natd + ipfw

Martyn conf. mkudlacekconf at centrum.cz
Thu Feb 26 18:48:42 CET 2004


Hi everyone (here we go again :-( )

I have a problem connecting from the internal LAN (192.168.0.x) through a
FreeBSD 5.1 Release server (natd + ipfw) to the Internet. It goes over ADSL:
the NIC (10.0.0.100) connects to the modem at 10.0.0.138, and from there the
ADSL carries it into the provider's internal network (see the ifconfig output
with tun0 below; the gateway should be 81.2.208.129). I can't fully see into
that part.

I log on to the Internet with the PPTPClient program. From the server's NIC
10.0.0.100 I can communicate with the Internet. Unfortunately, from the
internal network I can only ping 192.168.0.198 from the machine 192.168.0.120,
but I can't get any further. I think the error is in natd. I followed man natd
and the posts in this list.

I would like users on the internal network (192.168.0.x) to be able to use
services (www, ftp, smtp, pop3, mysql 3306, ...) on the Internet.

Now the details: first what I configured (following the howto) and then the
outputs (there is a lot of it :-( ). Sorry for such a long email, but I didn't
want to leave anything out. If anyone can tell me where I made a mistake, I
will be very grateful.

I have support compiled into the kernel: IPFIREWALL, IPFIREWALL_VERBOSE, IPDIVERT

both NICs work:
rl0:  10.0.0.100, netmask 255.0.0.0
rl1: 192.168.0.198, netmask 255.255.255.0

rc.conf:
hostname="kohoutek.monstav2.com"
ifconfig_rl0="inet 10.0.0.100 netmask 255.0.0.0"
ifconfig_rl1="inet 192.168.0.198  netmask 255.255.255.0"
defaultrouter="81.2.208.129"
gateway_enable="YES"
natd_enable="YES"
natd_interface="rl0"
natd_flags="-s -m -dynamic"
firewall_enable="YES"
firewall_type="/etc/ipfw.conf"
firewall_script="/etc/rc.firewall"
sendmail_enable="NONE"
sshd_enable="YES"
inetd_enable="YES"
linux_enable="YES"


rules in /etc/ipfw.conf (I made it completely open; once I get it working I
will tighten them up):
add divert natd all from any to any via rl0
add pass all  from any to any

nameservers in /etc/resolv.conf:
nameserver 81.2.194.208
nameserver 81.2.194.201

Adding some outputs:
tcpdump on rl0 - catches nothing at all when I ping from 192.168.0.120 to 10.0.0.100
tcpdump on rl1 (internal network) when I ping from 192.168.0.120 to 10.0.0.100:
18:36:14.219309 0.00:c0:9f:1b:cf:52.453 > 
0.ff:ff:ff:ff:ff:ff.453:ipx-rip-resp 8293b429/1.2

18:36:18.076879 kohoutek.monstav2.com.netbios-ns > 
192.168.0.255.netbios-ns: NBT UDP PACKET(137): QUERY; REQUEST; BROADCAST


- output of sysctl -A | grep forward
net.inet.ip.forwarding: 1
net.inet.ip.fastforwarding: 0
net.inet6.ip6.forwarding: 0


- starting the network services after connecting to the ADSL network, via
/etc/netstart > soubor.txt
hw.bus.devctl_disable: 1 -> 1

Setting hostname: kohoutek.monstav2.com
rl0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
	inet6 fe80::250:fcff:fea8:5f92%rl0 prefixlen 64 scopeid 0x1
	inet 10.0.0.100 netmask 0xff000000 broadcast 10.255.255.255
	ether 00:50:fc:a8:5f:92
	media: Ethernet autoselect (10baseT/UTP)
	status: active
rl1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
	inet6 fe80::208:54ff:fe05:2e8a%rl1 prefixlen 64 scopeid 0x2
	inet 192.168.0.198 netmask 0xffffff00 broadcast 192.168.0.255
	ether 00:08:54:05:2e:8a
	media: Ethernet autoselect (100baseTX)
	status: active
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 16384
	inet6 ::1 prefixlen 128
	inet6 fe80::1%lo0 prefixlen 64 scopeid 0x4
	inet 127.0.0.1 netmask 0xff000000
Flushed all rules.
00100 divert 8668 ip from any to any via rl0
00200 allow ip from any to any
Firewall rules loaded, starting divert daemons: natdnatd: Unable to bind 
divert socket.:Address already in use
.
net.inet.ip.fw.enable: 1 -> 1
add net default: gateway 81.2.208.129: File exists
Additional routing options: IP gateway=YES.



- besides rl0, rl1 and lo0, ifconfig also shows tun0 (the PPTP ADSL connection):
ifconfig > soubor.txt

tun0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1500
	inet 81.2.208.129 --> 81.2.224.3 netmask 0xffffffff
	Opened by PID 576


Martyn Kudlacek
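A quick consistency check for the setup described above, added here as an example and not part of the original post or of FreeBSD: with a PPTP link the public address sits on tun0, so a divert rule bound to rl0 only ever sees the encapsulated traffic to the modem, never the packets that need translating. The script compares the default-route interface with the interface named in the ipfw divert rule; the sample outputs are constructed to mirror the post (the netstat -rn output is assumed, since the post does not include it).

```shell
#!/bin/sh
# Does the ipfw "divert natd" rule name the interface that carries the
# default route? If not, natd never sees the packets it is meant to translate.

# Constructed sample of `netstat -rn -f inet` (assumed layout: default route
# via tun0, as suggested by the post's defaultrouter and tun0 addresses).
SAMPLE_ROUTES='Destination        Gateway            Flags    Refs      Use  Netif Expire
default            81.2.208.129       UGS         0        0   tun0
10.0.0.0/8         link#1             UC          0        0    rl0
81.2.224.3         81.2.208.129       UH          0        0   tun0
192.168.0.0/24     link#2             UC          0        0    rl1'

# Constructed sample of `ipfw list`, copied from the ruleset in the post.
SAMPLE_RULES='00100 divert 8668 ip from any to any via rl0
00200 allow ip from any to any'

# Print the Netif column of the default route.
default_iface() {
    printf '%s\n' "$1" | awk '$1 == "default" { print $6; exit }'
}

# Print the interface named in the first "divert ... via <if>" rule.
divert_iface() {
    printf '%s\n' "$1" | awk '$2 == "divert" {
        for (i = 1; i <= NF; i++) if ($i == "via") { print $(i + 1); exit } }'
}

# Return 0 when natd diverts on the default-route interface, 1 otherwise.
check_nat_iface() {
    def=$(default_iface "$1")
    div=$(divert_iface "$2")
    if [ -n "$def" ] && [ "$def" = "$div" ]; then
        echo "OK: divert rule and default route both use $def"
        return 0
    fi
    echo "MISMATCH: default route via '$def', natd diverts via '$div'"
    echo "Hint: natd_interface and the divert rule should both name '$def'"
    return 1
}

# On a live box: check_nat_iface "$(netstat -rn -f inet)" "$(ipfw list)"
check_nat_iface "$SAMPLE_ROUTES" "$SAMPLE_RULES" || :
```

With the sample data it reports the mismatch (tun0 versus rl0); the same check passes once the rule and natd_interface point at tun0.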