Registrován: 19.06.2004
Příspěvků: 5

pripojenie mam z dvoch routerov ADSL ST Telekom:

1. 10.0.0.138
2. 10.0.1.138

sever ma tri sietovky:

1. eth0 - 192.168.10.1 - pre wifi siet
2. eth1 - 10.0.0.1 - do 1. routeru
3. sth2 - 10.0.1.1 - do 2. routeru

a routing je robeny takto:

#! /bin/bash
echo "nastavenie premennych"
IFI=eth0
IPI=192.168.10.1
NWI=16
IFE1=eth1
IPE1=10.0.0.1
NME1=29
NWE1=10.0.0.0
GWE1=10.0.0.138
BRD1=10.0.0.255
IFE2=eth2
IPE2=10.0.1.1
NWE2=10.0.1.0
NME2=29
GWE2=10.0.1.138
BRD2=10.0.1.255

echo "Vypinanie interfejsov"
ip link set lo down
ip link set eth0 down
ip link set eth1 down
ip link set eth2 down

echo "Cistenie tabuliek routingu"
ip ro flush table dsl1
ip ro flush table dsl2
ip ro flush table ja
ip ro flush table main

echo "Inicializacia LO"
ip link set lo up
ip addr add 127.0.0.1/8 brd + dev lo

echo "Inicializacia ETH0"
ip link set $IFI up
ip addr add $IPI/$NWI brd + dev $IFI
ip rule add prio 50 table main
ip route del default table main

echo "Inicializacia ETH1"
ip link set $IFE1 up
ip addr flush dev $IFE1
ip addr add $IPE1/$NME1 brd $BRD1 dev $IFE1

echo "Inicializacia ETH2"
ip link set $IFE2 up
ip addr flush dev $IFE2
ip addr add $IPE2/$NME2 brd $BRD2 dev $IFE2

echo "Nastavenie tabulky JA"
ip rule add prio 300 table ja
ip ro add default table ja proto static nexthop via $GWE1 dev $IFE1 nexthop via $GWE2 dev $IFE2

echo "Nastavenie tabulky DSL1"
ip rule add prio 201 from $NWE1/$NME1 table dsl1
ip route add default table dsl1 proto static via $GWE1 dev $IFE1 src $IPE1
ip route append prohibit default table dsl1 metric 1 proto static

echo "Nastavenie tabulky DSL2"
ip rule add prio 202 from $NWE2/$NME2 table dsl2
ip route add default table dsl2 proto static via $GWE2 dev $IFE2 src $IPE2
ip route append prohibit default table dsl2 metric 1 proto static

ip ro flush cache

echo "Vypinanie route filteringu"
echo "1" > /proc/sys/net/ipv4/conf/eth2/rp_filter
echo "1" > /proc/sys/net/ipv4/conf/eth1/rp_filter
echo "1" > /proc/sys/net/ipv4/conf/eth0/rp_filter


echo "Nahravanie pravidiel iptables"
echo "Cistenie tabuliek"
iptables -F
iptables -F -t nat
iptables -X -t nat

iptables -F -t mangle
#dopisane
iptables -F -t filter
iptables -X -t filter

/etc/rc.d/connlimit
/etc/rc.d/syf

#####
echo "keep_state"
iptables -t filter -N keep_state
iptables -t filter -A keep_state -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -t filter -A keep_state -j RETURN

iptables -t nat -N keep_state
iptables -t nat -A keep_state -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -t nat -A keep_state -j RETURN

iptables -t filter -A INPUT -j keep_state
iptables -t filter -A OUTPUT -j keep_state
iptables -t filter -A FORWARD -j keep_state
iptables -t nat -A PREROUTING -j keep_state
iptables -t nat -A POSTROUTING -j keep_state
iptables -t nat -A OUTPUT -j keep_state


echo Vstupy
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -i eth0 -s 192.168.1.0/24 -j ACCEPT
iptables -A INPUT -p tcp --dport 21 -j ACCEPT
iptables -A INPUT -p tcp --dport 2222 -j ACCEPT
iptables -A INPUT -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -p tcp --dport 10000 -j ACCEPT

# Forward
iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
iptables -A FORWARD -p tcp --dport 135:139 -j DROP
iptables -A FORWARD -p udp --dport 135:139 -j DROP
iptables -A FORWARD -p tcp --dport 445 -j DROP
iptables -A FORWARD -p udp --dport 445 -j DROP


# Postrouting
iptables -A POSTROUTING -t nat -o eth1 -j SNAT --to 83.16.139.83
iptables -A POSTROUTING -t nat -o eth2 -j SNAT --to 83.16.141.218

# Vystup
iptables -A OUTPUT -j ACCEPT

#iptables -t nat -A PREROUTING -i eth0 -s 192.168.10.0/16 -p tcp --dport 80 -j REDIRECT --to-port 8080
#iptables -t nat -A PREROUTING -i eth0 -s 192.168.10.0/16 -p tcp --dport 8080 -j REDIRECT --to-port 8080

/etc/rc.d/rc.limits
#/etc/rc.d/pinger &

pekne to vyvazuje zatazenie oboch liniek :)