
Let some hosts out on 80/443 through Squid, others via NAT

Posted: 2009-08-27 14:39:36
SeasAdmin
Hi all!

Guys, please help me sort out this situation (what am I doing wrong).

FreeBSD gw-bsd.ndm.local 6.3-RELEASE FreeBSD 6.3-RELEASE #5: Mon Aug 10 16:07:11 VOLST 2009     seasadmin@gw-bsd.ndm.local:/usr/obj/usr/src/sys/sys/KERNELGW  i3
I need everyone to go out on ports 80/443/21 through Squid, but certain IPs should go via NAT.
Squid 2.7 Stable6 + SAMS + Rejik + NTLM authentication (not a transparent proxy).

Here are my rules; please tell me where the mistake is.

gw-bsd# ipfw show
00001     0       0 check-state
00002     0       0 deny log logamount 5 ip from 219.91.0.0/16 to me via ste0
00003     6     366 reject log logamount 5 icmp from any to me in via ste0
00004     0       0 reject log logamount 5 tcp from any to any tcpflags syn,fin,ack,psh,rst,urg
00004     0       0 reject log logamount 5 tcp from any to any tcpflags !syn,!fin,!ack,!psh,!rst,!urg
00004     0       0 reject log logamount 5 tcp from any to any not established tcpflags fin
00004   277   42167 deny log logamount 5 ip from any to any not verrevpath in
00005     0       0 deny log logamount 5 icmp from any to any frag
00006     0       0 deny log logamount 5 icmp from any to 255.255.255.255 in via ste0
00007     0       0 deny log logamount 5 icmp from any to 255.255.255.255 out via ste0
00008     0       0 deny ip from 192.168.0.0/16 to any in via ste0
00008     0       0 deny ip from 172.16.0.0/12 to any in via ste0
00008     0       0 deny ip from 10.0.0.0/8 to any in via ste0
00008     0       0 deny ip from 127.0.0.0/8 to any in via ste0
00008     0       0 deny ip from 0.0.0.0/8 to any in via ste0
00008     0       0 deny ip from 169.254.0.0/16 to any in via ste0
00008     0       0 deny ip from 192.0.2.0/24 to any in via ste0
00008     0       0 deny ip from 204.152.64.0/23 to any in via ste0
00008     0       0 deny ip from 224.0.0.0/3 to any in via ste0
00008   211   16455 allow ip from any to any via lo0
00009     0       0 deny ip from any to 127.0.0.0/8
00010     0       0 deny ip from 127.0.0.0/8 to any
00012     0       0 skipto 800 tcp from 192.168.1.174 to 91.199.156.210 dst-port 20,21,25,80,110,443,1100,1024-1500 out via ste0 setup keep-state
00013     7     430 fwd 192.168.1.200,3128 tcp from 192.168.1.0/24 to not 91.199.156.210 dst-port 80 in via sk0
00014  5615  994770 allow log logamount 5 tcp from me to not 192.168.1.0/24 dst-port 21,80,443 out via ste0
00015  7546 2336556 divert 8668 log logamount 5 ip from any to any in via ste0
00017 30932 7936300 allow ip from any to any via sk0
00018  7364 2331886 allow tcp from any to any established
00019     8     518 count udp from 192.168.1.0/24 to 89.31.16.51,89.31.16.35 dst-port 53 out via ste0
00020    28    1758 skipto 800 udp from 192.168.1.0/24 to 89.31.16.51,89.31.16.35 dst-port 53 out via ste0 keep-state
00021     0       0 count udp from 89.31.16.51,89.31.16.35 to 89.31.нн.нн dst-port 53 in via ste0
00022     0       0 allow udp from 89.31.16.51,89.31.16.35 to 89.31.нн.нн dst-port 53 in via ste0 limit src-addr 10
00023     0       0 count tcp from 192.168.1.1,192.168.1.2,192.168.1.7,192.168.1.181 to any dst-port 22,3389,3390,3391,3392,4898,4899,5900,5901,5902 out via ste0
00024     0       0 skipto 800 tcp from 192.168.1.1,192.168.1.2,192.168.1.7,192.168.1.181 to any dst-port 22,3389,3390,3391,3392,4898,4899,5900,5901,5902 out via ste0 setup keep-state
00025     1      48 count tcp from any to 89.31.нн.нн dst-port 22,3389,3390,3391,3392,4898,4899,5900,5901,5902 in via ste0
00026     5     240 allow log logamount 5 tcp from any to 89.31.нн.нн dst-port 22,3389,3390,3391,3392,4898,4899,5900,5901,5902 in via ste0 setup limit src-addr 10
00027     0       0 count tcp from 192.168.1.7 to any dst-port 25 out via ste0
00028     0       0 skipto 800 tcp from 192.168.1.7 to any dst-port 25 out via ste0 setup keep-state
00029    72    4540 count tcp from any to 89.31.нн.нн dst-port 25 in via ste0
00030  2615  227203 allow log logamount 5 tcp from any to 89.31.нн.нн dst-port 25 in via ste0 setup limit src-addr 5
00031     0       0 count tcp from any to 89.31.нн.нн dst-port 110 via ste0
00032     0       0 allow log logamount 5 tcp from any to 89.31.нн.нн dst-port 110 via ste0 setup limit src-addr 5
00033     0       0 count tcp from 192.168.1.1 20,21,5000-7000 to any in via ste0
00034     0       0 skipto 800 tcp from 192.168.1.1 20,21,5000-7000 to any in via ste0 setup
00035     0       0 count tcp from any to 89.31.нн.нн dst-port 20,21,5000-7000 in via ste0
00036     0       0 allow tcp from any to 89.31.нн.нн dst-port 20,21,5000-7000 in via ste0 setup limit src-addr 5
00037     0       0 count tcp from me to any out via ste0 uid root
00038     0       0 skipto 800 tcp from me to any out via ste0 setup uid root keep-state
00040     0       0 count tcp from 192.168.1.179,192.168.1.180,192.168.1.30,192.168.1.182 to any dst-port 25 out via ste0
00041     0       0 skipto 800 tcp from 192.168.1.179,192.168.1.180,192.168.1.30,192.168.1.182 to any dst-port 25 out via ste0 setup keep-state
00042    48    2304 count tcp from 192.168.1.179,192.168.1.180,192.168.1.30,192.168.1.182 to any dst-port 110 out via ste0
00043  2020  147606 skipto 800 tcp from 192.168.1.179,192.168.1.180,192.168.1.30,192.168.1.182 to any dst-port 110 out via ste0 setup keep-state
00044     4     192 count tcp from 192.168.1.179,192.168.1.180,192.168.1.30,192.168.1.182 to any dst-port 5190,6667,6678,6679,7000 out via ste0
00045  1525  249794 skipto 800 tcp from 192.168.1.179,192.168.1.180,192.168.1.30,192.168.1.182 to any dst-port 5190,6667,6678,6679,7000 out via ste0 setup keep-state
00046     1      48 count tcp from 192.168.1.179,192.168.1.180,192.168.1.30,192.168.1.182 to any dst-port 22,3389,3390,3391,3392,4898,4899,5900,5901,5902 out via ste0
00047   365   97810 skipto 800 tcp from 192.168.1.179,192.168.1.180,192.168.1.30,192.168.1.182 to any dst-port 22,3389,3390,3391,3392,4898,4899,5900,5901,5902 out via ste0 setup keep-state
00048     0       0 skipto 800 icmp from 192.168.1.179,192.168.1.180,192.168.1.30,192.168.1.182,192.168.1.1,192.168.1.2,192.168.1.7,192.168.1.181,192.168.1.200 to any out via ste0 keep-state
00049     0       0 count tcp from 192.168.1.179,192.168.1.180,192.168.1.30,192.168.1.182 to any dst-port 20-22 out via ste0
00050     0       0 skipto 800 tcp from 192.168.1.179,192.168.1.180,192.168.1.30,192.168.1.182 to any dst-port 20-22 out via ste0 setup keep-state
00100     6     288 deny ip from 192.168.0.0/16 to any out via ste0
00101     0       0 deny ip from 172.16.0.0/12 to any out via ste0
00102     0       0 deny ip from 10.0.0.0/8 to any out via ste0
00103     0       0 deny ip from 127.0.0.0/8 to any out via ste0
00104     0       0 deny ip from 0.0.0.0/8 to any out via ste0
00105     0       0 deny ip from 169.254.0.0/16 to any out via ste0
00106     0       0 deny ip from 192.0.2.0/24 to any out via ste0
00107     0       0 deny ip from 204.152.64.0/23 to any out via ste0
00108     0       0 deny ip from 224.0.0.0/3 to any out via ste0
00130     0       0 deny log logamount 5 ip from any to any frag in via ste0
00200   153    8363 deny log logamount 5 ip from any to any in via ste0
00210   817   47756 deny log logamount 5 ip from any to any out via ste0
00800  1254  102112 divert 8668 log logamount 5 ip from any to any out via ste0
00801  3938  496968 allow ip from any to any
00999     0       0 deny log logamount 5 ip from any to any
65535     8     634 deny ip from any to any
What happens now: when I try to reach 91.199.156.210:80/443 etc. from 192.168.1.174 via NAT, the packets go through Squid, bypassing my rule no. 12. Why, no idea; I found nothing useful in the logs.

Re: Let some hosts out on 80/443 through Squid, others via NAT

Posted: 2009-09-20 20:44:16
Alex Keda
Draw up a simpler config, for a start...
Nobody can make sense of this one without a bottle.