из интереса, для общего развития, и ради, так сказать, взаимопомощи, реализовал схему сети на виртуалках в VMware
net1# ifconfig
em0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
options=9b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM>
ether 00:0c:29:95:10:8e
inet 10.10.241.241 netmask 0xffffff80 broadcast 10.10.241.255
media: Ethernet autoselect (1000baseT <full-duplex>)
status: active
em1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
options=9b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM>
ether 00:0c:29:95:10:98
inet 192.168.1.241 netmask 0xffffff00 broadcast 192.168.1.255
media: Ethernet autoselect (1000baseT <full-duplex>)
status: active
em2: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
options=9b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM>
ether 00:0c:29:95:10:a2
inet 192.168.50.241 netmask 0xffffff00 broadcast 192.168.50.255
media: Ethernet autoselect (1000baseT <full-duplex>)
status: active
em3: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
options=9b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM>
ether 00:0c:29:95:10:ac
inet 192.168.60.241 netmask 0xffffff00 broadcast 192.168.60.255
media: Ethernet autoselect (1000baseT <full-duplex>)
status: active
em4: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
options=9b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM>
ether 00:0c:29:95:10:b6
inet 192.168.40.241 netmask 0xffffff00 broadcast 192.168.40.255
media: Ethernet autoselect (1000baseT <full-duplex>)
status: active
em5: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
options=9b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM>
ether 00:0c:29:95:10:c0
inet 192.168.0.21 netmask 0xffffff00 broadcast 192.168.0.255
media: Ethernet autoselect (1000baseT <full-duplex>)
status: active
plip0: flags=8810<POINTOPOINT,SIMPLEX,MULTICAST> metric 0 mtu 1500
ipfw0: flags=8801<UP,SIMPLEX,MULTICAST> metric 0 mtu 65536
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
options=3<RXCSUM,TXCSUM>
inet 127.0.0.1 netmask 0xff000000
net1# cat /etc/rc.conf
# This file now contains just the overrides from /etc/defaults/rc.conf.
# Please make all changes to this file, not to /etc/defaults/rc.conf.
hostname="net1"
#hostname="host1.testnet.local"
keymap="ru.koi8-r"
sshd_enable="YES"
# Turns on IP forwarding between all six em* interfaces. Once this is set,
# any traffic that must not cross between the attached networks has to be
# blocked explicitly by the ipfw ruleset -- the kernel itself forwards it.
gateway_enable="YES" # Set to YES if this host will be a gateway
# Static addresses for the five inside/upstream interfaces. The one-word
# comments (dc0, sgte0, ...) presumably name the physical NICs on the
# original host that each VMware em* interface stands in for -- confirm.
# dc0
ifconfig_em0="inet 10.10.241.241 netmask 255.255.255.128"
# sgte0
ifconfig_em1="inet 192.168.1.241 netmask 255.255.255.0"
# re0
ifconfig_em2="inet 192.168.50.241 netmask 255.255.255.0"
# fxp0
ifconfig_em3="inet 192.168.60.241 netmask 255.255.255.0"
# wlan0
ifconfig_em4="inet 192.168.40.241 netmask 255.255.255.0"
# em5 gets its address and the default route from DHCP; netstat shows the
# resulting default route (192.168.0.1 via em5).
ifconfig_em5="DHCP"
net1# natstat -rn
natstat: Command not found.
net1# netstat -rn
Routing tables
Internet:
Destination Gateway Flags Refs Use Netif Expire
default 192.168.0.1 UGS 0 0 em5
10.0.0.0/8 10.10.241.129 UGS 0 0 em0
10.10.241.128/25 link#1 U 0 1 em0
10.10.241.241 link#1 UHS 0 0 lo0
127.0.0.1 link#9 UH 0 4 lo0
192.168.0.0/24 link#6 U 1 456 em5
192.168.1.0/24 link#2 U 0 0 em1
192.168.1.241 link#2 UHS 0 0 lo0
192.168.40.0/24 link#5 U 0 15 em4
192.168.40.241 link#5 UHS 0 0 lo0
192.168.50.0/24 link#3 U 0 0 em2
192.168.50.241 link#3 UHS 0 0 lo0
192.168.60.0/24 link#4 U 0 0 em3
192.168.60.241 link#4 UHS 0 0 lo0
195.208.0.0/16 10.10.241.129 UGS 0 21 em0
net1# cat ipfw
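#!/bin/sh
# ipfw ruleset loader for net1: NAT towards two upstreams (RadIf, MainWIf)
# plus bandwidth pipes for the local networks. Must run as root; every
# invocation flushes the rule list and rebuilds it from scratch.
#
# one_pass=0: a packet that matched a "pipe" or "nat" rule re-enters the
# ruleset at the following rule instead of being accepted outright, so the
# allow/deny rules further down still apply to shaped/translated traffic.
/sbin/sysctl net.inet.ip.fw.one_pass=0

fw=/sbin/ipfw

# Upstream 1: link on em0. NAT instance 2 hides inside hosts behind RadIP.
RadIf="em0"
RadIP="10.10.241.241"
RadLan="10.0.0.0/8"          # not referenced below; kept for reference
# Upstream 2: main uplink on em1. NAT instance 1 hides inside hosts behind MainWIP.
MainWIf="em1"
MainWIP="192.168.1.241"
MainWLan="192.168.1.0/24"    # not referenced below; kept for reference
# Local networks behind this gateway.
MyIf="em2"
MyIP="192.168.50.241"        # not referenced below; kept for reference
MyLan="192.168.50.0/24"
LocIf="em3"
LocIP="192.168.60.241"       # not referenced below; kept for reference
LocLan="192.168.60.0/24"
WireIf="em4"
WireIP="192.168.40.241"      # not referenced below; kept for reference
WireLan="192.168.40.0/24"
# Destinations reached through RadIf; everything else goes out MainWIf.
# Kept as ONE comma-separated token with no spaces so it can be quoted and
# concatenated into larger ipfw address lists without relying on
# word-splitting (the original " a/8, b/16" form only worked by accident).
dc0_nets="10.0.0.0/8,195.208.0.0/16"

"$fw" -f flush
"$fw" nat 2 config ip "$RadIP"
"$fw" nat 1 config ip "$MainWIP"
# Six identical pipes: odd = inbound from LAN, even = outbound to LAN.
for p in 1 2 3 4 5 6; do
  "$fw" pipe "$p" config bw 3500kbit/s
done

# Management access. NOTE: this admits SSH to the box from every attached
# network, including WireLan, because it is evaluated before the WireLan
# deny rule further down; narrow the source if that is not intended.
"$fw" add allow ip from any to me 22
"$fw" add allow ip from me 22 to any
#"$fw" add deny ip from any to any frag
"$fw" add allow ip from any to any via lo0

echo
echo Back to the NAT
# Reverse translation for replies arriving on the two upstream interfaces.
"$fw" add nat 2 all from "$dc0_nets" to "$RadIP" in recv "$RadIf"
"$fw" add nat 1 all from not "$dc0_nets" to "$MainWIP" in recv "$MainWIf"

echo
echo "MyLan <-> any ($MyLan <-> any)"
# MyLan is translated but not shaped.
"$fw" add nat 2 all from "$MyLan" to "$dc0_nets" out recv "$MyIf" xmit "$RadIf"
"$fw" add nat 1 all from "$MyLan" to not "$dc0_nets" out recv "$MyIf" xmit "$MainWIf"

echo
echo "LocLan <-> RadIf ($LocLan <-> $RadIf)"
"$fw" add pipe 1 all from "$LocLan" to "$dc0_nets" in recv "$LocIf"
"$fw" add pipe 2 all from "$dc0_nets" to "$LocLan" out recv "$RadIf" xmit "$LocIf"
"$fw" add nat 2 all from "$LocLan" to "$dc0_nets" out recv "$LocIf" xmit "$RadIf"

echo
echo "LocLan <-> MainWIf ($LocLan <-> $MainWIf)"
"$fw" add pipe 3 all from "$LocLan" to not "$dc0_nets" in recv "$LocIf"
"$fw" add pipe 4 all from not "$dc0_nets" to "$LocLan" out recv "$MainWIf" xmit "$LocIf"
"$fw" add nat 1 all from "$LocLan" to not "$dc0_nets" out recv "$LocIf" xmit "$MainWIf"

echo
echo "WireLan <-> RadIf ($WireLan <-> $RadIf)"
"$fw" add pipe 5 all from "$WireLan" to "$dc0_nets" in recv "$WireIf"
"$fw" add pipe 6 all from "$dc0_nets" to "$WireLan" out recv "$RadIf" xmit "$WireIf"
"$fw" add nat 2 all from "$WireLan" to "$dc0_nets" out recv "$WireIf" xmit "$RadIf"

echo
echo ""
# WireLan may talk to RadIf destinations and the other local networks only;
# anything else entering from WireLan (e.g. towards MainWLan) is dropped.
"$fw" add allow all from "$WireLan" to "${dc0_nets},${LocLan},${MyLan},${WireLan}" in recv "$WireIf"
"$fw" add allow all from "$dc0_nets" to "$WireLan" out recv "$RadIf" xmit "$WireIf"
"$fw" add deny all from "$WireLan" to any in

echo
echo ololo
# Catch-all: everything not matched above is accepted and logged, so the
# policy of this ruleset is default-allow (the implicit rule 65535 on this
# host is "allow ip from any to any" as well).
"$fw" add allow log ip from any to any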
net1# ipfw show
00100 188 12876 allow ip from any to me dst-port 22
00200 141 14556 allow ip from me 22 to any
00300 0 0 allow ip from any to any via lo0
00400 7 392 nat 2 ip from 10.0.0.0/8,195.208.0.0/16 to 10.10.241.241 in recv em0
00500 0 0 nat 1 ip from not 10.0.0.0/8,195.208.0.0/16 to 192.168.1.241 in recv em1
00600 0 0 nat 2 ip from 192.168.50.0/24 to 10.0.0.0/8,195.208.0.0/16 out recv em2 xmit em0
00700 0 0 nat 1 ip from 192.168.50.0/24 to not 10.0.0.0/8,195.208.0.0/16 out recv em2 xmit em1
00800 0 0 pipe 1 ip from 192.168.60.0/24 to 10.0.0.0/8,195.208.0.0/16 in recv em3
00900 0 0 pipe 2 ip from 10.0.0.0/8,195.208.0.0/16 to 192.168.60.0/24 out recv em0 xmit em3
01000 0 0 nat 2 ip from 192.168.60.0/24 to 10.0.0.0/8,195.208.0.0/16 out recv em3 xmit em0
01100 0 0 pipe 3 ip from 192.168.60.0/24 to not 10.0.0.0/8,195.208.0.0/16 in recv em3
01200 0 0 pipe 4 ip from not 10.0.0.0/8,195.208.0.0/16 to 192.168.60.0/24 out recv em1 xmit em3
01300 0 0 nat 1 ip from 192.168.60.0/24 to not 10.0.0.0/8,195.208.0.0/16 out recv em3 xmit em1
01400 16 640 pipe 5 ip from 192.168.40.0/24 to 10.0.0.0/8,195.208.0.0/16 in recv em4
01500 7 392 pipe 6 ip from 10.0.0.0/8,195.208.0.0/16 to 192.168.40.0/24 out recv em0 xmit em4
01600 7 280 nat 2 ip from 192.168.40.0/24 to 10.0.0.0/8,195.208.0.0/16 out recv em4 xmit em0
01700 16 640 allow ip from 192.168.40.0/24 to 10.0.0.0/8,195.208.0.0/16,192.168.60.0/24,192.168.50.0/24,192.168.40.0/24 in recv em4
01800 7 392 allow ip from 10.0.0.0/8,195.208.0.0/16 to 192.168.40.0/24 out recv em0 xmit em4
01900 8 570 deny ip from 192.168.40.0/24 to any in
02000 29 1875 allow log logamount 100 ip from any to any
65535 320 35623 allow ip from any to any
файер, естественно, далеко не весь, но часть с пайпами и натом по моему разумению работает
внутренние сетки бегают между собой и наружу. 192.168.40/24 не может бегать на 192.168.1/24
ограничение на доступ внешних локалок к внутренним оставлю в качестве домашнего задания
машина пингуется из всех сеток - 10.10.241.128/25 , 192.168.{1,40,50,60}/24 , 195.208/16
Кому интересно - вышлю пачку виртуалок, на которых производились опыты - суммарно около 4 гектаров, оперативки надо, наверное, 2 гектара (8 машин по 256 памяти)
:wq
Человек начинает получать первые наслаждения от знакомства с unix системами. Ему нужно помочь - дальше он сможет получать наслаждение самостоятельно ©
Ламер — не желающий самостоятельно разбираться. Не путать с новичком: ламер опасен и знает это!