
Stuff

Funcionamento:

Cliente conecta no ip 187.5.250.106 e ganha o ip 10.8.0.2. A rede interna do OPENVPN é 10.1.1.0

O cliente consegue navegar na internet, mas não consegue acessar/pingar nenhum ip 10.1.1.xxx.


--- ROTAS DO SERVIDOR VPN:

[root@router ~]# route -n
Tabela de Roteamento IP do Kernel
Destino         Roteador        MáscaraGen.    Opções Métrica Ref   Uso Iface
10.8.0.2        0.0.0.0         255.255.255.255 UH    0      0        0 tun0
187.5.250.104   0.0.0.0         255.255.255.248 U     0      0        0 eth0
192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 eth2
169.254.0.0     0.0.0.0         255.255.0.0     U     0      0        0 eth2
10.0.0.0        0.0.0.0         255.0.0.0       U     0      0        0 eth1
0.0.0.0         187.5.250.105   0.0.0.0         UG    0      0        0 eth0

----- FIREWALL:


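#!/bin/bash
# Firewall and policy-routing marks for a multi-homed router (two uplinks, one
# LAN, one OpenVPN tunnel).
# Usage: firewall.sh {start|stop|restart}   (no argument behaves like start)

# modprobe loads the netfilter kernel modules used by start()
# (command -v is the portable replacement for `which`)
MOD=$(command -v modprobe)

# iptables binary; every rule below goes through this variable
IPT=$(command -v iptables)

# Network interfaces. From the route table in the paste: eth0 carries the
# 187.5.250.104/29 public block and the default route, eth2 the 192.168.1.0/24
# side (presumably the ADSL modem -- TODO confirm), eth1 the 10/8 LAN.
readonly I_LINK1="eth0"
readonly I_LINK2="eth2"
readonly I_LAN="eth1"
readonly I_VPN="tun0"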

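# Public address the published (DNAT) services are bound to; it lies inside the
# 187.5.250.104/29 block on eth0 shown in the route table.
readonly PUBLIC_IP="187.5.250.106"

#######################################
# Publish a TCP service on the public address.
# Globals:   IPT, PUBLIC_IP (read)
# Arguments: $1 - public port, $2 - internal host, $3 - internal port
# Side effects: adds a nat DNAT rule plus a mangle rule marking the host's
#   replies with mark 1 (the "dedicated link" mark used by start()).
#######################################
publish_tcp() {
  local pub_port=$1 host=$2 host_port=$3
  "$IPT" -t nat -A PREROUTING -d "$PUBLIC_IP" -p tcp --dport "$pub_port" -j DNAT --to "${host}:${host_port}"
  "$IPT" -t mangle -A PREROUTING -p tcp -s "$host" --sport "$host_port" -j MARK --set-mark 1
}

#######################################
# Build the whole ruleset from scratch: flush, enable forwarding, NAT for both
# uplinks and the VPN, inbound service ports, policy-routing marks and the
# published services. Rule order is the same as in the original script.
# Globals:  MOD, IPT, I_LINK1, I_LINK2, I_LAN, I_VPN, PUBLIC_IP (read)
# Outputs:  "Firewall iniciado." on stdout when done
#######################################
start() {
  local proto net dport port

  # Load the netfilter kernel modules
  "$MOD" ip_tables
  "$MOD" iptable_nat

  # Flush the previous ruleset. stop() also resets every policy to ACCEPT, so
  # the host is briefly wide open until the DROP policy below is applied.
  stop

  # Enable routing between interfaces
  echo 1 > /proc/sys/net/ipv4/ip_forward
  # Disable reverse-path filtering in the "default" template, i.e. for
  # interfaces created from now on (existing ones keep their value). Presumably
  # needed because the two uplinks route asymmetrically -- TODO confirm. It also
  # removes the kernel's anti-spoofing check, which is why the private-source
  # INPUT rules further down are tied to the LAN interface.
  echo "0" > /proc/sys/net/ipv4/conf/default/rp_filter

  # Share both uplinks: masquerade all of 10/8 leaving via either WAN interface
  # (interface variables instead of the literal eth2/eth0 used before)
  "$IPT" -t nat -A POSTROUTING -s 10.0.0.0/255.0.0.0 -o "$I_LINK2" -j MASQUERADE
  "$IPT" -t nat -A POSTROUTING -s 10.0.0.0/255.0.0.0 -o "$I_LINK1" -j MASQUERADE

  # Default policies: unsolicited input is dropped, forwarding and output are open
  "$IPT" -P INPUT DROP
  "$IPT" -P FORWARD ACCEPT
  "$IPT" -P OUTPUT ACCEPT

  # Everything to/from the VPN tunnel is accepted
  "$IPT" -A INPUT -i "$I_VPN" -j ACCEPT
  "$IPT" -A OUTPUT -o "$I_VPN" -j ACCEPT
  "$IPT" -A FORWARD -o "$I_VPN" -j ACCEPT

  # Loopback (127.0.0.1)
  "$IPT" -A INPUT -i lo -j ACCEPT

  # VPN: forward from the tunnel; the VPN client is masqueraded towards the LAN
  # and one LAN host is masqueraded towards the tunnel
  "$IPT" -A FORWARD -i "$I_VPN" -j ACCEPT
  "$IPT" -t nat -A POSTROUTING -s 10.8.0.2 -o "$I_LAN" -j MASQUERADE
  "$IPT" -t nat -A POSTROUTING -s 10.1.1.30 -o "$I_VPN" -j MASQUERADE

  # SIP signalling (5080) and voice media (10000-20000), TCP and UDP, from four
  # /8 source ranges. Same rules as before, generated in the same order.
  for dport in 5080 10000:20000; do
    for net in 187.0.0.0/255.0.0.0 189.0.0.0/255.0.0.0 200.0.0.0/255.0.0.0 201.0.0.0/255.0.0.0; do
      for proto in tcp udp; do
        "$IPT" -A INPUT -p "$proto" -m "$proto" --dport "$dport" -s "$net" -j ACCEPT
      done
    done
  done

  # Inbound services, open to any source on any interface (both uplinks included).
  # NOTE(review): 22, 161 (SNMP) and the other management-type ports are reachable
  # from the whole internet here; consider limiting them with -s or -i.
  for port in 22 142 80 81 2223 5038 34684 161; do
    "$IPT" -A INPUT -p tcp --dport "$port" -j ACCEPT
  done
  for port in 161 1194; do
    "$IPT" -A INPUT -p udp --dport "$port" -j ACCEPT
  done

  ##### Policy-routing marks: browsing is meant to leave via the ADSL link
  ##### (mark 2), everything else via the dedicated link (mark 1). The ip rule /
  ##### routing tables that consume these marks are not part of this script.

  # Out via ADSL (mark 2)
  "$IPT" -t mangle -A PREROUTING -i "$I_LAN" -p tcp --dport 3389 -j MARK --set-mark 2
  "$IPT" -t mangle -A PREROUTING -i "$I_LAN" -p tcp --dport 80 -j MARK --set-mark 2
  # The two port-range rules cover every port, so the 3389/80 rules above are redundant
  "$IPT" -t mangle -A PREROUTING -i "$I_LAN" -p tcp --dport 0:65535 -j MARK --set-mark 2
  "$IPT" -t mangle -A PREROUTING -i "$I_LAN" -p udp --dport 0:65535 -j MARK --set-mark 2
  "$IPT" -t mangle -A PREROUTING -i "$I_LAN" -p tcp --dst 192.168.1.1 -j MARK --set-mark 2
  # NOTE(review): marks *all* TCP coming in from the tunnel, including traffic
  # for the 10.1.1.0 LAN. If mark 2 selects the ADSL routing table, VPN->LAN
  # packets are routed towards the wrong uplink, which matches the symptom
  # described in the paste; `! -d 10.0.0.0/8` on this rule would exempt LAN
  # destinations -- TODO confirm against the ip rule setup.
  "$IPT" -t mangle -A PREROUTING -i "$I_VPN" -p tcp --dport 0:65535 -j MARK --set-mark 2

  # Out via the dedicated link (mark 1). MARK is non-terminating and overwrites
  # the mark, so these later rules win over the catch-all mark-2 rules above.
  "$IPT" -t mangle -A PREROUTING -i "$I_LAN" -p tcp --dport 22 -j MARK --set-mark 1
  "$IPT" -t mangle -A PREROUTING -i "$I_LAN" -p tcp --dport 142 -j MARK --set-mark 1

  "$IPT" -t mangle -A PREROUTING -i "$I_VPN" -p tcp --dport 22 -j MARK --set-mark 1
  "$IPT" -t mangle -A PREROUTING -i "$I_VPN" -p tcp --dport 142 -j MARK --set-mark 1

  "$IPT" -t mangle -A PREROUTING -i "$I_LAN" -p tcp --dst 187.53.232.107 -j MARK --set-mark 1
  "$IPT" -t mangle -A PREROUTING -i "$I_LAN" -p tcp --dst 177.19.183.166 -j MARK --set-mark 1 # SanMartin web server
  "$IPT" -t mangle -A PREROUTING -i "$I_LAN" -p tcp --dport 6666 -j MARK --set-mark 1 # IRC
  "$IPT" -t mangle -A PREROUTING -i "$I_LAN" -p tcp --dport 6667 -j MARK --set-mark 1 # IRC
  "$IPT" -t mangle -A PREROUTING -i "$I_LAN" -p tcp --dport 6665 -j MARK --set-mark 1 # IRC
  "$IPT" -t mangle -A PREROUTING -i "$I_LAN" -p tcp --dst 187.52.9.22 -j MARK --set-mark 1 # Abosco
  "$IPT" -t mangle -A PREROUTING -i "$I_VPN" -p tcp --dst 187.52.9.22 -j MARK --set-mark 1 # Abosco

  "$IPT" -t mangle -A PREROUTING -i "$I_LAN" -p tcp --dst 177.40.146.4 -j MARK --set-mark 1 # DAGMOLLER
  "$IPT" -t mangle -A PREROUTING -i "$I_LAN" -p tcp --dst 177.67.230.29 -j MARK --set-mark 1 # Saojoao CD
  "$IPT" -t mangle -A PREROUTING -i "$I_VPN" -p tcp --dst 177.67.230.29 -j MARK --set-mark 1 # Saojoao CD

  "$IPT" -t mangle -A PREROUTING -i "$I_LAN" -p tcp --dst 200.240.249.10 -j MARK --set-mark 1
  "$IPT" -t mangle -A PREROUTING -i "$I_VPN" -p tcp --dst 200.240.249.10 -j MARK --set-mark 1

  # NOTE(review): matches echo requests from any interface, including the VPN
  # client pinging 10.1.1.x -- see the note on the tunnel mark-2 rule above.
  "$IPT" -t mangle -A PREROUTING -p icmp --icmp-type echo-request -j MARK --set-mark 1

  # Local network: TCP/UDP from 10/8, but only when it actually arrives on the
  # LAN interface. The original rules had no -i, so 10.x sources spoofed on
  # either uplink (rp_filter is disabled above) would have matched as well. The
  # VPN client range on the tunnel is already covered by the tun0 rule above.
  "$IPT" -A INPUT -i "$I_LAN" -p tcp -s 10.0.0.0/255.0.0.0 -j ACCEPT
  "$IPT" -A INPUT -i "$I_LAN" -p udp -s 10.0.0.0/255.0.0.0 -j ACCEPT

  # Individual remote hosts allowed to send UDP
  "$IPT" -A INPUT -p udp -s 187.17.166.162 -j ACCEPT
  "$IPT" -A INPUT -p udp -s 189.29.54.144 -j ACCEPT
  "$IPT" -A INPUT -p udp -s 177.35.100.170 -j ACCEPT
  "$IPT" -A INPUT -p udp -s 187.5.250.107 -j ACCEPT

  # Packets belonging to already established / related connections
  "$IPT" -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
  "$IPT" -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
  "$IPT" -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

  # Ping
  "$IPT" -A INPUT -p icmp --icmp-type echo-request -j ACCEPT

  # Published services: DNAT from the public address, replies marked 1
  # Backup server
  publish_tcp 22 10.1.1.52 22
  # Web server (virtual machine)
  publish_tcp 81 10.1.1.88 80
  # FreeSWITCH server
  publish_tcp 82 10.1.1.78 80
  publish_tcp 2223 10.1.1.78 22
  # Lyrics
  publish_tcp 2220 10.1.1.244 22
  publish_tcp 2221 10.1.1.245 22
  publish_tcp 8080 10.1.1.244 80
  publish_tcp 8081 10.1.1.245 80

  # Torrent (Willian): not bound to the public address, and replies leave via
  # the ADSL mark (2) rather than the dedicated link
  "$IPT" -t nat -A PREROUTING -p tcp --dport 34684 -j DNAT --to 10.1.1.30
  "$IPT" -t mangle -A PREROUTING -p tcp -s 10.1.1.30 --sport 34684 -j MARK --set-mark 2

  echo "Firewall iniciado."
}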
 
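#######################################
# Tear the firewall down: open all default policies, then flush rules, delete
# user chains and zero counters in the filter, nat and mangle tables (the old
# comment said "mangle" only; all three tables are cleared).
# Globals:  IPT (read)
# Outputs:  "Firewall parado." on stdout when done
#######################################
stop() {
  local op table

  # Policies first, so flushing never leaves the box unreachable
  "$IPT" -P INPUT ACCEPT
  "$IPT" -P FORWARD ACCEPT
  "$IPT" -P OUTPUT ACCEPT

  # -F flush rules, -X delete user-defined chains, -Z zero counters; same
  # order as before (operation outer, table inner)
  for op in -F -X -Z; do
    for table in filter nat mangle; do
      "$IPT" "$op" -t "$table"
    done
  done

  echo "Firewall parado."
}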
 
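# Entry point: start | stop | restart. No argument still defaults to start for
# compatibility with existing callers; an unrecognised word now prints usage
# instead of silently (re)building the firewall.
case "$1" in
  'start'|'') start; exit ;;
  'stop') stop; exit ;;
  'restart') stop; start; exit ;;
  *) printf 'Usage: %s {start|stop|restart}\n' "${0##*/}" >&2; exit 2 ;;
esac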