-
Bandlimit com cache
Galera, está brabo de encontrar informações sobre o meu problema. Possuo um link de Velox com 4 MBps e fiz o compartilhamento com o pessoal do prédio onde moro; limitei a galera em 128Kbps para download e upload. Até aí tudo bem, o compartilhamento está funcionando bem, mas estes computadores que estão com limite de banda não conseguem utilizar o cache do meu proxy; quando paro o meu bandlimit, eles conseguem ter acesso ao cache e também ficam sem qualquer limite de banda. Se alguém puder me ajudar ficarei muito grato.....
-
Re: Bandlimit com cache
Galera, mais uma vez venho pedir a ajuda de vocês, pois continuo com o "problema" de não conseguir ter acesso ao cache do squid com a utilização do Bandlimit, ou seja, a rede que está com limite vai direto para a internet e não utiliza o cache, mas quando paro o Bandlimit essa rede acessa normalmente o cache. Seguem abaixo os meus scripts e arquivos de configuração do Squid, Firewall e Bandlimit. Ficarei muito grato caso alguém possa me ajudar. (Devido ao limite de caracteres, abaixo segue só o do Squid; na outra mensagem seguem o Firewall e o Bandlimit.)
Squid:
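# Squid 2.x configuration for the shared-building proxy. The firewall script
# REDIRECTs port 80 from eth0 and eth2 to 3128, so most clients arrive here
# transparently (see the httpd_accel_* block at the end).
http_port 3128
# Never cache dynamic content (cgi-bin / query strings).
hierarchy_stoplist cgi-bin ?
acl QUERY urlpath_regex cgi-bin \?
no_cache deny QUERY
# Memory and disk cache sizing.
cache_mem 256 MB
cache_swap_low 95
cache_swap_high 98
maximum_object_size 100 MB
minimum_object_size 3 KB
maximum_object_size_in_memory 20 KB
ipcache_size 2048
ipcache_low 90
ipcache_high 95
cache_dir ufs /var/spool/squid 15000 16 256
cache_access_log /var/log/squid/access.log
cache_log /var/log/squid/cache.log
# Basic-auth helper parameters are set, but no proxy_auth acl references
# them below, so no request is ever challenged; either wire an auth acl into
# http_access or drop these four lines.
auth_param basic children 5
auth_param basic realm Squid proxy-caching web server
auth_param basic credentialsttl 2 hours
auth_param basic casesensitive off
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern . 0 20% 4320
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443 563
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 563 # https, snews
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT
# Client networks. Every network whose HTTP the firewall redirects to 3128
# needs a src acl here, otherwise its requests fall through to "deny all".
# The firewall also redirects SALA 301 (192.168.4.0/29) from eth2, but that
# network has no acl below; if it is meant to use the proxy, add a line like
# the following (name constructed to follow the existing pattern) and the
# matching "http_access allow" entry:
#acl redepredio7 src 192.168.4.0/29
acl minharede src 192.168.254.0/24
acl redepredio src 192.168.1.8/29
acl redepredio2 src 192.168.1.16/29
acl redepredio3 src 192.168.1.24/29
acl redepredio4 src 192.168.1.32/29
acl redepredio5 src 192.168.1.40/29
acl redepredio6 src 192.168.1.48/29
# Cache manager only from the box itself.
http_access allow manager localhost
http_access deny manager
# Deny requests to unknown ports
http_access deny !Safe_ports
# Deny CONNECT to other than SSL ports
http_access deny CONNECT !SSL_ports
http_access allow minharede
http_access allow redepredio
http_access allow redepredio2
http_access allow redepredio3
http_access allow redepredio4
http_access allow redepredio5
http_access allow redepredio6
http_access allow localhost
http_access deny all
# and finally allow by default (the original listed this line twice)
http_reply_access allow all
# ICP is open to any source. The firewall's INPUT DROP policy keeps it off
# ppp0, but the blanket internal INPUT rules there expose it to every tenant
# network; restrict it to the src acls above if ICP is not actually used.
icp_access allow all
cache_mgr root
visible_hostname SERVIDOR-PROXY
# Squid 2.5-style transparent ("accelerator") proxy settings.
#Default:
httpd_accel_port 80
#Default:
httpd_accel_host virtual
#Default:
httpd_accel_with_proxy on
#Default:
httpd_accel_uses_host_header on
httpd_accel_no_pmtu_disc off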
-
Re: Bandlimit com cache
Script do Firewall.....
Firewall:
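#!/bin/sh
###############################################################################
# Firewall, NAT and transparent-proxy rules for the shared Velox link.
#
# Interfaces as used by the rules below:
#   ppp0 - Internet (Velox)
#   eth0 - 192.168.254.0/24 (own network)
#   eth1 - 192.168.2.0/24
#   eth2 - building networks: one /29 per apartment, plus SALA 301
#
# The script flushes and rebuilds everything, so it is safe to run repeatedly.
# The BandLimit script re-runs it (script=/etc/frw there) after flushing the
# mangle table and appends its MARK rules afterwards; nothing here touches
# mangle.
#
# Rule order only matters where a DROP precedes an ACCEPT for the same
# traffic (the two ppp0 DROPs below); every other rule is an ACCEPT, so
# grouping them by service in loops keeps the original semantics rule for
# rule. Word-splitting of the *_NETS lists is intentional: POSIX sh has no
# arrays.
###############################################################################

WAN_IF=ppp0
WAN_IP=200.201.174.207        # public address, excluded from the HTTP redirect
LAN_IF=eth0
LAN_NET=192.168.254.0/24
LAN2_IF=eth1
LAN2_NET=192.168.2.0/24
PREDIO_IF=eth2
PROXY_PORT=3128
# Apartment networks behind eth2 (303, COBERTURA, 402, 404, 401, 403).
PREDIO_NETS="192.168.1.8/29 192.168.1.16/29 192.168.1.24/29 192.168.1.32/29 192.168.1.40/29 192.168.1.48/29"
# SALA 301 is also behind eth2 and is forwarded/NATed like the others, but the
# original had no dedicated 3128/53 INPUT rules for it (it is reachable through
# the blanket INPUT rule anyway). NOTE(review): its HTTP is redirected to the
# proxy below, yet squid.conf has no src acl for 192.168.4.0/29, so squid
# answers those requests with "deny all"; add the acl there if it should use
# the proxy.
SALA301_NET=192.168.4.0/29

### Reset all rules (filter and nat; mangle is left to BandLimit) ###
iptables -F
iptables -Z
iptables -X
iptables -t nat -F
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT

### Kernel hardening knobs ###
# Reverse-path filtering on every interface (anti-spoofing).
for rp in /proc/sys/net/ipv4/conf/*/rp_filter; do
  echo 1 > "$rp"
done
echo 0 > /proc/sys/net/ipv4/conf/all/accept_redirects
echo 0 > /proc/sys/net/ipv4/conf/all/accept_source_route
echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
echo 1 > /proc/sys/net/ipv4/tcp_syncookies

### Netfilter modules (ipt_mark/ipt_MARK are for BandLimit; ipt_LOG unused) ###
modprobe iptable_filter
modprobe iptable_mangle
modprobe ip_conntrack
modprobe ip_conntrack_ftp
modprobe iptable_nat
#modprobe ipt_LOG
modprobe ipt_state
modprobe ipt_MASQUERADE
modprobe ip_nat_ftp
modprobe ipt_mark
modprobe ipt_MARK
modprobe ipt_mac

echo 1 > /proc/sys/net/ipv4/ip_forward
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts

### Loopback and already-established traffic ###
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

### Services exposed on the Internet side ###
# DNS queries from anywhere. NOTE(review): if the local name server recurses
# for any client, this makes it an open resolver; restrict recursion or this
# rule to the internal networks.
iptables -A INPUT -p udp --dport 53 -i "$WAN_IF" -j ACCEPT
# Ping from the internal interfaces (eth2 was disabled in the original).
iptables -A INPUT -p icmp -s 0/0 -i "$LAN_IF" -j ACCEPT
#iptables -A INPUT -p icmp -s 0/0 -i "$PREDIO_IF" -j ACCEPT
iptables -A INPUT -p icmp -s 0/0 -i "$LAN2_IF" -j ACCEPT
# SSH, HTTP and Webmin reachable from the whole Internet. NOTE(review): Webmin
# (33000) and SSH on the WAN are the most exposed services on this host;
# restrict them to known source addresses or a VPN and keep them patched.
iptables -A INPUT -p tcp --dport 22 -i "$WAN_IF" -j ACCEPT
iptables -A INPUT -p tcp --dport 80 -i "$WAN_IF" -j ACCEPT
iptables -A INPUT -p tcp --dport 33000 -i "$WAN_IF" -j ACCEPT
# Explicitly drop ping and proxy connections from the Internet (the INPUT
# policy is DROP, so these only make the intent visible in the counters).
iptables -A INPUT -p icmp -s 0/0 -i "$WAN_IF" -j DROP
iptables -A INPUT -p tcp -s 0/0 -i "$WAN_IF" --dport "$PROXY_PORT" -j DROP

### Services for the internal networks ###
# SSH from the two directly attached networks.
iptables -A INPUT -p tcp -s "$LAN_NET" -i "$LAN_IF" --dport 22 -j ACCEPT
iptables -A INPUT -p tcp -s "$LAN2_NET" -i "$LAN2_IF" --dport 22 -j ACCEPT
# Transparent proxy port.
iptables -A INPUT -p tcp -s "$LAN_NET" -i "$LAN_IF" --dport "$PROXY_PORT" -j ACCEPT
for net in $PREDIO_NETS; do
  iptables -A INPUT -p tcp -s "$net" -i "$PREDIO_IF" --dport "$PROXY_PORT" -j ACCEPT
done
# DNS (tcp and udp).
for proto in tcp udp; do
  iptables -A INPUT -p "$proto" -s "$LAN_NET" -i "$LAN_IF" --dport 53 -j ACCEPT
  for net in $PREDIO_NETS; do
    iptables -A INPUT -p "$proto" -s "$net" -i "$PREDIO_IF" --dport 53 -j ACCEPT
  done
done
# HTTP on the firewall itself (SALA 301 included, as in the original).
iptables -A INPUT -p tcp -s "$LAN_NET" -i "$LAN_IF" --dport 80 -j ACCEPT
for net in $PREDIO_NETS $SALA301_NET; do
  iptables -A INPUT -p tcp -s "$net" -i "$PREDIO_IF" --dport 80 -j ACCEPT
done
# Blanket accept from every internal network ("to use the proxy").
# NOTE(review): this makes all the per-port rules above redundant and lets
# every tenant reach every service on this host (SSH, Webmin, DNS, the proxy
# and anything else listening). For a shared building where tenants are not
# mutually trusted, delete this block and keep only the per-port rules.
iptables -A INPUT -s "$LAN_NET" -i "$LAN_IF" -j ACCEPT
for net in $PREDIO_NETS $SALA301_NET; do
  iptables -A INPUT -s "$net" -i "$PREDIO_IF" -j ACCEPT
done

### Forwarding: outbound services per network, with explicit reply rules ###
# allow_forward PROTO PORT NET IFACE
#   NET -> Internet on PORT, plus the reply direction back to NET. The reply
#   rule is redundant with the ESTABLISHED,RELATED rule above; kept as in
#   the original.
allow_forward() {
  iptables -A FORWARD -p "$1" -s "$3" --dport "$2" -i "$4" -o "$WAN_IF" -j ACCEPT
  iptables -A FORWARD -p "$1" -d "$3" --sport "$2" -i "$WAN_IF" -o "$4" -j ACCEPT
}
# SMTP, POP3, IMAP, HTTPS, FTP (control + active data), DNS.
for svc in tcp:25 tcp:110 tcp:143 tcp:443 tcp:20:21 udp:53; do
  proto=${svc%%:*}
  port=${svc#*:}
  allow_forward "$proto" "$port" "$LAN_NET" "$LAN_IF"
  allow_forward "$proto" "$port" "$SALA301_NET" "$PREDIO_IF"
  for net in $PREDIO_NETS; do
    allow_forward "$proto" "$port" "$net" "$PREDIO_IF"
  done
done
# Port 80 has no FORWARD rule on purpose: it is redirected to the proxy below.
# ICMP through the box. The original also had a rate-limited echo-request
# rule after the unconditional one; it could never match and was removed.
# To really limit pings, put a "-m limit --limit 1/s" rule first and drop the
# unconditional accept.
iptables -A FORWARD -p icmp --icmp-type 0 -j ACCEPT
iptables -A FORWARD -p icmp --icmp-type echo-request -j ACCEPT

### NAT: masquerade every internal network behind ppp0 ###
iptables -t nat -A POSTROUTING -s "$LAN_NET" -o "$WAN_IF" -j MASQUERADE
for net in $SALA301_NET $PREDIO_NETS; do
  iptables -t nat -A POSTROUTING -s "$net" -o "$WAN_IF" -j MASQUERADE
done

### Transparent proxy: HTTP from eth0/eth2 goes to squid, except to our own IP ###
# "-d!" is the old intrapositioned negation kept from the original; on
# iptables >= 1.4.3 the spelling is "! -d".
for ifc in "$LAN_IF" "$PREDIO_IF"; do
  iptables -t nat -A PREROUTING -i "$ifc" -p tcp --dport 80 -d! "$WAN_IP/32" -j REDIRECT --to-port "$PROXY_PORT"
done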
-
Re: Bandlimit com cache
Script do Bandlimit....
Bandlimit:
#!/bin/bash
##############################################################################
# UnderLinux BandLimit v0.4 #
# ============================================ #
# #
# Copyright (c) 2003 by Marcus Maciel(ScOrP|On) [email protected] #
# https://under-linux.org #
# #
# This program is free software. You can redistribute it and/or modify #
# it under the terms of the GNU General Public License as published by #
# the Free Software Foundation; either version 2 of the License. #
##############################################################################
#ChangeLog v0.4
# Descobre o path dos binários usando which (by Eri Ramos Bastos erirb at xtms.com.br)
# transforma stop e start em funções (by Eri Ramos Bastos erirb at xtms.com.br)
# cria uma função de instalação (by Eri Ramos Bastos erirb at xtms.com.br)
# cria um menu "init-like" (start|stop|restart|install) (by Eri Ramos Bastos erirb at xtms.com.br)
# verifica sempre se o sistema está instalado antes de executá-lo (by Eri Ramos Bastos erirb at xtms.com.br)
# permite maior modularização (by Eri Ramos Bastos erirb at xtms.com.br)
# resolvido problema de nao utilizacao do modulo de compartilhamento
#ChangeLog v0.3
#adicionado compartilhamento de Link
#ChangeLog v0.2
#
#Adicionado opcao para PATH de executaveis
# Dependencias
# Ipchains ou Iptables , iproute2 , modulos do kernel de CBQ QoS e compania... hehehe :)
# Iptables: necessita de iptable_mangle e ipt_MARK
# Ipchains: nenhuma
##################
#INSTALACAO
# crie o diretorio bandlimit dentro do seu /etc
##mkdir /etc/bandlimit
# dentro deste diretorio crie os arquivos ips e interfaces
##touch /etc/bandlimit/ips
##touch /etc/bandlimit/interfaces
# depois edite o ips e o interfaces
# colocando dentro do ips
# os ips que vc deseja limitar 1 por linha no seguinte formato
# ip:ratein:rateout ex: 10.0.1.2:97:33
# e no interfaces as interfaces que vc usa na sua maquina
# no formato ethx ex: eth0
# 1 por linha tambem :)))
#
# Para rodar coloque o script dentro do seu rc.local
# Para remover as regras digite rc.bandlimit stop
#
##################
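# Refuse to run unless invoked as root: tc, iptables and modprobe need it.
# The expansion is quoted so an empty or odd whoami result cannot break the
# test (the original's unquoted form would have errored instead of exiting).
if [ "$(whoami)" != root ]; then
  echo "Voce nao e root"
  exit 1
fi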
# Instalacao do sistema
##finstall(){
#verifica a existencia do destino
##if [ -d /etc/bandlimit ]
##then
## echo "Sistema ja instalado."
##else
## mkdir /etc/bandlimit
## INST_IP=0
#Loop para configuracao de IPs
## echo "Configurando IPs. Digite fim na configuracao de IP para terminar"
## while [ $INST_IP != fim ]
## do
## read -p "Entre com IP: " INST_IP
## if [ $INST_IP = "fim" ]
## then
## break
## fi
## read -p "Entre com Rate-IN: " INST_RATE_IN
## read -p "Entre com Rate-OUT: " INST_RATE_OUT
## echo "$INST_IP:$INST_RATE_IN:$INST_RATE_OUT" >> /etc/bandlimit/ips
## done
## INST_INT=0
#Loop para configuracao de Interfaces
## echo "Configurando Interfaces. Digite fim para terminar"
## while [ $INST_INT != "fim" ]
## do
## read -p "Entre com Interface: " INST_INT
## if [ $INST_INT = "fim" ]
## then
## break
## fi
## echo $INST_INT >> /etc/bandlimit/interfaces
## done
##fi
#}
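# Full paths of the external tools, discovered at start-up. command -v is
# the POSIX replacement for which(1); a tool that is not installed leaves its
# variable empty and only surfaces later as "command not found".
IPTABLES=$(command -v iptables)
TC=$(command -v tc)
##IPCHAINS=$(command -v ipchains)
# NOTE: the ipchains code paths in fstop/fstart use $IPCHAINS, which nothing
# sets while the line above stays commented out; the default firewall is
# iptables, so those paths are effectively dead.
GREP=$(command -v grep)
CUT=$(command -v cut)
EXPR=$(command -v expr)
####
# IMPORTANT: the mangle table is flushed right here, at load time, on EVERY
# invocation (start, stop, restart, install and even the usage message).
# The original comment listed the ipchains equivalents, "ipchains -F input"
# and "ipchains -F output". Any mangle rules of your own firewall are lost,
# which is why fstop/fstart re-run your firewall script afterwards: point
# $script at it, or set it to "0" to disable that. fstop depends on this
# flush (its own flush is commented out), so do not remove it without
# re-enabling that one.
# BandLimit uses marks starting at 2, one per limited IP, so 250 IPs end at
# mark 252; if your firewall script marks packets, start its marks at 1000
# to avoid collisions.
iptables -F -t mangle
#script=/path/seuscript.sh
#script=0
script=/etc/frw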
##########################################################################################################
#Inicio da Configuracao
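#######################################
# Load the configuration into globals (deliberately not local: fstop and
# fstart read them). Called at the start of both.
# Sets: ips, interfaces, compartilha, firewall, redelocal, redelocal2,
#       internet
# Side effect: loads iptable_mangle/ipt_MARK when firewall=iptables.
#######################################
comum()
{
  # Configuration files (see the INSTALACAO block at the top of the script).
  ips=/etc/bandlimit/ips                  # ip:ratein:rateout, one per line
  #ips2=/etc/bandlimit/ips2               # same format, clients behind $redelocal2
  interfaces=/etc/bandlimit/interfaces    # one interface per line
  # Link sharing: lets several IPs share one limit. List the "children"
  # here, one line per parent, and keep the children out of $ips:
  #
  #   ippai:ipfilho1:ipfilho2:0      e.g.  10.0.1.2:10.0.1.3:10.0.1.4:0
  #
  # Always end the line with ":0" - it is the terminator the reader loops on,
  # and without it the reader never stops. Set to "inexistente" to disable.
  compartilha=/etc/bandlimit/compartilha
  #compartilha=inexistente
  # Supported firewalls: ipchains or iptables (default). NOTE: the ipchains
  # paths reference $IPCHAINS, which is never set in this version.
  #firewall=ipchains
  firewall=iptables
  # Interfaces: download classes go on the LAN side(s), upload classes on the
  # Internet side. "inexistente" disables the second LAN.
  redelocal=eth2
  #redelocal2=eth0
  redelocal2=inexistente
  internet=ppp0
  # Netfilter modules needed for MARK-based classification.
  if [ "$firewall" = "iptables" ]; then
    modprobe iptable_mangle
    modprobe ipt_MARK
  fi
} #fim do comum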
# First firewall mark handed out by fstart: one mark (and one tc class per
# direction) per limited IP, incremented as the ips file is processed.
mark=2
#Stop e Start colocados dentro de funcoes
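#######################################
# "stop": delete the root qdisc of every interface listed in $interfaces
# (which removes all its classes and filters) and re-run the firewall script
# so its rules are back in place. The MARK rules in mangle are already gone:
# this script flushes mangle unconditionally at load time (the bare
# "iptables -F -t mangle" near the top); the flush here stays commented out
# as in the original.
# Globals: TC, IPCHAINS, firewall, interfaces, script (via comum)
#######################################
fstop(){
  comum
  echo "Removendo Regras"
  local iface
  # One interface per line; tc complains harmlessly if no qdisc is attached.
  while IFS= read -r iface || [ -n "$iface" ]; do
    [ -n "$iface" ] || continue
    $TC qdisc del dev "$iface" root
  done < "$interfaces"
  if [ "$firewall" != "iptables" ]; then
    $IPCHAINS -F input
    $IPCHAINS -F output
  fi
  ## $IPTABLES -F -t mangle
  if [ "$script" != "0" ]; then
    "$script"
  fi
}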
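#######################################
# Helpers for fstart. Like the rest of the script they work on globals:
# they read TC, IPTABLES, IPCHAINS, firewall, compartilha and internet, and
# _bl_limit advances the global mark.
#######################################

#######################################
# Print, one per line, the "child" IPs that share the limit of $1, read from
# the $compartilha file (ippai:ipfilho1:ipfilho2:0). Only the first line whose
# first field is exactly $1 is used; reading stops at the ":0" terminator or
# at the end of the line, so a line without ":0" no longer loops forever
# (the original grep/cut loop did). Prints nothing when sharing is disabled
# ("inexistente") or the file is missing.
#######################################
_bl_children() {
  local parent=$1 line rest child
  [ "$compartilha" != "inexistente" ] || return 0
  [ -f "$compartilha" ] || return 0
  while IFS= read -r line || [ -n "$line" ]; do
    [ "${line%%:*}" = "$parent" ] || continue
    rest=${line#*:}
    [ "$rest" != "$line" ] || return 0   # no ':' after the parent: no children
    while [ -n "$rest" ]; do
      child=${rest%%:*}
      [ "$child" != "0" ] || return 0
      printf '%s\n' "$child"
      case $rest in
        *:*) rest=${rest#*:} ;;
        *) rest= ;;
      esac
    done
    return 0
  done < "$compartilha"
}

#######################################
# Add one bounded CBQ leaf under root 1: on device $1 with rate $2 (Kbit),
# an SFQ qdisc inside it and an fw filter binding firewall mark $mark to it.
# Same shaping parameters as the original; weight is rate/10 (integer).
#######################################
_bl_class() {
  local dev=$1 rate=$2
  $TC class add dev "$dev" parent 1: classid "1:$mark" cbq bandwidth 10Mbit \
    rate "${rate}Kbit" weight "$((rate / 10))Kbit" prio 5 allot 1514 cell 8 \
    maxburst 20 avpkt 1000 bounded
  $TC qdisc add dev "$dev" parent "1:$mark" handle "$mark" sfq perturb 10
  $TC filter add dev "$dev" parent 1:0 protocol ip prio 200 handle "$mark" fw classid "1:$mark"
}

#######################################
# Mark the packets of $2 and of its link-sharing children with $mark.
# $1 is the direction: "in" marks by destination in mangle POSTROUTING
# (traffic towards the client, shaped on the LAN interface); "out" marks by
# source in mangle FORWARD (traffic from the client towards the Internet,
# shaped on $internet). ipchains keeps the original output/input chains.
#######################################
_bl_mark() {
  local dir=$1 ip=$2 target
  for target in "$ip" $(_bl_children "$ip"); do
    case "$firewall:$dir" in
      iptables:in)  $IPTABLES -t mangle -A POSTROUTING -d "$target" -j MARK --set-mark "$mark" ;;
      iptables:*)   $IPTABLES -t mangle -A FORWARD -s "$target" -j MARK --set-mark "$mark" ;;
      *:in)         $IPCHAINS -A output -d "$target" --mark "$mark" ;;
      *)            $IPCHAINS -A input -s "$target" --mark "$mark" ;;
    esac
  done
}

#######################################
# Shape one client. $1 = LAN interface facing the client, $2 = ip,
# $3 = download rate (Kbit), $4 = upload rate (Kbit). Uses and then advances
# the global mark. Fixes the original's second-LAN block, which sized the
# download class with the upload rate.
# NOTE(review): the "out" mark lives in FORWARD, which only sees routed
# packets; when the firewall REDIRECTs port 80 to the local proxy, the
# proxy's own outbound requests are locally generated and are not matched
# here, so proxied HTTP uploads are not limited by this rule.
#######################################
_bl_limit() {
  local lan=$1 ip=$2 ratein=$3 rateout=$4
  # download: class on the LAN interface, packets marked by destination
  _bl_class "$lan" "$ratein"
  _bl_mark in "$ip"
  # upload: class on the Internet interface, packets marked by source
  _bl_class "$internet" "$rateout"
  _bl_mark out "$ip"
  mark=$((mark + 1))
}

#######################################
# Apply every entry of an ips file. $1 = file (ip:ratein:rateout per line),
# $2 = LAN interface the listed clients sit behind. Blank lines are skipped.
#######################################
_bl_apply_file() {
  local file=$1 lan=$2 ip ratein rateout _rest
  while IFS=: read -r ip ratein rateout _rest || [ -n "$ip" ]; do
    [ -n "$ip" ] || continue
    _bl_limit "$lan" "$ip" "$ratein" "$rateout"
  done < "$file"
}

#######################################
# "start": flush the old marks, re-run the firewall script, build one CBQ
# root per interface in $interfaces and then one class pair + mark per IP in
# $ips (and in $ips2 when a second LAN is configured).
# Globals: TC, IPTABLES, IPCHAINS, firewall, script, interfaces, ips, ips2,
#          redelocal, redelocal2, internet (via comum); mark
#######################################
fstart(){
  comum
  # Start from a clean mark table, then let the firewall script rebuild its
  # filter/nat rules; the MARK rules are appended afterwards.
  if [ "$firewall" = "iptables" ]; then
    $IPTABLES -F -t mangle
  else
    $IPCHAINS -F input
    $IPCHAINS -F output
  fi
  if [ "$script" != "0" ]; then
    "$script"
  fi
  # One CBQ root per interface (one per line), deleting any old one first.
  # $redelocal and $internet must be listed here or the class adds below fail.
  local iface
  while IFS= read -r iface || [ -n "$iface" ]; do
    [ -n "$iface" ] || continue
    $TC qdisc del dev "$iface" root
    $TC qdisc add dev "$iface" root handle 1 cbq bandwidth 10Mbit avpkt 1000 cell 8
    $TC class change dev "$iface" root cbq weight 1Mbit allot 1514
  done < "$interfaces"
  _bl_apply_file "$ips" "$redelocal"
  # Optional second LAN (redelocal2 != inexistente) with its own $ips2 file.
  # comum() leaves ips2 commented out, so guard against an unset path: the
  # original ran "cat" with no argument and blocked on stdin.
  if [ "$redelocal2" != "inexistente" ]; then
    if [ -n "${ips2:-}" ] && [ -f "$ips2" ]; then
      _bl_apply_file "$ips2" "$redelocal2"
    else
      echo "Arquivo ips2 nao configurado; ignorando $redelocal2" >&2
    fi
  fi
}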
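##
# Entry point: init-style dispatcher on the first argument.
# start/stop/restart first check that the configuration directory exists
# (see the INSTALACAO block at the top). Usage errors go to stderr and exit
# non-zero; the original printed usage to stdout and exited 0.
##
bandlimit_dir=/etc/bandlimit
case "${1:-}" in
  stop|start|restart)
    if [ ! -d "$bandlimit_dir" ]; then
      echo "Sistema nao instalado"
      exit 1
    fi
    case $1 in
      stop) fstop ;;
      start) fstart ;;
      restart)
        # Re-exec so each phase runs through the root check and the load-time
        # mangle flush exactly as a standalone call would.
        "$0" stop
        "$0" start
        ;;
    esac
    ;;
  install)
    # finstall is commented out in this version; say so instead of failing
    # with "command not found".
    if type finstall >/dev/null 2>&1; then
      finstall
    else
      echo "Instalacao automatica desativada; siga as instrucoes de INSTALACAO no inicio do script" >&2
      exit 1
    fi
    ;;
  *)
    echo "Uso: $0 (stop|start|restart|install)" >&2
    exit 1
    ;;
esac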