adyfeitosa
(usa Outra)
Enviado em 30/04/2014 - 21:08h
Caros,
Boa noite!
Gostaria de uma ajuda para efetuar esse loadbalance.
Trabalho com Ubuntu 12.04.
Faço o compartilhamento da internet no rc.local e uso o squid; este é o meu cenário.
**************************************************************
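#!/bin/sh
#
# rc.local
#
# This script is executed at the end of each multiuser runlevel.
# Make sure that the script will "exit 0" on success or any other
# value on error.
#
# In order to enable or disable this script just change the execution
# bits.
#
# Interfaces (from the author's notes):
#   eth0 -> unused
#   eth1 -> Velox uplink      (192.168.2.100/24)
#   eth2 -> GVT uplink        (192.168.254.100/24)
#   eth3 -> internal LAN      (192.168.1.100/24)
#
# Abort on the first failing command. Set here rather than in the shebang so it
# also applies when the file is invoked as "sh /etc/rc.local".
# NOTE(review): a failure before the "-P INPUT DROP" line below (for example a
# modprobe of a module name that does not exist on this kernel) aborts the
# script while the chains still carry the default ACCEPT policy.
set -e

# Wipe and rebuild the squid cache directories.
# NOTE(review): this removes everything under /var/cache/squid3 on every boot,
# including the cache_dir subdirectories listed in squid.conf.
service squid3 stop
rm -rf /var/cache/squid3/*
cd /var/cache/
chown proxy /var/cache/squid3
chgrp proxy /var/cache/squid3
squid3 -z
service squid3 start
cd /etc/

# Load the basic netfilter modules.
# printf replaces "echo -n": POSIX leaves "echo -n" implementation-defined, so
# the original could print a literal "-n" on some /bin/sh implementations.
printf '%s' "Carregando os modulos..."
modprobe ip_tables
modprobe iptable_filter
modprobe ip_conntrack
modprobe ip_conntrack_ftp
modprobe iptable_nat
modprobe ip_nat_ftp
modprobe ipt_LOG
modprobe ipt_state
modprobe ipt_MASQUERADE
printf '%s\n' " [OK]"

# Reset the firewall: flush every table, drop user chains, zero counters,
# then set the default policies.
printf '%s' "Resetando o firewall..."
iptables -F
iptables -t nat -F
iptables -t mangle -F
iptables -X
iptables -Z
iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT
# NOTE(review): with a FORWARD policy of ACCEPT every forwarded packet is
# allowed; the "-A FORWARD ... -j ACCEPT" rules further down therefore add
# nothing, and no FORWARD rule below drops or rejects anything.
iptables -P FORWARD ACCEPT
printf '%s\n' " [OK]"

# Enable packet forwarding and basic hardening sysctls.
printf '%s' "Habilitando o roteamento..."
echo "1" > /proc/sys/net/ipv4/ip_forward
echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_all
# NOTE(review): strict reverse-path filtering can drop replies that arrive on
# the "other" uplink once traffic is balanced across eth1 and eth2 — confirm
# this setting when the load-balancing routes are added.
echo "1" > /proc/sys/net/ipv4/conf/all/rp_filter
echo "1" > /proc/sys/net/ipv4/tcp_syncookies
printf '%s\n' " [OK]"

# Trust the internal LAN on eth3 (the original comment said eth1; the rules
# use eth3, which matches the interface list in the header).
iptables -A INPUT -i eth3 -s 192.168.1.0/255.255.255.0 -j ACCEPT
iptables -A INPUT -i eth3 -m state --state NEW -j ACCEPT
printf '%s\n' " [OK]"

# Allow DNS server replies.
# NOTE(review): on INPUT the destination must be a local address; these rules
# match packets FROM the LAN TO the external resolvers, so they appear to have
# source and destination swapped and likely never match.
printf '%s' "Liberando servidores DNS..."
iptables -A INPUT -p udp -s 192.168.1.0/24 --sport 53 -d 200.222.145.84 -j ACCEPT
iptables -A INPUT -p udp -s 192.168.1.0/24 --sport 53 -d 200.175.5.139 -j ACCEPT
# iptables -A INPUT -p udp -s 192.168.0.0/24 --sport 53 -d $DNS2 -j ACCEPT
printf '%s\n' " [OK]"

######################## external INPUT on both uplinks ########################
iptables -A INPUT -i eth1 -p tcp -m multiport --dport 80,443 -j ACCEPT
iptables -A INPUT -i eth2 -p tcp -m multiport --dport 80,443 -j ACCEPT

############################ port forwards (DNAT) ##############################
# NOTE(review): port 443 on both uplinks is forwarded to 192.168.1.2:3389 (RDP),
# i.e. RDP is reachable from the Internet on both links. Restricting the source
# (-s <known address>) or moving it behind a VPN would reduce the exposure.
iptables -t nat -A PREROUTING -i eth1 -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.1.2:80
iptables -t nat -A PREROUTING -i eth1 -p tcp -m tcp --dport 443 -j DNAT --to-destination 192.168.1.2:3389
iptables -t nat -A PREROUTING -i eth2 -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.1.2:80
iptables -t nat -A PREROUTING -i eth2 -p tcp -m tcp --dport 443 -j DNAT --to-destination 192.168.1.2:3389

############################ Internet sharing (NAT) ############################
#iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
iptables -A POSTROUTING -t nat -s 192.168.1.0/24 -o eth1 -j MASQUERADE
iptables -A POSTROUTING -t nat -s 192.168.1.0/24 -o eth2 -j MASQUERADE
iptables -A FORWARD -i eth1 -p tcp --dport 80 -j ACCEPT
iptables -A FORWARD -i eth1 -p tcp --dport 443 -j ACCEPT
iptables -A FORWARD -i eth2 -p tcp --dport 80 -j ACCEPT
iptables -A FORWARD -i eth2 -p tcp --dport 443 -j ACCEPT
# Transparent proxy redirects.
# NOTE(review): these match the uplink interfaces (eth1/eth2), where the DNAT
# rules above already consumed ports 80/443 in nat PREROUTING, so they are
# never reached; no rule redirects LAN clients on eth3 to squid. Also, a plain
# "http_port ... transparent" cannot intercept 443, so the two 443 redirects
# would not work even if reached — confirm against the squid setup.
iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 80 -j REDIRECT --to-port 3128
iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 443 -j REDIRECT --to-port 3128
iptables -t nat -A PREROUTING -i eth2 -p tcp --dport 80 -j REDIRECT --to-port 3128
iptables -t nat -A PREROUTING -i eth2 -p tcp --dport 443 -j REDIRECT --to-port 3128

# DNS for the internal network (queries out, replies back).
printf '%s' "Liberando DNS para rede interna..."
iptables -A FORWARD -p udp -s 192.168.1.0/24 -d 200.222.145.84 --dport 53 -j ACCEPT
# iptables -A FORWARD -p udp -s 192.168.254.0/24 -d $DNS2 --dport 53 -j ACCEPT
iptables -A FORWARD -p udp -s 200.222.145.84 --sport 53 -d 192.168.1.0/24 -j ACCEPT
iptables -A FORWARD -p udp -s 192.168.1.0/24 -d 200.175.5.139 --dport 53 -j ACCEPT
# iptables -A FORWARD -p udp -s 192.168.254.0/24 -d $DNS2 --dport 53 -j ACCEPT
iptables -A FORWARD -p udp -s 200.175.5.139 --sport 53 -d 192.168.1.0/24 -j ACCEPT
printf '%s\n' " [OK]"

# Keep established / related connections.
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

# Allow loopback traffic.
iptables -A INPUT -i lo -j ACCEPT

################################## LOG ###################################
# NOTE(review): the three DROP rules run before the LOG rule, so the traffic
# they drop (udp, icmp, tcp outside 0:1056) is never logged; only what
# survives them reaches the rate-limited LOG.
iptables -A INPUT -p tcp -m multiport ! --dports 0:1056 -j DROP
iptables -A INPUT -p udp -j DROP
iptables -A INPUT -p icmp -j DROP
iptables -A INPUT -m limit --limit 3/m --limit-burst 3 -j LOG --log-prefix "LOG-FW: "

############################ drop remaining INPUT ###############################
# Reject anything on the uplinks not accepted above; everything else falls to
# the INPUT DROP policy.
iptables -A INPUT -i eth1 -j REJECT
iptables -A INPUT -i eth2 -j REJECT

###################### firewall active: resolver setup ##########################
# One printf emits the same four "nameserver <ip>" lines the original wrote
# with echo/>>; the file is overwritten on every boot.
# NOTE(review): on Ubuntu 12.04 /etc/resolv.conf is usually managed by
# resolvconf, which may overwrite this — verify on the host.
#echo nameserver 192.168.254.200 > /etc/resolv.conf
printf 'nameserver %s\n' 8.8.8.8 8.8.4.4 200.222.145.84 200.175.5.139 > /etc/resolv.conf
exit 0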
**************************************************************
Configuração do SQUID
************************************
######################### Autor: Ady Feitosa ###############
# Listening port for intercepted (transparent) HTTP on the LAN address.
# NOTE(review): this mode only intercepts plain HTTP; the rc.local rules that
# REDIRECT port 443 to 3128 cannot be served by this port — confirm.
http_port 192.168.1.100:3128 transparent
visible_hostname assempnet
############## Cache configuration ###############
# Do not cache dynamic (cgi-bin / query-string) content.
hierarchy_stoplist cgi-bin ?
acl QUERY urlpath_regex cgi-bin \?
cache deny QUERY
hosts_file /etc/hosts
############## Cache configuration ###############
cache_mgr adyfeitosa@yahoo.com.br
cache_effective_user proxy
cache_effective_group proxy
mail_program mail
# NOTE(review): "off" means the squid version string is included in headers
# and error pages; "on" would reduce version disclosure to clients.
httpd_suppress_version_string off
cache_mem 1024 MB
maximum_object_size_in_memory 128 kb
maximum_object_size 1024 MB
minimum_object_size 0 kb
cache_swap_low 90
cache_swap_high 95
# NOTE(review): the five ufs cache_dirs live under /var/cache/squid3, which is
# also declared as the diskd cache_dir below, so the directories overlap.
# rc.local also wipes /var/cache/squid3/* on each boot — confirm this is intended.
cache_dir ufs /var/cache/squid3/squid1 4000 16 256
cache_dir ufs /var/cache/squid3/squid2 4000 16 256
cache_dir ufs /var/cache/squid3/squid3 4000 16 256
cache_dir ufs /var/cache/squid3/squid4 4000 16 256
cache_dir ufs /var/cache/squid3/squid5 4000 16 256
cache_dir diskd /var/cache/squid3 20480 64 256 Q1=64 Q2=72
# The split cache gains a little performance because each directory has fewer subdirectories to read/write.
############### Squid logs ##################
error_directory /usr/share/squid3/errors/Portuguese
cache_access_log /var/log/squid3/access.log
cache_log /var/log/squid3/cache.log
############# Cache refresh #################
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern . 0 20% 10080
################## DNS ###########################
dns_nameservers 8.8.8.8 8.8.4.4 200.175.5.139
##################################################
# internal network = 5rcc
acl minharede src 192.168.1.0/255.255.255.0
# wireless network = 5rcc
# NOTE(review): redesemfio is defined but only referenced in a commented-out
# http_access line, so wireless clients fall through to "http_access deny all".
acl redesemfio src 192.168.254.0/255.255.255.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443 # https
acl SSL_ports port 563 # snews
acl SSL_ports port 873 # rsync
# Ports clients may connect to. NOTE(review): the 1025-65535 and 8000-8999
# ranges below make "http_access deny !Safe_ports" permit almost any port
# above 1024; the single-port entries inside those ranges (8443, 8080, 8181,
# 12005, 10122, 13000-13005, 23000, 49245, ...) are already covered by them.
# Port 587 is listed twice.
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025 65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl Safe_ports port 631 # cups
acl Safe_ports port 873 # rsync
acl Safe_ports port 901 # SWAT
acl Safe_ports port 8999 # serpro
acl Safe_ports port 23000 # serpro
acl Safe_ports port 8443 # serpro
# (comment on the next line says "telnet serpro" but the port is 443/https)
acl Safe_ports port 443 # telnet serpro
acl Safe_ports port 23 # telnet serpro
acl Safe_ports port 8880 # hpopenview embratel
acl Safe_ports port 5222 # msn do expresso (jabber)
acl Safe_ports port 13000 13005 # sites do dgp
acl Safe_ports port 500 # vpn
acl Safe_ports port 1194 # vpn
acl Safe_ports port 4500 # vpn
acl Safe_ports port 8080 # localhost
acl Safe_ports port 8081 # baixaki
acl Safe_ports port 1863 7001 # MSN
acl Safe_ports port 12005 # Agenda
acl Safe_ports port 10122 # SITE RGT
acl Safe_ports port 3142 # serv rep
acl Safe_ports port 49245
acl Safe_ports port 2631 # Caixa
acl Safe_ports port 81 # Dominio Sistemas
acl Safe_ports port 25 # pop/smtp
acl Safe_ports port 110 # pop/smtp
acl Safe_ports port 587 # pop/smtp
acl Safe_ports port 465 # pop/smtp
acl Safe_ports port 587 # pop/smtp
acl Safe_ports port 20080 #
acl Safe_ports port 3456 #
acl Safe_ports port 8181 #MetropolisWEB
acl Safe_ports port 8183 #
acl Safe_ports port 8185 #
acl Safe_ports port 8187 #
acl Safe_ports port 8189 #
acl Safe_ports port 8000 8999 #
acl purge method PURGE
acl CONNECT method CONNECT
# Cache manager and PURGE only from the proxy host itself.
http_access allow manager localhost
http_access deny manager
http_access allow purge localhost
http_access deny purge
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost
#http_access deny !minharede
# schedules
#acl manha time MTWHF 08:00-12:00
#acl tarde time MTWH 13:00-18:00
# For weekends use AS (S = Sunday, A = Saturday)
# ACLs granting and denying user access (lists are read from files)
#acl dominiosliberados dstdomain "/etc/squid3/arquivos/dominios_liberados.txt"
acl dominiosbloqueados dstdomain "/etc/squid3/arquivos/dominios_bloqueados.txt"
acl palavrasbloqueadas dstdom_regex "/etc/squid3/arquivos/palavras_bloqueadas.txt"
acl extensaobloqueadas url_regex -i "/etc/squid3/arquivos/extensao_bloqueadas.txt"
# NOTE(review): rep_mime_type is a reply ACL; per the squid docs it is meant
# for http_reply_access and cannot match in http_access (used below) — confirm.
acl radioOnlinebloqueados rep_mime_type -i "/etc/squid3/arquivos/radioOnline_bloqueados.txt"
# Privileges and permissions
# sites always forbidden FOR EVERYONE
acl proibidao url_regex "/etc/squid3/arquivos/proibidao.txt"
# sites always forbidden FOR SOME
acl msn_bloq url_regex "/etc/squid3/arquivos/msn_bloqueado.txt"
# IPs allowed to use MSN
acl msn_liberaip src "/etc/squid3/arquivos/libera_msn_ip.txt"
# site exceptions
# NOTE(review): the next two lines look like one directive wrapped by the forum;
# dstdomain takes domain names, and the "/*" path suffixes are not domain
# syntax — as written this is likely rejected or matches nothing. Confirm.
acl exceto dstdomain .caixa.gov.br/*
www.caixa.gov.br/* .internetbanking.caixa.gov.br/* .domicioimveis.com.br/* .goldencross.com.br/*
# prevents the same account from being used on more than one machine at once and disables browsing for one minute
# NOTE(review): no auth_param directive is present in this block, so this
# setting (and the commented max_user_ip acl) has nothing to act on.
authenticate_ip_ttl 1 minutes
#acl usuariodup max_user_ip -s 1
# allow sites by destination IP, e.g. 200.193.140.78
acl ips_dst_liberados dst "/etc/squid3/arquivos/ips_dst_liberados.txt"
acl chat_liberado url_regex "/etc/squid3/arquivos/chat_liberado.txt"
# block access to sites by IP, e.g.:
# NOTE(review): the next line looks like the tail of this comment wrapped by the
# forum; as a bare line in squid.conf it is not a valid directive.
http://200.193.140.98
#acl todos_ips url_regex -i ^(http|https|ftp)+://[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+
# Access rules, evaluated top to bottom; first match wins.
http_access allow exceto
http_access allow chat_liberado
http_access deny proibidao
http_access deny extensaobloqueadas
http_access deny palavrasbloqueadas
http_access deny radioOnlinebloqueados
http_access deny dominiosbloqueados
http_access deny msn_bloq !msn_liberaip !exceto !chat_liberado !ips_dst_liberados
http_access allow minharede
#http_access deny minharede redesemfio
http_reply_access allow all
http_access deny all
**************************************************************