Грамотный IPFW - как именно сделать?
Добавлено: 2006-12-30 16:09:58
Есть сеть внутренняя 192.168.0.0/24
Внутренний интерфейс 192.168.0.254
Внешний интерфейс 213.142.192.193
Внутри два DC 4, 11.
Мыло 10.
На FreBSD - SQUID NAT SAMBA FTP
Стараюсь написать IPFW так чтобы и снаружи закрыто всё подряд было, и чтобы сервер в АД регистрировался. Чтобы пользователи ходили через SQUID, но есть компы в сети, на которых установлены такие программы, которые не понимают проксей - и нужен НАТ. Также из локалки должна быть видна шара на этом сервере чтобы выкладывать туда инфу и чтобы потом люди с другого города забирали её по FTP.
Как сделать так, чтобы через NAT ходили только те, кому можно, а остальные только через SQUID - потому что статистика и всё такое...
/sbin/ipfw -f flush
/sbin/ipfw -f pipe flush
/sbin/ipfw -f queue flush
cmd="/sbin/ipfw -q add "
ip_external="213.142.192.193"
ip_internal="192.168.0.254"
interface_internal="vr0"
interface_external="fxp0"
network_external="213.142.192.0/24"
network_internal="192.168.0.0/24"
lan="192.168.0"
${cmd} check-state
${cmd} allow ip from any to any via lo0
${cmd} deny all from any to 127.0.0.0/8
${cmd} deny all from 127.0.0.0/8 to any
${cmd} deny icmp from any to any
${cmd} deny all from any to any frag
${cmd} deny all from any to me 22 via ${interface_external}
#Deny Internal
${cmd} deny all from ${network_external} to any in via ${interface_internal}
${cmd} deny ip from any to 10.0.0.0/8 in via ${interface_external}
${cmd} deny ip from any to 172.16.0.0/12 in via ${interface_external}
${cmd} deny ip from any to 192.168.0.0/16 in via ${interface_external}
${cmd} deny ip from any to 0.0.0.0/8 in via ${interface_external}
${cmd} deny ip from any to 169.254.0.0/16 in via ${interface_external}
${cmd} deny ip from any to 224.0.0.0/4 in via ${interface_external}
${cmd} deny ip from any to 240.0.0.0/4 in via ${interface_external}
#FTP
${cmd} allow all from any to ${ip_external} 21 via ${interface_external}
#DNS
#${cmd} allow udp from ${lan}.10, ${lan}.4, ${lan}.11 to me 53 via ${interface_internal} keep-state
#${cmd} allow udp from ${network_internal} to ${lan}.10, ${lan}.4, ${lan}.11 dst-port 53 via ${interface_internal} keep-state
#MAIL
#${cmd} allow tcp from ${lan}.10 to ${network_internal} dst-port 25,110,143 via ${interface_internal} keep-state
#${cmd} allow tcp from ${network_internal} to ${lan}.10 dst-port 25,110,143 via ${interface_internal} keep-state
#AD
#${cmd} allow all from ${lan}.4 to me via ${interface_internal} keep-state
#${cmd} allow all from me to ${lan}.4 dst-port 88,137,139,389,464,3268 via ${interface_internal} keep-state
#${cmd} allow all from ${lan}.11 to me via ${interface_internal} keep-state
#${cmd} allow all from me to ${lan}.11 dst-port 88,137,139,389,464,3268 via ${interface_internal} keep-state
#NAT DIVERT
${cmd} divert natd ip from ${network_internal} to any out via ${interface_external}
${cmd} divert natd ip from any to ${ip_external} in via ${interface_external}
#Deny External
${cmd} deny all from ${network_internal} to any in via ${interface_external}
${cmd} deny ip from 10.0.0.0/8 to any out via ${interface_external}
${cmd} deny ip from 172.16.0.0/12 to any out via ${interface_external}
${cmd} deny ip from 192.168.0.0/16 to any out via ${interface_external}
${cmd} deny ip from 0.0.0.0/8 to any out via ${interface_external}
${cmd} deny ip from 169.254.0.0/16 to any out via ${interface_external}
${cmd} deny ip from 224.0.0.0/4 to any out via ${interface_external}
${cmd} deny ip from 240.0.0.0/4 to any out via ${interface_external}
#NAT COMPUTER
${cmd} allow all from ${lan}.56 to any setup
${cmd} allow all from any to ${lan}.56
#БЕЗ НЕГО ВООБЩЕ НИЧЕГО НЕ РАБОТАЕТ
${cmd} allow all from any to any
#NAT
natd -f /etc/natd.conf -n ${interface_external}
Внутренний интерфейс 192.168.0.254
Внешний интерфейс 213.142.192.193
Внутри два DC 4, 11.
Мыло 10.
На FreBSD - SQUID NAT SAMBA FTP
Стараюсь написать IPFW так чтобы и снаружи закрыто всё подряд было, и чтобы сервер в АД регистрировался. Чтобы пользователи ходили через SQUID, но есть компы в сети, на которых установлены такие программы, которые не понимают проксей - и нужен НАТ. Также из локалки должна быть видна шара на этом сервере чтобы выкладывать туда инфу и чтобы потом люди с другого города забирали её по FTP.
Как сделать так, чтобы через NAT ходили только те, кому можно, а остальные только через SQUID - потому что статистика и всё такое...
/sbin/ipfw -f flush
/sbin/ipfw -f pipe flush
/sbin/ipfw -f queue flush
cmd="/sbin/ipfw -q add "
ip_external="213.142.192.193"
ip_internal="192.168.0.254"
interface_internal="vr0"
interface_external="fxp0"
network_external="213.142.192.0/24"
network_internal="192.168.0.0/24"
lan="192.168.0"
${cmd} check-state
${cmd} allow ip from any to any via lo0
${cmd} deny all from any to 127.0.0.0/8
${cmd} deny all from 127.0.0.0/8 to any
${cmd} deny icmp from any to any
${cmd} deny all from any to any frag
${cmd} deny all from any to me 22 via ${interface_external}
#Deny Internal
${cmd} deny all from ${network_external} to any in via ${interface_internal}
${cmd} deny ip from any to 10.0.0.0/8 in via ${interface_external}
${cmd} deny ip from any to 172.16.0.0/12 in via ${interface_external}
${cmd} deny ip from any to 192.168.0.0/16 in via ${interface_external}
${cmd} deny ip from any to 0.0.0.0/8 in via ${interface_external}
${cmd} deny ip from any to 169.254.0.0/16 in via ${interface_external}
${cmd} deny ip from any to 224.0.0.0/4 in via ${interface_external}
${cmd} deny ip from any to 240.0.0.0/4 in via ${interface_external}
#FTP
${cmd} allow all from any to ${ip_external} 21 via ${interface_external}
#DNS
#${cmd} allow udp from ${lan}.10, ${lan}.4, ${lan}.11 to me 53 via ${interface_internal} keep-state
#${cmd} allow udp from ${network_internal} to ${lan}.10, ${lan}.4, ${lan}.11 dst-port 53 via ${interface_internal} keep-state
#${cmd} allow tcp from ${lan}.10 to ${network_internal} dst-port 25,110,143 via ${interface_internal} keep-state
#${cmd} allow tcp from ${network_internal} to ${lan}.10 dst-port 25,110,143 via ${interface_internal} keep-state
#AD
#${cmd} allow all from ${lan}.4 to me via ${interface_internal} keep-state
#${cmd} allow all from me to ${lan}.4 dst-port 88,137,139,389,464,3268 via ${interface_internal} keep-state
#${cmd} allow all from ${lan}.11 to me via ${interface_internal} keep-state
#${cmd} allow all from me to ${lan}.11 dst-port 88,137,139,389,464,3268 via ${interface_internal} keep-state
#NAT DIVERT
${cmd} divert natd ip from ${network_internal} to any out via ${interface_external}
${cmd} divert natd ip from any to ${ip_external} in via ${interface_external}
#Deny External
${cmd} deny all from ${network_internal} to any in via ${interface_external}
${cmd} deny ip from 10.0.0.0/8 to any out via ${interface_external}
${cmd} deny ip from 172.16.0.0/12 to any out via ${interface_external}
${cmd} deny ip from 192.168.0.0/16 to any out via ${interface_external}
${cmd} deny ip from 0.0.0.0/8 to any out via ${interface_external}
${cmd} deny ip from 169.254.0.0/16 to any out via ${interface_external}
${cmd} deny ip from 224.0.0.0/4 to any out via ${interface_external}
${cmd} deny ip from 240.0.0.0/4 to any out via ${interface_external}
#NAT COMPUTER
${cmd} allow all from ${lan}.56 to any setup
${cmd} allow all from any to ${lan}.56
#БЕЗ НЕГО ВООБЩЕ НИЧЕГО НЕ РАБОТАЕТ
${cmd} allow all from any to any
#NAT
natd -f /etc/natd.conf -n ${interface_external}