ue0 - faces the Internet
ue1 - local (LAN) interface
tun0 - VPN connection
Code:
# ifconfig -a
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
options=680003<RXCSUM,TXCSUM,LINKSTATE,RXCSUM_IPV6,TXCSUM_IPV6>
inet6 ::1 prefixlen 128
inet6 fe80::1%lo0 prefixlen 64 scopeid 0x1
inet 127.0.0.1 netmask 0xff000000
groups: lo
nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
ue0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
options=80009<RXCSUM,VLAN_MTU,LINKSTATE>
ether b8:27:eb:9f:19:56
inet 192.168.1.15 netmask 0xffffff00 broadcast 192.168.1.255
media: Ethernet autoselect (100baseTX <full-duplex>)
status: active
nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
ue1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
options=80008<VLAN_MTU,LINKSTATE>
ether 34:76:c5:08:0b:3f
inet 172.16.1.1 netmask 0xffffff00 broadcast 172.16.1.255
media: Ethernet autoselect (100baseTX <full-duplex>)
status: active
nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
tun0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> metric 0 mtu 1500
options=80000<LINKSTATE>
inet 10.8.0.3 --> 10.8.0.1 netmask 0xffffff00
inet6 fddd:1194:1194:1194::1001 prefixlen 64
inet6 fe80::ba27:ebff:fe9f:1956%tun0 prefixlen 64 scopeid 0x4
groups: tun
nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
Opened by PID 3472
Code:
# netstat -nr4
Routing tables
Internet:
Destination Gateway Flags Netif Expire
0.0.0.0/1 10.8.0.1 UGS tun0
default 192.168.1.1 UGS ue0
10.8.0.0/24 10.8.0.1 UGS tun0
10.8.0.1 link#4 UH tun0
10.8.0.3 link#4 UHS lo0
127.0.0.1 link#1 UH lo0
128.0.0.0/1 10.8.0.1 UGS tun0
172.16.1.0/24 link#3 U ue1
172.16.1.1 link#3 UHS lo0
178.32.216.92 192.168.1.1 UGHS ue0
192.168.1.0/24 link#2 U ue0
192.168.1.15 link#2 UHS lo0
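The interesting part of the routing table above is the pair of /1 routes (0.0.0.0/1 and 128.0.0.0/1) pointing at the tunnel: together they cover the whole IPv4 space but are more specific than `default`, so they win longest-prefix matching and pull everything into tun0 while the VPN is up, and the /32 host route to 178.32.216.92 keeps the tunnel endpoint itself reachable over ue0. The following lookup is an added example, not part of the original post; the table is transcribed from the `netstat -nr4` output above, with `default` written as 0.0.0.0/0.

```python
"""Longest-prefix-match lookup over the routing table from the post.

Added example (not the poster's code). ROUTES is transcribed from the
`netstat -nr4` output; link#N gateways mean "directly attached".
"""
import ipaddress

ROUTES = [
    ("0.0.0.0/1",        "10.8.0.1",    "tun0"),
    ("0.0.0.0/0",        "192.168.1.1", "ue0"),   # the "default" entry
    ("10.8.0.0/24",      "10.8.0.1",    "tun0"),
    ("10.8.0.1/32",      "link#4",      "tun0"),
    ("10.8.0.3/32",      "link#4",      "lo0"),
    ("127.0.0.1/32",     "link#1",      "lo0"),
    ("128.0.0.0/1",      "10.8.0.1",    "tun0"),
    ("172.16.1.0/24",    "link#3",      "ue1"),
    ("172.16.1.1/32",    "link#3",      "lo0"),
    ("178.32.216.92/32", "192.168.1.1", "ue0"),   # host route to the VPN server
    ("192.168.1.0/24",   "link#2",      "ue0"),
    ("192.168.1.15/32",  "link#2",      "lo0"),
]


def parse_routes(routes=ROUTES):
    """Turn the (prefix, gateway, netif) strings into ip_network objects."""
    return [(ipaddress.ip_network(dst), gw, ifn) for dst, gw, ifn in routes]


def routes_without(ifname, routes=ROUTES):
    """Simulate an interface going away: its routes are removed with it."""
    return [r for r in parse_routes(routes) if r[2] != ifname]


def lookup(dst, table=None):
    """Return (prefix, gateway, netif) of the most specific matching route.

    Longest prefix wins, exactly as the kernel's forwarding lookup does.
    """
    if table is None:
        table = parse_routes()
    addr = ipaddress.ip_address(dst)
    best = None
    for net, gw, ifn in table:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw, ifn)
    if best is None:
        raise LookupError(f"no route to {dst}")
    return str(best[0]), best[1], best[2]


def egress_interface(dst, table=None):
    """Which interface a packet to dst leaves on (the part that matters for leaks)."""
    return lookup(dst, table)[2]


if __name__ == "__main__":
    for d in ("8.8.8.8", "200.1.2.3", "178.32.216.92", "172.16.1.50", "192.168.1.20"):
        print(f"{d:>16} -> {lookup(d)}")
    # Same Internet destination once tun0 (and its routes) are gone:
    print("8.8.8.8 without tun0 ->", lookup("8.8.8.8", routes_without("tun0")))
```

The last line of the demo is the one to watch on a VPN gateway: when the tunnel interface disappears, the two /1 routes disappear with it and Internet-bound traffic silently falls back to `default` via ue0.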
rc.conf
Code:
# cat /etc/rc.conf
hostname="freebsdPI"
ifconfig_ue0="DHCP"
ifconfig_ue1="inet 172.16.1.1 netmask 255.255.255.0"
#
gateway_enable="YES"
firewall_enable="YES"
firewall_nat_enable="YES"
firewall_logging="YES"
natd_enable="YES"
natd_interface="ue0"
#
dnsmasq_enable="YES"
sshd_enable="YES"
Code:
#!/bin/bash
IPTABLES="/sbin/iptables"
# ACCEPT everything by default.
$IPTABLES -P INPUT ACCEPT
$IPTABLES -P FORWARD ACCEPT
$IPTABLES -P OUTPUT ACCEPT
# Set the nat and mangle tables' built-in chains to ACCEPT
$IPTABLES -t nat -P PREROUTING ACCEPT
$IPTABLES -t nat -P OUTPUT ACCEPT
$IPTABLES -t nat -P POSTROUTING ACCEPT
$IPTABLES -t mangle -P PREROUTING ACCEPT
$IPTABLES -t mangle -P INPUT ACCEPT
$IPTABLES -t mangle -P FORWARD ACCEPT
$IPTABLES -t mangle -P OUTPUT ACCEPT
$IPTABLES -t mangle -P POSTROUTING ACCEPT
# Cleanup: remove every existing rule so the script starts from a known state.
#------------------------------------------------------------------------------
# Flush all rules in the filter, nat and mangle tables
$IPTABLES -F
$IPTABLES -t nat -F
$IPTABLES -t mangle -F
# Delete all user-defined (non built-in) chains
$IPTABLES -X
$IPTABLES -t nat -X
$IPTABLES -t mangle -X
# Zero the packet and byte counters
$IPTABLES -Z
$IPTABLES -t nat -Z
$IPTABLES -t mangle -Z
#------------------------------------------------------------------------------
$IPTABLES -t nat -A POSTROUTING -o ue0 -j MASQUERADE
$IPTABLES -A FORWARD -i ue0 -o ue1 -m state --state RELATED,ESTABLISHED -j ACCEPT
$IPTABLES -A FORWARD -i ue1 -o ue0 -j ACCEPT
#VPN
$IPTABLES -t nat -A POSTROUTING -o tun0 -j MASQUERADE
$IPTABLES -A FORWARD -i tun0 -o ue1 -m state --state RELATED,ESTABLISHED -j ACCEPT
$IPTABLES -A FORWARD -i ue1 -o tun0 -j ACCEPT
Code:
# iptables -vL -t filter
Chain INPUT (policy ACCEPT 154M packets, 197G bytes)
pkts bytes target prot opt in out source destination
Chain FORWARD (policy ACCEPT 2 packets, 614 bytes)
pkts bytes target prot opt in out source destination
104K 233M ACCEPT all -- ue0 ue1 anywhere anywhere state RELATED,ESTABLISHED
113K 12M ACCEPT all -- ue1 ue0 anywhere anywhere
151M 186G ACCEPT all -- tun0 ue1 anywhere anywhere state RELATED,ESTABLISHED
72M 12G ACCEPT all -- ue1 tun0 anywhere anywhere
Chain OUTPUT (policy ACCEPT 73M packets, 16G bytes)
pkts bytes target prot opt in out source destination
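A small audit pass over the `iptables -vL -t filter` dump above, which is what the script before it produces. This is an added example and not the poster's code; the sample text is a transcription of the dump, and the interface roles (ue1 = LAN, ue0 = WAN, tun0 = VPN) are taken from the post's own description. The checks are generic, so the same function works on any `-vL` filter dump with the same column layout.

```python
"""Parse an `iptables -vL -t filter` dump and flag permissive forwarding.

Added example (not the poster's code). SAMPLE is transcribed from the
dump in the post; the three findings it yields are all visible in that text.
"""
import re

SAMPLE = """\
Chain INPUT (policy ACCEPT 154M packets, 197G bytes)
pkts bytes target prot opt in out source destination
Chain FORWARD (policy ACCEPT 2 packets, 614 bytes)
pkts bytes target prot opt in out source destination
104K 233M ACCEPT all -- ue0 ue1 anywhere anywhere state RELATED,ESTABLISHED
113K 12M ACCEPT all -- ue1 ue0 anywhere anywhere
151M 186G ACCEPT all -- tun0 ue1 anywhere anywhere state RELATED,ESTABLISHED
72M 12G ACCEPT all -- ue1 tun0 anywhere anywhere
Chain OUTPUT (policy ACCEPT 73M packets, 16G bytes)
pkts bytes target prot opt in out source destination
"""

CHAIN_RE = re.compile(r"^Chain (\S+) \(policy (\S+)")


def parse_filter_dump(text):
    """Return {chain: {"policy": ..., "rules": [rule, ...]}} from a -vL dump."""
    chains, current = {}, None
    for line in text.splitlines():
        m = CHAIN_RE.match(line)
        if m:
            current = m.group(1)
            chains[current] = {"policy": m.group(2), "rules": []}
            continue
        if current is None or not line.strip() or line.startswith("pkts"):
            continue  # header line or text before the first chain
        f = line.split()
        # -vL columns: pkts bytes target prot opt in out source destination [match extras]
        chains[current]["rules"].append({
            "target": f[2], "prot": f[3], "in": f[5], "out": f[6],
            "src": f[7], "dst": f[8], "extra": " ".join(f[9:]),
        })
    return chains


def audit(chains, lan="ue1", wan="ue0", vpn="tun0"):
    """Defender-side checks a VPN gateway's filter table should pass."""
    findings = []
    for name in ("INPUT", "FORWARD"):
        if chains.get(name, {}).get("policy") == "ACCEPT":
            findings.append(f"{name}: default policy is ACCEPT, unmatched traffic is allowed")
    fwd = chains.get("FORWARD", {}).get("rules", [])
    for r in fwd:
        if r["target"] != "ACCEPT":
            continue
        # Anything entering from the WAN should be limited to reply traffic.
        if r["in"] == wan and "state" not in r["extra"] and "conntrack" not in r["extra"]:
            findings.append(f"FORWARD: {wan}->{r['out']} ACCEPT without a connection-state match")
        # A LAN->WAN path next to the LAN->VPN path is the classic tunnel-down leak.
        if r["in"] == lan and r["out"] == wan:
            findings.append(f"FORWARD: {lan}->{wan} ACCEPT exists alongside {lan}->{vpn}; "
                            f"if {vpn} goes down, LAN traffic is forwarded out {wan} unencrypted")
    return findings


if __name__ == "__main__":
    for line in audit(parse_filter_dump(SAMPLE)):
        print("-", line)
```

The third finding is the one specific to this setup: the `ue1 -> ue0` ACCEPT rule and the `MASQUERADE` on ue0 are both present, so the only thing steering LAN traffic into the tunnel is the pair of /1 routes on tun0, and those vanish with the interface. Dropping the `ue1 -> ue0` forward rule (or switching FORWARD to a DROP policy with only the tun0 path allowed) makes the tunnel fail closed instead of open.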