


#21

    With the changes I made, here is how it looks:

    [root@srvteste scripts]# ip route show table link1
    default via 192.168.0.1 dev eth0
    [root@srvteste scripts]#

    [root@srvteste scripts]# ip route show table link2
    default via 192.168.1.1 dev eth1
    [root@srvteste scripts]#

    Do the routes in the main table need to be deleted? (If so, how do I do that?)

    [root@srvteste scripts]# ip route show table main
    192.168.2.0/24 dev eth2 proto kernel scope link src 192.168.2.1
    192.168.1.0/24 dev eth1 proto kernel scope link src 192.168.1.31
    192.168.0.0/24 dev eth0 proto kernel scope link src 192.168.0.31
    169.254.0.0/16 dev eth1 scope link
    [root@srvteste scripts]#


    After removing the default routes from the main table I can ping both gateways, but I can't ping outside; it comes back as if there were no route, see:

    [root@srvteste scripts]# ping www.terra.com.br
    ping: unknown host www.terra.com.br
    [root@srvteste scripts]#


    Thanks in advance.
    WASLEY

#22

    You don't need to delete the routes from the main table.

    As for the error, that's a DNS error. Try pinging by IP: 64.233.163.104 (that one is Google's)

#23

    Hello Magnun

    I don't think this error is DNS-related; when I enable a default route in the main table I can ping the terra site and Google's IP address. See the tests below:

    [root@srvteste scripts]# ip route add default dev eth0 via 192.168.0.1

    [root@srvteste scripts]# ip route show table main
    192.168.2.0/24 dev eth2 proto kernel scope link src 192.168.2.1
    192.168.1.0/24 dev eth1 proto kernel scope link src 192.168.1.31
    192.168.0.0/24 dev eth0 proto kernel scope link src 192.168.0.31
    169.254.0.0/16 dev eth2 scope link
    default via 192.168.0.1 dev eth0

    [root@srvteste scripts]# ping www.terra.com.br
    PING www.terra.com.br (200.154.56.80) 56(84) bytes of data.
    64 bytes from www.terra.com.br (200.154.56.80): icmp_seq=1 ttl=247 time=37.4 ms

    [root@srvteste scripts]# ping 64.233.163.104
    PING 64.233.163.104 (64.233.163.104) 56(84) bytes of data.
    64 bytes from 64.233.163.104: icmp_seq=1 ttl=55 time=29.0 ms

    And when I don't have a default route in the main table, I can't ping even by IP address.

    Without a default route:

    [root@srvteste scripts]# ip route show table main
    192.168.2.0/24 dev eth2 proto kernel scope link src 192.168.2.1
    192.168.1.0/24 dev eth1 proto kernel scope link src 192.168.1.31
    192.168.0.0/24 dev eth0 proto kernel scope link src 192.168.0.31
    169.254.0.0/16 dev eth2 scope link
    [root@srvteste scripts]#

    [root@srvteste scripts]# ping 64.233.163.104
    connect: Network is unreachable
    [root@srvteste scripts]#

    [root@srvteste scripts]# ping www.terra.com.br
    ping: unknown host www.terra.com.br
    [root@srvteste scripts]#

#24

    It wasn't pinging because it didn't resolve the terra name, look at the message: "unknown host"

    It didn't resolve because it had no gateway. You have to keep that gateway, I was mistaken: since the ping is generated locally, it doesn't go through the iptables MARK rule.

#25

    OK Magnun,
    Let me see if I understood, so the routes have to look like this:

    Main table
    [root@srvteste scripts]# ip route show table main
    192.168.2.0/24 dev eth2 proto kernel scope link src 192.168.2.1
    192.168.1.0/24 dev eth1 proto kernel scope link src 192.168.1.31
    192.168.0.0/24 dev eth0 proto kernel scope link src 192.168.0.31
    169.254.0.0/16 dev eth2 scope link
    default via 192.168.0.1 dev eth0
    default via 192.168.1.1 dev eth1 metric 100
    [root@srvteste scripts]#

    Table link1
    [root@srvteste scripts]# ip route show table link1
    default via 192.168.0.1 dev eth0
    [root@srvteste scripts]#

    Table link2
    [root@srvteste scripts]# ip route show table link2
    default via 192.168.1.1 dev eth1
    [root@srvteste scripts]#

#26

    Since we're using iproute2 and packet marking, I don't think you need this rule in the main table: default via 192.168.1.1 dev eth1 metric 100

#27

    Good morning Magnun,

    As you said, I removed one of the default routes, the one pointing to eth1, leaving only this route, plus the routes in tables link1 and link2; it looks like this:

    [root@srvteste wasley]# ip route show table main
    192.168.2.0/24 dev eth2 proto kernel scope link src 192.168.2.1
    192.168.1.0/24 dev eth1 proto kernel scope link src 192.168.1.31
    192.168.0.0/24 dev eth0 proto kernel scope link src 192.168.0.31
    169.254.0.0/16 dev eth2 scope link
    default via 192.168.0.1 dev eth0
    [root@srvteste wasley]#

    [root@srvteste wasley]# ip route show table link1
    default via 192.168.0.1 dev eth0

    [root@srvteste wasley]# ip route show table link2
    default via 192.168.1.1 dev eth1
    [root@srvteste wasley]#

    Sorry for my ignorance, but if I'm understanding the logic correctly, if the default route included in the main table goes down, the other routes will stop working, including the route going out through eth1 (the one registered in table link2).
    Last edited by wasley; 12-08-2009 at 11:59.

#28

    Man, actually, that route in the main table only serves locally generated traffic (generated by Linux itself), since all the remaining traffic is being handled by tables link1 and link2.

    If you want to confirm this, take a host that is being routed by the Linux box and run a tracert to a destination on the Internet. Then remove the rule from the main table and run the same test; the result should be the same.

    See you...
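To make the point of posts #24 and #28 concrete (why the router's own ping needs a default in main while forwarded traffic does not), here is an added simulation of the routing policy database, written for this page and not taken from the thread or from any poster. It models the rules and tables the thread shows: prio-20 fwmark rules pointing at link1/link2 (it assumes the numeric tables 10 and 20 in the script are aliased to link1 and link2 in /etc/iproute2/rt_tables), the kernel's default rule for main at prio 32766, and the mangle PREROUTING marking from the script in post #29 (port 80 -> mark 20, everything else entering on eth2 -> mark 10). Locally generated packets never traverse PREROUTING, so they carry mark 0 and only ever see main.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network
from typing import Dict, List, Optional, Tuple

@dataclass
class Route:
    prefix: IPv4Network
    dev: str
    via: Optional[str] = None      # None = directly connected ("scope link")

@dataclass
class Rule:
    prio: int
    table: str
    fwmark: Optional[int] = None   # None = matches every packet (like the main rule)

def lookup(table: List[Route], dst: IPv4Address) -> Optional[Route]:
    """Longest-prefix match inside one routing table."""
    best = None
    for r in table:
        if dst in r.prefix and (best is None or r.prefix.prefixlen > best.prefix.prefixlen):
            best = r
    return best

def rpdb_lookup(rules: List[Rule], tables: Dict[str, List[Route]],
                dst: str, mark: int = 0) -> Optional[Tuple[str, str, Optional[str]]]:
    """Walk the rules in priority order; the first table holding a matching route wins.
    No match anywhere is what the kernel reports as 'Network is unreachable'."""
    addr = IPv4Address(dst)
    for rule in sorted(rules, key=lambda r: r.prio):
        if rule.fwmark is not None and rule.fwmark != mark:
            continue
        hit = lookup(tables.get(rule.table, []), addr)
        if hit is not None:
            return rule.table, hit.dev, hit.via
    return None

def mangle_mark(in_dev: Optional[str], dport: Optional[int]) -> int:
    """Model of the thread's mangle PREROUTING rules (post #29 version): only packets
    that ENTER on eth2 are marked. Locally generated packets have no input interface
    (in_dev is None), never pass PREROUTING and therefore keep mark 0."""
    if in_dev != "eth2":
        return 0
    if dport == 80:
        return 20        # -> table link2 (eth1)
    return 10            # -> table link1 (eth0)

def build(main_has_default: bool) -> Tuple[List[Rule], Dict[str, List[Route]]]:
    """Constructed tables matching the 'ip route show' output in the thread."""
    connected = [
        Route(IPv4Network("192.168.2.0/24"), "eth2"),
        Route(IPv4Network("192.168.1.0/24"), "eth1"),
        Route(IPv4Network("192.168.0.0/24"), "eth0"),
    ]
    main = list(connected)
    if main_has_default:
        main.append(Route(IPv4Network("0.0.0.0/0"), "eth0", "192.168.0.1"))
    tables = {
        "main": main,
        "link1": [Route(IPv4Network("0.0.0.0/0"), "eth0", "192.168.0.1")],
        "link2": [Route(IPv4Network("0.0.0.0/0"), "eth1", "192.168.1.1")],
    }
    rules = [
        Rule(20, "link1", fwmark=10),   # ip rule add fwmark 10 table link1 prio 20 (assumed alias of 10)
        Rule(20, "link2", fwmark=20),   # ip rule add fwmark 20 table link2 prio 20 (assumed alias of 20)
        Rule(32766, "main"),            # the kernel's built-in rule for main
    ]
    return rules, tables

def decide(in_dev: Optional[str], dport: Optional[int], dst: str,
           main_has_default: bool = True) -> Optional[Tuple[str, str, Optional[str]]]:
    """Route one packet: mark it as mangle would, then consult the RPDB."""
    rules, tables = build(main_has_default)
    return rpdb_lookup(rules, tables, dst, mangle_mark(in_dev, dport))

if __name__ == "__main__":
    # Forwarded LAN traffic keeps working without a default in main ...
    print(decide("eth2", 80, "200.154.56.80", main_has_default=False))   # ('link2', 'eth1', '192.168.1.1')
    # ... but the router's own ping to Google's IP has no route at all ...
    print(decide(None, None, "64.233.163.104", main_has_default=False))  # None -> Network is unreachable
    # ... until main gets its default back.
    print(decide(None, None, "64.233.163.104", main_has_default=True))   # ('main', 'eth0', '192.168.0.1')
```

The same model explains why the poster could still ping both gateways with no default in main: 192.168.0.1 and 192.168.1.1 are covered by the connected /24 routes, which are in main regardless. A real-world check of the same thing is `ip route get <dst>` (and `ip route get <dst> mark 20` for the marked path) on the router, which walks the RPDB exactly as this simulation does.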

#29

    Good afternoon,
    Unfortunately some urgent matters came up at work and I had to pause the configuration, but I'm getting back to it.

    I managed to create a script where port 80 traffic goes out through interface eth1 and port 25 and 110 traffic goes out through interface eth0.

    For port 80 traffic to go out through eth1, besides other settings, it was necessary to create a NAT, like this:

    $IPTABLES -t nat -A POSTROUTING -s $LAN -o eth1 -p tcp --dport 80 -j MASQUERADE

    Now my question: how do I make the port 80 connections, instead of using this NAT, go out through squid on port 3128? That is, the traffic arrives on port 80, is redirected to port 3128 (squid) and goes out through interface eth1.

    The complete script follows:

    Thanks in advance. (the soap opera is coming to an end :-))

    ###################################################
    # DEFINING VARIABLES
    ###################################################
    # IPTABLES BINARY
    IPTABLES="/sbin/iptables"

    # FETCHING THE ADDRESSES OF THE DYNAMIC-IP INTERFACES
    FW0=`ifconfig eth0| grep "inet end."| awk '{print $3}'|cut -d":" -f2`
    FW1=`ifconfig eth1| grep "inet end."| awk '{print $3}'|cut -d":" -f2`

    # LOCAL (LAN-SIDE) INTERFACE
    FW2="192.168.2.1/32"

    # INTERNAL NETWORK
    LAN="192.168.2.0/24"

    ###################################################
    # LOADING MODULES
    ###################################################
    DEPMOD=/sbin/depmod
    MODPROBE=/sbin/modprobe
    $DEPMOD -a
    $MODPROBE ip_conntrack_ftp
    $MODPROBE ip_nat_ftp
    $MODPROBE iptable_nat

    ###################################################
    # ENABLING ROUTING
    ###################################################
    echo 1 > /proc/sys/net/ipv4/ip_forward
    echo 1 > /proc/sys/net/ipv4/ip_dynaddr

    ###################################################
    # GENERAL FLUSH
    ###################################################
    $IPTABLES -F
    $IPTABLES -F INPUT
    $IPTABLES -F OUTPUT
    $IPTABLES -F FORWARD
    $IPTABLES -F -t mangle
    $IPTABLES -F -t nat
    $IPTABLES -X

    ###################################################
    # POLICY SETUP
    ###################################################
    ####
    # FILTER TABLE
    ####
    $IPTABLES -P INPUT DROP
    $IPTABLES -P OUTPUT DROP
    $IPTABLES -P FORWARD DROP

    ###################################################
    # STATE-TRACKING RULES / ROUTING DYNAMICS
    ###################################################
    $IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPTABLES -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

    ###################################################
    # REMOVING ROUTES FROM THE TABLES
    ###################################################
    ip route del default table link1 &> /dev/null
    ip route del default table link2 &> /dev/null

    ####################################################
    # REMOVING THE DEFAULT ROUTE
    ####################################################
    ip route del default &> /dev/null
    ip route del default &> /dev/null
    ip route del default &> /dev/null

    ####################################################
    # ADDING THE DEFAULT ROUTE
    ####################################################
    ip route add default dev eth0 via 192.168.0.1 table main

    #####################################################
    # INSERTING A DEFAULT ROUTE INTO THE TABLES
    #####################################################
    ip route add table link1 default via 192.168.0.1
    ip route add table link2 default via 192.168.1.1

    #####################################################
    # PRIVATE (INTERNAL) AND LOCAL NETWORK
    #####################################################
    ####
    # LOOPBACK INTERFACE
    ####
    $IPTABLES -A INPUT -i lo -j ACCEPT

    ####
    # PRIVATE NETWORK
    ####
    $IPTABLES -A FORWARD -i eth2 -d 0/0 -j ACCEPT

    ####
    # INTERNAL NETWORK ACCESSING THE SERVER
    ####
    $IPTABLES -A INPUT -s $LAN -d $FW2 -j ACCEPT

    ######################################################
    # MARKING PORT 80 TRAFFIC
    ######################################################
    $IPTABLES -t mangle -A PREROUTING -i eth2 -p tcp --dport 80 -j MARK --set-mark 20
    $IPTABLES -t mangle -A PREROUTING -i eth2 -p tcp --dport 80 -j RETURN
    $IPTABLES -t mangle -A PREROUTING -i eth2 -j MARK --set-mark 10

    ######################################################
    # BINDING THE TRAFFIC TO THE TABLES
    ######################################################
    ip rule add fwmark 10 table 10 prio 20
    ip rule add fwmark 20 table 20 prio 20

    ######################################################
    # APPLYING THE RULES TO THE ROUTING TABLES
    ######################################################
    ip route flush cached

    ######################################################
    # NAT MASQUERADE FOR SPECIFIC MACHINES
    ######################################################
    $IPTABLES -t nat -A POSTROUTING -s $LAN -o eth1 -p tcp --dport 80 -j MASQUERADE

    ###################################################
    # EMAIL RULES
    ###################################################
    ####
    # FORWARD FOR EMAIL
    ####
    $IPTABLES -A FORWARD -p tcp -s $LAN -d $FW2 -o eth0 --dport 25 -j ACCEPT
    $IPTABLES -A FORWARD -p tcp -d $LAN -s $FW2 -i eth0 --sport 25 -j ACCEPT
    $IPTABLES -A FORWARD -p tcp -s $LAN -d $FW2 -o eth0 --dport 110 -j ACCEPT
    $IPTABLES -A FORWARD -p tcp -d $LAN -s $FW2 -i eth0 --sport 110 -j ACCEPT

    ####
    # NAT FOR EMAIL
    ####
    $IPTABLES -t nat -A POSTROUTING -s $LAN -p tcp --dport 25 -o eth0 -j MASQUERADE
    $IPTABLES -t nat -A POSTROUTING -s $LAN -p tcp --dport 110 -o eth0 -j MASQUERADE

    ######################################################
    # DNS RULES
    ######################################################
    ####
    # FORWARD FOR DNS
    ####
    $IPTABLES -A FORWARD -p udp -s $LAN -d $FW2 -o eth0 --dport 53 -j ACCEPT
    $IPTABLES -A FORWARD -p udp -d $LAN -s $FW2 -i eth0 --sport 53 -j ACCEPT
    $IPTABLES -A FORWARD -p udp -s $LAN -d $FW2 -o eth1 --dport 53 -j ACCEPT
    $IPTABLES -A FORWARD -p udp -d $LAN -s $FW2 -i eth1 --sport 53 -j ACCEPT

    ####
    # NAT FOR DNS
    ####
    $IPTABLES -t nat -A POSTROUTING -s $LAN -p udp --dport 53 -o eth0 -j MASQUERADE
    $IPTABLES -t nat -A POSTROUTING -s $LAN -p udp --dport 53 -o eth1 -j MASQUERADE

    #####################################################
    # GENERAL BLOCK
    #####################################################
    $IPTABLES -A INPUT -j DROP
    $IPTABLES -A FORWARD -j DROP
    $IPTABLES -A OUTPUT -j ACCEPT

    echo "SCRIPT IPTABLES EXECUTADO"

#30

    I managed to do what I had in mind; the complete script follows.
    I'd like to thank everyone for the help, especially Magnun; without your help I wouldn't have been able to do it.

    # DEFINING VARIABLES
    # IPTABLES BINARY
    IPTABLES="/sbin/iptables"

    # FETCHING THE ADDRESSES OF THE DYNAMIC-IP INTERFACES
    FW0=`ifconfig eth0| grep "inet end."| awk '{print $3}'|cut -d":" -f2`
    FW1=`ifconfig eth1| grep "inet end."| awk '{print $3}'|cut -d":" -f2`

    # LOCAL (LAN-SIDE) INTERFACE
    FW2="192.168.2.1/32"

    # INTERNAL NETWORK
    LAN="192.168.2.0/24"

    # ADMIN MACHINE
    ADM="192.168.0.2/32"

    # LOADING MODULES
    DEPMOD=/sbin/depmod
    MODPROBE=/sbin/modprobe
    $DEPMOD -a
    $MODPROBE ip_conntrack_ftp
    $MODPROBE ip_nat_ftp
    $MODPROBE iptable_nat

    # ENABLING ROUTING
    echo 1 > /proc/sys/net/ipv4/ip_forward
    echo 1 > /proc/sys/net/ipv4/ip_dynaddr

    ###################################################
    # GENERAL FLUSH
    ###################################################
    $IPTABLES -F
    $IPTABLES -F INPUT
    $IPTABLES -F OUTPUT
    $IPTABLES -F FORWARD
    $IPTABLES -F -t mangle
    $IPTABLES -F -t nat
    $IPTABLES -X

    ###################################################
    # POLICY SETUP
    ###################################################
    ####
    # FILTER TABLE
    ####
    $IPTABLES -P INPUT DROP
    $IPTABLES -P OUTPUT DROP
    $IPTABLES -P FORWARD DROP

    ###################################################
    # STATE-TRACKING RULES / ROUTING DYNAMICS
    ###################################################
    $IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPTABLES -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

    ###################################################
    # ALLOW MARTIAN PACKETS (DISABLE REVERSE-PATH FILTERING)
    ###################################################
    for i in /proc/sys/net/ipv4/conf/*/rp_filter;
    do
    echo 0 >$i
    done

    ###################################################
    # REMOVING ROUTES FROM THE TABLES
    ###################################################
    ip route del default table link1 &> /dev/null
    ip route del default table link2 &> /dev/null

    ####################################################
    # REMOVING THE DEFAULT ROUTE
    ####################################################
    ip route del default &> /dev/null
    ip route del default &> /dev/null
    ip route del default &> /dev/null

    ####################################################
    # ADDING THE DEFAULT ROUTE
    ####################################################
    ip route add default dev eth0 via 192.168.0.1 table main

    #####################################################
    # INSERTING A DEFAULT ROUTE INTO THE TABLES
    #####################################################
    ip route add table link1 default via 192.168.0.1
    ip route add table link2 default via 192.168.1.1

    #####################################################
    # PRIVATE (INTERNAL) AND LOCAL NETWORK
    #####################################################
    ####
    # LOOPBACK INTERFACE
    ####
    $IPTABLES -A INPUT -i lo -j ACCEPT

    ####
    # PRIVATE NETWORK
    ####
    $IPTABLES -A FORWARD -i eth2 -d 0/0 -j ACCEPT

    ####
    # INTERNAL NETWORK ACCESSING THE SERVER
    ####
    $IPTABLES -A INPUT -s $LAN -d $FW2 -j ACCEPT
    $IPTABLES -A INPUT -s $ADM -d $FW0 -j ACCEPT

    ######################################################
    # MARKING PORT 25 AND 110 TRAFFIC
    ######################################################
    $IPTABLES -t mangle -A PREROUTING -i eth2 -p tcp --dport 25 -j MARK --set-mark 20
    $IPTABLES -t mangle -A PREROUTING -i eth2 -p tcp --dport 25 -j RETURN
    $IPTABLES -t mangle -A PREROUTING -i eth2 -j MARK --set-mark 10

    $IPTABLES -t mangle -A PREROUTING -i eth2 -p tcp --dport 110 -j MARK --set-mark 20
    $IPTABLES -t mangle -A PREROUTING -i eth2 -p tcp --dport 110 -j RETURN
    $IPTABLES -t mangle -A PREROUTING -i eth2 -j MARK --set-mark 10

    ######################################################
    # BINDING THE TRAFFIC TO THE TABLES
    ######################################################
    ip rule add fwmark 10 table 10 prio 20
    ip rule add fwmark 20 table 20 prio 20

    ######################################################
    # APPLYING THE RULES TO THE ROUTING TABLES
    ######################################################
    ip route flush cached

    ######################################################
    # NAT: REDIRECTING PORT 80 TO SQUID
    ######################################################
    $IPTABLES -t nat -A PREROUTING -s $LAN -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 3128

    ###################################################
    # EMAIL RULES
    ###################################################
    ####
    # FORWARD FOR EMAIL
    ####
    $IPTABLES -A FORWARD -p tcp -s $LAN -d $FW2 -o eth1 --dport 25 -j ACCEPT
    $IPTABLES -A FORWARD -p tcp -d $LAN -s $FW2 -i eth1 --sport 25 -j ACCEPT
    $IPTABLES -A FORWARD -p tcp -s $LAN -d $FW2 -o eth1 --dport 110 -j ACCEPT
    $IPTABLES -A FORWARD -p tcp -d $LAN -s $FW2 -i eth1 --sport 110 -j ACCEPT

    ####
    # NAT FOR EMAIL
    ####
    $IPTABLES -t nat -A POSTROUTING -s $LAN -p tcp --dport 25 -o eth1 -j MASQUERADE
    $IPTABLES -t nat -A POSTROUTING -s $LAN -p tcp --dport 110 -o eth1 -j MASQUERADE

    ######################################################
    # DNS RULES
    ######################################################
    ####
    # FORWARD FOR DNS
    ####
    $IPTABLES -A FORWARD -p udp -s $LAN -d $FW2 -o eth0 --dport 53 -j ACCEPT
    $IPTABLES -A FORWARD -p udp -d $LAN -s $FW2 -i eth0 --sport 53 -j ACCEPT

    $IPTABLES -A FORWARD -p udp -s $LAN -d $FW2 -o eth1 --dport 53 -j ACCEPT
    $IPTABLES -A FORWARD -p udp -d $LAN -s $FW2 -i eth1 --sport 53 -j ACCEPT

    ####
    # NAT FOR DNS
    ####
    $IPTABLES -t nat -A POSTROUTING -s $LAN -p udp --dport 53 -o eth0 -j MASQUERADE

    $IPTABLES -t nat -A POSTROUTING -s $LAN -p udp --dport 53 -o eth1 -j MASQUERADE

    #####################################################
    # GENERAL BLOCK
    #####################################################
    $IPTABLES -A INPUT -j DROP
    $IPTABLES -A FORWARD -j DROP
    $IPTABLES -A OUTPUT -j ACCEPT

    echo "SCRIPT IPTABLES EXECUTADO"
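The scripts in posts #29 and #30 tie three things together that have to agree for policy routing to work: the marks set in mangle, the `ip rule` entries that select a table for each mark, and the tables that actually hold routes. The mismatch the thread struggled with (no default in main, so the router's own traffic had no route) is exactly the kind of gap that is easy to miss when reading the script by eye. The checker below is an added example written for this page, not part of either poster's script. It takes a constructed excerpt of the routing-relevant lines and an assumed `/etc/iproute2/rt_tables` alias map (`10 -> link1`, `20 -> link2`; the page itself does not show that file), and reports marks without rules, rules without marks, rules pointing at empty tables, and a main table without a default route.

```python
import re
from typing import Dict, List

# Constructed excerpt: the routing-relevant lines, modelled on the script in the
# thread, not the poster's file verbatim.
SCRIPT = """\
ip route add default dev eth0 via 192.168.0.1 table main
ip route add table link1 default via 192.168.0.1
ip route add table link2 default via 192.168.1.1
$IPTABLES -t mangle -A PREROUTING -i eth2 -p tcp --dport 80 -j MARK --set-mark 20
$IPTABLES -t mangle -A PREROUTING -i eth2 -p tcp --dport 80 -j RETURN
$IPTABLES -t mangle -A PREROUTING -i eth2 -j MARK --set-mark 10
ip rule add fwmark 10 table 10 prio 20
ip rule add fwmark 20 table 20 prio 20
"""

# Assumed alias map; in reality this comes from /etc/iproute2/rt_tables.
RT_TABLES = {"10": "link1", "20": "link2"}

SET_MARK = re.compile(r"-j MARK --set-mark (\d+)")
FWMARK_RULE = re.compile(r"^ip rule add fwmark (\d+) table (\S+)")
TABLE_OPT = re.compile(r"\btable (\S+)")

def check_policy_routing(script: str, rt_tables: Dict[str, str]) -> List[str]:
    """Cross-check marks, ip rules and routing tables in a script.
    rt_tables maps numeric table ids to the names used in 'ip route add table ...';
    an id with no alias is compared literally, which is the usual failure mode when
    rt_tables was never edited."""
    marks_set, rules, routed_tables = set(), {}, set()
    main_has_default = False
    for raw in script.splitlines():
        line = raw.strip()
        m = SET_MARK.search(line)
        if m:
            marks_set.add(int(m.group(1)))
            continue
        m = FWMARK_RULE.match(line)
        if m:
            rules[int(m.group(1))] = m.group(2)
            continue
        if line.startswith("ip route add"):
            t = TABLE_OPT.search(line)
            table = t.group(1) if t else "main"   # no 'table' option means main
            routed_tables.add(table)
            if table == "main" and " default " in f" {line} ":
                main_has_default = True

    problems = []
    for mark in sorted(marks_set):
        if mark not in rules:
            problems.append(f"mark {mark} is set in mangle but no 'ip rule' selects a table for it")
    for mark, table in sorted(rules.items()):
        if mark not in marks_set:
            problems.append(f"'ip rule' for fwmark {mark} exists but nothing sets that mark")
        name = rt_tables.get(table, table)
        shown = table if name == table else f"{table} -> {name}"
        if name not in routed_tables:
            problems.append(f"fwmark {mark} selects table {shown} which holds no routes, "
                            "so those packets fall through to main")
    if not main_has_default:
        problems.append("main table has no default route: locally generated traffic "
                        "(the router's own ping/DNS) will get 'Network is unreachable'")
    return problems

if __name__ == "__main__":
    for p in check_policy_routing(SCRIPT, RT_TABLES) or ["no problems found"]:
        print(p)
    print("--- same script, rt_tables never edited ---")
    for p in check_policy_routing(SCRIPT, {}):
        print(p)
```

With the alias map in place the excerpt passes cleanly; with an empty map the two `ip rule` lines are flagged because tables `10` and `20` then hold no routes and marked packets silently fall back to main. Dropping the `table main` default line reproduces the thread's original symptom as a single finding.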