-
I personally didn't know about the -j ROUTE option. After researching a bit, I found out that it comes from some patches that can be applied to extend iptables' functions.
Now the bad news... I think you'll have to compile and install it manually.
Now the good news. There's something they call patch-o-matic, but I don't know it either. I found this link: Netfilter Extensions HOWTO
Just one thing: wouldn't it be more interesting for you to use iproute2??? I find it simpler...
See you...
-
Thanks Magnun,
I'll search the net for how to do this route using iproute2.
-
Right here on Under there's a lot about this. Here are the links to 2 posts:
Proxy and Web server on the same machine + with different links ..
Load balancing between links with iproute2 - mini-howto
The first one is quite similar to your case: it's a guy trying to route port 80 through one eth and the rest through the other.
See you...
-
See how my script turned out, if that's really the idea:
#!/bin/bash
# (bash is required: the script uses the "&>" redirection below)
###################################################
# DEFINING VARIABLES
###################################################
# VARIABLE FOR IPTABLES
IPTABLES="/sbin/iptables"
# FETCHING THE ADDRESS OF THE DYNAMIC-IP INTERFACES
# (the "inet end." pattern matches pt_BR ifconfig output; adjust it for other locales)
FW0=`ifconfig eth0| grep "inet end."| awk '{print $3}'|cut -d":" -f2`
FW1=`ifconfig eth1| grep "inet end."| awk '{print $3}'|cut -d":" -f2`
# LOCAL INTERFACE (eth2)
FW2="192.168.2.1/32"
# INTERNAL NETWORK
LAN="192.168.2.0/24"
###################################################
# LOADING MODULES
###################################################
DEPMOD=/sbin/depmod
MODPROBE=/sbin/modprobe
$DEPMOD -a
$MODPROBE ip_conntrack_ftp
$MODPROBE ip_nat_ftp
$MODPROBE iptable_nat
###################################################
# ENABLING ROUTING
###################################################
echo 1 > /proc/sys/net/ipv4/ip_forward
echo 1 > /proc/sys/net/ipv4/ip_dynaddr
###################################################
# GENERAL CLEANUP
###################################################
$IPTABLES -F
$IPTABLES -F INPUT
$IPTABLES -F OUTPUT
$IPTABLES -F FORWARD
$IPTABLES -F -t mangle
$IPTABLES -F -t nat
$IPTABLES -X
###################################################
# POLICY SETUP
###################################################
####
# FILTER TABLE
####
$IPTABLES -P INPUT DROP
$IPTABLES -P OUTPUT DROP
$IPTABLES -P FORWARD DROP
###################################################
# STABILITY RULE / ROUTING DYNAMICS
###################################################
$IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
###################################################
# REMOVING THE RULES FROM THE TABLES
###################################################
# (tables link1 and link2 must be declared in /etc/iproute2/rt_tables)
ip route del default table link1 &> /dev/null
ip route del default table link2 &> /dev/null
####################################################
# REMOVING THE DEFAULT ROUTE
####################################################
# (repeated so that more than one default route gets removed)
ip route del default &> /dev/null
ip route del default &> /dev/null
ip route del default &> /dev/null
#####################################################
# INSERTING THE DEFAULT ROUTE INTO THE TABLES
#####################################################
ip route add table link1 default via 192.168.0.1
ip route add table link2 default via 192.168.1.1
###################################################
# INVALID (INTERNAL) AND LOCAL NETWORK
###################################################
####
# LOOPBACK INTERFACE
####
$IPTABLES -A INPUT -i lo -j ACCEPT
####
# INVALID NETWORK
####
$IPTABLES -A FORWARD -i eth2 -d 0/0 -j ACCEPT
####
# INTERNAL NETWORK REACHING THE SERVER
####
$IPTABLES -A INPUT -s $LAN -d $FW2 -j ACCEPT
####################################################
# MARKING PORT 80 TRAFFIC
####################################################
# The marks are set on packets arriving from the LAN interface (eth2). The
# original rules used -i eth1, which is one of the WAN links and would never
# match the clients' outgoing traffic.
$IPTABLES -t mangle -A PREROUTING -i eth2 -p tcp --dport 80 -j MARK --set-mark 20
$IPTABLES -t mangle -A PREROUTING -i eth2 -p tcp --dport 80 -j RETURN
$IPTABLES -t mangle -A PREROUTING -i eth2 -j MARK --set-mark 10
#####################################################
# BINDING THE MARKED TRAFFIC TO THE TABLES
#####################################################
# The rules must look up the same tables the default routes were added to
# (link1/link2). The original referenced tables 10 and 20, which only works
# if rt_tables happens to map link1=10 and link2=20.
ip rule add fwmark 10 table link1 prio 20
ip rule add fwmark 20 table link2 prio 20
# Flush the routing cache so the new rules take effect for existing flows too.
ip route flush cache
##################################################
# DNS RULES
##################################################
####
# FORWARD FOR DNS
####
# Packets in the FORWARD chain never carry the router's own address ($FW2), so
# the original "-d $FW2" / "-s $FW2" rules could not match; any destination is used.
$IPTABLES -A FORWARD -p udp -s $LAN -d 0/0 -o eth0 --dport 53 -j ACCEPT
$IPTABLES -A FORWARD -p udp -d $LAN -s 0/0 -i eth0 --sport 53 -j ACCEPT
$IPTABLES -A FORWARD -p udp -s $LAN -d 0/0 -o eth1 --dport 53 -j ACCEPT
$IPTABLES -A FORWARD -p udp -d $LAN -s 0/0 -i eth1 --sport 53 -j ACCEPT
####
# NAT FOR DNS
####
# Note: only DNS is masqueraded here; the rest of the LAN traffic leaves with
# its private source address, so the upstream gateways need a route back to $LAN.
$IPTABLES -t nat -A POSTROUTING -s $LAN -p udp --dport 53 -o eth0 -j MASQUERADE
$IPTABLES -t nat -A POSTROUTING -s $LAN -p udp --dport 53 -o eth1 -j MASQUERADE
###################################################
$IPTABLES -A INPUT -j DROP
$IPTABLES -A FORWARD -j DROP
$IPTABLES -A OUTPUT -j ACCEPT
Here is how the routes look:
ip route show table main
192.168.2.0/24 dev eth2 proto kernel scope link src 192.168.2.1
192.168.1.0/24 dev eth1 proto kernel scope link src 192.168.1.2
192.168.0.0/24 dev eth0 proto kernel scope link src 192.168.0.31
169.254.0.0/16 dev eth2 scope link
ip route show table link1
default via 192.168.0.1 dev eth0
ip route show table link2
default via 192.168.1.1 dev eth1
Thanks in advance.
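As an added example (not from this thread or its posters), here is an offline consistency check for the kind of fwmark setup in the script above: it catches the mismatch where the ip rules look up tables 10 and 20 while the default routes were added to link1 and link2, and a mark set by iptables that has no ip rule at all. The ip rule text and the table contents are constructed samples standing in for the real command output.

```shell
#!/bin/sh
# Added example, not from this thread: offline consistency check for the fwmark
# setup above. Each "fwmark" rule in `ip rule show` output must point at a table
# that holds a default route, and each mark set by the MARK targets must have an
# ip rule, otherwise that traffic silently uses table main. Samples are constructed.

# Constructed `ip rule show` output (iproute2 prints marks in hex: 0xa = 10).
RULES='0:      from all lookup local
20:     from all fwmark 0xa lookup link1
20:     from all fwmark 0x14 lookup link2
32766:  from all lookup main
32767:  from all lookup default'
# Constructed stand-in for `ip route show table <name>`; unknown table: no output.
route_table() {
    case "$1" in
    link1) echo 'default via 192.168.0.1 dev eth0' ;;
    link2) echo 'default via 192.168.1.1 dev eth1' ;;
    *) return 1 ;;
    esac
}
# For each fwmark rule in $1 prints "mark table ok|no-default-route" (decimal mark);
# returns 1 if a referenced table lacks a default route.
check_fwmark_tables() {
    rc=0
    while read -r line; do
        case "$line" in *fwmark*) ;; *) continue ;; esac
        hex=${line#*fwmark }; hex=${hex%% *}      # 0xa or 10, both handled
        tbl=${line#*lookup }; tbl=${tbl%% *}
        if route_table "$tbl" | grep -q '^default via'; then
            echo "$(($hex)) $tbl ok"
        else
            echo "$(($hex)) $tbl no-default-route"; rc=1
        fi
    done <<EOF
$1
EOF
    return $rc
}
# $1: ip rule output, $2: space-separated marks set by MARK targets; returns 1
# if a mark has no rule (that traffic would fall through to the main table).
check_marks_have_rules() {
    rc=0
    for m in $2; do
        hex=$(printf '0x%x' "$m")
        printf '%s\n' "$1" | grep -Eq "fwmark ($hex|$m) " \
            || { echo "mark $m has no ip rule"; rc=1; }
    done
    return $rc
}
```

On a real box, feed it `"$(ip rule show)"` and replace route_table with a call to `ip route show table "$1"`.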
-
Looks like everything is OK. Usually when we use iproute2 we disable the kernel routes. So it's a good idea to delete those routes assigned with route add -net 0/0...
To test, either you do a packet capture on the gateways to be sure which way it's being forwarded, or you run tcpdump on this Linux box's outgoing interfaces.
See you...