local network
eth0:1: 192.168.1.1 alias for the new network
eth1: 10.0.0.1 (Internet Sercomtel)
eth2: 189.58.111.50 (Internet GVT)

I want the 192.168.0.0 network to reach the internet through eth1
and the 192.168.1.0 network to reach the internet through eth2.

If it can't be done through balancing, how can I do this by some other means???

2. Re: Balancing 2 links on Linux Mandriva

Rafael Umbelino
tlaloc

(uses Gentoo)

Posted on 05/05/2010 - 15:30h

In iptables, just direct the internal traffic coming from 192.168.0.0 to go out through eth1 and all internal traffic coming from 192.168.1.0 to go out through eth2.
Also write the rules for the reverse path (what comes in through eth1 must not go to 192.168.1.0, and vice versa).

(Y)


3. Re: Balancing 2 links on Linux Mandriva

Eduardo
djdu

(uses Mandriva)

Posted on 05/05/2010 - 15:48h

That's the thing, I'm still pretty new at this, I'm learning. How do I write the syntax for all of that?


4. Re: Balancing 2 links on Linux Mandriva

Rafael Umbelino
tlaloc

(uses Gentoo)

Posted on 05/05/2010 - 16:33h

Post the rules you've written so far. (Y)


5. Re: Balancing 2 links on Linux Mandriva

Eduardo
djdu

(uses Mandriva)

Posted on 05/05/2010 - 19:07h

#!/bin/bash
# Firewall
# Layer7

# Flush existing rules -------------------------------------------------------
iptables -F
iptables -t nat -F

# Loading modules ------------------------------------------------------------
modprobe ipt_layer7
modprobe ip_tables
modprobe iptable_nat
modprobe ip_conntrack
modprobe ip_conntrack_ftp
modprobe ip_nat_ftp

# Patched iptables binary (only referenced by the commented-out rules below)
iptables=/usr/local/sbin/iptables

# Internet sharing rules -----------------------------------------------------

# Enabling IPv4 forwarding
echo 1 > /proc/sys/net/ipv4/ip_forward

# Force web traffic through the proxy
#/usr/local/sbin/iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-ports 3128

# Allowing internet access per network ---------------------------------------
iptables -t nat -A POSTROUTING -s 192.168.0.0/24 -o eth1 -j MASQUERADE

# Port filters ---------------------------------------------------------------

# Allowing

# INPUT
iptables -A INPUT -p tcp --dport 20:21 -j ACCEPT # ftp
iptables -A INPUT -p udp --dport 20:21 -j ACCEPT # ftp
iptables -A INPUT -p tcp --dport 22 -j ACCEPT # ssh
iptables -A INPUT -p udp --dport 22 -j ACCEPT # ssh
iptables -A INPUT -p tcp --dport 80 -j ACCEPT # http
iptables -A INPUT -p udp --dport 80 -j ACCEPT # http
iptables -A INPUT -p tcp --dport 5631:5632 -j ACCEPT # PcAnywhere
iptables -A INPUT -p udp --dport 5631:5632 -j ACCEPT # PcAnywhere
iptables -A INPUT -p tcp --dport 50000 -j ACCEPT # VPN
iptables -A INPUT -p tcp --dport 5222 -j ACCEPT
iptables -A INPUT -p tcp --dport 12034 -j ACCEPT # SisNet (Health Dept.)
iptables -A INPUT -p udp --dport 12034 -j ACCEPT # SisNet (Health Dept.)
iptables -A INPUT -p tcp --dport 25 -j ACCEPT # Smtp
iptables -A INPUT -p tcp --dport 110 -j ACCEPT # Pop
iptables -A INPUT -p tcp --dport 443 -j ACCEPT #
iptables -A INPUT -p tcp --dport 143 -j ACCEPT # Webmail

# FORWARD
iptables -A FORWARD -p tcp --dport 25 -j ACCEPT # Smtp
iptables -A FORWARD -p tcp --dport 110 -j ACCEPT # Pop

# Security rules against known attacks ---------------------------------------

# SYN-flood protection
iptables -A INPUT -p tcp --syn -m limit --limit 1/s -j ACCEPT
iptables -A FORWARD -p tcp --syn -m limit --limit 1/s -j ACCEPT

# Port scanner protection
iptables -A INPUT -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit 1/s -j ACCEPT
iptables -A FORWARD -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit 1/s -j ACCEPT

# Ping of death protection
iptables -A INPUT -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT
iptables -A FORWARD -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT

# Protection against malformed packets
#iptables -A FORWARD -m unclean -j DROP
#iptables -A INPUT -m unclean -j DROP

# If you don't want to answer pings
#echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_all

# Blocking machines by MAC ---------------------------------------------------

#/usr/local/sbin/iptables -A INPUT -m mac --mac-source 00:e0:18:73:6d:fe -j DROP

# Redirection rules ----------------------------------------------------------

#iptables -t nat -A PREROUTING -p tcp -d 200.155.38.122 --dport 5900 -j DNAT --to 192.168.0.202:5900
#iptables -t nat -A PREROUTING -p udp -d 200.155.38.122 --dport 5900 -j DNAT --to 192.168.0.202:5900

# Blocking at layer 7

iptables -I FORWARD -m layer7 --l7proto edonkey -d any/0 -j DROP
iptables -I FORWARD -m layer7 --l7proto edonkey -s any/0 -j DROP
iptables -I FORWARD -m layer7 --l7proto armagetron -d any/0 -j DROP
iptables -I FORWARD -m layer7 --l7proto armagetron -s any/0 -j DROP
iptables -I FORWARD -m layer7 --l7proto aim -d any/0 -j DROP
iptables -I FORWARD -m layer7 --l7proto aim -s any/0 -j DROP
iptables -I FORWARD -m layer7 --l7proto ares -d any/0 -j DROP
iptables -I FORWARD -m layer7 --l7proto ares -s any/0 -j DROP
iptables -I FORWARD -m layer7 --l7proto bittorrent -d any/0 -j DROP
iptables -I FORWARD -m layer7 --l7proto bittorrent -s any/0 -j DROP
iptables -I FORWARD -m layer7 --l7proto counterstrike-source -d any/0 -j DROP
iptables -I FORWARD -m layer7 --l7proto counterstrike-source -s any/0 -j DROP
iptables -I FORWARD -m layer7 --l7proto doom3 -d any/0 -j DROP
iptables -I FORWARD -m layer7 --l7proto doom3 -s any/0 -j DROP
iptables -I FORWARD -m layer7 --l7proto gnutella -d any/0 -j DROP
iptables -I FORWARD -m layer7 --l7proto gnutella -s any/0 -j DROP
iptables -I FORWARD -m layer7 --l7proto halflife2-deathmatch -d any/0 -j DROP
iptables -I FORWARD -m layer7 --l7proto halflife2-deathmatch -s any/0 -j DROP
iptables -I FORWARD -m layer7 --l7proto hotline -d any/0 -j DROP
iptables -I FORWARD -m layer7 --l7proto hotline -s any/0 -j DROP
iptables -I FORWARD -m layer7 --l7proto jabber -d any/0 -j DROP
iptables -I FORWARD -m layer7 --l7proto jabber -s any/0 -j DROP
iptables -I FORWARD -m layer7 --l7proto kugoo -d any/0 -j DROP
iptables -I FORWARD -m layer7 --l7proto kugoo -s any/0 -j DROP
iptables -I FORWARD -m layer7 --l7proto msn-filetransfer -d any/0 -j DROP
iptables -I FORWARD -m layer7 --l7proto msn-filetransfer -s any/0 -j DROP
iptables -I FORWARD -m layer7 --l7proto msnmessenger -d any/0 -j DROP
iptables -I FORWARD -m layer7 --l7proto msnmessenger -s any/0 -j DROP
iptables -I FORWARD -m layer7 --l7proto napster -d any/0 -j DROP
iptables -I FORWARD -m layer7 --l7proto napster -s any/0 -j DROP
iptables -I FORWARD -m layer7 --l7proto quake1 -d any/0 -j DROP
iptables -I FORWARD -m layer7 --l7proto quake1 -s any/0 -j DROP
iptables -I FORWARD -m layer7 --l7proto quake-halflife -d any/0 -j DROP
iptables -I FORWARD -m layer7 --l7proto quake-halflife -s any/0 -j DROP
iptables -I FORWARD -m layer7 --l7proto skypeout -d any/0 -j DROP
iptables -I FORWARD -m layer7 --l7proto skypeout -s any/0 -j DROP
iptables -I FORWARD -m layer7 --l7proto skypetoskype -d any/0 -j DROP
iptables -I FORWARD -m layer7 --l7proto skypetoskype -s any/0 -j DROP
iptables -I FORWARD -m layer7 --l7proto subspace -d any/0 -j DROP
iptables -I FORWARD -m layer7 --l7proto subspace -s any/0 -j DROP
iptables -I FORWARD -m layer7 --l7proto teamfortress2 -d any/0 -j DROP
iptables -I FORWARD -m layer7 --l7proto teamfortress2 -s any/0 -j DROP
iptables -I FORWARD -m layer7 --l7proto worldofwarcraft -d any/0 -j DROP
iptables -I FORWARD -m layer7 --l7proto worldofwarcraft -s any/0 -j DROP
iptables -I FORWARD -m layer7 --l7proto yahoo -d any/0 -j DROP
iptables -I FORWARD -m layer7 --l7proto yahoo -s any/0 -j DROP
iptables -I FORWARD -m layer7 --l7proto xboxlive -d any/0 -j DROP
iptables -I FORWARD -m layer7 --l7proto xboxlive -s any/0 -j DROP
iptables -I FORWARD -m layer7 --l7proto goboogy -d any/0 -j DROP
iptables -I FORWARD -m layer7 --l7proto goboogy -s any/0 -j DROP
iptables -I FORWARD -m layer7 --l7proto cvs -d any/0 -j DROP
iptables -I FORWARD -m layer7 --l7proto cvs -s any/0 -j DROP
iptables -I FORWARD -m layer7 --l7proto battlefield1942 -d any/0 -j DROP
iptables -I FORWARD -m layer7 --l7proto battlefield1942 -s any/0 -j DROP
iptables -I FORWARD -m layer7 --l7proto battlefield2 -d any/0 -j DROP
iptables -I FORWARD -m layer7 --l7proto battlefield2 -s any/0 -j DROP

# MSN rules ------------------------------------------------------------------

# Allowing for some IPs
#iptables -A FORWARD -s 192.168.0.1 -p tcp --dport 1863 -j ACCEPT # Mail

# Blocking the rest of the network
iptables -A OUTPUT -p tcp --dport 1863 -j REJECT
iptables -A FORWARD -p tcp --dport 1863 -j REJECT

# Opening networks -----------------------------------------------------------

iptables -A INPUT -p tcp --syn -s 192.168.0.0/255.255.255.0 -j ACCEPT

# Close the rest -------------------------------------------------------------

iptables -A INPUT -p tcp --syn -j DROP
#$iptables -A INPUT -p udp -j DROP

# Firewall message -----------------------------------------------------------
echo "...Starting Firewall Layer7 ok!"
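The script above masquerades only 192.168.0.0/24 on eth1, so the second subnet never reaches the GVT link, and iptables alone cannot pick an outgoing interface per source network: that is a routing decision. The following is an added example (not from the thread or its authors) of the per-subnet split Rafael describes, done with iproute2 policy routing plus per-uplink MASQUERADE and the reverse-path DROP rules; the next-hop gateway addresses and routing-table ids are assumed placeholders. With DRY_RUN=1 it only prints the commands so the whole policy can be reviewed before it is applied as root.

```shell
#!/bin/sh
# Added example: source-based policy routing for two uplinks.
# Next-hop gateways are ASSUMED placeholders (the thread gives only the local addresses).
GW_SERCOMTEL="10.0.0.254"        # assumed gateway on eth1 (Sercomtel)
GW_GVT="189.58.111.1"            # assumed gateway on eth2 (GVT)
LAN_A="192.168.0.0/24"           # eth0   -> must leave via eth1
LAN_B="192.168.1.0/24"           # eth0:1 -> must leave via eth2

# With DRY_RUN=1 the commands are printed instead of executed,
# so the policy can be reviewed before touching the live box.
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

policy_routing() {
    # One routing table per uplink (ids 101/102 are arbitrary but must not clash).
    run ip route add default via "$GW_SERCOMTEL" dev eth1 table 101
    run ip route add default via "$GW_GVT" dev eth2 table 102

    # Route selection by SOURCE address: LAN_A consults table 101, LAN_B table 102.
    run ip rule add from "$LAN_A" table 101 priority 101
    run ip rule add from "$LAN_B" table 102 priority 102

    # Packets the router sends from one of its own uplink addresses must use
    # that uplink, otherwise replies to eth2 connections could go out eth1 and
    # be dropped by the ISP as a spoofed source.
    run ip rule add from 10.0.0.1 table 101 priority 103
    run ip rule add from 189.58.111.50 table 102 priority 104
    run ip route flush cache

    # NAT: each subnet is masqueraded only on its own uplink.
    run iptables -t nat -A POSTROUTING -s "$LAN_A" -o eth1 -j MASQUERADE
    run iptables -t nat -A POSTROUTING -s "$LAN_B" -o eth2 -j MASQUERADE

    # Reverse path, as Rafael describes: what enters on eth1 may not reach LAN_B
    # and what enters on eth2 may not reach LAN_A. The last two rules also stop
    # one subnet from leaking out the other link if a routing rule is missing.
    run iptables -A FORWARD -i eth1 -d "$LAN_B" -j DROP
    run iptables -A FORWARD -i eth2 -d "$LAN_A" -j DROP
    run iptables -A FORWARD -s "$LAN_A" -o eth2 -j DROP
    run iptables -A FORWARD -s "$LAN_B" -o eth1 -j DROP
}

# "sh split-links.sh show" prints the policy; "sh split-links.sh apply" (as root) installs it.
case "${1:-}" in
    show)  DRY_RUN=1; policy_routing ;;
    apply) policy_routing ;;
esac
```

Check the result with `ip rule show` and `ip route show table 102`; the ip_forward sysctl from the firewall script above is still required.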
