В сервере 3 интерфейса, входящий, NAT и внешние айпи.
Нужно пусть NAT через один канал, а внешние айпи через другой, при этом чтобы трафик продолжал считаться по старой схеме
rc.firewall:
Код: Выделить всё
#!/bin/sh
FwCMD="/sbin/ipfw"
#INTERFACES!!!!
LanOut="fxp0"
LanOut2="rl2"
RealIPif="rl1"
LanIn="rl0"
#
IpOut="77.108.79.253"
IpOut2="192.168.200.1"
IpIn1="192.168.100.1"
IpIn2="192.168.4.250"
RealIpIn="87.245.160.113"
NetIn="192.168.100.0/24"
NetIn2="192.168.4.0/24"
NetRealIn="87.245.160.0/24"
NetMask="24"
${FwCMD} -f flush
${FwCMD} -f pipe flush
${FwCMD} -f queue flush
${FwCMD} add check-state
#${FwCMD} add count log udp from any to any
#${FwCMD} add count log tcp from any to any dst-port 25
#Traffic counting
${FwCMD} add divert 10001 ip from any to any via ${LanOut}
${FwCMD} add divert 10002 ip from any to any via ${LanIn}
${FwCMD} add allow ip from any to any via lo0
${FwCMD} add allow all from any to 87.245.160.121
${FwCMD} add allow all from 87.245.160.121 to any
${FwCMD} add allow all from any to 87.245.160.115
${FwCMD} add allow all from 87.245.160.115 to any
${FwCMD} add allow all from any to 87.245.160.120
${FwCMD} add allow all from 87.245.160.120 to any
${FwCMD} add allow all from any to 87.245.160.116
${FwCMD} add allow all from 87.245.160.116 to any
${FwCMD} add allow all from any to 87.245.160.117
${FwCMD} add allow all from 87.245.160.117 to any
${FwCMD} add allow all from any to 87.245.160.118
${FwCMD} add allow all from 87.245.160.118 to any
${FwCMD} add allow all from any to 87.245.160.118
${FwCMD} add allow all from 87.245.160.118 to any
${FwCMD} add allow all from any to 87.245.160.122
${FwCMD} add allow all from 87.245.160.122 to any
#icmp
${FwCMD} add deny log icmp from any to any frag
${FwCMD} add deny log icmp from any to 255.255.255.255 in via ${LanOut}
${FwCMD} add deny log icmp from any to 255.255.255.255 out via ${LanOut}
${FwCMD} add deny log icmp from any to any in icmptype 5,9,13,14,15,16,17
${FwCMD} add deny log ip from any to ${IpOut} 137-139,445 in via ${LanOut}
${FwCMD} add deny log ip from any to ${IpOut} 137-139,445 in via ${LanIn}
${FwCMD} add deny log ip from any to 0.0.0.0/8,10.0.0.0/8,172.16.0.0/12,169.254.0.0/16,240.0.0.0/3 in via ${LanOut}
${FwCMD} add deny tcp from any to me 5190 via ${LanOut}
${FwCMD} add deny log tcp from any to me 3306,3128 via ${LanOut}
#PROXY
${FwCMD} add fwd 127.0.0.1,3128 tcp from 192.168.100.0/24 to any 80 via ${LanOut}
#for ip alias
/usr/local/etc/traf/rc.ip
${FwCMD} add divert natd ip from any to ${IpOut} via ${LanOut}
#PIPE IN
${FwCMD} add pipe 1 ip from ${IpOut} to ${NetIn}/${NetMask}
${FwCMD} pipe 1 config bw 3500Kbit/s
${FwCMD} add pipe 2 ip from ${IpIn1} to ${NetIn}/${NetMask}
${FwCMD} pipe 2 config bw 3500Kbit/s
${FwCMD} add pipe 3 ip from any to any tcpflags ack iplen 0-128
${FwCMD} pipe 3 config bw 3500Kbit/s
#${FwCMD} add skipto 39999 ip from any to any tcpflags ack iplen 0-128
#allow ssh,http,smpt,pop3,imap,mysql,vpn
${FwCMD} add allow ip from any to me 20,80,25,110,143,993,1723,3306,10001,10002
${FwCMD} add allow ip from me to any via ${LanOut}
${FwCMD} add allow gre from any to any
${FwCMD} add allow ip from any to any via tun0
#DEBUG
#${FwCMD} add allow ip from any to me
#${FwCMD} add allow ip from me to any
${FwCMD} add allow tcp from any to any established
${FwCMD} add allow udp from any to ${IpOut} 53 in via ${LanOut}
${FwCMD} add allow udp from ${IpOut} 53 to any out via ${LanOut}
${FwCMD} add allow udp from any 53 to ${IpOut} in via ${LanOut}
${FwCMD} add allow udp from ${IpOut} to any 53 out via ${LanOut}
${FwCMD} add allow icmp from any to any
#ALLOW LAN's
/usr/local/etc/traf/rc_allow.ip
${FwCMD} add count log udp from any to any
${FwCMD} add deny log tcp from any to any