Резервный канал

Простые/общие вопросы по UNIX системам. Спросите здесь, если вы новичок

Модераторы: vadim64, terminus

Правила форума
Убедительная просьба юзать теги [cоde] при оформлении листингов.
Сообщения не оформленные должным образом имеют все шансы быть незамеченными.
Barbos
проходил мимо
Сообщения: 4
Зарегистрирован: 2015-03-11 13:05:09

Резервный канал

Непрочитанное сообщение Barbos » 2015-03-11 13:09:25

Здравствуйте,
при изменении:
route change default 10.0.0.1
остаются в интернет только пользователи сквида меняем обратно:
route change default 170.112.31.1 - все в работе.

Пользователи с прямым подключением остаются без интернета.
Предполагаю косяк с правилами ipfw.

Прошу помощи.

Подробности:
провайдер 1 - статический ip
провайдер 2 - pppoe, статический ip, mpd5

FreeBSD 10.1

Ядро с опциями:

Код: Выделить всё

options         IPFIREWALL
options         IPFIREWALL_VERBOSE
options         IPFIREWALL_VERBOSE_LIMIT=100
options         IPDIVERT
options         DUMMYNET
options         IPFIREWALL_NAT
options         LIBALIAS
options         ROUTETABLES=2
options         IPFIREWALL_FORWARD
rc.conf:

Код: Выделить всё

hostname="inet"
gateway_enable="YES"

defaultrouter="170.112.31.1"

setfib1_enable="YES" #Это второй провайдер,
setfib1_defaultroute="10.0.0.1"

#Локалка
ifconfig_re2="inet 192.168.101.254 netmask 0xffffff00"
#Провайдер 2 с pppoe
ifconfig_re1="inet 192.168.0.1 netmask 0xffffff00 -rxcsum -tso"
#провайдер 1, статичный ip
ifconfig_re0="inet 170.112.31.48 netmask 255.255.255.192 -rxcsum -tso"

squid_enable="YES"

firewall_enable="YES"
firewall_script="/etc/ipfw.rule"
firewall_type="open"

mpd_enable="YES"
ipfw:

Код: Выделить всё

#!/bin/sh
ipfw="/sbin/ipfw"

iProv1="re0"
Prov1IP="170.112.31.48"

iProv2="re1"
Prov2IP="192.168.0.1"

iLocalNet="re2"
LocalIP="192.168.101.254"
LocalNet="192.168.101.0/24"

#Opredeleniya portov=============================================================
ssh="22"
video="37777"
pochta="25, 110, 465, 993, 995"
#********************************************************************************

${ipfw} -f flush
${ipfw} nat 1 delete

#================================================================================
${ipfw} add 50 deny ip from any to any not verrevpath in
${ipfw} add 100 deny ip from any to any frag
${ipfw} add 120 reject ip from 192.168.0.0/16 to any in recv ${iProv1}, ${iProv2}
${ipfw} add 125 reject ip from any to 192.168.0.0/16 in recv ${iProv1}, ${iProv2}
${ipfw} add 130 reject ip from 172.16.0.0/12 to any in recv ${iProv1}, ${iProv2}
${ipfw} add 135 reject ip from any to 172.16.0.0/12 in recv ${iProv1}, ${iProv2}
${ipfw} add 140 reject ip from 169.254.0.0/16 to any in recv ${iProv1}, ${iProv2}
${ipfw} add 145 reject ip from any to 169.254.0.0/16 in recv ${iProv1}, ${iProv2}
${ipfw} add 150 reject ip from ${LocalNet} to any in via ${iProv1}, ${iProv2}
${ipfw} add 200 reject tcp from any to any not established tcpflags fin
${ipfw} add 250 reject tcp from any to any tcpflags fin, syn, rst, psh, ack, urg
${ipfw} add 300 reject tcp from any to any tcpflags !fin, !syn, !rst, !psh, !ack, !urg
${ipfw} add 350 deny all from any 137-139 to any
${ipfw} add 400 deny all from any to any dst-port 137-139
#********************************************************************************

#Internet bez proksi.=Tablica 1 zanyata bruteblockd==============================
${ipfw} table 2 add 192.168.101.36
${ipfw} table 2 add 192.168.101.197
${ipfw} table 2 add 192.168.101.21
${ipfw} table 2 add 192.168.101.12
#********************************************************************************

#Pryamoy dostup k etim IP=(table 3)==============================================
${ipfw} table 3 add 195.149.70.70    #Mesplan
#********************************************************************************

#Zapreshaem vse, chto nalovil bruteblockd========================================
${ipfw} add 450 deny all from table\(1\) to me
#********************************************************************************

#Razreshaem vse po loopback======================================================
${ipfw} add 500 allow all from any to any via lo0
#********************************************************************************

#Razreshaem squid================================================================
${ipfw} add 550 allow all from ${LocalNet} to ${LocalIP}
${ipfw} add 600 allow all from any to any uid squid
#********************************************************************************

#SSH=============================================================================
${ipfw} add 650 allow tcp from any to me ${ssh} keep-state
#********************************************************************************

#Konfiguriruem NAT===============================================================
${ipfw} nat 1 config log if ${iProv1} reset same_ports deny_in
${ipfw} nat 2 config log if ${iProv2} reset same_ports deny_in
#********************************************************************************

#Pochta v NAT====================================================================
${ipfw} add 700 nat 1 ip from ${LocalNet} to any ${pochta} out via ${iProv1}
${ipfw} add 701 nat 2 ip from ${LocalNet} to any ${pochta} out via ${iProv2}
#********************************************************************************

#Videonabludeniye================================================================
${ipfw} add 750 nat 1 ip from ${LocalNet} to any ${video} out via ${iProv1}
${ipfw} add 751 nat 2 ip from ${LocalNet} to any ${video} out via ${iProv2}
#********************************************************************************

#DNS iz localki ot KD============================================================
${ipfw} add 800 nat 1 udp from ${LocalNet} to any 53 out via ${iProv1}
${ipfw} add 801 nat 2 udp from ${LocalNet} to any 53 out via ${iProv2}
#********************************************************************************

#Internet bez proksi=============================================================
${ipfw} add 850 nat 1 ip from table\(2\) to any out via ${iProv1}
${ipfw} add 851 nat 2 ip from table\(2\) to any out via ${iProv2}
${ipfw} add 900 nat 1 ip from ${LocalNet} to table\(3\) out via ${iProv1}
${ipfw} add 901 nat 2 ip from ${LocalNet} to table\(3\) out via ${iProv2}
${ipfw} add 950 nat 1 ip from any to any in via ${iProv1}
${ipfw} add 951 nat 2 ip from any to any in via ${iProv2}
#********************************************************************************

#Razreshaem vse chto v nat popalo================================================
#Dostup bez proksi
${ipfw} add 1000 allow all from table\(2\) to not ${LocalNet} in via ${iLocalNet}
#Dostup bez proksi k nekotorum saytam
${ipfw} add 1050 allow all from ${LocalNet} to table\(3\) in via ${iLocalNet}
#Dostup k pochte
${ipfw} add 1100 allow all from ${LocalNet} to not ${LocalNet} ${pochta} in via ${iLocalNet}
#Dostup k DNS
${ipfw} add 1150 allow udp from ${LocalNet} to not ${LocalNet} 53 in via ${iLocalNet}
#Dostup k videonabludeniyu
${ipfw} add 1200 allow all from ${LocalNet} to not ${LocalNet} ${video} in via ${iLocalNet}
#********************************************************************************

#Poluchaem otvety================================================================
${ipfw} add 1250 allow all from not ${LocalNet} to ${LocalNet} in via ${iProv1}
${ipfw} add 1251 allow all from not ${LocalNet} to ${LocalNet} in via ${iProv2}
${ipfw} add 1300 allow all from not ${LocalNet} to ${LocalNet} out via ${iLocalNet}
*********************************************************************************

#Razreshaem shlyzy hodit v inet==================================================
${ipfw} add 1350 allow all from me to any
#********************************************************************************
Последний раз редактировалось f_andrey 2015-03-11 13:15:18, всего редактировалось 1 раз.
Причина: Автору. пожалуйста, выбирайте соответствующий раздел форума.

Хостинговая компания Host-Food.ru
Хостинг HostFood.ru
 

Услуги хостинговой компании Host-Food.ru

Хостинг HostFood.ru

Тарифы на хостинг в России, от 12 рублей: https://www.host-food.ru/tariffs/hosting/
Тарифы на виртуальные сервера (VPS/VDS/KVM) в РФ, от 189 руб.: https://www.host-food.ru/tariffs/virtualny-server-vps/
Выделенные сервера, Россия, Москва, от 2000 рублей (HP Proliant G5, Intel Xeon E5430 (2.66GHz, Quad-Core, 12Mb), 8Gb RAM, 2x300Gb SAS HDD, P400i, 512Mb, BBU):
https://www.host-food.ru/tariffs/vydelennyi-server-ds/
Недорогие домены в популярных зонах: https://www.host-food.ru/domains/

Аватара пользователя
Alex Keda
стреляли...
Сообщения: 35465
Зарегистрирован: 2004-10-18 14:25:19
Откуда: Made in USSR
Контактная информация:

Резервный канал

Непрочитанное сообщение Alex Keda » 2015-03-11 14:12:14

Правила файрволла покажите
А не конфиг
Убей их всех! Бог потом рассортирует...

Barbos
проходил мимо
Сообщения: 4
Зарегистрирован: 2015-03-11 13:05:09

Резервный канал

Непрочитанное сообщение Barbos » 2015-03-11 14:44:11

Правила вот:

ipfw:

Код: Выделить всё

#!/bin/sh
ipfw="/sbin/ipfw"

iProv1="re0"
Prov1IP="170.112.31.48"

iProv2="re1"
Prov2IP="192.168.0.1"

iLocalNet="re2"
LocalIP="192.168.101.254"
LocalNet="192.168.101.0/24"

#Opredeleniya portov=============================================================
ssh="22"
video="37777"
pochta="25, 110, 465, 993, 995"
#********************************************************************************

${ipfw} -f flush
${ipfw} nat 1 delete

#================================================================================
${ipfw} add 50 deny ip from any to any not verrevpath in
${ipfw} add 100 deny ip from any to any frag
${ipfw} add 120 reject ip from 192.168.0.0/16 to any in recv ${iProv1}, ${iProv2}
${ipfw} add 125 reject ip from any to 192.168.0.0/16 in recv ${iProv1}, ${iProv2}
${ipfw} add 130 reject ip from 172.16.0.0/12 to any in recv ${iProv1}, ${iProv2}
${ipfw} add 135 reject ip from any to 172.16.0.0/12 in recv ${iProv1}, ${iProv2}
${ipfw} add 140 reject ip from 169.254.0.0/16 to any in recv ${iProv1}, ${iProv2}
${ipfw} add 145 reject ip from any to 169.254.0.0/16 in recv ${iProv1}, ${iProv2}
${ipfw} add 150 reject ip from ${LocalNet} to any in via ${iProv1}, ${iProv2}
${ipfw} add 200 reject tcp from any to any not established tcpflags fin
${ipfw} add 250 reject tcp from any to any tcpflags fin, syn, rst, psh, ack, urg
${ipfw} add 300 reject tcp from any to any tcpflags !fin, !syn, !rst, !psh, !ack, !urg
${ipfw} add 350 deny all from any 137-139 to any
${ipfw} add 400 deny all from any to any dst-port 137-139
#********************************************************************************

#Internet bez proksi.=Tablica 1 zanyata bruteblockd==============================
${ipfw} table 2 add 192.168.101.36
${ipfw} table 2 add 192.168.101.197
${ipfw} table 2 add 192.168.101.21
${ipfw} table 2 add 192.168.101.12
#********************************************************************************

#Pryamoy dostup k etim IP=(table 3)==============================================
${ipfw} table 3 add 195.149.70.70    #Mesplan
#********************************************************************************

#Zapreshaem vse, chto nalovil bruteblockd========================================
${ipfw} add 450 deny all from table\(1\) to me
#********************************************************************************

#Razreshaem vse po loopback======================================================
${ipfw} add 500 allow all from any to any via lo0
#********************************************************************************

#Razreshaem squid================================================================
${ipfw} add 550 allow all from ${LocalNet} to ${LocalIP}
${ipfw} add 600 allow all from any to any uid squid
#********************************************************************************

#SSH=============================================================================
${ipfw} add 650 allow tcp from any to me ${ssh} keep-state
#********************************************************************************

#Konfiguriruem NAT===============================================================
${ipfw} nat 1 config log if ${iProv1} reset same_ports deny_in
${ipfw} nat 2 config log if ${iProv2} reset same_ports deny_in
#********************************************************************************

#Pochta v NAT====================================================================
${ipfw} add 700 nat 1 ip from ${LocalNet} to any ${pochta} out via ${iProv1}
${ipfw} add 701 nat 2 ip from ${LocalNet} to any ${pochta} out via ${iProv2}
#********************************************************************************

#Videonabludeniye================================================================
${ipfw} add 750 nat 1 ip from ${LocalNet} to any ${video} out via ${iProv1}
${ipfw} add 751 nat 2 ip from ${LocalNet} to any ${video} out via ${iProv2}
#********************************************************************************

#DNS iz localki ot KD============================================================
${ipfw} add 800 nat 1 udp from ${LocalNet} to any 53 out via ${iProv1}
${ipfw} add 801 nat 2 udp from ${LocalNet} to any 53 out via ${iProv2}
#********************************************************************************

#Internet bez proksi=============================================================
${ipfw} add 850 nat 1 ip from table\(2\) to any out via ${iProv1}
${ipfw} add 851 nat 2 ip from table\(2\) to any out via ${iProv2}
${ipfw} add 900 nat 1 ip from ${LocalNet} to table\(3\) out via ${iProv1}
${ipfw} add 901 nat 2 ip from ${LocalNet} to table\(3\) out via ${iProv2}
${ipfw} add 950 nat 1 ip from any to any in via ${iProv1}
${ipfw} add 951 nat 2 ip from any to any in via ${iProv2}
#********************************************************************************

#Razreshaem vse chto v nat popalo================================================
#Dostup bez proksi
${ipfw} add 1000 allow all from table\(2\) to not ${LocalNet} in via ${iLocalNet}
#Dostup bez proksi k nekotorum saytam
${ipfw} add 1050 allow all from ${LocalNet} to table\(3\) in via ${iLocalNet}
#Dostup k pochte
${ipfw} add 1100 allow all from ${LocalNet} to not ${LocalNet} ${pochta} in via ${iLocalNet}
#Dostup k DNS
${ipfw} add 1150 allow udp from ${LocalNet} to not ${LocalNet} 53 in via ${iLocalNet}
#Dostup k videonabludeniyu
${ipfw} add 1200 allow all from ${LocalNet} to not ${LocalNet} ${video} in via ${iLocalNet}
#********************************************************************************

#Poluchaem otvety================================================================
${ipfw} add 1250 allow all from not ${LocalNet} to ${LocalNet} in via ${iProv1}
${ipfw} add 1251 allow all from not ${LocalNet} to ${LocalNet} in via ${iProv2}
${ipfw} add 1300 allow all from not ${LocalNet} to ${LocalNet} out via ${iLocalNet}
*********************************************************************************

#Razreshaem shlyzy hodit v inet==================================================
${ipfw} add 1350 allow all from me to any
#********************************************************************************

logout_90
мл. сержант
Сообщения: 72
Зарегистрирован: 2014-01-27 5:36:26

Резервный канал

Непрочитанное сообщение logout_90 » 2015-03-11 16:47:47

Barbos писал(а): Правила вот:
Добрый день! Я так понимаю, надо вывод команды

Код: Выделить всё

ipfw list
Ну и на всякий случай

Код: Выделить всё

ipfw nat show config

Barbos
проходил мимо
Сообщения: 4
Зарегистрирован: 2015-03-11 13:05:09

Резервный канал

Непрочитанное сообщение Barbos » 2015-03-11 16:54:21

Здравствуйте,

вот ipfw show:

Код: Выделить всё

00050     9081     1335592 deny ip from any to any not verrevpath in
00100        0           0 deny ip from any to any frag
00120        0           0 reject ip from 192.168.0.0/16 to any in recv re0,re1
00125        0           0 reject ip from any to 192.168.0.0/16 in recv re0,re1
00130        0           0 reject ip from 172.16.0.0/12 to any in recv re0,re1
00135        0           0 reject ip from any to 172.16.0.0/12 in recv re0,re1
00140        0           0 reject ip from 169.254.0.0/16 to any in recv re0,re1
00145        0           0 reject ip from any to 169.254.0.0/16 in recv re0,re1
00150        0           0 reject ip from 192.168.101.0/24 to any in via re0,re1
00200        0           0 reject tcp from any to any not established tcpflags fin
00250        0           0 reject tcp from any to any tcpflags syn,fin,ack,psh,rst,urg
00300        0           0 reject tcp from any to any tcpflags !syn,!fin,!ack,!psh,!rst,!urg
00350    14766     1590734 deny ip from any 137-139 to any
00400        0           0 deny ip from any to any dst-port 137-139
00450        0           0 deny ip from table(1) to me
00500        4         200 allow ip from any to any via lo0
00550  3394178   391716649 allow ip from 192.168.101.0/24 to 192.168.101.254
00600 16459690 15881342657 allow ip from any to any uid squid
00650      878      166230 allow tcp from any to me dst-port 22 keep-state
00700   168103    48315140 nat 1 ip from 192.168.101.0/24 to any dst-port 25,110,465,993,995 out via re0
00701        0           0 nat 2 ip from 192.168.101.0/24 to any dst-port 25,110,465,993,995 out via re1
00750    40055     1674861 nat 1 ip from 192.168.101.0/24 to any dst-port 37777 out via re0
00751        0           0 nat 2 ip from 192.168.101.0/24 to any dst-port 37777 out via re1
00800    20306     1407501 nat 1 udp from 192.168.101.0/24 to any dst-port 53 out via re0
00801        0           0 nat 2 udp from 192.168.101.0/24 to any dst-port 53 out via re1
00850  1716447   668308999 nat 1 ip from table(2) to any out via re0
00851    34558     3393748 nat 2 ip from table(2) to any out via re1
00900     3445     1728936 nat 1 ip from 192.168.101.0/24 to table(3) out via re0
00901        0           0 nat 2 ip from 192.168.101.0/24 to table(3) out via re1
00902   144881    99562884 nat 1 ip from any to any via re0
00903     5129      505612 nat 1 ip from any to any via re1
00950  2594407  2635132126 nat 1 ip from any to any in via re0
00951        0           0 nat 2 ip from any to any in via re1
01000  1783369   681465583 allow ip from table(2) to not 192.168.101.0/24 in via re2
01050     3452     1729216 allow ip from 192.168.101.0/24 to table(3) in via re2
01100   153585    40133700 allow ip from 192.168.101.0/24 to not 192.168.101.0/24 dst-port 25,110,465,993,995 in via re2
01150    41437     2839792 allow udp from 192.168.101.0/24 to not 192.168.101.0/24 dst-port 53 in via re2
01200    40055     1674861 allow ip from 192.168.101.0/24 to not 192.168.101.0/24 dst-port 37777 in via re2
01250  2487419  2614474347 allow ip from not 192.168.101.0/24 to 192.168.101.0/24 in via re0
01251        0           0 allow ip from not 192.168.101.0/24 to 192.168.101.0/24 in via re1
01300  2487526  2614479799 allow ip from not 192.168.101.0/24 to 192.168.101.0/24 out via re2
01350  2094303   730895481 allow ip from me to any
65535    85536     5950250 deny ip from any to any
ipfw nat show config:

Код: Выделить всё

ipfw nat 2 config if re1 log deny_in same_ports reset
ipfw nat 1 config if re0 log deny_in same_ports reset

Barbos
проходил мимо
Сообщения: 4
Зарегистрирован: 2015-03-11 13:05:09

Резервный канал

Непрочитанное сообщение Barbos » 2015-03-12 14:23:59

Локализовал проблему.

Было:

Код: Выделить всё

сетевая карта - 192.168.0.1 (re2) -> mpd5 10.0.0.1 -> 89.209.XXX.XX (адрес выданный провайдером)
при изменении default router на 10.0.0.1 сквид работал, напрямую через нат - нет

Локализация:

Код: Выделить всё

изменил адрес локальной сетевой с 192.168.0.1 на 192.168.0.254
сетевая карта - 192.168.0.254 (re2) -> роутер tp-link 192.168.0.1 -> 89.209.XXX.XX (адрес выданный провайдером)
при изменении default router на 192.168.0.1 - все заработало как надо.

Что в первом варианте может быть не так?