Стоит задача завернуть веб-трафик со шлюза на сквид (на другой машине), затем пускать его без фильтрации.
То есть маршрут будет примерно таким.
PC -> GW -> Proxy -> GW -> Internet
В Циске есть кое-что под названием WCCP. Надо реализовать нечто подобное.
Буду рад услышать какие-нибудь подсказки.
п.с.
как вы увидите в конфиге шлюза, я пробовал
# Redirect every inbound port-80 TCP flow, on any interface and from any
# source (the proxy's own traffic included), to Squid on $ip_proxy:8080.
rdr proto tcp from any to any port www -> $ip_proxy port 8080
Ниже - конфиги PF.
Шлюз:
$ uname -a FreeBSD ast-hq-srv-gw01 9.1-RELEASE-p3 FreeBSD 9.1-RELEASE-p3 #0: Mon Apr 29 18:27:25 UTC 2013 root@amd64-builder.daemonology.net:/usr/obj/usr/src/sys/GENERIC amd64
## --- VARS ----------------------------------------------------------------- ##
# Interface roles: de1 = LAN, de2 = guest Wi-Fi, de0 = uplink, tun0 = VPN.
if_int="de1"
if_guestwifi="de2"
if_ext="de0"
if_tun="tun0"
ip_ext="x.x.x.x/32"
ip_int="10.1.0.1/32"
# The proxy is a host inside $net_local, i.e. on the same segment as the
# clients it is supposed to serve (this matters for the rdr below).
ip_proxy = "10.1.0.4/32"
# Outbound TCP ports allowed for LAN and guest clients. "ssh"/22 and
# "domain"/53 are listed twice (harmless); 3389 lets clients reach RDP
# hosts on the internet.
ports_lanout_tcp = "{ ssh, smtp, domain, www, https, 22, ntp, 43, ftp, ftp-data, 3389, 53, 8000, 81 }"
ports_lanout_udp = " { domain, ntp, 53, 500, 4500 }"
# Ports accepted from the internet on $ip_ext (pass rule on $if_ext below).
# NOTE(review): there is no rdr for any of them in this file, so they can only
# reach services running on the gateway itself; 3389 should not stay open to
# every source unless the gateway really listens on it.
ports_in = " {1194, 8329, 3389} "
icmp_types = "{ echoreq, unreach }"
net_local = "10.1.0.0/24"
net_vpn = "10.0.1.0/24"
net_guestwifi = "10.1.255.0/24"
# State options used by most pass rules; the "flags" part is only meaningful
# for tcp, pf ignores it for the udp expansions.
state_mod = "flags S/SA modulate state"
# defined but not referenced anywhere in this file
state_syn = "flags S/SA synproxy state"
# Populated by the ssh overload rule below; persisted across reloads.
table <blockedip> persist file "/usr/local/etc/pf.block.ip.conf"
## --- OPTIONS ------------------------------------------------------------------ ##
set block-policy drop
set state-policy floating
set loginterface $if_ext
set optimization normal
set skip on lo0
## --- NORMALIZATION ------------------------------------------------------------- ##
scrub in all
scrub on $if_ext all reassemble tcp
## --- QUEUEING ------------------------------------------------------------------ ##
#altq on $if_ext cbq bandwidth 80Mb queue {normal, high, top}
#queue normal bandwidth 40% priority 1 cbq (default borrow)
#queue high bandwidth 50% priority 5 cbq (borrow ecn)
#queue top bandwidth 10% priority 7 cbq (borrow)
## --- NAT RDR ------------------------------------------------------------------- ##
# RDR to SQUID
# NOTE(review): the commented rule has no "on" interface and no source
# restriction, so port-80 connections coming in on any interface -- guest
# Wi-Fi, the VPN and, worst of all, the proxy's own outbound fetches -- would
# all be sent to $ip_proxy, and the proxy's traffic would loop back to itself.
# Restrict it to LAN clients and exclude the proxy, e.g.
#   no rdr on $if_int proto tcp from $ip_proxy to any port www
#   rdr on $if_int proto tcp from $net_local to any port www -> $ip_proxy port 8080
# Second problem: $ip_proxy sits inside $net_local, so the proxy answers the
# client directly on the LAN instead of through this gateway, and the client
# sees a SYN-ACK from 10.1.0.4:8080 rather than from the web server it asked
# for. This is the "redirection and reflection" case in the PF FAQ; it needs
# either a "nat on $if_int proto tcp from $net_local to $ip_proxy port 8080
# -> $ip_int" rule next to the rdr (then Squid sees every client as $ip_int),
# or the proxy on its own interface/subnet. A route-to rule that hands the
# flow to the proxy and lets the proxy rdr it to Squid itself is the
# WCCP-like variant that keeps the real client addresses -- verify against
# the pf.conf(5) of this release before relying on it.
#rdr proto tcp from any to any port www -> $ip_proxy port 8080
# Source NAT for both client networks on the uplink address.
nat on $if_ext from $net_local to any -> ($if_ext)
nat on $if_ext from $net_guestwifi to any -> ($if_ext)
## --- FILTERING ----------------------------------------------------------------- ##
# Default deny. NOTE(review): pf's last matching rule wins, and "block return"
# on the next line also matches inbound packets; because it has no "log", the
# logging asked for by "block in log all" never happens (only the quick
# <blockedip> rules below log). Put "log" on the rule that actually wins.
block in log all
block return
# Drop packets arriving on an interface that is not the route back to their
# source address.
block in quick from urpf-failed
antispoof log for $if_ext
# Hosts caught by the ssh overload rule are dropped in both directions on the
# uplink (these two rules do log).
block drop in log (all) quick on $if_ext from <blockedip> to any
block drop out log (all) quick on $if_ext from any to <blockedip>
# allow icmp -- no direction and no interface, so the listed types are accepted
# everywhere, including echo requests from the internet
pass log inet proto icmp all icmp-type $icmp_types keep state
# allow ssh but block bruteforce -- again no "in"/"on", so this is evaluated on
# every interface; more than 5 concurrent connections or 5 new ones per 30 s
# from one source puts it into <blockedip> and flushes its states
pass inet proto tcp from any to $ip_ext port ssh flags S/SA keep state (max-src-conn 5, max-src-conn-rate 5/30, overload <blockedip> flush global)
# allow in on $ports_in (internet-facing, see the NOTE on $ports_in above)
pass in quick on $if_ext proto {tcp, udp} from any to $ip_ext port $ports_in $state_mod
# this rule allows any traffic initiated from the server
# ("from $if_ext" expands to the addresses of the uplink interface)
pass out quick on $if_ext inet proto {tcp, udp, icmp} from $if_ext to any $state_mod
# allow LAN to access $ports_lanout_tcp/udp
# (the udp rules carry no explicit state option and rely on pf's default
# "keep state" -- presumably intended, worth making explicit)
pass in quick on $if_int proto tcp from $net_local to any port $ports_lanout_tcp $state_mod
pass in quick on $if_int proto udp from $net_local to any port $ports_lanout_udp
# allow only certain ports on Guest WIFI
pass in quick on $if_guestwifi proto tcp from $net_guestwifi to any port $ports_lanout_tcp $state_mod
pass in quick on $if_guestwifi proto udp from $net_guestwifi to any port $ports_lanout_udp
# allow vpn clients to LAN (in on tun0, then out on the LAN interface; with
# floating states the second rule is mostly redundant with the first)
pass in quick on $if_tun proto {tcp, udp} from $net_vpn to $net_local
pass out quick on $if_int proto {tcp, udp} from $net_vpn to $net_local
# the gateway's own LAN address may initiate anything toward the LAN
pass out quick on $if_int inet proto {tcp, udp, icmp} from $ip_int to any
# allow torrent on 50505
# NOTE(review): the two rules name different hosts (10.1.0.230 vs 10.1.0.23),
# the first lets 10.1.0.230 out on *any* port, not only 50505, and the second
# can never match: packets from the internet arrive addressed to $ip_ext, not
# to 10.1.0.23, unless an rdr for port 50505 is added in the NAT RDR section.
pass in quick on $if_int proto {tcp, udp} from 10.1.0.230 to any
pass in quick on $if_ext proto {tcp, udp} from any to 10.1.0.23 port 50505
Прокся:
$ uname -a FreeBSD ast-hq-srv-proxy01 9.1-RELEASE-p3 FreeBSD 9.1-RELEASE-p3 #0: Mon Apr 29 18:27:25 UTC 2013 root@amd64-builder.daemonology.net:/usr/obj/usr/src/sys/GENERIC amd64
## --- VARS ----------------------------------------------------------------- ##
# Single-homed proxy host: de0 is its only (LAN) interface.
if_int="de0"
ip_int="10.1.0.4/32"
ip_gw ="10.1.0.1/32"
icmp_types = "{ echoreq, unreach }"
# NOTE(review): /23 here (10.1.0.0-10.1.1.255) while the gateway defines the
# same network as 10.1.0.0/24; not referenced below, but worth aligning before
# it is used in a pass rule.
net_local = "10.1.0.0/23"
# State options for tcp pass rules ("flags" only applies to tcp).
state_mod = "flags S/SA modulate state"
# defined but not referenced anywhere in this file
state_syn = "flags S/SA synproxy state"
# Populated by the ssh overload rule below; persisted across reloads.
table <blockedip> persist file "/usr/local/etc/pf.block.ip.conf"
## --- OPTIONS ------------------------------------------------------------------ ##
set block-policy drop
set state-policy floating
set loginterface $if_int
set optimization normal
set skip on lo0
## --- NORMALIZATION ------------------------------------------------------------- ##
scrub in all
scrub on $if_int all reassemble tcp
## --- QUEUEING ------------------------------------------------------------------ ##
## --- NAT RDR ------------------------------------------------------------------- ##
# (empty -- if the gateway hands port-80 flows to this host with route-to
# instead of rdr, the "rdr on $if_int ... port www -> 127.0.0.1 port 8080"
# that feeds Squid's intercept port belongs here)
## --- FILTERING ----------------------------------------------------------------- ##
# Default deny. NOTE(review): same issue as on the gateway -- "block return"
# is the last matching rule for every blocked packet and has no "log", so the
# "log" on "block log all" is effectively disabled.
block log all
block return
block in quick from urpf-failed
antispoof log for $if_int
block drop in log (all) quick on $if_int from <blockedip> to any
block drop out log (all) quick on $if_int from any to <blockedip>
# allow icmp (both directions, listed types only)
pass log inet proto icmp all icmp-type $icmp_types keep state
# allow 8080
# NOTE(review): an rdr on the gateway keeps the client's source address, so
# redirected connections arrive here from the LAN clients, not from $ip_gw;
# this rule only matches if the gateway additionally NATs them to its own
# address. Otherwise widen the source, e.g. "from $net_local" (after fixing
# the /23 above).
pass in quick on $if_int proto tcp from $ip_gw to any port 8080 $state_mod
# allow DNS
pass out quick on $if_int proto udp from any to any port 53 keep state
# NOTE(review): no rule passes outbound tcp from this host, so under the
# default block Squid cannot open connections to origin servers at all. A
# rule such as
#   pass out quick on $if_int proto tcp from $ip_int to any port { www, https } $state_mod
# is missing; keep the destination port list narrow if this box should only
# ever proxy web traffic.
# block ssh bruteforce (any interface; 2 concurrent or 2 new per 30 s from one
# source lands it in <blockedip>)
pass inet proto tcp from any to $ip_int port ssh flags S/SA keep state (max-src-conn 2, max-src-conn-rate 2/30, overload <blockedip> flush global)