
Ipfw+Kernel Nat+Squid+Named

Добавлено: 2011-12-13 11:49:12
Charlz_Klug_
Дело было так: В некотором царстве, в некотором государстве жила-была организация. И понадобилось этой организации заполучить доступ в повсеместно-протянутую сеть, дабы люд чиновничий, именуемый планктоном офисным, мог пользоваться прелестями сети интернет и вести дела свои праведные через ейную сеть. И начал делать шлюз добрый молодец — топикстартер. И случились на его пути заморочки не по плечу топикстартеру. И бьёт челом админ начинающий и просит не гневаться, а дать совету мудрого. За сим приступаю к описанию шлюза:


[Charlz_Klug@server-netnew ~]$ uname -a
FreeBSD server-netnew.server-net 8.2-RELEASE FreeBSD 8.2-RELEASE #0: Tue Nov 29 13:10:51 UZT 2011     root@server-netnew.server-net:/usr/obj/usr/src/sys/GENERIC-2011-11-29  amd64
Описание огненной стены от напастей ограждающей:


[Charlz_Klug@server-netnew ~]$ cat /usr/local/etc/ipfw.conf
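#!/bin/sh
#
# /usr/local/etc/ipfw.conf -- ipfw(8) ruleset for the office gateway.
#
# Run by rc(8) through firewall_script (see /etc/rc.conf); the ruleset is
# flushed and rebuilt from scratch on every invocation.
#
#   em0  - LAN side, 192.168.0.0/24, this host is 192.168.0.5
#   tun0 - ppp uplink, public address read from ifconfig at run time
#
# NOTE(review): with the FreeBSD default net.inet.ip.fw.one_pass=1 a packet
# leaves the firewall as accepted right after a matching pipe or nat action,
# so the rules placed after "nat 2" only see traffic that matched neither.
# Confirm the sysctl on this box before reasoning about the rule order.

fw="/sbin/ipfw"
oif="tun0"
iif="em0"
lan="192.168.0.0/24"

# LAN hosts allowed to reach the three external addresses in the "pl" rule
# directly, i.e. without going through the squid redirect.
pl="192.168.0.222,192.168.0.252,192.168.0.170,192.168.0.240"

# Table 1 -- hosts whose incoming traffic is shaped by pipe 1 and whose
# port-80 traffic is redirected to squid.  Whitespace separated on purpose:
# the POSIX for-loop below relies on word splitting.
# NOTE(review): some of these (e.g. .30, .92, .242) have no fixed-address
# reservation in dhcpd.conf and sit inside dynamic ranges, so their table
# membership depends on the lease not changing -- confirm.
shaped_hosts="
  192.168.0.30  192.168.0.137 192.168.0.242 192.168.0.207 192.168.0.118
  192.168.0.164 192.168.0.92  192.168.0.196 192.168.0.177 192.168.0.217
  192.168.0.222 192.168.0.128 192.168.0.240 192.168.0.174 192.168.0.221
  192.168.0.185 192.168.0.50  192.168.0.24  192.168.0.70  192.168.0.215
  192.168.0.119 192.168.0.234 192.168.0.244 192.168.0.179 192.168.0.62
  192.168.0.186 192.168.0.86  192.168.0.138 192.168.0.116 192.168.0.107
  192.168.0.55  192.168.0.151
"

# Private / unroutable ranges dropped in both directions on the uplink.
bogons="10.0.0.0/8 172.16.0.0/12 0.0.0.0/8 169.254.0.0/16 240.0.0.0/4"

# First IPv4 address of the uplink; the whole /22 around it is exempted from
# the shaper below.  Only the first "inet" line is taken so an aliased
# interface cannot produce a multi-line value.
oip=$(ifconfig "${oif}" | awk '$1 == "inet" && $2 != "127.0.0.1" { print $2; exit }')
if [ -z "${oip}" ]; then
  # Happens at boot when ppp has not brought tun0 up yet.  Only the pipe
  # rule is then rejected by ipfw; the rest of the ruleset still loads.
  echo "ipfw.conf: warning: no IPv4 address on ${oif}, pipe 1 rule will fail" >&2
fi

"${fw}" -f flush
"${fw}" table all flush

for h in ${shaped_hosts}; do   # unquoted: word splitting intended
  "${fw}" table 1 add "${h}"
done

# Table 2 -- hosts with unshaped, unrestricted Internet access.
# NOTE(review): the table is currently EMPTY (the only add is commented
# out), so the two "table(2)" rules further down match nothing.
#"${fw}" table 2 add 192.168.0.151

# Shaper: 150 kbit/s, one queue per destination address (mask dst-ip), for
# everything sent to a table-1 host from outside our own /22.
"${fw}" add pipe 1 ip from not "${oip}/22" to "table(1)"
"${fw}" pipe 1 config bw 150000bit/s mask dst-ip 0xffffffff

"${fw}" add allow ip from any to any via lo0

# SSH to the gateway itself from any non-LAN source on the uplink.
# NOTE(review): this is reachable from every external address.
"${fw}" add allow ip from not "${lan}" to me dst-port 22 via "${oif}"

# Loopback and bogon filtering (RFC1918 10/8 and 172.16/12, this-network,
# link-local, class E), both directions on the uplink.
# NOTE(review): 192.168.0.0/16 is not denied on the uplink -- confirm this
# is intended.
"${fw}" add deny ip from any to 127.0.0.0/8
"${fw}" add deny ip from 127.0.0.0/8 to any
for dir in in out; do
  for net in ${bogons}; do   # unquoted: word splitting intended
    "${fw}" add deny ip from any to "${net}" "${dir}" via "${oif}"
  done
done

# Anything between LAN hosts (and to/from the gateway) on the inside
# interface.
"${fw}" add allow ip from "${lan}" to "${lan}" via "${iif}"

# Direct access for the "pl" hosts to three external addresses.
"${fw}" add allow ip from "${pl}" to 81.95.227.98,77.220.195.38,94.141.69.218 via "${iif}"

# Transparent proxy: port-80 TCP from table-1/2 hosts arriving on em0 is
# redirected to the local squid (http_port 3129 intercept).  Table-1 hosts
# additionally get 443, table-2 hosts get everything.
"${fw}" add fwd 127.0.0.1,3129 tcp from "table(1)" to any 80 recv "${iif}"
"${fw}" add fwd 127.0.0.1,3129 tcp from "table(2)" to any 80 recv "${iif}"
"${fw}" add allow ip from "table(1)" to any 443 via "${iif}"
"${fw}" add allow ip from "table(2)" to any via "${iif}"

#==NAT==
# Kernel NAT on the uplink.  deny_in drops inbound packets that have no
# existing translation entry.
"${fw}" nat 2 config if "${oif}" reset same_ports deny_in
"${fw}" add nat 2 ip from any to any via "${oif}"

#==DNS==
# NOTE(review): the two "from any 53 to any" rules are stateless, so any
# packet carrying source port 53 is accepted wherever these rules are
# reached.  Inbound on the uplink is already cut off by nat deny_in; on em0
# they could be narrowed to the local named ("to me 53" / "from me 53") or
# replaced by keep-state.
"${fw}" add allow tcp from any to any 53
"${fw}" add allow tcp from any 53 to any

"${fw}" add allow udp from any to any 53
"${fw}" add allow udp from any 53 to any

# ICMP: echo reply, unreachable, source quench, echo request, time exceeded,
# parameter problem.
"${fw}" add allow icmp from any to any icmptype 0,3,4,8,11,12

#"${fw}" add allow log tcp from ${lan} to any 5190,25,2041 in via ${iif} setup

# Default: log and drop.
"${fw}" add deny log ip from any to any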
Описание Squid'а гипертекст кэширующего:


[Charlz_Klug@server-netnew ~]$ cat /usr/local/etc/squid/squid.conf
# squid.conf for the intercepting proxy that ipfw.conf forwards port-80
# traffic to.  The access lists are the stock skeleton; only http_port and
# coredump_dir are site specific.
acl manager proto cache_object
acl localhost src 127.0.0.1/32 ::1
acl to_localhost dst 127.0.0.0/8 0.0.0.0/32 ::1

# NOTE(review): localnet spans all RFC1918 space, far wider than the
# 192.168.0.0/24 that ipfw.conf actually serves; narrowing it to the real
# LAN limits who can use the proxy if the port is ever reached directly.
acl localnet src 10.0.0.0/8     # RFC1918 possible internal network
acl localnet src 172.16.0.0/12  # RFC1918 possible internal network
acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
acl localnet src fc00::/7       # RFC 4193 local private network range
acl localnet src fe80::/10      # RFC 4291 link-local (directly plugged) machines

acl SSL_ports port 443
acl Safe_ports port 80          # http
acl Safe_ports port 21          # ftp
acl Safe_ports port 443         # https
acl Safe_ports port 70          # gopher
acl Safe_ports port 210         # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280         # http-mgmt
acl Safe_ports port 488         # gss-http
acl Safe_ports port 591         # filemaker
acl Safe_ports port 777         # multiling http
acl CONNECT method CONNECT

# Cache manager only from the box itself.
http_access allow manager localhost
http_access deny manager

# Refuse requests to destination ports outside Safe_ports ...
http_access deny !Safe_ports

# ... and CONNECT tunnels to anything but 443.
http_access deny CONNECT !SSL_ports

http_access allow localnet
http_access allow localhost

http_access deny all

# Intercept port matching "fwd 127.0.0.1,3129" in ipfw.conf; no plain
# forward-proxy port is configured.
http_port 3129 intercept

# Left unset: squid presumably falls back to the system resolver
# (/etc/resolv.conf -> 127.0.0.1, the local named) -- confirm.
#dns_nameservers 192.168.0.5
coredump_dir /var/squid/cache

refresh_pattern ^ftp:           1440    20%     10080
refresh_pattern ^gopher:        1440    0%      1440
refresh_pattern -i (/cgi-bin/|\?) 0     0%      0
refresh_pattern .               0       20%     4320
[Charlz_Klug@server-netnew ~]$
/etc/rc.conf:


[Charlz_Klug@server-netnew ~]$ cat /etc/rc.conf

# -- sysinstall generated deltas -- # Tue Oct 18 21:35:10 2011
# Created: Tue Oct 18 21:35:10 2011
# Enable network daemons for user convenience.
# Please make all changes to this file, not to /etc/defaults/rc.conf.
# This file now contains just the overrides from /etc/defaults/rc.conf.
hostname="server-netnew.server-net"
#ifconfig_re0="DHCP"
keymap="ru.koi8-r"
moused_enable="YES"
sshd_enable="YES"
# Not part of the gateway role; every extra daemon on the border host
# widens its attack surface.
mysql_enable="YES"
apache22_enable="YES"
# IP forwarding between em0 and tun0.
gateway_enable="YES"
# Custom ipfw ruleset (shown above) used instead of /etc/rc.firewall.
firewall_script="/usr/local/etc/ipfw.conf"
firewall_enable="YES"
# DHCP server bound to the LAN interface only.
dhcpd_enable="YES"
dhcpd_interface="em0"
ifconfig_em0="inet 192.168.0.5 netmask 255.255.255.0"
# Persistent (ddial) ppp provides tun0; NAT is done by ipfw "nat 2",
# not by ppp.
ppp_enable="YES"
ppp_mode="ddial"
ppp_nat="NO"
ppp_profile="uzbhim"
rcshutdown_timeout="300"
# ftpd is a cleartext service; see the attack-surface note above.
ftpd_enable="YES"
samba_enable="YES"
# Transparent proxy and the local resolver that the DHCP clients point at.
squid_enable="YES"
named_enable="YES"
/etc/resolv.conf:


[Charlz_Klug@server-netnew ~]$ cat /etc/resolv.conf
nameserver 127.0.0.1
nameserver 84.54.74.228
nameserver 84.54.74.227
nameserver 84.54.74.230
/usr/local/etc/dhcpd.conf:


[Charlz_Klug@server-netnew ~]$ cat /usr/local/etc/dhcpd.conf
# ISC dhcpd for the LAN (em0).  Clients get the gateway as both router and
# DNS server; since the ipfw policy keys on client IPs, the relevant hosts
# are pinned with fixed-address entries below.
option domain-name "server-net";
option domain-name-servers 192.168.0.5;

# 9999999 s is roughly 115 days -- dynamic leases are effectively static.
default-lease-time 9999999;
max-lease-time 9999999;

ddns-update-style none;


# Dynamic pool.  The gaps between the ranges are the fixed-address hosts
# declared further down plus .5, the gateway itself.
# NOTE(review): the first range starts at the network address 192.168.0.0
# and the last one ends at the broadcast address 192.168.0.255; dhcpd is
# presumably not handing those out, but check its log.
# NOTE(review): 192.168.0.242 (ipfw table 1) and 192.168.0.252 (ipfw "pl"
# list) have no reservation here and fall inside the .241-.242 and
# .245-.255 ranges, so the firewall policy for them depends on the lease.
subnet 192.168.0.0 netmask 255.255.255.0 {
next-server 192.168.0.5;
option routers 192.168.0.5;
range 192.168.0.0 192.168.0.4;
range 192.168.0.6 192.168.0.49;
range 192.168.0.51 192.168.0.54;
range 192.168.0.56 192.168.0.69;
range 192.168.0.71 192.168.0.85;
range 192.168.0.87 192.168.0.118;
range 192.168.0.120 192.168.0.127;
range 192.168.0.129 192.168.0.136;
range 192.168.0.138 192.168.0.150;
range 192.168.0.152 192.168.0.161;
range 192.168.0.163 192.168.0.173;
range 192.168.0.175 192.168.0.178;
range 192.168.0.180 192.168.0.184;
range 192.168.0.187 192.168.0.195;
range 192.168.0.197 192.168.0.206;
range 192.168.0.208 192.168.0.214;
range 192.168.0.216 192.168.0.220;
range 192.168.0.223 192.168.0.233;
range 192.168.0.235 192.168.0.239;
range 192.168.0.241 192.168.0.242;
range 192.168.0.245 192.168.0.255;
}

# Static reservations (MAC -> IP).  Numbering skips 05.
host 01 {
  hardware ethernet d0:27:88:38:9b:dc;
  fixed-address 192.168.0.55;
}

host 02 {
hardware ethernet 00:0c:76:e6:59:5a;
fixed-address 192.168.0.196;
}

host 03 {
hardware ethernet 00:15:58:54:a5:2f;
fixed-address 192.168.0.222;
}

host 04 {
hardware ethernet 00:0a:48:1f:0d:07;
fixed-address 192.168.0.128;
}

host 06 {
hardware ethernet 00:15:58:68:cb:3a;
fixed-address 192.168.0.174;
}

host 07 {
hardware ethernet 00:0a:e6:b7:56:f5;
fixed-address 192.168.0.221;
}

host 08 {
hardware ethernet 00:15:58:68:ca:08;
fixed-address 192.168.0.185;
}

host 09 {
hardware ethernet 00:15:58:54:ab:3b;
fixed-address 192.168.0.50;
}

host 10 {
hardware ethernet d0:27:88:33:85:ef;
fixed-address 192.168.0.70;
}

host 11 {
hardware ethernet 00:15:58:68:cb:51;
fixed-address 192.168.0.215;
}

host 12 {
hardware ethernet 00:0b:6a:e7:35:b4;
fixed-address 192.168.0.119;
}

host 13 {
hardware ethernet 00:0a:e6:96:0a:9a;
fixed-address 192.168.0.234;
}

host 14 {
hardware ethernet 00:19:21:2f:c8:c1;
fixed-address 192.168.0.244;
}

host 15 {
hardware ethernet 00:1d:92:29:04:03;
fixed-address 192.168.0.179;
}

host 16 {
hardware ethernet 00:c0:ee:6b:3d:e3;
fixed-address 192.168.0.162;
}

host 17 {
hardware ethernet 00:0c:76:e6:59:f8;
fixed-address 192.168.0.186;
}

host 18 {
hardware ethernet 10:78:d2:8b:1a:4e;
fixed-address 192.168.0.86;
}

host 19 {
hardware ethernet 00:1d:92:3a:0b:1e;
fixed-address 192.168.0.240;
}

host 20 {
hardware ethernet 00:15:58:68:cb:47;
fixed-address 192.168.0.207;
}

host 21 {
hardware ethernet 00:0c:76:e6:58:eb;
fixed-address 192.168.0.151;
}

host 22 {
hardware ethernet 00:21:85:62:6a:a5;
fixed-address 192.168.0.243;
}

host 23 {
hardware ethernet 00:01:2e:0b:5f:17;
fixed-address 192.168.0.137;
}


/etc/namedb/named.conf:


[Charlz_Klug@server-netnew ~]$ cat /etc/namedb/named.conf

options {
        // All file and path names are relative to the chroot directory,
        // if any, and should be fully qualified.
        directory       "/etc/namedb/working";
        pid-file        "/var/run/named/pid";
        dump-file       "/var/dump/named_dump.db";
        statistics-file "/var/stats/named.stats";

        // Loopback and the LAN address only; the uplink (tun0) address is
        // not listed, so the resolver is not bound towards the Internet.
        // NOTE(review): no allow-query / allow-recursion is visible in this
        // excerpt, so reachability rests on listen-on alone -- confirm that
        // nothing further down in the file widens it.
        listen-on       { 127.0.0.1; 192.168.0.5;};


        disable-empty-zone "255.255.255.255.IN-ADDR.ARPA";
        disable-empty-zone "0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.IP6.ARPA";
        disable-empty-zone "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.IP6.ARPA";

        // Same three upstream resolvers as /etc/resolv.conf; everything this
        // server cannot answer itself is forwarded to them.
        forwarders {
                84.54.74.228; 84.54.74.227; 84.54.74.230;
        };
};

До поры до той тёмной, когда запустил топикстартер Named, робил фаервол хорошо: ограничивал скорость остальным и только одной счётной машине давал беспрепятственный пропуск в сеть интернет. Ну а после того, как запустил Named, перестал корректно робить конфиг фаервола. То бишь скорость всем режет, а доступ из таблицы 2-й так совсем не даёт. Как решить сию проблему и где ошибаюсь я?

Re: Ipfw+Kernel Nat+Squid+Named

Добавлено: 2011-12-14 17:15:58
mak_v_
У меня нога болит - дайте пить зелёнки, вот вам карта живота - начинайте же лечить, и немого спирта внутрь мне намажьте толстым слоем.
А если по теме — соберите волю в кулак и читайте логи и маны. Фаервол не режет или сквид? Что не режет? Бред, в общем.

Re: Ipfw+Kernel Nat+Squid+Named

Добавлено: 2011-12-15 12:24:02
Charlz_Klug_
Спасибо, помогло.