Port forwarding (ipfw + natd)

NR
Private
Posts: 43
Joined: 2010-10-06 15:05:51

Port forwarding (ipfw + natd)

Unread post by NR » 2012-02-29 16:34:32

I can't get access to an IP camera from the Internet :evil: It's been a week now :st:
rl0 - LAN, tun0 - GSM modem

/etc/>>uname -a

Code: Select all

FreeBSD bsd.otpo.loc 8.0-RELEASE FreeBSD 8.0-RELEASE #0: Mon Jun 21 16:19:09 MSD 2010
/etc/>>ifconfig -a

Code: Select all

rl0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=8<VLAN_MTU>
        inet 192.168.0.6 netmask 0xffffff00 broadcast 192.168.0.255
        media: Ethernet autoselect (100baseTX <full-duplex>)
        status: active
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
        options=3<RXCSUM,TXCSUM>
        inet6 fe80::1%lo0 prefixlen 64 scopeid 0x3
        inet6 ::1 prefixlen 128
        inet 127.0.0.1 netmask 0xff000000
tun0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> metric 0 mtu 1500
        inet 11.11.111.111 --> 10.0.0.2 netmask 0xffffffff
        Opened by PID 13989
rc.conf

Code: Select all

gateway_enable="YES"
hostname="bsd.otpo.loc"
ifconfig_rl0="inet 192.168.0.6  netmask 255.255.255.0"

keymap="ru.koi8-r"
mousechar_start="3"
moused_enable="YES"
moused_port="/dev/psm0"
moused_type="auto"
saver="logo"
scrnmap="koi8-r2cp866"
sshd_enable="YES"



ftpd_enable="YES"
ftpd_flags="-D -l -m"

ppp_enable="YES"
ppp_mode="ddial"
ppp_profile="megafon"


natd_enable="YES"
natd_interface="tun0"
natd_flags="-f /etc/natd.conf"
#natd_flags="-dynamic -redirect_port tcp 192.168.0.20:8080 8080 -f /etc/natd.conf"
firewall_enable="YES"
firewall_script="/etc/my.firewall"
natd.conf

Code: Select all

interface tun0
dynamic yes
same_ports yes
use_sockets yes
port 8668
redirect_port tcp 192.168.0.20:8080 8080
log yes
Routing tables

Code: Select all

Internet:
Destination        Gateway            Flags    Refs      Use  Netif Expire
default            10.0.0.2           UGS         0  1386418   tun0
10.0.0.2           link#4             UHS         0        0   tun0
ip-11-11-111-111.n link#4             UHS         0        0    lo0
localhost          link#3             UH          0     4037    lo0
192.168.0.0        link#2             U           2  2898963    rl0
bsd                link#2             UHS         0        0    lo0
ipfw show

Code: Select all

00100  0     0 allow ip from any to any via lo0
00200  0     0 deny ip from any to 127.0.0.0/8
00300  0     0 deny ip from 127.0.0.0/8 to any
00400  0     0 deny ip from 192.168.0.0/24 to any in via tun0
00500  0     0 deny ip from 11.11.111.111 to any in via rl0
00600  0     0 deny ip from any to 172.16.0.0/12 in via tun0
00700  0     0 deny ip from any to 192.168.0.0/16 in via tun0
00800  0     0 deny ip from any to 0.0.0.0/8 in via tun0
00900  0     0 deny ip from any to 169.254.0.0/16 in via tun0
01000  0     0 deny ip from any to 224.0.0.0/4 in via tun0
01100  0     0 deny ip from any to 240.0.0.0/4 in via tun0
01200  0     0 deny icmp from any to any frag
01300  0     0 deny log logamount 100 icmp from any to 255.255.255.255 in via tun0
01400  0     0 deny log logamount 100 icmp from any to 255.255.255.255 out via tun0
01500  0     0 divert 8668 ip from 192.168.0.0/24 to any out via tun0
01600  0     0 divert 8668 ip from any to 11.11.111.111 in via tun0
01700  0     0 allow tcp from any to 192.168.0.20 dst-port 8080 via rl0
01800  0     0 allow tcp from any to 192.168.0.20 dst-port 8080 via tun0
01900  3   120 count ip from not 192.168.0.0/24 to 192.168.0.103 out via rl0
02000  0     0 count ip from not 192.168.0.0/24 to 192.168.0.104 out via rl0
02100  0     0 count ip from not 192.168.0.0/24 to 192.168.0.109 out via rl0
02200  0     0 deny ip from 172.16.0.0/12 to any out via tun0
02300  0     0 deny ip from 192.168.0.0/16 to any out via tun0
02400  0     0 deny ip from 0.0.0.0/8 to any out via tun0
02500  0     0 deny ip from 169.254.0.0/16 to any out via tun0
02600  0     0 deny ip from 224.0.0.0/4 to any out via tun0
02700  0     0 deny ip from 240.0.0.0/4 to any out via tun0
02800  0     0 allow icmp from any to any icmptypes 0,8,11
02900 57  4212 allow ip from any to 192.168.0.0/24 in via rl0
03000 52 22358 allow ip from 192.168.0.0/24 to any out via rl0
03100  3   120 allow tcp from any to any established
03200  0     0 allow tcp from any to any dst-port 53
03300  0     0 allow tcp from any 53 to any
03400  0     0 allow udp from any to any dst-port 53
03500  0     0 allow udp from any 53 to any
03600  0     0 allow udp from any to any dst-port 123 via tun0
03700  0     0 allow tcp from any to 11.11.111.111 dst-port 53 in via tun0 setup
03800  0     0 allow tcp from any to 11.11.111.111 dst-port 80 in via tun0 setup
03900  0     0 allow tcp from any to 11.11.111.111 dst-port 20,21 in via tun0 setup
04000  0     0 allow tcp from any to 11.11.111.111 dst-port 25 in via tun0 setup
04100  0     0 allow tcp from any to 11.11.111.111 dst-port 22 in via tun0 setup
04200  0     0 allow tcp from any to 11.11.111.111 dst-port 49152-65535 via tun0
04300  0     0 deny log logamount 100 tcp from any to 11.11.111.111 in via tun0 setup
04400  0     0 allow tcp from 11.11.111.111 to any out via tun0 setup
04500  3   144 allow tcp from any to 11.11.111.111 in via rl0 setup
04600  0     0 allow tcp from 192.168.0.0/24 to any dst-port 5190 in via rl0 setup
04700  0     0 allow tcp from 192.168.0.20 to not 192.168.0.0/24 in via rl0 setup
65535  1    68 deny ip from any to any

Code: Select all

tcpdump -i tun0 dst port 8080
catches nothing
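When a redirect like this does not work, the first thing worth establishing is whether the ruleset itself would pass the packet or whether the packet never reaches the box at all. The script below is an added example, not code from the forum post or from FreeBSD: it parses a subset of the `ipfw show` listing above (the rules relevant to the camera redirect, counters dropped, treated as constructed sample input), applies the `redirect_port` entry from natd.conf at the divert rule the way ipfw and natd do, and reports which rule ends the walk for an inbound SYN. The source address 203.0.113.5 and source port 40000 are constructed; the keyword support is limited to what this ruleset uses, and any other keyword raises an error rather than silently mis-matching.

```python
"""Trace an inbound packet through an ipfw ruleset that uses natd diverts.

Added example (not from the forum post). Models only the keywords in the
poster's rules: allow/deny/divert/count, ip/tcp/udp, [not] addr or network,
a bare source port, dst-port (lists, ranges), in/out, via, setup,
established, and the 'log logamount N' modifier.
"""
import ipaddress

# Constructed sample: subset of the first `ipfw show` listing, counters removed.
RULESET = """
00100 allow ip from any to any via lo0
00400 deny ip from 192.168.0.0/24 to any in via tun0
01600 divert 8668 ip from any to 11.11.111.111 in via tun0
01700 allow tcp from any to 192.168.0.20 dst-port 8080 via rl0
01800 allow tcp from any to 192.168.0.20 dst-port 8080 via tun0
03100 allow tcp from any to any established
04100 allow tcp from any to 11.11.111.111 dst-port 22 in via tun0 setup
04300 deny log logamount 100 tcp from any to 11.11.111.111 in via tun0 setup
65535 deny ip from any to any
"""

# The poster's natd.conf redirect_port entry: (proto, public port) -> (inside host, port)
REDIRECTS = {("tcp", 8080): ("192.168.0.20", 8080)}


def _addr(toks, i):
    """Parse '[not] any|addr|addr/prefix' at toks[i]; return ((negate, network), next i)."""
    neg = toks[i] == "not"
    if neg:
        i += 1
    net = None if toks[i] == "any" else ipaddress.ip_network(toks[i], strict=False)
    return (neg, net), i + 1


def parse_rule(line):
    toks = line.split()
    rule = {"num": int(toks[0]), "action": toks[1], "sport": None, "dport": None,
            "dir": None, "via": None, "setup": False, "established": False}
    i = 2
    if rule["action"] == "divert":
        i += 1                            # skip the divert port number
    if toks[i] == "log":                  # logging modifier, not a match condition
        i += 1
        if toks[i] == "logamount":
            i += 2
    rule["proto"] = toks[i]
    i += 1
    assert toks[i] == "from"
    rule["src"], i = _addr(toks, i + 1)
    if toks[i] != "to":                   # a bare number here is a source port
        rule["sport"] = toks[i]
        i += 1
    assert toks[i] == "to"
    rule["dst"], i = _addr(toks, i + 1)
    while i < len(toks):
        t = toks[i]
        if t == "dst-port":
            rule["dport"] = toks[i + 1]
            i += 2
        elif t in ("in", "out"):
            rule["dir"] = t
            i += 1
        elif t == "via":
            rule["via"] = toks[i + 1]
            i += 2
        elif t in ("setup", "established"):
            rule[t] = True
            i += 1
        else:
            raise ValueError(f"rule {rule['num']}: keyword {t!r} is not modelled")
    return rule


def load_rules(text):
    return [parse_rule(line) for line in text.strip().splitlines()]


def _addr_ok(spec, ip):
    neg, net = spec
    return (net is None or ipaddress.ip_address(ip) in net) != neg


def _port_ok(spec, port):
    if spec is None:
        return True
    for part in spec.split(","):          # handles "20,21" and "49152-65535"
        lo, _, hi = part.partition("-")
        if int(lo) <= port <= int(hi or lo):
            return True
    return False


def matches(rule, pkt):
    if rule["proto"] != "ip" and rule["proto"] != pkt["proto"]:
        return False
    if not (_addr_ok(rule["src"], pkt["src"]) and _addr_ok(rule["dst"], pkt["dst"])):
        return False
    if not (_port_ok(rule["sport"], pkt["sport"]) and _port_ok(rule["dport"], pkt["dport"])):
        return False
    if rule["dir"] and rule["dir"] != pkt["dir"]:
        return False
    if rule["via"] and rule["via"] != pkt["iface"]:
        return False
    if rule["setup"] and not ("syn" in pkt["flags"] and "ack" not in pkt["flags"]):
        return False
    if rule["established"] and not (pkt["flags"] & {"ack", "rst"}):
        return False
    return True


def trace(rules, pkt, redirects):
    """Return (verdict, rule numbers visited, final (dst, dport)).

    allow/deny end the walk, count falls through, and divert hands the packet
    to natd: an inbound packet whose port has a redirect_port entry gets its
    destination rewritten, then ipfw continues at the next rule (outbound
    masquerading is not modelled here).
    """
    pkt = dict(pkt)
    path = []
    for rule in rules:
        if not matches(rule, pkt):
            continue
        path.append(rule["num"])
        if rule["action"] in ("allow", "deny"):
            return rule["action"], path, (pkt["dst"], pkt["dport"])
        if rule["action"] == "divert" and pkt["dir"] == "in":
            target = redirects.get((pkt["proto"], pkt["dport"]))
            if target:
                pkt["dst"], pkt["dport"] = target
    return "deny", path, (pkt["dst"], pkt["dport"])   # ipfw's implicit default


def inbound_syn(src, dport, iface="tun0"):
    """A TCP SYN from the Internet arriving on the outside interface (constructed)."""
    return {"proto": "tcp", "src": src, "sport": 40000, "dst": "11.11.111.111",
            "dport": dport, "dir": "in", "iface": iface, "flags": {"syn"}}


if __name__ == "__main__":
    rules = load_rules(RULESET)
    for port in (8080, 22, 8081):
        verdict, path, final = trace(rules, inbound_syn("203.0.113.5", port), REDIRECTS)
        print(f"SYN to :{port:<5} -> {verdict:5} via rules {path}, delivered to {final}")
```

With this subset the SYN to port 8080 is diverted at 01600, comes back with destination 192.168.0.20:8080 and is accepted at 01800, while a SYN to an unredirected port ends at the logging deny 04300, so if the packet reached the box a trace of it would be visible either in `ipfw -a list` counters or in the log. When the walk passes but `tcpdump` on the outside interface stays silent, the packet is not arriving on tun0 at all, and that is worth confirming before editing any rules.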


NR
Private
Posts: 43
Joined: 2010-10-06 15:05:51

Re: Port forwarding (ipfw + natd)

Unread post by NR » 2012-02-29 16:52:02

ppp.conf

Code: Select all

default:
 set log Phase Chat LCP IPCP CCP tun command
 ident user-ppp VERSION (built COMPILATIONDATE)
 enable dns

megafon:
 set device /dev/cuaU0.0
 set speed 460800

 set dial "\"\" \
     AT OK \
     AT OK \
     ATS0=0 OK \
     AT OK \
     AT&FE0V1X1&D2&C1S0=0 OK \
     AT OK \
     AT+CGDCONT=1,\\\"IP\\\",\\\"FixedIP.nw\\\" OK \
     ATDT*99# CONNECT"

 set login
 set authname "mobile"
 set authkey "internet"

 disable ipv6cp
 disable pap
 disable chap


 #set ifaddr 10.0.0.1/0 10.0.0.2/0 255.255.255.255
 add default HISADDR

NR
Private
Posts: 43
Joined: 2010-10-06 15:05:51

Re: Port forwarding (ipfw + natd)

Unread post by NR » 2012-02-29 17:39:23

ipfw show

Code: Select all

00100   0     0 allow ip from any to any via lo0
00200   0     0 deny ip from any to 127.0.0.0/8
00300   0     0 deny ip from 127.0.0.0/8 to any
00400   0     0 deny ip from 192.168.0.0/24 to any in via tun0
00500   0     0 deny ip from 78.25.106.232 to any in via rl0
00600   0     0 deny ip from any to 172.16.0.0/12 in via tun0
00700   0     0 deny ip from any to 192.168.0.0/16 in via tun0
00800   0     0 deny ip from any to 0.0.0.0/8 in via tun0
00900   0     0 deny ip from any to 169.254.0.0/16 in via tun0
01000   0     0 deny ip from any to 224.0.0.0/4 in via tun0
01100   0     0 deny ip from any to 240.0.0.0/4 in via tun0
01200   0     0 deny icmp from any to any frag
01300   0     0 deny log logamount 100 icmp from any to 255.255.255.255 in via tun0
01400   0     0 deny log logamount 100 icmp from any to 255.255.255.255 out via tun0
01500   9  1442 divert 8668 ip from 192.168.0.0/24 to any out via tun0
01600  56 16763 divert 8668 ip from any to 78.25.106.232 in via tun0
01700   0     0 allow tcp from any to 192.168.0.20 dst-port 8080 via rl0
01800   0     0 allow tcp from any to 192.168.0.20 dst-port 8080 via tun0
01900  12 10511 count ip from not 192.168.0.0/24 to 192.168.0.103 out via rl0
02000   0     0 count ip from not 192.168.0.0/24 to 192.168.0.104 out via rl0
02100   0     0 count ip from not 192.168.0.0/24 to 192.168.0.109 out via rl0
02200   0     0 deny ip from 172.16.0.0/12 to any out via tun0
02300   0     0 deny ip from 192.168.0.0/16 to any out via tun0
02400   0     0 deny ip from 0.0.0.0/8 to any out via tun0
02500   0     0 deny ip from 169.254.0.0/16 to any out via tun0
02600   0     0 deny ip from 224.0.0.0/4 to any out via tun0
02700   0     0 deny ip from 240.0.0.0/4 to any out via tun0
02800   0     0 allow icmp from any to any icmptypes 0,8,11
02900 270 70722 allow ip from any to 192.168.0.0/24 in via rl0
03000 214 43114 allow ip from 192.168.0.0/24 to any out via rl0
03100  40 23810 allow tcp from any to any established
03200   0     0 allow tcp from any to any dst-port 53
03300   0     0 allow tcp from any 53 to any
03400  16  1046 allow udp from any to any dst-port 53
03500  19  4352 allow udp from any 53 to any
03600  58  4408 allow udp from any to any dst-port 123 via tun0
03700   0     0 allow tcp from any to 78.25.106.232 dst-port 53 in via tun0 setup
03800   0     0 allow tcp from any to 78.25.106.232 dst-port 80 in via tun0 setup
03900   0     0 allow tcp from any to 78.25.106.232 dst-port 20,21 in via tun0 setup
04000   0     0 allow tcp from any to 78.25.106.232 dst-port 25 in via tun0 setup
04100   0     0 allow tcp from any to 78.25.106.232 dst-port 22 in via tun0 setup
04200   0     0 allow tcp from any to 78.25.106.232 dst-port 49152-65535 via tun0
04300   0     0 deny log logamount 100 tcp from any to 78.25.106.232 in via tun0 setup
04400   1    48 allow tcp from 78.25.106.232 to any out via tun0 setup
04500   0     0 allow tcp from any to 78.25.106.232 in via rl0 setup
04600   0     0 allow tcp from 192.168.0.0/24 to any dst-port 5190 in via rl0 setup
04700   0     0 allow tcp from 192.168.0.20 to not 192.168.0.0/24 in via rl0 setup
04800   1    48 allow tcp from 192.168.0.103 to not 192.168.0.0/24 in via rl0 setup
04900   0     0 allow tcp from 192.168.0.104 to not 192.168.0.0/24 in via rl0 setup
05000   0     0 allow tcp from 192.168.0.109 to not 192.168.0.0/24 in via rl0 setup
05100   0     0 allow tcp from 192.168.0.222 to not 192.168.0.0/24 in via rl0 setup
05200   0     0 allow tcp from 192.168.0.3 to not 192.168.0.0/24 in via rl0 setup
65535  27  2055 deny ip from any to any