forum.lissyara.su

Код: Выделить всё

${fwcmd} add 4500 divert 8668 ip from ${vpn_inet} to any out via ${EXT}
${fwcmd} add 4510 fwd ${gs_gw} ip from ${IP_EXT} to any
${fwcmd} add 4520 divert 8668 ip from any to ${IP_EXT} in via ${EXT}
${fwcmd} add 4530 allow ip from any to ${vpn_inet} in via ${EXT}

${fwcmd} add 4501 divert 8778 ip from ${vpn_inet_stk} to any
${fwcmd} add 4511 fwd ${stk_gw} ip from ${IP_EXT_STK} to any
${fwcmd} add 4521 divert 8778 ip from any to ${IP_EXT_STK}
${fwcmd} add 4531 allow ip from any to ${vpn_inet_stk}

Код: Выделить всё

fwcmd="/sbin/ipfw -q"
${fwcmd} -f flush
${fwcmd} pipe flush
${fwcmd} queue flush
SSH="10.0.7.0{1-7}";

${fwcmd} add 9 allow tcp from ${SSH} to me 22
${fwcmd} add 9 allow tcp from me 22 to ${SSH}
${fwcmd} add 10 deny tcp from any to me dst-port 22,135-139,445,3306,5505,9990,9996,1812,1813

${fwcmd} add 021 allow ip from 10.0.6.0/23 to me
${fwcmd} add 022 allow ip from me to 10.0.6.0/23

krsix_ip="172.17.2**.0/26";
vpn_inet="192.168.10.0/25";
vpn_inet_stk="192.168.11.0/25";
inet_ip="84.2*.***.***/28";
gs_gw="84.2*.***.*";
stk_gw="10.0.*.*";
INT_VPN="ng*";
IP_EXT_STK="10.0.6.*";
inet_6="10.0.6.0{********}";
inet_7="10.0.7.0{********}";
${fwcmd} add 4000 allow all from ${krsix_ip} to any
${fwcmd} add 4001 allow all from any to ${krsix_ip}

${fwcmd} add 5000 allow all from ${inet_ip} to any
${fwcmd} add 5001 allow all from any to ${inet_ip}

${fwcmd} add 4500 divert 8668 ip from ${vpn_inet} to any out via ${EXT}
${fwcmd} add 4510 fwd ${gs_gw} ip from ${IP_EXT} to any
${fwcmd} add 4520 divert 8668 ip from any to ${IP_EXT} in via ${EXT}
${fwcmd} add 4530 allow ip from any to ${vpn_inet} in via ${EXT}
${fwcmd} add 4501 divert 8778 ip from ${vpn_inet_stk} to any
${fwcmd} add 4511 fwd ${stk_gw} ip from ${IP_EXT_STK} to any
${fwcmd} add 4521 divert 8778 ip from any to ${IP_EXT_STK}
${fwcmd} add 4531 allow ip from any to ${vpn_inet_stk}



${fwcmd} add 4110 allow ip from ${inet_6} to any in via ${INT}
${fwcmd} add 4111 allow ip from ${inet_7} to any in via ${INT}
${fwcmd} add 4121 divert 8668 ip from ${inet_6} to any out xmit ${EXT}
${fwcmd} add 4122 divert 8668 ip from ${inet_7} to any out xmit ${EXT}
${fwcmd} add 4131 divert 8668 ip from any to ${IP_EXT} in via ${EXT}
${fwcmd} add 4141 allow ip from any to ${inet_6} in via ${EXT}
${fwcmd} add 4142 allow ip from any to ${inet_7} in via ${EXT}
${fwcmd} add 4170 allow ip from any to ${inet_6} recv ${EXT} xmit ${INT}
${fwcmd} add 4170 allow ip from any to ${inet_7} recv ${EXT} xmit ${INT}
${fwcmd} add 5300 allow all from me to any
${fwcmd} add 5301 allow all from any to me

Код: Выделить всё

 divert 8778 log logamount 100 ip from 192.168.11.52 to any
fwd шлюз_второго_канала ip from ip_интерфейса_второго канала to any out via rl0

Код: Выделить всё

 1  10.100.100.10  2.779 ms  4.725 ms  6.703 ms
 2  10.100.100.10  8.709 ms !H  9.674 ms !H  11.660 ms !H

Код: Выделить всё

05101         0           0                     divert 8778 ip from 192.168.11.0/24 to any out via rl2
05201         0           0                     fwd 10.0.7.7 ip from 10.0.7.15 to any out via rl2
05301  35446814 37343784966        divert 8668 log logamount 100 ip from 192.168.10.0/24 to any out via rl1
05401     62046    77376812            fwd 84.22.1**.1 log logamount 100 ip from 84.22.1**.2 to any out via rl1
05501         0           0                    divert 8778 ip from any to 10.0.7.5 in via rl0
05601  28490585 16983034146       divert 8668 ip from any to 84.22.1**.2 in via rl1
05701        23        2181                 allow ip from 192.168.10.0/23 to any in via ng*
05801  28442420 16980467659       allow ip from not 192.168.10.0/23 to 192.168.10.0/23

Код: Выделить всё

Dec 10 15:27:34 user kernel: ipfw: 5201 Forward to 10.0.7.7 UDP 10.0.7.15:60895 194.87.0.50:33448 out via rl1

Код: Выделить всё

netstat -rn | grep 10.0.7.7
10.0.7.7           00:*0:4*:*b:90:3a  UHLS        1       84    rl2

Код: Выделить всё

options         NETGRAPH
options         NETGRAPH_BPF
options         NETGRAPH_IFACE
options         NETGRAPH_KSOCKET
options         NETGRAPH_MPPC_ENCRYPTION
options         NETGRAPH_PPP
options         NETGRAPH_PPTPGRE
options         NETGRAPH_SOCKET
options         NETGRAPH_TCPMSS
options         NETGRAPH_VJC
options         IPFIREWALL
options         IPFIREWALL_VERBOSE
options         IPFIREWALL_VERBOSE_LIMIT=100
options         IPFIREWALL_FORWARD
options         IPDIVERT
options         DUMMYNET
options	   TCP_DROP_SYNFIN

Код: Выделить всё

05301 divert 8668 log logamount 100 ip from 192.168.10.0/24 to any out via rl1
05350 allow ip from 84.22.1**.2 to any out via rl1
05601 divert 8668 ip from any to 84.22.1**.2 in via rl1
05602 divert 8669 log logamount 100 ip from 192.168.11.5 to any xmit rl2
05603 fwd 10.0.7.7 log logamount 100 ip from 10.0.7.15 to any out via rl2
05604 divert 8669 ip from any to 10.0.7.15 in via rl2
05605 allow ip from any to 192.168.10.0/23 in via rl1
05701 allow ip from 192.168.10.0/23 to any in via ng*
05801 allow ip from not 192.168.10.0/23 to 192.168.10.0/23

Код: Выделить всё

# ipfw show 5301-5801
05301  52318564  49684788338    divert 8668 log logamount 100 ip from 192.168.10.0/24 to any out via rl1
05350     51611      4296224          allow ip from 84.22.1**.2 to any out via rl1
05601  46916045  33677951487     divert 8668 ip from any to 84.22.1**.2 in via rl1
05602         0            0                  divert 8669 log logamount 100 ip from 192.168.11.5 to any xmit rl2
05603         0            0                  fwd 10.0.7.7 log logamount 100 ip from 10.0.7.15 to any out via rl2
05604         0            0                  divert 8669 ip from any to 10.0.7.15 in via rl2
05605     70873     77154797          allow ip from any to 192.168.10.0/23 in via rl1
05701        23         2181                allow ip from 192.168.10.0/23 to any in via ng*
05801  46731593  33595191230      allow ip from not 192.168.10.0/23 to 192.168.10.0/23

Код: Выделить всё

  netstat -rn | grep -v : | grep -v ng

Destination        Gateway            Flags    Refs      Use  Netif Expire
default            84.22.139.1        UGS         0 72265613    rl1
10                 link#3             UC          0        0    rl2
10.0.6/24          10.0.7.1           UGS         0 302468130    rl0 =>
10.0.6/23          link#1             UC          0        0    rl0
10.100.100.10      127.0.0.1          UH          0        0    lo0
84.22.139/24       link#2             UC          0        0    rl1
127.0.0.1          127.0.0.1          UH          0   117301    lo0