NAT+IPFW
Добавлено: 2007-05-04 8:08:21
Привет всем!
сильно не пинайте...
ситуёвина такая: не фуричит нихрена.....
нужно всего-навсего, чтоб через шлюз выходили без ограничения две подсетки.....
а всем остальным доступ был закрыт.....
может, всё, что пишу в правилах, и не нужно
как правильно написать правила плз подскажите
сеть такая :
локалка 10.7.64.0/19 выходит наружу через шлюз с реальным айпи:
rc.conf
# Default route: the provider's router (.17) on the public /28 attached to bge1.
defaultrouter="83.xxx.xxx.17"
# Forward packets between bge0 and bge1 -- required for this host to act as a router/NAT box.
gateway_enable="YES"
keymap="ru.koi8-r"
linux_enable="YES"
saver="fire"
usbd_enable="YES"
sshd_enable="YES"
# LAN side: this host is 10.7.66.250 inside 10.7.64.0/19 (netmask 255.255.224.0).
ifconfig_bge0="inet 10.7.66.250 netmask 255.255.224.0"
# Provider side: public address .18 inside the /28 (netmask 255.255.255.240).
ifconfig_bge1="inet 83.xxx.xxx.18 netmask 255.255.255.240"
hostname="gtw6"
# ipfw is enabled and the whole ruleset is taken from /etc/rc.ipfw instead of a stock firewall_type set.
firewall_enable="YES"
firewall_script="/etc/rc.ipfw"
firewall_logging="YES"
# natd is started by rc with every option read from /etc/natd.conf (see that file for the divert port).
natd_enable="YES"
natd_program="/sbin/natd"
natd_flags="-f /etc/natd.conf"
rc.ipfw
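#!/bin/sh
#
# /etc/rc.ipfw -- ipfw ruleset for the gateway: NAT for the LAN behind bge0
# towards the provider uplink on bge1, a transparent HTTP proxy redirect and
# an off-hours bandwidth pipe for traffic entering the LAN.
#
# Loaded through firewall_script="/etc/rc.ipfw" in rc.conf; natd itself is
# started separately by rc (natd_enable) and must listen on the divert port
# these rules send packets to.
#
# ipfw(8) does not stop this script when one "add" fails: a malformed rule is
# simply skipped and the ruleset ends up incomplete without any visible sign.
# Every rule therefore goes through fw(), which reports failures on stderr.

FwCMD="/sbin/ipfw"
LanOut="bge1"               # provider-facing interface
NetOut="83.xxx.xxx.16/28"   # provider subnet on ${LanOut}
IpOut="83.xxx.xxx.18"       # this host's public address on ${LanOut}
LanIn="bge0"                # LAN-facing interface
ip_lan="10.7"               # first two octets of the LAN block; used to spell subnets below
NetIn="10.7.64.0/19"        # whole LAN block behind ${LanIn}

# Run one ipfw command.  On failure print the command and its exit status to
# stderr and carry on, so a typo in a rule shows up in the boot log instead of
# silently disappearing.
fw() {
  "${FwCMD}" "$@" || printf 'rc.ipfw: ipfw %s failed (status %s)\n' "$*" "$?" >&2
}

# Start from an empty ruleset, pipe and queue table.
fw -f flush
fw -f pipe flush
fw -f queue flush

# Off-hours shaping: before 08:00 and from 17:00 on, everything addressed to
# the LAN from outside it is squeezed through a 33600 bit/s pipe.
# The hour is sampled only when this script runs (boot / firewall restart),
# so this is not a schedule: whatever applied at start-up stays in effect.
chour=$(date '+%H')
chour=${chour#0}   # "08" -> "8": keep test(1) from seeing a leading zero
if [ "${chour}" -lt 8 ] || [ "${chour}" -ge 17 ]; then
  fw add pipe 1 ip from not "${NetIn}" to "${NetIn}"
  fw pipe 1 config bw 33600 bit/s
fi

# Loopback traffic is always fine; loopback addresses never belong on the wire.
fw add allow ip from any to any via lo0
fw add deny ip from any to 127.0.0.0/8
fw add deny ip from 127.0.0.0/8 to any

# Anti-spoofing: LAN addresses must not arrive from the uplink, provider
# addresses must not arrive from the LAN.
# NOTE(review): only ${NetOut} sources are rejected on ${LanIn}; any other
# non-${NetIn} source arriving on the LAN side is still evaluated by the
# rules below.  'deny ip from not ${NetIn} to any in via ${LanIn}' would close
# that -- confirm nothing legitimate on the LAN uses other source addresses.
fw add deny ip from "${NetIn}" to any in via "${LanOut}"
fw add deny ip from "${NetOut}" to any in via "${LanIn}"

# Private / reserved destinations arriving from the uplink.
fw add deny ip from any to 172.16.0.0/12 in via "${LanOut}"
fw add deny ip from any to 192.168.0.0/16 in via "${LanOut}"
fw add deny ip from any to 0.0.0.0/8 in via "${LanOut}"
fw add deny ip from any to 169.254.0.0/16 in via "${LanOut}"
fw add deny ip from any to 240.0.0.0/4 in via "${LanOut}"

# Fragmented ICMP and broadcast pings on the uplink are dropped (logged).
fw add deny icmp from any to any frag
fw add deny log icmp from any to 255.255.255.255 in via "${LanOut}"
fw add deny log icmp from any to 255.255.255.255 out via "${LanOut}"

# Transparent proxy: LAN web traffic is handed to the proxy on 10.7.66.252:3128.
# NOTE(review): this rule matches on the ${LanOut} pass; a transparent-proxy
# redirect is usually placed on the inbound pass of the LAN interface
# ("in via ${LanIn}").  Worth checking first if the redirect does not take.
fw add fwd 10.7.66.252,3128 tcp from "${NetIn}" to any 80 via "${LanOut}"

# NAT: outbound LAN traffic is rewritten to ${IpOut}, replies rewritten back.
# After the divert the packet re-enters ipfw at the next rule with the
# rewritten addresses.
# NOTE(review): these rules divert to the service name "natd" (8668/divert in
# the stock /etc/services), while natd.conf says "port 8868".  Unless
# /etc/services maps natd to 8868, natd listens where nothing is diverted and
# every NAT'ed packet is dropped -- make the two agree.
fw add divert natd ip from "${NetIn}" to any out via "${LanOut}"
fw add divert natd ip from any to "${IpOut}" in via "${LanOut}"

# Private / reserved sources must not leak out of the uplink.
fw add deny ip from 172.16.0.0/12 to any out via "${LanOut}"
fw add deny ip from 192.168.0.0/16 to any out via "${LanOut}"
fw add deny ip from 0.0.0.0/8 to any out via "${LanOut}"
fw add deny ip from 169.254.0.0/16 to any out via "${LanOut}"
fw add deny ip from 224.0.0.0/4 to any out via "${LanOut}"
fw add deny ip from 240.0.0.0/4 to any out via "${LanOut}"

# ICMP echo reply/request and time-exceeded (ping, traceroute) everywhere.
fw add allow icmp from any to any icmptypes 0,8,11

# Traffic on the LAN side addressed to or sourced from LAN addresses.
# NAT'ed replies from outside carry an external source and do not match
# these; for them only the "established" rule below opens the way, so only
# TCP return traffic reaches LAN clients.
fw add allow ip from any to "${NetIn}" in via "${LanIn}"
fw add allow ip from "${NetIn}" to any out via "${LanIn}"

# Established TCP in either direction.
fw add allow tcp from any to any established

# DNS for the gateway itself.
# NOTE(review): no rule lets UDP from ${NetIn} out through the uplink, so LAN
# clients cannot query an external resolver directly; they need a resolver
# inside ${NetIn} (or a matching udp 53 rule for the permitted subnets).
fw add allow udp from any 53 to "${IpOut}" in via "${LanOut}"
fw add allow udp from "${IpOut}" to any 53 out via "${LanOut}"

# Services offered on the public address: FTP (20,21) and SSH (22).
fw add allow tcp from any to "${IpOut}" 20,21 in via "${LanOut}" setup
fw add allow tcp from any to "${IpOut}" 22 in via "${LanOut}" setup

# Game traffic (UDP 27015-27025) in both directions, LAN <-> uplink.
fw add allow udp from any 27015-27025 to "${NetIn}" in via "${LanOut}"
fw add allow udp from any 27015-27025 to "${NetIn}" out via "${LanIn}"
fw add allow udp from "${NetIn}" to any 27015-27025 in via "${LanIn}"
fw add allow udp from "${IpOut}" to any 27015-27025 out via "${LanOut}"

# Any other inbound connection attempt on the uplink is logged and dropped.
fw add deny log tcp from any to "${IpOut}" in via "${LanOut}" setup

# Outbound connections from the gateway itself -- including NAT'ed LAN
# connections, which carry ${IpOut} as source after the divert above.
fw add allow tcp from "${IpOut}" to any out via "${LanOut}" setup

# LAN -> the gateway's public address, and ICQ (5190) from the whole LAN.
fw add allow tcp from any to "${IpOut}" in via "${LanIn}" setup
fw add allow tcp from "${NetIn}" to any 5190 in via "${LanIn}" setup

# The two subnets allowed to open TCP connections to the outside world.
# The original rule for ${ip_lan}.66.0/24 had no space before "to"
# ("/24to"), so ipfw rejected it and that subnet never received its allow
# rule.  Only TCP is opened here; UDP from these subnets hits the final deny.
fw add allow tcp from "${ip_lan}.66.0/24" to not "${NetIn}" in via "${LanIn}" setup
fw add allow tcp from "${ip_lan}.68.0/24" to not "${NetIn}" in via "${LanIn}" setup

# Default: drop everything else.
fw add deny ip from any to any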
natd.conf
use_sockets yes
same_ports yes
port 8868
interface bge1
сильно не пинайте...
ситуёвина такая: не фуричит нихрена.....
нужно всего-навсего, чтоб через шлюз выходили без ограничения две подсетки.....
а всем остальным доступ был закрыт.....
может, всё, что пишу в правилах, и не нужно
как правильно написать правила плз подскажите
сеть такая :
локалка 10.7.64.0/19 выходит наружу через шлюз с реальным айпи:
rc.conf
# Default route: the provider's router (.17) on the public /28 attached to bge1.
defaultrouter="83.xxx.xxx.17"
# Forward packets between bge0 and bge1 -- required for this host to act as a router/NAT box.
gateway_enable="YES"
keymap="ru.koi8-r"
linux_enable="YES"
saver="fire"
usbd_enable="YES"
sshd_enable="YES"
# LAN side: this host is 10.7.66.250 inside 10.7.64.0/19 (netmask 255.255.224.0).
ifconfig_bge0="inet 10.7.66.250 netmask 255.255.224.0"
# Provider side: public address .18 inside the /28 (netmask 255.255.255.240).
ifconfig_bge1="inet 83.xxx.xxx.18 netmask 255.255.255.240"
hostname="gtw6"
# ipfw is enabled and the whole ruleset is taken from /etc/rc.ipfw instead of a stock firewall_type set.
firewall_enable="YES"
firewall_script="/etc/rc.ipfw"
firewall_logging="YES"
# natd is started by rc with every option read from /etc/natd.conf (see that file for the divert port).
natd_enable="YES"
natd_program="/sbin/natd"
natd_flags="-f /etc/natd.conf"
rc.ipfw
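#!/bin/sh
#
# /etc/rc.ipfw -- ipfw ruleset for the gateway: NAT for the LAN behind bge0
# towards the provider uplink on bge1, a transparent HTTP proxy redirect and
# an off-hours bandwidth pipe for traffic entering the LAN.
#
# Loaded through firewall_script="/etc/rc.ipfw" in rc.conf; natd itself is
# started separately by rc (natd_enable) and must listen on the divert port
# these rules send packets to.
#
# ipfw(8) does not stop this script when one "add" fails: a malformed rule is
# simply skipped and the ruleset ends up incomplete without any visible sign.
# Every rule therefore goes through fw(), which reports failures on stderr.

FwCMD="/sbin/ipfw"
LanOut="bge1"               # provider-facing interface
NetOut="83.xxx.xxx.16/28"   # provider subnet on ${LanOut}
IpOut="83.xxx.xxx.18"       # this host's public address on ${LanOut}
LanIn="bge0"                # LAN-facing interface
ip_lan="10.7"               # first two octets of the LAN block; used to spell subnets below
NetIn="10.7.64.0/19"        # whole LAN block behind ${LanIn}

# Run one ipfw command.  On failure print the command and its exit status to
# stderr and carry on, so a typo in a rule shows up in the boot log instead of
# silently disappearing.
fw() {
  "${FwCMD}" "$@" || printf 'rc.ipfw: ipfw %s failed (status %s)\n' "$*" "$?" >&2
}

# Start from an empty ruleset, pipe and queue table.
fw -f flush
fw -f pipe flush
fw -f queue flush

# Off-hours shaping: before 08:00 and from 17:00 on, everything addressed to
# the LAN from outside it is squeezed through a 33600 bit/s pipe.
# The hour is sampled only when this script runs (boot / firewall restart),
# so this is not a schedule: whatever applied at start-up stays in effect.
chour=$(date '+%H')
chour=${chour#0}   # "08" -> "8": keep test(1) from seeing a leading zero
if [ "${chour}" -lt 8 ] || [ "${chour}" -ge 17 ]; then
  fw add pipe 1 ip from not "${NetIn}" to "${NetIn}"
  fw pipe 1 config bw 33600 bit/s
fi

# Loopback traffic is always fine; loopback addresses never belong on the wire.
fw add allow ip from any to any via lo0
fw add deny ip from any to 127.0.0.0/8
fw add deny ip from 127.0.0.0/8 to any

# Anti-spoofing: LAN addresses must not arrive from the uplink, provider
# addresses must not arrive from the LAN.
# NOTE(review): only ${NetOut} sources are rejected on ${LanIn}; any other
# non-${NetIn} source arriving on the LAN side is still evaluated by the
# rules below.  'deny ip from not ${NetIn} to any in via ${LanIn}' would close
# that -- confirm nothing legitimate on the LAN uses other source addresses.
fw add deny ip from "${NetIn}" to any in via "${LanOut}"
fw add deny ip from "${NetOut}" to any in via "${LanIn}"

# Private / reserved destinations arriving from the uplink.
fw add deny ip from any to 172.16.0.0/12 in via "${LanOut}"
fw add deny ip from any to 192.168.0.0/16 in via "${LanOut}"
fw add deny ip from any to 0.0.0.0/8 in via "${LanOut}"
fw add deny ip from any to 169.254.0.0/16 in via "${LanOut}"
fw add deny ip from any to 240.0.0.0/4 in via "${LanOut}"

# Fragmented ICMP and broadcast pings on the uplink are dropped (logged).
fw add deny icmp from any to any frag
fw add deny log icmp from any to 255.255.255.255 in via "${LanOut}"
fw add deny log icmp from any to 255.255.255.255 out via "${LanOut}"

# Transparent proxy: LAN web traffic is handed to the proxy on 10.7.66.252:3128.
# NOTE(review): this rule matches on the ${LanOut} pass; a transparent-proxy
# redirect is usually placed on the inbound pass of the LAN interface
# ("in via ${LanIn}").  Worth checking first if the redirect does not take.
fw add fwd 10.7.66.252,3128 tcp from "${NetIn}" to any 80 via "${LanOut}"

# NAT: outbound LAN traffic is rewritten to ${IpOut}, replies rewritten back.
# After the divert the packet re-enters ipfw at the next rule with the
# rewritten addresses.
# NOTE(review): these rules divert to the service name "natd" (8668/divert in
# the stock /etc/services), while natd.conf says "port 8868".  Unless
# /etc/services maps natd to 8868, natd listens where nothing is diverted and
# every NAT'ed packet is dropped -- make the two agree.
fw add divert natd ip from "${NetIn}" to any out via "${LanOut}"
fw add divert natd ip from any to "${IpOut}" in via "${LanOut}"

# Private / reserved sources must not leak out of the uplink.
fw add deny ip from 172.16.0.0/12 to any out via "${LanOut}"
fw add deny ip from 192.168.0.0/16 to any out via "${LanOut}"
fw add deny ip from 0.0.0.0/8 to any out via "${LanOut}"
fw add deny ip from 169.254.0.0/16 to any out via "${LanOut}"
fw add deny ip from 224.0.0.0/4 to any out via "${LanOut}"
fw add deny ip from 240.0.0.0/4 to any out via "${LanOut}"

# ICMP echo reply/request and time-exceeded (ping, traceroute) everywhere.
fw add allow icmp from any to any icmptypes 0,8,11

# Traffic on the LAN side addressed to or sourced from LAN addresses.
# NAT'ed replies from outside carry an external source and do not match
# these; for them only the "established" rule below opens the way, so only
# TCP return traffic reaches LAN clients.
fw add allow ip from any to "${NetIn}" in via "${LanIn}"
fw add allow ip from "${NetIn}" to any out via "${LanIn}"

# Established TCP in either direction.
fw add allow tcp from any to any established

# DNS for the gateway itself.
# NOTE(review): no rule lets UDP from ${NetIn} out through the uplink, so LAN
# clients cannot query an external resolver directly; they need a resolver
# inside ${NetIn} (or a matching udp 53 rule for the permitted subnets).
fw add allow udp from any 53 to "${IpOut}" in via "${LanOut}"
fw add allow udp from "${IpOut}" to any 53 out via "${LanOut}"

# Services offered on the public address: FTP (20,21) and SSH (22).
fw add allow tcp from any to "${IpOut}" 20,21 in via "${LanOut}" setup
fw add allow tcp from any to "${IpOut}" 22 in via "${LanOut}" setup

# Game traffic (UDP 27015-27025) in both directions, LAN <-> uplink.
fw add allow udp from any 27015-27025 to "${NetIn}" in via "${LanOut}"
fw add allow udp from any 27015-27025 to "${NetIn}" out via "${LanIn}"
fw add allow udp from "${NetIn}" to any 27015-27025 in via "${LanIn}"
fw add allow udp from "${IpOut}" to any 27015-27025 out via "${LanOut}"

# Any other inbound connection attempt on the uplink is logged and dropped.
fw add deny log tcp from any to "${IpOut}" in via "${LanOut}" setup

# Outbound connections from the gateway itself -- including NAT'ed LAN
# connections, which carry ${IpOut} as source after the divert above.
fw add allow tcp from "${IpOut}" to any out via "${LanOut}" setup

# LAN -> the gateway's public address, and ICQ (5190) from the whole LAN.
fw add allow tcp from any to "${IpOut}" in via "${LanIn}" setup
fw add allow tcp from "${NetIn}" to any 5190 in via "${LanIn}" setup

# The two subnets allowed to open TCP connections to the outside world.
# The original rule for ${ip_lan}.66.0/24 had no space before "to"
# ("/24to"), so ipfw rejected it and that subnet never received its allow
# rule.  Only TCP is opened here; UDP from these subnets hits the final deny.
fw add allow tcp from "${ip_lan}.66.0/24" to not "${NetIn}" in via "${LanIn}" setup
fw add allow tcp from "${ip_lan}.68.0/24" to not "${NetIn}" in via "${LanIn}" setup

# Default: drop everything else.
fw add deny ip from any to any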
natd.conf
use_sockets yes
same_ports yes
port 8868
interface bge1