Caros amigos,
Bom dia!
Estou precisando muito que me digam como faço para definir as rotas no meu servidor, porque está tendo um pouco de queda, e também otimizar o acesso.
Estou usando conectiva 10 kernel 2.6.5
As rotas estão por default:
[root@servidor network-scripts]# route
Tabela de Roteamento IP do Kernel
Destino Roteador MáscaraGen. Opções Métrica Ref Uso Iface
200.101.81.192 * 255.255.255.240 U 0 0 0 eth0
10.16.0.0 * 255.255.255.0 U 0 0 0 eth1
16.10.100.0 * 255.255.255.0 U 0 0 0 eth2
127.0.0.0 * 255.0.0.0 U 0 0 0 lo
default 200.101.81.190 0.0.0.0 UG 0 0 0 eth0
[root@servidor network-scripts]#
Tabela de Roteamento IP do Kernel
Destino Roteador MáscaraGen. Opções Métrica Ref Uso Iface
200.101.81.192 0.0.0.0 255.255.255.240 U 0 0 0 eth0
10.16.0.0 0.0.0.0 255.255.255.0 U 0 0 0 eth1
16.10.100.0 0.0.0.0 255.255.255.0 U 0 0 0 eth2
127.0.0.0 0.0.0.0 255.0.0.0 U 0 0 0 lo
0.0.0.0 200.101.81.190 0.0.0.0 UG 0 0 0 eth0
Minhas regras de iptables estão assim:
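#! /bin/sh
# Description: firewall start-up script
# Created by: Germano Silva
# Version 0.2 of 20/01/2004
# El Shammah Linux
#
# Rebuilds the whole ruleset on every run: flushes the filter/nat/mangle
# tables, sets the default policies, then installs the INPUT rules for the
# firewall host itself, the NAT rules, and the FORWARD rules for the two
# LAN segments.  Must run as root.  Written for /bin/sh, so only POSIX
# constructs are used (printf instead of echo -n).
######################################################
NET_IFACE='eth0'          # upstream side
LAN_IFACE='eth1'
LAN_IFACE2='eth2'
LAN_RANGE='10.16.0.0/24'
LAN_BCAST='10.16.0.255'   # directed-broadcast address of LAN_RANGE
LAN_RANGE2='10.16.100.1'  # not referenced by any rule below
NET_VNC='10.16.0.139'     # LAN host that receives the forwarded VNC ports
iptables="/usr/sbin/iptables"

############ Firewall rules #######
######## Flush every table, delete user-defined chains, zero the counters
# One pass per table replaces the three near-identical -F/-X/-Z blocks of
# the original (the later bare -F / -Z / -t nat -F calls were duplicates).
# -X here also removes VALID_CHECK left over from a previous run, so the
# -N below cannot fail with "chain already exists".
for table in filter nat mangle; do
  "$iptables" -t "$table" -F
  "$iptables" -t "$table" -X
  "$iptables" -t "$table" -Z
done

# Enable packet forwarding between the interfaces
echo 1 > /proc/sys/net/ipv4/ip_forward

######## Default policies
# INPUT is DROP, so every service on the firewall host needs an explicit
# ACCEPT below.  FORWARD is left at ACCEPT as in the original; note that
# with this policy the rate-limited "-j ACCEPT" rules further down never
# deny anything -- only the -j DROP / -j REJECT rules in FORWARD have an
# effect.  Tightening FORWARD to DROP is the next step once every needed
# flow has its own ACCEPT rule.
"$iptables" -P INPUT DROP
"$iptables" -P FORWARD ACCEPT
"$iptables" -P OUTPUT ACCEPT

######## Invalid TCP flag combinations (scans / crafted packets)
# Created before the INPUT and FORWARD rules so that both chains can jump
# to it.  In the original the chain was filled but never referenced from
# any built-in chain, so none of these rules ever matched a packet.
"$iptables" -N VALID_CHECK
"$iptables" -A VALID_CHECK -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP
"$iptables" -A VALID_CHECK -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP
"$iptables" -A VALID_CHECK -p tcp --tcp-flags ALL ALL -j DROP
"$iptables" -A VALID_CHECK -p tcp --tcp-flags ALL FIN -j DROP
"$iptables" -A VALID_CHECK -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
"$iptables" -A VALID_CHECK -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
"$iptables" -A VALID_CHECK -p tcp --tcp-flags ALL NONE -j DROP

######## Traffic addressed to the firewall host itself (INPUT)
# Loopback: local daemons talk to each other over lo; with the DROP policy
# and no lo rule they fail silently.
"$iptables" -A INPUT -i lo -j ACCEPT
# Answers to connections the firewall host opened (DNS, updates, ...).
# Without this rule the DROP policy discards every reply the host is
# waiting for, which shows up as unexplained timeouts and "drops".
"$iptables" -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# Malformed TCP is rejected before any port is opened
"$iptables" -A INPUT -p tcp -j VALID_CHECK

######## ICMP: answer echo-request only from the LAN side
"$iptables" -t filter -A INPUT -p icmp --icmp-type echo-request -i "$LAN_IFACE" -j ACCEPT
"$iptables" -t filter -A INPUT -p icmp --icmp-type echo-request -i "$LAN_IFACE2" -j ACCEPT
"$iptables" -t filter -A INPUT -p icmp --icmp-type echo-request -j DROP
"$iptables" -t filter -A INPUT -p icmp --icmp-type echo-reply -j ACCEPT

######## SSH to the firewall host
# No -i restriction: port 22 is reachable from NET_IFACE as well as from
# both LANs.  NOTE(review): if remote administration over the uplink is
# not needed, add -i "$LAN_IFACE" (plus a second rule for LAN_IFACE2), or
# at least rate-limit new connections with -m limit; confirm before
# changing so the administrator is not locked out.
"$iptables" -t filter -A INPUT -p tcp --dport 22 -j ACCEPT

######## Connection sharing (NAT)
# NOTE(review): these rules masquerade traffic leaving *toward the LAN*
# interfaces, so forwarded connections arrive at LAN hosts with the
# firewall's LAN address as source (the hosts cannot log the real peer),
# while LAN -> Internet traffic leaving NET_IFACE is not translated at
# all.  Sharing an uplink is normally written as
# `-o "$NET_IFACE" -j MASQUERADE`; confirm which is intended before
# changing.  Kept as in the original.
printf '%s' "Habilitando o mascaramento..."
"$iptables" -t nat -A POSTROUTING -o "$LAN_IFACE" -j MASQUERADE
"$iptables" -t nat -A POSTROUTING -o "$LAN_IFACE2" -j MASQUERADE
printf '%s\n' " [OK]"

######## Forwarded traffic
# Malformed TCP is dropped first, regardless of direction
"$iptables" -A FORWARD -p tcp -j VALID_CHECK
# Refuse non-first TCP fragments headed into the LAN
"$iptables" -t filter -A FORWARD -j REJECT -f -p tcp -d "$LAN_RANGE"
# Never forward anything to the LAN broadcast address
"$iptables" -t filter -A FORWARD -j DROP -d "$LAN_BCAST"

# Port-scan protection.  See the FORWARD policy note above: with policy
# ACCEPT only the final DROP denies anything; the limited ACCEPTs are kept
# so they become meaningful once the policy is tightened to DROP.
"$iptables" -A FORWARD -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT
"$iptables" -A FORWARD -p tcp -m limit --limit 1/s -j ACCEPT
"$iptables" -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
"$iptables" -A FORWARD -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit 1/s -j ACCEPT
# SYN/ACK with no matching conntrack entry (a reply to a tracked SYN is
# already accepted by the ESTABLISHED rule above)
"$iptables" -A FORWARD --protocol tcp --tcp-flags ALL SYN,ACK -j DROP
# "$iptables" -A FORWARD -m unclean -j DROP

######## VNC: forward ports 5800-5900 from the uplink to NET_VNC
"$iptables" -A FORWARD -i "$NET_IFACE" -p tcp --dport 5800:5900 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
"$iptables" -A FORWARD -i "$NET_IFACE" -p udp --dport 5800:5900 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
"$iptables" -t nat -A PREROUTING -p tcp -i "$NET_IFACE" --dport 5800:5900 -j DNAT --to "$NET_VNC:5800-5900"
"$iptables" -t nat -A PREROUTING -p udp -i "$NET_IFACE" --dport 5800:5900 -j DNAT --to "$NET_VNC:5800-5900"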
Caros amigos, desde já agradeço.
Germano Silva