Addendum to this: balancing over two uplinks

harmless wrote:
Still, I managed to get the server reachable over both uplinks at the same time:
#cat /etc/firewall.sh
But distributing the traffic across the two uplinks still hasn't worked out.
Code:
#!/bin/sh
#############################################
#**** FireWall - configuration file ********#
#############################################
# ipfw binary
FwCMD="/sbin/ipfw -q "
# table template
FwTable="${FwCMD} table "
# pipe template
FwPipe="${FwCMD} pipe "
#*******************************************#
#**** ISP1 ****#
#*******************************************#
# Note: the variable names in the ISP sections are made consistent with the
# references further down (the posted script used IpOut_ISP / GW_ISP /
# IpOut_Magnus / GW_Magnus / LanOut_ISP / LanOut_Bit, which never resolved).
# Local network
NetOut_ISP1="1.1.1.0/24"
# Server IP in the ISP1 network
IpOut_ISP1="1.1.1.2"
# Interface facing the ISP1 network
LanOut_ISP1="vr0"
# As posted this equals the server's own ISP1 address; it must be the ISP1 gateway
GW_ISP1="1.1.1.2"
/usr/sbin/setfib -0 route add default ${GW_ISP1}
#*******************************************#
#*******************************************#
#**** Everything related to ISP2 ****#
#*******************************************#
# ISP2 local network
NetOut_ISP2="2.2.2.0/24"
# Server IP in the ISP2 network
IpOut_ISP2="2.2.2.2"
# Interface facing the ISP2 network
LanOut_ISP2="re0"
GW_ISP2="2.2.2.1"
/usr/sbin/setfib -1 route add default ${GW_ISP2}
#############################################
#*******************************************#
#* Everything related to the local network *#
#*******************************************#
# Local network
NetIn="10.0.0.0/24"
# Server IP in the local network
IpIn="10.0.0.1"
# Interface facing the local network
LanIn="em0"
#############################################
#*******************************************#
#***************** SERVICES ****************#
#*******************************************#
#* DNS,WEB,SMTP,SMTPS,POP3,POP3S,IMAP,IMAPS,FTP,FTP-passive,NTP *#
TCP="20,ftp,50000-60000,domain,smtp,smtps,pop3,pop3s,imap,imaps,http,https"
UDP="domain,ntp"
#############################################
#############################################
${FwCMD} disable one_pass
#############################################
################# CLEAN ALL #################
${FwCMD} -f flush
${FwCMD} -f pipe flush
${FwCMD} -f queue flush
${FwCMD} -f sched flush
${FwCMD} nat 4 config if ${LanOut_ISP1} unreg_only same_ports reset log
${FwCMD} nat 5 config if ${LanOut_ISP2} unreg_only same_ports reset log
#*******************************************#
${FwCMD} add reass in
# General server protection rules
${FwCMD} add skipto 65534 icmp from any to any frag
${FwCMD} add skipto 65534 icmp from any to any in icmptypes 5,9,13,14,15,16,17
${FwCMD} add skipto 65534 dst-ip me ipoptions ssrr,lsrr,rr,ts
${FwCMD} add reject tcp from any to any { tcpflags syn,fin,ack,psh,rst,urg or tcpflags !syn,!fin,!ack,!psh,!rst,!urg }
${FwCMD} add reject tcp from any to any not established tcpflags fin
# LoopBack lo0
${FwCMD} add skipto 15000 in via lo0
${FwCMD} add skipto 20000 out via lo0
# ISP1 LanOut_ISP1
${FwCMD} add skipto 25000 in via ${LanOut_ISP1}
${FwCMD} add skipto 30000 out via ${LanOut_ISP1}
# ISP2 LanOut_ISP2
${FwCMD} add skipto 35000 in via ${LanOut_ISP2}
${FwCMD} add skipto 40000 out via ${LanOut_ISP2}
# Lan
${FwCMD} add skipto 45000 in via ${LanIn}
${FwCMD} add skipto 50000 out via ${LanIn}
# Deny statement for any other packets
${FwCMD} add skipto 65534 via any
#############################
# LoopBack lo0
# IN pass
${FwCMD} add 15000 count in via lo0
${FwCMD} add permit in via lo0
# Out pass
${FwCMD} add 20000 count out via lo0
${FwCMD} add permit out via lo0
# ISP1 LanOut_ISP1
# IN pass
${FwCMD} add 25000 count in via ${LanOut_ISP1}
${FwCMD} add skipto 65534 icmp from any to any dst-ip 255.255.255.255 in via ${LanOut_ISP1}
${FwCMD} add skipto 65534 not dst-ip ${IpOut_ISP1} in via ${LanOut_ISP1}
${FwCMD} add skipto 65534 src-ip 127.0.0.0/8 in via ${LanOut_ISP1}
${FwCMD} add nat 4 dst-ip ${IpOut_ISP1} in via ${LanOut_ISP1}
${FwCMD} add permit tcp from any to any dst-ip ${IpOut_ISP1} in via ${LanOut_ISP1} established
${FwCMD} add set 5 permit tcp from any to any dst-ip ${IpOut_ISP1} dst-port ${TCP} in via ${LanOut_ISP1} setup keep-state
${FwCMD} add set 5 permit udp from any to any dst-ip ${IpOut_ISP1} dst-port ${UDP} in via ${LanOut_ISP1} keep-state
${FwCMD} add set 5 permit log tcp from any to any dst-ip ${IpOut_ISP1} dst-port 22 in via ${LanOut_ISP1} setup keep-state
${FwCMD} add permit dst-ip table\(100\) in via ${LanOut_ISP1}
${FwCMD} add permit icmp from any to any dst-ip ${IpOut_ISP1} in via ${LanOut_ISP1} keep-state
${FwCMD} add skipto 65534 in via ${LanOut_ISP1}
# OUT pass
${FwCMD} add 30000 count out via ${LanOut_ISP1}
${FwCMD} add skipto 65534 icmp from any to any dst-ip 255.255.255.255 out via ${LanOut_ISP1}
${FwCMD} add skipto 65534 dst-ip 127.0.0.0/8 out via ${LanOut_ISP1}
${FwCMD} add nat global src-ip table\(100\) out via ${LanOut_ISP1}
${FwCMD} add skipto 34000 src-ip ${IpOut_ISP1} out via ${LanOut_ISP1}
${FwCMD} add fwd ${GW_ISP2} src-ip ${IpOut_ISP2}
${FwCMD} add nat 4 src-ip table\(100\) out via ${LanOut_ISP1}
${FwCMD} add 34000 permit src-ip ${IpOut_ISP1} out via ${LanOut_ISP1} keep-state
${FwCMD} add skipto 65534 out via ${LanOut_ISP1}
# ISP2 LanOut_ISP2
# IN pass
${FwCMD} add 35000 count in via ${LanOut_ISP2}
${FwCMD} add skipto 65534 not dst-ip ${IpOut_ISP2} in via ${LanOut_ISP2}
${FwCMD} add skipto 65534 icmp from any to any dst-ip 255.255.255.255 in via ${LanOut_ISP2}
${FwCMD} add skipto 65534 src-ip 127.0.0.0/8 in via ${LanOut_ISP2}
${FwCMD} add nat 5 dst-ip ${IpOut_ISP2} in via ${LanOut_ISP2}
${FwCMD} add permit tcp from any to any dst-ip ${IpOut_ISP2} in via ${LanOut_ISP2} established
${FwCMD} add set 5 permit tcp from any to any dst-ip ${IpOut_ISP2} dst-port ${TCP} in via ${LanOut_ISP2} setup keep-state
${FwCMD} add set 5 permit udp from any to any dst-ip ${IpOut_ISP2} dst-port ${UDP} in via ${LanOut_ISP2} keep-state
${FwCMD} add set 5 permit log tcp from any to any dst-ip ${IpOut_ISP2} dst-port 22 in via ${LanOut_ISP2} setup keep-state
${FwCMD} add permit dst-ip table\(100\) in via ${LanOut_ISP2}
${FwCMD} add permit icmp from any to any dst-ip ${IpOut_ISP2} in via ${LanOut_ISP2} keep-state
${FwCMD} add skipto 65534 in via ${LanOut_ISP2}
# OUT pass
${FwCMD} add 40000 count out via ${LanOut_ISP2}
${FwCMD} add skipto 65534 icmp from any to any dst-ip 255.255.255.255 out via ${LanOut_ISP2}
${FwCMD} add skipto 65534 dst-ip 127.0.0.0/8 out via ${LanOut_ISP2}
${FwCMD} add nat global src-ip table\(100\) out via ${LanOut_ISP2}
${FwCMD} add skipto 44000 src-ip ${IpOut_ISP2} out via ${LanOut_ISP2}
${FwCMD} add fwd ${GW_ISP1} src-ip ${IpOut_ISP1}
${FwCMD} add nat 5 src-ip table\(100\) out via ${LanOut_ISP2}
${FwCMD} add 44000 permit src-ip ${IpOut_ISP2} out via ${LanOut_ISP2} keep-state
${FwCMD} add skipto 65534 out via ${LanOut_ISP2}
# Lan
# IN pass
${FwCMD} add 45000 count in via ${LanIn}
${FwCMD} add skipto 65534 src-ip 127.0.0.0/8 in via ${LanIn}
${FwCMD} add set 2 setfib 1 in via ${LanIn}
${FwCMD} add permit in via ${LanIn}
# OUT pass
${FwCMD} add 50000 count out via ${LanIn}
${FwCMD} add skipto 65534 dst-ip 127.0.0.0/8 out via ${LanIn}
${FwCMD} add permit out via ${LanIn}
${FwCMD} add 65534 deny via any
We make the following replacement.
Code:
# Lan
# IN pass
${FwCMD} add 45000 count in via ${LanIn}
${FwCMD} add skipto 65534 src-ip 127.0.0.0/8 in via ${LanIn}
${FwCMD} add set 2 setfib 1 in via ${LanIn}
${FwCMD} add permit in via ${LanIn}
Code:
# Lan
# IN pass
${FwCMD} add 45000 count in via ${LanIn}
${FwCMD} add skipto 65534 src-ip 127.0.0.0/8 in via ${LanIn}
${FwCMD} add prob 0.5 skipto 45100 in via ${LanIn}
${FwCMD} add set 2 setfib 0 in via ${LanIn} keep-state
${FwCMD} add permit in via ${LanIn}
${FwCMD} add 45100 set 2 setfib 1 in via ${LanIn} keep-state
${FwCMD} add permit in via ${LanIn}
And also, to improve performance, in the per-direction traffic sections you can remove the via ${if_name} parameters but keep the direction.
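The replacement above depends on keep-state to make the 50/50 choice once per flow rather than once per packet: a later packet of the same session that hits either setfib rule matches the existing dynamic entry and re-executes the action of the rule that created it. The following Python model of that ipfw rule walk is an added illustration, not code from the thread; the rule numbers 45001-45003 and 45101 are assumed to be what ipfw assigns to the unnumbered rules, and the LAN flows are constructed. It shows that with keep-state every packet of a flow is tagged with the FIB chosen for its first packet, while without it the packets of one TCP session would be scattered across both uplinks.

```python
import random
from collections import namedtuple

# num: ipfw rule number; action: count/skipto/setfib/permit; arg: skipto target or
# FIB number; prob: ipfw "prob" match probability; keep_state: "keep-state" option
Rule = namedtuple("Rule", "num action arg prob keep_state", defaults=(0, 1.0, False))

def make_rules(keep_state=True):
    """The replaced inbound LAN section; unnumbered rules get the numbers ipfw
    would assign when added in order (assumed here: 45001-45003 and 45101)."""
    return [Rule(45000, "count"), Rule(45001, "skipto", 45100, prob=0.5),
            Rule(45002, "setfib", 0, keep_state=keep_state), Rule(45003, "permit"),
            Rule(45100, "setfib", 1, keep_state=keep_state), Rule(45101, "permit")]

def evaluate(rules, dyn, flow, rng=random):
    """Walk one packet of `flow` through `rules` the way ipfw does. `dyn` is the
    dynamic-state table (flow -> rule that created the state). Returns (FIB, verdict)."""
    index = {r.num: i for i, r in enumerate(rules)}
    fib, i = 0, 0                      # packets arrive tagged with the default FIB 0
    while i < len(rules):
        r = rules[i]
        if rng.random() >= r.prob:     # "prob" is tested first: on failure, no match
            i += 1; continue
        if r.keep_state:               # keep-state implies check-state
            if flow in dyn:            # state exists: run the PARENT rule's action
                i = index[dyn[flow]]   # ...and continue after that parent rule
                r = rules[i]
            else:
                dyn[flow] = r.num      # first packet of the flow creates the state
        if r.action == "skipto":
            i = index[r.arg]; continue
        if r.action == "setfib":
            fib = r.arg                # non-terminal: tag the packet, keep walking
        elif r.action == "permit":
            return fib, "permit"
        i += 1
    return fib, "deny"                 # fell off the end: ipfw's default deny

def simulate(keep_state=True, flows=2000, packets_per_flow=5, seed=7):
    """Send packets_per_flow packets per constructed LAN flow. Returns ({fib: flows},
    number of flows whose packets were tagged with different FIBs = broken sessions)."""
    rules, rng, dyn, per_fib, split = make_rules(keep_state), random.Random(seed), {}, {0: 0, 1: 0}, 0
    for n in range(flows):             # constructed 5-tuples from the 10.0.0.0/24 LAN
        flow = ("10.0.0.%d" % (n % 250 + 2), 40000 + n, "198.51.100.7", 443)
        fibs = {evaluate(rules, dyn, flow, rng)[0] for _ in range(packets_per_flow)}
        if len(fibs) > 1:
            split += 1
        else:
            per_fib[fibs.pop()] += 1
    return per_fib, split
```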