
natd redirect_address

Добавлено: 2007-08-16 16:30:27
Rain
Добрый день.

Помогите пожалуйста решить следующую проблему.

Есть шлюз FreeBSD 6.1.
Есть два внешних ip. <IP1> и <IP2>
Есть внутренняя сеть 192.168.0.0/24

Через IP1 пользователи ходят в инет, через IP2, в задумке, сервер из внутренней сети должен общаться с миром.

На интерфейсе я прописал alias
ifconfig_rl1="inet <IP1> netmask 255.255.255.240"
ifconfig_rl1_alias0="<IP2> netmask 255.255.255.255"

Настройки natd
natd_enable="YES"
natd_flags="-f /etc/natd.conf"

cat /etc/natd.conf
interface rl1
unregistered_only
redirect_address 192.168.0.120 <IP2>


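#!/bin/sh
#
# ipfw ruleset for a FreeBSD gateway with two public addresses on rl1:
#   oip   - primary public address; LAN users are NATed behind it
#   oip_2 - alias address that natd maps 1:1 onto the internal server iip_2
#
# The rules live in load_rules, which takes the ipfw command as its first
# argument; `load_rules echo` prints the ruleset without touching the kernel,
# which is handy for reviewing rule order before loading it.
#
# Values in angle brackets (<IP1>, <IP2>, <external net>) are placeholders and
# must be replaced with the real addresses before the script is used.

fwcmd="/sbin/ipfw"

oif="rl1"                   # outside (public) interface
onet="<external net>"       # public network that rl1 sits on
omask="255.255.255.240"
oip="<IP1>"                 # primary public address
oip_2="<IP2>"               # alias address, translated 1:1 to iip_2 by natd
iif="rl0"                   # inside (LAN) interface
inet="192.168.0.0"          # LAN network address; always paired with imask
imask="255.255.255.0"
iip="192.168.0.25"          # the gateway's own LAN address
iip_2="192.168.0.120"       # internal server reachable through oip_2

# Private, reserved and multicast ranges that must never cross the public
# interface in either direction (RFC 1918, link-local, TEST-NET, class D/E).
# Space-separated on purpose: it is word-split in the loops below.
bogons="10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 0.0.0.0/8 169.254.0.0/16 192.0.2.0/24 224.0.0.0/4 240.0.0.0/4"

#######################################
# Flush the current ruleset and load this one from scratch.
# Globals:   oif onet omask oip oip_2 iif inet imask iip iip_2 bogons (read)
# Arguments: $1 - ipfw command (normally $fwcmd; "echo" for a dry run)
# Outputs:   whatever $1 prints (nothing for the real ipfw)
# Returns:   status of the last rule added
#######################################
load_rules() {
  fw=$1   # plain assignment: POSIX sh does not guarantee `local`

  "$fw" -f flush

  ########## anti-spoofing ##########

  # LAN addresses must not arrive on the outside interface, and the public
  # network must not arrive on the inside one.
  "$fw" add deny all from "${inet}:${imask}" to any in via "$oif"
  "$fw" add deny all from "${onet}:${omask}" to any in via "$iif"

  # Nothing destined for a bogon range may leave through rl1.
  for net in $bogons; do
    "$fw" add deny all from any to "$net" via "$oif"
  done

  # NAT everything crossing rl1. Packets come back from natd translated and
  # continue at the rule after this one, so the inbound rules below already
  # see LAN addresses (e.g. iip_2) rather than the public alias.
  "$fw" add divert natd all from any to any via "$oif"

  # Nothing sourced from a bogon range may cross rl1 (checked after NAT so the
  # check sees the translated source of outbound traffic).
  for net in $bogons; do
    "$fw" add deny all from "$net" to any via "$oif"
  done

  # Stateless "established" check: passes any TCP segment with ACK or RST set,
  # so it admits unsolicited non-SYN segments as well, not only replies to
  # connections opened by the setup rules below.
  "$fw" add pass tcp from any to any established

  # Non-first fragments carry no port information, so no later rule could
  # classify them; they are passed here as the original ruleset did.
  "$fw" add pass all from any to any frag

  ######### GATEWAY ################
  ######### IN ###########

  # SSH to the gateway itself (from anywhere, including the public side)
  "$fw" add pass tcp from any to "$oip" 22 setup

  # The gateway's own DNS server
  "$fw" add pass tcp from any to "$oip" 53 setup
  "$fw" add pass udp from any to "$oip" 53
  "$fw" add pass udp from "$oip" 53 to any

  ######## OUT #####################

  # All ICMP types and codes, in both directions, are allowed.
  "$fw" add pass icmp from any to any

  # DNS and NTP queries from the gateway. There is no explicit check-state
  # rule; ipfw consults the dynamic rules at the first keep-state rule, i.e.
  # here, before the USERS section.
  "$fw" add pass udp from "$oip" to any 53 keep-state
  "$fw" add pass udp from "$oip" to any 123 keep-state
  ##########################################

  # Internal server (iip_2, published as oip_2 through natd redirect_address)
  ######### OUT ##########
  # HTTP out: first as seen on rl0 (LAN source), then after NAT (alias source)
  "$fw" add allow tcp from "$iip_2" to any 80 in via "$iif" setup
  "$fw" add pass tcp from "$oip_2" to any 80 setup
  # SMTP out, same two stages
  "$fw" add allow tcp from "$iip_2" to any 25 in via "$iif" setup
  "$fw" add pass tcp from "$oip_2" to any 25 setup

  ######### IN ##########

  # Inbound SMTP/HTTP to the server. Because the divert rule runs first, an
  # inbound packet normally reaches these rules already translated to iip_2;
  # the oip_2 variants cover traffic natd leaves untouched.
  "$fw" add pass tcp from any to "$oip_2" 25 setup
  "$fw" add pass tcp from any to "$iip_2" 25 setup

  "$fw" add pass tcp from any to "$oip_2" 80 setup
  "$fw" add pass tcp from any to "$iip_2" 80 setup

  #########################################

  # Log and drop every other connection attempt to the gateway from outside.
  "$fw" add deny log tcp from any to "$oip" in via "$oif" setup

  # Gateway may open TCP connections outward; LAN may open TCP to the gateway.
  "$fw" add allow tcp from "$oip" to any out via "$oif" setup
  "$fw" add allow tcp from any to "$oip" in via "$iif" setup

  ############# USERS #####################

  # The LAN is addressed as network:mask throughout; a bare "$inet" would
  # match only the single host 192.168.0.0, not the whole /24.
  "$fw" add pass tcp from "${inet}:${imask}" to "$iip" in via "$iif"
  # Allow everyone: web, secure web, POP3, ICQ
  "$fw" add pass tcp from "${inet}:${imask}" to any 80 in via "$iif" setup
  "$fw" add pass tcp from "${inet}:${imask}" to any 443 in via "$iif" setup
  "$fw" add pass tcp from "${inet}:${imask}" to any 110 in via "$iif" setup
  "$fw" add pass tcp from "${inet}:${imask}" to any 5190 in via "$iif" setup
  # Active-mode FTP data connections (server port 20 -> client). The remote
  # source port is chosen by the remote side and is not a trust signal, so
  # this rule admits any TCP from port 20 to the LAN, including new
  # connections; a stateful rule on the FTP control session would be tighter.
  "$fw" add pass tcp from any 20 to "${inet}:${imask}"
  "$fw" add pass udp from "${inet}:${imask}" to any 53 keep-state

  ############ deny everything else ####
  "$fw" add deny ip from any to any
}

load_rules "$fwcmd"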

После добавления redirect_address инет на внутреннем сервере работать перестаёт.

Помогите разобраться.

ps: ipfw изначально по статье lissyara настраивался.

ps2: Голова не варит уже. :-(

Re: natd redirect_address

Добавлено: 2007-08-16 16:46:20
dikens3
1. Нужно 2 ната
2. в конфиге Nat'ов пишешь не интерфейс, а IP-Адрес.
alias_address IP-Адрес

Re: natd redirect_address

Добавлено: 2007-08-16 19:59:19
Гость
Спасибо, завтра на работе обязательно попробую!

Re: natd redirect_address

Добавлено: 2007-08-17 12:24:15
Rain
Мдя... решил я задачу через pf, через 10 минут редирект ip работал. Красота.