I would like to simplify our network. We have two internet connections:
a leased line and the Sulinet one. Since the leased line service is
flaky at times, we also need the Sulinet access.
Currently a proxy server is set up towards Sulinet (which forwards the
mail arriving from Sulinet to another server), so if the leased line is
down, it is enough to enter the proxy's address in the browser and
there is internet right away. Our local network sits behind a machine
functioning as firewall and gateway; the proxy server is in front of the firewall.
What I would like to achieve:
The local network, the leased line and Sulinet should all be connected
to the machine acting as firewall.
It would be good if Sulinet kept going through the proxy, and the mail
arriving from Sulinet kept being forwarded to another server.
I am working on the solution, but if you can give me any good ideas, I would welcome them.
Thanks in advance for the help.
Comments
#!/bin/sh
#
# dhclient-exit-hooks: sets up the policy-routing rules, routing tables and
# NAT chains for eth0 and eth1, which are our two WAN ports.
# This file is sourced by dhclient-script, so it must stay POSIX sh
# ([ ] instead of [[ ]]) and must not call exit, or it would terminate
# dhclient-script itself.
#
# Programs
IPTABLES="/sbin/iptables"
IP="/sbin/ip"
# Enable ip_forwarding
echo 1 > /proc/sys/net/ipv4/ip_forward
# Script variables
wan0="eth0"
wan1="eth1"
# Marker files recording the expiration/failure of an interface, so that
# when it is bound/rebound again the NAT rules are rebuilt even if the
# new IP address equals the old one
wan0_file="/var/run/wan0.expired"
wan1_file="/var/run/wan1.expired"
# Sets up the wan0 rules and routes: traffic from 172.20.0.5 is looked up
# in table 100, whose default route points at the gateway(s) learned on wan0
set_wan0 () {
    $IP rule add from 172.20.0.5 lookup 100
    for router in $new_routers; do
        $IP route add default via "$router" dev "$wan0" table 100
    done
}
# Remove the wan0 rules and routes (the rule may already be gone, so
# ignore a failing delete)
unset_wan0 () {
    $IP rule del from 172.20.0.5 lookup 100 2>/dev/null
    $IP route flush table 100
}
# Sets up the wan1 rules and routes (table 101 for 172.20.0.3)
set_wan1 () {
    $IP rule add from 172.20.0.3 lookup 101
    for router in $new_routers; do
        $IP route add default via "$router" dev "$wan1" table 101
    done
}
# Remove the wan1 rules and routes
unset_wan1 () {
    $IP rule del from 172.20.0.3 lookup 101 2>/dev/null
    $IP route flush table 101
}
# Setup the iptables NAT rules for wan0: 1:1 NAT between the public
# address learned on wan0 and the internal host 172.20.0.5
iptable_wan0 () {
    $IPTABLES -t nat -A wan0_dnat -d "$new_ip_address" -j DNAT --to-destination 172.20.0.5
    $IPTABLES -t nat -A wan0_snat -s 172.20.0.5 -j SNAT --to-source "$new_ip_address"
}
# Setup the iptables NAT rules for wan1 (public address of wan1 <-> 172.20.0.3)
iptable_wan1 () {
    $IPTABLES -t nat -A wan1_dnat -d "$new_ip_address" -j DNAT --to-destination 172.20.0.3
    $IPTABLES -t nat -A wan1_snat -s 172.20.0.3 -j SNAT --to-source "$new_ip_address"
}
##################################################################################################
#
# Below this section nothing should need to be changed as long as the basic logic
# stays the same in the variables/functions above
#
##################################################################################################
# Create the individual wan0 & wan1 chains and hook them into the NAT table
setup_NAT () {
    $IPTABLES -t nat -N wan0_dnat
    $IPTABLES -t nat -N wan0_snat
    $IPTABLES -t nat -N wan1_dnat
    $IPTABLES -t nat -N wan1_snat
    $IPTABLES -t nat -A PREROUTING -j wan0_dnat
    $IPTABLES -t nat -A POSTROUTING -j wan0_snat
    $IPTABLES -t nat -A PREROUTING -j wan1_dnat
    $IPTABLES -t nat -A POSTROUTING -j wan1_snat
}
# Flushes the NAT chains of the interface being handled
flush_NAT () {
    # First make sure the per-WAN NAT chains actually exist; if not,
    # create them and return
    if $IPTABLES -t nat -n -L wan1_snat >/dev/null 2>&1; then
        # The NAT chains were found, so find out which interface
        # is being flushed and flush its chains
        if [ "$interface" = "$wan0" ]; then
            $IPTABLES -t nat -F wan0_dnat
            $IPTABLES -t nat -F wan0_snat
        elif [ "$interface" = "$wan1" ]; then
            $IPTABLES -t nat -F wan1_dnat
            $IPTABLES -t nat -F wan1_snat
        fi
    else
        # The NAT chains were not found, so create them
        setup_NAT
    fi
}
# Flushes the routing table and policy rule of the interface being handled
flush_routing () {
    # find out which interface to flush
    if [ "$interface" = "$wan0" ]; then
        unset_wan0
    elif [ "$interface" = "$wan1" ]; then
        unset_wan1
    fi
    $IP route flush cache
}
# Sets up the NAT rules
set_NAT () {
    # Determine whether the NAT rules need to be flushed and updated:
    # either the address changed, or the interface was previously
    # expired/failed (marker file present)
    if [ "$old_ip_address" != "$new_ip_address" ] || [ -e "$wan0_file" ] || [ -e "$wan1_file" ]; then
        # The old and new IP address differ, or the interface was
        # expired/failed: rebuild the NAT rules
        flush_NAT
        # Find out which interface to set
        if [ "$interface" = "$wan0" ]; then
            iptable_wan0
            $IPTABLES -t nat -A wan0_dnat -j RETURN
            $IPTABLES -t nat -A wan0_snat -j RETURN
            # Remove the expired marker
            rm -f "$wan0_file"
        elif [ "$interface" = "$wan1" ]; then
            iptable_wan1
            $IPTABLES -t nat -A wan1_dnat -j RETURN
            $IPTABLES -t nat -A wan1_snat -j RETURN
            # Remove the expired marker
            rm -f "$wan1_file"
        fi
    fi
    #if [ "$old_routers" != "$new_routers" ]; then
    #    # The old and new routers do not match, so update the
    #    # nat table
    #fi
}
# Sets up the routing table and policy rule
set_routing () {
    # Determine which interface needs its table set
    if [ "$interface" = "$wan0" ]; then
        set_wan0
    elif [ "$interface" = "$wan1" ]; then
        set_wan1
    fi
    $IP route flush cache
}
# This block determines which $reason code dhclient-script passed to us
case "$reason" in
    # MEDIUM - Ignore, linux does not do medium (media). No exit here:
    # this file is sourced, so exit would end dhclient-script itself.
    "MEDIUM" )
        :
        ;;
    # PREINIT - Initializes interface for action
    "PREINIT" )
        # Touch the marker file for the (not yet bound) interface
        if [ "$interface" = "$wan0" ]; then
            touch "$wan0_file"
        elif [ "$interface" = "$wan1" ]; then
            touch "$wan1_file"
        fi
        ;;
    # BOUND - Flushes and resets the routing tables, then finds out
    # whether the IP address of the interface has changed and updates
    # the NAT rules if needed
    # RENEW - Same as BOUND
    # REBIND - Same as BOUND
    # REBOOT - Same as BOUND
    "BOUND" | "RENEW" | "REBIND" | "REBOOT" )
        set_NAT
        flush_routing
        set_routing
        ;;
    # EXPIRE - No IP address on interface, flush NAT & routing
    # FAIL - Same as EXPIRE
    "EXPIRE" | "FAIL" )
        flush_NAT
        flush_routing
        # Touch the marker file for the expired interface
        if [ "$interface" = "$wan0" ]; then
            touch "$wan0_file"
        elif [ "$interface" = "$wan1" ]; then
            touch "$wan1_file"
        fi
        ;;
    # TIMEOUT - If the exit value is 0 the old lease is still usable, so NAT &
    # routing need to be set up/fixed; otherwise (exit value 1) flush NAT &
    # routing like EXPIRE/FAIL
    "TIMEOUT" )
        # Determine the exit value (treat a missing value as failure)
        if [ "${exit_status:-1}" -eq 0 ]; then
            set_NAT
            flush_routing
            set_routing
        else
            flush_NAT
            flush_routing
        fi
        ;;
esac
Basically this script makes a few assumptions: you have dual WAN, both WANs use DHCP to get their IP address, and the DHCP client is "dhclient".
Anyway, how to use it: you copy the script and paste it into a file named "dhclient-exit-hooks", which is a file that dhclient-script will call every time it finishes a step, aka PREINIT, BIND, EXPIRE, TIMEOUT, etc...
Anyway, it depends on your distro where you place the script; for OpenBSD it would probably go into "/etc", then for Gentoo it would go into "/etc/dhcp", and it just depends.
This script takes care of removing and setting up the routing table and NAT rules for both WANs, and on how to configure it, below is a list of the various functions that may need to be changed to adapt it to your own needs...
* set_wan0 - This routine sets up the routing table for wan0
* unset_wan0 - This routine removes/clears up the routing table for wan0
* set_wan1 - This routine sets up the routing table for wan1
* unset_wan1 - This routine removes/clears the routing table for wan1
* iptable_wan0 - This routine sets up the NAT for iptables for wan0
* iptable_wan1 - This routine sets up the NAT for iptables for wan1
Then the two parameters at the top of the script would be: wan0="eth0" & wan1="eth1"; these are your wan0 and wan1 interfaces.
I hope this clears it up enough so it's useful for someone
---------------
Unfortunately I no longer remember where I found it. Maybe it will be useful. I haven't had time yet to properly adapt and test it.
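The hook above repeats the same routing and NAT logic once per WAN (set_wan0/set_wan1, iptable_wan0/iptable_wan1). As an added example, not part of the thread or of the script's author's code, the following collapses both pairs into one table-driven pair of functions; the WAN_TABLE rows, the chain names dnat_NNN/snat_NNN, the gateway and public addresses, and the DRY_RUN switch (which prints the ip/iptables commands instead of running them, so the logic can be checked without root) are all this example's own assumptions. Deleting the policy rule before re-adding it keeps repeated BOUND/RENEW events from stacking duplicate rules, which the original relies on flush_routing to avoid.

```shell
#!/bin/sh
# Added example: one parameterised body for both WANs of the dhclient hook.
# Each constructed WAN_TABLE row is "ifname routing-table lan-host"; the
# table number also serves as the suffix of that WAN's NAT chains.
WAN_TABLE="eth0 100 172.20.0.5
eth1 101 172.20.0.3"
# DRY_RUN=1 (default here) prints commands; set DRY_RUN=0 to execute them.
DRY_RUN="${DRY_RUN:-1}"

run() {
    if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# wan_field IFACE N: column N of the WAN_TABLE row for IFACE (empty if unknown)
wan_field() {
    printf '%s\n' "$WAN_TABLE" | awk -v i="$1" -v n="$2" '$1 == i { print $n }'
}

# set_wan_routes IFACE GATEWAY...: replies from the LAN host leave via the
# gateway(s) learned on that WAN (the dhclient $new_routers list).
# Delete-then-add keeps the rule set idempotent across BOUND/RENEW events.
set_wan_routes() {
    iface=$1; shift
    table=$(wan_field "$iface" 2); host=$(wan_field "$iface" 3)
    [ -n "$table" ] || { echo "unknown WAN interface: $iface" >&2; return 1; }
    run ip rule del from "$host" lookup "$table" 2>/dev/null || true
    run ip route flush table "$table"
    run ip rule add from "$host" lookup "$table"
    for gw in "$@"; do
        run ip route add default via "$gw" dev "$iface" table "$table"
    done
}

# set_wan_nat IFACE PUBLIC_IP: 1:1 NAT between the WAN's public address and
# the LAN host, in per-WAN chains so one WAN can be flushed without the other.
set_wan_nat() {
    iface=$1; public=$2
    table=$(wan_field "$iface" 2); host=$(wan_field "$iface" 3)
    [ -n "$table" ] || { echo "unknown WAN interface: $iface" >&2; return 1; }
    run iptables -t nat -F "dnat_$table"
    run iptables -t nat -F "snat_$table"
    run iptables -t nat -A "dnat_$table" -d "$public" -j DNAT --to-destination "$host"
    run iptables -t nat -A "snat_$table" -s "$host" -j SNAT --to-source "$public"
}
```

In a real hook the call site would be `set_wan_routes "$interface" $new_routers` and `set_wan_nat "$interface" "$new_ip_address"` inside the BOUND/RENEW/REBIND/REBOOT branch, with DRY_RUN=0.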
thanks! I'll try it as soon as both of our connections are up, right now one of them has just died....
I'll adapt it to suit my needs and will report what the end result was.