forum.lissyara.su

Код: Выделить всё

#!/bin/sh
fw="/sbin/ipfw -q "
$fw -f flush
$fw add check-state
$fw -f pipe flush
$fw -f queue flush
IIF="ng0"
NatIP="хх.хх.хх.хх"
LanOut="rl0"
LanIn="rl1"
LanIp="192.168.1.2"

#NAT--------->
$fw nat 123 config ip ${NatIP} log
$fw add 10 nat 123 ip from 192.168.1.0/24 to any
$fw add 20 nat 123 ip from any to ${NatIP}
#Loopback-------->
${fw} add allow ip from any to any via lo
${fw} add deny ip from any to 127.0.0.0/8
${fw} add deny ip from 127.0.0.0/8 to any
#Allow host local------>
${fw} add allow ip from ${LanIp} to any in via ${LanIn}
${fw} add allow ip from any to ${LanIp} out via ${LanIn}
#Allow host inet--------->
${fw} add allow tcp from any to ${NatIP}  via ${IIF}
#----------------------->

${fw} add deny ip from any to any

Код: Выделить всё

den# ipfw show
00010   3276    522153 nat 123 ip from 192.168.1.0/24 to any
00020   1013     70026 nat 123 ip from any to хх.хх.хх.хх
00100      0         0 check-state
00200      0         0 allow ip from any to any via lo
00300      1        60 deny ip from any to 127.0.0.0/8
00400      0         0 deny ip from 127.0.0.0/8 to any
00500      0         0 allow ip from 192.168.1.2 to any in via rl1
00600    996     69016 allow ip from any to 192.168.1.2 out via rl1
00700      0         0 allow tcp from any to хх.хх.хх.хх via ng0
00800    234     11409 deny ip from any to any
65535 636186 205346488 allow ip from any to any