Hi everyone.
I need some help adding one more link to a client's network. I have already
managed to split the links (use one link for browsing and the other for
sending email). However, when I try to send email, the email is rejected
(both when trying to send and when trying to receive). Well, let's take it
step by step. In my case, I have a dedicated Embratel link, with a fixed IP,
which is working without problems. I am trying to add a NET link, with a
dynamic IP. The idea is to use the Embratel IP to send and receive email,
and the NET one for browsing... I have already managed to bring up the NET
IP and browse with it, but email does not work. When I try to send an email,
I get the following error message:

The Postfix program

<[EMAIL PROTECTED]>: host gmail-smtp-in.l.google.com[72.14.247.27]
    said: 550-5.7.1 [201.21.224.119] The IP you're using to send mail is not
    authorized 550-5.7.1 to send email directly to our servers. Please use the
    SMTP 550-5.7.1 relay at your service provider instead. Learn more at
    550 5.7.1 http://mail.google.com/support/bin/answer.py?answer=10336
    18si5430872agb.12 (in reply to end of DATA command)


NOTE: my network has a firewall (iptables) and a proxy (squid) on the same
server (IP 192.168.7.105). There is also a mail server, running
postfix (IP 192.168.7.104).

Below is my original firewall.

# Generated by iptables-save v1.3.8 on Tue Sep 23 10:44:22 2008
*nat
:PREROUTING ACCEPT [716473:54166331]
:POSTROUTING ACCEPT [2413283:20526690499]
:OUTPUT ACCEPT [2407842:20526743312]
-A PREROUTING -p tcp -m tcp --dport 5900 -j DNAT --to-destination 192.168.7.201:5900
-A PREROUTING -p tcp -m tcp --dport 5900 -j DNAT --to-destination 192.168.7.202:5900
-A PREROUTING -d 200.248.222.222 -p tcp -m tcp --dport 81 -j DNAT --to-destination 192.168.7.101:80
-A PREROUTING -d 200.248.222.222 -p tcp -m tcp --dport 1494 -j DNAT --to-destination 192.168.7.101
-A PREROUTING -d 200.248.222.222 -p tcp -m tcp --dport 1494 -j DNAT --to-destination 192.168.7.102
-A PREROUTING -s 192.168.7.0/255.255.255.0 -d 192.168.7.105 -p tcp -m tcp --dport 25 -j DNAT --to-destination 192.168.7.104
-A PREROUTING -s 192.168.7.0/255.255.255.0 -d 192.168.7.105 -p tcp -m tcp --dport 143 -j DNAT --to-destination 192.168.7.104
-A PREROUTING -d 200.248.222.222 -p tcp -m tcp --dport 25 -j DNAT --to-destination 192.168.7.104
-A PREROUTING -d 200.248.222.222 -p tcp -m tcp --dport 143 -j DNAT --to-destination 192.168.7.104
-A PREROUTING -d 200.248.222.222 -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.7.104
-A POSTROUTING -d 10.10.10.203 -j MASQUERADE
-A POSTROUTING -d 192.168.7.123 -j MASQUERADE
-A POSTROUTING -d 192.168.7.103 -j MASQUERADE
-A POSTROUTING -d 192.168.7.107 -j MASQUERADE
-A POSTROUTING -d 192.168.7.101 -j MASQUERADE
-A POSTROUTING -s 192.168.7.0/255.255.255.0 -j MASQUERADE
COMMIT
# Completed on Tue Sep 23 10:44:22 2008
# Generated by iptables-save v1.3.8 on Tue Sep 23 10:44:22 2008
*filter
:INPUT DROP [44194:5541262]
:FORWARD DROP [47346:2309810]
:OUTPUT ACCEPT [797688631:1063810322067]
-A INPUT -p tcp -m tcp --dport 3000 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 389 -j ACCEPT
-A INPUT -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 53 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 110 -j ACCEPT
-A INPUT -s 200.213.200.200 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -s 192.168.7.0/255.255.255.0 -j ACCEPT
-A INPUT -s 192.168.7.0/255.255.255.0 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -s 192.168.7.0/255.255.255.0 -p tcp -m tcp --dport 3128 -j ACCEPT
-A INPUT -s 192.168.7.0/255.255.255.0 -p tcp -m tcp --dport 143 -j ACCEPT
-A INPUT -s 192.168.7.0/255.255.255.0 -p tcp -m tcp --dport 110 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 25 -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -s 127.0.0.1 -j ACCEPT
-A INPUT -s 192.168.7.105 -j ACCEPT
-A INPUT -s 200.248.222.222 -j ACCEPT
-A INPUT -s 192.168.7.107 -j ACCEPT
-A FORWARD -s 192.168.7.25 -j ACCEPT
-A FORWARD -s 192.168.7.176 -j ACCEPT
-A FORWARD -s 192.168.7.170 -j ACCEPT
-A FORWARD -s 192.168.7.23 -j ACCEPT
-A FORWARD -s 192.168.7.92 -j ACCEPT
-A FORWARD -s 192.168.7.27 -j ACCEPT
-A FORWARD -s 192.168.7.42 -j ACCEPT
-A FORWARD -s 192.168.7.30 -j ACCEPT
-A FORWARD -s 192.168.7.30 -j ACCEPT
-A FORWARD -s 192.168.7.40 -j ACCEPT
-A FORWARD -s 192.168.7.146 -j ACCEPT
-A FORWARD -s 192.168.7.27 -j ACCEPT
-A FORWARD -s 192.168.7.2 -j ACCEPT
-A FORWARD -s 192.168.7.38 -j ACCEPT
-A FORWARD -s 192.168.7.207 -j ACCEPT
-A FORWARD -s 192.168.7.239 -j ACCEPT
-A FORWARD -s 192.168.7.43 -j ACCEPT
-A FORWARD -s 192.168.7.94 -j ACCEPT
-A FORWARD -p tcp -m tcp --dport 5017 -j ACCEPT
-A FORWARD -s 192.168.7.29 -j ACCEPT
-A FORWARD -s 192.168.7.35 -j ACCEPT
-A FORWARD -s 192.168.7.34 -j ACCEPT
-A FORWARD -s 192.168.7.33 -j ACCEPT
-A FORWARD -s 192.168.7.9 -j ACCEPT
-A FORWARD -s 192.168.7.31 -j ACCEPT
-A FORWARD -s 192.168.7.108 -j ACCEPT
-A FORWARD -s 192.168.7.29 -j ACCEPT
-A FORWARD -s 192.168.7.27 -j ACCEPT
-A FORWARD -s 192.168.7.26 -j ACCEPT
-A FORWARD -s 192.168.7.99 -j ACCEPT
-A FORWARD -s 192.168.7.2 -j ACCEPT
-A FORWARD -s 192.168.7.2 -j ACCEPT
-A FORWARD -s 192.168.7.94 -j ACCEPT
-A FORWARD -s 192.168.7.53 -j ACCEPT
-A FORWARD -s 192.168.7.6 -j ACCEPT
-A FORWARD -s 10.10.10.203 -j ACCEPT
-A FORWARD -d 10.10.10.203 -j ACCEPT
-A FORWARD -s 192.168.7.68 -j ACCEPT
-A FORWARD -s 192.168.7.25 -j ACCEPT
-A FORWARD -s 192.168.7.26 -j ACCEPT
-A FORWARD -s 192.168.7.66 -j ACCEPT
-A FORWARD -s 192.168.7.100 -j ACCEPT
-A FORWARD -s 192.168.7.101 -j ACCEPT
-A FORWARD -d 192.168.7.101 -j ACCEPT
-A FORWARD -d 192.168.7.102 -j ACCEPT
-A FORWARD -s 192.168.7.102 -j ACCEPT
-A FORWARD -s 192.168.7.104 -j ACCEPT
-A FORWARD -d 192.168.7.104 -j ACCEPT
-A FORWARD -s 192.168.7.105 -j ACCEPT
-A FORWARD -s 192.168.7.123 -j ACCEPT
-A FORWARD -s 192.168.7.200 -j ACCEPT
-A FORWARD -s 192.168.7.254 -j ACCEPT
-A FORWARD -d 64.4.4.4/255.255.0.0 -p tcp -m tcp --dport 80 -j ACCEPT
-A FORWARD -d 200.201.211.211/255.255.0.0 -j ACCEPT
-A FORWARD -p tcp -m tcp --dport 2631 -j ACCEPT
-A FORWARD -p tcp -m tcp --dport 6901 -j ACCEPT
-A FORWARD -p tcp -m tcp --dport 1024:65356 -j ACCEPT
-A FORWARD -d 10.10.10.203 -j ACCEPT
-A FORWARD -d 192.168.7.123 -j ACCEPT
-A FORWARD -d 192.168.7.103 -j ACCEPT
-A FORWARD -d 192.168.7.107 -j ACCEPT
-A FORWARD -p tcp -m tcp --dport 3456 -j ACCEPT
-A FORWARD -s 192.168.7.123 -p tcp -m tcp --dport 21 -j ACCEPT
-A FORWARD -s 192.168.7.103 -p tcp -m tcp --dport 21 -j ACCEPT
-A FORWARD -p tcp -m tcp --dport 1863 -j ACCEPT
-A FORWARD -p udp -m udp --dport 53 -j ACCEPT
-A FORWARD -p tcp -m tcp --dport 53 -j ACCEPT
-A FORWARD -p tcp -m tcp --dport 2500 -j ACCEPT
-A FORWARD -p tcp -m tcp --dport 25 -j ACCEPT
-A FORWARD -p tcp -m tcp --dport 110 -j ACCEPT
-A FORWARD -p udp -m udp --dport 123 -j ACCEPT
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
COMMIT
# Completed on Tue Sep 23 10:44:22 2008


Below are the changes I made to add the NET link:

IPTABLES - Mangle table:


*mangle
:PREROUTING ACCEPT [3574:2011155]
:INPUT ACCEPT [3373:1996429]
:FORWARD ACCEPT [201:14726]
:OUTPUT ACCEPT [3745:2112186]
:POSTROUTING ACCEPT [3878:2123748]
-A PREROUTING -i eth0 -p tcp -m tcp --dport 3128 -j MARK --set-mark 0x2
-A PREROUTING -i eth0 -p tcp -m tcp --dport 443 -j MARK --set-mark 0x2
-A INPUT -p tcp -m tcp --dport 25 -j MARK --set-mark 0x3
-A OUTPUT -d 192.168.7.104 -o eth0 -p tcp -m tcp --dport 25 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 80 -j MARK --set-mark 0x2
-A OUTPUT -p tcp -m tcp --dport 443 -j MARK --set-mark 0x2
-A OUTPUT -p tcp -m tcp --dport 25 -j MARK --set-mark 0x3
COMMIT

VLENTO table:

ip rule add fwmark 2 table main prio 20
ip rule add fwmark 3 table vlento prio 20
ip rule add from 200.248.222.222 table vlento
ip rule add from 193.1.1.5 table vlento
ip rule add from 193.1.1.6 table vlento
ip rule add from 193.1.1.3 table vlento
ip rule add from 193.1.1.13 table vlento
ip route add default via 200.248.222.1 dev eth1 table vlento
ip route flush cache


If anyone has any idea where I am going wrong, I would appreciate it.

-- 
[]'s, Renato

http://www.renator.wordpress.com

--~--~---------~--~----~------------~-------~--~----~
GUS-BR - Grupo de Usuários de Slackware Brasil
http://www.slackwarebrasil.org/
http://groups.google.com/group/slack-users-br
-~----------~----~----~----~------~----~------~--~---
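
Added example (not part of Renato's post): a small Python model of the mangle rules and `ip rule` entries above, showing which routing table SMTP forwarded from the mail server 192.168.7.104 selects compared with SMTP generated on the firewall itself. It assumes eth0 is the LAN interface and that table main defaults to the NET link; the flows and the candidate PREROUTING rule are constructed for illustration.

```python
import shlex

# "-A" lines of the mangle table, copied from the post.
MANGLE = """\
-A PREROUTING -i eth0 -p tcp -m tcp --dport 3128 -j MARK --set-mark 0x2
-A PREROUTING -i eth0 -p tcp -m tcp --dport 443 -j MARK --set-mark 0x2
-A INPUT -p tcp -m tcp --dport 25 -j MARK --set-mark 0x3
-A OUTPUT -d 192.168.7.104 -o eth0 -p tcp -m tcp --dport 25 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 80 -j MARK --set-mark 0x2
-A OUTPUT -p tcp -m tcp --dport 443 -j MARK --set-mark 0x2
-A OUTPUT -p tcp -m tcp --dport 25 -j MARK --set-mark 0x3"""
# "ip rule" entries from the post (rule priorities are not modelled).
FWMARK_TABLE = {2: "main", 3: "vlento"}
FROM_VLENTO = {"200.248.222.222", "193.1.1.5", "193.1.1.6", "193.1.1.3", "193.1.1.13"}
# Mangle chain that runs before the route lookup: forwarded packets pass
# PREROUTING only; OUTPUT applies to packets the firewall itself generates.
PRE_ROUTE_CHAIN = {"forwarded": "PREROUTING", "local_out": "OUTPUT"}
MATCH_KEYS = ("-i", "-o", "-s", "-d", "-p", "--dport")
# Constructed candidate rule: mark SMTP forwarded from the mail server.
CANDIDATE = "-A PREROUTING -i eth0 -s 192.168.7.104 -p tcp -m tcp --dport 25 -j MARK --set-mark 0x3"

def parse(text):
    """Each rule becomes a dict; every option used here is a flag/value pair."""
    return [dict(zip(t[0::2], t[1::2])) for t in map(shlex.split, text.splitlines())]

def routing_mark(flow, rules):
    """fwmark the packet carries when the kernel selects a routing table."""
    mark = 0
    for r in rules:
        if r["-A"] != PRE_ROUTE_CHAIN[flow["origin"]]:
            continue
        if any(k in r and r[k] != flow.get(k) for k in MATCH_KEYS):
            continue  # exact-value matching is enough for these rules
        if r["-j"] != "MARK":
            break  # ACCEPT ends traversal of this chain
        mark = int(r["--set-mark"], 16)  # MARK is non-terminating
    return mark

def table_for(flow, extra_rule=None):
    """Routing table chosen for the flow, optionally with one extra mangle rule."""
    rules = parse(MANGLE + ("\n" + extra_rule if extra_rule else ""))
    mark = routing_mark(flow, rules)
    if mark in FWMARK_TABLE:
        return FWMARK_TABLE[mark]
    return "vlento" if flow.get("-s") in FROM_VLENTO else "main"

# Constructed flows: SMTP to the Gmail MX address shown in the bounce.
MAIL_SERVER_SMTP = {"origin": "forwarded", "-i": "eth0", "-s": "192.168.7.104",
                    "-d": "72.14.247.27", "-p": "tcp", "--dport": "25"}
FIREWALL_SMTP = {"origin": "local_out", "-d": "72.14.247.27", "-p": "tcp", "--dport": "25"}
```

With the rules as posted, `table_for(MAIL_SERVER_SMTP)` returns `main` because nothing in mangle PREROUTING marks port 25, while `table_for(FIREWALL_SMTP)` returns `vlento`. Passing `CANDIDATE` as the extra rule moves the mail server's SMTP to `vlento`.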
