Built a virtual network in GNS3 and VMware 7.1
1. Cisco IOS
Cisco IOS Software, 3600 Software (C3660-JS-M), Version 12.4(15)T9, RELEASE SOFTWARE (fc5)
2. Proxy server -> VM host-only FreeBSD 8.1 (192.168.40.0/29)
FreeBSD 8.1-RELEASE #0: Tue Sep 6 19:38:13 UTC 2011 Test@ns.myhome.net:/usr/src/sys/i386/compile/MYKERNEL
ipfw2 initialized, divert enabled, nat loadable, rule-based forwarding enabled, default to deny, logging disabled
>ifconfig em0
em0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
options=9b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM>
ether 00:0c:29:3b:bf:eb
inet 192.168.40.3 netmask 0xfffffff8 broadcast 192.168.40.7
media: Ethernet autoselect (1000baseT <full-duplex>)
status: active
>ipfw show
00100 200 32486 allow ip from any to any via lo0
00200 0 0 deny ip from any to 127.0.0.0/8
00300 0 0 deny ip from 127.0.0.0/8 to any
65000 14358 6717746 allow ip from any to any
65535 0 0 deny ip from any to any
3. 4. LAN1-2: two host-only XP VMs (192.168.41.0/29, 192.168.42.0/29)
Proxy set to 192.168.40.3 port 3128
!
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R1
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
memory-size iomem 5
ip wccp version 1
ip wccp web-cache redirect-list SQUID
!
!
ip cef
no ip domain lookup
ip name-server 8.8.8.8
ip name-server 192.168.40.3
!
multilink bundle-name authenticated
!
archive
log config
hidekeys
!
interface Loopback0
ip address 10.1.1.1 255.255.255.255
!
interface FastEthernet0/0
description -= GW_ISP: DHCP =-
ip address dhcp
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
!
interface Ethernet1/0
description -= GW_DMZ: 192.168.40.2 =-
ip address 192.168.40.2 255.255.255.248
ip nat inside
ip virtual-reassembly
half-duplex
no cdp enable
!
interface Ethernet1/1
description -= GW_LAN1: 192.168.41.2 =-
ip address 192.168.41.2 255.255.255.248
ip wccp web-cache redirect in
ip nat inside
ip virtual-reassembly
half-duplex
no cdp enable
!
interface Ethernet1/2
description -= GW_LAN2: 192.168.42.2 =-
ip address 192.168.42.2 255.255.255.248
ip wccp web-cache redirect in
ip nat inside
ip virtual-reassembly
half-duplex
no cdp enable
!
no ip http server
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 192.168.2.2
!
ip access-list extended SQUID
remark -= PROXY: 192.168.40.3 =-
permit tcp 192.168.41.0 0.0.0.7 any eq www
permit tcp 192.168.42.0 0.0.0.7 any eq www
!
control-plane
!
!
line con 0
exec-timeout 0 0
logging synchronous
line aux 0
line vty 0 4
login
!
!
end
http_port 192.168.40.3:3128
wccp_router 192.168.40.2
1. The Internet works on all LAN1-2 VMs and the packets pass through the FreeBSD em0 interface
>tcpdump -i em0 -n port 3128 or 2048
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on em0, link-type EN10MB (Ethernet), capture size 96 bytes
16:56:01.234637 IP 192.168.40.3.2048 > 192.168.40.2.2048: UDP, length 52
16:56:01.262088 IP 192.168.40.2.2048 > 192.168.40.3.2048: UDP, length 64
16:56:11.244483 IP 192.168.40.3.2048 > 192.168.40.2.2048: UDP, length 52
If gre0 is brought up and an fwd rule is added to ipfw, packets do not go through that rule!
>ifconfig gre0
gre0: flags=b051<UP,POINTOPOINT,RUNNING,LINK0,LINK1,MULTICAST> metric 0 mtu 1476
tunnel inet 192.168.40.3 --> 192.168.40.2
inet 192.168.40.3 --> 10.1.1.1 netmask 0xffffffff
>ipfw show
00040 0 0 fwd 192.168.40.3,3128 log logamount 100 tcp from any to any dst-port 80 via gre0
00100 322 53868 allow ip from any to any via lo0
00200 0 0 deny ip from any to 127.0.0.0/8
00300 0 0 deny ip from 127.0.0.0/8 to any
65000 18190 8236238 allow ip from any to any
65535 0 0 deny ip from any to any
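Added example (my own, not the poster's code): a decoder for the WCCPv1 control datagrams on UDP port 2048 seen in the tcpdump output above, to check what the router and Squid are actually agreeing on before looking at the GRE side. The field layout is assumed from the WCCPv1 draft (draft-forster-wrec-wccp-v1) and the sample datagrams are constructed.

```python
# Decoder for the WCCPv1 control messages seen on UDP 2048 (added example; layout per the WCCPv1 draft:
# 32-bit big-endian words, hash info = 256-bit bitmap of buckets assigned to a cache).
import struct
from dataclasses import dataclass, field

HERE_I_AM, I_SEE_YOU = 7, 8   # WCCPv1 message type codes
WCCP_VERSION_1 = 4

@dataclass
class CacheEntry:
    ip: str
    hash_revision: int
    buckets: int   # bits set in the 256-bit bucket bitmap

@dataclass
class WccpMessage:
    kind: str
    received_id: int
    caches: list = field(default_factory=list)

def _buckets(bitmap: bytes) -> int:
    return sum(bin(b).count("1") for b in bitmap)

def parse_wccp_v1(payload: bytes) -> WccpMessage:
    """Parse HERE_I_AM (52 bytes) or I_SEE_YOU (20 bytes + 44 per cache)."""
    msg_type, version = struct.unpack("!II", payload[:8])
    if version != WCCP_VERSION_1:
        raise ValueError(f"unsupported WCCP version {version}")
    if msg_type == HERE_I_AM:   # hash revision, hash info, flags word, received id
        rev, hash_info, _flags, rid = struct.unpack("!I32sII", payload[8:52])
        return WccpMessage("HERE_I_AM", rid, [CacheEntry("", rev, _buckets(hash_info))])
    if msg_type == I_SEE_YOU:   # change number, received id, cache count, then per-cache records
        _change, rid, ncaches = struct.unpack("!III", payload[8:20])
        msg, off = WccpMessage("I_SEE_YOU", rid), 20
        for _ in range(ncaches):
            ip, rev, hash_info, _flags = struct.unpack("!4sI32sI", payload[off:off + 44])
            msg.caches.append(CacheEntry(".".join(map(str, ip)), rev, _buckets(hash_info)))
            off += 44
        return msg
    raise ValueError(f"unhandled WCCP message type {msg_type}")

def redirection_possible(msg: WccpMessage) -> bool:
    """True if some cache owns at least one bucket; with none, the router has nothing to send over GRE."""
    return any(c.buckets > 0 for c in msg.caches)

# Constructed datagrams of the same sizes as the capture above: 52-byte HERE_I_AM, 64-byte I_SEE_YOU.
HERE_I_AM_SAMPLE = struct.pack("!III32sII", HERE_I_AM, WCCP_VERSION_1, 0, bytes(32), 0, 0)
I_SEE_YOU_EMPTY = struct.pack("!IIIII", I_SEE_YOU, WCCP_VERSION_1, 1, 1, 1) + struct.pack(
    "!4sI32sI", bytes([192, 168, 40, 3]), 0, bytes(32), 0)   # no buckets assigned yet
I_SEE_YOU_FULL = I_SEE_YOU_EMPTY[:28] + bytes([0xFF] * 32) + I_SEE_YOU_EMPTY[60:]   # all 256 buckets
```

Feeding the real UDP payloads from the capture to parse_wccp_v1 shows whether the router lists the cache with any buckets; a cache with an all-zero bitmap gets no redirected traffic, so no GRE packets reach gre0 and a fwd rule there stays at zero counters regardless of how it is written.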