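#!/bin/bash
# Dual-uplink router setup.
#
#   eth0  -> first uplink (router at 192.168.1.1, this box is 192.168.1.9)
#   ppp0  -> second uplink (address and peer discovered at run time)
#   eth1  -> LAN 192.168.9.0/24 (this box is 192.168.9.1)
#
# Builds policy-routing tables 50/100/101/200/201/250 with the matching
# ip rules, masquerades both uplinks, optionally redirects LAN web ports to
# a local squid, and marks a list of LAN TCP ports (0x8001) so they leave via
# ppp0 (table 101).  Must run as root.
#
# Re-running is safe for the routing part: every table and the script's own
# rule priorities are cleared before they are rebuilt.  The iptables rules
# are appended with -A and are NOT flushed here, so a second run duplicates
# them -- flush filter/nat/mangle first if that matters.
#
# No `set -e` on purpose: flushing a table that does not exist yet and
# modprobe of modules built into the kernel are expected, harmless failures.
set -u

Lan="192.168.9.0/24"
Any="0.0.0.0/0"
E="eth1"                     # LAN-facing interface
eth0_gw="192.168.1.1"        # next hop on the eth0 uplink
eth0_src="192.168.1.9"       # our address on eth0 (static)
proxy_ports="80,5977,9898"   # LAN -> squid (only when squid is running)
ppp_ports="1863,6667,5050,5190,3389,9099,9770,2009,8021"  # forced out via ppp0

# Diagnostics go to stderr.
warn() { printf 'route-setup: %s\n' "$*" >&2; }

#######################################
# First IPv4 address configured on an interface, without the prefix length.
# Arguments: $1 - interface name
# Outputs:   the address on stdout; empty if the interface has none
#######################################
iface_addr() {
  local cidr
  # `ip -o` prints one line per address: "<idx>: <dev>  inet <addr>/<len> ..."
  cidr=$(ip -4 -o addr show dev "$1" 2>/dev/null | awk 'NR==1 {print $4}')
  printf '%s\n' "${cidr%%/*}"
}

ip link set lo up
ip link set eth0 up
ip link set eth1 up
ip link set ppp0 up

# ----- find addresses & gateway
eth0_addr=$(iface_addr eth0)
ppp0_addr=$(iface_addr ppp0)
# The point-to-point peer is the first route on ppp0; it is the next hop
# for everything sent over that link.
ppp0_gw=$(ip -4 route show dev ppp0 2>/dev/null | awk 'NR==1 {print $1}')

# Without an address and peer, every ppp0 route/rule below would be rejected
# by ip(8) anyway; skip them explicitly so the failure is visible.
ppp0_ok=1
if [[ -z "$ppp0_addr" || -z "$ppp0_gw" ]]; then
  warn "ppp0 has no address/peer yet; ppp0 routes and rules are skipped"
  ppp0_ok=0
fi
[[ -n "$eth0_addr" ]] || warn "eth0 has no address; rule 200 is skipped"

# ----- routing tables (rebuilt from scratch)
ip route flush cache
ip route flush table main
for t in 50 100 101 200 201 250; do
  ip route flush table "$t" all > /dev/null
done

# Main table: link routes for both uplinks and the LAN, default via eth0.
(( ppp0_ok )) && ip route add "$ppp0_gw" dev ppp0 proto static src "$ppp0_addr"
ip route add "$eth0_gw" dev eth0 proto static src "$eth0_src"
ip route add "$Lan" dev eth1 proto static src 192.168.9.1
ip route add default via "$eth0_gw" dev eth0

#######################################
# Link routes to both uplink peers in one table (shared by 50/100/101).
# Arguments: $1 - routing table id
#######################################
link_routes() {
  local t=$1
  (( ppp0_ok )) && ip route replace table "$t" "$ppp0_gw" dev ppp0 proto static src "$ppp0_addr"
  ip route replace table "$t" "$eth0_gw" dev eth0 proto static src "$eth0_src"
}

# 50: directly connected networks, consulted first for every packet.
link_routes 50
ip route replace table 50 "$Lan" dev eth1 proto static src 192.168.9.1
# 100 / 101: selected by fwmark 0x8000 / 0x8001, default via eth0 / ppp0.
link_routes 100
ip route replace table 100 default via "$eth0_gw" dev eth0
link_routes 101
(( ppp0_ok )) && ip route replace table 101 default via "$ppp0_gw" dev ppp0
# 200 / 201: traffic sourced from an uplink address must leave on that uplink;
# the prohibit route (metric 1) stops it from falling through to the other one.
ip route replace table 200 default via "$eth0_gw" dev eth0 proto static src "$eth0_src"
ip route replace table 200 prohibit default proto static metric 1
if (( ppp0_ok )); then
  ip route replace table 201 default via "$ppp0_gw" dev ppp0 proto static src "$ppp0_addr"
  ip route replace table 201 prohibit default proto static metric 1
  # 250: everything else is balanced 1:1 over both uplinks.
  ip route replace table 250 default scope global equalize \
    nexthop via "$ppp0_gw" dev ppp0 weight 1 \
    nexthop via "$eth0_gw" dev eth0 weight 1
fi

# ----- rules (drop our own priorities first so a re-run does not stack them)
for p in 50 100 101 200 201 250; do
  while ip rule del prio "$p" 2>/dev/null; do :; done
done
ip rule add from all lookup 50 prio 50
ip rule add from all fwmark 0x8000 lookup 100 prio 100
ip rule add from all fwmark 0x8001 lookup 101 prio 101
[[ -n "$eth0_addr" ]] && ip rule add from "$eth0_addr" lookup 200 prio 200
(( ppp0_ok )) && ip rule add from "$ppp0_addr" lookup 201 prio 201
ip rule add from all lookup 250 prio 250

# ----- netfilter modules (2.6-era names; on newer kernels the nf_conntrack_* /
# nf_nat_* equivalents load on demand and these modprobes simply fail)
for m in ip_nat_ftp ip_tables iptable_nat ipt_conntrack ip_conntrack \
         ip_conntrack_ftp ip_conntrack_irc ip_nat_irc ip_nat_snmp_basic; do
  modprobe "$m"
done

# ----- NAT and filtering
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE
# The LAN side is trusted wholesale.  Note that no chain policy is set here,
# so the uplink side is only as restrictive as the pre-existing policies.
iptables -A FORWARD -i "$E" -j ACCEPT
iptables -A INPUT -i "$E" -j ACCEPT
iptables -A OUTPUT -o "$E" -j ACCEPT
# (the original repeated the INPUT/OUTPUT accepts with an explicit `-t filter`;
#  that is the same table, so the duplicates are dropped)

# ----- kernel knobs
echo "1" > /proc/sys/net/ipv4/ip_forward
# NOTE(review): conf/default/rp_filter only affects interfaces created after
# this point (e.g. a re-dialled ppp0), not eth0/eth1 which are already up;
# strict reverse-path filtering can also drop packets under source-based
# policy routing -- verify with conf/all/rp_filter before tightening.
echo "1" > /proc/sys/net/ipv4/conf/default/rp_filter
echo "1" > /proc/sys/kernel/core_uses_pid
echo "1" > /proc/sys/net/ipv4/ip_dynaddr
echo "1" > /proc/sys/net/ipv4/conf/"$E"/proxy_arp
echo "1" > /proc/sys/net/ipv4/tcp_syncookies

# ----- transparent proxy, only when squid is up
if [ -f /var/run/squid.pid ]; then
  iptables -t nat -A PREROUTING -i "$E" -p tcp -s "$Lan" -d "$Any" \
    -m multiport --destination-port "$proxy_ports" -j REDIRECT --to-port 8080
  iptables -t filter -A INPUT -i "$E" -p tcp -s "$Lan" -d "$Any" \
    -m multiport --destination-port "$proxy_ports" -j ACCEPT
  iptables -t filter -A OUTPUT -o "$E" -p tcp -s "$Lan" -d "$Any" \
    -m multiport --destination-port "$proxy_ports" -j ACCEPT
fi

# ----- connection marking
# Outgoing packets get their connection tagged with the uplink they used.
# NOTE(review): `--restore-mark` in POSTROUTING runs after the routing
# decision, so it cannot influence it; if the goal is to keep later packets of
# a connection on the same uplink, the restore belongs in mangle PREROUTING,
# where the fwmark rules 100/101 above would see it.
iptables -t mangle -A POSTROUTING -o eth0 -j CONNMARK --set-mark 0x8000
iptables -t mangle -A POSTROUTING -o eth0 -j CONNMARK --restore-mark
iptables -t mangle -A POSTROUTING -o ppp0 -j CONNMARK --set-mark 0x8001
iptables -t mangle -A POSTROUTING -o ppp0 -j CONNMARK --restore-mark
#iptables -t mangle -A PREROUTING -i $E -s $Lan -p tcp -d $Any -m multiport --destination-port 80 -j MARK --set-mark 0x8000
# Selected LAN ports are forced out via ppp0 (mark 0x8001 -> table 101).
iptables -t mangle -A PREROUTING -i "$E" -s "$Lan" -p tcp -d "$Any" \
  -m multiport --destination-port "$ppp_ports" -j MARK --set-mark 0x8001
#-
# MSS clamping for the PPP and NAT paths.
for dev in eth0 eth1 ppp0; do
  iptables -t mangle -A FORWARD -o "$dev" -p tcp -m tcp --tcp-flags SYN,RST SYN \
    -m tcpmss --mss 1400:1536 -j TCPMSS --clamp-mss-to-pmtu
done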
ผมทำอะไรผิดไปป่าว