для сайта, на который постоянно ломятся китайцы и пытаются его DDoS-ить. Я создал, начальство, перед тем как я его включу на постоянной основе и подниму несколько взаимозаменяемых PPPoE, требует проверить по такой схеме. Сейчас у нас стоит Windows Kerio, который поднимает PPPoE и рулит правилами. На нём дополнительно прописаны две подсети 10.65.1.253 и 10.65.2.253 для теста
rc.conf имеет такой вид:
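# /etc/rc.conf for the "vorota" test gateway.
# em0 sits on the 10.65.1.248/29 segment shared with the Kerio box (10.65.1.253),
# em1 sits on 10.65.2.0/24 and is the side natd translates to.
hostname="vorota"

# Interfaces.
ifconfig_em1="inet 10.65.2.254 netmask 255.255.255.0"
ifconfig_em0="inet 10.65.1.254 netmask 255.255.255.248"
# Default route goes to the Kerio box on the em0 side (it holds the real uplink
# in this test layout), not out em1.
defaultrouter="10.65.1.253"
gateway_enable="YES"

# Firewall. firewall_script replaces /etc/rc.firewall entirely; firewall_type is
# a knob that rc.firewall reads, so with a custom script it has no effect unless
# that script consults the variable itself.
firewall_enable="YES"
firewall_type="OPEN"
firewall_script="/etc/firewall.my"
firewall_quiet="NO"
firewall_logging="YES"
sshd_enable="YES"

# Static routes.
# NOTE(review): 10.65.2.0/24 is directly connected on em1, and the gateway named
# here (10.65.1.254) is this host's own em0 address, so this entry is either
# rejected as a duplicate or shadows the connected route — check `netstat -rn`
# and drop it if it is not needed.
static_routes="internalnet2"
route_internalnet2="-net 10.65.2.0/24 10.65.1.254"

# natd on em1; -m = same_ports (try to keep the original source port),
# the rest of the options (port redirects to the web host) live in /etc/natd.conf.
natd_enable="YES"
natd_interface="em1"
natd_flags="-m -f /etc/natd.conf"

# ICMP redirects: a router must not let neighbours rewrite its routing table;
# drop them and log the attempts.
icmp_drop_redirect="YES"
icmp_log_redirect="YES"

# IPv6 off. (The original file listed ipv6_activate_all_interfaces twice with
# the same value; one copy is enough.)
ipv6_network_interfaces="none"
ipv6_activate_all_interfaces="NO"
# NOTE(review): the rc.d script is ip6addrctl (compare ip6addrctl_policy below),
# so this knob name looks misspelled — confirm which name rc(8) honours.
ipv6addrctl_enable="NO"
ip6addrctl_policy="ipv4_prefer"

# No local mail system on a gateway.
sendmail_enable="NO"
sendmail_submit_enable="NO"
sendmail_outbound_enable="NO"
sendmail_msp_queue_enable="NO"

# Console keymap.
keymap="ru.koi8-r.kbd"

# USB (mouse).
usbd_enable="YES"
usbd_flags=""

# Set dumpdev to "AUTO" to enable crash dumps, "NO" to disable
dumpdev="AUTO"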
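#!/bin/sh
# /etc/firewall.my — ipfw ruleset for the "vorota" gateway, loaded through
# firewall_script in rc.conf. ipfw is first-match: the first rule a packet hits
# decides its fate, so the order below *is* the policy. Whatever nothing else
# matched is logged and dropped by rule 65534 at the end.
#
# NOTE(review): every packet crossing em1 reaches the `divert natd` rule below.
# ipfw drops a packet that hits a divert rule while no process is bound to the
# divert port (8668 for "natd"), so if natd is not running — for instance because
# /etc/natd.conf did not parse — em1 traffic silently ends at that rule. The copy
# of /etc/natd.conf shown next to this script ends every line but the last with
# a backslash, which is not natd.conf syntax; if those are really in the file
# natd will most likely refuse it. Check `pgrep natd` and the per-rule counters
# from `ipfw -a list` before looking anywhere else.
#ipfw resetlog

fwcmd="/sbin/ipfw"
extinterface="em1"
intinterface="em0"
# Test addressing — to be swapped for the domru values.
extip="10.65.2.254"
intip="10.65.1.254"
extnet="10.65.2.0/24"
intnet="10.65.1.248/29"
natdinterface="em1"
#dns1="109.194.16.1"
#dns2="109.194.17.1"
dns1="10.65.2.253"
dns2="10.65.1.253"

# Start from an empty ruleset.
"${fwcmd}" -f flush

# Loopback: anything on lo0 passes; 127/8 is never valid on a real interface.
"${fwcmd}" add pass all from any to any via lo0
"${fwcmd}" add deny all from any to 127.0.0.0/8
"${fwcmd}" add deny all from 127.0.0.0/8 to any

# Anti-spoofing (disabled): packets claiming the inside net arriving on the
# outside interface, and packets claiming the outside net arriving on the inside.
#"${fwcmd}" add deny all from "${intnet}" to any in via "${extinterface}"
#"${fwcmd}" add deny all from "${extnet}" to any in via "${intinterface}"

# Private / reserved destinations are not routed through the outside interface.
# 10/8 and 192.168/16 are presumably commented out only because the test
# networks themselves live in 10.65.x.x; re-enable them, together with the
# spoofing rules above, once the real external address is in place.
#"${fwcmd}" add deny all from any to 10.0.0.0/8 via "${extinterface}"
"${fwcmd}" add deny all from any to 172.16.0.0/12 via "${extinterface}"
#"${fwcmd}" add deny all from any to 192.168.0.0/16 via "${extinterface}"
#"${fwcmd}" add deny all from any to 0.0.0.0/8 via "${extinterface}"
"${fwcmd}" add deny all from any to 169.254.0.0/16 via "${extinterface}"
"${fwcmd}" add deny all from any to 224.0.0.0/4 via "${extinterface}"
#"${fwcmd}" add deny all from any to 240.0.0.0/4 via "${extinterface}"

# Traffic between the two subnets passes freely (same nets as extnet/intnet;
# the original spelled them out literally).
# NOTE(review): these two rules sit above the divert, so a packet between the
# two nets is accepted here and never reaches natd; any other packet leaving em1
# is diverted, and after natd rewrites it, processing resumes at the rule after
# the divert (see divert in ipfw(8)).
"${fwcmd}" add allow ip from "${extnet}" to "${intnet}"
"${fwcmd}" add allow ip from "${intnet}" to "${extnet}"

# Ping for testing.
# NOTE(review): this admits every ICMP type on both sides; for a host that is
# being flooded, narrow it to what is needed (e.g. `icmptypes 0,3,8,11`).
"${fwcmd}" add allow icmp from any to any via "${intinterface}"
"${fwcmd}" add allow icmp from any to any via "${extinterface}"

# NAT: hand everything crossing em1 to natd.
"${fwcmd}" add divert natd all from any to any via "${natdinterface}"
#"${fwcmd}" add divert natd all from any to any out via "${natdinterface}"
#"${fwcmd}" add divert natd all from "${natdinterface}" to any via "${extinterface}"
# NOTE(review): the rule above already diverts every packet via em1, so this
# second divert only re-diverts packets that are still addressed to extip after
# natd has seen them once — probably redundant; confirm with the counters.
"${fwcmd}" add divert natd all from any to "${extip}" via "${natdinterface}"

# Kerio (10.65.1.253) from the outside: its web ports are blocked, the rest is
# allowed further down. In the original these two denies came *after*
# `allow tcp from any to any 80/443` and after the blanket allow to 10.65.1.253,
# so first-match semantics made them unreachable; they now precede both.
# (Sources inside extnet still bypass them via the inter-subnet rule above.)
"${fwcmd}" add deny tcp from any to 10.65.1.253 80 via "${extinterface}"
"${fwcmd}" add deny tcp from any to 10.65.1.253 443 via "${extinterface}"

# Published services on the web host 10.65.1.251. Only the port is matched
# here; the address rewriting is done by the redirect_port entries in natd.conf.
# NOTE(review): these three rules carry no interface or direction, so they also
# pass any host on either side to port 80/443/1022 anywhere.
"${fwcmd}" add allow tcp from any to any 80
#"${fwcmd}" add divert 80 tcp from any to 10.65.1.251 80 via "${natdinterface}"
"${fwcmd}" add allow tcp from any to any 443
#"${fwcmd}" add divert 443 tcp from any to 10.65.1.251 443 via "${natdinterface}"
"${fwcmd}" add allow tcp from any to any 1022
#"${fwcmd}" add divert 1022 tcp from any to 10.65.1.251 22 via "${natdinterface}"
# Source port 20 to high ports on this host — looks like active-mode FTP data;
# confirm it is still wanted. (Original used the literal 10.65.2.254 = extip.)
"${fwcmd}" add allow tcp from any 20 to "${extip}" 1024-65535 via "${extinterface}"
# NOTE(review): `fwd` without a direction also applies to outbound port
# 80/443/1022 TCP from the inside and would likely steer those packets at
# 10.65.1.251 instead of the default route. The natd redirect_port lines already
# cover the inbound case, so restrict these with `in` or remove them.
# NOTE(review): natd.conf as shown redirects external port 20 to 10.65.1.251:1022
# while the rules here map 1022 to 1022 — the two disagree; confirm which is meant.
"${fwcmd}" add fwd 10.65.1.251,80 tcp from any to any 80 via "${natdinterface}"
"${fwcmd}" add fwd 10.65.1.251,443 tcp from any to any 443 via "${natdinterface}"
"${fwcmd}" add fwd 10.65.1.251,1022 tcp from any to any 1022 via "${natdinterface}"

# Everything else to Kerio from the outside (its 80/443 were refused above).
"${fwcmd}" add allow all from any to 10.65.1.253 via "${extinterface}"
#"${fwcmd}" add divert natd all from any to 10.65.1.253 via "${natdinterface}"

# Refuse packets *from* reserved source ranges on the outside (disabled).
#"${fwcmd}" add deny all from 0.0.0.0/8 to any via "${extinterface}"
#"${fwcmd}" add deny all from 169.254.0.0/8 to any via "${extinterface}"
#"${fwcmd}" add deny all from 224.0.0.0/8 to any via "${extinterface}"
#"${fwcmd}" add deny all from 240.0.0.0/8 to any via "${extinterface}"

# Inside interface: the web host and Kerio within the 11.95 network, and then
# everything else on em0.
"${fwcmd}" add allow all from any to 10.65.1.251 via "${intinterface}"
"${fwcmd}" add allow all from any to 10.65.1.253 via "${intinterface}"
"${fwcmd}" add allow all from any to any via "${intinterface}"

# Outbound from the NATed address through em1. The original comment said
# "all packet types", but the rule is TCP only: UDP (beyond the two DNS rules
# below) and any other protocol from extip is not covered and ends at 65534.
"${fwcmd}" add allow tcp from "${extip}" to any out via "${extinterface}"

# Replies for established TCP.
# NOTE(review): `established` is stateless — it matches any TCP segment with ACK
# or RST set, from anywhere, whether or not a connection exists, so ACK-flagged
# probes from the outside pass here. For production prefer `check-state` plus
# `keep-state` on the outbound rule above and on the service rules.
"${fwcmd}" add allow tcp from any to any established

# Non-first fragments carry no port header, so they cannot match the port rules;
# they are let through so fragmented TCP/UDP can be reassembled by the end host.
"${fwcmd}" add allow all from any to any frag

# DNS: answers from the two resolvers arriving on the outside, and this host's
# own queries tracked with keep-state.
"${fwcmd}" add allow udp from "${dns1}" 53 to any in via "${extinterface}"
"${fwcmd}" add allow udp from "${dns2}" 53 to any in via "${extinterface}"
"${fwcmd}" add allow udp from "${extip}" to "${dns1}" 53 keep-state
"${fwcmd}" add allow udp from "${extip}" to "${dns2}" 53 keep-state

# No broadcasts.
"${fwcmd}" add deny ip from any to 255.255.255.255

# Windows NetBIOS / RPC ports stay off the outside interface.
"${fwcmd}" add deny udp from any to any 137,138 via "${extinterface}"
"${fwcmd}" add deny tcp from any to any 135,139 via "${extinterface}"

# DHCP (disabled). Note: as written it refers to ${localinterface}, which this
# script never defines.
#"${fwcmd}" add allow udp from any to any to 255.255.255.255 67,68,69 via ${localinterface}

# ssh and mail to this host (disabled).
#"${fwcmd}" add allow tcp from any to "${extip}" 22 via "${extinterface}"
#"${fwcmd}" add allow tcp from any to "${extip}" 25 via "${extinterface}"

# Ident: answer with a RST instead of dropping, so peers that probe 113 do not
# wait for a timeout.
"${fwcmd}" add reset tcp from any to "${extip}" 113 via "${extinterface}"

# Catch-all: log and drop. Numbered 65534 so the kernel's own 65535 is untouched.
"${fwcmd}" add 65534 deny log ip from any to any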
/etc/natd.conf
use_sockets yes\
verbose no\
log_ipfw_denied yes\
redirect_port tcp 10.65.1.251:80 80\
redirect_port tcp 10.65.1.251:443 443\
redirect_port tcp 10.65.1.251:1022 20
то показывается, что пакет уходит в NAT (divert 8668 ip from any to any via em1) и дальше по правилам не идёт — почему? Я действительно уже много времени потратил на этот свой затык, так что если вы меня подтолкнёте, я вам буду очень признателен
А именно: срабатывает правило «разрешить обмен между подсетями», пакет приходит на em0, затем divert на em1 — и затухает