-
How to create two routes
Good morning, everyone.
I have Fedora Core where, in the future, I intend to create rules to split traffic between two network cards, but I can't manage to create the routes; I'm probably doing something wrong. The scenario is as follows:
eth0 - ip 192.168.0.31 gw 192.168.0.1
eth1 - ip 192.168.0.32 gw 192.168.0.1
I created the following routes:
192.168.0.32 via 192.168.0.1 dev eth1
192.168.1.0/24 dev eth1 proto kernel scope link src 192.168.1.1
192.168.0.0/24 dev eth0 proto kernel scope link src 192.168.0.31
192.168.0.0/24 dev eth2 proto kernel scope link src 192.168.0.32
169.254.0.0/16 dev eth2 scope link
default via 192.168.0.1 dev eth0
When I run ping bound to a given eth, for example:
ping -I eth0 www.terra.com.br
it works perfectly.
But if I run
ping -I eth1 www.terra.com.br
I can't ping terra's site.
To test, I swapped the routes, making the eth1 route the default; then I could ping through eth1, but the ping through eth0 stopped.
In short, I can only ping through a given eth if its route is the default.
Could someone please give me a hand??
Thanks in advance.
Wasley
-
Create a redirect or routes on your modem.
Then it will work.
-
Hi Leandro,
I forgot to mention that my modems are configured in bridge mode; the dial-up and the gateway role are handled by my Linux firewall, which runs Fedora Core.
Regards
-
Not sure if this will help, but give it a try:
Edit the file /etc/iproute2/rt_tables and add at the end of the file
200 <TABLE> (replace with the name of the routing table you want)
Organizing your question: if you want traffic from IPs 192.168.0.1 through .32 to leave through one gateway and 192.168.0.33 and up to leave through another, do the following:
iptables -t mangle -A POSTROUTING -m iprange --src-range 192.168.0.33-192.168.0.254 -j MARK --set-mark 1
iptables -t mangle -A PREROUTING -m iprange --dst-range 192.168.0.33-192.168.0.254 -j MARK --set-mark 1
iptables -t mangle -A PREROUTING -m iprange --src-range 192.168.0.33-192.168.0.254 -j MARK --set-mark 1
iptables -t mangle -A INPUT -m iprange --dst-range 192.168.0.33-192.168.0.254 -j MARK --set-mark 1
iptables -t mangle -A OUTPUT -m iprange --src-range 192.168.0.33-192.168.0.254 -j MARK --set-mark 1
iptables -t mangle -A FORWARD -m iprange --dst-range 192.168.0.33-192.168.0.254 -j MARK --set-mark 1
iptables -t mangle -A FORWARD -m iprange --src-range 192.168.0.33-192.168.0.254 -j MARK --set-mark 1
* This marks all packets to/from that IP range. We don't mark 1-32 because they will naturally leave through the main link.
Once the packets are marked, we point to the routing table we created earlier:
ip route add default dev <SECOND LINK INTERFACE> via <SECOND LINK GATEWAY IP> table <TABLE>
ip rule add fwmark 1 lookup <TABLE>
If you want to separate the 192.168.0.* and 192.168.1.* networks, just change the part from -m iprange up to -j MARK: where it has --src-range use -s 192.168.1.0/24, and where it has --dst-range use -d 192.168.1.0/24.
I have a server with 3 different links and 4 distinct networks; it works nicely and doesn't hurt speed or use many machine resources.
Hope this helps! :smokin:
-
I forgot to mention: if you are using the modems in bridge mode, make your life easier, put both in router mode and set up a DMZ for the server's addresses. It amounts to the same thing and you avoid having to fiddle by hand with the routes for dynamic IPs every time. Trust me, it's better.
-
Are you adding these routes on the same machine that authenticates? If so, I don't think it's possible, since the PPP connection is tied to an interface.
-
Jim,
I'm testing on a local network for now, but once I create this route the idea is exactly that: a Linux machine with two ADSL links.
-
Wasley,
Then there are some differences compared to the test setup you built:
- The two interfaces won't be on the same network
- The gateway probably won't be the same
-
Yes Jim, in the future that difference will exist.. the catch is that I don't have two ADSL links here to test with, which is why I'm testing this way.
-
I'll butt in a little just to warn you that this test won't work this way, because your two interfaces are on the same network and use the same gateway. To test this you need to change those settings.
See you...
-
magnun, it's no intrusion at all.
I'll change it, test, and report back here. Thanks.
-
Folks, my network is now like this:
Eth0 - ip: 192.168.0.31 gw: 192.168.0.1
Eth1 - ip: 192.168.1.2 gw: 192.168.1.1
My default route is: default via 192.168.0.1 dev eth0.
When I run
ping -I eth0 www.terra.com.br it responds
and when I ping
ping -I eth1 www.terra.com.br it does not respond.
Note that if I swap the default route to default via 192.168.1.1 dev eth1, the ping through eth1 starts responding and eth0 stops.
How do I create the route so that both respond?
Thanks, and sorry for the bother.
-
Add two default routes, but with different metrics:
route add -net 0/0 gw 192.168.0.1 metric 0
route add -net 0/0 gw 192.168.1.1 metric 100
The lowest metric indicates the route that will be used by default when you don't specify the outgoing interface.
-
Hello Magnun
I did as you instructed; now both interfaces are pinging. I'll continue with my tests.
Many thanks to everyone who has helped me so far.
Regards
-
Once again I need your help.
I created this rule to direct port 80 packets to eth0,
iptables -t mangle -A PREROUTING -p tcp --destination-port 80 -j ROUTE --oif eth0
but it gives an argument error.
iptables v1.3.5: Unknown arg `--oif'
I searched the net and found nothing about it.
-
I personally didn't know the -j ROUTE option. After researching a bit, I found out these are patches that can be applied to extend iptables' functions.
Now the bad news... I think you'll have to compile and install it manually.
Now the good news. There is something they call patch-o-matic, but I'm not familiar with it either. I found this link: Netfilter Extensions HOWTO
Just one thing: wouldn't it be better for you to use iproute2??? I find it simpler...
See you...
-
Thanks Magnun,
I'll look on the net for how to make this route using iproute2.
-
Right here on Under there's a lot about this. Here are links to 2 posts:
Proxy and Web server on the same machine + with different links ..
Load balancing between links with iproute2 - mini-howto
The first is quite similar to your case: it's a guy trying to route port 80 through one eth and the rest through the other.
See you...
-
See how I did my script, if that's the idea:
#!/bin/bash
###################################################
# DEFINING VARIABLES
###################################################
# PATH TO IPTABLES
IPTABLES="/sbin/iptables"
# FETCHING THE ADDRESS OF THE DYNAMIC-IP INTERFACES
# (parses pt_BR ifconfig output, where the line reads "inet end.: a.b.c.d")
FW0=`ifconfig eth0| grep "inet end."| awk '{print $3}'|cut -d":" -f2`
FW1=`ifconfig eth1| grep "inet end."| awk '{print $3}'|cut -d":" -f2`
# LAN-SIDE INTERFACE
FW2="192.168.2.1/32"
# INTERNAL NETWORK
LAN="192.168.2.0/24"
###################################################
# LOADING MODULES
###################################################
DEPMOD=/sbin/depmod
MODPROBE=/sbin/modprobe
$DEPMOD -a
$MODPROBE ip_conntrack_ftp
$MODPROBE ip_nat_ftp
$MODPROBE iptable_nat
###################################################
# ENABLING FORWARDING
###################################################
echo 1 > /proc/sys/net/ipv4/ip_forward
echo 1 > /proc/sys/net/ipv4/ip_dynaddr
###################################################
# FLUSHING EVERYTHING
###################################################
$IPTABLES -F
$IPTABLES -F INPUT
$IPTABLES -F OUTPUT
$IPTABLES -F FORWARD
$IPTABLES -F -t mangle
$IPTABLES -F -t nat
$IPTABLES -X
$IPTABLES -X -t mangle
$IPTABLES -X -t nat
###################################################
# DEFAULT POLICIES
###################################################
####
# FILTER TABLE
####
$IPTABLES -P INPUT DROP
$IPTABLES -P OUTPUT DROP
$IPTABLES -P FORWARD DROP
###################################################
# STATEFUL RULES
###################################################
$IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
###################################################
# REMOVING OLD ENTRIES FROM THE PER-LINK TABLES
# (the fwmark rules too: "ip rule add" is not idempotent,
# so re-running the script would stack duplicate rules)
###################################################
ip route del default table link1 &> /dev/null
ip route del default table link2 &> /dev/null
ip rule del fwmark 10 table link1 prio 20 &> /dev/null
ip rule del fwmark 20 table link2 prio 20 &> /dev/null
####################################################
# REMOVING THE DEFAULT ROUTE
####################################################
ip route del default &> /dev/null
ip route del default &> /dev/null
ip route del default &> /dev/null
#####################################################
# INSERTING THE DEFAULT ROUTE OF EACH PER-LINK TABLE
# (link1 and link2 must exist in /etc/iproute2/rt_tables,
# e.g. "10 link1" and "20 link2")
#####################################################
ip route add table link1 default via 192.168.0.1
ip route add table link2 default via 192.168.1.1
###################################################
# PRIVATE (INTERNAL) AND LOCAL NETWORK
###################################################
####
# LOOPBACK INTERFACE
####
$IPTABLES -A INPUT -i lo -j ACCEPT
####
# PRIVATE NETWORK
####
$IPTABLES -A FORWARD -i eth2 -d 0/0 -j ACCEPT
####
# INTERNAL NETWORK REACHING THE SERVER
####
$IPTABLES -A INPUT -s $LAN -d $FW2 -j ACCEPT
####################################################
# MARKING PORT 80 TRAFFIC
####################################################
$IPTABLES -t mangle -A PREROUTING -i eth1 -p tcp --dport 80 -j MARK --set-mark 20
$IPTABLES -t mangle -A PREROUTING -i eth1 -p tcp --dport 80 -j RETURN
$IPTABLES -t mangle -A PREROUTING -i eth1 -j MARK --set-mark 10
#####################################################
# BINDING MARKED TRAFFIC TO THE TABLES
# (the original used the bare numbers "table 10"/"table 20";
# those are the same tables only if rt_tables maps them to link1/link2)
#####################################################
ip rule add fwmark 10 table link1 prio 20
ip rule add fwmark 20 table link2 prio 20
##################################################
# DNS RULES
##################################################
####
# FORWARD FOR DNS
####
$IPTABLES -A FORWARD -p udp -s $LAN -d $FW2 -o eth0 --dport 53 -j ACCEPT
$IPTABLES -A FORWARD -p udp -d $LAN -s $FW2 -i eth0 --sport 53 -j ACCEPT
$IPTABLES -A FORWARD -p udp -s $LAN -d $FW2 -o eth1 --dport 53 -j ACCEPT
$IPTABLES -A FORWARD -p udp -d $LAN -s $FW2 -i eth1 --sport 53 -j ACCEPT
####
# NAT FOR DNS
####
$IPTABLES -t nat -A POSTROUTING -s $LAN -p udp --dport 53 -o eth0 -j MASQUERADE
$IPTABLES -t nat -A POSTROUTING -s $LAN -p udp --dport 53 -o eth1 -j MASQUERADE
###################################################
# CATCH-ALL
###################################################
$IPTABLES -A INPUT -j DROP
$IPTABLES -A FORWARD -j DROP
$IPTABLES -A OUTPUT -j ACCEPT
See how the routes look:
ip route show table main
192.168.2.0/24 dev eth2 proto kernel scope link src 192.168.2.1
192.168.1.0/24 dev eth1 proto kernel scope link src 192.168.1.2
192.168.0.0/24 dev eth0 proto kernel scope link src 192.168.0.31
169.254.0.0/16 dev eth2 scope link
ip route show table link1
default via 192.168.0.1 dev eth0
ip route show table link2
default via 192.168.1.1 dev eth1
Thanks in advance.
-
Looks like everything is ok. Usually, when we use iproute2, we disable the kernel routes. So it's a good idea to delete those routes added with route add -net 0/0...
To test, either you do a packet capture on the gateways to be sure where the traffic is being forwarded, or you run tcpdump on this Linux box's outgoing interfaces.
See you...
-
With the changes I made, here's how it looks:
[root@srvteste scripts]# ip route show table link1
default via 192.168.0.1 dev eth0
[root@srvteste scripts]#
[root@srvteste scripts]# ip route show table link2
default via 192.168.1.1 dev eth1
[root@srvteste scripts]#
Is it necessary to remove the routes from the main table? (If so, how do I do that?)
[root@srvteste scripts]# ip route show table main
192.168.2.0/24 dev eth2 proto kernel scope link src 192.168.2.1
192.168.1.0/24 dev eth1 proto kernel scope link src 192.168.1.31
192.168.0.0/24 dev eth0 proto kernel scope link src 192.168.0.31
169.254.0.0/16 dev eth1 scope link
[root@srvteste scripts]#
After removing the default routes from the main table I can ping both gateways, but I can't ping outside; it returns as if there were no route, see:
[root@srvteste scripts]# ping www.terra.com.br
ping: unknown host www.terra.com.br
[root@srvteste scripts]#
Thanks in advance.
WASLEY
-
You don't need to remove the routes from the main table.
As for the error, that's a DNS error.. Try pinging by IP: 64.233.163.104 (that one is google's)
-
Hello Magnun
I believe this error isn't DNS: when I enable a default route in the main table I can ping terra's site and google's IP address. See the tests below:
[root@srvteste scripts]# ip route add default dev eth0 via 192.168.0.1
[root@srvteste scripts]# ip route show table main
192.168.2.0/24 dev eth2 proto kernel scope link src 192.168.2.1
192.168.1.0/24 dev eth1 proto kernel scope link src 192.168.1.31
192.168.0.0/24 dev eth0 proto kernel scope link src 192.168.0.31
169.254.0.0/16 dev eth2 scope link
default via 192.168.0.1 dev eth0
[root@srvteste scripts]# ping www.terra.com.br
PING www.terra.com.br (200.154.56.80) 56(84) bytes of data.
64 bytes from www.terra.com.br (200.154.56.80): icmp_seq=1 ttl=247 time=37.4 ms
[root@srvteste scripts]# ping 64.233.163.104
PING 64.233.163.104 (64.233.163.104) 56(84) bytes of data.
64 bytes from 64.233.163.104: icmp_seq=1 ttl=55 time=29.0 ms
And when I have no default route in the main table, I can't ping even by IP address.
Without a default route:
[root@srvteste scripts]# ip route show table main
192.168.2.0/24 dev eth2 proto kernel scope link src 192.168.2.1
192.168.1.0/24 dev eth1 proto kernel scope link src 192.168.1.31
192.168.0.0/24 dev eth0 proto kernel scope link src 192.168.0.31
169.254.0.0/16 dev eth2 scope link
[root@srvteste scripts]#
[root@srvteste scripts]# ping 64.233.163.104
connect: Network is unreachable
[root@srvteste scripts]#
[root@srvteste scripts]# ping www.terra.com.br
ping: unknown host www.terra.com.br
[root@srvteste scripts]#
-
It wasn't pinging because it didn't resolve the terra name; look at the message: "unknown host"
It didn't resolve because it had no gateway. You have to keep that gateway; I was mistaken: since the ping is generated locally, it doesn't go through the iptables MARK rule.
-
Ok Magnun,
Let me see if I understood; so the routes have to be like this:
Main table
[root@srvteste scripts]# ip route show table main
192.168.2.0/24 dev eth2 proto kernel scope link src 192.168.2.1
192.168.1.0/24 dev eth1 proto kernel scope link src 192.168.1.31
192.168.0.0/24 dev eth0 proto kernel scope link src 192.168.0.31
169.254.0.0/16 dev eth2 scope link
default via 192.168.0.1 dev eth0
default via 192.168.1.1 dev eth1 metric 100
[root@srvteste scripts]#
Table link1
[root@srvteste scripts]# ip route show table link1
default via 192.168.0.1 dev eth0
[root@srvteste scripts]#
Table link2
[root@srvteste scripts]# ip route show table link2
default via 192.168.1.1 dev eth1
[root@srvteste scripts]#
-
Since we're using iproute2 and packet marking, I don't think you need this rule in the main table: default via 192.168.1.1 dev eth1 metric 100
-
Good morning Magnun,
As you said, I removed one of the default routes, the one pointing to eth1, leaving only this route, in addition to the routes in tables link1 and link2. It looks like this:
[root@srvteste wasley]# ip route show table main
192.168.2.0/24 dev eth2 proto kernel scope link src 192.168.2.1
192.168.1.0/24 dev eth1 proto kernel scope link src 192.168.1.31
192.168.0.0/24 dev eth0 proto kernel scope link src 192.168.0.31
169.254.0.0/16 dev eth2 scope link
default via 192.168.0.1 dev eth0
[root@srvteste wasley]#
[root@srvteste wasley]# ip route show table link1
default via 192.168.0.1 dev eth0
[root@srvteste wasley]# ip route show table link2
default via 192.168.1.1 dev eth1
[root@srvteste wasley]#
Sorry for my ignorance, but if I understand the logic correctly, if the default route included in the main table goes down, the other routes will stop working, including the route going out through eth1 (the one registered in table link2).
-
Man, actually that route in the main table only serves locally generated traffic (generated by the Linux box itself), since all the rest of the traffic is being handled by tables link1 and link2.
If you want to confirm this, take a host that is being routed by the Linux box and do a tracert to a destination on the internet. Then remove the rule from the main table and run the same test; the result should be the same.
See you...
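The recipe given earlier in the thread (an rt_tables entry, a MARK in the mangle table, and `ip rule add fwmark ... lookup <TABLE>`) and the point made just above (the main-table default only serves traffic generated on the box itself; forwarded traffic follows link1/link2) can be checked offline with the following added example. It is not code from the thread, from iproute2 or from the kernel: it is a small Python model of the routing policy database, with the table names, marks and addresses taken from the thread's final `ip route show table ...` output, and an assumed /etc/iproute2/rt_tables that maps 10 to link1 and 20 to link2. The `Packet`, `Rpdb` and `egress` names are this example's own.

```python
"""Offline model of the Linux policy routing database (RPDB) discussed in this thread.
Added example, not code from the thread, iproute2 or the kernel: it models ip rule
priorities, per-table longest-prefix lookup, the rt_tables name/number mapping and the
fwmark that iptables sets in mangle PREROUTING."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Assumed /etc/iproute2/rt_tables entries. Without "10 link1" and "20 link2",
# "table 10" and "table link1" are two different tables.
RT_TABLES = {"local": 255, "main": 254, "link1": 10, "link2": 20}

def table_id(ref):
    """Resolve a table reference like ip(8): a number, or a name via rt_tables."""
    return int(ref) if str(ref).isdigit() else RT_TABLES[ref]

@dataclass
class Route:
    prefix: ipaddress.IPv4Network
    dev: str
    via: Optional[str] = None      # None: destination is on-link

@dataclass
class Rule:
    prio: int
    table: int
    fwmark: Optional[int] = None   # None: matches every packet ("from all")

@dataclass
class Packet:
    dst: str
    iif: Optional[str] = None      # None: generated by the router itself
    proto: str = "icmp"
    dport: int = 0

class Rpdb:
    def __init__(self):
        self.tables = {}
        # Rules every kernel installs: "local" at prio 0, "main" at 32766.
        self.rules = [Rule(0, table_id("local")), Rule(32766, table_id("main"))]

    def route_add(self, table, prefix, dev, via=None):
        self.tables.setdefault(table_id(table), []).append(
            Route(ipaddress.ip_network(prefix), dev, via))

    def route_del_default(self, table):
        tid = table_id(table)
        self.tables[tid] = [r for r in self.tables.get(tid, []) if r.prefix.prefixlen]

    def rule_add(self, prio, table, fwmark=None):
        self.rules.append(Rule(prio, table_id(table), fwmark))
        self.rules.sort(key=lambda r: r.prio)   # stable sort: equal prio keeps order

    def lookup(self, dst, fwmark=0):
        """First table (in rule priority order) holding a matching route wins; a table
        with no match falls through, so the main default catches what fwmark rules skip."""
        addr = ipaddress.ip_address(dst)
        for rule in self.rules:
            if rule.fwmark is not None and rule.fwmark != fwmark:
                continue
            hits = [r for r in self.tables.get(rule.table, []) if addr in r.prefix]
            if hits:
                return max(hits, key=lambda r: r.prefix.prefixlen)
        raise LookupError("Network is unreachable")

def prerouting_mark(pkt):
    """The thread's mangle PREROUTING rules on -i eth2: tcp dport 25/110 -> mark 20,
    anything else from the LAN -> mark 10. Packets generated on the router itself
    never traverse PREROUTING, so they keep mark 0."""
    if pkt.iif != "eth2":
        return 0
    return 20 if pkt.proto == "tcp" and pkt.dport in (25, 110) else 10

def build_router():
    """Tables as shown in the thread's final `ip route show table ...` output."""
    db = Rpdb()
    db.route_add("main", "192.168.2.0/24", "eth2")
    db.route_add("main", "192.168.1.0/24", "eth1")
    db.route_add("main", "192.168.0.0/24", "eth0")
    db.route_add("main", "0.0.0.0/0", "eth0", via="192.168.0.1")
    db.route_add("link1", "0.0.0.0/0", "eth0", via="192.168.0.1")
    db.route_add("link2", "0.0.0.0/0", "eth1", via="192.168.1.1")
    db.rule_add(20, "10", fwmark=10)   # ip rule add fwmark 10 table 10 prio 20
    db.rule_add(20, "20", fwmark=20)   # ip rule add fwmark 20 table 20 prio 20
    return db

def egress(db, pkt):
    """(device, next hop) the packet leaves through after marking and lookup."""
    route = db.lookup(pkt.dst, prerouting_mark(pkt))
    return route.dev, route.via

if __name__ == "__main__":
    db = build_router()
    smtp = Packet("200.154.56.80", iif="eth2", proto="tcp", dport=25)
    print("LAN smtp ->", egress(db, smtp))                        # ('eth1', '192.168.1.1')
    print("local ping ->", egress(db, Packet("64.233.163.104")))  # ('eth0', '192.168.0.1')
    db.route_del_default("main")   # the experiment from the thread
    print("LAN smtp, no main default ->", egress(db, smtp))       # still ('eth1', '192.168.1.1')
    try:
        egress(db, Packet("64.233.163.104"))
    except LookupError as err:
        print("local ping, no main default ->", err)              # Network is unreachable
```

Running it reproduces the two observations from the thread: with the main default removed, a LAN host's SMTP connection still leaves via eth1 (mark 20, table link2), while a ping from the firewall itself fails with "Network is unreachable", as in the session above. The same applies to anything else running on the firewall, such as a proxy: its own outbound connections follow table main, not the fwmark rules. The model also makes explicit that `ip rule ... table 10` and `ip route add table link1` refer to the same table only when rt_tables maps 10 to link1; on a real box, compare `ip rule show` with `ip route show table 10` and `ip route show table link1`, and on newer iproute2 use `ip route get 64.233.163.104 mark 20` to see the route chosen for a packet carrying a given mark.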
-
Good afternoon,
Unfortunately some urgent matters came up here at work and I had to pause the configuration, but I'm back at it.
I managed to create a script where port 80 traffic leaves through interface eth1 and port 25 and 110 traffic leaves through interface eth0.
For port 80 traffic to leave through eth1, besides other settings, it was necessary to create a NAT, as follows:
$IPTABLES -t nat -A POSTROUTING -s $LAN -o eth1 -p tcp --dport 80 -j MASQUERADE
Now my question: instead of port 80 connections using this NAT, how do I make them go out through squid on port 3128, i.e., traffic arrives on port 80, is redirected to port 3128 (squid), and leaves through interface eth1?
The complete script follows:
Thanks in advance. (the soap opera is coming to an end :-))
#!/bin/bash
###################################################
# DEFINING VARIABLES
###################################################
# PATH TO IPTABLES
IPTABLES="/sbin/iptables"
# FETCHING THE ADDRESS OF THE DYNAMIC-IP INTERFACES
# (parses pt_BR ifconfig output, where the line reads "inet end.: a.b.c.d")
FW0=`ifconfig eth0| grep "inet end."| awk '{print $3}'|cut -d":" -f2`
FW1=`ifconfig eth1| grep "inet end."| awk '{print $3}'|cut -d":" -f2`
# LAN-SIDE INTERFACE
FW2="192.168.2.1/32"
# INTERNAL NETWORK
LAN="192.168.2.0/24"
###################################################
# LOADING MODULES
###################################################
DEPMOD=/sbin/depmod
MODPROBE=/sbin/modprobe
$DEPMOD -a
$MODPROBE ip_conntrack_ftp
$MODPROBE ip_nat_ftp
$MODPROBE iptable_nat
###################################################
# ENABLING FORWARDING
###################################################
echo 1 > /proc/sys/net/ipv4/ip_forward
echo 1 > /proc/sys/net/ipv4/ip_dynaddr
###################################################
# FLUSHING EVERYTHING
###################################################
$IPTABLES -F
$IPTABLES -F INPUT
$IPTABLES -F OUTPUT
$IPTABLES -F FORWARD
$IPTABLES -F -t mangle
$IPTABLES -F -t nat
$IPTABLES -X
$IPTABLES -X -t mangle
$IPTABLES -X -t nat
###################################################
# DEFAULT POLICIES
###################################################
####
# FILTER TABLE
####
$IPTABLES -P INPUT DROP
$IPTABLES -P OUTPUT DROP
$IPTABLES -P FORWARD DROP
###################################################
# STATEFUL RULES
###################################################
$IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
###################################################
# REMOVING OLD ENTRIES FROM THE PER-LINK TABLES
# (the fwmark rules too: "ip rule add" is not idempotent,
# so re-running the script would stack duplicate rules)
###################################################
ip route del default table link1 &> /dev/null
ip route del default table link2 &> /dev/null
ip rule del fwmark 10 table link1 prio 20 &> /dev/null
ip rule del fwmark 20 table link2 prio 20 &> /dev/null
####################################################
# REMOVING THE DEFAULT ROUTE
####################################################
ip route del default &> /dev/null
ip route del default &> /dev/null
ip route del default &> /dev/null
####################################################
# ADDING THE DEFAULT ROUTE
# (table main: used by traffic generated on the firewall itself,
# which never passes through the mangle PREROUTING marks)
####################################################
ip route add default dev eth0 via 192.168.0.1 table main
#####################################################
# INSERTING THE DEFAULT ROUTE OF EACH PER-LINK TABLE
# (link1 and link2 must exist in /etc/iproute2/rt_tables,
# e.g. "10 link1" and "20 link2")
#####################################################
ip route add table link1 default via 192.168.0.1
ip route add table link2 default via 192.168.1.1
#####################################################
# PRIVATE (INTERNAL) AND LOCAL NETWORK
#####################################################
####
# LOOPBACK INTERFACE
####
$IPTABLES -A INPUT -i lo -j ACCEPT
####
# PRIVATE NETWORK
####
$IPTABLES -A FORWARD -i eth2 -d 0/0 -j ACCEPT
####
# INTERNAL NETWORK REACHING THE SERVER
####
$IPTABLES -A INPUT -s $LAN -d $FW2 -j ACCEPT
######################################################
# MARKING PORT 80 TRAFFIC
######################################################
$IPTABLES -t mangle -A PREROUTING -i eth2 -p tcp --dport 80 -j MARK --set-mark 20
$IPTABLES -t mangle -A PREROUTING -i eth2 -p tcp --dport 80 -j RETURN
$IPTABLES -t mangle -A PREROUTING -i eth2 -j MARK --set-mark 10
######################################################
# BINDING MARKED TRAFFIC TO THE TABLES
# (the original used the bare numbers "table 10"/"table 20";
# those are the same tables only if rt_tables maps them to link1/link2)
######################################################
ip rule add fwmark 10 table link1 prio 20
ip rule add fwmark 20 table link2 prio 20
######################################################
# MAKING THE ROUTING TABLE CHANGES TAKE EFFECT
######################################################
ip route flush cache
######################################################
# NAT MASQUERADE FOR SPECIFIC TRAFFIC
######################################################
$IPTABLES -t nat -A POSTROUTING -s $LAN -o eth1 -p tcp --dport 80 -j MASQUERADE
###################################################
# E-MAIL RULES
###################################################
####
# FORWARD FOR E-MAIL
####
$IPTABLES -A FORWARD -p tcp -s $LAN -d $FW2 -o eth0 --dport 25 -j ACCEPT
$IPTABLES -A FORWARD -p tcp -d $LAN -s $FW2 -i eth0 --sport 25 -j ACCEPT
$IPTABLES -A FORWARD -p tcp -s $LAN -d $FW2 -o eth0 --dport 110 -j ACCEPT
$IPTABLES -A FORWARD -p tcp -d $LAN -s $FW2 -i eth0 --sport 110 -j ACCEPT
####
# NAT FOR E-MAIL
####
$IPTABLES -t nat -A POSTROUTING -s $LAN -p tcp --dport 25 -o eth0 -j MASQUERADE
$IPTABLES -t nat -A POSTROUTING -s $LAN -p tcp --dport 110 -o eth0 -j MASQUERADE
######################################################
# DNS RULES
######################################################
####
# FORWARD FOR DNS
####
$IPTABLES -A FORWARD -p udp -s $LAN -d $FW2 -o eth0 --dport 53 -j ACCEPT
$IPTABLES -A FORWARD -p udp -d $LAN -s $FW2 -i eth0 --sport 53 -j ACCEPT
$IPTABLES -A FORWARD -p udp -s $LAN -d $FW2 -o eth1 --dport 53 -j ACCEPT
$IPTABLES -A FORWARD -p udp -d $LAN -s $FW2 -i eth1 --sport 53 -j ACCEPT
####
# NAT FOR DNS
####
$IPTABLES -t nat -A POSTROUTING -s $LAN -p udp --dport 53 -o eth0 -j MASQUERADE
$IPTABLES -t nat -A POSTROUTING -s $LAN -p udp --dport 53 -o eth1 -j MASQUERADE
#####################################################
# CATCH-ALL BLOCK
#####################################################
$IPTABLES -A INPUT -j DROP
$IPTABLES -A FORWARD -j DROP
$IPTABLES -A OUTPUT -j ACCEPT
echo "IPTABLES SCRIPT EXECUTED"
-
I managed to do what I had in mind; the complete script follows.
I'd like to thank everyone for their help, especially Magnun; without your help I wouldn't have been able to do it.
#!/bin/bash
###################################################
# DEFINING VARIABLES
###################################################
# PATH TO IPTABLES
IPTABLES="/sbin/iptables"
# FETCHING THE ADDRESS OF THE DYNAMIC-IP INTERFACES
# (parses pt_BR ifconfig output, where the line reads "inet end.: a.b.c.d")
FW0=`ifconfig eth0| grep "inet end."| awk '{print $3}'|cut -d":" -f2`
FW1=`ifconfig eth1| grep "inet end."| awk '{print $3}'|cut -d":" -f2`
# LAN-SIDE INTERFACE
FW2="192.168.2.1/32"
# INTERNAL NETWORK
LAN="192.168.2.0/24"
# ADMIN MACHINE
ADM="192.168.0.2/32"
###################################################
# LOADING MODULES
###################################################
DEPMOD=/sbin/depmod
MODPROBE=/sbin/modprobe
$DEPMOD -a
$MODPROBE ip_conntrack_ftp
$MODPROBE ip_nat_ftp
$MODPROBE iptable_nat
###################################################
# ENABLING FORWARDING
###################################################
echo 1 > /proc/sys/net/ipv4/ip_forward
echo 1 > /proc/sys/net/ipv4/ip_dynaddr
###################################################
# FLUSHING EVERYTHING
###################################################
$IPTABLES -F
$IPTABLES -F INPUT
$IPTABLES -F OUTPUT
$IPTABLES -F FORWARD
$IPTABLES -F -t mangle
$IPTABLES -F -t nat
$IPTABLES -X
$IPTABLES -X -t mangle
$IPTABLES -X -t nat
###################################################
# DEFAULT POLICIES
###################################################
####
# FILTER TABLE
####
$IPTABLES -P INPUT DROP
$IPTABLES -P OUTPUT DROP
$IPTABLES -P FORWARD DROP
###################################################
# STATEFUL RULES
###################################################
$IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
###################################################
# ALLOWING "MARTIAN" PACKETS
# (disables reverse-path filtering on every interface so the
# asymmetric paths below are not dropped; this also removes the
# kernel's check against spoofed source addresses, so the filter
# rules are the only thing left doing that job)
###################################################
for i in /proc/sys/net/ipv4/conf/*/rp_filter;
do
echo 0 >$i
done
###################################################
# REMOVING OLD ENTRIES FROM THE PER-LINK TABLES
# (the fwmark rules too: "ip rule add" is not idempotent,
# so re-running the script would stack duplicate rules)
###################################################
ip route del default table link1 &> /dev/null
ip route del default table link2 &> /dev/null
ip rule del fwmark 10 table link1 prio 20 &> /dev/null
ip rule del fwmark 20 table link2 prio 20 &> /dev/null
####################################################
# REMOVING THE DEFAULT ROUTE
####################################################
ip route del default &> /dev/null
ip route del default &> /dev/null
ip route del default &> /dev/null
####################################################
# ADDING THE DEFAULT ROUTE
# (table main: used by traffic generated on the firewall itself,
# which never passes through the mangle PREROUTING marks)
####################################################
ip route add default dev eth0 via 192.168.0.1 table main
#####################################################
# INSERTING THE DEFAULT ROUTE OF EACH PER-LINK TABLE
# (link1 and link2 must exist in /etc/iproute2/rt_tables,
# e.g. "10 link1" and "20 link2")
#####################################################
ip route add table link1 default via 192.168.0.1
ip route add table link2 default via 192.168.1.1
#####################################################
# PRIVATE (INTERNAL) AND LOCAL NETWORK
#####################################################
####
# LOOPBACK INTERFACE
####
$IPTABLES -A INPUT -i lo -j ACCEPT
####
# PRIVATE NETWORK
####
$IPTABLES -A FORWARD -i eth2 -d 0/0 -j ACCEPT
####
# INTERNAL NETWORK AND ADMIN MACHINE REACHING THE SERVER
####
$IPTABLES -A INPUT -s $LAN -d $FW2 -j ACCEPT
$IPTABLES -A INPUT -s $ADM -d $FW0 -j ACCEPT
######################################################
# MARKING PORT 25 AND 110 TRAFFIC
# (mark 20 -> link2/eth1; everything else from the LAN -> mark 10 -> link1/eth0.
# Same result as the original six rules, where port 110 was first marked 10,
# then re-marked 20, and the last mark-10 rule never changed anything)
######################################################
$IPTABLES -t mangle -A PREROUTING -i eth2 -p tcp --dport 25 -j MARK --set-mark 20
$IPTABLES -t mangle -A PREROUTING -i eth2 -p tcp --dport 25 -j RETURN
$IPTABLES -t mangle -A PREROUTING -i eth2 -p tcp --dport 110 -j MARK --set-mark 20
$IPTABLES -t mangle -A PREROUTING -i eth2 -p tcp --dport 110 -j RETURN
$IPTABLES -t mangle -A PREROUTING -i eth2 -j MARK --set-mark 10
######################################################
# BINDING MARKED TRAFFIC TO THE TABLES
# (the original used the bare numbers "table 10"/"table 20";
# those are the same tables only if rt_tables maps them to link1/link2)
######################################################
ip rule add fwmark 10 table link1 prio 20
ip rule add fwmark 20 table link2 prio 20
######################################################
# MAKING THE ROUTING TABLE CHANGES TAKE EFFECT
######################################################
ip route flush cache
######################################################
# NAT REDIRECT: LAN PORT 80 TO SQUID (3128)
# (LAN clients arrive on eth2, as in the FORWARD and mangle rules above;
# the original matched -i eth0, which never sees LAN-sourced packets)
######################################################
$IPTABLES -t nat -A PREROUTING -s $LAN -i eth2 -p tcp --dport 80 -j REDIRECT --to-port 3128
###################################################
# E-MAIL RULES
###################################################
####
# FORWARD FOR E-MAIL
####
$IPTABLES -A FORWARD -p tcp -s $LAN -d $FW2 -o eth1 --dport 25 -j ACCEPT
$IPTABLES -A FORWARD -p tcp -d $LAN -s $FW2 -i eth1 --sport 25 -j ACCEPT
$IPTABLES -A FORWARD -p tcp -s $LAN -d $FW2 -o eth1 --dport 110 -j ACCEPT
$IPTABLES -A FORWARD -p tcp -d $LAN -s $FW2 -i eth1 --sport 110 -j ACCEPT
####
# NAT FOR E-MAIL
####
$IPTABLES -t nat -A POSTROUTING -s $LAN -p tcp --dport 25 -o eth1 -j MASQUERADE
$IPTABLES -t nat -A POSTROUTING -s $LAN -p tcp --dport 110 -o eth1 -j MASQUERADE
######################################################
# DNS RULES
######################################################
####
# FORWARD FOR DNS
####
$IPTABLES -A FORWARD -p udp -s $LAN -d $FW2 -o eth0 --dport 53 -j ACCEPT
$IPTABLES -A FORWARD -p udp -d $LAN -s $FW2 -i eth0 --sport 53 -j ACCEPT
$IPTABLES -A FORWARD -p udp -s $LAN -d $FW2 -o eth1 --dport 53 -j ACCEPT
$IPTABLES -A FORWARD -p udp -d $LAN -s $FW2 -i eth1 --sport 53 -j ACCEPT
####
# NAT FOR DNS
####
$IPTABLES -t nat -A POSTROUTING -s $LAN -p udp --dport 53 -o eth0 -j MASQUERADE
$IPTABLES -t nat -A POSTROUTING -s $LAN -p udp --dport 53 -o eth1 -j MASQUERADE
#####################################################
# CATCH-ALL BLOCK
#####################################################
$IPTABLES -A INPUT -j DROP
$IPTABLES -A FORWARD -j DROP
$IPTABLES -A OUTPUT -j ACCEPT
echo "IPTABLES SCRIPT EXECUTED"