Pessoal, tenho um server Slack 10.2 com iptables, squid e iproute2.
A parte do load balance está funcionando; o problema é que, quando um link cai, o outro não assume e a rede para.
Se alguém sabe o que devo fazer, agradeço.
Abaixo uma cópia do meu script de firewall:
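#!/bin/sh
#Script de Firewall
#Suportech Consultoria e Informática
#Giovane Jr ¥ Japa ¥
#[email protected]
#
# Firewall plus two-uplink load balancing (iptables + iproute2).
#
# Topology as far as this script shows it (confirm against the machine):
#   eth0 - presumably the LAN side, 192.168.1.0/24
#   eth1 - uplink "netsuper": local 192.168.2.2, gateway 192.168.2.1
#   eth2 - uplink "wideway":  local 192.168.3.2, gateway 192.168.3.1
#
# Requires the routing tables "netsuper", "wideway" and "internet" to be
# declared in /etc/iproute2/rt_tables; the script aborts early if they are
# missing instead of failing half-way through.
#
# NOTE(review): every default policy is left at ACCEPT (see reset_firewall),
# exactly as in the original. Consequently the ACCEPT rules in INPUT and
# FORWARD below change nothing; only the explicit DROPs (non-first fragments
# on eth1/eth2, INVALID state in FORWARD) actually block traffic, and the host
# itself is reachable on every port from both uplinks. Switching INPUT/FORWARD
# to DROP is the real hardening step, but do it from the console, after adding
# ACCEPT rules for the LAN interface and for squid's listening port, so a
# remote session over eth1/eth2 cannot be locked out.
#
# The script is safe to re-run: routes, rules and iptables chains are reset
# before being rebuilt.

IR0="eth0"
IR1="eth1"
IR2="eth2"
# IR0/IR1/IR2 are kept for compatibility; the rules below still name the
# interfaces literally, as the original did.
#RINTERNA="192.168.1.1/24"
#ENDREMOTO="192.168.0.1"
UP_PORTS="1024:"
#D_PORTS="1024:"
DNS1="200.146.201.11"
DNS2="200.146.201.12"

# Progress output. printf replaces `echo -n`, which is not portable under
# #!/bin/sh (it happens to work on bash-as-sh, but not on every sh).
step() { printf '%s' "$1"; }
line() { printf '%s\n' "$1"; }
ok() { printf ' [OK]\n'; }
die() { printf '%s\n' "$*" >&2; exit 1; }

#######################################
# Abort unless the named routing table is declared in rt_tables.
# Arguments: $1 - table name (netsuper, wideway, internet)
#######################################
check_rt_table() {
  # ip(8) resolves symbolic table names through this file; without the entry
  # every "table $1" command below fails and the box is left half-configured.
  grep -q "[[:space:]]$1\$" /etc/iproute2/rt_tables \
    || die "tabela de roteamento '$1' nao declarada em /etc/iproute2/rt_tables"
}

load_modules() {
  step "Carregando os modulos..."
  modprobe ip_tables
  modprobe iptable_filter
  modprobe ip_conntrack
  modprobe ip_conntrack_ftp
  modprobe iptable_nat
  modprobe ip_nat_ftp
  modprobe ipt_LOG
  modprobe ipt_state
  modprobe ipt_MASQUERADE
  ok
}

reset_firewall() {
  step "Resetando Firewall..."
  iptables -F
  iptables -Z
  iptables -X
  iptables -t nat -F
  iptables -t mangle -F
  # Policies stay ACCEPT, as in the original -- see the header note.
  iptables -t filter -P INPUT ACCEPT
  iptables -t filter -P OUTPUT ACCEPT
  iptables -t filter -P FORWARD ACCEPT
  iptables -t nat -P PREROUTING ACCEPT
  iptables -t nat -P OUTPUT ACCEPT
  iptables -t nat -P POSTROUTING ACCEPT
  ok
}

#######################################
# Remove routes and rules left by a previous run so that the "ip route add" /
# "ip rule add" commands below neither fail with "File exists" nor pile up
# duplicate rule entries.
#######################################
reset_routing() {
  # No default route may exist yet on first boot; the error is expected then.
  ip route del default 2>/dev/null
  for table in netsuper wideway internet; do
    ip route flush table "$table"
  done
  # "ip rule del" removes one matching entry per call and returns non-zero
  # when none is left, which terminates each loop.
  while ip rule del from 192.168.2.2 table netsuper 2>/dev/null; do :; done
  while ip rule del from 192.168.3.2 table wideway 2>/dev/null; do :; done
  while ip rule del fwmark 3 lookup internet prio 3 2>/dev/null; do :; done
}

enable_routing() {
  step "Habilitando o roteamento..."
  echo "1" > /proc/sys/net/ipv4/ip_forward
  #echo "4096" > /proc/sys/net/ipv4/ip_conntrack_max
  echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
  ok
}

allow_localhost() {
  step "Liberando acesso do localhost..."
  iptables -A INPUT -p ALL -s 127.0.0.1 -i lo -j ACCEPT
  # Locally generated traffic to the box's own addresses also arrives on lo.
  iptables -A INPUT -p ALL -s 192.168.1.1 -i lo -j ACCEPT
  iptables -A INPUT -p ALL -s 192.168.2.2 -i lo -j ACCEPT
  iptables -A INPUT -p ALL -s 192.168.3.2 -i lo -j ACCEPT
  ok
}

allow_established() {
  step "Otimimizando o roteamento..."
  iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
  ok
}

#######################################
# Accept replies from the two resolvers to this host.
# The original rules were "-s 192.168.1.0/24 --sport 53 -d $DNSn": a LAN
# source going to the resolver, which never traverses INPUT (that chain only
# sees packets addressed to this host), so they matched nothing. A reply comes
# *from* the resolver, source port 53, to an unprivileged local port -- hence
# the previously unused $UP_PORTS, which keeps a spoofed sport-53 packet from
# reaching privileged services. The stateful rule in allow_established already
# covers real replies; this is a fallback should that rule ever be removed.
#######################################
allow_dns_replies() {
  step "Liberando servidores DNS..."
  iptables -A INPUT -p udp -s "$DNS1" --sport 53 --dport "$UP_PORTS" -j ACCEPT
  iptables -A INPUT -p udp -s "$DNS2" --sport 53 --dport "$UP_PORTS" -j ACCEPT
  ok
}

#######################################
# Mark traffic generated locally by uid 23 (presumably the squid user --
# confirm with `id squid`) so that it is routed through table "internet".
# The transparent REDIRECT to 3128 remains disabled, as in the original.
#######################################
mark_squid() {
  step "Redirecionando Squid..."
  #iptables -t nat -A PREROUTING -p tcp -i eth0 --dport 80 -j REDIRECT --to-port 3128
  #iptables -t nat -A PREROUTING -p udp -i eth0 --dport 80 -j REDIRECT --to-port 3128
  iptables -t mangle -A OUTPUT -p tcp --dport 80 -m owner --uid-owner 23 -j MARK --set-mark 3
  iptables -t mangle -A OUTPUT -p tcp --dport 53 -m owner --uid-owner 23 -j MARK --set-mark 3
  iptables -t mangle -A OUTPUT -p udp --dport 53 -m owner --uid-owner 23 -j MARK --set-mark 3
  ok
}

allow_ssh() {
  step "Liberando acesso SSH..."
  # Only meaningful once the INPUT policy is DROP; note it opens SSH on eth1
  # (an uplink) but not on eth2 -- check whether that asymmetry is intended.
  iptables -A INPUT -i eth1 -p tcp --syn --dport 22 -j ACCEPT
  ok
}

masquerade() {
  step "Habilitando o mascaramento..."
  iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE
  iptables -t nat -A POSTROUTING -o eth2 -j MASQUERADE
  ok
}

#######################################
# Log and drop non-first fragments arriving on the uplinks. "-f" matches
# second and later fragments only; with ip_conntrack loaded the kernel
# reassembles before the filter table, so these rules rarely see a packet.
#######################################
drop_fragments() {
  step "Bloquando pacotes fragmentados..."
  iptables -A INPUT -i eth1 -f -j LOG --log-prefix "Pacote fragmentado: "
  iptables -A INPUT -i eth1 -f -j DROP
  iptables -A INPUT -i eth2 -f -j LOG --log-prefix "Pacote fragmentado: "
  iptables -A INPUT -i eth2 -f -j DROP
  ok
}

forward_rules() {
  step "Descartando pacotes invalidos para reenvio..."
  iptables -A FORWARD -m state --state INVALID -j DROP
  ok
  step "Manutencao de conexoes ativas..."
  iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
  ok
  step "Liberando DNS para rede interna..."
  # The blanket "-s 192.168.1.0/24 -j ACCEPT" used to come first and shadowed
  # the four DNS rules entirely. The specific rules now precede it so they are
  # reachable; the overall outcome is unchanged (everything from the LAN is
  # still accepted, and the FORWARD policy is ACCEPT anyway).
  iptables -A FORWARD -p udp -s 192.168.1.0/24 -d "$DNS1" --dport 53 -j ACCEPT
  iptables -A FORWARD -p udp -s 192.168.1.0/24 -d "$DNS2" --dport 53 -j ACCEPT
  iptables -A FORWARD -p udp -s "$DNS1" --sport 53 -d 192.168.1.0/24 -j ACCEPT
  iptables -A FORWARD -p udp -s "$DNS2" --sport 53 -d 192.168.1.0/24 -j ACCEPT
  iptables -A FORWARD -s 192.168.1.0/24 -j ACCEPT
  ok
}

mark_lan() {
  step "Marcando pacotes..."
  # Everything forwarded from the LAN gets mark 3 -> table "internet".
  iptables -A PREROUTING -t mangle -s 192.168.1.0/24 -d 0/0 -j MARK --set-mark 3
  ok
}

#######################################
# Disable reverse-path (martian source) filtering on all interfaces.
# Needed because replies on a two-uplink setup may enter on an interface the
# main table would not have chosen. It also removes the kernel's anti-spoofing
# check on the uplinks; if the LAN side does not need policy routing, keeping
# rp_filter=1 on eth0 would retain it there -- test before relying on that.
#######################################
disable_rp_filter() {
  step "Desligando rp_filter..."
  for rpf in /proc/sys/net/ipv4/conf/*/rp_filter; do
    echo 0 > "$rpf"
  done
  ok
}

routing_tables() {
  step "Netsuper...."
  ip route add 192.168.2.0/24 dev eth1 src 192.168.2.2 table netsuper
  #ip route add 192.168.2.0/24 via 192.168.2.1 table netsuper
  ip route add default via 192.168.2.1 table netsuper
  ok
  step "Wideway...."
  ip route add 192.168.3.0/24 dev eth2 src 192.168.3.2 table wideway
  #ip route add 192.168.3.0/24 via 192.168.3.1 table wideway
  ip route add default via 192.168.3.1 table wideway
  ok
  line "Setando tabela de roteamento"
  ip route add 192.168.2.0/24 dev eth1 src 192.168.2.2 table internet
  ip route add 192.168.3.0/24 dev eth2 src 192.168.3.2 table internet
  ok
  line "Rota Default...."
  # No default route in the main table, as in the original; local traffic not
  # marked by mark_squid therefore has no way out. Keep that in mind when
  # running updates or resolving names from the box itself.
  #ip route add default via 192.168.2.1
  ok
  line "Regras das tabelas..."
  ip rule add from 192.168.2.2 table netsuper
  ip rule add from 192.168.3.2 table wideway
  ok
}

#######################################
# (Re)install the default route of table "internet" as an equal-cost
# multipath route over the given gateways.
# Arguments: GW DEV [GW DEV ...] -- one pair per healthy uplink
# Callers: balance_links (both uplinks). A link monitor that detects a dead
# provider can call it again with only the surviving pair, then the route
# cache is flushed so existing flows stop using the dead gateway.
#######################################
install_default_route() {
  [ "$#" -ge 2 ] || die "install_default_route: informe ao menos um par GATEWAY DEV"
  nexthops=""
  while [ "$#" -ge 2 ]; do
    nexthops="$nexthops nexthop via $1 dev $2 weight 1"
    shift 2
  done
  # shellcheck disable=SC2086 -- $nexthops is a deliberately word-split
  # argument list of IPs and device names.
  ip route replace default table internet $nexthops
  ip route flush cache
}

balance_links() {
  line "Balanceamento de links..."
  step "1.."
  ip rule add fwmark 3 lookup internet prio 3
  ok
  line "2..."
  # Why a link failure takes the whole network down: the kernel drops a
  # nexthop only when its device loses carrier. It never probes whether
  # 192.168.2.1 / 192.168.3.1 still forward traffic, so when a provider dies
  # while eth1/eth2 stays up, new flows keep being hashed to the dead gateway
  # and the route cache keeps existing flows pinned to it. Failover therefore
  # needs a periodic health check outside this script (e.g. ping a host beyond
  # each gateway with "ping -I eth1" / "ping -I eth2") that calls
  # install_default_route with only the healthy pairs.
  install_default_route 192.168.2.1 eth1 192.168.3.1 eth2
  ok
}

flush_route_cache() {
  line "Flush no roteamento..."
  ip route flush cache
  ok
}

main() {
  [ "$(id -u)" -eq 0 ] || die "este script precisa ser executado como root"
  command -v iptables >/dev/null 2>&1 || die "iptables nao encontrado"
  command -v ip >/dev/null 2>&1 || die "ip (iproute2) nao encontrado"
  check_rt_table netsuper
  check_rt_table wideway
  check_rt_table internet

  reset_routing
  load_modules
  reset_firewall
  enable_routing
  # Chain order below matches the original rule order within each chain.
  allow_localhost
  allow_established
  allow_dns_replies
  mark_squid
  allow_ssh
  masquerade
  drop_fragments
  forward_rules
  mark_lan
  disable_rp_filter
  routing_tables
  balance_links
  flush_route_cache
}

main "$@"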