[FUGSPBR] two links....

Luiz Otavio Souza luiz at microeletronica.com.br
Thu Feb 26 13:49:04 BRT 2004


Hello Marcelo,

    Apparently the error is here:

> # nat everything that gets here; should be ok, as local traffic was allowed in the first lines to go direct
> ${fwcmd} add 00700 divert 8868 ip from $lan_ip to any in
> ${fwcmd} add 00750 divert 8868 ip from $lan_ip to any out
> ${fwcmd} add 00900 divert 8869 ip from $lan_ip to any out
> ${fwcmd} add 00950 divert 8869 ip from $lan_ip to any in

    When the packet passes through line 700 and also passes through line 900, it
can be translated twice and always ends up leaving through the natd on port 8869.

    Another thing: you can capture the packets with just one line (you already
captured the return traffic in lines 400 and 450 of your script). The packets are
translated to the interface IP (alias address) on the way out of the interface (out
via if).

    Normally the default route sends all packets to the interface where the
gateway is.

    You would need two lines, more or less like this:

${fwcmd} add 00700 divert 8868 ip from $lan_ip to any out via ${gateway_if}
${fwcmd} add 00800 skipto 2000
${fwcmd} add 00900 divert 8869 ip from $lan_ip to any out via ${gateway_if}


    Any questions, get in touch.

[]'s
___________________________________
Luiz Otávio Souza
Microeletrônica - OpenSource Development
luiz at microeletronica.com.br
14.9111.1255
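
The rules Luiz suggests above, walked by a small first-match tracer. This is an added example written for this archived thread, not code from either poster. It models the ipfw semantics the replies rely on: the first matching rule wins, `skipto` jumps forward to the first rule numbered at or above its target, `prob` gates a match with a random roll, a `divert` hands the packet to natd, which rewrites the source to its alias address and re-injects the packet at the following rule, and `fwd`/`allow` end the walk. The natd behaviour is a simplification assumed for the example, the addresses are constructed (TEST-NET ranges stand in for the masked 200.164.x.x), and `GATEWAY_IF`, `NATD`, `RULES`, `trace` and `check_split` are names introduced here. The check a practitioner wants is the one the thread is about: every outbound LAN packet must be translated by exactly one natd and must reach the `fwd` rule belonging to the ISP that translated it, with roughly 38% of packets going to ISP 1.

```python
"""First-match tracer for a two-natd ipfw ruleset (added example, not list code)."""
import ipaddress
import random

# Constructed addresses: the list post masks the real ones as 200.164.x.x.
LAN_NET = "172.18.1.0/24"
NET_IP_LOCAL = "203.0.113.10"    # address on ed0 (ISP 1), constructed
TUN_IP_LOCAL = "198.51.100.10"   # address on the tun interface (ISP 2), constructed
ROUTE_NET_IP = "203.0.113.1"     # ISP 1 gateway, constructed
ROUTE_TUN_IP = "198.51.100.1"    # ISP 2 gateway, constructed
GATEWAY_IF = "ed0"               # interface holding the default route (assumed)

# One natd instance per divert port -> the alias address `natd -interface` would use.
NATD = {8868: NET_IP_LOCAL, 8869: TUN_IP_LOCAL}

# (number, action, argument, match criteria). A missing "prob" means 1.0, as in ipfw.
RULES = [
    (600, "skipto", 700, {"src": LAN_NET, "dir": "out", "prob": 0.38}),
    (650, "skipto", 900, {"src": LAN_NET, "dir": "out"}),
    (700, "divert", 8868, {"src": LAN_NET, "dir": "out", "via": GATEWAY_IF}),
    (800, "skipto", 2000, {}),
    (900, "divert", 8869, {"src": LAN_NET, "dir": "out", "via": GATEWAY_IF}),
    (2000, "fwd", ROUTE_NET_IP, {"src": NET_IP_LOCAL}),
    (2500, "fwd", ROUTE_TUN_IP, {"src": TUN_IP_LOCAL}),
    (65000, "allow", None, {}),
]


def matches(match, pkt, roll):
    """True when the packet meets every criterion of the rule and wins the prob roll."""
    if "src" in match and ipaddress.ip_address(pkt["src"]) not in ipaddress.ip_network(match["src"]):
        return False
    if "dir" in match and match["dir"] != pkt["dir"]:
        return False
    if "via" in match and match["via"] != pkt["via"]:
        return False
    return roll() < match.get("prob", 1.0)


def trace(rules, pkt, roll):
    """Walk the ruleset for one packet and report which natd(s) and final action it hit."""
    pkt = dict(pkt)
    diverts = []
    i = 0
    while i < len(rules):
        num, action, arg, match = rules[i]
        if not matches(match, pkt, roll):
            i += 1
            continue
        if action == "skipto":
            # ipfw only allows forward jumps: land on the first rule numbered >= target
            i = next((j for j, r in enumerate(rules) if r[0] >= arg), len(rules))
        elif action == "divert":
            diverts.append(arg)
            pkt["src"] = NATD[arg]   # simplified natd: source becomes the alias address
            i += 1                   # re-injected packet resumes at the next rule
        else:
            # fwd and allow both accept the packet and end the walk
            return {"diverts": diverts, "action": action, "arg": arg, "src": pkt["src"]}
    return {"diverts": diverts, "action": "deny", "arg": None, "src": pkt["src"]}


def lan_packet(host):
    """An outbound packet from a LAN host leaving through the default-route interface."""
    return {"src": f"172.18.1.{host}", "dir": "out", "via": GATEWAY_IF}


def check_split(n=10000, seed=1):
    """Trace n LAN packets; each must be NAT'd exactly once and routed to the matching ISP."""
    rng = random.Random(seed)
    counts = {ROUTE_NET_IP: 0, ROUTE_TUN_IP: 0}
    for k in range(n):
        res = trace(RULES, lan_packet(k % 200 + 1), rng.random)
        assert len(res["diverts"]) == 1, res          # translated by exactly one natd
        assert res["action"] == "fwd", res             # reached a policy-routing rule
        assert NATD[res["diverts"][0]] == res["src"]   # next hop matches the natd that translated it
        counts[res["arg"]] += 1
    return counts


if __name__ == "__main__":
    print(trace(RULES, lan_packet(10), lambda: 0.0))   # roll below 0.38: ISP 1 path
    print(trace(RULES, lan_packet(10), lambda: 0.5))   # roll above 0.38: ISP 2 path
    print(check_split())                                # roughly 38% / 62% split
```

Passing `lambda: 0.0` or `lambda: 0.5` as the roll forces the `prob` decision, so the two single-packet traces show both paths deterministically; `check_split` uses a seeded generator to show the statistical split and to enforce the one-natd-per-packet invariant over many packets.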

----- Original Message -----
From: "Marcelo Aldi Vera Olate" <mavo at tuxnuts.com.br>
To: <fugspbr at fugspbr.org>
Sent: Thursday, February 26, 2004 9:07 AM
Subject: Re: [FUGSPBR] two links....


> Hello Aprigio,
>
>     In principle the idea is to have link redundancy; the second option is
> interesting as well... I actually did something using natd and ipfw, but
> it didn't work... where can I find documentation, or better still, does
> anyone on the list already have this in practice and could give me a hand....
> the ipfw script follows below....
>
> ----------####-----------
> #!/bin/sh
> #
> # Setup system for firewall service.
> #
> # Suck in the configuration variables.
>
> if [ -r /etc/defaults/rc.conf ]; then
>         . /etc/defaults/rc.conf
>         source_rc_confs
> elif [ -r /etc/rc.conf ]; then
>         . /etc/rc.conf
> fi
>
> ############
> # Set quiet mode if requested
> #
> case ${firewall_quiet} in
> [Yy][Ee][Ss])
>                 fwcmd="/sbin/ipfw -q"
>                 ;;
>         *)
>                 fwcmd="/sbin/ipfw"
>                 ;;
> esac
>
> natcmd="/sbin/natd"
>
> ############
> #
> # Local Variables
>
> net_iface="ed0"
> lan_iface="rl0"
> tun_iface=`ifconfig | grep tun | cut -d: -f1`
> loc_iface="lo0"
>
> lan_ip="172.18.1.0/24"
> net_ip="200.164.x.x/24"
> tun_ip=""
> loc_ip="127.0.0.0/8"
>
> lan_ip_local="172.18.1.254"
> net_ip_local="200.164.x.x"
> tun_ip_local=`ifconfig $tun_iface | grep inet | awk '{print $2}'`
> loc_ip_local="127.0.0.1"
>
> route_net_ip="200.164.x.x"
> route_tun_ip=`ifconfig $tun_iface | grep inet | awk '{print $4}'`
>
>
> ############
> # Flush out the list before we begin.
> #
> ${fwcmd} -f flush
>
> ############
> #
> #
>
> ############
> # start natd
> #
> ${natcmd} -p 8868 -dynamic -interface $net_iface
> ${natcmd} -p 8869 -dynamic -interface $tun_iface
>
> ############
> # Only in rare cases do you want to change these rules
> #
>
> # allow local traffic
> ${fwcmd} add 00100 allow ip from $lan_ip to $lan_ip
> ${fwcmd} add 00125 allow ip from 127.0.0.0/24 to $lan_ip
> ${fwcmd} add 00130 allow ip from $lan_ip to 127.0.0.0/24
>
> ${fwcmd} add 00140 allow all from $lan_ip to $net_ip
> ${fwcmd} add 00145 allow all from $net_ip to $lan_ip
>
> ${fwcmd} add 00150 pass all from any to any via lo0
> ${fwcmd} add 00160 deny all from any to 127.0.0.0/8
> ${fwcmd} add 00170 deny ip from 127.0.0.0/8 to any
>
> # stop simple incoming attempts from internet
> ${fwcmd} add 00200 deny tcp from any to any setup in via $tun_iface
> ${fwcmd} add 00250 deny tcp from any to any setup in via $net_iface
>
> #send incoming traffic to natd
> ${fwcmd} add 00450 divert 8868 ip from any to any in via $net_iface
> ${fwcmd} add 00400 divert 8869 ip from any to any in via $tun_iface
>
> #if flow is already going via NATD, send it back to same NATD
> ${fwcmd} add 00500 check-state
>
> # send 38% of traffic to isp 1 as 600k = 38% of 1mb + 600k
> ${fwcmd} add 00600 prob 0.380000 skipto 700 ip from $lan_ip to any out keep-state
>
> # remaining 62% of traffic send to isp2
> ${fwcmd} add 00650 skipto 900 ip from $lan_ip to any out keep-state
>
> # nat everything that gets here; should be ok, as local traffic was allowed in the first lines to go direct
> ${fwcmd} add 00700 divert 8868 ip from $lan_ip to any in
> ${fwcmd} add 00750 divert 8868 ip from $lan_ip to any out
> ${fwcmd} add 00900 divert 8869 ip from $lan_ip to any out
> ${fwcmd} add 00950 divert 8869 ip from $lan_ip to any in
>
> #policy route to send traffic to correct isp
> ${fwcmd} add 02000 fwd $route_net_ip ip from $net_ip_local to any
> ${fwcmd} add 02500 fwd $route_tun_ip ip from $tun_ip_local to any
>
> #break out traffic to allow accounting to show me what's going where
> ${fwcmd} add 30000 allow ip from any to $lan_ip
> ${fwcmd} add 30100 allow ip from any to any in via $tun_iface
> ${fwcmd} add 30200 allow ip from any to any in via $net_iface
> ${fwcmd} add 30300 allow ip from any to any out via $tun_iface
> ${fwcmd} add 30400 allow ip from any to any out via $net_iface
>
> ${fwcmd} add 65000 allow ip from any to any
> #${fwcmd} add 65535 deny ip from any to any
>
> ----------####-----------
>
>
> where is the error here... part of this script I got from some colleagues
> on the list, the other part I did myself.....
>
>
> thanks......
>
> []´s
>
>
> Marcelo Olate
>


_______________________________________________________________
Leave the list: http://lists.fugspbr.org/listinfo.cgi
Archive: http://www4.fugspbr.org/lista/html/FUG-BR/


