Возникла проблема с пониманием логики работы kernel based nat в freebsd 7.
Раньше использовал natd — там всё было понятнее.
Имеется роутер, стоящий в домовой сети. Инет на него получается через vpn.
fxp2 - интерфейс, смотрящий в сеть провайдера $TCEXE, имеет IP $TCEXE_IP
fxp0 - интерфейс, смотрящий в домашнюю сеть $MAFNET, имеет IP $MAF_IP
ng0 - VPN-интерфейс, имеет IP $INET_IP
На роутере так же крутится www-сервер на 80 порту.
Для построения правил используется скрипт:
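#!/usr/local/bin/bash
#
# ipfw rule set for the home router (FreeBSD 7, kernel NAT).
#
# Usage: <script> { start | stop | restart }
#
# Interfaces (from the description accompanying this script):
#   fxp2 - provider network (TCEXE), address TCEXE_IP
#   fxp0 - home network (MAFNET), address MAF_IP
#   ng0  - VPN uplink, address INET_IP (read from /etc/myip)
#
# Deliberately no `set -e`: `ipfw nat delete` of an instance that does not
# exist yet (first run after boot) and the final `ipfw delete 90` are
# allowed to fail without aborting the load.
set -u

# Single wrapper for every ipfw call so binary and flags are fixed in one
# place (-q: quiet on add/nat/flush, as in the original IPFW="/sbin/ipfw -q").
fw() {
  /sbin/ipfw -q "$@"
}

# Error helper: message to stderr, non-zero exit.
die() {
  printf '%s\n' "$*" >&2
  exit 1
}

DEFAULTACTION="reset"
#------------------------Networks----------------------------------
TCEXE="10.0.0.0/8,172.16.0.0/15,89.19.160.130,89.19.160.132"
MAFNET="172.32.0.0/25"
#------------------------My_IPS------------------------------------
TCEXE_IP="172.17.152.35"
# The VPN address is read from a file. A missing or empty value would
# silently yield malformed `nat ... config ip` and `to` clauses below, so
# abort instead of loading a broken rule set.
INET_IP=$(cat /etc/myip) || die "cannot read /etc/myip"
: "${INET_IP:?/etc/myip is empty}"
MAF_IP="172.32.0.254"
#------------------------Other IPs---------------------------------
# shellcheck disable=SC2034  # not referenced by this variant of the rule set
ALLMYIPS="${INET_IP},${MAF_IP},${TCEXE_IP}"
LOCALNETS="${TCEXE},${MAFNET}"
#------------------------------------------------------------------

#######################################
# Load the full rule set.
# Globals:  TCEXE MAFNET TCEXE_IP INET_IP LOCALNETS DEFAULTACTION (read)
# Outputs:  progress line to stdout
# Returns:  status of the last ipfw call; individual failures are not fatal
#######################################
fw_start() {
  echo 'Configuring IPFW...'
  fw -f pipe flush
  fw -f queue flush
  fw -f flush
  # Temporary catch-all so a half-loaded rule set cannot lock the admin out
  # (original comment: "allow full access to the router, just in case").
  # NOTE(review): this is fail-open -- every packet is accepted until the
  # `delete 90` at the end of this function. ipfw rule sets
  # (`ipfw set disable/enable`, `ipfw set swap`) would allow loading the new
  # rules into a disabled set and switching over atomically instead.
  fw add 90 allow all from any to any
  # Unrestricted access between the router and the whole home /24.
  fw add 1000 allow all from 172.32.0.0/24 to me
  fw add 1001 allow all from me to 172.32.0.0/24
  #---------------------------------Divert------------------------------
  #3000
  # NAT instance 8668: home net -> Internet, translated to the VPN address
  # on ng0. `nat delete` fails harmlessly when the instance does not exist.
  fw nat delete 8668
  fw nat 8668 config ip "${INET_IP}" log reset same_ports
  fw add 3000 nat 8668 all from "${MAFNET}" to not "${LOCALNETS}" out recv fxp0 xmit ng0
  # NAT instance 8669: home net -> provider network, translated to the
  # fxp2 address.
  fw nat delete 8669
  fw nat 8669 config ip "${TCEXE_IP}" log reset same_ports
  fw add 3010 nat 8669 all from "${MAFNET}" to "${TCEXE}" out recv fxp0 xmit fxp2
  # Reverse direction: un-translate packets arriving for the public addresses.
  fw add 3030 nat 8668 all from not "${LOCALNETS}" to "${INET_IP}" in recv ng0
  fw add 3040 nat 8669 all from "${TCEXE}" to "${TCEXE_IP}" in recv fxp2
  #----------------------------------------------------------------------
  # Router-originated traffic and replies to it. Both rules below carry
  # number 3060 (ipfw permits that and keeps insertion order), but a later
  # `ipfw delete 3060` would remove both.
  fw add 3060 allow all from me to any
  fw add 3060 allow icmp from any to me
  # `established` matches only TCP segments with ACK or RST set, so this
  # rule does not admit new inbound connections. NOTE(review): no rule in
  # this set explicitly permits new TCP connections to the router's own
  # port 80 (the web server) from outside.
  fw add 3070 allow tcp from any to me established
  # NTP plus the entire unprivileged UDP range to the router -- broad;
  # narrow it if the router runs UDP services on those ports.
  fw add 3080 allow udp from any to me 123,1023-65535
  fw add 3095 allow gre from any to me
  #---------------------------------Allow from MAF to TCEXE------------
  fw add 4000 allow all from "${MAFNET}" to "${TCEXE}"
  fw add 4100 allow all from "${TCEXE}" to "${MAFNET}"
  #---------------------------------Allow from MAF to INET---------
  fw add 4500 allow all from "${MAFNET}" to not "${LOCALNETS}"
  fw add 4600 allow all from not "${LOCALNETS}" to "${MAFNET}"
  #----------------------------------------------------------------------
  # Default action. `logamount 0` means unbounded logging: a flood of
  # rejected packets is logged without limit, so consider a bound.
  fw add 65534 "${DEFAULTACTION}" log logamount 0 all from any to any
  # Remove the temporary catch-all; the rule set is now in force.
  fw delete 90
}

#######################################
# Drop the rule set and pass everything (firewall effectively off).
# Outputs:  progress line to stdout
#######################################
fw_stop() {
  echo 'Configuring IPFW...'
  fw flush
  fw add 65534 allow all from any to any
}

# `${1:-}` so that a missing argument reaches the usage arm under `set -u`.
case "${1:-}" in
  start)
    fw_start
    ;;
  stop)
    fw_stop
    ;;
  restart)
    # Advertised in the usage line but previously not implemented.
    fw_stop
    fw_start
    ;;
  *)
    printf 'Usage: %s { start | stop | restart}\n' "${0##*/}"
    exit 64
    ;;
esac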
ext_server — внешний сервер, использованный для тестирования
[root@ext_server ~]$ telnet mafet.ru 80
Trying 89.19.167.253...
Connected to mafet.ru.
Escape character is '^]'.
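#!/usr/local/bin/bash
#
# ipfw rule set for the home router (FreeBSD 7, kernel NAT), second variant:
# `deny_in` on both NAT instances, extra hosts allowed to the router, and
# the Internet rules exclude the router's own addresses.
#
# Usage: <script> { start | stop | stop2 | restart }
#
# NAT instance numbers used on this host (original author's notes):
#8669 - 172.17.152.35
#8670 - 172.32.26.254
#8672 - 89.19.167.253
#
# Deliberately no `set -e`: `ipfw nat delete` of an instance that does not
# exist yet (first run after boot) and the final `ipfw delete 90` are
# allowed to fail without aborting the load.
set -u

# Single wrapper for every ipfw call so binary and flags are fixed in one
# place (-q: quiet on add/nat/flush, as in the original IPFW="/sbin/ipfw -q").
fw() {
  /sbin/ipfw -q "$@"
}

# Error helper: message to stderr, non-zero exit.
die() {
  printf '%s\n' "$*" >&2
  exit 1
}

DEFAULTACTION="reset"
#------------------------Networks----------------------------------
TCEXE="10.0.0.0/8,172.16.0.0/15,89.19.160.130,89.19.160.132"
MAFNET="172.32.0.0/25"
#------------------------My_IPS------------------------------------
TCEXE_IP="172.17.152.35"
# The VPN address is read from a file. A missing or empty value would
# silently yield malformed `nat ... config ip` and `to` clauses below, so
# abort instead of loading a broken rule set.
INET_IP=$(cat /etc/myip) || die "cannot read /etc/myip"
: "${INET_IP:?/etc/myip is empty}"
MAF_IP="172.32.0.254"
#------------------------Other IPs---------------------------------
# shellcheck disable=SC2034  # defined but not used by any rule below
BLOCK_IP="172.16.53.102"
ALLMYIPS="${INET_IP},${MAF_IP},${TCEXE_IP}"
LOCALNETS="${TCEXE},${MAFNET}"
#------------------------------------------------------------------

#######################################
# Load the full rule set.
# Globals:  TCEXE MAFNET TCEXE_IP INET_IP ALLMYIPS LOCALNETS DEFAULTACTION (read)
# Outputs:  progress line to stdout
# Returns:  status of the last ipfw call; individual failures are not fatal
#######################################
fw_start() {
  echo 'Configuring IPFW...'
  fw -f pipe flush
  fw -f queue flush
  fw -f flush
  # Temporary catch-all so a half-loaded rule set cannot lock the admin out.
  # NOTE(review): this is fail-open -- every packet is accepted until the
  # `delete 90` at the end of this function. ipfw rule sets
  # (`ipfw set disable/enable`, `ipfw set swap`) would allow loading the new
  # rules into a disabled set and switching over atomically instead.
  fw add 90 allow all from any to any
  # Unrestricted access between the router and the home /24 plus two
  # individual hosts.
  fw add 1000 allow all from 172.32.0.0/24,10.10.10.10,10.0.0.60 to me
  fw add 1001 allow all from me to 172.32.0.0/24,10.10.10.10,10.0.0.60
  #---------------------------------Divert------------------------------
  #3000
  # NAT instance 8668: home net -> Internet, translated to the VPN address
  # on ng0. `nat delete` fails harmlessly when the instance does not exist.
  #
  # NOTE(review): `deny_in` makes the instance drop inbound packets that
  # have no existing translation entry. Since rule 3030 pushes everything
  # arriving on ng0 for INET_IP through this instance, that also covers new
  # connections to the router's own services (the web server on port 80).
  # To keep `deny_in` and still serve port 80, admit that traffic before
  # rule 3030 (e.g. `allow tcp from any to ${INET_IP} 80 in recv ng0`) or
  # configure a `redirect_port` on the instance -- confirm against the
  # ipfw(8)/libalias documentation for this FreeBSD version.
  fw nat delete 8668
  fw nat 8668 config ip "${INET_IP}" log deny_in reset same_ports
  fw add 3000 nat 8668 all from "${MAFNET}" to not "${LOCALNETS}" out recv fxp0 xmit ng0
  # NAT instance 8669: home net -> provider network, translated to the
  # fxp2 address. Same `deny_in` caveat as above for services on TCEXE_IP.
  fw nat delete 8669
  fw nat 8669 config ip "${TCEXE_IP}" log deny_in reset same_ports
  fw add 3010 nat 8669 all from "${MAFNET}" to "${TCEXE}" out recv fxp0 xmit fxp2
  # Reverse direction: un-translate packets arriving for the public addresses.
  fw add 3030 nat 8668 all from not "${LOCALNETS}" to "${INET_IP}" in recv ng0
  fw add 3040 nat 8669 all from "${TCEXE}" to "${TCEXE_IP}" in recv fxp2
  #----------------------------------------------------------------------
  # Router-originated traffic and replies to it. Both rules below carry
  # number 3060 (ipfw permits that and keeps insertion order), but a later
  # `ipfw delete 3060` would remove both.
  fw add 3060 allow all from me to any
  fw add 3060 allow icmp from any to me
  # `established` matches only TCP segments with ACK or RST set, so this
  # rule does not admit new inbound connections.
  fw add 3070 allow tcp from any to me established
  # NTP plus the entire unprivileged UDP range to the router -- broad;
  # narrow it if the router runs UDP services on those ports.
  fw add 3080 allow udp from any to me 123,1023-65535
  fw add 3095 allow gre from any to me
  #---------------------------------Allow from GODE to TCEXE------------
  fw add 4000 allow all from "${MAFNET}" to "${TCEXE}"
  fw add 4100 allow all from "${TCEXE}" to "${MAFNET}"
  #---------------------------------Allow from MAF&GODE to INET---------
  # fw add 4499 allow all from 172.32.0.0/24 to any limit src-addr 1
  # Unlike the earlier variant, the router's own addresses are excluded here
  # so home-net traffic aimed at the router itself does not match.
  fw add 4500 allow all from "${MAFNET}" to not "${ALLMYIPS},${LOCALNETS}"
  fw add 4600 allow all from not "${ALLMYIPS},${LOCALNETS}" to "${MAFNET}"
  #----------------------------------------------------------------------
  # Default action. `logamount 0` means unbounded logging: a flood of
  # rejected packets is logged without limit, so consider a bound.
  fw add 65534 "${DEFAULTACTION}" log logamount 0 all from any to any
  # Remove the temporary catch-all; the rule set is now in force.
  fw delete 90
}

#######################################
# Drop the rule set and pass everything (firewall effectively off).
# The original `stop` arm contained a stray bare `divert` line, which bash
# would try to run as a command; it has been removed.
# Outputs:  progress line to stdout
#######################################
fw_stop() {
  echo 'Configuring IPFW...'
  fw flush
  fw add 65534 allow all from any to any
}

# `${1:-}` so that a missing argument reaches the usage arm under `set -u`.
# `stop2` was an identical copy of `stop`; kept as an alias for callers.
case "${1:-}" in
  start)
    fw_start
    ;;
  stop|stop2)
    fw_stop
    ;;
  restart)
    # Advertised in the usage line but previously not implemented.
    fw_stop
    fw_start
    ;;
  *)
    printf 'Usage: %s { start | stop | restart}\n' "${0##*/}"
    exit 64
    ;;
esac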
Как, с учётом всего этого, заставить работать интернет и для сети на самом роутере, и для машин за NAT-ом, и при этом иметь только определённый диапазон открытых портов на роутере?