Now in more detail:
I've set up FreeBSD 8.2, configured IPFW and (as it seems to me)) natd. The Internet connection is via PPPoE.
rc.conf:
```
## Net Settings ##
gateway_enable="YES"
hostname="proxy.domain.ru"
ifconfig_re0="inet 192.168.1.222 netmask 255.255.255.0"
ppp_enable="YES"
ppp_mode="ddial"
ppp_profile="bwc"
firewall_enable="YES"
firewall_script="/etc/list.ipfw"
firewall_logging="YES"
natd_enable="YES"
natd_interface="tun0"
natd_flags="-f /etc/natd.conf"
tcp_extensions="NO"
tcp_drop_synfin="YES"
icmp_drop_redirect="YES"
icmp_log_redirect="YES"
```
```
unregistered_only yes
use_sockets yes
#deny_incoming yes
same_ports yes
#interface tun0
#verbose no
#log no
#port 8668
redirect_port tcp 192.168.1.21:5060 5060
```
```sh
${FwCMD} -f flush
${FwCMD} 00100 add allow all from any to any via lo0
${FwCMD} 00101 add deny all from any to 127.0.0.0/8
${FwCMD} 00102 add deny all from 127.0.0.0/8 to any
${FwCMD} 00200 add check-state
#deny hacker
${FwCMD} 10 add drop ip from any to 58.65.234.17
${FwCMD} 10 add drop ip from 58.65.234.17 to any
${FwCMD} 10 add drop ip from any to 69.50.160.212
${FwCMD} 10 add drop ip from 69.50.160.212 to any
${FwCMD} add deny ip from any to 10.0.0.0/8 in via ${LanOut}
${FwCMD} add deny ip from any to 172.16.0.0/12 in via ${LanOut}
#${FwCMD} add deny ip from any to 192.168.0.0/16 in via ${LanOut}
${FwCMD} add deny ip from any to 0.0.0.0/8 in via ${LanOut}
${FwCMD} add deny ip from any to 169.254.0.0/16 in via ${LanOut}
${FwCMD} add deny ip from any to 240.0.0.0/4 in via ${LanOut}
${FwCMD} add deny icmp from any to any frag
${FwCMD} add deny log icmp from any to 255.255.255.255 in via ${LanOut}
${FwCMD} add deny log icmp from any to 255.255.255.255 out via ${LanOut}
############################################ FireWall In #########################################
# #
${FwCMD} add divert natd ip from ${NetIn}/${NetMask} to any out xmit ${LanOut}
${FwCMD} add divert natd ip from any to ${IpOut} in recv ${LanOut}
${FwCMD} add deny ip from 10.0.0.0/8 to any out via ${LanOut}
${FwCMD} add deny ip from 172.16.0.0/12 to any out via ${LanOut}
#${FwCMD} add deny ip from 192.168.0.0/16 to any out via ${LanOut}
${FwCMD} add deny ip from 0.0.0.0/8 to any out via ${LanOut}
${FwCMD} add deny ip from 169.254.0.0/16 to any out via ${LanOut}
${FwCMD} add deny ip from 224.0.0.0/4 to any out via ${LanOut}
${FwCMD} add deny ip from 240.0.0.0/4 to any out via ${LanOut}
${FwCMD} 300 add allow tcp from any to any established
${FwCMD} 301 add allow ip from ${IpOut} to any out xmit ${LanOut} keep-state
${FwCMD} 303 add allow udp from any 53 to any via ${LanOut}
${FwCMD} 304 add allow udp from any to any 123 via ${LanOut}
${FwCMD} 305 add allow tcp from any to ${IpOut} 22 via ${LanOut}
${FwCMD} 306 add allow tcp from 192.168.1.116 to ${IpIn} 22 via ${LanIn}
${FwCMD} 307 add pass tcp from any to ${IpOut} 20,21 in via ${LanOut}
${FwCMD} 308 add pass tcp from any to ${IpOut} 49000-50000 in via ${LanOut}
${FwCMD} 309 add allow tcp from any to ${IpOut} 80 via ${LanOut}
${FwCMD} 310 add allow tcp from any to ${IpOut} 25 in via ${LanOut} setup
${FwCMD} 311 add allow icmp from any to any out icmptype 8
${FwCMD} 312 add allow icmp from any to any in icmptype 0
${FwCMD} 313 add allow ip from any to any via ${LanIn}
${FwCMD} add divert natd ip from 192.168.1.21 5060 to any out xmit ${LanOut}
${FwCMD} add pass tcp from any to 192.168.1.21 5060 in recv ${LanOut}
```
```
options IPFIREWALL
options IPFIREWALL_VERBOSE
options IPFIREWALL_VERBOSE_LIMIT=100
options IPFIREWALL_FORWARD
options IPDIVERT
options DUMMYNET
```
```
re0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
options=389b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM,WOL_UCAST,WOL_MCAST,WOL_MAGIC>
ether 1c:6f:65:85:e9:ec
inet 192.168.1.222 netmask 0xffffff00 broadcast 192.168.1.255
media: Ethernet autoselect (1000baseT <full-duplex>)
status: active
rl0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
options=3808<VLAN_MTU,WOL_UCAST,WOL_MCAST,WOL_MAGIC>
ether 00:02:44:71:89:9a
media: Ethernet autoselect (100baseTX <full-duplex>)
status: active
plip0: flags=8810<POINTOPOINT,SIMPLEX,MULTICAST> metric 0 mtu 1500
ipfw0: flags=8801<UP,SIMPLEX,MULTICAST> metric 0 mtu 65536
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
options=3<RXCSUM,TXCSUM>
inet 127.0.0.1 netmask 0xff000000
tun0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> metric 0 mtu 1492
options=80000<LINKSTATE>
inet 81.18.118.295 --> 2.2.2.3 netmask 0xffffffff
Opened by PID 492
```
${FwCMD} 309 add allow tcp from any to ${IpOut} 80 via ${LanOut}
placed below the rule
${FwCMD} add divert natd ip from any to ${IpOut} in recv ${LanOut}
then I can't get to the page, and the same ipfw show says that the packets pass through the rule ${FwCMD} add divert natd ip from any to ${IpOut} in recv ${LanOut} and go nowhere further.
Dear experts, what did I do wrong, and how do I redirect the traffic to the local machine?
Please help, or point me where to dig...
P.S. I've trawled the Internet, forums and sites about BSD, read a lot, tried different files and rules... But it's stuck somewhere. The struggle has already gone into its second week...
I'd be very grateful for any help, and as I understand it the topic is fairly standard...
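A checker for the rule-ordering problem described above, added here as my own example (not code from the post or from FreeBSD): given the inbound rules in script order, with the shell variables left unexpanded as in the post, and the redirect_port lines from natd.conf, it reports an allow rule for the outside address that sits above the inbound divert (the packet is accepted before natd can rewrite it) and a missing pass rule for the inside host below the divert. The sample rules and natd.conf text are constructed from the post; the variable names ${IpOut} and ${LanOut} are assumed to stand for the external address and tun0.

```python
import re

# Constructed sample from the post: the inbound divert, rule 309 and the
# 5060 pass rule, in script order, with ${FwCMD} dropped and variables unexpanded.
RULES = [
    "add divert natd ip from any to ${IpOut} in recv ${LanOut}",
    "309 add allow tcp from any to ${IpOut} 80 via ${LanOut}",
    "add pass tcp from any to 192.168.1.21 5060 in recv ${LanOut}",
]
NATD_CONF = "redirect_port tcp 192.168.1.21:5060 5060\n"


def parse_redirects(conf):
    """Yield (proto, inside_ip, inside_port, outside_port) per redirect_port line."""
    pat = re.compile(r"^\s*redirect_port\s+(tcp|udp)\s+(\S+):(\d+)\s+(\d+)")
    for line in conf.splitlines():
        m = pat.match(line)
        if m:
            yield m.group(1), m.group(2), int(m.group(3)), int(m.group(4))


def check_forwarding(rules, conf, ext_ip="${IpOut}", ext_if="${LanOut}"):
    """Lint the rule order for every natd redirect_port entry.
    Returns a list of findings; an empty list means the order looks right."""
    findings = []
    divert = next((i for i, r in enumerate(rules)
                   if "divert natd" in r and f" in recv {ext_if}" in r), None)
    if divert is None:
        return [f"no inbound 'divert natd ... in recv {ext_if}' rule"]
    for proto, ip, iport, oport in parse_redirects(conf):
        # Above the divert the packet is still addressed to the outside IP, so an
        # allow/pass there ends the rule search before natd can rewrite it.
        above = re.compile(rf"\b(allow|pass|accept)\s+{proto}\b.*\bto {re.escape(ext_ip)}\s+{oport}\b")
        for r in rules[:divert]:
            if above.search(r):
                findings.append(f"{proto}/{oport}: '{r}' sits above the divert, NAT is bypassed")
        # Below the divert the destination is already the inside host, so a pass
        # rule for inside_ip:inside_port arriving on the outside interface is needed.
        below = re.compile(rf"\b(allow|pass|accept)\s+{proto}\b.*\bto {re.escape(ip)}\s+{iport}\b.*\brecv {re.escape(ext_if)}")
        if not any(below.search(r) for r in rules[divert + 1:]):
            findings.append(f"{proto}/{oport}: no pass rule to {ip}:{iport} below the divert")
    return findings


if __name__ == "__main__":
    for line in check_forwarding(RULES, NATD_CONF) or ["rule order is consistent with natd.conf"]:
        print(line)
```

Note that natd.conf in the post redirects only tcp/5060, so the checker has nothing to say about port 80 until a matching redirect_port line exists.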