Juliano,
Good evening. My apologies, you are right; I will attach the missing
information you requested:
The tests are pings to the IP itself, run from external machines.
Yes, there is one big and single reason: today most of my Internet
servers are published directly with a VALID (public) IP, so what I
need to do is register my valid IPs on my firewall, and then, instead
of the server holding that valid IP, the firewall holds it and I
forward to the LAN IP.
cat /etc/network/interfaces
iface eth0 inet static
        address 192.168.10.30
        netmask 255.255.255.0
        network 192.168.10.0
        broadcast 192.168.10.255
iface eth1 inet static
        address 200.205.182.94
        netmask 255.255.255.192
iface eth1:1 inet static
        address 200.205.182.68
        netmask 255.255.255.192
iface eth2 inet static
        address 200.212.230.3
        netmask 255.255.255.192
firewall:~# route -n
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
200.212.230.0 0.0.0.0 255.255.255.192 U 0 0 0 eth2
200.205.182.64 0.0.0.0 255.255.255.192 U 0 0 0 eth1
192.168.100.0 192.168.10.1 255.255.255.0 UG 0 0 0 eth0
192.168.21.0 192.168.10.1 255.255.255.0 UG 0 0 0 eth0
192.168.20.0 192.168.10.1 255.255.255.0 UG 0 0 0 eth0
192.168.50.0 192.168.10.1 255.255.255.0 UG 0 0 0 eth0
192.168.19.0 192.168.10.1 255.255.255.0 UG 0 0 0 eth0
192.168.18.0 192.168.10.1 255.255.255.0 UG 0 0 0 eth0
192.168.17.0 192.168.10.1 255.255.255.0 UG 0 0 0 eth0
192.168.16.0 192.168.10.1 255.255.255.0 UG 0 0 0 eth0
192.168.15.0 192.168.10.1 255.255.255.0 UG 0 0 0 eth0
192.168.30.0 192.168.10.1 255.255.255.0 UG 0 0 0 eth0
192.168.14.0 192.168.10.1 255.255.255.0 UG 0 0 0 eth0
192.168.95.0 192.168.10.1 255.255.255.0 UG 0 0 0 eth0
192.168.13.0 192.168.10.1 255.255.255.0 UG 0 0 0 eth0
192.168.12.0 192.168.10.1 255.255.255.0 UG 0 0 0 eth0
192.168.11.0 192.168.10.1 255.255.255.0 UG 0 0 0 eth0
192.168.10.0 192.168.10.1 255.255.255.0 UG 0 0 0 eth0
192.168.10.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0
192.168.9.0 192.168.10.1 255.255.255.0 UG 0 0 0 eth0
0.0.0.0 200.212.230.1 0.0.0.0 UG 0 0 0 eth2
0.0.0.0 200.205.182.65 0.0.0.0 UG 0 0 0 eth1
############### IPTABLES script ################################
touch /var/lock/subsys/local
echo "1" > /proc/sys/net/ipv4/ip_forward
echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
##########################################GW####################################################
/sbin/route add default gw 200.205.182.65
/sbin/route add default gw 200.212.230.1
################################################################################################
########### Network configuration ##############################################################
/sbin/route add -net 192.168.9.0 netmask 255.255.255.0 gw 192.168.10.1
/sbin/route add -net 192.168.10.0 netmask 255.255.255.0 gw 192.168.10.1
/sbin/route add -net 192.168.11.0 netmask 255.255.255.0 gw 192.168.10.1
/sbin/route add -net 192.168.12.0 netmask 255.255.255.0 gw 192.168.10.1
/sbin/route add -net 192.168.13.0 netmask 255.255.255.0 gw 192.168.10.1
/sbin/route add -net 192.168.14.0 netmask 255.255.255.0 gw 192.168.10.1
/sbin/route add -net 192.168.15.0 netmask 255.255.255.0 gw 192.168.10.1
/sbin/route add -net 192.168.16.0 netmask 255.255.255.0 gw 192.168.10.1
/sbin/route add -net 192.168.17.0 netmask 255.255.255.0 gw 192.168.10.1
/sbin/route add -net 192.168.18.0 netmask 255.255.255.0 gw 192.168.10.1
/sbin/route add -net 192.168.19.0 netmask 255.255.255.0 gw 192.168.10.1
/sbin/route add -net 192.168.20.0 netmask 255.255.255.0 gw 192.168.10.1
/sbin/route add -net 192.168.21.0 netmask 255.255.255.0 gw 192.168.10.1
/sbin/route add -net 192.168.50.0 netmask 255.255.255.0 gw 192.168.10.1
/sbin/route add -net 192.168.30.0 netmask 255.255.255.0 gw 192.168.10.1
/sbin/route add -net 192.168.95.0 netmask 255.255.255.0 gw 192.168.10.1
/sbin/route add -net 192.168.100.0 netmask 255.255.255.0 gw 192.168.10.1
##################################################################################################
################################ NAT modules ###################################
/sbin/modprobe ip_tables
/sbin/modprobe ip_nat_ftp
/sbin/modprobe iptable_nat
/sbin/modprobe ip_conntrack_ftp
/sbin/modprobe ip_conntrack
/sbin/modprobe ipt_LOG
/sbin/modprobe ipt_REJECT
/sbin/modprobe ipt_MASQUERADE
################################################################################
################################# Flushing the rules ###########################
iptables -F
iptables -X
iptables -F -t nat
iptables -X -t nat
iptables -F -t mangle
iptables -X -t mangle
################################################################################
####################### Default policies #######################################
/sbin/iptables -P INPUT DROP
/sbin/iptables -P OUTPUT ACCEPT
/sbin/iptables -P FORWARD DROP
################################################################################
#################### Rules #####################################################
/sbin/iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
/sbin/iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
/sbin/iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
################################################################################
######## loopback #############################################################
/sbin/iptables -A OUTPUT -s 127.0.0.1 -j ACCEPT
/sbin/iptables -A INPUT -i lo -j ACCEPT
/sbin/iptables -A OUTPUT -o lo -j ACCEPT
################################################################################
################## Routing between the networks ###############################
/sbin/iptables -A FORWARD -s 192.168.9.0/24 -j ACCEPT
/sbin/iptables -A FORWARD -d 192.168.9.0/24 -j ACCEPT
/sbin/iptables -A FORWARD -s 192.168.10.0/24 -j ACCEPT
/sbin/iptables -A FORWARD -d 192.168.10.0/24 -j ACCEPT
/sbin/iptables -A FORWARD -s 192.168.11.0/24 -j ACCEPT
/sbin/iptables -A FORWARD -d 192.168.11.0/24 -j ACCEPT
/sbin/iptables -A FORWARD -s 192.168.12.0/24 -j ACCEPT
/sbin/iptables -A FORWARD -d 192.168.12.0/24 -j ACCEPT
/sbin/iptables -A FORWARD -s 192.168.13.0/24 -j ACCEPT
/sbin/iptables -A FORWARD -d 192.168.13.0/24 -j ACCEPT
/sbin/iptables -A FORWARD -s 192.168.14.0/24 -j ACCEPT
/sbin/iptables -A FORWARD -d 192.168.14.0/24 -j ACCEPT
/sbin/iptables -A FORWARD -s 192.168.15.0/24 -j ACCEPT
/sbin/iptables -A FORWARD -d 192.168.15.0/24 -j ACCEPT
/sbin/iptables -A FORWARD -s 192.168.16.0/24 -j ACCEPT
/sbin/iptables -A FORWARD -d 192.168.16.0/24 -j ACCEPT
/sbin/iptables -A FORWARD -s 192.168.17.0/24 -j ACCEPT
/sbin/iptables -A FORWARD -d 192.168.17.0/24 -j ACCEPT
/sbin/iptables -A FORWARD -s 192.168.18.0/24 -j ACCEPT
/sbin/iptables -A FORWARD -d 192.168.18.0/24 -j ACCEPT
/sbin/iptables -A FORWARD -s 192.168.19.0/24 -j ACCEPT
/sbin/iptables -A FORWARD -d 192.168.19.0/24 -j ACCEPT
/sbin/iptables -A FORWARD -s 192.168.20.0/24 -j ACCEPT
/sbin/iptables -A FORWARD -d 192.168.20.0/24 -j ACCEPT
/sbin/iptables -A FORWARD -s 192.168.21.0/24 -j ACCEPT
/sbin/iptables -A FORWARD -d 192.168.21.0/24 -j ACCEPT
/sbin/iptables -A FORWARD -s 192.168.93.0/24 -j ACCEPT
/sbin/iptables -A FORWARD -d 192.168.93.0/24 -j ACCEPT
/sbin/iptables -A FORWARD -s 192.168.94.0/24 -j ACCEPT
/sbin/iptables -A FORWARD -d 192.168.94.0/24 -j ACCEPT
/sbin/iptables -A FORWARD -s 192.168.95.0/24 -j ACCEPT
/sbin/iptables -A FORWARD -d 192.168.95.0/24 -j ACCEPT
/sbin/iptables -A FORWARD -s 192.168.96.0/24 -j ACCEPT
/sbin/iptables -A FORWARD -d 192.168.96.0/24 -j ACCEPT
/sbin/iptables -A FORWARD -s 192.168.97.0/24 -j ACCEPT
/sbin/iptables -A FORWARD -d 192.168.97.0/24 -j ACCEPT
/sbin/iptables -A FORWARD -s 192.168.98.0/24 -j ACCEPT
/sbin/iptables -A FORWARD -d 192.168.98.0/24 -j ACCEPT
/sbin/iptables -A FORWARD -s 192.168.99.0/24 -j ACCEPT
/sbin/iptables -A FORWARD -d 192.168.99.0/24 -j ACCEPT
/sbin/iptables -A FORWARD -s 192.168.30.0/24 -j ACCEPT
/sbin/iptables -A FORWARD -d 192.168.30.0/24 -j ACCEPT
/sbin/iptables -A FORWARD -s 192.168.100.0/24 -j ACCEPT
/sbin/iptables -A FORWARD -d 192.168.100.0/24 -j ACCEPT
############################################################################
############# Access from the networks ######################################
/sbin/iptables -A INPUT -s 192.168.9.0/24 -j ACCEPT
/sbin/iptables -A INPUT -s 192.168.10.0/24 -j ACCEPT
/sbin/iptables -A INPUT -s 192.168.11.0/24 -j ACCEPT
/sbin/iptables -A INPUT -s 192.168.12.0/24 -j ACCEPT
/sbin/iptables -A INPUT -s 192.168.13.0/24 -j ACCEPT
/sbin/iptables -A INPUT -s 192.168.14.0/24 -j ACCEPT
/sbin/iptables -A INPUT -s 192.168.15.0/24 -j ACCEPT
/sbin/iptables -A INPUT -s 192.168.16.0/24 -j ACCEPT
/sbin/iptables -A INPUT -s 192.168.17.0/24 -j ACCEPT
/sbin/iptables -A INPUT -s 192.168.18.0/24 -j ACCEPT
/sbin/iptables -A INPUT -s 192.168.19.0/24 -j ACCEPT
/sbin/iptables -A INPUT -s 192.168.20.0/24 -j ACCEPT
/sbin/iptables -A INPUT -s 192.168.21.0/24 -j ACCEPT
/sbin/iptables -A INPUT -s 192.168.93.0/24 -j ACCEPT
/sbin/iptables -A INPUT -s 192.168.94.0/24 -j ACCEPT
/sbin/iptables -A INPUT -s 192.168.95.0/24 -j ACCEPT
/sbin/iptables -A INPUT -s 192.168.96.0/24 -j ACCEPT
/sbin/iptables -A INPUT -s 192.168.97.0/24 -j ACCEPT
/sbin/iptables -A INPUT -s 192.168.98.0/24 -j ACCEPT
/sbin/iptables -A INPUT -s 192.168.99.0/24 -j ACCEPT
/sbin/iptables -A INPUT -s 192.168.30.0/24 -j ACCEPT
/sbin/iptables -A INPUT -s 192.168.100.0/24 -j ACCEPT
#########################################################################
#################################### Allowing ICMP ###########################################################
iptables -A INPUT -p icmp --icmp-type 8 -i eth0 -j ACCEPT
iptables -A INPUT -p icmp --icmp-type 8 -i eth1 -j ACCEPT
#############################################################################################################
######################################## Exchange ###########################################################
/sbin/iptables -t nat -A PREROUTING -i eth1 -p tcp -d 200.205.182.94 --dport 80 -j DNAT --to 192.168.14.4:80
/sbin/iptables -t nat -A PREROUTING -i eth1 -p tcp -d 200.205.182.94 --dport 110 -j DNAT --to 192.168.14.4:110
/sbin/iptables -t nat -A PREROUTING -i eth1 -p tcp -d 200.205.182.94 --dport 53 -j DNAT --to 192.168.14.4:53
/sbin/iptables -t nat -A PREROUTING -i eth1 -p tcp -d 200.205.182.94 --dport 25 -j DNAT --to 192.168.14.4:25
/sbin/iptables -t nat -A PREROUTING -i eth1 -p tcp -d 200.205.182.94 --dport 143 -j DNAT --to 192.168.14.4:143
/sbin/iptables -t nat -A PREROUTING -i eth1 -p tcp -d 200.205.182.94 --dport 443 -j DNAT --to 192.168.14.4:443
/sbin/iptables -t nat -A PREROUTING -i eth1 -p tcp -d 200.205.182.94 --dport 8081 -j DNAT --to 192.168.14.4:8081
##############################################################################################################
################################## Forwarding for the VIRTUAL ETH (alias) ##############################################
#iptables -t nat -I PREROUTING -d 200.205.182.68 -p tcp --dport 80 -j DNAT --to-destination 192.168.30.1:80
/sbin/iptables -t nat -A PREROUTING -i eth1 -p tcp -d 200.205.182.68 --dport 80 -j DNAT --to-destination 192.168.30.1:80
#################################################################################################################
############## NAT rule ##############################################
/sbin/iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
######################################################################
I believe it now contains all the information needed to understand
the reason for this problem.
thank you,
Fernando Felicissimo
2009/5/20 Juliano F. Ravasi <[email protected]>:
> Fernando Cesario wrote:
>> I am using Debian Lenny as a firewall, and with it I forward valid
>> (public) IPs to the LAN. The problem is that, for some reason, when I
>> bring up the virtual eth, for example eth1:1,
>
> That is not a "virtual eth", it is an "alias".
>
>> it comes up
>> normally and then, out of nowhere, the valid IP attached to that virtual
>> eth stops responding,
>
> Details are missing. Stops responding how? Did you check this from the
> machine itself or from external machines? What does your routing table look like?
>
>> Does anyone have any tips about this situation?
>
> The first question is: why are you using network interface aliases at
> all? Is there a good reason?
>
> A lot of information about your problem is missing: how you are
> configuring it, how you are detecting that it "stops responding", what
> your routes look like, what your firewall looks like...
>
>
> --
> Juliano F. Ravasi ·· http://juliano.info/
> 5105 46CC B2B7 F0CD 5F47 E740 72CA 54F4 DF37 9E96
>
> "A candle loses nothing by lighting another candle." -- Erin Majors
>
> * NOTE: Don't try to reach me through this address, use "contact@" instead.
>
---------------------------------------------------------------------------
This list is sponsored by Conectiva S.A. Visit http://www.conectiva.com.br
Archive: http://bazar2.conectiva.com.br/mailman/listinfo/linux-br
List usage rules: http://linux-br.conectiva.com.br
FAQ: http://www.zago.eti.br/menu.html
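Two things in the posted configuration are worth checking before looking at the alias itself. First, the routing table carries two default routes (via 200.212.230.1 on eth2 and via 200.205.182.65 on eth1), so every reply without a more specific route uses whichever of the two the kernel picks, including replies sourced from 200.205.182.68, which then leave on the wrong uplink with a source address belonging to the other provider; whether that is what makes the alias stop answering is not established in the thread, but it is the first thing to rule out. Second, the script's only source NAT is MASQUERADE on eth0, the LAN side, so Internet clients reach the DNAT'd servers with the firewall's LAN address as source, while nothing source-NATs LAN traffic leaving on eth1 or eth2. The script below is an added example, not part of the thread and not the poster's configuration: it keeps one routing table per uplink, marks each incoming connection with the uplink it arrived on (CONNMARK) so forwarded replies go back the same way, publishes a public address (primary or alias) with DNAT, and puts the SNAT on the uplinks. The addresses are the ones posted above; the table numbers 101/102, marks 1/2, rule preferences and function names are this example's own choices. It only prints the commands unless DRY_RUN=0.

```shell
#!/bin/sh
# Added example, not from the thread: per-uplink policy routing plus port
# publishing for a firewall with two Internet links.  The addresses are the
# ones posted above; table numbers, marks, rule preferences and function
# names are this example's own choices.
# DRY_RUN=1 (the default) only prints the commands; DRY_RUN=0 runs them as root.
set -e

IPT="${IPT:-/sbin/iptables}"
IP="${IP:-/sbin/ip}"
DRY_RUN="${DRY_RUN:-1}"

run() {
    if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Count the default routes in `route -n` output read from stdin.  More than
# one means the kernel uses a single gateway for every reply that has no
# more specific route, whichever link the request arrived on.
count_default_routes() {
    awk '$1 == "0.0.0.0" && $3 == "0.0.0.0" { n++ } END { print n + 0 }'
}

# setup_uplink TABLE MARK WAN_IF WAN_NET GATEWAY SNAT_IP
# One routing table per uplink, used by packets carrying MARK and by locally
# generated packets sourced from WAN_NET (e.g. the firewall's own ping
# replies from a primary address or an alias in that subnet).
setup_uplink() {
    table=$1; mark=$2; wan=$3; net=$4; gw=$5; snat=$6
    run "$IP" route replace "$net" dev "$wan" table "$table"
    run "$IP" route replace default via "$gw" dev "$wan" table "$table"
    run "$IP" rule add pref "$((100 + mark))" fwmark "$mark" table "$table"
    run "$IP" rule add pref "$((200 + mark))" from "$net" table "$table"
    # Record in conntrack which uplink each new connection arrived on.
    run "$IPT" -t mangle -A PREROUTING -i "$wan" -m state --state NEW \
        -j CONNMARK --set-mark "$mark"
    # LAN hosts leaving through this uplink get its public address as source;
    # source NAT belongs on the uplink, not on the LAN interface.
    run "$IPT" -t nat -A POSTROUTING -o "$wan" -j SNAT --to-source "$snat"
}

# Replies coming back from the LAN get the connection's mark before routing,
# so they leave on the uplink the request used.  This is needed because the
# DNAT is reversed (source rewritten to the public IP) only after the routing
# decision, so a "from <public net>" rule alone never matches forwarded replies.
restore_uplink_mark() {
    run "$IPT" -t mangle -A PREROUTING -i "$1" -j CONNMARK --restore-mark
}

# publish_service WAN_IF PUBLIC_IP PORT LAN_IP [PROTO]
# DNAT one port of a public address (primary or alias, it makes no
# difference to netfilter) to a LAN server and let only that through FORWARD,
# relying on an ESTABLISHED,RELATED rule like the poster's for the replies.
publish_service() {
    wan=$1; pub=$2; port=$3; lan=$4; proto=${5:-tcp}
    run "$IPT" -t nat -A PREROUTING -i "$wan" -p "$proto" -d "$pub" \
        --dport "$port" -j DNAT --to-destination "$lan:$port"
    run "$IPT" -A FORWARD -i "$wan" -p "$proto" -d "$lan" --dport "$port" \
        -m state --state NEW -j ACCEPT
}

# Run once per boot: `ip rule add` is not idempotent.
main() {
    # LAN destinations keep using the main table (pref 100 wins over 10x/20x).
    run "$IP" rule add pref 100 to 192.168.0.0/16 lookup main
    restore_uplink_mark eth0
    setup_uplink 101 1 eth1 200.205.182.64/26 200.205.182.65 200.205.182.94
    setup_uplink 102 2 eth2 200.212.230.0/26 200.212.230.1 200.212.230.3
    # The primary address and the alias are published the same way.
    publish_service eth1 200.205.182.94 25 192.168.14.4
    publish_service eth1 200.205.182.68 80 192.168.30.1
}

main
```

To see the problem on the box itself, run `route -n | count_default_routes` (2 on the posted table) and `ip route get <external-ip> from 200.205.182.68`, which prints the interface the kernel would use for a ping reply from the alias; after applying the rules it should be eth1 via 200.205.182.65. The example does not touch the existing FORWARD/INPUT rules, only adds the pieces the posted script lacks.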