balanceamento de banda (duas ETH entrando internet)

1. balanceamento de banda (duas ETH entrando internet)

Willian Saldanha
williansaldanha

(usa Outra)

Enviado em 23/06/2016 - 10:11h

Olá pessoal, tenho um Linux LTS 12.04 e preciso que entrem nele 2 links de internet e que ele faça um balanceamento de banda pra mim, ou seja, quando um link falhar ou cair ele subirá automaticamente o outro... E não tenho nem ideia de como fazer isso! Só pra constar, eu trabalho com squid3 (controle de acesso a páginas), dhcpd (controle de IPs na rede) e um script criado chamado Firewall (responsável pelo bloqueio de portas e pelo redirecionamento "NAT"). Vou colocar meus scripts aqui embaixo para darem uma olhada e ver onde posso mudar para que as duas internets possam entrar... Eu sei que vou ter que ter 3 placas de rede: ETH0, ETH1 e ETH2.

Squid3.conf

# squid3.conf -- HTTP proxy for the LAN.  Port-80 traffic from the internal
# interface is redirected to port 3128 by the firewall script.  http_access
# rules are evaluated top to bottom and the first match wins, so the order of
# the http_access lines below is significant.
visible_hostname NOME_DA_EMPRESA_Firewall
# "transparent" is the older spelling of "intercept" (still accepted by 3.1).
http_port 3128 transparent

# Never cache dynamic (cgi-bin / query-string) responses.  no_cache is the
# pre-3.x spelling of "cache deny".
hierarchy_stoplist cgi-bin ?
acl QUERY urlpath_regex cgi-bin \?
no_cache deny QUERY

# Memory cache size, disk-cache watermarks (percent) and largest cached object.
cache_mem 16 MB
cache_swap_low 90
cache_swap_high 95
maximum_object_size 4096 KB

#client_netmask 255.255.255.0

refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern . 0 20% 4320

# Squid 3.x already predefines at least "all" (later 3.x releases also
# manager/localhost/to_localhost); redefining them gives a startup warning
# but is otherwise harmless.
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.1/8

acl SSL_ports port 443 563
acl Safe_ports port 80 88 #http
acl Safe_ports port 21 #ftp
acl Safe_ports port 70 #gopher
acl Safe_ports port 210 #wais
acl Safe_ports port 1025-65535 #unregistered ports
acl Safe_ports port 280 #http-mgmt
acl Safe_ports port 488 #gss-http
acl Safe_ports port 591 #filemaker
acl Safe_ports port 771 #multiling http
acl CONNECT method CONNECT

#THE NETWORK ADDRESS MUST BE CHANGED TO MATCH THE LAN CONFIGURATION
acl redelocal src 192.168.1.0/24
#10.0.0.0/24

# Resolvers squid itself uses for its own lookups.
dns_nameservers 201.10.120.2 208.67.222.222 208.67.220.220

#LIST OF IPS THAT MAY NOT ACCESS THE INTERNET
acl proibir_ip src "/etc/squid3/ips/bloqueados"

#LIST OF IPS WITH FULL ACCESS
acl acesso_total src "/etc/squid3/ips/liberados"

#WIRELESS ROUTER ACCESS
acl acesso_publico src "/etc/squid3/ips/publico"

## IPS without any blocking at all
acl acesso_especial src "/etc/squid3/ips/livres"

#ACLs for blocked sites and file extensions
acl dominios_proibidos url_regex -i "/etc/squid3/dominios/proibidos"
acl palavras_proibidas url_regex -i "/etc/squid3/keywords/proibidas"

# NOTE(review): url_regex matches anywhere in the URL, so a pattern from an
# allow-list also matches when it appears in the path or query string of a
# URL on some other site.  For allow-lists, dstdomain (as already used for
# downloads_permitidos) is the tighter choice.
acl dominios_permitidos url_regex -i "/etc/squid3/dominios/permitidos"
acl palavras_permitidas url_regex -i "/etc/squid3/keywords/permitidas"

acl downloads_permitidos dstdomain -i "/etc/squid3/downloads/permitidos"
acl downloads_proibidos url_regex -i "/etc/squid3/downloads/proibidos"
acl downloads_proibidos_publico url_regex -i "/etc/squid3/downloads/proibidos_publico"

# Matched on the reply's MIME type (only useful in http_reply_access).
acl streaming rep_mime_type -i "/etc/squid3/downloads/stream"

#List of IPs whose access is restricted to a few sites
acl acesso_restrito src "/etc/squid3/ips/restritos"
acl sites_restritos url_regex -i "/etc/squid3/dominios/acesso_restrito"

#______________________________________________________________________________________________
#SPECIFIC RESTRICTED IPS AND SITES

acl ips_financeiro src "/etc/squid3/restritos/ips_financeiro"
acl sites_financeiro url_regex -i "/etc/squid3/restritos/sites_financeiro"

#______________________________________________________________________________________________
# Cache-manager interface only from the proxy host itself.
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports

# CONNECT tunnels only to the SSL ports.
http_access deny CONNECT !SSL_ports

#ips without any kind of blocking
http_access allow acesso_especial

# NOTE(review): the next three rules allow by URL pattern only, with no src
# ACL, so any client that can reach port 3128 is accepted for those URLs --
# including clients outside redelocal.  They are only as safe as the
# firewall's restriction of port 3128 to the LAN interface; adding redelocal
# (e.g. "http_access allow redelocal dominios_permitidos") closes that gap.
http_access allow dominios_permitidos
http_access allow palavras_permitidas
http_access allow downloads_permitidos

#TO BLOCK RADIO AND OTHER STREAMS, UNCOMMENT THE LINES BELOW
#http_access deny streaming
#http_reply_access deny streaming
http_access deny dominios_proibidos
http_access deny palavras_proibidas
http_access deny downloads_proibidos

#RESTRICTED ACCESS TO A FEW SITES: these clients get only sites_restritos
http_access allow acesso_restrito sites_restritos
http_access deny acesso_restrito

#______________________________________________________________________________________________
##ALLOW SPECIFIC RESTRICTED ACCESSES

http_access allow sites_financeiro ips_financeiro

#______________________________________________________________________________________________

# The "public" (wireless) list gets the lighter download block-list; the
# full-access list gets the regular one.
http_access allow acesso_publico !dominios_proibidos !downloads_proibidos_publico !palavras_proibidas
http_access allow acesso_total !dominios_proibidos !downloads_proibidos !palavras_proibidas

#http_access allow acesso_especial
#ips without internet access
# Note: proibir_ip is evaluated after the allow rules above, so an address
# listed in both "liberados" and "bloqueados" is allowed, not blocked.
http_access deny proibir_ip
# Everything else from the LAN, and then everything else at all, is denied.
http_access deny redelocal
http_access deny all
icp_access allow all
miss_access allow all

# NOTE(review): cache_mgr takes a single contact address; the two tokens
# here look like a leftover -- confirm which one is intended.
cache_mgr webmaster suporte@novatecnologia.net.br
# 10 GB aufs disk cache, 16 first-level / 256 second-level directories.
cache_dir aufs /var/spool/squid3 10240 16 256
coredump_dir /var/spool/squid3

# Portuguese (Brazil) error pages.
error_directory /usr/share/squid3/errors/pt-br





dhcpd.conf

# dhcpd.conf -- DHCP service for the 192.168.1.0/24 LAN behind the firewall.
ddns-update-style none;

# Domain and resolvers handed to clients; put the ISP's resolvers here.
option domain-name "novatecnologia.net.br";
option domain-name-servers 201.10.128.2, 201.10.120.2, 208.67.222.222, 208.67.220.220;

# Lease lifetime in seconds: 10 minutes by default, at most 20 hours.
default-lease-time 600;
max-lease-time 72000;

# This server is authoritative for the subnet below.
authoritative;

subnet 192.168.1.0 netmask 255.255.255.0 {
    option routers 192.168.1.254;
    option broadcast-address 192.168.1.255;
    # Dynamic pool handed out to clients: adjust the range as needed.
    range 192.168.1.100 192.168.1.200;
}

# Fixed addresses are reserved for specific machines by MAC address inside
# the groups below.

group servers {
}

group clients {
    use-host-decl-names true;

    ### RESERVED ADDRESSES (uncomment and adjust) ______________________________
    # host willian_note_cb {
    #     hardware ethernet dc:0e:a1:bf:6c:e5;
    #     fixed-address 192.168.1.20;
    # }
    #
    # host nome_da_maquina_2 {
    #     hardware ethernet yy:yy:yy:yy:yy:yy;
    #     fixed-address 192.168.1.21;
    # }
    ### end ____________________________________________________________________
}

log-facility local7;





firewall

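#!/bin/bash
# /etc/init.d/firewall
# description: iptables packet filter and NAT for the LAN gateway
#
### BEGIN INIT INFO
# Provides:          firewall
# Required-Start:    $network
# Required-Stop:     $network
# Default-Start:     2 3 4 5
# Default-Stop:      0 1 6
# Short-Description: iptables firewall and NAT for the LAN gateway
### END INIT INFO

##### DEFINITIONS #####
MODPROBE=/sbin/modprobe
IPTABLES=/sbin/iptables
prog=firewall

# Connection-tracking and NAT helpers for FTP.  These are the legacy module
# names; newer kernels call them nf_conntrack_ftp / nf_nat_ftp (usually
# reachable through aliases) -- confirm on this kernel.
$MODPROBE ip_conntrack_ftp
$MODPROBE ip_nat_ftp

IFACE_LO=lo
IP_IFACE_LO=127.0.0.1

# External (Internet-facing) interface and its addressing.
IFACE_EXT=eth0
#### MUST BE CHANGED TO MATCH THE NETWORK CONFIGURATION ####
# NOTE: the OUTPUT chain only accepts traffic sourced from these exact
# addresses, so if the interface is renumbered (e.g. by DHCP) the gateway
# itself loses all outbound traffic until this value is updated.
IP_IFACE_EXT=192.168.2.2
IP_REDE_EXT=192.168.2.0/24
IP_BROADCAST_EXT=192.168.2.255
MASC_REDE_EXT=255.255.255.0

# Internal (LAN) interface and its addressing; matches dhcpd's "option routers".
IFACE_INT=eth1
IP_IFACE_INT=192.168.1.254
IP_REDE_INT=192.168.1.0/24
IP_BROADCAST_INT=192.168.1.255
MASC_REDE_INT=255.255.255.0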

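# Entry point: start|stop|status|restart.  "start" rebuilds every table from
# scratch (flush first), so it is safe to run repeatedly.
case "$1" in
start)
##################### filter table ###########################

#### flush ####
$IPTABLES -F

#### delete all user-defined chains #####
$IPTABLES -X

#### default policies: drop anything not explicitly accepted ####
$IPTABLES -P INPUT DROP
$IPTABLES -P FORWARD DROP
$IPTABLES -P OUTPUT DROP

#### chain INPUT ####
## stateful: replies to connections opened by the gateway itself ##
$IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

#### traffic from the LAN and from loopback (nothing from the Internet yet) ####
$IPTABLES -A INPUT -p ALL -i $IFACE_INT -d $IP_BROADCAST_INT -j ACCEPT
$IPTABLES -A INPUT -p ALL -i $IFACE_LO -s $IP_IFACE_LO -j ACCEPT
$IPTABLES -A INPUT -p ALL -i $IFACE_LO -s $IP_IFACE_EXT -j ACCEPT
$IPTABLES -A INPUT -p ALL -i $IFACE_LO -s $IP_IFACE_INT -j ACCEPT
$IPTABLES -A INPUT -p ALL -i $IFACE_INT -s $IP_REDE_INT -j ACCEPT

#### enable packet forwarding between interfaces ####
echo 1 > /proc/sys/net/ipv4/ip_forward

#$IPTABLES -A INPUT -p tcp -i $IFACE_INT -s $IP_REDE_INT -d $IP_IFACE_INT --dport 22 -j ACCEPT
#$IPTABLES -A FORWARD -p tcp --dport 22 -i $IFACE_INT -o $IFACE_EXT -s $IP_IFACE_INT -j ACCEPT

## SQUID: proxy port reachable only from the LAN interface ##
$IPTABLES -A INPUT -p tcp -i $IFACE_INT -s $IP_REDE_INT -d $IP_IFACE_INT --dport 3128 -j ACCEPT

#### chain FORWARD ####
## stateful ##
$IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

## SSH to the gateway on port 2280.  No -i/-s restriction, so it is reachable
## from the Internet as well as the LAN (intended per the "external SSH"
## comment below); add -i $IFACE_INT or a -s <allowed address> to narrow it.
$IPTABLES -A INPUT -p tcp --dport 2280 -j ACCEPT

## External access to the Terminal Server ##
## NOTE(review): inserted at the head of FORWARD and paired with the DNAT in
## the nat table below, this exposes 192.168.1.100:3389 to any source on the
## Internet; the commented PREROUTING rules show how to limit it with -s.
$IPTABLES -I FORWARD -p tcp --dport 3389 -j ACCEPT
## External SSH access ##
$IPTABLES -A FORWARD -p tcp --dport 2280 -j ACCEPT
$IPTABLES -A FORWARD -p tcp --dport 22 -j ACCEPT

## anti-spoofing ##
# external interface: LAN addresses must never appear on it #
$IPTABLES -A FORWARD -o $IFACE_EXT -d $IP_REDE_INT -j DROP
$IPTABLES -A FORWARD -i $IFACE_EXT -s $IP_REDE_INT -j DROP
# internal interface: external-network addresses must never appear on it #
$IPTABLES -A FORWARD -o $IFACE_INT -d $IP_REDE_EXT -j DROP
$IPTABLES -A FORWARD -i $IFACE_INT -s $IP_REDE_EXT -j DROP

### blocking of https sites by host-name string in the first 600 bytes ### >> /etc/init.d/block_https
# -I places these at the head of FORWARD, ahead of the ESTABLISHED rule, so
# they are checked on every forwarded packet in both directions.
$IPTABLES -I FORWARD -m string --string "www.youtube.com" --algo bm --from 1 --to 600 -j REJECT
$IPTABLES -I FORWARD -m string --string "www.twitter.com" --algo bm --from 1 --to 600 -j REJECT
$IPTABLES -I FORWARD -m string --string "abs.twimg.com" --algo bm --from 1 --to 600 -j REJECT
$IPTABLES -I FORWARD -m string --string "www.facebook.com" --algo bm --from 1 --to 600 -j REJECT
$IPTABLES -I FORWARD -m string --string "www.whatsapp.com" --algo bm --from 1 --to 600 -j REJECT
$IPTABLES -I FORWARD -m string --string "www.whatsapp.net" --algo bm --from 1 --to 600 -j REJECT

### whatsapp (XMPP client port, resolved through /etc/services) ###
$IPTABLES -A OUTPUT -p tcp --dport xmpp-client -j DROP
$IPTABLES -A INPUT -p tcp --dport xmpp-client -j DROP

########################## KERNEL HARDENING (sysctl) #########################

# SYN-flood protection
echo 1 > /proc/sys/net/ipv4/tcp_syncookies

# Ignore ICMP echo requests addressed to broadcast/multicast
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts

# Ignore bogus ICMP error responses
echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses

for i in /proc/sys/net/ipv4/conf/*; do
# Do not accept ICMP redirects
echo 0 > $i/accept_redirects
# Do not accept source-routed packets (IP-spoofing protection)
echo 0 > $i/accept_source_route
# Let the kernel log packets with impossible source addresses
echo 1 > $i/log_martians
# Reverse-path check of the source address (IP-spoofing protection).
# NOTE: strict mode (1) on every interface drops asymmetrically routed
# packets; with a second Internet uplink the WAN interfaces typically need
# loose mode (2) or policy routing that keeps each link's traffic symmetric.
echo 1 > $i/rp_filter
done

### LAN -> Internet: services the LAN may reach directly ###
### ftp ###
$IPTABLES -A FORWARD -p tcp -i $IFACE_INT -s $IP_REDE_INT -o $IFACE_EXT --dport 21 -j ACCEPT

### ssh (port 2280; the original listed this rule twice) ###
$IPTABLES -A FORWARD -p tcp -i $IFACE_INT -s $IP_REDE_INT -o $IFACE_EXT --dport 2280 -j ACCEPT

### http ###
$IPTABLES -A FORWARD -p tcp -i $IFACE_INT -s $IP_REDE_INT -o $IFACE_EXT --dport 80 -j ACCEPT

### https ###
$IPTABLES -A FORWARD -p tcp -i $IFACE_INT -s $IP_REDE_INT -o $IFACE_EXT --dport 443 -j ACCEPT

### smtp (submission) ###
$IPTABLES -A FORWARD -p tcp -i $IFACE_INT -s $IP_REDE_INT -o $IFACE_EXT --dport 587 -j ACCEPT

### smtps ###
$IPTABLES -A FORWARD -p tcp -i $IFACE_INT -s $IP_REDE_INT -o $IFACE_EXT --dport 465 -j ACCEPT

### pop ###
$IPTABLES -A FORWARD -p tcp -i $IFACE_INT -s $IP_REDE_INT -o $IFACE_EXT --dport 110 -j ACCEPT

### pops ###
$IPTABLES -A FORWARD -p tcp -i $IFACE_INT -s $IP_REDE_INT -o $IFACE_EXT --dport 995 -j ACCEPT

### imap ###
$IPTABLES -A FORWARD -p tcp -i $IFACE_INT -s $IP_REDE_INT -o $IFACE_EXT --dport 143 -j ACCEPT

### imaps ###
$IPTABLES -A FORWARD -p tcp -i $IFACE_INT -s $IP_REDE_INT -o $IFACE_EXT --dport 993 -j ACCEPT

### dns ###
$IPTABLES -A FORWARD -p udp -i $IFACE_INT -s $IP_REDE_INT -o $IFACE_EXT --dport 53 -j ACCEPT
$IPTABLES -A FORWARD -p tcp -i $IFACE_INT -s $IP_REDE_INT -o $IFACE_EXT --dport 53 -j ACCEPT

### squid ###
$IPTABLES -A FORWARD -p tcp -i $IFACE_INT -s $IP_REDE_INT -o $IFACE_EXT --dport 3128 -j ACCEPT
#$IPTABLES -A FORWARD -p tcp -i $IFACE_INT -s $IP_REDE_INT -o $IFACE_EXT --dport 3130 -j ACCEPT

### terminal server ###
$IPTABLES -A FORWARD -p tcp -i $IFACE_INT -s $IP_REDE_INT -o $IFACE_EXT --dport 3389 -j ACCEPT

## hamachi
$IPTABLES -A FORWARD -p tcp -i $IFACE_INT -s $IP_REDE_INT -o $IFACE_EXT --dport 12975 -j ACCEPT
$IPTABLES -A FORWARD -p tcp -i $IFACE_INT -s $IP_REDE_INT -o $IFACE_EXT --dport 32976 -j ACCEPT
$IPTABLES -A FORWARD -p tcp -i $IFACE_INT -s $IP_REDE_INT -o $IFACE_EXT --dport 17771 -j ACCEPT

##DCTF
$IPTABLES -A FORWARD -p tcp -i $IFACE_INT -s $IP_REDE_INT -o $IFACE_EXT --dport 8017 -j ACCEPT
$IPTABLES -A FORWARD -p tcp -i $IFACE_INT -s $IP_REDE_INT -o $IFACE_EXT --dport 3456 -j ACCEPT

##teamviewer
$IPTABLES -A FORWARD -p tcp -i $IFACE_INT -s $IP_REDE_INT -o $IFACE_EXT --dport 5938 -j ACCEPT

### accounting ###
# The rules below have no -i/-s/-o restriction, unlike the ones above.
#DCTF
#$IPTABLES -A FORWARD -p tcp --dport 3456 -j ACCEPT
#DPI
$IPTABLES -A FORWARD -p tcp --dport 24001 -j ACCEPT
#ted
#$IPTABLES -A FORWARD -p tcp --dport 8017 -j ACCEPT

### ports for the HR department ###
#sefip
$IPTABLES -A FORWARD -p tcp --dport 2004 -j ACCEPT
$IPTABLES -A FORWARD -p tcp --dport 2631 -j ACCEPT
$IPTABLES -A FORWARD -p tcp --dport 1494 -j ACCEPT
$IPTABLES -A FORWARD -p tcp --dport 5017 -j ACCEPT
$IPTABLES -A FORWARD -p tcp --dport 9090 -j ACCEPT

#### chain OUTPUT: the gateway may send from its own addresses only ####
$IPTABLES -A OUTPUT -p ALL -s $IP_IFACE_LO -j ACCEPT
$IPTABLES -A OUTPUT -p ALL -s $IP_IFACE_EXT -j ACCEPT
$IPTABLES -A OUTPUT -p ALL -s $IP_IFACE_INT -j ACCEPT

################################# nat table ###########################

####### flush #######
$IPTABLES -t nat -F

####### delete all user-defined chains ######
$IPTABLES -t nat -X

####### default policies ########

####### user chains ########

####### user-chain rules #######

####### chain PREROUTING #######
## squid: intercept LAN port-80 traffic into the proxy ##
$IPTABLES -t nat -A PREROUTING -i $IFACE_INT -p tcp --dport 80 -j REDIRECT --to-port 3128

## squid https ##
#$IPTABLES -t nat -A PREROUTING -i $IFACE_INT -p tcp --dport 443 -j REDIRECT --to-port 3130

## PORT-FORWARDING NAT ##
$IPTABLES -t nat -A PREROUTING -i $IFACE_EXT -p tcp --dport 3389 -j DNAT --to-destination 192.168.1.100:3389
$IPTABLES -t nat -A PREROUTING -i $IFACE_EXT -p udp --dport 3389 -j DNAT --to-destination 192.168.1.100:3389

##EXTERNAL IPS ALLOWED TO REACH THE PORT (source-restricted variant)
#$IPTABLES -t nat -A PREROUTING -s 187.5.208.130 -i $IFACE_EXT -p tcp --dport 3389 -j DNAT --to-destination 192.168.1.100:3389
#$IPTABLES -t nat -A PREROUTING -s 187.5.208.130 -i $IFACE_EXT -p udp --dport 3389 -j DNAT --to-destination 192.168.1.100:3389


#$IPTABLES -A OUTPUT -p tcp --dport 3389 -j ACCEPT

####### chain POSTROUTING: masquerade the LAN behind the external address #######
$IPTABLES -t nat -A POSTROUTING -s $IP_REDE_INT -o $IFACE_EXT -j MASQUERADE
#$IPTABLES -t nat -A POSTROUTING -o $IFACE_INT -p tcp --dport 443 -j MASQUERADE

#### chain OUTPUT ####

################################ mangle table ###########################

###### flush ########
$IPTABLES -t mangle -F

###### delete all user-defined chains #######
$IPTABLES -t mangle -X

;;

stop)

### restore the default policies of the filter table ###
$IPTABLES -P INPUT ACCEPT
$IPTABLES -P FORWARD ACCEPT
$IPTABLES -P OUTPUT ACCEPT

### restore the default policies of the nat table ###
$IPTABLES -t nat -P PREROUTING ACCEPT
$IPTABLES -t nat -P POSTROUTING ACCEPT
$IPTABLES -t nat -P OUTPUT ACCEPT

### restore the default policies of the mangle table ###
$IPTABLES -t mangle -P PREROUTING ACCEPT
$IPTABLES -t mangle -P INPUT ACCEPT
$IPTABLES -t mangle -P FORWARD ACCEPT
$IPTABLES -t mangle -P OUTPUT ACCEPT
$IPTABLES -t mangle -P POSTROUTING ACCEPT
##### flush all three tables (mangle was previously left unflushed) ######
$IPTABLES -F
$IPTABLES -t nat -F
$IPTABLES -t mangle -F
### delete all user-defined chains ###
$IPTABLES -X
$IPTABLES -t nat -X
$IPTABLES -t mangle -X
# NOTE: ip_forward stays at 1, so after "stop" the host still routes between
# its interfaces, now with ACCEPT policies and no NAT.
;;

status)
echo ""
echo "TABELA FILTER"
echo ""
$IPTABLES -L -n
echo ""
echo "TABELA NAT"
echo ""
$IPTABLES -t nat -L -n
echo ""
echo "TABELA MANGLE"
echo ""
$IPTABLES -t mangle -L -n
;;

restart)
$0 stop
$0 start
;;

*)
# The original had the usage text commented out and printed an empty line.
echo "Usage: $0 {start|stop|status|restart}"
exit 1
;;

esac

exit $?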



  





