IPFW

[g.aleks]

Подскажите пожалуйста как сделать проброс портов для определенных IP адресов.
Сейчас можно с любого адреса подключится.

Код: Выделить всё

$ipfw nat 123 config log if $Ext_Iface reset same_ports deny_in \
redirect_port tcp 192.168.0.30:3389 11130
$ipfw add nat 123 all from any to any via $Ext_Iface

[Хостинг HostFood.ru]

Тарифы на хостинг в России, от 12 рублей: https://www.host-food.ru/tariffs/hosting/
Тарифы на виртуальные сервера (VPS/VDS/KVM) в РФ, от 189 руб.: https://www.host-food.ru/tariffs/virtualny-server-vps/
Выделенные сервера, Россия, Москва, от 2000 рублей (HP Proliant G5, Intel Xeon E5430 (2.66GHz, Quad-Core, 12Mb), 8Gb RAM, 2x300Gb SAS HDD, P400i, 512Mb, BBU):
https://www.host-food.ru/tariffs/vydelennyi-server-ds/
Недорогие домены в популярных зонах: https://www.host-food.ru/domains/

[vadim64]

давайте весь конфиг фаервола

[g.aleks]

Фаервол сконфигурирован с опцией IPFIREWALL_DEFAULT_TO_ACCEPT

Код: Выделить всё

ipfw="/sbin/ipfw"

# External interface
Ext_Iface="alc0"
Ext_Ip="192.168.10.3"
Ext_Net="192.168.10.0/24"

# Internal interface
Lan_Iface="re0"
Lan_Ip="192.168.0.3"
Lan_Net="192.168.0.0/24"

# VPN interface
VPN_Iface="rl0"
VPN_Ip="192.168.1.103"
VPN_Net="192.168.1.0/24"

# Sbros pravil
$ipfw -f flush
$ipfw add check-state

# deny flood traffic
$ipfw add allow all from any to any via lo0
$ipfw add deny all from any to 127.0.0.0/8
$ipfw add deny all from 127.0.0.0/8 to any

# autoban
$ipfw add deny log logamount 0 all from table\(1\) to me

# deny internal network on out interface
$ipfw add deny log logamount 0 all from $Lan_Net to any in via $Ext_Iface

# deny external on internal interface
$ipfw add deny log logamount 0 all from $Ext_Net to any in via $Lan_Iface

# deny privat network on out interface
$ipfw add deny log logamount 0 all from any to 10.0.0.0/8 in via $Ext_Iface
$ipfw add deny log logamount 0 all from any to 172.16.0.0/12 in via $Ext_Iface
$ipfw add deny log logamount 0 all from any to 0.0.0.0/8 in via $Ext_Iface

# deny autoconf privat network
$ipfw add deny log logamount 0 all from any to 169.254.0.0/16 in via $Ext_Iface

# deny multicast
$ipfw add deny log logamount 0 all from any to 224.0.0.0/4 in via $Ext_Iface
$ipfw add deny log logamount 0 all from any to 240.0.0.0/4 in via $Ext_Iface

# deny fragment icmp
$ipfw add deny log logamount 0 icmp from any to any frag

#deny multicast icmp on out interface
$ipfw add deny log logamount 0 icmp from any to 255.255.255.255 in via $Ext_Iface
$ipfw add deny log logamount 0 icmp from any to 255.255.255.255 out via $Ext_Iface

# squid
$ipfw add fwd 127.0.0.1,3128 tcp from $Lan_Net to any 80 via $Ext_Iface

# deny traffic to private network via out interface
$ipfw add deny log logamount 0 all from 10.0.0.0/8 to any out via $Ext_Iface
$ipfw add deny log logamount 0 all from 172.16.0.0/12 to any out via $Ext_Iface
$ipfw add deny log logamount 0 all from 0.0.0.0/8 to any out via $Ext_Iface

# deny autoconf privat network
$ipfw add deny log logamount 0 all from 169.254.0.0/16 to any out via $Ext_Iface

# deny multicast
$ipfw add deny log logamount 0 all from 224.0.0.0/4 to any out via $Ext_Iface
$ipfw add deny log logamount 0 all from 240.0.0.0/4 to any out via $Ext_Iface

# ICMP
$ipfw add allow icmp from any to any icmptypes 0,3,8,11
$ipfw add deny log logamount 0 icmp from any to me in via $Ext_Iface icmptypes 5,9,10,13,15,17

# NTP
$ipfw add allow udp from any to any 123 keep-state

# FTP
$ipfw add allow tcp from any to $Ext_Ip 20,21 in via $Ext_Iface setup
$ipfw add allow tcp from any to $Ext_Ip 50000-50100 via $Ext_Iface

#WWW
$ipfw add allow all from any to $Ext_Ip 80 in via $Ext_Iface
# SSH
$ipfw add deny log logamount 0 tcp from any to $Ext_Ip 22 via $Ext_Iface setup
$ipfw add allow log logamount 0 tcp from any to $Ext_Ip 2724 via $Ext_Iface setup

# allow local traffic
$ipfw add allow ip from any to any via $Lan_Iface
$ipfw add allow ip from any to any via $VPN_Iface

$ipfw add deny log logamount 0 all from any to $Ext_Ip 3389 via $Ext_Iface setup

# NAT
$ipfw nat 123 config log if $Ext_Iface reset same_ports deny_in \
redirect_port tcp 192.168.0.30:3389 11130 \
redirect_port tcp 192.168.0.2:3389 11102 \
redirect_port tcp 192.168.0.20:3389 11120 \
redirect_port tcp 192.168.0.84:3389 11184 \
redirect_port tcp 192.168.0.100:3389 11100 \
redirect_port tcp 192.168.0.22:3389 11122 \
redirect_port tcp 192.168.0.22:443 11125

$ipfw add nat 123 all from any to any via alc0

[vadim64]

Код: Выделить всё

ipfw="/sbin/ipfw"

# Priveleged ip
$ipfw table 2 flush
$ipfw table 2 add whitehouse.gov

# External interface
Ext_Iface="alc0"
Ext_Ip="192.168.10.3"
Ext_Net="192.168.10.0/24"

# Internal interface
Lan_Iface="re0"
Lan_Ip="192.168.0.3"
Lan_Net="192.168.0.0/24"

# VPN interface
VPN_Iface="rl0"
VPN_Ip="192.168.1.103"
VPN_Net="192.168.1.0/24"

# Sbros pravil
$ipfw -f flush
$ipfw add check-state

# deny flood traffic
$ipfw add allow all from any to any via lo0
$ipfw add deny all from any to 127.0.0.0/8
$ipfw add deny all from 127.0.0.0/8 to any

# autoban
$ipfw add deny log logamount 0 all from table\(1\) to me

# deny internal network on out interface
$ipfw add deny log logamount 0 all from $Lan_Net to any in via $Ext_Iface

# deny external on internal interface
$ipfw add deny log logamount 0 all from $Ext_Net to any in via $Lan_Iface

# deny privat network on out interface
$ipfw add deny log logamount 0 all from any to 10.0.0.0/8 in via $Ext_Iface
$ipfw add deny log logamount 0 all from any to 172.16.0.0/12 in via $Ext_Iface
$ipfw add deny log logamount 0 all from any to 0.0.0.0/8 in via $Ext_Iface

# deny autoconf privat network
$ipfw add deny log logamount 0 all from any to 169.254.0.0/16 in via $Ext_Iface

# deny multicast
$ipfw add deny log logamount 0 all from any to 224.0.0.0/4 in via $Ext_Iface
$ipfw add deny log logamount 0 all from any to 240.0.0.0/4 in via $Ext_Iface

# deny fragment icmp
$ipfw add deny log logamount 0 icmp from any to any frag

#deny multicast icmp on out interface
$ipfw add deny log logamount 0 icmp from any to 255.255.255.255 in via $Ext_Iface
$ipfw add deny log logamount 0 icmp from any to 255.255.255.255 out via $Ext_Iface

# squid
$ipfw add fwd 127.0.0.1,3128 tcp from $Lan_Net to any 80 via $Ext_Iface

# deny traffic to private network via out interface
$ipfw add deny log logamount 0 all from 10.0.0.0/8 to any out via $Ext_Iface
$ipfw add deny log logamount 0 all from 172.16.0.0/12 to any out via $Ext_Iface
$ipfw add deny log logamount 0 all from 0.0.0.0/8 to any out via $Ext_Iface

# deny autoconf privat network
$ipfw add deny log logamount 0 all from 169.254.0.0/16 to any out via $Ext_Iface

# deny multicast
$ipfw add deny log logamount 0 all from 224.0.0.0/4 to any out via $Ext_Iface
$ipfw add deny log logamount 0 all from 240.0.0.0/4 to any out via $Ext_Iface

# ICMP
$ipfw add allow icmp from any to any icmptypes 0,3,8,11
$ipfw add deny log logamount 0 icmp from any to me in via $Ext_Iface icmptypes 5,9,10,13,15,17

# NTP
$ipfw add allow udp from any to any 123 keep-state

# FTP
$ipfw add allow tcp from any to $Ext_Ip 20,21 in via $Ext_Iface setup
$ipfw add allow tcp from any to $Ext_Ip 50000-50100 via $Ext_Iface

#WWW
$ipfw add allow all from any to $Ext_Ip 80 in via $Ext_Iface
# SSH
$ipfw add deny log logamount 0 tcp from any to $Ext_Ip 22 via $Ext_Iface setup
$ipfw add allow log logamount 0 tcp from any to $Ext_Ip 2724 via $Ext_Iface setup

# allow local traffic
$ipfw add allow ip from any to any via $Lan_Iface
$ipfw add allow ip from any to any via $VPN_Iface

$ipfw add deny log logamount 0 all from any to $Ext_Ip 3389 via $Ext_Iface setup

# NAT
$ipfw nat 1 config log if $Ext_Iface reset same_ports deny_in
$ipfw nat 2 config log if $Ext_Iface reset same_ports deny_in \
redirect_port tcp 192.168.0.30:3389 11130 \
redirect_port tcp 192.168.0.2:3389 11102 \
redirect_port tcp 192.168.0.20:3389 11120 \
redirect_port tcp 192.168.0.84:3389 11184 \
redirect_port tcp 192.168.0.100:3389 11100 \
redirect_port tcp 192.168.0.22:3389 11122 \
redirect_port tcp 192.168.0.22:443 11125

$ipfw add nat 2 all from table\(2\) to me via alc0
$ipfw add nat 2 all from any to table\(2\) via alc0
$ipfw add nat 1 all from any to any via alc0

примерно так

[g.aleks]

Огромное спасибо все работает. Я себе сделал что бы table 2 заполнялся из файла может будет кому интересно

Код: Выделить всё

ipfw="/sbin/ipfw"

#Priveleged ip
$ipfw table 2 flush
cat /путь/до/файла/с/адресами | while read ip;
$ipfw table 2 add $ip
done;

В файле с адресами обязательно надо внизу оставить пустую строку иначе не будет считываться последний адрес.

Тему можно закрыть с пометкой решено.

[vadim64]

а теперь проверьте что будет если файла нету или там абра-кадабра

[g.aleks]

Ни чего страшного не произошло, просто нет ни у кого доступа))) Меня это вполне устраивает.

[vadim64]

ну ок