- How to create two routes
-
With the changes I made, here is how it turned out:
[root@srvteste scripts]# ip route show table link1
default via 192.168.0.1 dev eth0
[root@srvteste scripts]#
[root@srvteste scripts]# ip route show table link2
default via 192.168.1.1 dev eth1
[root@srvteste scripts]#
Is it necessary to delete the routes from the main table? (If so, how do I do that?)
[root@srvteste scripts]# ip route show table main
192.168.2.0/24 dev eth2 proto kernel scope link src 192.168.2.1
192.168.1.0/24 dev eth1 proto kernel scope link src 192.168.1.31
192.168.0.0/24 dev eth0 proto kernel scope link src 192.168.0.31
169.254.0.0/16 dev eth1 scope link
[root@srvteste scripts]#
After removing the default routes from the main table I can ping both gateways, but I can't ping outside; it comes back as if no route existed, see here:
[root@srvteste scripts]# ping www.terra.com.br
ping: unknown host www.terra.com.br
[root@srvteste scripts]#
Thanks in advance.
WASLEY
-
You don't need to delete the routes from the main table.
As for the error, that's a DNS error. Try pinging by IP: 64.233.163.104 (that one is Google's)
-
Hello Magnun
I don't think this error is DNS-related: when I enable a default route in the main table I can ping the terra site and Google's IP address. See the tests below:
[root@srvteste scripts]# ip route add default dev eth0 via 192.168.0.1
[root@srvteste scripts]# ip route show table main
192.168.2.0/24 dev eth2 proto kernel scope link src 192.168.2.1
192.168.1.0/24 dev eth1 proto kernel scope link src 192.168.1.31
192.168.0.0/24 dev eth0 proto kernel scope link src 192.168.0.31
169.254.0.0/16 dev eth2 scope link
default via 192.168.0.1 dev eth0
[root@srvteste scripts]# ping www.terra.com.br
PING www.terra.com.br (200.154.56.80) 56(84) bytes of data.
64 bytes from www.terra.com.br (200.154.56.80): icmp_seq=1 ttl=247 time=37.4 ms
[root@srvteste scripts]# ping 64.233.163.104
PING 64.233.163.104 (64.233.163.104) 56(84) bytes of data.
64 bytes from 64.233.163.104: icmp_seq=1 ttl=55 time=29.0 ms
And when I have no default route in the main table, I can't ping even by IP address.
Without a default route:
[root@srvteste scripts]# ip route show table main
192.168.2.0/24 dev eth2 proto kernel scope link src 192.168.2.1
192.168.1.0/24 dev eth1 proto kernel scope link src 192.168.1.31
192.168.0.0/24 dev eth0 proto kernel scope link src 192.168.0.31
169.254.0.0/16 dev eth2 scope link
[root@srvteste scripts]#
[root@srvteste scripts]# ping 64.233.163.104
connect: Network is unreachable
[root@srvteste scripts]#
[root@srvteste scripts]# ping www.terra.com.br
ping: unknown host www.terra.com.br
[root@srvteste scripts]#
-
It wasn't pinging because it didn't resolve the name terra; look at the message: "unknown host".
It didn't resolve because it didn't have the gateway. You have to keep that gateway; I was mistaken, since the ping is generated locally it doesn't go through the iptables MARK rule.
-
Ok Magnun,
Let me see if I understood; so the routes have to look like this:
Main table
[root@srvteste scripts]# ip route show table main
192.168.2.0/24 dev eth2 proto kernel scope link src 192.168.2.1
192.168.1.0/24 dev eth1 proto kernel scope link src 192.168.1.31
192.168.0.0/24 dev eth0 proto kernel scope link src 192.168.0.31
169.254.0.0/16 dev eth2 scope link
default via 192.168.0.1 dev eth0
default via 192.168.1.1 dev eth1 metric 100
[root@srvteste scripts]#
Table link1
[root@srvteste scripts]# ip route show table link1
default via 192.168.0.1 dev eth0
[root@srvteste scripts]#
Table link2
[root@srvteste scripts]# ip route show table link2
default via 192.168.1.1 dev eth1
[root@srvteste scripts]#
-
Since we are using iproute2 and packet marking, I think you don't need this rule in the main table: default via 192.168.1.1 dev eth1 metric 100
-
Good morning Magnun,
As you said, I removed one of the default routes, the one pointing to eth1, leaving only this route, besides the routes in tables link1 and link2. It ended up like this:
[root@srvteste wasley]# ip route show table main
192.168.2.0/24 dev eth2 proto kernel scope link src 192.168.2.1
192.168.1.0/24 dev eth1 proto kernel scope link src 192.168.1.31
192.168.0.0/24 dev eth0 proto kernel scope link src 192.168.0.31
169.254.0.0/16 dev eth2 scope link
default via 192.168.0.1 dev eth0
[root@srvteste wasley]#
[root@srvteste wasley]# ip route show table link1
default via 192.168.0.1 dev eth0
[root@srvteste wasley]# ip route show table link2
default via 192.168.1.1 dev eth1
[root@srvteste wasley]#
Sorry for my ignorance, but if I'm understanding the logic correctly, if the default route added to the main table goes down, the other routes will stop working, including the route going out through eth1 (the one registered in table link2).
Last edited by wasley; 12-08-2009 at 11:59.
-
Actually, that route in the main table only serves locally generated traffic (generated by the Linux box itself), since all the remaining traffic is being handled by tables link1 and link2.
If you want to confirm that, take a host that is being routed through the Linux box and run a tracert to a destination on the internet. Then remove the rule from the main table and run the same test; the result should be the same.
See you...
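Magnun's distinction between forwarded traffic (steered by fwmark into link1/link2) and the box's own traffic (which stays on the main table) only holds if the table names used by the route commands and the table numbers used by the rule commands refer to the same tables. The script later in this thread writes routes into "link1"/"link2" but its rules say "table 10"/"table 20", which agree only if /etc/iproute2/rt_tables maps them that way. The following is an added example, not code from wasley or Magnun: it generates the same iproute2 setup but checks that mapping first, and prints rather than executes the commands unless DRY_RUN=0, so it can be reviewed without root. The rt_tables path, the DRY_RUN switch and the link1=10/link2=20 mapping are assumptions of this example; gateways, devices and marks are the thread's.

```shell
#!/bin/sh
# Added example for this thread (not wasley's or Magnun's script): emit the
# policy-routing commands for two uplinks after checking that the table NAMES
# used for routes map in rt_tables to the table NUMBERS used by the fwmark rules.
# Assumptions: rt_tables path below, DRY_RUN=1 prints instead of executing.

RT_TABLES="${RT_TABLES:-/etc/iproute2/rt_tables}"
DRY_RUN="${DRY_RUN:-1}"

# run CMD...: print the command in dry-run mode, execute it otherwise
run() { if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi; }

# table_id FILE NAME: print the numeric id NAME maps to in FILE; fail if absent
table_id() {
    awk -v name="$2" '
        $1 !~ /^#/ && $2 == name { print $1; found = 1 }
        END { if (!found) exit 1 }' "$1"
}

# check_table FILE NAME EXPECTED_ID: fail when name and number disagree. That is
# exactly the case where "ip rule ... table 20" would send marked traffic into an
# empty table while "ip route ... table link2" fills a different one.
check_table() {
    id=$(table_id "$1" "$2") || { echo "table $2 not in $1" >&2; return 1; }
    [ "$id" = "$3" ] || { echo "table $2 is $id in $1, rules use $3" >&2; return 1; }
}

# uplink FILE NAME ID DEV GATEWAY MARK: default route for one uplink plus the
# rule steering packets carrying MARK into it. "replace" and "del ... 2>/dev/null"
# keep the sequence idempotent, so re-running does not stack duplicate rules.
uplink() {
    check_table "$1" "$2" "$3" || return 1
    run ip route replace default via "$5" dev "$4" table "$2"
    run ip rule del fwmark "$6" table "$3" prio 20 2>/dev/null
    run ip rule add fwmark "$6" table "$3" prio 20
}

# plan FILE: the whole setup. The main table keeps its own default route for
# traffic the box generates itself, which never passes the PREROUTING marks.
plan() {
    uplink "$1" link1 10 eth0 192.168.0.1 10 || return 1
    uplink "$1" link2 20 eth1 192.168.1.1 20 || return 1
    run ip route replace default via 192.168.0.1 dev eth0 table main
    run ip route flush cache
}

# usage: DRY_RUN=1 sh thisfile.sh && plan "$RT_TABLES"   (prints the plan)
#        DRY_RUN=0 sh -c '. ./thisfile.sh; plan "$RT_TABLES"'   (applies it, as root)
```

Running plan against an rt_tables file where link2 is not 20 stops before anything is applied, which is the failure mode worth catching: with a mismatch, the mail or web traffic carrying mark 20 would be looked up in a table with no default route and fall through to main, silently leaving eth0.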
-
Good afternoon,
Unfortunately some urgent things came up here at work and I had to pause the configuration, but I'm back at it.
I managed to create a script where port 80 traffic goes out through interface eth1 and port 25 and 110 traffic goes out through interface eth0.
For port 80 traffic to go out through eth1, besides other settings, it was necessary to create a NAT, as follows:
$IPTABLES -t nat -A POSTROUTING -s $LAN -o eth1 -p tcp --dport 80 -j MASQUERADE
Now my question: how do I make the port 80 connections, instead of using this NAT, go out through squid on port 3128? That is, traffic arriving on port 80 is redirected to port 3128 (squid) and goes out through interface eth1.
The complete script follows below:
Thanks in advance. (The soap opera is coming to an end :-))
###################################################
# DEFINING VARIABLES
###################################################
# VARIABLE FOR IPTABLES
IPTABLES="/sbin/iptables"
# FETCHING THE ADDRESS OF THE INTERFACES WITH DYNAMIC IP
# ("inet end." is the Portuguese-locale ifconfig label; an English locale prints "inet addr")
FW0=`ifconfig eth0| grep "inet end."| awk '{print $3}'|cut -d":" -f2`
FW1=`ifconfig eth1| grep "inet end."| awk '{print $3}'|cut -d":" -f2`
# LOCAL INTERFACE
FW2="192.168.2.1/32"
# INTERNAL NETWORK
LAN="192.168.2.0/24"
###################################################
# LOADING MODULES
###################################################
DEPMOD=/sbin/depmod
MODPROBE=/sbin/modprobe
$DEPMOD -a
$MODPROBE ip_conntrack_ftp
$MODPROBE ip_nat_ftp
$MODPROBE iptable_nat
###################################################
# ENABLING ROUTING
###################################################
echo 1 > /proc/sys/net/ipv4/ip_forward
echo 1 > /proc/sys/net/ipv4/ip_dynaddr
###################################################
# GENERAL CLEANUP
###################################################
$IPTABLES -F
$IPTABLES -F INPUT
$IPTABLES -F OUTPUT
$IPTABLES -F FORWARD
$IPTABLES -F -t mangle
$IPTABLES -F -t nat
$IPTABLES -X
###################################################
# POLICY SETUP
###################################################
####
# FILTER TABLE
####
$IPTABLES -P INPUT DROP
$IPTABLES -P OUTPUT DROP
$IPTABLES -P FORWARD DROP
###################################################
# STATEFUL RULES / ROUTING DYNAMICS
###################################################
$IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
###################################################
# REMOVING RULES FROM THE TABLES
###################################################
# ("&>" is a bash redirection; run this script with bash, not sh)
ip route del default table link1 &> /dev/null
ip route del default table link2 &> /dev/null
####################################################
# REMOVING DEFAULT ROUTE
####################################################
# (repeated because several default routes with different metrics may be stacked)
ip route del default &> /dev/null
ip route del default &> /dev/null
ip route del default &> /dev/null
####################################################
# ADDING DEFAULT ROUTE
####################################################
# stays in main for traffic generated by the box itself, which never passes the PREROUTING marks
ip route add default dev eth0 via 192.168.0.1 table main
#####################################################
# INSERTING DEFAULT ROUTE INTO THE TABLES
#####################################################
# link1 and link2 must be mapped to 10 and 20 in /etc/iproute2/rt_tables,
# since the ip rule lines further down refer to the tables by number
ip route add table link1 default via 192.168.0.1
ip route add table link2 default via 192.168.1.1
#####################################################
# PRIVATE (INTERNAL) AND LOCAL NETWORK
#####################################################
####
# LOOPBACK INTERFACE
####
$IPTABLES -A INPUT -i lo -j ACCEPT
####
# PRIVATE NETWORK
####
$IPTABLES -A FORWARD -i eth2 -d 0/0 -j ACCEPT
####
# INTERNAL NETWORK ACCESSING THE SERVER
####
$IPTABLES -A INPUT -s $LAN -d $FW2 -j ACCEPT
######################################################
# MARKING PORT 80 TRAFFIC
######################################################
# MARK does not terminate the chain, hence the RETURN; everything else from the LAN gets mark 10
$IPTABLES -t mangle -A PREROUTING -i eth2 -p tcp --dport 80 -j MARK --set-mark 20
$IPTABLES -t mangle -A PREROUTING -i eth2 -p tcp --dport 80 -j RETURN
$IPTABLES -t mangle -A PREROUTING -i eth2 -j MARK --set-mark 10
######################################################
# BINDING TRAFFIC TO THE TABLE
######################################################
ip rule add fwmark 10 table 10 prio 20
ip rule add fwmark 20 table 20 prio 20
######################################################
# APPLYING THE RULES TO THE ROUTING TABLES
######################################################
ip route flush cached
######################################################
# NAT MASQUERADE FOR SPECIFIC MACHINES
######################################################
$IPTABLES -t nat -A POSTROUTING -s $LAN -o eth1 -p tcp --dport 80 -j MASQUERADE
###################################################
# RULES FOR EMAIL
###################################################
####
# FORWARD FOR EMAIL
####
# NOTE: "-d $FW2" matches only packets addressed to the firewall's own LAN IP, which go to
# INPUT and are never forwarded, so these four rules never match; the "-i eth2 -d 0/0 -j ACCEPT"
# rule above is what actually lets mail through
$IPTABLES -A FORWARD -p tcp -s $LAN -d $FW2 -o eth0 --dport 25 -j ACCEPT
$IPTABLES -A FORWARD -p tcp -d $LAN -s $FW2 -i eth0 --sport 25 -j ACCEPT
$IPTABLES -A FORWARD -p tcp -s $LAN -d $FW2 -o eth0 --dport 110 -j ACCEPT
$IPTABLES -A FORWARD -p tcp -d $LAN -s $FW2 -i eth0 --sport 110 -j ACCEPT
####
# NAT FOR EMAIL
####
$IPTABLES -t nat -A POSTROUTING -s $LAN -p tcp --dport 25 -o eth0 -j MASQUERADE
$IPTABLES -t nat -A POSTROUTING -s $LAN -p tcp --dport 110 -o eth0 -j MASQUERADE
######################################################
# RULES FOR DNS
######################################################
####
# FORWARD FOR DNS
####
# (same note as for the email FORWARD rules: "-d $FW2" traffic is never forwarded)
$IPTABLES -A FORWARD -p udp -s $LAN -d $FW2 -o eth0 --dport 53 -j ACCEPT
$IPTABLES -A FORWARD -p udp -d $LAN -s $FW2 -i eth0 --sport 53 -j ACCEPT
$IPTABLES -A FORWARD -p udp -s $LAN -d $FW2 -o eth1 --dport 53 -j ACCEPT
$IPTABLES -A FORWARD -p udp -d $LAN -s $FW2 -i eth1 --sport 53 -j ACCEPT
####
# NAT FOR DNS
####
$IPTABLES -t nat -A POSTROUTING -s $LAN -p udp --dport 53 -o eth0 -j MASQUERADE
$IPTABLES -t nat -A POSTROUTING -s $LAN -p udp --dport 53 -o eth1 -j MASQUERADE
#####################################################
# GENERAL BLOCK
#####################################################
$IPTABLES -A INPUT -j DROP
$IPTABLES -A FORWARD -j DROP
$IPTABLES -A OUTPUT -j ACCEPT
echo "SCRIPT IPTABLES EXECUTADO"
-
I managed to do what I had in mind; the complete script follows.
I'd like to thank everyone for the help, especially Magnun; without your help I wouldn't have been able to do it.
# DEFINING VARIABLES
# VARIABLE FOR IPTABLES
IPTABLES="/sbin/iptables"
# FETCHING THE ADDRESS OF THE INTERFACES WITH DYNAMIC IP
# ("inet end." is the Portuguese-locale ifconfig label; an English locale prints "inet addr")
FW0=`ifconfig eth0| grep "inet end."| awk '{print $3}'|cut -d":" -f2`
FW1=`ifconfig eth1| grep "inet end."| awk '{print $3}'|cut -d":" -f2`
# LOCAL INTERFACE
FW2="192.168.2.1/32"
# INTERNAL NETWORK
LAN="192.168.2.0/24"
# ADMIN MACHINE
ADM="192.168.0.2/32"
# LOADING MODULES
DEPMOD=/sbin/depmod
MODPROBE=/sbin/modprobe
$DEPMOD -a
$MODPROBE ip_conntrack_ftp
$MODPROBE ip_nat_ftp
$MODPROBE iptable_nat
# ENABLING ROUTING
echo 1 > /proc/sys/net/ipv4/ip_forward
echo 1 > /proc/sys/net/ipv4/ip_dynaddr
###################################################
# GENERAL CLEANUP
###################################################
$IPTABLES -F
$IPTABLES -F INPUT
$IPTABLES -F OUTPUT
$IPTABLES -F FORWARD
$IPTABLES -F -t mangle
$IPTABLES -F -t nat
$IPTABLES -X
###################################################
# POLICY SETUP
###################################################
####
# FILTER TABLE
####
$IPTABLES -P INPUT DROP
$IPTABLES -P OUTPUT DROP
$IPTABLES -P FORWARD DROP
###################################################
# STATEFUL RULES / ROUTING DYNAMICS
###################################################
$IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
###################################################
# ALLOW MARTIAN PACKETS
###################################################
# (disables reverse-path filtering, which with two uplinks would drop replies
# arriving on the interface the main table does not point at)
for i in /proc/sys/net/ipv4/conf/*/rp_filter;
do
echo 0 >$i
done
###################################################
# REMOVING RULES FROM THE TABLES
###################################################
# ("&>" is a bash redirection; run this script with bash, not sh)
ip route del default table link1 &> /dev/null
ip route del default table link2 &> /dev/null
####################################################
# REMOVING DEFAULT ROUTE
####################################################
# (repeated because several default routes with different metrics may be stacked)
ip route del default &> /dev/null
ip route del default &> /dev/null
ip route del default &> /dev/null
####################################################
# ADDING DEFAULT ROUTE
####################################################
# stays in main for traffic generated by the box itself, which never passes the PREROUTING marks
ip route add default dev eth0 via 192.168.0.1 table main
#####################################################
# INSERTING DEFAULT ROUTE INTO THE TABLES
#####################################################
# link1 and link2 must be mapped to 10 and 20 in /etc/iproute2/rt_tables,
# since the ip rule lines further down refer to the tables by number
ip route add table link1 default via 192.168.0.1
ip route add table link2 default via 192.168.1.1
#####################################################
# PRIVATE (INTERNAL) AND LOCAL NETWORK
#####################################################
####
# LOOPBACK INTERFACE
####
$IPTABLES -A INPUT -i lo -j ACCEPT
####
# PRIVATE NETWORK
####
$IPTABLES -A FORWARD -i eth2 -d 0/0 -j ACCEPT
####
# INTERNAL NETWORK ACCESSING THE SERVER
####
$IPTABLES -A INPUT -s $LAN -d $FW2 -j ACCEPT
$IPTABLES -A INPUT -s $ADM -d $FW0 -j ACCEPT
######################################################
# MARKING PORT 25 AND 110 TRAFFIC
######################################################
# MARK does not terminate the chain, hence the RETURN after each mail port; everything
# else from the LAN gets mark 10. (The posted script also set mark 10 between the two
# mail ports; that line was overwritten by the port 110 rule anyway and is left out here.)
$IPTABLES -t mangle -A PREROUTING -i eth2 -p tcp --dport 25 -j MARK --set-mark 20
$IPTABLES -t mangle -A PREROUTING -i eth2 -p tcp --dport 25 -j RETURN
$IPTABLES -t mangle -A PREROUTING -i eth2 -p tcp --dport 110 -j MARK --set-mark 20
$IPTABLES -t mangle -A PREROUTING -i eth2 -p tcp --dport 110 -j RETURN
$IPTABLES -t mangle -A PREROUTING -i eth2 -j MARK --set-mark 10
######################################################
# BINDING TRAFFIC TO THE TABLE
######################################################
ip rule add fwmark 10 table 10 prio 20
ip rule add fwmark 20 table 20 prio 20
######################################################
# APPLYING THE RULES TO THE ROUTING TABLES
######################################################
ip route flush cached
######################################################
# NAT REDIRECTING PORT 80 TO SQUID
######################################################
# The LAN enters on eth2. The posted rule matched "-i eth0", which together with "-s $LAN"
# can only match spoofed packets, so the interface is corrected here. Squid's own upstream
# connections are generated locally and therefore follow the main table (eth0), as explained
# earlier in the thread.
$IPTABLES -t nat -A PREROUTING -s $LAN -i eth2 -p tcp --dport 80 -j REDIRECT --to-port 3128
###################################################
# RULES FOR EMAIL
###################################################
####
# FORWARD FOR EMAIL
####
# NOTE: "-d $FW2" matches only packets addressed to the firewall's own LAN IP, which go to
# INPUT and are never forwarded, so these four rules never match; the "-i eth2 -d 0/0 -j ACCEPT"
# rule above is what actually lets mail through
$IPTABLES -A FORWARD -p tcp -s $LAN -d $FW2 -o eth1 --dport 25 -j ACCEPT
$IPTABLES -A FORWARD -p tcp -d $LAN -s $FW2 -i eth1 --sport 25 -j ACCEPT
$IPTABLES -A FORWARD -p tcp -s $LAN -d $FW2 -o eth1 --dport 110 -j ACCEPT
$IPTABLES -A FORWARD -p tcp -d $LAN -s $FW2 -i eth1 --sport 110 -j ACCEPT
####
# NAT FOR EMAIL
####
$IPTABLES -t nat -A POSTROUTING -s $LAN -p tcp --dport 25 -o eth1 -j MASQUERADE
$IPTABLES -t nat -A POSTROUTING -s $LAN -p tcp --dport 110 -o eth1 -j MASQUERADE
######################################################
# RULES FOR DNS
######################################################
####
# FORWARD FOR DNS
####
# (same note as for the email FORWARD rules: "-d $FW2" traffic is never forwarded)
$IPTABLES -A FORWARD -p udp -s $LAN -d $FW2 -o eth0 --dport 53 -j ACCEPT
$IPTABLES -A FORWARD -p udp -d $LAN -s $FW2 -i eth0 --sport 53 -j ACCEPT
$IPTABLES -A FORWARD -p udp -s $LAN -d $FW2 -o eth1 --dport 53 -j ACCEPT
$IPTABLES -A FORWARD -p udp -d $LAN -s $FW2 -i eth1 --sport 53 -j ACCEPT
####
# NAT FOR DNS
####
$IPTABLES -t nat -A POSTROUTING -s $LAN -p udp --dport 53 -o eth0 -j MASQUERADE
$IPTABLES -t nat -A POSTROUTING -s $LAN -p udp --dport 53 -o eth1 -j MASQUERADE
#####################################################
# GENERAL BLOCK
#####################################################
$IPTABLES -A INPUT -j DROP
$IPTABLES -A FORWARD -j DROP
$IPTABLES -A OUTPUT -j ACCEPT
echo "SCRIPT IPTABLES EXECUTADO"
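The final script answers the port 80 question with a REDIRECT to squid, but two things are easy to get wrong in that design: the mark/RETURN/mark sequence grows a line per port, and squid's upstream connections are locally generated, so by Magnun's explanation they follow the main table (eth0) rather than link2 unless they are marked in the OUTPUT chain. The block below is an added example, not wasley's script: it regenerates the marking and NAT rules with a dedicated mangle chain, matches the REDIRECT on the LAN interface, and adds an owner-based OUTPUT mark for squid's own traffic. It prints the commands unless DRY_RUN=0 so it can be reviewed without root. Assumptions of this example: the squid process runs as user "squid", the DRY_RUN/IPTABLES variables, and the chain name LAN_MARK; interfaces, ports, marks and port 3128 are the thread's.

```shell
#!/bin/sh
# Added example for this thread (not wasley's final script): the marking, redirect
# and NAT rules rebuilt as a generator so their ordering can be reviewed unprivileged.
# Assumptions: squid runs as user "squid"; DRY_RUN=1 prints instead of executing.

IPTABLES="${IPTABLES:-/sbin/iptables}"
DRY_RUN="${DRY_RUN:-1}"
LAN="192.168.2.0/24"; LAN_IF="eth2"; LINK2_IF="eth1"
MARK_LINK1=10; MARK_LINK2=20; SQUID_PORT=3128; SQUID_USER="${SQUID_USER:-squid}"

# run CMD...: print the command in dry-run mode, execute it otherwise
run() { if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi; }
ipt() { run "$IPTABLES" "$@"; }

# mark_forwarded: one dedicated chain instead of repeated MARK/RETURN pairs.
# Everything from the LAN gets the link1 mark first; the mail ports then overwrite
# it with the link2 mark. MARK is non-terminating, so the later rule wins.
mark_forwarded() {
    ipt -t mangle -N LAN_MARK 2>/dev/null   # no-op if the chain already exists
    ipt -t mangle -F LAN_MARK               # makes re-running the script idempotent
    ipt -t mangle -A LAN_MARK -j MARK --set-mark "$MARK_LINK1"
    for port in 25 110; do
        ipt -t mangle -A LAN_MARK -p tcp --dport "$port" -j MARK --set-mark "$MARK_LINK2"
    done
    ipt -t mangle -A PREROUTING -i "$LAN_IF" -s "$LAN" -j LAN_MARK
}

# redirect_web: transparent proxy for the LAN. The match is on the LAN interface;
# "-i eth0" combined with "-s 192.168.2.0/24" would only ever match spoofed packets.
redirect_web() {
    ipt -t nat -A PREROUTING -i "$LAN_IF" -s "$LAN" -p tcp --dport 80 \
        -j REDIRECT --to-port "$SQUID_PORT"
}

# mark_squid_output: squid's upstream connections originate on the box, so they
# never pass PREROUTING and would follow the main table (eth0). Marking them in
# OUTPUT makes the kernel re-route them via the fwmark rule; the source address was
# already chosen from the main-table route, so MASQUERADE on eth1 rewrites it.
mark_squid_output() {
    ipt -t mangle -A OUTPUT -m owner --uid-owner "$SQUID_USER" -p tcp --dport 80 \
        -j MARK --set-mark "$MARK_LINK2"
    ipt -t nat -A POSTROUTING -o "$LINK2_IF" -m mark --mark "$MARK_LINK2" -j MASQUERADE
}

# plan: the complete rule sequence, in the order it must be applied
plan() {
    mark_forwarded
    redirect_web
    mark_squid_output
}

# usage: sh thisfile.sh && plan            (review)   DRY_RUN=0 ... plan   (apply, as root)
```

The owner match and the OUTPUT mark are the part the thread's script lacks; without them the REDIRECT works but every page squid fetches leaves through eth0, which is exactly the locally-generated-traffic behaviour Magnun described for ping.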