[FUGSPBR] Source routing & load balance no OpenBSD 3.6
Éderson Chimbida
ederson em bludata.com.br
Qui Nov 11 09:00:05 BRST 2004
Hi Folks !
Aí vai um script PF, é um "link merge". Esse script foi usado para rodar um
provedor em uma cidadezinha aqui de SC: são 3 links ADSL de 1Mb, tornando-se
um de "3Mb". Basta adaptar ao seu ambiente. PF é uma maravilha!
# Link load-balancing configuration
# Macro definitions. Every rule below refers to these as $name, so keep the
# names stable if interfaces are renamed.
###############INICIO###########################
# Interfaces: the LAN side, the three 1 Mb ADSL uplinks (tun0-tun2) that are
# balanced, and the link carrying the provider's static public block.
int_if   = "xl1"
ext_if1  = "tun0"
ext_if2  = "tun1"
ext_if3  = "tun2"
prov_if  = "xl0"
# Next hop on each uplink, plus this gateway's own public address.
# The 200.X.X.* values were redacted for the list post and will not parse
# until replaced with real addresses.
ext_gw1  = "10.0.0.1"
ext_gw2  = "10.0.0.2"
ext_gw3  = "10.0.0.3"
prov_gw  = "200.X.X.1"
my_ip    = "200.X.X.9"
# Address ranges: the whole private LAN and the provider's public /25.
lan_net  = "192.168.0.0/16"
prov_net = "200.180.124.0/25"
# Bank networks whose HTTP traffic is forced through the proxy (see the rdr
# rule further down).
bancos_ip = "{ 170.66.0.0/16, 200.173.18.0/24, 200.152.233.0/24, 200.219.136.0/24, 200.174.17.0/24, 200.246.208.0/24, 200.248.254.0/24 }"
# tun3-tun20: additional tunnel interfaces (their role is not stated in the
# post) whose traffic, together with the LAN interface, is routed and
# balanced by this box. routed_ifs reuses $int_if instead of repeating "xl1".
tuns_ifs   = "{ tun3, tun4, tun5, tun6, tun7, tun8, tun9, tun10, tun11, tun12, tun13, tun14, tun15, tun16, tun17, tun18, tun19, tun20 }"
routed_ifs = "{ " $int_if ", tun3, tun4, tun5, tun6, tun7, tun8, tun9, tun10, tun11, tun12, tun13, tun14, tun15, tun16, tun17, tun18, tun19, tun20 }"
###############FIM##############################
# Options that make pf "more aggressive" about expiring state (details in
# pf.conf(5)).
###############INICIO###########################
# Per-state timeouts in seconds. tcp.established is a full day, well above
# what the `aggressive` optimization preset would choose on its own; check the
# values actually installed with `pfctl -s timeouts`, since `set optimization`
# below also carries a timeout preset.
set timeout tcp.first 60
set timeout tcp.opening 15
set timeout tcp.established 86400
set timeout tcp.closing 300
set timeout tcp.finwait 15
set timeout tcp.closed 15
set timeout udp.first 30
set timeout udp.single 15
set timeout udp.multiple 30
set timeout icmp.first 10
set timeout icmp.error 5
set timeout other.first 30
set timeout other.single 15
set timeout other.multiple 30
set timeout frag 30
set timeout interval 10
# Hard limits on the state table and the fragment cache. The fragment cache
# is only filled by scrub, which is commented out further down, so the frags
# limit is effectively unused as the file stands.
set limit states 50000
set limit frags 25000
set optimization aggressive
###############FIM##############################
# Fragment handling. scrub normalizes traffic and reassembles fragments before
# the filter rules see it. Both rules are disabled here, so the filter, NAT and
# route-to rules operate on fragments as they arrive, and the `frag` timeout
# and `frags` limit set above have nothing to act on.
###############INICIO###########################
#scrub in all fragment reassemble
#scrub out all fragment reassemble
###############FIM##############################
# Traffic-shaping queues (ALTQ/CBQ on the LAN interface). Disabled here, but
# the load-balancing rules further down still carry `queue http`, `queue mail`
# and `queue other`.
# NOTE(review): pfctl normally refuses to load a rule that names a queue which
# has not been defined, so either re-enable these definitions or drop the
# `queue` keywords from those rules — confirm against pfctl's output.
###############INICIO###########################
#altq on xl1 cbq bandwidth 3Mb queue { http, mail, other }
#queue http bandwidth 30% cbq(borrow red)
#queue mail bandwidth 30% cbq(borrow red)
#queue other bandwidth 40% cbq(default)
###############FIM##############################
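# Transparent HTTP proxy (disabled). The first rule would send all LAN port-80
# traffic to a local proxy on 3128; the second catches clients that address
# the proxy explicitly. The second line had been wrapped by the mail client
# (leaving a bare `port 3128` line that pfctl would reject) and is rejoined
# here so it stays valid if uncommented.
###############INICIO###########################
#rdr on $int_if proto tcp from $lan_net to any port 80 -> 127.0.0.1 port 3128
#rdr on $int_if proto tcp from $lan_net to 200.X.X.2 port 3128 -> 127.0.0.1 port 3128
###############FIM##############################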
# FTP through NAT (disabled): redirect LAN FTP control connections to a local
# ftp-proxy listening on 8021, which must also be enabled in inetd.conf.
###############INICIO###########################
#rdr on $int_if proto tcp from $lan_net to any port 21 -> 127.0.0.1 port 8021
###############FIM##############################
# NAT. LAN traffic is translated to the address of whichever uplink it leaves
# on; the gateway's own address ($my_ip) is translated on the three ADSL
# uplinks only, never on the provider link. nat is first-match and each rule
# is bound to one interface, so the order between interfaces is irrelevant
# and the two source sets per uplink can be written as one list.
###############INICIO###########################
nat on $ext_if1 from { $lan_net, $my_ip } to any -> ($ext_if1)
nat on $ext_if2 from { $lan_net, $my_ip } to any -> ($ext_if2)
nat on $ext_if3 from { $lan_net, $my_ip } to any -> ($ext_if3)
nat on $prov_if from $lan_net to any -> ($prov_if)
###############FIM##############################
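####### BANK SITES: force HTTP through the proxy ##############
# HTTP from the LAN to the bank networks in $bancos_ip is redirected to the
# proxy at 200.X.X.2:3128 (redacted address). rdr runs before filtering, so
# the pass/block rules below see the translated destination. Only port 80 is
# covered; HTTPS (443) to the same networks is load-balanced like any other
# TCP. The original line had been wrapped by the mail client (a bare
# `port 3128` line) and is rejoined here.
rdr on $int_if proto tcp from $lan_net to $bancos_ip port 80 -> 200.X.X.2 port 3128
###############################################################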
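# Per-host and per-network blocks on the LAN side. Written against $int_if
# instead of the literal "xl1" so the interface is named in one place; the
# two port lists that the mail client had split across lines are rejoined.
# None of these rules `log`; add it for pflog visibility of blocked abuse.
# Most entries block TCP only, so UDP/ICMP from or to these hosts still
# passes — NOTE(review): confirm that is intended.
# IRC (6660-6669, 7000-7003) blocked for one subnet and one host. The second
# list lacks 7003 exactly as in the original.
block in quick on $int_if proto tcp from 192.168.124.0/24 to any port { 6660, 6661, 6662, 6663, 6664, 6665, 6666, 6667, 6668, 6669, 7000, 7001, 7002, 7003 }
block in quick on $int_if proto tcp from 192.168.2.6 to any port { 6660, 6661, 6662, 6663, 6664, 6665, 6666, 6667, 6668, 6669, 7000, 7001, 7002 }
# Whole-network and single-host TCP cut-offs.
block in quick on $int_if proto tcp from 192.168.15.0/24 to any
block in quick on $int_if proto tcp from 192.168.3.17 to any
block in quick on $int_if proto tcp from any to 192.168.1.72
#block in quick on $int_if proto tcp from any to 200.180.124.2 port 3128
# TCP/1214 (commonly FastTrack/Kazaa file sharing) is blocked LAN-wide.
block in quick on $int_if proto tcp from any to any port 1214
block in quick on $int_if proto tcp from 192.168.1.246 to any
block in quick on $int_if proto tcp from any to 192.168.2.34
block in quick on $int_if proto tcp from any to 192.168.2.100
block in quick on $int_if proto udp from any to 192.168.2.34
# Two external hosts cut off in both directions as seen on the LAN interface
# (TCP only).
block in quick on $int_if proto tcp from 200.82.53.211 to any
block in quick on $int_if proto tcp from any to 200.82.53.211
block in quick on $int_if proto tcp from 200.207.200.26 to any
block in quick on $int_if proto tcp from any to 200.207.200.26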
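# Rules that pass internal traffic (and, when ALTQ is enabled, assign queues).
# The queue-assigning variants are disabled; the mail client had wrapped them
# so that `http` / `mail` sat alone on following lines, which pfctl would
# reject — they are rejoined here so they stay valid if uncommented.
###############INICIO###########################
#pass in on xl1 inet proto tcp from $lan_net to any port 80 keep state queue http
#pass in on xl1 inet proto tcp from $lan_net to any port 443 keep state queue http
#pass in on xl1 inet proto tcp from $lan_net to any port 25 keep state queue mail
#pass in on xl1 inet proto tcp from $lan_net to any port 110 keep state queue mail
#pass in on xl1 inet proto tcp from $lan_net to any port 143 keep state queue mail
# NOTE(review): the twelve rules below carry no `on` clause, so they match on
# every interface — including the uplinks tun0-tun2 and xl0 — and create no
# state. On the uplinks they admit any packet whose source or destination is
# one of these three /24s, with no connection tracking. An
# `antispoof for $int_if` plus limiting these rules to the interfaces that
# actually carry 192.168.1-3.0/24 would close that; confirm which interfaces
# those are (the tunnels in $routed_ifs may be among them) before changing.
pass in from 192.168.1.0/24 to any
pass in from any to 192.168.1.0/24
pass in from 192.168.2.0/24 to any
pass in from 192.168.3.0/24 to any
pass in from any to 192.168.2.0/24
pass in from any to 192.168.3.0/24
pass out from 192.168.1.0/24 to any
pass out from any to 192.168.1.0/24
pass out from 192.168.2.0/24 to any
pass out from 192.168.3.0/24 to any
pass out from any to 192.168.2.0/24
pass out from any to 192.168.3.0/24
# NOTE(review): `deny` is not a pf keyword (pf uses `block`), and with these
# two lines commented out the ruleset has no default-deny at all: pf passes
# any packet that matches no rule. A default policy would be
# `block in log all` / `block out log all` placed *before* the pass rules
# (pf is last-match), after auditing which inbound traffic to $prov_net must
# then be passed explicitly.
#deny in from any to any
#deny out from any to any
# Stateless pass toward the LAN, and a quick pass for LAN hosts talking to
# the gateway's LAN address itself.
pass out on $int_if from any to $lan_net
pass in quick on $int_if from $lan_net to $int_if
###############FIM##############################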
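# Further LAN-side blocks, written against $int_if (= xl1) for consistency
# with the macro block. Retired entries are kept commented.
#block in quick on $int_if proto tcp from 192.168.1.81 to any
#block in quick on $int_if proto tcp from any to 192.168.1.81
#block in quick on $int_if proto tcp from any to 192.168.1.165
# NOTE(review): unlike the external hosts blocked earlier, 200.199.201.81 is
# blocked only as a source; LAN connections *to* it are still allowed —
# confirm that asymmetry is intended.
block in quick on $int_if proto tcp from 200.199.201.81 to any
block in quick on $int_if proto tcp from 192.168.1.98 to any
block in quick on $int_if proto tcp from any to 192.168.1.98
# Windows networking: MS-RPC endpoint mapper (135) and NetBIOS (137-139) are
# blocked as source and destination port for TCP and UDP (136 is kept from the
# original list). SMB over TCP/445 is not covered here — add it if the intent
# is to stop all Windows file sharing from leaving the LAN.
block in quick on $int_if proto tcp from any to any port { 135, 136, 137, 138, 139 }
block in quick on $int_if proto udp from any to any port { 135, 136, 137, 138, 139 }
block in quick on $int_if proto tcp from any port { 135, 136, 137, 138, 139 } to any
block in quick on $int_if proto udp from any port { 135, 136, 137, 138, 139 } to any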
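# Pin specific routed TCP ports to the provider link instead of balancing
# them. `quick` makes this rule win over the round-robin rules below. The
# ports are session-oriented protocols (telnet 23, VNC 5900, IRC 6660-6667,
# 6669, 7000, 7001, plus 4000, 7777 and 8002) — presumably the ones that
# break when a connection's packets leave with different source addresses.
# The rule creates no state, so every packet is re-evaluated; with a single
# route-to target the outcome is the same each time, and replies are expected
# to be admitted by the stateful `pass out on $prov_if` rules further down.
# The original rule had been wrapped across three lines by the mail client,
# which pfctl would reject; it is rejoined here.
###############INICIO###########################
pass in quick on $routed_ifs route-to ($prov_if $prov_gw) proto tcp from $lan_net to any port { 23, 4000, 5900, 6660, 6661, 6662, 6663, 6664, 6665, 6666, 6667, 6669, 7000, 7001, 7777, 8002 }
###############FIM##############################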
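# Load balancing of the proxy's own outbound HTTP/HTTPS (source $my_ip):
# new connections are spread across the three ADSL uplinks.
# FIX: the original rules kept no state. With route-to, pf consults the
# round-robin pool for every packet that has no state entry, so successive
# packets of one connection could leave on different uplinks — and, because
# NAT differs per uplink, with different source addresses. `flags S/SA
# modulate state` pins each connection to the uplink chosen for its SYN,
# matching the routed-traffic rules below. (Lines rejoined after
# mail-client wrapping.)
###############INICIO###########################
pass out quick route-to { ($ext_if1 $ext_gw1), ($ext_if2 $ext_gw2), ($ext_if3 $ext_gw3) } round-robin proto tcp from $my_ip to !$prov_net port 80 flags S/SA modulate state
pass out quick route-to { ($ext_if1 $ext_gw1), ($ext_if2 $ext_gw2), ($ext_if3 $ext_gw3) } round-robin proto tcp from $my_ip to !$prov_net port 443 flags S/SA modulate state
#pass out quick route-to { ($ext_if1 $ext_gw1), ($ext_if2 $ext_gw2), ($ext_if3 $ext_gw3) } round-robin proto tcp from $my_ip to !$prov_net port 21 flags S/SA modulate state
###############FIM##############################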
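# Load balancing of routed traffic from the LAN: each new connection arriving
# on a routed interface is pinned by its state entry to one of the three ADSL
# uplinks, round-robin. Traffic to the provider's own block ($prov_net) is
# excluded and follows the routing table.
# FIX: in the original the catch-all TCP rule came *after* the port-specific
# ones. pf is last-match, so the catch-all also won for ports 80/443/25/110
# and the http/mail queue assignments were never applied. The catch-all now
# comes first so the specific rules override it; the route-to pool and state
# options are identical on every rule, so routing is unaffected. The queue
# names still require the ALTQ block above to be enabled. (Lines rejoined
# after mail-client wrapping; same-queue ports merged into lists.)
###############INICIO###########################
pass in on $routed_ifs route-to { ($ext_if1 $ext_gw1), ($ext_if2 $ext_gw2), ($ext_if3 $ext_gw3) } round-robin proto tcp from $lan_net to !$prov_net flags S/SA modulate state queue other
pass in on $routed_ifs route-to { ($ext_if1 $ext_gw1), ($ext_if2 $ext_gw2), ($ext_if3 $ext_gw3) } round-robin proto tcp from $lan_net to !$prov_net port { 80, 443 } flags S/SA modulate state queue http
pass in on $routed_ifs route-to { ($ext_if1 $ext_gw1), ($ext_if2 $ext_gw2), ($ext_if3 $ext_gw3) } round-robin proto tcp from $lan_net to !$prov_net port { 25, 110 } flags S/SA modulate state queue mail
pass in on $routed_ifs route-to { ($ext_if1 $ext_gw1), ($ext_if2 $ext_gw2), ($ext_if3 $ext_gw3) } round-robin proto { udp, icmp } from $lan_net to !$prov_net keep state queue other
###############FIM##############################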
# Stateful pass-out on every uplink. Traffic that was route-to'd or NAT'd is
# filtered on the interface it actually leaves; these rules let it out and
# create the state that admits the replies. They are deliberately wide open
# (any to any) — the restrictions live on the inbound side.
pass out on { $ext_if1, $ext_if2, $ext_if3, $prov_if } proto tcp from any to any flags S/SA modulate state
pass out on { $ext_if1, $ext_if2, $ext_if3, $prov_if } proto { udp, icmp } from any to any keep state
# Reply symmetry: a packet sourced from one uplink's own address that the
# routing table would send out a different interface is pushed back out the
# interface that owns that address, so replies leave on the link the request
# arrived on. Grouped by the interface the packet was first routed to.
pass out on $ext_if1 route-to ($ext_if2 $ext_gw2) from $ext_if2 to any
pass out on $ext_if1 route-to ($ext_if3 $ext_gw3) from $ext_if3 to any
pass out on $ext_if1 route-to ($prov_if $prov_gw) from $prov_if to any
pass out on $ext_if2 route-to ($ext_if1 $ext_gw1) from $ext_if1 to any
pass out on $ext_if2 route-to ($ext_if3 $ext_gw3) from $ext_if3 to any
pass out on $ext_if2 route-to ($prov_if $prov_gw) from $prov_if to any
pass out on $ext_if3 route-to ($ext_if2 $ext_gw2) from $ext_if2 to any
pass out on $ext_if3 route-to ($ext_if1 $ext_gw1) from $ext_if1 to any
pass out on $ext_if3 route-to ($prov_if $prov_gw) from $prov_if to any
pass out on $prov_if route-to ($ext_if2 $ext_gw2) from $ext_if2 to any
pass out on $prov_if route-to ($ext_if1 $ext_gw1) from $ext_if1 to any
pass out on $prov_if route-to ($ext_if3 $ext_gw3) from $ext_if3 to any
--
Éderson H. Chimbida