Re: ipfw fwd & pipe связать вместе.
Добавлено: 2014-04-03 1:04:40
Нат как реализован?
И давайте все правила фаерволла(я дал конфиг который работает)
Могу дать и для pppoe
И давайте все правила фаерволла(я дал конфиг который работает)
Могу дать и для pppoe
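#!/bin/sh
#############################################
#**** FireWall - configuration file *****#
#** tailored for the local network **#
#############################################
# This script is POSIX sh (FreeBSD /bin/sh): no bashisms below.
# ipfw binary; the trailing space and the unquoted expansion are deliberate,
# ${FwCMD} is used as a word-split command prefix throughout.
FwCMD="/sbin/ipfw -q "
# table command template
FwTable="${FwCMD} table "
#*******************************************#
#**** ISP1 ****#
#*******************************************#
# Server IP in the ISP1 network
IpOut_ISP1="1.1.1.2"
# Interface facing the ISP1 network
LanOut_ISP1="vr0"
GW_ISP1="1.1.1.1"
# FIB 0 (default) and FIB 2 route through ISP1
/usr/sbin/setfib -0 route add default ${GW_ISP1}
/usr/sbin/setfib -2 route add default ${GW_ISP1}
#*******************************************#
#**** Everything related to ISP2 ****#
#*******************************************#
# Server IP in the ISP2 network
IpOut_ISP2="2.2.2.2"
# Interface facing the ISP2 network (tun0 is the PPPoE session,
# LanOut_ISP2_Phys is the physical carrier of that session)
LanOut_ISP2_Phys="re0"
LanOut_ISP2="tun0"
# ISP2 gateway is the point-to-point peer of the tun0 address:
# ifconfig prints "inet <IpOut_ISP2> --> <peer> netmask ...", field 4 is the peer.
# The trailing space in the pattern stops "inet 2.2.2.2" from also matching 2.2.2.20.
# Variable was misspelled (GW_ISP@) in the original, leaving GW_ISP2 empty for
# the setfib -1 route and both fwd rules below.
GW_ISP2=$(/sbin/ifconfig | /usr/bin/grep "inet ${IpOut_ISP2} " | /usr/bin/awk '{print $4}')
if [ -z "${GW_ISP2}" ]; then
    # Best effort: keep loading the ruleset (it fails closed without the fwd
    # rules), but make the misconfiguration visible instead of silent.
    echo "WARNING: ISP2 gateway not found on ${LanOut_ISP2}; setfib 1 route and fwd rules will be incomplete" 1>&2
fi
# FIB 1 routes through ISP2
/usr/sbin/setfib -1 route add default ${GW_ISP2}
#*******************************************#
#* Everything related to the local network *#
#*******************************************#
# Local network
NetIn="10.0.0.0/24"
# Server IP in the local network
IpIn="10.0.0.1"
# Interface facing the local network
LanIn="em0"
/sbin/sysctl net.inet.ip.forwarding=1
/sbin/sysctl net.inet.ip.fastforwarding=1
# rules added without an explicit number get consecutive numbers
/sbin/sysctl net.inet.ip.fw.autoinc_step=1
#*******************************************#
#***************** SERVICES ****************#
#*******************************************#
#* DNS,NTP *#
TCP="domain"
UDP="domain,ntp"
#############################################
# one_pass disabled: packets re-enter the ruleset after nat/pipe/fwd actions
${FwCMD} disable one_pass
${FwCMD} enable debug
#############################################
################# CLEAN ALL #################
${FwCMD} -f flush
${FwCMD} -f queue flush
${FwCMD} -f pipe flush
${FwCMD} -f sched flush
# NOTE(review): the redirect target 10.1.1.2 is outside NetIn (10.0.0.0/24) - confirm it is reachable.
${FwCMD} nat 4 config if ${LanOut_ISP1} unreg_only same_ports reset log \
redirect_port tcp 10.1.1.2:8000 8000
${FwCMD} nat 5 config if ${LanOut_ISP2} unreg_only same_ports reset log \
redirect_port tcp 10.1.1.2:8000 8000
${FwCMD} add reass in // REASS in
# Dispatch by interface/direction; every packet that matches none of these
# interfaces is sent straight to the final deny.
${FwCMD} add skipto 15000 in via lo0 // MOVE incoming LoopBack
${FwCMD} add skipto 20000 out via lo0 // MOVE outgoing LoopBack
${FwCMD} add skipto 25000 in via ${LanOut_ISP1} // MOVE incoming LanOut_ISP1
${FwCMD} add skipto 30000 out via ${LanOut_ISP1} // MOVE outgoing LanOut_ISP1
${FwCMD} add skipto 35000 in via ${LanOut_ISP2} // MOVE incoming LanOut_ISP2
${FwCMD} add skipto 40000 out via ${LanOut_ISP2} // MOVE outgoing LanOut_ISP2
${FwCMD} add skipto 45000 in via ${LanIn} // MOVE incoming LanIn
${FwCMD} add skipto 50000 out via ${LanIn} // MOVE outgoing LanIn
${FwCMD} add skipto 55000 in via ${LanOut_ISP2_Phys} // MOVE incoming LanOut_ISP2_Phys
${FwCMD} add skipto 60000 out via ${LanOut_ISP2_Phys} // MOVE outgoing LanOut_ISP2_Phys
${FwCMD} add skipto 65534 via any // Drop any other packets
# LoopBack lo0
${FwCMD} add 15000 count in // COUNT in lo0
${FwCMD} add permit in // ALLOW in lo0
${FwCMD} add 20000 count out // COUNT out lo0
${FwCMD} add permit out // ALLOW out lo0
# ISP1 LanOut_ISP1
${FwCMD} add 25000 count in // COUNT in IpOut_ISP1
${FwCMD} add skipto 65534 not dst-ip ${IpOut_ISP1} in // DROP not for IpOut_ISP1
# inbound NAT first, so the rules below see the translated destination
${FwCMD} add nat 4 dst-ip ${IpOut_ISP1} in // NAT in IpOut_ISP1
${FwCMD} add set 5 permit tcp from any to any dst-ip ${IpOut_ISP1} dst-port ${TCP} in setup // PERMIT TCP to our services in IpOut_ISP1
${FwCMD} add set 5 permit udp from any to any dst-ip ${IpOut_ISP1} dst-port ${UDP} in keep-state // PERMIT UDP to our services in IpOut_ISP1
${FwCMD} add set 5 permit tcp from any to any dst-ip ${IpOut_ISP1} dst-port 22 in setup // PERMIT in TCP to IpOut_ISP1 ssh
${FwCMD} add permit tcp from any to any dst-ip ${IpOut_ISP1} in established // PERMIT in TCP established to IpOut_ISP1
# hosts in table(100) are fully exposed: any inbound traffic to them is accepted
${FwCMD} add permit dst-ip table\(100\) in // PERMIT in to clients
${FwCMD} add permit icmp from any to any dst-ip ${IpOut_ISP1} in keep-state // PERMIT ICMP to IpOut_ISP1 in
${FwCMD} add skipto 65534 in // DROP any other packets in
${FwCMD} add 30000 count out // COUNT out IpOut_ISP1
${FwCMD} add nat global src-ip table\(100\) out // CHECK global NAT
${FwCMD} add skipto 34000 src-ip ${IpOut_ISP1} out // PERMIT from IpOut_ISP1
# replies sourced from the ISP2 address must leave via the ISP2 gateway
${FwCMD} add fwd ${GW_ISP2} src-ip ${IpOut_ISP2} // FWD IpOut_ISP2
${FwCMD} add nat 4 src-ip table\(100\) out // NAT clients
${FwCMD} add 34000 permit src-ip ${IpOut_ISP1} out keep-state // PERMIT from IpOut_ISP1
${FwCMD} add skipto 65534 out // DROP any other packets out
# ISP2 LanOut_ISP2
${FwCMD} add 35000 count in // COUNT in IpOut_ISP2
${FwCMD} add skipto 65534 not dst-ip ${IpOut_ISP2} in // DROP not for IpOut_ISP2
${FwCMD} add nat 5 dst-ip ${IpOut_ISP2} in // NAT in IpOut_ISP2
${FwCMD} add set 5 permit tcp from any to any dst-ip ${IpOut_ISP2} dst-port ${TCP} in setup // PERMIT TCP to our services in IpOut_ISP2
${FwCMD} add set 5 permit udp from any to any dst-ip ${IpOut_ISP2} dst-port ${UDP} in keep-state // PERMIT UDP to our services in IpOut_ISP2
${FwCMD} add set 5 permit tcp from any to any dst-ip ${IpOut_ISP2} dst-port 22 in setup // PERMIT in TCP to IpOut_ISP2 ssh
${FwCMD} add permit tcp from any to any dst-ip ${IpOut_ISP2} in established // PERMIT in TCP established to IpOut_ISP2
# same full exposure of table(100) hosts as on ISP1
${FwCMD} add permit dst-ip table\(100\) in // PERMIT in to clients
${FwCMD} add permit icmp from any to any dst-ip ${IpOut_ISP2} in keep-state // PERMIT ICMP to IpOut_ISP2 in
${FwCMD} add skipto 65534 in // DROP any other packets in
${FwCMD} add 40000 count out // COUNT out IpOut_ISP2
${FwCMD} add nat global src-ip table\(100\) out // CHECK global NAT
${FwCMD} add skipto 44000 src-ip ${IpOut_ISP2} out // PERMIT from IpOut_ISP2
# replies sourced from the ISP1 address must leave via the ISP1 gateway
${FwCMD} add fwd ${GW_ISP1} src-ip ${IpOut_ISP1} // FWD IpOut_ISP1
${FwCMD} add nat 5 src-ip table\(100\) out // NAT clients
${FwCMD} add 44000 permit src-ip ${IpOut_ISP2} out keep-state // PERMIT from IpOut_ISP2
${FwCMD} add skipto 65534 out // DROP any other packets out
# Lan
${FwCMD} add 45000 count in // COUNT in Lan
# only table(100) clients may go anywhere; everyone else may only talk to this host
${FwCMD} add skipto 65534 not src-ip table\(100\) not dst-ip me in // DROP closed clients to not me in Lan
# Lan clients are routed via ISP2 (FIB 1) by default; one host is pinned to ISP1 (FIB 0)
${FwCMD} add set 2 setfib 1 in // SETFIB 1 in Lan
${FwCMD} add set 12 setfib 0 src-ip 10.0.0.135/32 in // SETFIB 0 in Lan for pinned host
${FwCMD} add set 2 permit in fib 1 // PERMIT fib 1 in Lan
${FwCMD} add set 12 permit in fib 0 // PERMIT fib 0 in Lan
${FwCMD} add permit in // PERMIT any packets in Lan
${FwCMD} add skipto 65534 in // DROP any packets in Lan
${FwCMD} add 50000 count out // COUNT out Lan
# Explicit permit: the original relied on out-via-em0 traffic falling through
# into the 60000 "count out / permit out" rules of the next section.
${FwCMD} add permit out // PERMIT out Lan
# ISP2 LanOut_ISP2_Phys
# The PPPoE carrier interface is permitted unconditionally in both directions (set 25)
${FwCMD} add 55000 set 25 count in // COUNT in LanOut_ISP2_Phys
${FwCMD} add set 25 permit in // PERMIT in LanOut_ISP2_Phys
${FwCMD} add 60000 set 25 count out // COUNT out LanOut_ISP2_Phys
${FwCMD} add set 25 permit out // PERMIT out LanOut_ISP2_Phys
${FwCMD} add skipto 65534 out // DROP any packets out
${FwCMD} add 65534 deny via any // DROP any packets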