FreeBSD router
Добавлено: 2012-05-16 12:19:25
Проблема в следующем. Есть внутренний сервер на котором крутятся базы. Они доступны на порту 22112.
Извне все работает. Для этого используется связка ipfw+nat. НО... Если в сети забить <Внешний_ИП>:22112, то клиент отказывается коннектиться, а если внутренний адрес то соединяется. Я бы забил на это, но есть мобильные пользователи, которым влом прописывать каждый раз. Не подскажете в какую сторону копать?
tcpdump молчит.
Извне все работает. Для этого используется связка ipfw+nat. НО... Если в сети забить <Внешний_ИП>:22112, то клиент отказывается коннектиться, а если внутренний адрес то соединяется. Я бы забил на это, но есть мобильные пользователи, которым влом прописывать каждый раз. Не подскажете в какую сторону копать?
tcpdump молчит.
Код: Выделить всё
FreeBSD satellite 8.2-RELEASE FreeBSD 8.2-RELEASE #0: Fri Nov 11 11:59:29 UTC 2011 root@satellitte:/usr/obj/usr/src/sys/FTTB3 amd64
Код: Выделить всё
#!/bin/sh
fwcmd="/sbin/ipfw -q"
# bce0 - link to ISP;
# bge0 - our local net;
# bge1 - security;
${fwcmd} -f flush
# deny grey ip on out interface;
${fwcmd} table 10 flush
${fwcmd} table 10 add 10.0.0.0/8
${fwcmd} table 10 add 172.16.0.0/12
${fwcmd} table 10 add 192.168.0.0/16
${fwcmd} table 10 add 0.0.0.0/8
${fwcmd} table 10 add 169.254.0.0/16
${fwcmd} table 10 add 240.0.0.0/4
# access to security network;
${fwcmd} table 20 flush
${fwcmd} table 20 add 192.168.105.4
${fwcmd} table 20 add 192.168.105.99
${fwcmd} table 20 add 192.168.105.14
${fwcmd} table 20 add 192.168.105.16
${fwcmd} table 20 add 192.168.105.40
# spoofing deny;
${fwcmd} add 60 deny ip from any to any not verrevpath in
# fragmented deny;
${fwcmd} add 65 deny ip from any to any frag
# allow access via lo0;
${fwcmd} add 90 allow ip from any to any via lo0
${fwcmd} add 91 deny ip from any to 127.0.0.0/8
${fwcmd} add 92 deny ip from 127.0.0.0/8 to any
# local subnet access/deny;
${fwcmd} add 96 allow ip from table\(20\) to 192.168.106.0/24
${fwcmd} add 97 allow ip from 192.168.106.0/24 to table\(20\)
${fwcmd} add 98 allow ip from 192.168.105.0/24 to 192.168.106.0/24
${fwcmd} add 99 allow ip from 192.168.106.0/24 to 192.168.105.0/24
#${fwcmd} add 100 deny ip from 192.168.105.0/24 to 192.168.106.0/24
#${fwcmd} add 110 deny ip from 192.168.106.0/24 to 192.168.105.0/24
# deny grey ip;
${fwcmd} add 200 deny ip from any to table\(10\) in via bce0
${fwcmd} add 210 deny log icmp from any to 255.255.255.255 in via bce0
${fwcmd} add 220 deny log icmp from any to 255.255.255.255 out via bce0
# divert some ports with natd;
${fwcmd} add 300 divert natd tcp from 192.168.105.0/24 to 77.47.128.140 119 out via bce0
${fwcmd} add 310 divert natd gre from 192.168.105.0/24 to any out via bce0
# access to contact;
${fwcmd} add 315 divert natd tcp from 192.168.105.2 389,135 to any out via bce0
# this ports added only for testing before squid configured!
${fwcmd} add 320 divert natd tcp from 192.168.105.0/24 to any 80,443,20,21,22,222,5190,3390,11409 out via bce0
# main ports to mail access;
${fwcmd} add 330 divert natd tcp from 192.168.105.0/24 to any 25,993,587,995,465,5060,110,143 out via bce0
# lyubich access;
${fwcmd} add 335 divert natd tcp from 192.168.105.0/24 to any 2106,17453,7777 out via bce0
# ports access to edocs;
${fwcmd} add 340 divert natd tcp from 192.168.105.0/24 to any 5000,9000 out via bce0
# ftp passive mode access;
${fwcmd} add 345 divert natd tcp from 192.168.105.33 to any 10000-65534 out via bce0 keep-state
#${fwcmd} add 346 divert natd tcp from 192.168.105.99 to any 10000-65534 out via bce0 keep-state
# access to liga server at elsi.com.ua;
${fwcmd} add 350 divert natd tcp from 192.168.105.0/24 to any 30583 out via bce0
# access to ukrposhta.com;
${fwcmd} add 355 divert natd tcp from 192.168.105.0/24 to any 8080 out via bce0
${fwcmd} add 400 divert natd tcp from 192.168.105.4 3389,20102,22112 to any out via bce0
${fwcmd} add 480 divert natd icmp from 192.168.105.0/24 to any out via bce0 icmptype 0,3,4,8,11,12
# access to base out;
${fwcmd} add 490 divert natd tcp from 192.168.105.0/24 to any 12010-12012,20101,20102,22010-22012,22111,22112,32010-32012,42010-42012,52010-52012 out via bce0
# ATS port redirect;
${fwcmd} add 535 divert natd udp from any to 91.142.165.174 dst-port 5060,10000-20000 in recv bce0
${fwcmd} add 540 divert natd udp from any to 91.142.165.174 src-port 5060,10000-20000 in recv bce0
${fwcmd} add 545 divert natd udp from 192.168.105.7 to any dst-port 5060,10000-20000 out xmit bce0
${fwcmd} add 550 divert natd udp from 192.168.105.7 to any src-port 5060,10000-20000 out xmit bce0
${fwcmd} add 555 pass udp from any to 192.168.105.7 dst-port 5060,10000-20000 via any
${fwcmd} add 560 pass udp from any to 192.168.105.7 src-port 5060,10000-20000 via any
${fwcmd} add 565 pass udp from 192.168.105.7 to any dst-port 5060,10000-20000 via any
${fwcmd} add 570 pass udp from 192.168.105.7 to any src-port 5060,10000-20000 via any
# pptp server;
${fwcmd} add 575 pass tcp from any to me 1723 in via bce0
${fwcmd} add 580 pass tcp from me 1723 to any out via bce0
${fwcmd} add 585 pass gre from me to any out via bce0
${fwcmd} add 590 pass gre from any to me in via bce0
${fwcmd} add 600 divert natd ip from any to внешний_ип in via bce0
${fwcmd} add 610 allow ip from внешний_ип to any out via bce0
${fwcmd} add 620 allow ip from any to внешний_ип in via bce0
# deny grey ip;
${fwcmd} add 700 deny ip from table\(10\) to any out via bce0
${fwcmd} add 710 deny ip from 240.0.0.0/4 to any out via bce0
# allow access via vpn;
${fwcmd} add 720 allow ip from any to any via ng*
# allow localnet to external ip via local interfaces;
${fwcmd} add 750 allow ip from 192.168.105.0/24 to any in via bge0
${fwcmd} add 760 allow ip from 192.168.106.0/24 to any in via bge1
${fwcmd} add 800 allow ip from any to 192.168.105.0/24 in via bce0
${fwcmd} add 810 allow gre from any to 192.168.105.0/24 in via bce0
${fwcmd} add 850 allow ip from any to 192.168.105.0/24 out via bge0
${fwcmd} add 860 allow ip from any to 192.168.106.0/24 out via bge1
# deny all if not in rules;
${fwcmd} add 65000 deny ip from any to any
