Почта стоит за шлюзом на отдельной машине, в natd прописан проброс 25 порта на почтовый сервер. На обоих серверах FreeBSD 7. Шлюз — ipfw+natd+squid, почта — Exim+dovecot.
tcpdump на внешнем и на внутреннем интерфейсах даёт следующее. На внешнем интерфейсе:
/usr/home/aleksey/>tcpdump -n -i fxp0 port 25
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on fxp0, link-type EN10MB (Ethernet), capture size 96 bytes
18:37:38.296148 IP 88.236.41.220.12089 > 87.245.165.251.25: S 416971547:416971547(0) win 65535 <mss 1452,nop,nop,sackOK>
18:37:38.818033 IP 82.146.166.144.1029 > 87.245.165.251.25: S 967478550:967478550(0) win 16384 <mss 1460,nop,nop,sackOK>
18:37:41.212719 IP 88.236.41.220.12089 > 87.245.165.251.25: S 416971547:416971547(0) win 65535 <mss 1452,nop,nop,sackOK>
18:37:41.824933 IP 82.146.166.144.1029 > 87.245.165.251.25: S 967478550:967478550(0) win 16384 <mss 1460,nop,nop,sackOK>
18:37:47.248306 IP 88.236.41.220.12089 > 87.245.165.251.25: S 416971547:416971547(0) win 65535 <mss 1452,nop,nop,sackOK>
18:37:47.755648 IP 82.146.166.144.1029 > 87.245.165.251.25: S 967478550:967478550(0) win 16384 <mss 1460,nop,nop,sackOK>
18:38:00.339771 IP 213.226.192.126.3995 > 87.245.165.251.25: S 186765182:186765182(0) win 65535 <mss 1460,nop,nop,sackOK>
18:38:03.210925 IP 213.226.192.126.3995 > 87.245.165.251.25: S 186765182:186765182(0) win 65535 <mss 1460,nop,nop,sackOK>
18:38:09.228907 IP 213.226.192.126.3995 > 87.245.165.251.25: S 186765182:186765182(0) win 65535 <mss 1460,nop,nop,sackOK>
18:39:12.944868 IP 213.226.192.126.3921 > 87.245.165.251.25: S 4013591335:4013591335(0) win 65535 <mss 1460,nop,nop,sackOK>
18:39:15.950930 IP 213.226.192.126.3921 > 87.245.165.251.25: S 4013591335:4013591335(0) win 65535 <mss 1460,nop,nop,sackOK>
18:39:21.961391 IP 213.226.192.126.3921 > 87.245.165.251.25: S 4013591335:4013591335(0) win 65535 <mss 1460,nop,nop,sackOK>
18:39:25.712374 IP 201.66.35.228.2813 > 87.245.165.251.25: S 236351132:236351132(0) win 65535 <mss 1452,nop,nop,sackOK>
18:39:28.798368 IP 201.66.35.228.2813 > 87.245.165.251.25: S 236351132:236351132(0) win 65535 <mss 1452,nop,nop,sackOK>
18:40:08.564449 IP 78.111.244.252.3813 > 87.245.165.251.25: S 3252254759:3252254759(0) win 2238 <mss 1440,nop,nop,sackOK>
18:40:11.574945 IP 78.111.244.252.3813 > 87.245.165.251.25: S 3252254759:3252254759(0) win 2238 <mss 1440,nop,nop,sackOK>
18:40:12.483874 IP 213.226.192.126.4643 > 87.245.165.251.25: S 1226242965:1226242965(0) win 65535 <mss 1460,nop,nop,sackOK>
18:40:15.446300 IP 213.226.192.126.4643 > 87.245.165.251.25: S 1226242965:1226242965(0) win 65535 <mss 1460,nop,nop,sackOK>
18:40:17.614032 IP 78.111.244.252.3813 > 87.245.165.251.25: S 3252254759:3252254759(0) win 2238 <mss 1440,nop,nop,sackOK>
...
18:42:25.150414 IP 94.178.153.14.64392 > 87.245.165.251.25: S 801406774:801406774(0) win 65535 <mss 1440,nop,nop,sackOK>
18:42:39.744974 IP 124.121.252.244.11037 > 87.245.165.251.25: S 963268206:963268206(0) win 65535 <mss 1452,nop,nop,sackOK>
18:42:40.116151 IP 83.239.61.54.3285 > 87.245.165.251.25: S 1328832444:1328832444(0) win 65535 <mss 1360,nop,nop,sackOK>
18:42:42.833549 IP 124.121.252.244.11037 > 87.245.165.251.25: S 963268206:963268206(0) win 65535 <mss 1452,nop,nop,sackOK>
18:42:42.998881 IP 83.239.61.54.3285 > 87.245.165.251.25: S 1328832444:1328832444(0) win 65535 <mss 1360,nop,nop,sackOK>
18:42:46.632237 IP 88.244.30.192.20212 > 87.245.165.251.25: S 292703994:292703994(0) win 65535 <mss 1452,nop,nop,sackOK>
18:42:48.757058 IP 124.121.252.244.11037 > 87.245.165.251.25: S 963268206:963268206(0) win 65535 <mss 1452,nop,nop,sackOK>
18:42:49.016874 IP 83.239.61.54.3285 > 87.245.165.251.25: S 1328832444:1328832444(0) win 65535 <mss 1360,nop,nop,sackOK>
18:42:49.552350 IP 88.244.30.192.20212 > 87.245.165.251.25: S 292703994:292703994(0) win 65535 <mss 1452,nop,nop,sackOK>
18:42:54.230763 IP 89.169.156.195.23970 > 87.245.165.251.25: S 2512861100:2512861100(0) win 65535 <mss 1440,nop,nop,sackOK>
18:42:55.486792 IP 88.244.30.192.20212 > 87.245.165.251.25: S 292703994:292703994(0) win 65535 <mss 1452,nop,nop,sackOK>
18:42:57.157695 IP 89.169.156.195.23970 > 87.245.165.251.25: S 2512861100:2512861100(0) win 65535 <mss 1440,nop,nop,sackOK>
18:42:59.742096 IP 124.121.252.244.11052 > 87.245.165.251.25: S 153615355:153615355(0) win 65535 <mss 1452,nop,nop,sackOK>
18:43:00.034035 IP 83.239.61.54.3307 > 87.245.165.251.25: S 4013242267:4013242267(0) win 65535 <mss 1360,nop,nop,sackOK>
18:43:02.749271 IP 124.121.252.244.11052 > 87.245.165.251.25: S 153615355:153615355(0) win 65535 <mss 1452,nop,nop,sackOK>
18:43:03.018756 IP 83.239.61.54.3307 > 87.245.165.251.25: S 4013242267:4013242267(0) win 65535 <mss 1360,nop,nop,sackOK>
18:43:03.193509 IP 89.169.156.195.23970 > 87.245.165.251.25: S 2512861100:2512861100(0) win 65535 <mss 1440,nop,nop,sackOK>
18:43:08.767281 IP 124.121.252.244.11052 > 87.245.165.251.25: S 153615355:153615355(0) win 65535 <mss 1452,nop,nop,sackOK>
18:43:09.033690 IP 83.239.61.54.3307 > 87.245.165.251.25: S 4013242267:4013242267(0) win 65535 <mss 1360,nop,nop,sackOK>
/var/log/>tcpdump -n -i rl0 port 25
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on rl0, link-type EN10MB (Ethernet), capture size 96 bytes
18:42:24.023694 IP 115.73.6.166.3642 > 192.168.0.7.25: R 27855734:27855734(0) ack 0 win 6144
# natd(8) configuration for the gateway.  Each line is the long form of the
# corresponding natd command-line option.  No interface / alias address is set
# in this file — presumably passed on the command line or via rc.conf; verify.

# Log aliasing statistics and link information to natd's log file (see natd(8)).
log yes
# Try to keep the original source port when translating outgoing packets.
same_ports yes
# Allocate real sockets for protocols that need a guaranteed port (e.g. FTP data).
use_sockets yes
# Only translate packets whose source is an RFC 1918 (unregistered) address.
unregistered_only yes
# Inbound TCP connections to port 25 on the alias (public) address are rewritten
# to the LAN mail host 192.168.0.7:25.  Because the destination address changes
# here, an ipfw rule placed after the inbound divert must admit traffic to
# 192.168.0.7, not to the public address, or the redirected SYN is dropped.
redirect_port tcp 192.168.0.7:25 25
# Follow changes of the interface address (dynamic IP); only has an effect
# together with an interface (-n) option, which is not in this file.
dynamic yes
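#!/bin/sh
# ipfw rule set for the FreeBSD 7 gateway (ipfw + natd + squid).
#
# Topology: the mail host (Exim + dovecot) is a separate LAN machine; natd.conf
# carries "redirect_port tcp 192.168.0.7:25 25", so inbound SMTP to the public
# address is rewritten by natd to the LAN mail host.
#
# Why inbound SMTP never reached the LAN: the inbound divert rule hands the
# packet to natd, which rewrites the DESTINATION to the mail host; ipfw then
# resumes matching at the rule after the divert with the translated packet.
# The old "allow tcp from any to ${IpOut} 25" no longer matches (the
# destination is not ${IpOut} any more), "via ${LanIn}" does not match either
# (the packet is still "in via ${LanOut}"), so the SYN falls through to the
# final deny.  RST/ACK segments do pass, through the "established" rule (it
# matches TCP packets with RST or ACK set) — which is exactly what tcpdump
# showed: SYN retransmissions on ${LanOut}, a lone R packet on ${LanIn}.
# Fix: admit the post-NAT packet addressed to ${MailIn} (SMTP section below).

FwCMD="/sbin/ipfw"
LanOut="fxp0"           # external (Internet-facing) interface
LanIn="rl0"             # internal (LAN) interface
IpOut="87.245.165.251"  # public address of the gateway
IpIn="192.168.0.5"      # LAN address of the gateway
NetMask="24"
NetIn="192.168.0.0"
MailIn="192.168.0.7"    # LAN mail host; must match redirect_port in natd.conf

# Start from an empty rule set (-f: no confirmation prompt).
${FwCMD} -f flush
${FwCMD} add check-state
${FwCMD} add allow ip from any to any via lo0
${FwCMD} add deny ip from any to 127.0.0.0/8
${FwCMD} add deny ip from 127.0.0.0/8 to any

# Anti-spoofing on the way in: nothing addressed to private/reserved ranges may
# arrive from the outside.  These run BEFORE the inbound divert, so the
# destination is still the public address here and the natd redirect to
# ${MailIn} is not affected by the 192.168.0.0/16 line.
${FwCMD} add deny ip from any to 10.0.0.0/8 in via ${LanOut}
${FwCMD} add deny ip from any to 172.16.0.0/12 in via ${LanOut}
${FwCMD} add deny ip from any to 192.168.0.0/16 in via ${LanOut}
${FwCMD} add deny ip from any to 0.0.0.0/8 in via ${LanOut}
${FwCMD} add deny ip from any to 169.254.0.0/16 in via ${LanOut}
${FwCMD} add deny ip from any to 224.0.0.0/4 in via ${LanOut}
${FwCMD} add deny ip from any to 240.0.0.0/4 in via ${LanOut}
${FwCMD} add deny icmp from any to any frag
${FwCMD} add deny log icmp from any to 255.255.255.255 in via ${LanOut}
${FwCMD} add deny log icmp from any to 255.255.255.255 out via ${LanOut}

# Transparent redirects for LAN clients (FTP to a proxy on ${IpIn}:2121,
# HTTP to squid on 127.0.0.1:3128).  Both lines were cut at 80 columns in the
# posted copy: "${LanOu" can only be ${LanOut}; the squid line is assumed to be
# ${LanIn} (redirect on the way in from the LAN) — TODO verify against the
# original script.
${FwCMD} add fwd ${IpIn},2121 tcp from ${NetIn}/${NetMask} to any 21 via ${LanOut}
${FwCMD} add fwd 127.0.0.1,3128 tcp from ${NetIn}/${NetMask} to any 80 via ${LanIn}

# NAT.  After either divert rule the packet is re-injected with translated
# addresses and matching continues at the next rule.
${FwCMD} add divert natd ip from ${NetIn}/${NetMask} to any out via ${LanOut}
${FwCMD} add divert natd ip from any to ${IpOut} in via ${LanOut}

# Anti-spoofing on the way out (post-NAT: legitimate LAN traffic already
# carries ${IpOut} as its source at this point).
${FwCMD} add deny ip from 10.0.0.0/8 to any out via ${LanOut}
${FwCMD} add deny ip from 172.16.0.0/12 to any out via ${LanOut}
${FwCMD} add deny ip from 192.168.0.0/16 to any out via ${LanOut}
${FwCMD} add deny ip from 0.0.0.0/8 to any out via ${LanOut}
${FwCMD} add deny ip from 169.254.0.0/16 to any out via ${LanOut}
${FwCMD} add deny ip from 224.0.0.0/4 to any out via ${LanOut}
${FwCMD} add deny ip from 240.0.0.0/4 to any out via ${LanOut}

# "established" = RST or ACK set: replies of connections that are already open.
# This is also what let the R packet through to ${MailIn} while SYNs were dropped.
${FwCMD} add allow tcp from any to any established
${FwCMD} add allow ip from ${IpOut} to any out xmit ${LanOut}
${FwCMD} add allow udp from any 53 to any via ${LanOut}
${FwCMD} add allow udp from any to any 123 via ${LanOut}
# FTP on the gateway itself (control port + passive data range).
${FwCMD} add allow tcp from any to ${IpOut} 21 via ${LanOut}
${FwCMD} add allow tcp from any to ${IpOut} 49152-65535 via ${LanOut}
${FwCMD} add allow icmp from any to any icmptypes 0,8,11

# SMTP.  The first rule is kept for the pre-NAT address but does not match the
# redirected SYN: by the time it is evaluated natd has already rewritten the
# destination to ${MailIn}, so the second rule is the one that admits inbound
# mail.  The SYN-ACK from ${MailIn} goes back out through the outbound divert
# and the "established" rule, so no extra rule is needed for the reply path.
${FwCMD} add allow tcp from any to ${IpOut} 25 via ${LanOut}
${FwCMD} add allow tcp from any to ${MailIn} 25 in via ${LanOut}
# POP3: the natd.conf shown redirects only port 25, so this rule admits port 110
# on the gateway itself, not on the mail host.  If dovecot on ${MailIn} is meant
# to be reachable from outside, a redirect_port for 110 plus a matching post-NAT
# rule (as for SMTP above) is required.
${FwCMD} add allow tcp from any to ${IpOut} 110 via ${LanOut}

# LAN side is fully trusted.
${FwCMD} add allow tcp from any to any via ${LanIn}
${FwCMD} add allow udp from any to any via ${LanIn}
${FwCMD} add allow icmp from any to any via ${LanIn}
${FwCMD} add deny ip from any to any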
Пните в нужную сторону.
