Есть проблема, решил поменять на роутерах фрю на 8.2. Вроде и NAT побыстрее и прочее.
NAT запустил, но не могу разобраться с пробросом портов с изменением номера порта
/etc/rc.conf
Код: Выделить всё
hostname="router"
font8x14="cp866-8x14"
font8x16="cp866b-8x16"
font8x8="cp866-8x8"
mousechar_start="3"
#___configure_interfaces____
ifconfig_em0="inet 192.168.253.1 netmask 255.255.255.0"
ifconfig_em1="inet 192.168.254.99 netmask 255.255.255.0"
defaultrouter="192.168.254.1"
#___conigure_services_______
gateway_enable="YES"
sshd_enable="YES"
squid_enable="YES"
named_enable="YES"
dhcpd_enable="YES"
dhcpd_ifaces="em0"
dhcpd_conf="/usr/local/etc/dhcpd.conf"
firewall_enable="YES"
firewall_script="/etc/firewall"
firewall_nat_enable="YES"
firewall_nat_interface="em1"
dummynet_enable="YES"
Код: Выделить всё
options IPFIREWALL
options IPFIREWALL_NAT
options IPFIREWALL_VERBOSE
options IPFIREWALL_VERBOSE_LIMIT=100
options IPFIREWALL_FORWARD
options IPFIREWALL_DEFAULT_TO_ACCEPT
options DUMMYNET
options IPSEC
options IPSEC_FILTERTUNNEL
options LIBALIAS
device crypto
Код: Выделить всё
net.inet.ip.fw.one_pass=1
Код: Выделить всё
#!/bin/sh
ipfw -f flush
LanOut="em1"
LanIn="em0"
IpOut="192.168.254.99"
IpIn="192.168.253.1"
dns1="192.168.253.1"
NetMask="24"
NetIn="192.168.253.0"
#Хождение через loopbask
ipfw add 10 allow all from any to any via lo0
ipfw add 20 fwd 127.0.0.1,3128 tcp from 192.168.253.0/24 to any dst-port 80 via $LanIn
#------------------------------------------
ipfw nat 1 config if $LanOut log reset same_ports redirect_port tcp 192.168.253.40:4899 4899
ipfw add 100 nat 1 tcp from any to $IpOut 4899 via $LanOut
ipfw add 100 allow tcp from any to 192.168.253.40 4899 via $LanIn
ipfw nat 2 config if $LanOut log reset same_ports redirect_port tcp 192.168.253.115:3389 3390
ipfw add 200 nat 3 tcp from any to $IpOut 3390 via $LanOut
ipfw add 200 allow tcp from any to 192.168.253.115 3389 via $LanIn
#---------------NAT--------------------------------------
ipfw nat 10 config if $LanOut
ipfw add 500 nat 10 ip from any to any via $LanOut
#Разрешения для локалки
ipfw add 700 allow tcp from 192.168.0.0/24 to any via $LanIn
#Разрешаю ssh
ipfw add 800 allow tcp from any to any 22 via $LanIn
#Разрошение на соединение, не прерывать соединение и получение фрагментир покетов
ipfw add 900 allow all from $IpOut to any out via $LanOut setup
ipfw add 910 allow tcp from any to any established
ipfw add 920 allow tcp from any to any frag
#Разрешение DNS
ipfw add 1000 allow udp from $dns1 53 to $IpOut in via $LanOut
ipfw add 1000 allow udp from $IpOut to $dns1 53 keep-state
#Запрет NETBIOS
ipfw add 1100 deny udp from any to any 137,138 via $LanOut
ipfw add 1100 deny tcp from any to any 135,139 via $LanOut
#DHCP
ipfw add 1200 allow udp from any to 192.168.0.1 67 via $LanIn keep-state
#ssh,smtp,pop,http
ipfw add 1300 allow tcp from any to $IpOut 22,25,110,80 via $LanOut setup
#Сброс опознавания
ipfw add 1400 reset tcp from any to $IpOut 113 via $LanOut
Код: Выделить всё
16:10:22.583336 IP 192.168.254.21.54175 > 192.168.253.115.3389: Flags [S], seq 3615645881, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
16:10:22.583745 ARP, Request who-has 192.168.253.1 tell 192.168.253.115, length 46
16:10:22.583753 ARP, Reply 192.168.253.1 is-at 00:1b:21:c6:08:6b, length 28
16:10:22.583994 IP 192.168.253.115.3389 > 192.168.254.21.54175: Flags [S.], seq 166832142, ack 3615645882, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
16:10:22.584188 IP 192.168.254.21.54175 > 192.168.253.115.3389: Flags [R], seq 3615645882, win 0, length 0
Если поставить стандартный порт 3389....то
Код: Выделить всё
16:28:58.059018 IP 192.168.254.21.54592 > 192.168.253.115.3389: Flags [S], seq 340847803, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
16:28:58.059412 ARP, Request who-has 192.168.253.1 tell 192.168.253.115, length 46
16:28:58.059420 ARP, Reply 192.168.253.1 is-at 00:1b:21:c6:08:6b, length 28
16:28:58.059660 IP 192.168.253.115.3389 > 192.168.254.21.54592: Flags [S.], seq 402049147, ack 340847804, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
16:28:58.059864 IP 192.168.254.21.54592 > 192.168.253.115.3389: Flags [.], ack 1, win 256, length 0
16:28:58.060113 IP 192.168.254.21.54592 > 192.168.253.115.3389: Flags [P.], ack 1, win 256, length 19
16:28:58.063159 IP 192.168.253.115.3389 > 192.168.254.21.54592: Flags [.], ack 20, win 256, length 0
16:28:58.063284 IP 192.168.253.115.3389 > 192.168.254.21.54592: Flags [P.], ack 20, win 256, length 19
16:28:58.258628 IP 192.168.254.21.54592 > 192.168.253.115.3389: Flags [.], ack 20, win 256, length 0
16:28:59.211906 STP 802.1w, Rapid STP, Flags [Forward], bridge-id 8000.20:fd:f1:9b:52:80.800c, length 47
16:28:59.984169 IP 192.168.254.21.54592 > 192.168.253.115.3389: Flags [F.], seq 20, ack 20, win 256, length 0
16:28:59.984357 IP 192.168.253.115.3389 > 192.168.254.21.54592: Flags [.], ack 21, win 256, length 0
16:28:59.984479 IP 192.168.253.115.3389 > 192.168.254.21.54592: Flags [R.], seq 20, ack 21, win 0, length 0