Jump to content

Infraestructura/CCGSM

From Wikimania

/etc/network/interfaces

# This file describes the network interfaces available on your system
# and how to activate them. For more information, see interfaces(5).

# The loopback network interface
auto lo
iface lo inet loopback

## eth0 - IPLAN1
auto eth0
iface eth0 inet static
	address 190.2.21.21
	netmask 255.255.255.252
	network 190.2.21.20
	broadcast 190.2.21.23
	gateway 190.2.21.22

## eth1 - DMZ y Hacklab
#auto eth1
#iface eth1 inet static
#	address 10.1.0.1
#	netmask 255.255.255.0

## eth2 - Enlace con Alvear
auto eth2
iface eth2 inet static
	address 10.2.0.1
	netmask 255.255.0.0

## eth3 - IPLAN2
#auto eth3
#iface eth3 inet static
#	address 200.68.88.17
#	netmask 255.255.255.252
	#gateway 200.68.88.18

# eth3 - DMZ y Hacklab
auto eth3
iface eth3 inet static
	address 10.1.0.1
	netmask 255.255.0.0

# eth1 - IPLAN2
auto eth1
iface eth1 inet static
	address 200.68.88.17
	netmask 255.255.255.252
	#gateway 200.68.88.18

## eth4 - Enlace con Bauen
auto eth4
iface eth4 inet static
	address 10.4.0.1
	netmask 255.255.0.0
	network 10.4.0.0
	broadcast 10.4.0.255

## eth5 - sala-muino sala-madres entrada 
auto eth5
iface eth5 inet static
	address 10.5.0.1
	netmask 255.255.0.0

## eth6 - sala-c sala-d
auto eth6
iface eth6 inet static
	address 10.6.0.1
	netmask 255.255.0.0

## eth8 - redundante 
auto eth7
iface eth7 inet static
	address 10.7.0.1
	netmask 255.255.0.0

## eth8 - Speedy
auto eth8
iface eth8 inet static
	address 200.5.112.242
	netmask 255.255.255.128
	#gateway 200.5.112.241

/etc/dhcp3/dhcpd.conf

# The ddns-updates-style parameter controls whether or not the server will
# attempt to do a DNS update when a lease is confirmed. We default to the
# behavior of the version 2 packages ('none', since DHCP v2 didn't
# have support for DDNS.)
ddns-update-style none;

# option definitions common to all supported networks...
option domain-name "wikimania.bal.org.ar"; # by fefu 20090821
option domain-name-servers ns1, ns2; # by fefu 20090821

default-lease-time 3600;
max-lease-time 7200;

# If this DHCP server is the official DHCP server for the local
# network, the authoritative directive should be uncommented.
authoritative; # by fefu 20090816

# Use this to send dhcp log messages to a different log file (you also
# have to hack syslog.conf to complete the redirection).
log-facility local7;

shared-network ccgsm1.wikimania.bal.org.ar {
	subnet 10.1.0.0 netmask 255.255.0.0 {
	            option routers gwccgsm1;
                range 10.1.1.1 10.1.254.254;
    }
}

shared-network ccgsm5.wikimania.bal.org.ar {
	subnet 10.5.0.0 netmask 255.255.0.0 {
	            option routers gwccgsm5;
                range 10.5.1.1 10.5.254.254;
    }
}

shared-network ccgsm6.wikimania.bal.org.ar {
	subnet 10.6.0.0 netmask 255.255.0.0 {
	            option routers gwccgsm6;
                range 10.6.1.1 10.6.254.254;
    }
}

shared-network ccgsm7.wikimania.bal.org.ar {
	subnet 10.7.0.0 netmask 255.255.0.0 {
	            option routers gwccgsm7;
                range 10.7.1.1 10.7.254.254;
    }
} 

# Enlaces
shared-network ccgsm2.wikimania.bal.org.ar {
    # Para administrar todo desde el ccgsm incluso con el servidor alvear apagado es que ponemos la ruta predeterminada en el ccgsm
    subnet 10.2.0.0 netmask 255.255.0.0 {
            range 10.2.1.1 10.2.254.254;
	        option routers gwccgsm-alvear;
    }

    host ap-ccgsm-alvear { 
	    option routers gwccgsm-alvear;
        hardware ethernet 00:15:6D:BD:9B:9D;
        fixed-address ap-ccgsm-alvear;
    }

    host ap-alvear-ccgsm { # vamos a probar de routear sin option routers
        hardware ethernet 00:15:6D:BD:6F:AE;
        fixed-address ap-alvear-ccgsm;
    }

}

shared-network bauen.wikimania.bal.org.ar {
	option routers gwbahuen1;

	subnet 10.4.0.0 netmask 255.255.0.0 {
                range 10.4.1.1 10.4.254.254;
    }
 
    host ap-bauenpenthouse { 
                hardware ethernet 00:4F:62:09:59:55;
                fixed-address ap-bauenpenthouse;
    }

    host ap-ccgsm-bauen { 
        hardware ethernet 00:15:6D:BE:9C:C8;
        fixed-address ap-ccgsm-bauen;
    }

    host ap-bauen-ccgsm { 
        hardware ethernet 00:15:6D:BE:9C:90;
        fixed-address ap-bauen-ccgsm;
    }

}

# Access Points
host ap-hacklab { 
    hardware ethernet 00:15:6D:D4:FF:69;
    fixed-address ap-hacklab;
    }

host ap-muino { 
    hardware ethernet 00:15:6D:D6:25:2B;
    fixed-address ap-muino;
    }

host ap-madres { 
    hardware ethernet 00:15:6D:D6:23:3B;
    fixed-address ap-madres;
    }

host ap-c { 
    hardware ethernet 00:15:6D:D4:FF:61;
    fixed-address ap-c;
    }

host ap-f { 
    hardware ethernet 00:15:6D:D6:24:7A;
    fixed-address ap-f;
    }

host ap-d { 
    hardware ethernet 00:15:6D:D6:23:1C;
    fixed-address ap-d;
    }

host ap-hall { 
    hardware ethernet 00:15:6D:D6:23:1B;
    fixed-address ap-hall;
    }

host ap-hall2 { 
    hardware ethernet 00:15:6D:D4:FF:8D;
    fixed-address ap-hall2;
    }

host ap-entrada { 
    hardware ethernet 00:15:6D:D6:24:AA;
    fixed-address ap-entrada;
    }

# Video server
host video-muino { 
    hardware ethernet 00:24:21:7a:26:1c; # tute
    fixed-address video-muino;
    }

host video-madres { 
    hardware ethernet 00:24:21:7A:26:EA;
    fixed-address video-madres;
    }

host video-c { 
    hardware ethernet 00:24:21:7a:26:b6;
    fixed-address video-c;
    }

host video-f { 
    hardware ethernet  00:24:21:7a:2b:64;
    fixed-address video-f;
                }

host video-d { 
    hardware ethernet 00:24:21:7a:25:8c;
    fixed-address video-d;
    }

/etc/bind/named.conf

// This is the primary configuration file for the BIND DNS server named.
//
// Please read /usr/share/doc/bind9/README.Debian.gz for information on the 
// structure of BIND configuration files in Debian, *BEFORE* you customize 
// this configuration file.
//
// If you are just adding zones, please do that in /etc/bind/named.conf.local

include "/etc/bind/named.conf.options";

acl "ourlocalnets" {
        127.0.0.1;
        190.2.21.21;
        200.68.88.17;
        10.1.0.0/16;
        10.2.0.0/16;
        10.3.0.0/16;
        10.4.0.0/16;
        10.5.0.0/16;
        10.6.0.0/16;
        10.7.0.0/16;
        10.8.0.0/16;
//        10.0.0.0/8;
};

view "internal" {
        match-clients { ourlocalnets; };

        zone "." {
                type hint;
                file "/etc/bind/db.root";
        };

        zone "localhost" {
                type master;
                file "/etc/bind/db.local";
        };

        zone "127.in-addr.arpa" {
                type master;
                file "/etc/bind/db.127";
        };

        zone "0.in-addr.arpa" {
                type master;
                file "/etc/bind/db.0";
        };

        zone "255.in-addr.arpa" {
                type master;
                file "/etc/bind/db.255";
        };

        zone "10.in-addr.arpa" {
                type master;
                file "/etc/bind/wikimania.bal.org.ar-interna-reversas";
        };

        zone "wikimania.bal.org.ar" {
                allow-transfer { 10.2.0.4; };
                allow-update { 10.2.0.4; };
                type master;
                file "/etc/bind/wikimania.bal.org.ar-interna";
        };

};

view "external" {
        match-clients { any; };

        //recursion no;

        zone "localhost" {
                type master;
                file "/etc/bind/db.local";
        };

        zone "127.in-addr.arpa" {
                type master;
                file "/etc/bind/db.127";
        };

        zone "0.in-addr.arpa" {
                type master;
                file "/etc/bind/db.0";
        };

        zone "255.in-addr.arpa" {
                type master;
                file "/etc/bind/db.255";
        };

        zone "wikimania.bal.org.ar" {
                allow-transfer { 10.4.0.6; 10.4.0.23; 10.2.0.4; 190.228.30.152; 200.32.106.149; };
                allow-update { 10.4.0.6; 10.4.0.23; 10.2.0.4; 190.228.30.152; 200.32.106.149; };
                type master;
                file "/etc/bind/wikimania.bal.org.ar-externa";
        };

};

/etc/bind/named.conf.options

options {
	directory "/var/cache/bind";

	// If there is a firewall between you and nameservers you want
	// to talk to, you may need to fix the firewall to allow multiple
	// ports to talk.  See http://www.kb.cert.org/vuls/id/800113

	// If your ISP provided one or more IP addresses for stable 
	// nameservers, you probably want to use them as forwarders.  
	// Uncomment the following block, and insert the addresses replacing 
	// the all-0's placeholder.

	// forwarders {
	// 	0.0.0.0;
	// };

	auth-nxdomain no;    # conform to RFC1035
        //allow-query { any; };
	//listen-on-v6 { any; };
        allow-transfer { 190.228.30.152; };
};

/etc/bind/wikimania.bal.org.ar-externa

; wikimania.bal.org.ar
$TTL 86400
@ IN SOA ccgsm.bal.org.ar. hostmaster.wikimania.bal.org.ar. (
                        2009083203      ;serial
                        1200            ;slave refresh
                        600             ;slave retry
                        604800          ;slave expiration
                        3600 )          ;negative ttl

                NS ccgsm.bal.org.ar.
                NS alvear.bal.org.ar.
;
                MX      10      ccgsm.bal.org.ar.
ccgsm           A       190.2.21.21
;alvear          A      190.3.21.21
public          CNAME   ccgsm
conferences     CNAME   ccgsm
ftp     CNAME   ccgsm

/etc/bind/wikimania.bal.org.ar-interna

; wikimania.bal.org.ar
$TTL 86400
@ IN SOA ccgsm.wikimania.bal.org.ar. hostmaster.wikimania.bal.org.ar. (
                        2009082702      ;serial
                        1200            ;slave refresh
                        600             ;slave retry
                        604800          ;slave expiration
                        3600 )          ;negative ttl

                NS ccgsm.bal.org.ar.
                NS alvear.bal.org.ar.
;
                MX      10      ccgsm.bal.org.ar.
; Servidores
alvear		    A   10.2.0.4
ccgsm           A   10.4.0.1
nagios		A   10.4.0.5	; servidor de tute con nagios

;
; CNAMEs
ns1	                    CNAME	ccgsm
ns2	                    CNAME	alvear
public                  CNAME   ccgsm
conferences             CNAME   ccgsm
proxy                   CNAME   ccgsm
ftp                     CNAME   ccgsm
;
; Gateways
gwccgsm1		        A	    10.1.0.1; gateway de iplan y otros fefu 20090821
gwalvear1		        A       10.21.0.1; gateway de clientes en alvear fefu 20090825
gwalvear2		        CNAME   alvear; gateway de clientes en alvear fefu 20090825
gwccgsm2		        A	    10.2.0.1; gateway de eth2 fefu 20090825
gwccgsm-alvear          CNAME   gwccgsm2; gateway para el enlace alvar-gccsm fefu 20090825
gwbahuen1		        A       10.4.0.1; gateway bahuen-ccgsm fefu 20090821
gwccgsm5		        A	    10.5.0.1; gateway de eth5 fefu 20090821
gwccgsm6		        A	    10.6.0.1; gateway de eth6 y otros fefu 20090821
gwccgsm7		        A	    10.7.0.1; gateway de eth7 y otros fefu 20090821
;
ap-muino                A       10.5.0.2  ;MAC 00156DD6252B
ap-madres               A       10.5.0.4  ;MAC 00156DD6233B
ap-f                    A       10.7.0.2  ;MAC 00156DD6247A
ap-c                    A       10.6.0.2  ;MAC 00156DD4FF61
ap-d                    A       10.7.0.4  ;MAC 00156DD6231C
ap-hall                 A       10.6.0.4  ;MAC 00156DD6231B
ap-hall2		A	10.6.0.5  ;MAC 00:15:6D:D4:FF:8D guido 20090827
ap-hacklab              A       10.1.0.3  ;MAC 00156DD4FF69
ap-entrada              A       10.5.0.6  ;MAC 00156DD624AA
ap-alvear               A       10.21.0.2 ;MAC 00156DD624CF tut
ap-alvear2		A   	10.21.0.3 ;MAC 00156DD62527 kensuke 20090826
ap-bauenpenthouse       A       10.4.0.4  ;MAC 004F62095955 fefu 20090821 
;
; Enlaces
ap-ccgsm-alvear         A       10.2.0.2 ;MAC 00156DBE9B9D
ap-alvear-ccgsm         A       10.2.0.3 ;MAC 00156DBD6FAE fefu 20090822
ap-ccgsm-bauen          A       10.4.0.2 ;MAC 00156DBE9CC8
ap-bauen-ccgsm          A       10.4.0.3 ;MAC 00156DBE9C90 tute
;
; Equipos para Streaming
video-server    		A	    10.4.0.25 ;MAC 
video-muino             A       10.4.0.24 ;MAC 00:24:21:7a:26:1c
video-madres            A       10.4.0.23 ;MAC 00:24:21:7a:26:ea
video-c	                A       10.4.0.22 ;MAC 00:24:21:7a:26:b6
video-f                 A       10.4.0.21 ;MAC 00:24:21:7a:2b:64
video-d                 A       10.4.0.20 ;MAC 00:24:21:7a:25:8c
swich1		        	A       10.5.0.2 ;tute 20
swich2      			A	    10.1.0.4 ;tute 20

/etc/bind/wikimania.bal.org.ar-interna-reversas

;
; BIND reverse data file for Wikimania internal IPs 
;
$TTL	86400
@ IN SOA ccgsm.wikimania.bal.org.ar. hostmaster.wikimania.bal.org.ar. (
                        2009082801      ;serial
                        1200            ;slave refresh
                        600             ;slave retry
                        604800          ;slave expiration
                        3600 )          ;negative ttl

        IN	NS ccgsm.bal.org.ar.
       	IN	NS alvear.bal.org.ar.
;

1.0.4	IN	PTR	ccgsm.
2.0.4	IN	PTR	ap-ccgsm-bauen.
3.0.4	IN	PTR	ap-bauen-ccgsm.
4.0.4	IN	PTR	ap-bauhenpenthouse.
5.0.4	IN	PTR	nagios.

1.0.2	IN	PTR	gwccgsm2.
2.0.2	IN	PTR	ap-ccgsm-alvear.
3.0.2	IN	PTR	ap-alvear-ccgsm.
4.0.2	IN	PTR	alvear.

1.0.1	IN	PTR	gwccgsm1.
3.0.1	IN	PTR	ap-hacklab.
4.0.1	IN	PTR	swich2.
5.0.1	IN	PTR	video-server.



1.0.5   IN      PTR     gwccgsm5.
2.0.5   IN      PTR     ap-muino. ; o swich1???
3.0.5   IN      PTR     video-muino.
4.0.5   IN      PTR     ap-madres.
5.0.5   IN      PTR     video-madres.
6.0.5   IN      PTR     ap-entrada.

1.0.6   IN      PTR     gwccgsm6.
2.0.6   IN      PTR     ap-c.
3.0.6   IN      PTR     video-c.
4.0.6   IN      PTR     ap-hall.
5.0.6   IN      PTR     ap-hall2.

1.0.7   IN      PTR     gwccgsm7.
2.0.7   IN      PTR     ap-f.
3.0.7   IN      PTR     video-f.
4.0.7   IN      PTR     ap-d.
5.0.7   IN      PTR     video-d.

1.0.21  IN      PTR     gwalvear1.
2.0.21  IN      PTR     ap-alvear.
3.0.21  IN      PTR     ap-alvear2.

/ect/squid/squid.conf

acl all src all
acl manager proto cache_object
acl localhost src 127.0.0.1/32
acl to_localhost dst 127.0.0.0/8
acl localnet src 10.0.0.0/8	# RFC1918 possible internal network
acl SSL_ports port 443		# https
acl SSL_ports port 563		# snews
acl SSL_ports port 873		# rsync
acl Safe_ports port 80		# http
acl Safe_ports port 21		# ftp
acl Safe_ports port 443		# https
acl Safe_ports port 70		# gopher
acl Safe_ports port 210		# wais
acl Safe_ports port 1025-65535	# unregistered ports
acl Safe_ports port 280		# http-mgmt
acl Safe_ports port 488		# gss-http
acl Safe_ports port 591		# filemaker
acl Safe_ports port 777		# multiling http
acl Safe_ports port 631		# cups
acl Safe_ports port 873		# rsync
acl Safe_ports port 901		# SWAT
acl purge method PURGE
acl CONNECT method CONNECT

http_access allow manager localhost
http_access deny manager
http_access allow purge localhost
http_access deny purge
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports

http_access allow localnet
http_access allow localhost

http_access deny all

icp_access allow localnet
icp_access deny all

http_port 3128 transparent
http_port 8080 

hierarchy_stoplist cgi-bin ?

cache_dir aufs /var/spool/squid 30000 16 256 

access_log /var/log/squid/access.log squid

refresh_pattern ^ftp:		1440	20%	10080
refresh_pattern ^gopher:	1440	0%	1440
refresh_pattern -i (/cgi-bin/|\?) 0	0%	0
refresh_pattern (Release|Package(.gz)*)$	0	20%	2880
refresh_pattern http://windowsupdate.microsoft.com/ 0  80% 604800 reload-into-ims 
refresh_pattern http://windowsupdate.com/           0  80% 604800 reload-into-ims
refresh_pattern http://*.windowsupdate.com/         0  80% 604800 reload-into-ims
refresh_pattern http://symantecliveupdate.com       0  80% 604800 reload-into-ims
refresh_pattern -i debian                              0  80% 86400 reload-into-ims
refresh_pattern -i .*.deb$                             0  80% 86400 reload-into-ims
refresh_pattern -i .*.tar.*                            0  80% 86400 reload-into-ims
refresh_pattern .		0	20%	4320

acl shoutcast rep_header X-HTTP09-First-Line ^ICY\s[0-9]
upgrade_http0.9 deny shoutcast

acl apache rep_header Server ^Apache
broken_vary_encoding allow apache

extension_methods REPORT MERGE MKACTIVITY CHECKOUT

hosts_file /etc/hosts

coredump_dir /var/spool/squid

/etc/samba/smb.conf

[global]
   workgroup = WIKIMANIA
   netbios name = CCGSM
   server string = Wikimania Linux Server
   security = share

[conferences]
   path=/srv/public/conferences
   guest ok = yes
   browseable = yes
   read only = yes
   #write list  = salas

[public]
   path=/srv/public/public
   guest ok = yes
   browseable = yes
   create mask = 0444
   directory mask = 0555
   read only = no

/etc/iproute2/rt_tables

#
# reserved values
#
255	local
254	main
253	default
0	unspec
#
# local
#
1   iplan1
2   iplan2

3 speedy

/etc/apache2/sites-enabled/001-conferences

<VirtualHost *:80>
	ServerName conferences
	ServerAlias conferences.wikimania.bal.org.ar
	DocumentRoot /srv/public/conferences

	<Directory /srv/public/conferences>
                Options Indexes Includes FollowSymLinks MultiViews
                IndexOptions +FoldersFirst +IconsAreLinks +ScanHTMLTitles
                HeaderName /HEADER.html
                ReadmeName /README.html
		IndexIgnore HEADER.html
		IndexIgnore README.html
		AllowOverride None
		Order allow,deny
		allow from all
	</Directory>
</VirtualHost>

/etc/apache2/sites-enabled/002-public

<VirtualHost *:80>
	ServerName public
	ServerAlias public.wikimania.bal.org.ar
	DocumentRoot /srv/public/public

	<Directory /srv/public/public>
                Options Indexes Includes FollowSymLinks MultiViews
                IndexOptions +FoldersFirst +IconsAreLinks +ScanHTMLTitles
                HeaderName /HEADER.html
                ReadmeName /README.html
		IndexIgnore HEADER.html
		IndexIgnore README.html
		AllowOverride None
		Order allow,deny
		allow from all
	</Directory>
</VirtualHost>

/etc/rc.local

#!/bin/sh -e
#
# rc.local
#
# This script is executed at the end of each multiuser runlevel.
# Make sure that the script will "exit 0" on success or any other
# value on error.
#
# In order to enable or disable this script just change the execution
# bits.
#
# By default this script does nothing.
/root/ccgsm-firewall-nat.sh
/root/ccgsm-balanceo.sh -f
/root/ccgsm-rutas.sh
exit 0

/root/ccgsm-firewall-nat.sh

#!/bin/bash
echo 1 > /proc/sys/net/ipv4/ip_forward
iptables -F
iptables -X
iptables -Z
iptables -t nat -F
iptables -P INPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -P OUTPUT ACCEPT

# nat MASQUERADE
iptables -t nat -A POSTROUTING -s 10.1.0.0/16 -d 0.0.0.0/0 -j MASQUERADE
iptables -t nat -A POSTROUTING -s 10.2.0.0/16 -d 0.0.0.0/0 -j MASQUERADE
iptables -t nat -A POSTROUTING -s 10.4.0.0/16 -d 0.0.0.0/0 -j MASQUERADE
iptables -t nat -A POSTROUTING -s 10.5.0.0/16 -d 0.0.0.0/0 -j MASQUERADE
iptables -t nat -A POSTROUTING -s 10.6.0.0/16 -d 0.0.0.0/0 -j MASQUERADE
iptables -t nat -A POSTROUTING -s 10.7.0.0/16 -d 0.0.0.0/0 -j MASQUERADE
#iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

# localhost ACCEPT
iptables -A INPUT -i lo -s 127.0.0.1 -j ACCEPT
# icmp ACCEPT
iptables -A INPUT -p icmp -j ACCEPT
# ssh ACCEPT
#iptables -A INPUT -p tcp --dport 22 -m state --state NEW -j DROP
# iptables -A INPUT -p tcp --dport 1990 -m state --state NEW -j ACCEPT
iptables -A INPUT -p tcp --dport 1990 -m state --state NEW -j ACCEPT
  # -m recent --set --name SSH
# iptables -A INPUT -p tcp --dport 1990 -m state --state NEW -m recent --update --seconds 60 --hitcount 5 --rttl --name SSH -j DROP

# http ACCEPT
iptables -A INPUT -p tcp --dport 80 -m state --state NEW -j ACCEPT
iptables -A INPUT -p tcp --dport 53 -m state --state NEW -j ACCEPT
iptables -A INPUT -p udp --dport 53 -m state --state NEW -j ACCEPT
iptables -A INPUT -p tcp --dport 111 -m state --state NEW -j ACCEPT
# https ACCEPT
iptables -A INPUT -p tcp --dport 443 -m state --state NEW -j ACCEPT
# munin
iptables -A INPUT -p tcp --dport 4949 -m state --state NEW -j ACCEPT
# iperf ACCEPT
iptables -A INPUT -p tcp --dport 5001 -m state --state NEW -j ACCEPT
# syslog ACCEPT
#iptables -A INPUT -p udp --dport 541 -m state --state NEW -j ACCEPT


# tcp related ACCEPT
#iptables -A INPUT -p tcp -m state --state RELATED -j ACCEPT
# new DROP
#iptables -A INPUT -i eth1 -p tcp -m state --state NEW,INVALID -j DROP
# related ACCEPT
iptables -A FORWARD -i eth1 -p tcp -m state --state RELATED -j ACCEPT


#Fodwar ___________________________________________________________
#para fodwardear puertos internos. usar puerto publico asi. 80 web ip interna 10.4.0.5 = puero externo 80(puerto)+4(red)+5(ip)

#doy salida al nagios provisorio al puerto 8005 por dominio/iplan ccgsm.wikimania.bal.org tute 22
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 8045 -j DNAT --to 10.4.0.5:80
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 2245 -j DNAT --to 10.4.0.5:22

# SQUID
#iptables -t nat -A PREROUTING -i eth2 -p tcp --dport 80 -j REDIRECT --to-port 3128
#iptables -t nat -A PREROUTING -i eth3 -p tcp --dport 80 -j REDIRECT --to-port 3128
#iptables -t nat -A PREROUTING -i eth4 -p tcp --dport 80 -j REDIRECT --to-port 3128
#iptables -t nat -A PREROUTING -i eth5 -p tcp --dport 80 -j REDIRECT --to-port 3128
#iptables -t nat -A PREROUTING -i eth6 -p tcp --dport 80 -j REDIRECT --to-port 3128
#iptables -t nat -A PREROUTING -i eth7 -p tcp --dport 80 -j REDIRECT --to-port 3128

/root/ccgsm-balanceo.sh

#!/bin/bash -x

##
##190.2.21.20/30 dev eth0  proto kernel  scope link  src 190.2.21.21
##200.68.88.16/30 dev eth3  proto kernel  scope link  src 200.68.88.17
##10.4.0.0/24 dev eth4  proto kernel  scope link  src 10.4.0.1
##10.2.0.0/16 dev eth2  proto kernel  scope link  src 10.2.0.1
##default via 190.2.21.22 dev eth0

# INTERFACES
IF_IPLAN1='eth0'
IF_IPLAN2='eth1'
IF_SPEEDY='eth8'

# WEIGHT
W1=10
W2=10
W3=4

#ISP
IP_IPLAN1='190.2.21.21'
IP_IPLAN2='200.68.88.17'
IP_SPEEDY='200.5.112.242'

# GATEWAYS
GW_IPLAN1='190.2.21.22'
GW_IPLAN2='200.68.88.18'
GW_SPEEDY='200.5.112.241'

# NETWORKS
NW_IPLAN1='190.2.21.20/30'
NW_IPLAN2='200.68.88.16/30'
NW_SPEEDY='200.5.112.240/29'

IN_IPLAN1=$IP_IPLAN1'/'$(echo $NW_IPLAN1 | awk -F\/ '{print $2}')
IN_IPLAN2=$IP_IPLAN2'/'$(echo $NW_IPLAN2 | awk -F\/ '{print $2}')
IN_SPEEDY=$IP_SPEEDY'/'$(echo $NW_SPEEDY | awk -F\/ '{print $2}')

# TABLES
TB_IPLAN1='iplan1'
TB_IPLAN2='iplan2'
TB_SPEEDY='speedy'

TB1=$(grep "$TB_IPLAN1" /etc/iproute2/rt_tables | awk '{print $2}')
TB2=$(grep "$TB_IPLAN2" /etc/iproute2/rt_tables | awk '{print $2}')
TB3=$(grep "$TB_SPEEDY" /etc/iproute2/rt_tables | awk '{print $2}')

RT_TABLES='/etc/iproute2/rt_tables'

if [ "$TB1" != "$TB_IPLAN1" ]
then
    echo "Add $TB_IPLAN1 to $RT_TABLES"
    echo "1 $TB_IPLAN1" >>$RT_TABLES
fi

if [ "$TB2" != "$TB_IPLAN2" ]
then
    echo "Add $TB_IPLAN2 to $RT_TABLES"
    echo "2 $TB_IPLAN2" >>$RT_TABLES
fi

if [ "$TB3" != "$TB_SPEEDY" ]
then
    echo "Add $TB_SPEEDY to $RT_TABLES"
    echo "3 $TB_SPEEDY" >>$RT_TABLES
fi

function usage()
{
    echo
    echo "Uso:"
    echo "# $0 [options]"
    echo " -f, --force          fuerza la ejecución, por defecto no ejecuta, solo muestra."
    echo " -h, --help           ayuda"
    echo
    exit 1
}

while [ ! -z "$1" ];do
    case "$1" in
        -f|--force)
            FORCE=true
            shift 1
        ;;
        -h|--help)
            usage
        ;;
    esac
done

if [ $FORCE ]
then
    ECHO=' '
else
    ECHO='echo '
fi

# LIMPIO CACHE
$ECHO ip route flush cache
$ECHO ip addr flush $IF_IPLAN1
$ECHO ip addr flush $IF_IPLAN2
$ECHO ip addr flush $IF_SPEEDY

# LOCALHOST
$ECHO ip addr flush lo ip link set lo down
$ECHO ip addr add 127.0.0.1/8 dev lo
$ECHO ip link set lo up

##inet addr:10.4.0.1  Bcast:10.4.0.255  Mask:255.255.0.0
$ECHO ip addr flush eth4
$ECHO ip link set eth4 down
$ECHO ip addr add 10.4.0.1/16 dev eth4
$ECHO ip link set eth4 up

##10.2.0.0/16 dev eth2  proto kernel  scope link  src 10.2.0.1
$ECHO ip addr flush eth2
$ECHO ip link set eth2 down
$ECHO ip addr add 10.2.0.1/16 dev eth2
$ECHO ip link set eth2 up

# LIMPIO TABLAS
$ECHO route del default gateway $GW_IPLAN1 $IF_IPLAN1
$ECHO route del default gateway $GW_IPLAN2 $IF_IPLAN2
$ECHO route del default gateway $GW_SPEEDY $IF_SPEEDY
$ECHO ip route flush table 1
$ECHO ip route flush table 2
$ECHO ip route flush table 3


# TIRO ABAJO Y LEVANTO INTERFACES
$ECHO ip addr flush $IF_IPLAN1
$ECHO ip link set $IF_IPLAN1 down
$ECHO ip addr add $IN_IPLAN1 dev $IF_IPLAN1
$ECHO ip route add default via $GW_IPLAN1
$ECHO ip link set $IF_IPLAN1 up 

$ECHO ip addr flush $IF_IPLAN2
$ECHO ip link set $IF_IPLAN2 down
$ECHO ip addr add $IN_IPLAN2 dev $IF_IPLAN2
$ECHO ip route add default via $GW_IPLAN2
$ECHO ip link set $IF_IPLAN2 up 

$ECHO ip addr flush $IF_SPEEDY
$ECHO ip link set $IF_SPEEDY down
$ECHO ip addr add $IN_SPEEDY dev $IF_SPEEDY
$ECHO ip route add default via $GW_SPEEDY
$ECHO ip link set $IF_SPEEDY up 

# STATUS
$ECHO ip route

# TABLAS DE RUTEO
$ECHO ip route add $NW_IPLAN1 dev $IF_IPLAN1 src $IP_IPLAN1 table $TB_IPLAN1
$ECHO ip route add default via $GW_IPLAN1 table $TB_IPLAN1

$ECHO ip route add $NW_IPLAN2  dev $IF_IPLAN2 src $IP_IPLAN2 table $TB_IPLAN2
$ECHO ip route add default via $GW_IPLAN2 table $TB_IPLAN2

$ECHO ip route add $NW_SPEEDY  dev $IF_SPEEDY src $IP_SPEEDY table $TB_SPEEDY
$ECHO ip route add default via $GW_SPEEDY table $TB_SPEEDY

$ECHO ip route add $NW_IPLAN1 dev $IF_IPLAN1 src $IP_IPLAN1
$ECHO ip route add $NW_IPLAN2 dev $IF_IPLAN2 src $IP_IPLAN2
$ECHO ip route add $NW_SPEEDY dev $IF_SPEEDY src $IP_SPEEDY

$ECHO ip rule add from $IP_IPLAN1 table $TB_IPLAN1
$ECHO ip rule add from $IP_IPLAN2 table $TB_IPLAN2
$ECHO ip rule add from $IP_SPEEDY table $TB_SPEEDY

TEST_IP=google.com

ERROR1=1;ERROR2=1;ERROR3=1

TEST_PING1=$(ping -c 1 -W 2 -I $IP_IPLAN1 $TEST_IP)
ERROR1=$(echo $?)

TEST_PING2=$(ping -c 1 -W 2 -I $IP_IPLAN2 $TEST_IP)
ERROR2=$(echo $?)

TEST_PING3=$(ping -c 1 -W 2 -I $IP_SPEEDY $TEST_IP)
ERROR3=$(echo $?)

if [[ $ERROR1 -eq 0 && $ERROR2 -eq 0 && $ERROR3 -eq 0 ]] ;then

    echo $TB_IPLAN1 OK
    echo $TB_IPLAN2 OK
    echo $TB_SPEEDY OK

    echo Load Balanced by $TB_IPLAN1:$GW_IPLAN1 $TB_IPLAN2:$GW_IPLAN2 $TB_SPEEDY:$GW_SPEEDY
    $ECHO ip route add default scope global nexthop via $GW_IPLAN1 dev $IF_IPLAN1 weight $W1 \
                                            nexthop via $GW_IPLAN2 dev $IF_IPLAN2 weight $W2 \
                                            nexthop via $GW_SPEEDY dev $IF_SPEEDY weight $W3

elif [[ $ERROR1 -eq 0 && $ERROR2 -eq 0 && $ERROR3 -eq 1 ]] ;then

    echo $TB_IPLAN1 OK
    echo $TB_IPLAN2 OK
    echo $TB_SPEEDY ERROR

    echo Load Balanced by $TB_IPLAN1:$GW_IPLAN1 and $TB_IPLAN2:$GW_IPLAN2
    $ECHO ip route add default scope global nexthop via $GW_IPLAN1 dev $IF_IPLAN1 weight $W1 \
                                            nexthop via $GW_IPLAN2 dev $IF_IPLAN2 weight $W2

elif [[ $ERROR1 -eq 0 && $ERROR2 -eq 1 && $ERROR3 -eq 0 ]] ;then

    echo $TB_IPLAN1 OK
    echo $TB_IPLAN2 ERROR
    echo $TB_SPEEDY OK

    echo Load Balanced by $TB_IPLAN1:$GW_IPLAN1 and $TB_SPEEDY:$GW_SPEEDY
    $ECHO ip route add default scope global nexthop via $GW_IPLAN1 dev $IF_IPLAN1 weight $W1 \
                                            nexthop via $GW_SPEEDY dev $IF_SPEEDY weight $W3

elif [[ $ERROR1 -eq 1 && $ERROR2 -eq 0 && $ERROR3 -eq 0 ]] ;then

    echo $TB_IPLAN1 ERROR
    echo $TB_IPLAN2 OK
    echo $TB_SPEEDY OK

    echo Load Balanced by $TB_IPLAN2:$GW_IPLAN2 and $TB_SPEEDY:$GW_SPEEDY
    $ECHO ip route add default scope global nexthop via $GW_IPLAN2 dev $IF_IPLAN2 weight $W2 \
                                            nexthop via $GW_SPEEDY dev $IF_SPEEDY weight $W3

elif [[ $ERROR1 -eq 0 && $ERROR2 -eq 1 && $ERROR3 -eq 1 ]] ;then

    echo $TB_IPLAN1 OK
    echo $TB_IPLAN2 ERROR
    echo $TB_SPEEDY ERROR

    echo Not Load Balanced Only Default Gateway $TB_IPLAN1:$GW_IPLAN1
    $ECHO ip route add default scope global via $GW_IPLAN1 dev $IF_IPLAN1

elif [[ $ERROR1 -eq 1 && $ERROR2 -eq 0 && $ERROR3 -eq 1 ]] ;then

    echo $TB_IPLAN1 ERROR
    echo $TB_IPLAN2 OK
    echo $TB_SPEEDY ERROR

    echo Not Load Balanced Only Default Gateway $TB_IPLAN2:$GW_IPLAN2
    $ECHO ip route add default scope global via $GW_IPLAN2 dev $IF_IPLAN2

elif [[ $ERROR1 -eq 1 && $ERROR2 -eq 1 && $ERROR3 -eq 0 ]] ;then

    echo $TB_IPLAN1 ERROR
    echo $TB_IPLAN2 ERROR
    echo $TB_SPEEDY OK

    echo Not Load Balanced Only Default Gateway $TB_SPEEDY:$GW_SPEEDY
    $ECHO ip route add default scope global via $GW_SPEEDY dev $IF_SPEEDY

elif [[ $ERROR1 -eq 1 && $ERROR2 -eq 1 && $ERROR3 -eq 1 ]] ;then

    echo $TB_IPLAN1 ERROR
    echo $TB_IPLAN2 ERROR
    echo $TB_SPEEDY ERROR

    echo Not Load Balanced Only Default Gateway 10.2.0.4 ALVEAR
    $ECHO ip route add default scope global nexthop via 10.2.0.4 dev eth2
    
fi

## Saliendo solo por Iplan1 en eth0
##ip route add default scope global via $GW_IPLAN1 dev $IF_IPLAN1

## Saliendo solo por Iplan2 en eth1
##ip route add default scope global via $GW_IPLAN2 dev $IF_IPLAN2


# STATUS
$ECHO ip route

#/root/ccgsm-rutas.sh

/root/ccgsm-rutas.sh

#!/bin/bash 

# DMZ
route add -net 10.1.0.0 netmask 255.255.0.0 gw 10.1.0.1
# ALVEAR
route add -net 10.2.0.0 netmask 255.255.0.0 gw 10.2.0.1
route add -net 10.21.0.0/16 gw 10.2.0.4
# BAUEN
route add -net 10.4.0.0 netmask 255.255.0.0 gw 10.4.0.1
# 
route add -net 10.5.0.0 netmask 255.255.0.0 gw 10.5.0.1
# 
route add -net 10.6.0.0 netmask 255.255.0.0 gw 10.6.0.1
#
route add -net 10.7.0.0 netmask 255.255.0.0 gw 10.7.0.1