Beltrane, comment out the following line in your firewall script:

#iptables -t nat -A POSTROUTING -o eth1 -s 192.168.0.0/24 -j MASQUERADE

That isn't helping you; you're already doing N:1 NAT with the following rules in your script:

iptables -t nat -A POSTROUTING -s 192.168.0.0/24 -o eth1 -p udp -j SNAT --to 192.168.4.3
iptables -t nat -A POSTROUTING -s 192.168.0.0/24 -o eth1 -p tcp -j SNAT --to 192.168.4.3

Only use "MASQUERADE" when the outgoing IP is dynamic; in your case it is fixed.

2010/4/28 Carlos Beltrame <beltr...@ieee.org>:
> Hi everyone, here I am again with more problems, asking for help =]
> The internet signal arrives over radio on eth1, configured as 192.168.4.3, and
> through the firewall it is shared to my 192.168.0.0/24 network. The intention
> is to run transparent Squid, and it even works, but the network is slow: access
> to sites and downloads are slow, whereas when I connect my PC directly to the AP
> that receives the outside signal, the net flies hahaha. MSN in particular, when
> it connects, stays connected for about 2 minutes and then drops. Anyway, below
> are my firewall.sh and my squid.conf; I'd like to know whether there is a way to
> improve performance, or whether something is wrong.
> I tried to comment my intention on each line below:
>
> ==============firewall====================
> #!/bin/bash
>
> ## Delete any rules that may already exist (mangle included, so re-running
> ## the script does not duplicate the TOS/TCPMSS rules)
> iptables -F
> iptables -X
> iptables -t nat -F
> iptables -t nat -X
> iptables -t mangle -F
> iptables -t mangle -X
>
> #### Policy rules ####
>
> ## Block any packet that is not explicitly allowed
> iptables -P INPUT DROP
> iptables -P FORWARD DROP
> iptables -P OUTPUT DROP
>
> ## Allow access to the loopback interface
> iptables -A INPUT -i lo -j ACCEPT
>
> ## Allow in only the replies to outgoing connections
> iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
>
> # Protection against stealth port scanners (rate-limit bare RSTs and pings;
> # the INPUT policy drops the excess)
> iptables -A INPUT -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit 1/s -j ACCEPT
> iptables -t filter -A INPUT -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT
>
> # Protection against attacks
> iptables -A INPUT -m state --state INVALID -j DROP
>
> # Set minimum delay (the uplink here is eth1; the original rules named ppp0,
> # which this setup does not use, so they never matched anything)
> iptables -t mangle -A OUTPUT -o eth1 -p tcp --dport 53 -j TOS --set-tos Minimize-Delay
> iptables -t mangle -A OUTPUT -o eth1 -p tcp --dport 80 -j TOS --set-tos Minimize-Delay
> iptables -t mangle -A OUTPUT -o eth1 -p tcp --dport 443 -j TOS --set-tos Minimize-Delay
> iptables -t mangle -A OUTPUT -o eth1 -p tcp --dport 10000 -j TOS --set-tos Minimize-Delay
>
> #### OUTPUT ####
> # Allow the server itself to reach other machines
> iptables -A OUTPUT -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
>
> ### PREROUTING ###
> # Transparent proxy: only TCP/80 is redirected. Squid does not listen on UDP,
> # so the "-p udp --dport 80" redirect the script used to have could never match.
> iptables -t nat -A PREROUTING -s 192.168.0.0/24 -p tcp --dport 80 -j REDIRECT --to-port 3128
>
> ### FORWARD ###
>
> # Connection tracking (accept packets for connections already established)
> iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
>
> ## Redirect the administrators' traffic
> /etc/firewall/admin/adminporta.sh
> /etc/firewall/admin/adminssh.sh
>
> ## Redirect the users' traffic to squid, plus other blocking rules
> # example:
> # iptables -I INPUT -s 192.168.0.106 -p tcp --dport 3128 -j ACCEPT
> # iptables -A FORWARD -s 192.168.0.106 -o eth1 -j ACCEPT
> /etc/firewall/liberados/liberados.sh
>
> #### POSTROUTING ####
>
> ## Internet sharing
> iptables -t nat -A POSTROUTING -s 192.168.0.0/24 -o eth1 -p udp -j SNAT --to 192.168.4.3
> iptables -t nat -A POSTROUTING -s 192.168.0.0/24 -o eth1 -p tcp -j SNAT --to 192.168.4.3
>
> iptables -t nat -A POSTROUTING -o eth1 -s 192.168.0.0/24 -j MASQUERADE
>
> # Clamp the MSS of outgoing SYNs so segments fit the radio link's MTU
> iptables -t mangle -A POSTROUTING -o eth1 -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --set-mss 1412
>
> ### Enable the kernel's packet forwarding ###
> echo 1 > /proc/sys/net/ipv4/ip_forward
> ========================================================================
>
>
> ====================squid.conf===========================
> http_port 3128 transparent
> visible_hostname INTERNET
>
> cache_mem 512 MB
> maximum_object_size_in_memory 64 KB
> maximum_object_size 700 MB
> minimum_object_size 0 KB
>
> cache_swap_low 90
> cache_swap_high 95
>
> cache_dir ufs /var/spool/squid 50000 16 256
>
> hierarchy_stoplist cgi-bin ?
> acl QUERY urlpath_regex cgi-bin \?
>
> cache deny QUERY
> acl apache rep_header Server ^Apache
> broken_vary_encoding allow apache
> access_log /var/log/squid/access.log squid
> hosts_file /etc/hosts
> refresh_pattern ^ftp: 1440 20% 10080
> refresh_pattern ^gopher: 1440 0% 1440
> refresh_pattern . 0 20% 4320
> acl all src 0.0.0.0/0.0.0.0
> acl manager proto cache_object
> acl localhost src 127.0.0.1/255.255.255.255
> acl to_localhost dst 127.0.0.0/8
> acl SSL_ports port 443 # https
> acl SSL_ports port 563 # snews
> acl SSL_ports port 873 # rsync
> acl Safe_ports port 80 # http
> acl Safe_ports port 21 # ftp
> acl Safe_ports port 443 # https
> acl Safe_ports port 70 # gopher
> acl Safe_ports port 210 # wais
> acl Safe_ports port 1025-65535 # unregistered ports
> acl Safe_ports port 280 # http-mgmt
> acl Safe_ports port 488 # gss-http
> acl Safe_ports port 591 # filemaker
> acl Safe_ports port 777 # multiling http
> acl Safe_ports port 631 # cups
> acl Safe_ports port 873 # rsync
> acl Safe_ports port 901 # SWAT
> acl Safe_ports port 6881
> acl purge method PURGE
> acl CONNECT method CONNECT
>
> acl servidor src 192.168.0.1
>
> # Blocked domains/URLs are denied except during the 00:30-06:00 window
> acl horario time 00:30-06:00
> acl proibir_dominio dstdomain "/etc/squid/bloqueio"
> acl proibir_url url_regex -i "/etc/squid/bloqurl"
>
> acl aceitar_dom dstdomain "/etc/squid/aceitar"
>
> http_access deny proibir_dominio !horario
> http_access deny proibir_url !horario
>
> # Note: this allow sits before the Safe_ports/CONNECT checks, so whitelisted
> # domains are reachable on any port
> http_access allow aceitar_dom
> http_access allow manager localhost
> http_access deny manager
> http_access allow purge localhost
> http_access deny purge
> http_access deny !Safe_ports
> http_access deny CONNECT !SSL_ports
> http_access allow localhost
> http_access allow servidor
> http_access allow all
> http_reply_access allow all
> icp_access allow all
> coredump_dir /var/spool/squid
> ===========================================================
>
> I hope I was clear; awaiting replies, big hug.
>
> Yours Truly
> Carlos Beltrame - Electrical Engineer
> IEEE - HTC Brazilian Representative
> Mobile: +55 18-9795-5271
> MSN : c_beltr...@hotmail.com
> Skype : zebacking
> UNESP - Campus of Ilha Solteira


--
- Catulo Kruuse Hansen
LPI000199593
LPIC-2
CompTIA Linux+
CLA (Novell Certified Linux Administrator)
Data Center Technical Specialist
catulohansen.blogspot.com

Archive: http://lists.debian.org/s2x85da0e3a1004281954o75229275zb177b4893ddb...@mail.gmail.com
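As an added example (the editor's, not code from the thread or from either poster), here are the two POSTROUTING choices the reply distinguishes, written as a small sh script. It goes one step past the reply: with a fixed uplink address, a single SNAT rule with no `-p` match replaces the separate tcp and udp rules and also covers ICMP (ping, path-MTU errors), which those two rules leave un-NATed once the MASQUERADE line is gone. eth1, 192.168.0.0/24 and 192.168.4.3 come from the post; the LAN interface name `eth0`, the `IPT` override and the `apply` argument are assumptions not present in the thread.

```shell
#!/bin/sh
# Added example (editor's, not from the thread): emit the POSTROUTING rule for
# a LAN subnet in the two situations the reply distinguishes, plus a TCP-only
# transparent-proxy redirect. Set IPT=echo to print the rules instead of
# applying them (no root needed).
IPT=${IPT:-iptables}

LAN_IF=${LAN_IF:-eth0}             # assumption: LAN-side interface (not named in the thread)
WAN_IF=${WAN_IF:-eth1}             # uplink interface from the thread
LAN_NET=${LAN_NET:-192.168.0.0/24} # LAN subnet from the thread
WAN_IP=${WAN_IP:-192.168.4.3}      # fixed uplink address from the thread

# nat_rule MODE: MODE is "static" (uplink address fixed) or "dynamic"
# (address assigned by PPP/DHCP). Returns 1 for anything else, or for
# "static" without an address to translate to.
nat_rule() {
    case "$1" in
        static)
            if [ -z "$WAN_IP" ]; then
                echo "nat_rule: static mode needs WAN_IP" >&2
                return 1
            fi
            # One SNAT rule with no -p restriction covers TCP, UDP and ICMP
            # alike; separate -p tcp / -p udp rules leave ICMP without NAT.
            $IPT -t nat -A POSTROUTING -s "$LAN_NET" -o "$WAN_IF" \
                -j SNAT --to-source "$WAN_IP"
            ;;
        dynamic)
            # MASQUERADE looks up the interface address per packet and drops
            # its conntrack entries when the interface goes down; that is the
            # only reason to prefer it over SNAT.
            $IPT -t nat -A POSTROUTING -s "$LAN_NET" -o "$WAN_IF" -j MASQUERADE
            ;;
        *)
            echo "nat_rule: mode must be 'static' or 'dynamic', got '$1'" >&2
            return 1
            ;;
    esac
}

# Transparent proxy: only TCP/80 arriving from the LAN side goes to Squid.
# Matching on -i as well as -s keeps a packet with a spoofed LAN source
# address arriving on the uplink from being redirected.
proxy_redirect() {
    $IPT -t nat -A PREROUTING -i "$LAN_IF" -s "$LAN_NET" -p tcp --dport 80 \
        -j REDIRECT --to-ports 3128
}

# Apply only when invoked as "./nat.sh apply", so sourcing the file is harmless.
if [ "${1:-}" = "apply" ]; then
    nat_rule static
    proxy_redirect
    echo 1 > /proc/sys/net/ipv4/ip_forward
fi
```

Run `IPT=echo sh nat.sh apply` to see the rules it would install; as root without the override it applies them. Rule order still matters in the real chain: iptables takes the first match, so a MASQUERADE appended after protocol-specific SNAT rules only ever sees the protocols those rules do not name.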