PAT

archy · Отправлено: **21:31, 22-11-2005** | #2

для ipfw
fwd 192.168.1.73,80 tcp from any to 217.30.243.142 8080 in via $if_out

MooSE · Отправлено: **11:25, 23-11-2005** | #3

Вобщем конфиги такие:

Код:

su-2.05b# cat /etc/ipfw.rules
#PAT
add 00035 fwd 192.168.1.73:80 tcp from any to 217.30.243.142 80 in via fxp0

# NAT
add 00040 divert natd all from any to any via fxp0
add 00045 pass all from any to any

# localhost
add 00010 allow all from me to me
add 00011 allow all from any to any via lo0
add 00012 deny all from any to 127.0.0.0/8
add 00013 deny all from 127.0.0.0/8 to any

# management
add 00020 allow all from 192.168.1.0/24 to me
add 00020 allow all from 192.168.1.0/24 to 192.168.1.57
add 00021 allow all from me to 192.168.1.0/24
add 00021 allow all from 192.168.1.57 to 192.168.1.0/24
add 00023 allow all from 83.151.2.235 to me
add 00024 allow all from me to 83.151.2.235
add 00025 allow all from me to 217.30.242.54
add 00026 allow all from 217.30.242.54 to me

# dynamic rules
add 00040 check-state

# artvid
add 00050 allow ip from 81.25.168.50 to me
add 00051 allow ip from 81.25.172.0/24 to 83.151.2.8
add 00052 allow ip from 217.66.20.134 to 83.151.2.9
add 00053 allow ip from 81.25.168.50 to 83.151.2.9
add 00054 allow ip from 81.25.172.0/24 to 83.151.2.9
add 00055 allow ip from 217.74.34.132 to me
add 00056 allow ip from me to 217.74.34.132
add 00076 allow ip from 217.30.243.142 to any
add 00077 allow ip from any to 217.30.243.142
add 00078 allow ip from 213.132.116.136 to 217.30.243.142
# in ftp
#tatintelcom
add 00601 allow ip from 217.30.243.0/24 to 217.30.243.142
add 00602 allow ip from 217.30.242.0/24 to 217.30.243.142
#tatintelcom nets
add 00603 allow ip from 217.30.240.0/20 to 217.30.243.142
add 00604 allow ip from 83.69.96.0/19 to 217.30.243.142
#tattelecom
add 00605 allow ip from 217.118.176.0/20 to 217.30.243.142
add 00606 allow ip from 217.23.176.0/20 to 217.30.243.142
add 00607 allow ip from 84.18.96.0/19 to 217.30.243.142
add 00608 allow ip from 193.238.132.0/22 to 217.30.243.142
#center telecom
add 00609 allow ip from 217.198.0.0/20 to 217.30.243.142
#comtat
add 00610 allow ip from 212.22.64.0/19 to 217.30.243.142
#tnpko
add 00611 allow ip from 217.107.77.0/24 to 217.30.243.142
add 00697 allow ip from 195.161.207.0/24 to 217.30.243.142
#
#danil vip
add 00612 allow ip from 213.59.59.192/26 to 217.30.243.142
#office tatintelcom
add 00613 allow ip from 217.30.242.54/32 to 217.30.243.142
#intelcom clients
add 00614 allow ip from 83.69.116.0/24 to 217.30.243.142
add 00615 allow ip from 83.69.117.0/24 to 217.30.243.142
#telecet
add 00616 allow ip from 81.22.200.0/21 to 217.30.243.142
add 00617 allow ip from 81.22.208.0/21 to 217.30.243.142
#melt
add 00618 allow ip from 81.176.178.0/24 to 217.30.243.142
add 00619 allow ip from 81.176.179.0/24 to 217.30.243.142
add 00620 allow ip from 195.161.74.0/24 to 217.30.243.142
add 00621 allow ip from 195.161.75.0/24 to 217.30.243.142
add 00622 allow ip from 213.24.9.0/24 to 217.30.243.142
add 00623 allow ip from 213.24.138.0/24 to 217.30.243.142
add 00624 allow ip from 213.24.139.0/24 to 217.30.243.142
add 00625 allow ip from 213.59.51.0/24 to 217.30.243.142
add 00626 allow ip from 213.59.252.0/24 to 217.30.243.142
add 00627 allow ip from 213.59.253.0/24 to 217.30.243.142
add 00628 allow ip from 217.107.104.0/24 to 217.30.243.142
add 00629 allow ip from 217.107.105.0/24 to 217.30.243.142
#bancorp
add 00630 allow ip from 81.25.160.0/20 to 217.30.243.142
add 00631 allow ip from 217.107.74.0/23 to 217.30.243.142
add 00632 allow ip from 217.107.80.0/23 to 217.30.243.142
#local network
add 00633 allow ip from 192.168.1.0/24 to 192.168.1.57
#intelset
add 00634 allow ip from 83.151.0.0/24 to 217.30.243.142
#needed rules
add 00698 allow ip from me to any
add 00699 deny tcp from any to 217.30.243.142 ftp


# in icmp
add 00063 allow icmp from 213.59.59.192/26 to me

# in http
add 00064 allow tcp from any to me 80
add 00065 allow tcp from me to any 80

# smtp and mail
add 00070 allow tcp from any 25 to me
add 00071 allow tcp from any to me 25
add 00072 allow tcp from any 110 to me
add 00073 allow tcp from any to me 110
add 00074 allow tcp from any 8010 to me
add 00075 allow tcp from any to me 8010

#in ssh
add 00100 allow tcp from any to me 22

#deny everything
add 65000 reset log logamount 10000 all from any to any

Код:

su-2.05b# cat /etc/rc.conf

# -- sysinstall generated deltas -- # Tue Nov  8 17:31:00 2005
# Created: Tue Nov  8 17:31:00 2005
# Enable network daemons for user convenience.
# Please make all changes to this file, not to /etc/defaults/rc.conf.
# This file now contains just the overrides from /etc/defaults/rc.conf.
defaultrouter="217.30.243.141"

font8x14="cp866-8x14"
font8x16="cp866b-8x16"
font8x8="cp866-8x8"
keymap="ru.koi8-r"

hostname="217.30.243.142"

ifconfig_fxp0="inet 217.30.243.142  netmask 255.255.255.252"
ifconfig_rl0="inet 192.168.1.57  netmask 255.255.255.128"

inetd_enable=YES
#inetd_flags="-a 217.30.243.146"

gateway_enable="YES"

natd_enable="YES"
natd_interface="fxp0"
#natd_flags="-f /etc/natd.conf -l yes"
natd_flags="-l yes"


mousechar_start="3"
moused_enable="YES"
moused_port="/dev/psm0"
moused_type="intellimouse"

scrnmap="koi8-r2cp866"

sshd_enable=YES

usbd_enable=YES

sendmail_enable="NO"

named_enable=NO

squid_enable="YES"

firewall_enable="YES"
firewall_script="/etc/rc.firewall"
firewall_type="/etc/ipfw.rules"
firewall_quiet="YES"

#apache_enable="YES"

mysql_enable="YES"
#mysql_flags="--port=3310"

Код:

su-2.05b# ifconfig
rl0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        options=8<VLAN_MTU>
        inet 192.168.1.57 netmask 0xffffff80 broadcast 192.168.1.127
        inet6 fe80::280:48ff:fe15:7b5%rl0 prefixlen 64 scopeid 0x1
        ether 00:80:48:15:07:b5
        media: Ethernet autoselect (100baseTX <full-duplex>)
        status: active
fxp0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        options=8<VLAN_MTU>
        inet 217.30.243.142 netmask 0xfffffffc broadcast 217.30.243.143
        inet6 fe80::211:11ff:fe94:3932%fxp0 prefixlen 64 scopeid 0x2
        ether 00:11:11:94:39:32
        media: Ethernet autoselect (100baseTX <full-duplex>)
        status: active
plip0: flags=108810<POINTOPOINT,SIMPLEX,MULTICAST> mtu 1500
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 16384
        inet 127.0.0.1 netmask 0xff000000
        inet6 ::1 prefixlen 128
        inet6 fe80::1%lo0 prefixlen 64 scopeid 0x4

Вот как на этом всё осуществить переброс пакетов, при обращении к 217.30.243.142:80 на 192.168.1.73:80

Предложенный выше вариант я добавил. Не помогло.

mar · Отправлено: **12:27, 23-11-2005** | #4

а в ядре что для всего этого включено?

MooSE · Отправлено: **13:31, 23-11-2005** | #5

Да... Всё. Могу приклеить конфиг ядра.

Вообще я сейчас попробовал вот так:

Код:

su-2.05b# cat /etc/natd.conf
use_sockets yes
same_ports yes
redirect_port tcp 217.30.243.142:80 80

и

Код:

su-2.05b# cat /etc/rc.conf

...

natd_enable="YES"
natd_interface="fxp0"
natd_flags="-f /etc/natd.conf -l yes"
...

Вот не знаю что не так. Вроде бы всё правильно сделал....

mar · Отправлено: **14:45, 23-11-2005** | #6

MooSE
не надо конфига ядра, надо понять, есть ли там IPFIREWALL_FORWARD

MooSE · Отправлено: **14:54, 23-11-2005** | #7

Есть.

IgorK · Отправлено: **15:41, 24-11-2005** | #8

Рекомендую:
redirect_port tcp 217.30.243.142:80 80
заменить
redirect_port tcp 192.168.1.57:80 80

Так, для начала.

А потом набрать man natd и внимательнее прочитать мануал.

MooSE · Отправлено: **18:27, 03-12-2005** | #9

ДА я уже разобрался. Если кому интересно, то могу слазить и достать свои конфиги.