IPFW + kernel NAT

[kotig]

окай! поехали!
что было сделано
1 установлен FreeBsd 7.2
2 сборка ядра:

Код: Выделить всё

cd /usr/src/sys/i386/conf
make LINT
cp GENERIC ROUTE
less LINT | grep IPFIREWALL >> ROUTE
less LINT | grep LIBALIAS >> ROUTE

итого в конце файла ROUTE

Код: Выделить всё

options         IPFIREWALL
options         IPFIREWALL_VERBOSE
options         IPFIREWALL_VERBOSE_LIMIT=100
#options        IPFIREWALL_DEFAULT_TO_ACCEPT
options         IPFIREWALL_FORWARD
options         IPFIREWALL_NAT
options         LIBALIAS

3 /etc/rc.conf

Код: Выделить всё

defaultrouter="192.168.1.1"
gateway_enable="YES"
hostname="mur"
ifconfig_vr0="inet 192.168.1.11  netmask 255.255.255.0"
ifconfig_vr1="inet 192.168.0.254 netmask 255.255.255.0"
keymap="us.iso"
#ntpdate_enable="YES"
#ntpdate_flags="asia.pool.ntp.org"
sshd_enable="YES"
firewall_enable="YES"
firewall_type="/etc/rc.firewall"
firewall_logging="YES"
apache_enable="YES"
squid_enable="YES"
mysql_enable="YES"
samsd_enable="YES"
openfire_enable="YES"
vsftpd_enable="YES"

4 /etc/rc.firewall

Код: Выделить всё

#!/bin/sh

if [ -z "${source_rc_confs_defined}" ]; then
        if [ -r /etc/defaults/rc.conf ]; then
                . /etc/defaults/rc.conf
                source_rc_confs
        elif [ -r /etc/rc.conf ]; then
                . /etc/rc.conf
        fi
fi

ipfw="/sbin/ipfw -q"


ifout="vr0"
ifuser="vr1"

$ipfw add 200 allow icmp from any to xxx.xxx.xxx.xxx in via $ifout icmptypes 0,8,11 limit src-addr 2

$ipfw add 300 allow tcp from any to me ssh, 5222, 5223, 21, 20

$ipfw add 400 allow ip from any to any via vr1

$ipfw add 500 deny ip from any to 192.168.0.0/16 in recv vr0
$ipfw add 600 deny ip from 192.168.0.0/16 to any in recv vr0
$ipfw add 700 deny ip from any to 172.16.0.0/12 in recv vr0
$ipfw add 800 deny ip from 172.16.0.0/12 to any in recv vr0
$ipfw add 900 deny ip from any to 10.0.0.0/8 in recv vr0
$ipfw add 1000 deny ip from 10.0.0.0/8 to any in recv vr0
$ipfw add 1100 deny ip from any to 169.254.0.0/16 in recv vr0
$ipfw add 1120 deny ip from 169.254.0.0/16 to any in recv vr0

$ipfw nat 1 config log if vr0 reset same_ports deny_in redirect_port tcp xxx.xxx.xxx.xxx:6881 6881

$ipfw add 1130 nat 1 ip from any to any via vr0

$ipfw add 65534 deny all from any to any

так вот сча встал вопрос натить только определенные сервисы, после долгих гуглов сейчас собраю ядро с опцией IPDIVERT.
есть люди которые могут подсказать как натить определенные сервисы с помощью ядерного НАТа???

[Raven]

Настругал так сказать "на коленке":

Код: Выделить всё

#!/bin/sh
IPFW="/sbin/ipfw"
EXT="re0"
EXT_IP="xxx.xxx.xxx.xxx"
INT="rl0"
INT_IP="192.168.0.x"
LAN_MSK="255.255.255.0"
LAN="192.168.0.0"
SQL="IP_SQL-server"

${IPFW} -f flush
${IPFW} -f pipe flush
${IPFW} -f queue flush
${IPFW} add check-state

${IPFW} add allow ip from any to any via lo0
${IPFW} add deny ip from any to 127.0.0.0/8
${IPFW} add deny ip from 127.0.0.0/8 to any

${IPFW} add allow ip from any to any via ${INT}

${IPFW} add deny ip from any to 10.0.0.0/8 in via ${EXT}
${IPFW} add deny ip from any to 172.16.0.0/12 in via ${EXT}
${IPFW} add deny ip from any to 192.168.0.0/16 in via ${EXT}
${IPFW} add deny ip from any to 0.0.0.0/8 in via ${EXT}
${IPFW} add deny ip from any to 169.254.0.0/16 in via ${EXT}
${IPFW} add deny ip from any to 240.0.0.0/4 in via ${EXT}
${IPFW} add deny icmp from any to any frag
${IPFW} add deny log icmp from any to 255.255.255.255 in via ${EXT}
${IPFW} add deny log icmp from any to 255.255.255.255 out via ${EXT}

${IPFW} add deny ip from 10.0.0.0/8 to any out via ${EXT}
${IPFW} add deny ip from 172.16.0.0/12 to any out via ${EXT}
${IPFW} add deny ip from 192.168.0.0/16 to any out via ${EXT}
${IPFW} add deny ip from 0.0.0.0/8 to any out via ${EXT}
${IPFW} add deny ip from 169.254.0.0/16 to any out via ${EXT}
${IPFW} add deny ip from 224.0.0.0/4 to any out via ${EXT}
${IPFW} add deny ip from 240.0.0.0/4 to any out via ${EXT}

${IPFW} add allow tcp from any to any established

${IPFW} add allow udp from any 53 to any via ${EXT}
${IPFW} add allow udp from any to any 53 via ${EXT}
${IPFW} add allow icmp from any to any icmptypes 0,8,11
${IPFW} add allow tcp from any to ${EXT_IP} 22 via ${EXT}

${IPFW} add fwd ${SQL},1433 tcp from ${LAN}/${LAN_MSK} to any 1433 via ${EXT}
${IPFW} add divert natd ip from ${LAN}/${LAN_MSK} to any out via ${EXT}
${IPFW} add divert natd ip from any to ${EXT_IP} in via ${EXT}

${IPFW} add allow tcp from any to any 80,443 via ${EXT} setup keep-state

${IPFW} add deny log ip from any to any

попробуй запустить, не запустится так ругань сюда
+ добавить строчки в rc.conf

Код: Выделить всё

natd_enable="YES"
natd_interface="внешняя карточка"

[kotig]

Код: Выделить всё

net.inet.ip.fw.enable: 1 -> 0
natd not running? (check /var/run/natd.pid).
Starting natd.
Loading /lib/libalias_cuseeme.so
Loading /lib/libalias_ftp.so
Loading /lib/libalias_irc.so
Loading /lib/libalias_nbt.so
Loading /lib/libalias_pptp.so
Loading /lib/libalias_skinny.so
Loading /lib/libalias_smedia.so
Flushed all rules.
ipfw: setsockopt(IP_DUMMYNET_FLUSH): Protocol not available
ipfw: setsockopt(IP_DUMMYNET_FLUSH): Protocol not available
00100 check-state
00200 allow ip from any to any via lo0
00300 deny ip from any to 127.0.0.0/8
00400 deny ip from 127.0.0.0/8 to any
00500 allow ip from any to any via vr1
00600 deny ip from any to 10.0.0.0/8 in via vr0
00700 deny ip from any to 172.16.0.0/12 in via vr0
00800 deny ip from any to 192.168.0.0/16 in via vr0
00900 deny ip from any to 0.0.0.0/8 in via vr0
01000 deny ip from any to 169.254.0.0/16 in via vr0
01100 deny ip from any to 240.0.0.0/4 in via vr0
01200 deny icmp from any to any frag
01300 deny log logamount 100 icmp from any to 255.255.255.255 in via vr0
01400 deny log logamount 100 icmp from any to 255.255.255.255 out via vr0
01500 deny ip from 10.0.0.0/8 to any out via vr0
01600 deny ip from 172.16.0.0/12 to any out via vr0
01700 deny ip from 192.168.0.0/16 to any out via vr0
01800 deny ip from 0.0.0.0/8 to any out via vr0
01900 deny ip from 169.254.0.0/16 to any out via vr0
02000 deny ip from 224.0.0.0/4 to any out via vr0
02100 deny ip from 240.0.0.0/4 to any out via vr0
02200 allow tcp from any to any established
02300 allow udp from any 53 to any via vr0
02400 allow udp from any to any dst-port 53 via vr0
02500 allow icmp from any to any icmptypes 0,8,11
02600 allow tcp from any to xxx.xxx.xxx.xxx dst-port 22 via vr0
ipfw: bad width ``255.255.255.0''
ipfw: bad width ``255.255.255.0''
02700 divert 8668 ip from any to xxx.xxx.xxx.xxx in via vr0
02800 allow tcp from any to any dst-port 80,443 via vr0 setup keep-state
02900 deny log logamount 100 ip from any to any
Firewall rules loaded.
Firewall logging enabled.
net.inet.ip.fw.enable: 0 -> 1

[Raven]

ipfw: setsockopt(IP_DUMMYNET_FLUSH): Protocol not availableipfw: setsockopt(IP_DUMMYNET_FLUSH): Protocol not available

Это не айс... Ядро пересобрал?

[kotig]

собрал, ток дамминет не собирал

[kotig]

или дамминет тоже в обяз надо собирать?

[Raven]

или дамминет тоже в обяз надо собирать?

нет, дамминет нужен только для урезания скорости юзерским машинам

[Raven]

Блин, забыл! Удали строки:

${IPFW} -f pipe flush

${IPFW} -f queue flush

Основой конфига был мой рабочий конф, так что вот, остались рудименты.

[Raven]

Код: Выделить всё

#!/bin/sh

ipfw -q -f flush

IPFW="ipfw -q add"
SKIP="skipto 800"
EXT="re0"
INT="rl0"


${IPFW} 005 allow all from any to any via xl0
${IPFW} 010 allow all from any to any via lo0
${IPFW} 014 divert natd ip from any to any in via ${EXT}
${IPFW} 015 check-state
${IPFW} add allow ip from any to any via lo0
${IPFW} add allow ip from any to any via ${INT}
${IPFW} 020 ${SKIP} tcp from any to any 53 out via ${EXT} setup keep-state
${IPFW} 040 ${SKIP} tcp from any to any 80 out via ${EXT} setup keep-state
${IPFW} 050 ${SKIP} tcp from any to any 443 out via ${EXT} setup keep-state
${IPFW} 060 ${SKIP} tcp from any to any 1433 out via ${EXT} setup keep-state
${IPFW} 060 ${SKIP} tcp from any to any 5190 out via ${EXT} setup keep-state
#${IPFW} 070 ${SKIP} tcp from me to any out via ${EXT} setup keep-state uid root
${IPFW} 080 ${SKIP} icmp from any to any out via ${EXT} keep-state
${IPFW} 110 ${SKIP} tcp from any to any 22 out via ${EXT} setup keep-state
${IPFW} 300 deny all from 192.168.0.0/16  to any in via ${EXT}  
${IPFW} 301 deny all from 172.16.0.0/12   to any in via ${EXT}
${IPFW} 302 deny all from 10.0.0.0/8      to any in via ${EXT}
${IPFW} 303 deny all from 127.0.0.0/8     to any in via ${EXT}
${IPFW} 304 deny all from 0.0.0.0/8       to any in via ${EXT}
${IPFW} 305 deny all from 169.254.0.0/16  to any in via ${EXT}
${IPFW} 306 deny all from 192.0.2.0/24    to any in via ${EXT}
${IPFW} 307 deny all from 204.152.64.0/23 to any in via ${EXT}
${IPFW} 308 deny all from 224.0.0.0/3     to any in via ${EXT}
${IPFW} 315 deny tcp from any to any 113 in via ${EXT}
${IPFW} 330 deny all from any to any frag in via ${EXT}
${IPFW} 332 deny tcp from any to any established in via ${EXT}
${IPFW} 380 allow tcp from any to me 22 in via ${EXT} setup limit src-addr 2
${IPFW} 400 deny log all from any to any in via ${EXT}
${IPFW} 450 deny log all from any to any out via ${EXT}
${IPFW} 800 divert natd ip from any to any out via ${EXT}
${IPFW} 801 allow ip from any to any
${IPFW} 999 deny log all from any to any

Пробуй.

[kotig]

Момент!!!
ядро то я пересобирал только с добавлением IPDIVERT
т.е. остались еще опции фаервола как LIBALIAS
сам факт то что меня интересует... по выше указанному конфигу фаервола тушится свет и на самом серваке и про нат вообще молчу... конфиг брался не тупо копи паст, а были подправки:

1. ${IPFW} 005 allow all from any to any via xl0
2. ${IPFW} 010 allow all from any to any via lo0
${IPFW} 014 divert natd ip from any to any in via ${EXT}
${IPFW} 015 check-state
1. ${IPFW} add allow ip from any to any via lo0
2. ${IPFW} add allow ip from any to any via ${INT}

когда перезапускаю ipfw выдает вот такое чудо...
/etc/rc.d/ipfw restart
net.inet.ip.fw.enable: 1 -> 0
Stopping natd.
Waiting for PIDS: 1091, 1091, 1091, 1091, 1091.
Starting natd.
Loading /lib/libalias_cuseeme.so
Loading /lib/libalias_ftp.so
Loading /lib/libalias_irc.so
Loading /lib/libalias_nbt.so
Loading /lib/libalias_pptp.so
Loading /lib/libalias_skinny.so
Loading /lib/libalias_smedia.so
Firewall rules loaded.
Firewall logging enabled.
net.inet.ip.fw.enable: 0 -> 1

помимо того что добавил /etc/rc.conf
natd_enable="YES"
natd_interface="vr0"
надо куда то еще что то чепатать???????????