Dude,

iptables -t nat -A POSTROUTING -s 192.168.0.0/24 -o eth1 -p udp -j SNAT --to 192.168.4.3
iptables -t nat -A POSTROUTING -s 192.168.0.0/24 -o eth1 -p tcp -j SNAT --to 192.168.4.3


I also advise you to use the network's broadcast address: instead of
192.168.0.0 use 192.168.0.255. If the tip from our friend above doesn't work, do
what I told you and test.

On 28 April 2010 at 22:54, Catulo Hansen <catu...@gmail.com> wrote:

> Beltrane,
>
> Comment out the following line in your firewall script:
>
> #iptables -t nat -A POSTROUTING -o eth1 -s 192.168.0.0/24 -j MASQUERADE
>
> That isn't helping you; you are already doing N:1 NAT with the following
> rules in your script:
>
> iptables -t nat -A POSTROUTING -s 192.168.0.0/24 -o eth1 -p udp -j SNAT --to 192.168.4.3
> iptables -t nat -A POSTROUTING -s 192.168.0.0/24 -o eth1 -p tcp -j SNAT --to 192.168.4.3
>
> Only use "MASQUERADE" when the outgoing IP is dynamic; in your case it is
> fixed.
>
>
> 2010/4/28 Carlos Beltrame <beltr...@ieee.org>:
> > Hi everyone, here I am again with more problems, asking for help =]
> > The internet signal arrives via radio on eth1, configured as 192.168.4.3,
> > and is shared through the firewall to my 192.168.0.0/24 network. The
> > intention is to run transparent squid, and it even works, but the network
> > is slow: access to sites and downloads are slow, whereas when I connect my
> > PC directly to the AP that receives the outside signal, the net flies hahaha.
> > MSN especially: when it connects, it stays connected for about 2 minutes
> > and then drops. Anyway, below are my firewall.sh and my squid.conf; I'd
> > like to know whether performance can be improved or whether something is
> > wrong. I tried to comment my intention on each line below:
> >
> > ==============firewall====================
> > #!/bin/bash
> >
> > ## Flush any rules that may already exist
> > iptables -F
> > iptables -X
> > iptables -t nat -F
> > iptables -t nat -X
> > #### Policy rules ####
> >
> > ## Drop any packet that is not explicitly allowed
> > iptables -P INPUT DROP
> > iptables -P FORWARD DROP
> > iptables -P OUTPUT DROP
> >
> > ## Allow access to the loopback interface
> > iptables -A INPUT -i lo -j ACCEPT
> >
> > ## Only allow inbound replies to outgoing connections
> > iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
> >
> > # Protection against stealth port scanners
> > iptables -A INPUT -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit 1/s -j ACCEPT
> > iptables -t filter -A INPUT -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT
> >
> > # Protection against attacks
> > iptables -A INPUT -m state --state INVALID -j DROP
> >
> > # Setting minimum delay
> > iptables -t mangle -A OUTPUT -o ppp0 -p tcp --dport 53 -j TOS --set-tos Minimize-Delay
> > iptables -t mangle -A OUTPUT -o ppp0 -p tcp --dport 80 -j TOS --set-tos Minimize-Delay
> > iptables -t mangle -A OUTPUT -o ppp0 -p tcp --dport 443 -j TOS --set-tos Minimize-Delay
> > iptables -t mangle -A OUTPUT -o ppp0 -p tcp --dport 10000 -j TOS --set-tos Minimize-Delay
> >
> > #### OUTPUT ####
> > # Allow the server to reach other machines
> > iptables -A OUTPUT -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
> >
> > ### PREROUTING ###
> > iptables -t nat -A PREROUTING -s 192.168.0.0/24 -p tcp --dport 80 -j REDIRECT --to-port 3128
> > iptables -t nat -A PREROUTING -s 192.168.0.0/24 -p udp --dport 80 -j REDIRECT --to-port 3128
> >
> > ### FORWARD ###
> >
> > # Connection tracking (accept packets for already established connections)
> > iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
> >
> > ## Redirect the administrators' traffic
> > /etc/firewall/admin/adminporta.sh
> > /etc/firewall/admin/adminssh.sh
> >
> > ## Redirect the squid users' traffic and other blocking
> > # example:
> > # iptables -I INPUT -s 192.168.0.106 -p tcp --dport 3128 -j ACCEPT
> > # iptables -A FORWARD -s 192.168.0.106 -o eth1 -j ACCEPT
> > /etc/firewall/liberados/liberados.sh
> >
> > #### POSTROUTING ####
> >
> > ## Internet sharing
> > iptables -t nat -A POSTROUTING -s 192.168.0.0/24 -o eth1 -p udp -j SNAT --to 192.168.4.3
> > iptables -t nat -A POSTROUTING -s 192.168.0.0/24 -o eth1 -p tcp -j SNAT --to 192.168.4.3
> >
> > iptables -t nat -A POSTROUTING -o eth1 -s 192.168.0.0/24 -j MASQUERADE
> > iptables -t mangle -A POSTROUTING -o eth1 -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --set-mss 1412
> >
> > ### Enable the module responsible for packet forwarding ###
> > echo 1 > /proc/sys/net/ipv4/ip_forward
> > ========================================================================
> >
> >
> > ====================squid.conf===========================
> > http_port 3128 transparent
> > visible_hostname INTERNET
> >
> > cache_mem 512 MB
> > maximum_object_size_in_memory 64 KB
> > maximum_object_size 700 MB
> > minimum_object_size 0 KB
> >
> > cache_swap_low 90
> > cache_swap_high 95
> >
> > cache_dir ufs /var/spool/squid  50000 16 256
> >
> > hierarchy_stoplist cgi-bin ?
> > acl QUERY urlpath_regex cgi-bin \?
> >
> > cache deny QUERY
> > acl apache rep_header Server ^Apache
> > broken_vary_encoding allow apache
> > access_log /var/log/squid/access.log squid
> > hosts_file /etc/hosts
> > refresh_pattern ^ftp:           1440    20%     10080
> > refresh_pattern ^gopher:        1440    0%      1440
> > refresh_pattern .               0       20%     4320
> > acl all src 0.0.0.0/0.0.0.0
> > acl manager proto cache_object
> > acl localhost src 127.0.0.1/255.255.255.255
> > acl to_localhost dst 127.0.0.0/8
> > acl SSL_ports port 443          # https
> > acl SSL_ports port 563          # snews
> > acl SSL_ports port 873          # rsync
> > acl Safe_ports port 80          # http
> > acl Safe_ports port 21          # ftp
> > acl Safe_ports port 443         # https
> > acl Safe_ports port 70          # gopher
> > acl Safe_ports port 210         # wais
> > acl Safe_ports port 1025-65535  # unregistered ports
> > acl Safe_ports port 280         # http-mgmt
> > acl Safe_ports port 488         # gss-http
> > acl Safe_ports port 591         # filemaker
> > acl Safe_ports port 777         # multiling http
> > acl Safe_ports port 631         # cups
> > acl Safe_ports port 873         # rsync
> > acl Safe_ports port 901         # SWAT
> > acl Safe_ports port 6881
> > acl purge method PURGE
> > acl CONNECT method CONNECT
> >
> > acl servidor src 192.168.0.1
> >
> > acl horario time 00:30-06:00
> > acl proibir_dominio dstdomain "/etc/squid/bloqueio"
> > acl proibir_url url_regex -i "/etc/squid/bloqurl"
> >
> > acl aceitar_dom dstdomain "/etc/squid/aceitar"
> >
> > http_access deny proibir_dominio !horario
> > http_access deny proibir_url !horario
> >
> > http_access allow aceitar_dom
> > http_access allow manager localhost
> > http_access deny manager
> > http_access allow purge localhost
> > http_access deny purge
> > http_access deny !Safe_ports
> > http_access deny CONNECT !SSL_ports
> > http_access allow localhost
> > http_access allow servidor
> > http_access allow all
> > http_reply_access allow all
> > icp_access allow all
> > coredump_dir /var/spool/squid
> > ===========================================================
> >
> > I hope I was clear. Awaiting your reply, big hug.
> >
> > Yours Truly
> > Carlos Beltrame - Electrical Engineer
> > IEEE - HTC Brazilian Representative
> > Mobile: +55 18-9795-5271
> > MSN   : c_beltr...@hotmail.com
> > Skype : zebacking
> > UNESP - Campus of Ilha Solteira
> >
>
> --
> -
> Catulo Kruuse Hansen
> LPI000199593
> LPIC-2
> CompTIA Linux+
> CLA (Novell Certified Linux Administrator)
> Data Center Technical Specialist
> catulohansen.blogspot.com
>
>
> --
> To UNSUBSCRIBE, email to debian-user-portuguese-requ...@lists.debian.org
> with a subject of "unsubscribe". Trouble? Contact
> listmas...@lists.debian.org
> Archive:
> http://lists.debian.org/s2x85da0e3a1004281954o75229275zb177b4893ddb...@mail.gmail.com
>
>
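
Added example, not code from this thread: a small Python linter over the unwrapped mangle and POSTROUTING rules from the firewall.sh above. It reports the SNAT/MASQUERADE overlap Catulo points out, notes that those SNAT rules cover only tcp and udp (so with MASQUERADE gone, ICMP from the LAN would leave eth1 un-NATed), and flags the mangle rules bound to ppp0 while the NAT uplink is eth1. The rule lines are copied from the post; the uplink check assumes a single uplink interface.

```python
import shlex
# Constructed sample: mangle and POSTROUTING rules from firewall.sh above, unwrapped.
RULES = """
iptables -t mangle -A OUTPUT -o ppp0 -p tcp --dport 53 -j TOS --set-tos Minimize-Delay
iptables -t nat -A POSTROUTING -s 192.168.0.0/24 -o eth1 -p udp -j SNAT --to 192.168.4.3
iptables -t nat -A POSTROUTING -s 192.168.0.0/24 -o eth1 -p tcp -j SNAT --to 192.168.4.3
iptables -t nat -A POSTROUTING -o eth1 -s 192.168.0.0/24 -j MASQUERADE
""".strip().splitlines()
# Option flags that take a value; -A/-I both name the chain, -t the table.
VALUE_FLAGS = {"-t": "table", "-A": "chain", "-I": "chain", "-s": "-s",
               "-o": "-o", "-p": "-p", "-j": "-j", "--to": "--to"}

def parse_rule(line):
    """Turn one iptables command into a dict of its options (flag -> value)."""
    argv = shlex.split(line)
    opts = {"table": "filter"}  # iptables defaults to the filter table
    i = 1  # argv[0] is the iptables binary itself
    while i < len(argv):
        if argv[i] in VALUE_FLAGS and i + 1 < len(argv):
            opts[VALUE_FLAGS[argv[i]]] = argv[i + 1]
            i += 1
        i += 1
    return opts

def lint_nat(rules):
    """Return findings about source-NAT overlap and mangle rules on unused uplinks."""
    parsed = [parse_rule(r) for r in rules]
    post = [r for r in parsed if r["table"] == "nat" and r.get("chain") == "POSTROUTING"]
    snat = [r for r in post if r.get("-j") == "SNAT"]
    findings = []
    for m in (r for r in post if r.get("-j") == "MASQUERADE"):
        src, out = m.get("-s"), m.get("-o")
        same = [s for s in snat if (s.get("-s"), s.get("-o")) == (src, out)]
        if same:
            proto_list = sorted(s.get("-p", "all") for s in same)  # no -p means all
            protos = ", ".join(proto_list)
            findings.append(f"MASQUERADE for {src} via {out} overlaps SNAT rules for "
                            f"{protos} (only the first matching rule applies)")
            if "all" not in proto_list:
                findings.append(f"SNAT covers only {protos}: without MASQUERADE, other "
                                f"protocols (e.g. ICMP) from {src} leave {out} un-NATed")
    # Interfaces carrying source NAT are the uplinks; a mangle rule bound to any other
    # interface never matches (assumes a single uplink, as in this setup).
    uplinks = {r["-o"] for r in post if r.get("-o")}
    for r in parsed:
        if r["table"] == "mangle" and r.get("-o") and r["-o"] not in uplinks:
            findings.append(f"mangle rule on {r['-o']} never matches; NAT uplink is "
                            f"{', '.join(sorted(uplinks))}")
    return findings
```

Run `lint_nat(RULES)` against the sample and it returns three findings; feed it the output of `iptables-save` turned back into commands and it behaves the same way.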