emerson2703
(uses CentOS)
Posted on 29/07/2009 - 17:49h
Colleague,
I have a firewall running with eth0 (192.168.0.0) as the local network and eth1 as the internet link. I want to add another network card, eth2, for a second local network (10.101.0.0), but I'd like to know how I make both eth0 and eth2 reach the internet through eth1. I use iptables and squid:
Iptables:
# Generated by iptables-save v1.3.5 on Sat Jul 11 14:45:48 2009
*nat
:PREROUTING ACCEPT [247:25323]
:POSTROUTING ACCEPT [7:415]
:OUTPUT ACCEPT [7:415]
-A PREROUTING -i eth0 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128
# MSN blocking
-j DROP
-A PREROUTING -p tcp -m tcp --dport 1863 -m mac --mac-source 00:1B:77:A5:1E:0E -j DROP
-A PREROUTING -p tcp -m tcp --dport 1863 -m mac --mac-source 00:19:7E:36:26:33 -j DROP
-A POSTROUTING -o eth1 -j MASQUERADE
COMMIT
# Completed on Sat Jul 11 14:45:48 2009
# Generated by iptables-save v1.3.5 on Sat Jul 11 14:45:48 2009
*filter
:INPUT DROP [3:287]
:FORWARD DROP [216:10833]
:OUTPUT DROP [14:1170]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -i eth0 -j ACCEPT
-A INPUT -i eth1 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p icmp --icmp-type echo-request -j ACCEPT
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
# Allow Internet and System
-A FORWARD -p tcp -m tcp --dport 1863 -j ACCEPT
-A FORWARD -p tcp -m tcp --dport 80 -j ACCEPT
-A FORWARD -p tcp -m tcp --dport 8080 -j ACCEPT
-A FORWARD -p tcp -m tcp --dport 53 -j ACCEPT
-A FORWARD -p tcp -m tcp --dport 443 -j ACCEPT
# Allow sending and receiving e-mail
-A FORWARD -p tcp -m tcp --dport 110 -j ACCEPT
-A FORWARD -p tcp -m tcp --dport 465 -j ACCEPT
-A FORWARD -p tcp -m tcp --dport 25 -j ACCEPT
# Allow remote connections (Terminal Server, VNC and PuTTY)
-A FORWARD -p tcp -m tcp --dport 3389 -j ACCEPT
-A FORWARD -d 192.168.0.110 -j ACCEPT
-A FORWARD -p tcp -m tcp --dport 4901 -j ACCEPT
-A FORWARD -p tcp -m tcp --dport 22 -j ACCEPT
-A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -o eth0 -j ACCEPT
-A OUTPUT -o eth1 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 80 -j ACCEPT
COMMIT
# Completed on Sat Jul 11 14:45:48 2009
Squid:
http_port 3128 transparent
visible_hostname Firewall-Lauro
cache_mem 376 MB
maximum_object_size_in_memory 128 KB
maximum_object_size 4096 KB
minimum_object_size 0 KB
cache_swap_low 90
cache_swap_high 95
cache_dir ufs /var/spool/squid 12288 16 256
cache_access_log /var/log/squid/access.log
cache_log /var/log/squid/cache.log
cache_store_log /var/log/squid/store.log
acl all src 0.0.0.0/0.0.0.0
acl localhost src 127.0.0.1
acl Libera_IP src "/etc/squid/Libera_IP.txt"
acl IP_Liberado src "/etc/squid/IP_Liberado.txt"
acl Sites_Liberados url_regex -i "/etc/squid/Sites_Liberados.txt"
always_direct allow all
http_access deny Libera_IP
http_access allow IP_Liberado
http_access allow Sites_Liberados
http_access deny all
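Added example, not part of emerson2703's post: a POSIX shell script with the rules that give eth2 the same path to the internet that eth0 already has, written so that IPT=echo previews the rules before they are applied. It assumes eth2 is 10.101.0.0/16 (the post gives no prefix length) and keeps Squid on port 3128 as in the post; the rules match on source network as well as interface instead of accepting everything that arrives on an interface.

```shell
#!/bin/sh
# Added example (not from the original post). Assumptions: new LAN is
# eth2 / 10.101.0.0/16 (mask assumed), WAN is eth1, Squid listens on 3128.
# Usage:  IPT=echo sh lan.sh apply   -> print the rules only
#         sh lan.sh apply            -> apply them (root required)
IPT=${IPT:-iptables}
WAN=eth1
SQUID_PORT=3128

# lan_rules IFACE NETWORK: give one LAN access to the proxy and the WAN.
# Each rule is bound to interface AND source network, so a host on the
# wrong segment (or using an address from the other LAN) is not matched.
lan_rules() {
    lan_if=$1
    lan_net=$2
    # Transparent proxy: only port 80 from this LAN is sent to Squid.
    $IPT -t nat -A PREROUTING -i "$lan_if" -s "$lan_net" -p tcp --dport 80 \
        -j REDIRECT --to-ports "$SQUID_PORT"
    # INPUT policy is DROP: accept the redirected connections on the proxy
    # port only, rather than the whole interface.
    $IPT -A INPUT -i "$lan_if" -s "$lan_net" -p tcp --dport "$SQUID_PORT" -j ACCEPT
    # New connections from this LAN out to the WAN; the existing
    # RELATED,ESTABLISHED rule already takes care of the return traffic.
    $IPT -A FORWARD -i "$lan_if" -o "$WAN" -s "$lan_net" -m state --state NEW -j ACCEPT
}

# count_rules IFACE NETWORK: number of rules lan_rules emits (dry run).
count_rules() {
    ( IPT=echo; lan_rules "$1" "$2" ) | wc -l
}

main() {
    # Without forwarding enabled in the kernel no LAN reaches eth1 at all.
    sysctl -w net.ipv4.ip_forward=1
    lan_rules eth0 192.168.0.0/24
    lan_rules eth2 10.101.0.0/16
    # One MASQUERADE on the WAN covers both LANs (same rule as in the post).
    $IPT -t nat -A POSTROUTING -o "$WAN" -j MASQUERADE
}

if [ "${1:-}" = "apply" ]; then
    main
fi
```

Squid itself only admits clients listed in /etc/squid/IP_Liberado.txt (or URLs in Sites_Liberados.txt), so hosts from 10.101.0.0 also have to be added to that file or they will get "deny all" from the proxy.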