
Re: Big routing problem.. HELP!



Michał Prokopiuk wrote:
> Hello,
> On Thu, Feb 11, 2010 at 05:10:15 +0100, Bartosz Fenski aka fEnIo wrote:
> > On Thu, Feb 11, 2010 at 01:25:36PM +0100, toomeek_85 wrote:
> > > I'm asking for help configuring routing. It is a fairly complex system, so I will try to lay it out (some data has been changed):
> > I'll buy a four-pack for anyone who reads this to the end, understands it and
> > also solves the colleague's problem.
> I dumped the mail after the first sentence, but if you're offering a four-pack,
> send the mail again and we'll see what can be done ;).
Hello.
Maybe I'll forward it; it's quite a long e-mail. Here it is. :)

***************************************************************

Subject: Big routing problem.. HELP!
Resent-Date: Thu, 11 Feb 2010 12:42:21 +0000 (UTC)
Resent-From: debian-user-polish@lists.debian.org
Date: Thu, 11 Feb 2010 13:25:36 +0100
From: toomeek 85 <toomeek_85@tlen.pl>
To: debian-user-polish@lists.debian.org
Hello,
I'm asking for help configuring routing. It is a fairly complex system,
so I will try to lay it out (some data has been changed):
cat /etc/debian_version 
5.0.4
uname -r
2.6.27.24-tomcia.3.0.imq+hfsc+raid+sata
Goals:
- the 192.168.0.x subnet on interface bond0 must communicate correctly
with all hosts in the subnets below (meaning that ping works not only by
IP address but also by host name):
10.10.10.x - virtual network on interface bond0:1 (second LAN)
10.10.4.x - virtual network on interface bond0:2 (third LAN)
10.55.55.x - virtual network on interface tap0 (VPN)
- routing over 2 links must work correctly (i.e. something arrives on
link 1, enters the LAN to a host, returns from the host to the LAN and
leaves on link 1; in short it's about --save-mark and --restore-mark),
with routing done by port
- transfer from 10.10.10.x to 192.168.0.x should be around 2 Gbit/s
(the bonding module runs in round-robin mode, i.e. "0")
- HFSC on download (I'm working on that)

At the moment the situation looks like this:
- from 10.55.55.x you can ping hosts in 192.168.0.x, but only by IP
address, by name it isn't found; the VPN works fine (TCP services)
- when pinging from 192.168.0.x to 10.x.x.x I get:
PING 10.10.10.40 (10.10.10.40) 56(84) bytes of data.
From 192.168.0.1: icmp_seq=3 Redirect Host(New nexthop: 10.10.10.40)
From 192.168.0.1 icmp_seq=1 Destination Host Unreachable
From 192.168.0.1 icmp_seq=2 Destination Host Unreachable
From 192.168.0.1 icmp_seq=3 Destination Host Unreachable
- and here from the client:
ip route get 10.10.10.40
10.10.10.40 via 192.168.0.1 dev eth0  src 192.168.0.14
    cache  mtu 1500 advmss 1460 hoplimit 64
- and from the server to 10.10.10.x:
PING 10.10.10.40 (10.10.10.40) 56(84) bytes of data.
From 10.10.10.254 icmp_seq=1 Destination Host Unreachable
From 10.10.10.254 icmp_seq=2 Destination Host Unreachable
From 10.10.10.254 icmp_seq=3 Destination Host Unreachable
From 10.10.10.254 icmp_seq=5 Destination Host Unreachable
From 10.10.10.254 icmp_seq=6 Destination Host Unreachable
From 10.10.10.254 icmp_seq=7 Destination Host Unreachable
and in turn for another host - from the workstation:
PING 10.10.10.30 (10.10.10.30) 56(84) bytes of data.
64 bytes from 10.10.10.30: icmp_seq=1 ttl=254 time=13.7 ms
64 bytes from 10.10.10.30: icmp_seq=2 ttl=254 time=14.0 ms
64 bytes from 10.10.10.30: icmp_seq=3 ttl=254 time=14.0 ms
64 bytes from 10.10.10.30: icmp_seq=4 ttl=254 time=16.2 ms
64 bytes from 10.10.10.30: icmp_seq=5 ttl=254 time=13.8 ms
64 bytes from 10.10.10.30: icmp_seq=6 ttl=254 time=13.8 ms
64 bytes from 10.10.10.30: icmp_seq=7 ttl=254 time=13.8 ms
64 bytes from 10.10.10.30: icmp_seq=8 ttl=254 time=13.9 ms
64 bytes from 10.10.10.30: icmp_seq=9 ttl=254 time=13.8 ms
64 bytes from 10.10.10.30: icmp_seq=10 ttl=254 time=13.8 ms
tomcio@testowy:~$ ip route get 10.10.10.30
10.10.10.30 via 192.168.0.1 dev eth0  src 192.168.0.14
    cache  mtu 1500 advmss 1460 hoplimit 64
and from the server:
serwer:/tmp# ip route get 10.10.10.30
10.10.10.30 dev bond0  src 10.10.10.254
    cache  ipid 0x96a1 mtu 1500 advmss 1460 hoplimit 64


Configuration files:
/etc/network/interfaces
# The loopback network interface
auto lo
iface lo inet loopback

# DSL1
allow-hotplug eth0
iface eth0 inet static
    address 92.12.221.212
    netmask 255.255.255.248
# commented out because of an error with two gateways (the router
# doesn't know which gateway packets should go through)
#    gateway 92.12.221.211
auto eth0

# DSL2
allow-hotplug eth1
iface eth1 inet static
    address 81.17.121.67
    netmask 255.255.255.248
# this is the default gateway
    gateway 81.17.121.65
auto eth1

# LAN - 2 cards combined into a 2 Gbit link
iface bond0 inet static
    address 192.168.0.5
    netmask 255.255.255.0
    network 192.168.0.0
up /sbin/ifenslave bond0 eth2
up /sbin/ifenslave bond0 eth3
auto bond0

# Virtual interfaces for the networks
# Network1
iface bond0:1 inet static
address 10.10.4.254
netmask 255.255.255.255
auto bond0:1

# Network2
iface bond0:2 inet static
address 10.10.10.254
netmask 255.255.255.255
auto bond0:2

File /etc/init.d/openvpn/server.conf

dev tun
proto tcp-server
port 1122
server 10.55.55.0 255.255.255.0

push "route 192.168.0.0 255.255.255.0"
push "dhcp-option DNS 192.168.0.1"
push "dhcp-option WINS 192.168.0.1"
keepalive 10 120
max-clients 10
ifconfig-pool-persist /etc/openvpn/ipp.txt
client-config-dir /etc/openvpn/ccd
log-append /var/log/openvpn.log
mute 20

tls-server
tls-auth /etc/openvpn/keys/ta.key 0
ca /etc/openvpn/keys/ca.crt
cert /etc/openvpn/keys/server.crt
key /etc/openvpn/keys/server.key
dh /etc/openvpn/keys/dh1024.pem
persist-key
persist-tun

comp-lzo
daemon
verb 5
; eof

File /etc/init.d/firewall:

#!/bin/sh

PATH=/bin:/sbin:/usr/bin:/usr/sbin
iptables=/sbin/iptables

# Services that the system will offer to the network
# (chain INPUT)
TCP_SERVICES="1122" # VPN
UDP_SERVICES="53 ntp" # DNS
# Services the system will use from the network
# (chain OUTPUT)
REMOTE_TCP_SERVICES="" # Http, OpenVPN
REMOTE_UDP_SERVICES="53" # DNS
# SSH port
SSH_PORT="223344"

echo "Definicja zmiennych"
# interfaces
LAN="bond0"
VLAN1="bond0:1"
VLAN2="bond0:2"
WAN="eth1"
WAN2="eth0"
# IP addresses
LAN_IP="192.168.0.1"
NAT="92.12.221.212"
NAT2="81.17.121.67"
# gateways
GW1="92.12.221.211"
GW2="81.17.121.65"
# networks
LAN_NET="192.168.0.0/24"
GW1_NET="92.12.221.208/29"
GW2_NET="81.17.121.64/29"
# masks
LOCALMASK="255.255.255.0"
DSLMASK="255.255.255.248"
echo "Koniec definiowania zmiennych"

if ! [ -x /sbin/iptables ]; then
    exit 0
fi

fw_start () {

  # Modules
  modprobe ip_conntrack
  modprobe ip_conntrack_ftp

echo "Dodawanie podsieci"
route del -net 10.10.10.0 netmask 255.255.255.0 dev $VLAN1
route del -net 10.10.4.0 netmask 255.255.255.0 dev $VLAN2
route add -net 10.10.10.0 netmask 255.255.255.0 dev $VLAN1
route add -net 10.10.4.0 netmask 255.255.255.0 dev $VLAN2
echo "Zakończone dodawanie podsieci"

# split across the 2 DSL lines
echo "Kolejkowanie ruchu"

ip route flush table T1
ip route flush table T2
ip rule del from $NAT table T1
ip rule del from $NAT2 table T2
ip rule del fwmark 0x1 table T1
ip rule del fwmark 0x2 table T2

# "Setting up interfaces ..."

echo 1 > /proc/sys/net/ipv4/ip_forward

ifconfig $LAN $LAN_IP netmask $LOCALMASK up
ifconfig $WAN $NAT netmask $DSLMASK up
ifconfig $WAN2 $NAT2 netmask $DSLMASK up

ip route add $GW1_NET dev $WAN src $NAT table T1
ip route add default via $GW1 table T1

ip route add $GW2_NET dev $WAN2 src $NAT2 table T2
ip route add default via $GW2 table T2

# References to the LAN networks
ip route add $LAN_NET dev $LAN table T1
ip route add $GW1_NET dev $WAN table T1
ip route add $GW2_NET dev $WAN2 table T1
ip route add 10.10.10.0/24 dev $LAN table T1
ip route add 10.10.4.0/24 dev $LAN table T1

ip route add $LAN_NET dev $LAN table T2
ip route add $GW1_NET dev $WAN table T2
ip route add $GW2_NET dev $WAN2 table T2
ip route add 10.10.10.0/24 dev $LAN table T2
ip route add 10.10.4.0/24 dev $LAN table T2

# Backroute
ip route add $GW1_NET dev $WAN src $NAT
ip route add $GW2_NET dev $WAN2 src $NAT2

# Adding the 2 gateways
ip route add default scope global nexthop via $GW1 dev $WAN weight 1 \
    nexthop via $GW2 dev $WAN2 weight 1
ip route add $GW2 dev $WAN2

# Tables
ip rule add from $NAT table T1
ip rule add from $NAT2 table T2

# assign packets to tables
ip rule add fwmark 0x1 table T1
ip rule add fwmark 0x2 table T2

# flush the route cache
ip route flush cache

# set up NAT
iptables -t nat -A POSTROUTING -s $LAN_NET -o $WAN -j SNAT --to $NAT
iptables -t nat -A POSTROUTING -s $LAN_NET -o $WAN2 -j SNAT --to $NAT2
# test network - internet access
iptables -t nat -A POSTROUTING -s 10.10.10.0/24 -o $WAN -j SNAT --to $NAT
iptables -t nat -A POSTROUTING -s 10.10.10.0/24 -o $WAN2 -j SNAT --to $NAT2

# Restore the mark for already established connections - completely
# breaks the queueing
#iptables -t mangle -A PREROUTING -j CONNMARK --restore-mark

# POP3 Secured - receiving mail
iptables -t mangle -A PREROUTING -p tcp --dport 995 -j MARK --set-mark 0x2
# SMTP Secured - sending mail
iptables -t mangle -A PREROUTING -p tcp --sport 465 -j MARK --set-mark 0x2
# POP3 - receiving
iptables -t mangle -A PREROUTING -p tcp --dport 25 -j MARK --set-mark 0x2
# SMTP - sending
iptables -t mangle -A PREROUTING -p tcp --sport 110 -j MARK --set-mark 0x2
# HTTPS - encrypted connections to websites
iptables -t mangle -A PREROUTING -p tcp --dport 443 -j MARK --set-mark 0x2
# Internet radio
iptables -t mangle -A PREROUTING -p tcp --dport 8000:8500 -j MARK --set-mark 0x2
# DNS - domain name queries
iptables -t mangle -A PREROUTING -p udp --dport 53 -j MARK --set-mark 0x1
# ? to be added later
iptables -t mangle -A PREROUTING -p tcp --dport 445 -j MARK --set-mark 0x1
# Save MARK - because of this smtps doesn't work!!!!
#iptables -t mangle -A PREROUTING -p tcp -m mark --mark 0x1 -j CONNMARK --save-mark
#iptables -t mangle -A PREROUTING -p tcp -m mark --mark 0x2 -j CONNMARK --save-mark
#iptables -t mangle -A PREROUTING -p udp -m mark --mark 0x1 -j CONNMARK --save-mark
#iptables -t mangle -A PREROUTING -p udp -m mark --mark 0x2 -j CONNMARK --save-mark

# there was a bug here that made packets returning on the same link go
# through interface $LAN !!!!
#iptables -t nat -A PREROUTING -i $WAN -s 0/0 -d 0/0 -j DNAT --to $LAN_IP
#iptables -t nat -A PREROUTING -i $WAN2 -s 0/0 -d 0/0 -j DNAT --to $LAN_IP

echo "Zakonczone tworzenie tras"

echo "Kolejkowanie uploadu - HFSC"
# DSL1 up
/etc/skrypty/hfsc-up stop $WAN
/etc/skrypty/hfsc-up start $WAN 1000 120
# DSL2 up
/etc/skrypty/hfsc-up2 stop $WAN2
/etc/skrypty/hfsc-up2 start $WAN2 1000 120
echo "Zakonczono kolejkowanie uploadu - HFSC"

/sbin/iptables -A INPUT -m state --state INVALID -j DROP
/sbin/iptables -A FORWARD -m state --state INVALID -j DROP

  # Other network protections
  echo 1 > /proc/sys/net/ipv4/tcp_syncookies
  echo 1 > /proc/sys/net/ipv4/ip_forward
  echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
  echo 1 > /proc/sys/net/ipv4/conf/all/log_martians
  echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
  echo 0 > /proc/sys/net/ipv4/conf/${WAN}/rp_filter
  echo 0 > /proc/sys/net/ipv4/conf/${WAN2}/rp_filter
  echo 0 > /proc/sys/net/ipv4/conf/all/send_redirects
  echo 0 > /proc/sys/net/ipv4/conf/all/accept_source_route
# TESTS with routing between the LAN networks
#  echo 1 > /proc/sys/net/ipv4/conf/${LAN}/send_redirects
#  echo 1 > /proc/sys/net/ipv4/conf/${LAN}/accept_redirects
#  echo 1 > /proc/sys/net/ipv4/conf/${LAN}/accept_source_route

#  echo 0 > /proc/sys/net/ipv4/conf/${WAN}/accept_source_route
#  echo 0 > /proc/sys/net/ipv4/conf/${WAN2}/accept_source_route
#  echo 0 > /proc/sys/net/ipv4/conf/${WAN}/accept_redirects
#  echo 0 > /proc/sys/net/ipv4/conf/${WAN2}/accept_redirects
#  echo 0 > /proc/sys/net/ipv4/conf/${WAN}/send_redirects
#  echo 0 > /proc/sys/net/ipv4/conf/${WAN2}/send_redirects
  echo 0 > /proc/sys/net/ipv4/tcp_ecn
  echo 1 > /proc/sys/net/ipv4/tcp_timestamps

  # Limiting TCP sessions
  echo "30" > /proc/sys/net/ipv4/tcp_fin_timeout
  echo "2400" > /proc/sys/net/ipv4/tcp_keepalive_time
  echo "0" > /proc/sys/net/ipv4/tcp_window_scaling
  echo "0" > /proc/sys/net/ipv4/tcp_sack
  echo "20" > /proc/sys/net/ipv4/ipfrag_time
  echo "1280" > /proc/sys/net/ipv4/tcp_max_syn_backlog


  # Input traffic:
  /sbin/iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
  # Services - TCP
  echo " "
  echo "Otwarcie drogi dla serwisow"
  if [ -n "$TCP_SERVICES" ] ; then
  for PORT in $TCP_SERVICES; do
    /sbin/iptables -A INPUT -p tcp --dport ${PORT} -j ACCEPT
  done
  fi
  # SSH
  /sbin/iptables -A INPUT -p tcp --dport ${SSH_PORT} -j ACCEPT
  # Services - UDP
  if [ -n "$UDP_SERVICES" ] ; then
  for PORT in $UDP_SERVICES; do
    /sbin/iptables -A INPUT -p udp --dport ${PORT} -j ACCEPT
  done
  fi

  # ICMP and others
  # REM - only some ICMP packets are allowed
  #/sbin/iptables -A INPUT -p icmp -j ACCEPT
  /sbin/iptables -A INPUT -p icmp --icmp-type 0 -j ACCEPT
  /sbin/iptables -A INPUT -p icmp --icmp-type 3 -j ACCEPT
  /sbin/iptables -A INPUT -p icmp --icmp-type 11 -j ACCEPT
  /sbin/iptables -A INPUT -p icmp --icmp-type 8 -m limit --limit 1/second -j ACCEPT
  #/sbin/iptables -A INPUT -p icmp --icmp-type echo-reply -j ACCEPT
  # this single line allows only the server to receive ICMP - protection
  # against DoS
  # Reject large pings
  #iptables -A INPUT -p icmp -m length --length 200:65535 -j DROP
  #iptables -A OUTPUT -p icmp -m length --length 200:65535 -j DROP

  /sbin/iptables -A INPUT -i lo -j ACCEPT
  /sbin/iptables -P INPUT DROP
  # Output:
  /sbin/iptables -A OUTPUT -j ACCEPT -o lo
  /sbin/iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
  # ICMP is permitted:
  /sbin/iptables -A OUTPUT -p icmp -j ACCEPT
  /sbin/iptables -A OUTPUT -m state -p icmp --state INVALID -j DROP
  # So are security package updates:
  # Note: You can hardcode the IP address here to prevent DNS spoofing
  # and to setup the rules even if DNS does not work but then you
  # will not "see" IP changes for this service:
  /sbin/iptables -A OUTPUT -p tcp -d security.debian.org --dport 80 -j ACCEPT
  # As well as the services we have defined:
  /sbin/iptables -A OUTPUT -p tcp -m state --state NEW -j ACCEPT
  /sbin/iptables -A OUTPUT -p udp -m state --state NEW -j ACCEPT
  if [ -n "$REMOTE_TCP_SERVICES" ] ; then
  for PORT in $REMOTE_TCP_SERVICES; do
    /sbin/iptables -A OUTPUT -p tcp --dport ${PORT} -j ACCEPT
  done
  fi
  if [ -n "$REMOTE_UDP_SERVICES" ] ; then
  for PORT in $REMOTE_UDP_SERVICES; do
    /sbin/iptables -A OUTPUT -p udp --dport ${PORT} -j ACCEPT
  done
  fi
  # OUTPUT - we let everything through
  #/sbin/iptables -A OUTPUT -j LOG
  #/sbin/iptables -A OUTPUT -j REJECT
  #/sbin/iptables -P OUTPUT DROP

  # Masquerade
  /sbin/iptables -A FORWARD -m state --state NEW -j ACCEPT
  /sbin/iptables -A FORWARD -p tcp -m state --state ESTABLISHED,RELATED -j ACCEPT
  /sbin/iptables -A FORWARD -p udp -m state --state ESTABLISHED,RELATED -j ACCEPT
  /sbin/iptables -A FORWARD -p icmp -m state --state ESTABLISHED,RELATED -j ACCEPT

  # This is the redirect onto the main link - we won't use it any more
  # because traffic goes over the 2 DSL lines.
  #/sbin/iptables -t nat -A POSTROUTING -o ${WAN} -s 192.168.0.0/16 -j SNAT --to ${NAT}

  # Limit the number of connections to 300 per modem - protection
  # against the modem hanging
  /sbin/iptables -t filter -A FORWARD -s 192.168.0.0/24 -o ${WAN} -p tcp -m mark \
  --mark 0x0 -m connlimit --connlimit-above 300 --connlimit-mask 32 \
  -j REJECT --reject-with tcp-reset
  /sbin/iptables -t filter -A FORWARD -s 192.168.0.0/24 -o ${WAN2} -p tcp -m mark \
  --mark 0x0 -m connlimit --connlimit-above 300 --connlimit-mask 32 \
  -j REJECT --reject-with tcp-reset


# OpenVPN virtual devices
echo "OpenVPN ustawienie interface'ow"
# Allow TUN interface connections to OpenVPN server
iptables -A INPUT -i tun+ -j ACCEPT
# Allow TUN interface connections to be forwarded through other interfaces
iptables -A FORWARD -i tun+ -j ACCEPT
# Allow TAP interface connections to OpenVPN server
iptables -A INPUT -i tap+ -j ACCEPT
# Allow TAP interface connections to be forwarded through other interfaces
iptables -A FORWARD -i tap+ -j ACCEPT
# This line is responsible for network access from the virtual addresses
/sbin/iptables -A FORWARD -i tun0 -s 10.55.55.0/24 -d 192.168.0.0/24 -j ACCEPT
# Bridge for the VPN connection
#/sbin/iptables -A INPUT -i br0 -j ACCEPT
#/sbin/iptables -A FORWARD -i br0 -j ACCEPT

# SERVICES

# Samba
${iptables} -A INPUT -i ${LAN} -s ${LAN_NET} -p udp --dport 137 -m state --state NEW -j ACCEPT
${iptables} -A INPUT -i ${LAN} -s ${LAN_NET} -p udp --dport 138 -m state --state NEW -j ACCEPT
${iptables} -A INPUT -i ${LAN} -s ${LAN_NET} -p tcp --dport 139 -m state --state NEW -j ACCEPT
${iptables} -A INPUT -i ${LAN} -s ${LAN_NET} -p tcp --dport 445 -m state --state NEW -j ACCEPT
# TFTP - Boot from LAN
${iptables} -A INPUT -i ${LAN} -s ${LAN_NET} -p udp --dport 67 -m state --state NEW -j ACCEPT
${iptables} -A INPUT -i ${LAN} -s ${LAN_NET} -p udp --dport 69 -m state --state NEW -j ACCEPT
# NFS for LAN
${iptables} -A INPUT -i ${LAN} -s ${LAN_NET} -p udp -m multiport --ports 111,2049,32765:32769 -m state --state NEW -j ACCEPT
${iptables} -A INPUT -i ${LAN} -s ${LAN_NET} -p tcp -m multiport --ports 111,2049,32765:32769 -m state --state NEW -j ACCEPT
# NetCat
${iptables} -A INPUT -i ${LAN} -s ${LAN_NET} -p tcp --dport 1234 -m state --state NEW -j ACCEPT

## The actual redirect - disabled because the 2 DSL lines are in use ##
#/sbin/iptables -t nat -A PREROUTING -p tcp --dport 80 -i ${LAN} -s 192.168.0.0/16 -j DNAT --to-destination 192.168.0.1:8080
# the one below is used with DANSGUARDIAN
#/sbin/iptables -t nat -A PREROUTING -p tcp --dport 8080 -i ${WAN} -j DNAT --to-destination 192.168.0.1:3128

# Logging of all chains
#  /sbin/iptables -A INPUT -j LOG
#  /sbin/iptables -A OUTPUT -j LOG
#  /sbin/iptables -A FORWARD -j LOG

echo "Blokada niechcianych kompow"
# COMPLETE BLOCK SERVER-HOST
BLOCKED_MAC="12:34:56:78:90:12 09:87:65:43:21:09"
for adres_mac in $BLOCKED_MAC
do
    iptables -I INPUT 1 -m mac --mac-source $adres_mac -j DROP
done
# BLOCK INTERNET ACCESS ONLY
BLOCKED_MAC2="12:34:56:78:90:12 09:87:65:43:21:09"
for adres_mac2 in $BLOCKED_MAC2
do
    iptables -I FORWARD 2 -m mac --mac-source $adres_mac2 -j DROP
done

# PC1 - block everything except RDC and mail
iptables -I FORWARD 3 -m mac --mac-source 12:34:56:78:90:12 -m multiport -p tcp --ports ! 25,110,465,995,3389,5900 -j DROP
iptables -I FORWARD 4 -m mac --mac-source 12:34:56:78:90:12 -m multiport -p udp --ports ! 53,5900 -j DROP
# Block internet access for an IP range except for a few ports
iptables -I FORWARD 9 -m iprange --src-range 192.168.0.20-192.168.0.30 -m multiport -p tcp --ports ! 3389,5900,22,23 -j DROP
iptables -I FORWARD 10 -m iprange --src-range 192.168.0.20-192.168.0.30 -m multiport -p udp --ports ! 5900 -j DROP

echo "Blokada P2P na cala siec"
P2P_PROTO="100bao applejuice ares bittorrent directconnect edonkey
fasttrack gnucleuslan gnutella hotline imesh mute
napster openft poco pplive soribada soulseek thecircle xunlei code_red
nimda"
if [ -n "$P2P_PROTO" ]; then
for P2P in ${P2P_PROTO}; do
    ${iptables} -A FORWARD -s 192.168.0.0/16 -m layer7 --l7proto ${P2P} -j LOG --log-level debug --log-prefix "IPT:P2P "
    ${iptables} -A FORWARD -s 192.168.0.0/16 -m layer7 --l7proto ${P2P} -j DROP
done
fi
echo "Blokada eMule"
${iptables} -A FORWARD -s 192.168.0.0/16 -p tcp --dport 4661:4711 -j REJECT
${iptables} -A FORWARD -s 192.168.0.0/16 -p udp --dport 4661:4711 -j REJECT
echo "Blokada roznych serwisow WWW - napalonych przekieruj na Google"
LISTA_SERWISOW="193.17.41.95 208.43.223.10 rapidshare.com rapidshare.de
megaupload.com megadownload.com
speedyshare.com"
#193.17.41.95 = wrzuta.pl
#208.43.223.10 = chomikuj.pl
if [ -n "$LISTA_SERWISOW" ]; then
for WWW in ${LISTA_SERWISOW}; do
    ${iptables} -t nat -A PREROUTING -p tcp -s 192.168.0.0/24 -d ${WWW} --dport 80 -j DNAT --to 216.239.59.104:80
done
fi
echo "Przekierowania"
# PORT FORWARDS
# Ubuntu server
/sbin/iptables -t nat -A PREROUTING -p tcp -d ${NAT} --dport 1234 -j DNAT --to-destination 10.10.10.100:1234
/sbin/iptables -A FORWARD -i ${WAN} -p tcp --dport 1234 -d 10.10.10.100 -j ACCEPT

  # logs
  #/sbin/iptables -A INPUT -j LOG -m limit --limit 10/hour
  /sbin/iptables -A INPUT -j DROP
  #/sbin/iptables -A FORWARD -j LOG -m limit --limit 10/hour
  /sbin/iptables -A FORWARD -j DROP

  # Setting the TTL helps when the routes are set up incorrectly
  #/sbin/iptables -t mangle -A POSTROUTING -j TTL --ttl-set 128

  # Save the rules
  /sbin/iptables-save > /etc/iptables-reguly.ipt
}

fw_stop () {
  /sbin/iptables -F
  /sbin/iptables -X
  /sbin/iptables -t nat -F
  /sbin/iptables -t nat -X
  /sbin/iptables -t mangle -F
  /sbin/iptables -P INPUT DROP
  /sbin/iptables -P FORWARD DROP
  /sbin/iptables -P OUTPUT ACCEPT
}

fw_clear () {
  /sbin/iptables -F
  /sbin/iptables -t nat -F
  /sbin/iptables -t mangle -F
  /sbin/iptables -P INPUT ACCEPT
  /sbin/iptables -P FORWARD ACCEPT
  /sbin/iptables -P OUTPUT ACCEPT
}


case "$1" in
  start|restart)
    echo -n "Starting firewall.."
    fw_stop
    fw_start
    echo "done."
    ;;
  stop)
    echo -n "Stopping firewall.."
    fw_stop
    echo "done."
    ;;
  clear)
    echo -n "Clearing firewall rules.."
    fw_clear
    echo "done."
    ;;
  *)
    echo "Usage: $0 {start|stop|restart|clear}"
    exit 1
    ;;
esac
exit 0

The ifconfig command returns:

bond0
          inet addr:192.168.0.1  Bcast:192.168.0.255  Mask:255.255.255.0

bond0:1
          inet addr:10.10.4.254  Bcast:10.255.255.255  Mask:255.255.255.255
          UP BROADCAST RUNNING MASTER MULTICAST  MTU:1500  Metric:1

bond0:2   Link encap:Ethernet  HWaddr 00:14:85:fb:84:f5
          inet addr:10.10.10.254  Bcast:10.255.255.255  Mask:255.255.255.255
          UP BROADCAST RUNNING MASTER MULTICAST  MTU:1500  Metric:1

eth0
          inet addr:92.12.221.212  Mask:255.255.255.248
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:90465714 errors:0 dropped:0 overruns:0 frame:0
          TX packets:78865335 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000

eth1
          inet addr:81.17.121.67  Bcast:  Mask:255.255.255.248
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1

eth2
          UP BROADCAST RUNNING SLAVE MULTICAST  MTU:1500  Metric:1
          RX packets:271344123 errors:0 dropped:0 overruns:0 frame:0
          TX packets:241058379 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000

eth3
          UP BROADCAST RUNNING SLAVE MULTICAST  MTU:1500  Metric:1
          RX packets:53697061 errors:0 dropped:0 overruns:0 frame:0
          TX packets:45544896 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:29815 errors:0 dropped:0 overruns:0 frame:0
          TX packets:29815 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0

tun0      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
          inet addr:10.55.55.1  P-t-P:10.55.55.2  Mask:255.255.255.255
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1
          RX packets:180024 errors:0 dropped:0 overruns:0 frame:0
          TX packets:171714 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100

The route -n command returns:
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
92.12.221.212   0.0.0.0         255.255.255.255 UH    0      0        0 eth0
10.55.55.2      0.0.0.0         255.255.255.255 UH    0      0        0 tun0
92.12.221.208   0.0.0.0         255.255.255.248 U     0      0        0 eth0
81.17.121.64    0.0.0.0         255.255.255.248 U     0      0        0 eth1
10.10.4.0       0.0.0.0         255.255.255.0   U     0      0        0 bond0
192.168.0.0     0.0.0.0         255.255.255.0   U     0      0        0 bond0
10.55.55.0      10.55.55.2      255.255.255.0   UG    0      0        0 tun0
10.10.10.0      0.0.0.0         255.255.255.0   U     0      0        0 bond0
0.0.0.0         81.17.121.65    0.0.0.0         UG    0      0        0 eth1

**************************************************************************************

That's the end of it. There's quite a bit of it. :)
While I'm at it, a request to the sender of this message, toomeek 85
<toomeek_85@tlen.pl>:
in future please write in plain text only, without using HTML at all.
Many mail readers display it incorrectly. Unfortunately this also happens
to some Gmail account users. There you additionally have to switch to
plain text and then it will be OK. Messages are then easy to read, save
and reply to, with everything in the quote.

Good luck deciphering the message above. :)
-- 
Regards, Krzysztof.
------------------------------------------------------------
Registered Linux User: 253243
Powered by Aurox 11.0, Ubuntu Studio 8.04 and Fedora 9.0
Krzysztof Zubik. | kzubik@netglob.com.pl| kzubik@wp.pl
http://www.kzubik.cba.pl
GaduGadu. 1208376 | Jabber. kzubik@jabber.wp.pl | Skype. kzubik
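Added here as an illustration and not part of the thread: a Python check (the names parse_interfaces, check_routes and host_mask_aliases are mine) that parses the /etc/network/interfaces stanzas and the two "route add" lines quoted in the forwarded mail and reports each route attached to an alias whose own address lies outside the routed network. On the quoted configuration it flags 10.10.10.0/24 on bond0:1 (which holds 10.10.4.254) and 10.10.4.0/24 on bond0:2 (which holds 10.10.10.254), and lists the two aliases configured with a 255.255.255.255 mask.

```python
import ipaddress
import re

# Constructed sample input, copied from the thread: the bond0 stanzas of
# /etc/network/interfaces and the two "route add" lines from the firewall
# script, with $VLAN1 and $VLAN2 expanded to the values the script sets.
INTERFACES = """\
iface bond0 inet static
    address 192.168.0.5
    netmask 255.255.255.0
iface bond0:1 inet static
address 10.10.4.254
netmask 255.255.255.255
iface bond0:2 inet static
address 10.10.10.254
netmask 255.255.255.255
"""
ROUTE_CMDS = [
    "route add -net 10.10.10.0 netmask 255.255.255.0 dev bond0:1",
    "route add -net 10.10.4.0 netmask 255.255.255.0 dev bond0:2",
]
ROUTE_RE = re.compile(r"route add -net (\S+) netmask (\S+) dev (\S+)$")

def parse_interfaces(text):
    """Map each 'iface <name> inet static' stanza to its IPv4Interface."""
    ifaces = {}
    name = addr = mask = None

    def flush():  # store the stanza collected so far, if it is complete
        if name and addr and mask:
            ifaces[name] = ipaddress.IPv4Interface(f"{addr}/{mask}")

    for raw in text.splitlines():
        parts = raw.split()
        if not parts or parts[0].startswith("#"):
            continue
        if parts[0] == "iface":
            flush()
            name, addr, mask = parts[1], None, None
        elif parts[0] == "address":
            addr = parts[1]
        elif parts[0] == "netmask":
            mask = parts[1]
    flush()
    return ifaces

def parse_route_cmd(cmd):
    """Return (IPv4Network, device) for a 'route add -net X netmask M dev D' line."""
    m = ROUTE_RE.match(cmd.strip())
    if not m:
        raise ValueError("unrecognised route command: " + cmd)
    return ipaddress.IPv4Network(f"{m.group(1)}/{m.group(2)}"), m.group(3)

def check_routes(interfaces_text, route_cmds):
    """Return (network, dev, dev_ip, better_dev) for each route whose device has
    no address inside that network; better_dev is the interface that does."""
    ifaces = parse_interfaces(interfaces_text)
    findings = []
    for cmd in route_cmds:
        net, dev = parse_route_cmd(cmd)
        dev_ip = ifaces[dev].ip if dev in ifaces else None
        if dev_ip is not None and dev_ip in net:
            continue  # the device really is attached to this network
        better = [n for n, i in ifaces.items() if i.ip in net]
        findings.append((str(net), dev, None if dev_ip is None else str(dev_ip),
                         better[0] if better else None))
    return findings

def host_mask_aliases(interfaces_text):
    """Interfaces configured with a /32 mask: ifupdown installs no connected
    route for them, which is why the script has to add the routes by hand."""
    return [n for n, i in parse_interfaces(interfaces_text).items()
            if i.network.prefixlen == 32]
```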