ipfw+NAT+fwd
Добавлено: 2015-01-28 12:25:18
Здравствуйте! Подскажите, где я ошиблась?
FreeBSD 9.2-RELEASE
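#!/bin/sh
# ipfw ruleset for a small gateway: NAT on the external interface, a
# transparent redirect of blocked hosts to the local httpd, and per-host
# dummynet pipes for allowed hosts.
#
# Abort on the first failed ipfw command.  -q hides the error text of a
# rejected rule, and continuing past it would silently install a ruleset
# other than the one written here.  Stopping early leaves a shorter ruleset,
# which stays closed: the kernel's default rule 65535 (deny in GENERIC) is
# still in place after the flush.
set -e
cmd="/sbin/ipfw -q"
## External interface igb0 (white ip 1.2.3.2)
## Internal interface igb1 (10.92.128.1/24)
## table 1 - allowed ip from 10.92.128.0/24
## table 0 - blocked ip
# Start from an empty ruleset and an empty dummynet configuration.  When
# run over SSH there is no allow rule for the session between the flush and
# the SSH rule below, so run it from the console or in one non-interactive
# invocation.
${cmd} -f flush
${cmd} -f pipe flush
# Loopback traffic is allowed; 127/8 seen on any other interface is bogus.
${cmd} add allow ip from any to any via lo0
${cmd} add deny all from any to 127.0.0.0/8
${cmd} add deny all from 127.0.0.0/8 to any
# Traffic staying inside the LAN is not filtered.
${cmd} add allow ip from 10.92.128.0/24 to 10.92.128.0/24
# Administrative SSH on 3232; note the rule accepts any source address.
${cmd} add allow tcp from any to me 3232 # SSH
# Connections initiated by this host and their replies (dynamic rules; the
# first keep-state rule is also where dynamic rules are looked up).
${cmd} add allow all from me to any keep-state
# echo reply (0), echo request (8), time exceeded (11) to this host.
${cmd} add allow icmp from any to me icmptypes 0,8,11
# Web server on this host.
${cmd} add allow all from any to me 80
# Web requests from blocked hosts (table 0) are handed to the local httpd,
# which then redirects them to 1.2.3.5.  NOTE(review): fwd acts on packets
# entering the box, so "in via igb1" would state the intent explicitly --
# confirm on 9.2.
${cmd} add fwd 10.92.128.1,80 tcp from "table(0)" to any dst-port 80,8080 via igb1 # to httpd, which then redirects to 1.2.3.5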
---->не работает. Может эту строчку надо в другое место?
# Masquerade everything crossing igb0 through nat instance 1; deny_in drops
# inbound packets on igb0 that match no existing translation.  With the
# default net.inet.ip.fw.one_pass=1 a packet leaves the firewall right after
# the nat rule (see ipfw(8), "net.inet.ip.fw.one_pass"), so the two allow
# rules below are only reached by packets that did not cross igb0, i.e. the
# blocked hosts (table 0) and 1.2.3.5 talking across igb1.
while read -r rule; do
  ${cmd} ${rule}
done <<EOF
nat 1 config log if igb0 reset same_ports deny_in
add nat 1 ip from any to any via igb0
add allow ip from table(0) to 1.2.3.5
add allow ip from 1.2.3.5 to table(0)
EOF
---->на 1.2.3.5 не заходит, не пингуется.
# 1.2.3.6 is the DNS server that blocked hosts (table 0) may still reach.
# Both directions, every protocol, stateless.
while read -r endpoints; do
  ${cmd} add allow ip ${endpoints}
done <<EOF
from table(0) to 1.2.3.6
from 1.2.3.6 to table(0)
EOF
---->это DNS. Адреса выдаются, но не пингуется.
# Bandwidth limits for allowed hosts (table 1).  The 0xffffffff masks give
# every destination (pipe 10, traffic towards the host) and every source
# (pipe 11, traffic from the host) its own dynamic pipe of 30960 Kbit/s.
# With the default net.inet.ip.fw.one_pass=1 a packet leaving a pipe is
# accepted, so these two rules are also what admits table(1) hosts through
# igb1; whatever falls through to the last rule is dropped.
while read -r rule; do
  ${cmd} ${rule}
done <<EOF
add pipe 10 ip from any to table(1) out via igb1
add pipe 11 ip from table(1) to any in via igb1
pipe 10 config mask dst-ip 0xffffffff bw 30960K
pipe 11 config mask src-ip 0xffffffff bw 30960K
add deny ip from any to any
EOF
FreeBSD 9.2-RELEASE
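#!/bin/sh
# ipfw ruleset for a small gateway: NAT on the external interface, a
# transparent redirect of blocked hosts to the local httpd, and per-host
# dummynet pipes for allowed hosts.
#
# Abort on the first failed ipfw command.  -q hides the error text of a
# rejected rule, and continuing past it would silently install a ruleset
# other than the one written here.  Stopping early leaves a shorter ruleset,
# which stays closed: the kernel's default rule 65535 (deny in GENERIC) is
# still in place after the flush.
set -e
cmd="/sbin/ipfw -q"
## External interface igb0 (white ip 1.2.3.2)
## Internal interface igb1 (10.92.128.1/24)
## table 1 - allowed ip from 10.92.128.0/24
## table 0 - blocked ip
# Start from an empty ruleset and an empty dummynet configuration.  When
# run over SSH there is no allow rule for the session between the flush and
# the SSH rule below, so run it from the console or in one non-interactive
# invocation.
${cmd} -f flush
${cmd} -f pipe flush
# Loopback traffic is allowed; 127/8 seen on any other interface is bogus.
${cmd} add allow ip from any to any via lo0
${cmd} add deny all from any to 127.0.0.0/8
${cmd} add deny all from 127.0.0.0/8 to any
# Traffic staying inside the LAN is not filtered.
${cmd} add allow ip from 10.92.128.0/24 to 10.92.128.0/24
# Administrative SSH on 3232; note the rule accepts any source address.
${cmd} add allow tcp from any to me 3232 # SSH
# Connections initiated by this host and their replies (dynamic rules; the
# first keep-state rule is also where dynamic rules are looked up).
${cmd} add allow all from me to any keep-state
# echo reply (0), echo request (8), time exceeded (11) to this host.
${cmd} add allow icmp from any to me icmptypes 0,8,11
# Web server on this host.
${cmd} add allow all from any to me 80
# Web requests from blocked hosts (table 0) are handed to the local httpd,
# which then redirects them to 1.2.3.5.  NOTE(review): fwd acts on packets
# entering the box, so "in via igb1" would state the intent explicitly --
# confirm on 9.2.
${cmd} add fwd 10.92.128.1,80 tcp from "table(0)" to any dst-port 80,8080 via igb1 # to httpd, which then redirects to 1.2.3.5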
---->не работает. Может эту строчку надо в другое место?
# Masquerade everything crossing igb0 through nat instance 1; deny_in drops
# inbound packets on igb0 that match no existing translation.  With the
# default net.inet.ip.fw.one_pass=1 a packet leaves the firewall right after
# the nat rule (see ipfw(8), "net.inet.ip.fw.one_pass"), so the two allow
# rules below are only reached by packets that did not cross igb0, i.e. the
# blocked hosts (table 0) and 1.2.3.5 talking across igb1.
while read -r rule; do
  ${cmd} ${rule}
done <<EOF
nat 1 config log if igb0 reset same_ports deny_in
add nat 1 ip from any to any via igb0
add allow ip from table(0) to 1.2.3.5
add allow ip from 1.2.3.5 to table(0)
EOF
---->на 1.2.3.5 не заходит, не пингуется.
# 1.2.3.6 is the DNS server that blocked hosts (table 0) may still reach.
# Both directions, every protocol, stateless.
while read -r endpoints; do
  ${cmd} add allow ip ${endpoints}
done <<EOF
from table(0) to 1.2.3.6
from 1.2.3.6 to table(0)
EOF
---->это DNS. Адреса выдаются, но не пингуется.
# Bandwidth limits for allowed hosts (table 1).  The 0xffffffff masks give
# every destination (pipe 10, traffic towards the host) and every source
# (pipe 11, traffic from the host) its own dynamic pipe of 30960 Kbit/s.
# With the default net.inet.ip.fw.one_pass=1 a packet leaving a pipe is
# accepted, so these two rules are also what admits table(1) hosts through
# igb1; whatever falls through to the last rule is dropped.
while read -r rule; do
  ${cmd} ${rule}
done <<EOF
add pipe 10 ip from any to table(1) out via igb1
add pipe 11 ip from table(1) to any in via igb1
pipe 10 config mask dst-ip 0xffffffff bw 30960K
pipe 11 config mask src-ip 0xffffffff bw 30960K
add deny ip from any to any
EOF