Problém s NATD
Pavel Obr
obr at sosgastro.cz
Mon Mar 6 08:54:31 CET 2006
Dobry den,
resim problem s natd...Zkousel jsem kde co a hledal na internetu, ale
opravdu nevim co je spatne...
NAT pozivam nejakou dobu smerem ven bez problemu podle handbooku, ale
presmerovani "dovnitr" se mi nevede....
K pripojeni na internet pouzivame router naseho providera. Pokud
potrebuji povolit u nas na serveru nejakou sluzbu na urcitem portu,
pozadam ho a on mi dany port presmeruje na muj stroj.
Router providera ma IP 192.168.1.1 a moje z internetu dostupne sluzby
jsou na strojich s IP 192.168.1.0/24 (zde poskytuji z internetu dostupne
sluzby + Apache, proxy, NAT). Moje LAN ma IP v rozsahu 192.168.3.0/24.
Bohuzel musim zacit poskytovat z jednoho stroje z vnitrni LAN
(192.168.3.0/24) jednu sluzbu, kterou je mozne zatim provozovat na
Windows stroji - jde o sluzbu vazanou na ISS webovsky server microsoftu.
Windows mam jen na stanicich v LAN 192.168.3.0/24.
To znamena musim pouzit NAT "obracene" u stroje s 2 sitovkami, který
poskytuje NAT + squid proxy a odeslat pozadavek na dany windows stroj.
Jedna sitovka je 192.168.1.0/24 a druha je clenem 192.168.3.0/24.
NAT smerem ven mi funguje, ovsem dovnitr (presmerovani na onu windows
stanici) vubec...
Asi bude problem v ipfw.rules, ale nevim co.
Diky za radu....
Pavel
Jadro je zkompilovane s temito volbami:
_______________________________________
options IPFIREWALL
options IPDIVERT
options IPFIREWALL_VERBOSE
options IPFIREWALL_VERBOSE_LIMIT=5
options IPFIREWALL_DEFAULT_TO_ACCEPT # tuto volbu chci po vzreseni
problemz odebrat a znova prekompilovat
Soubor rc.conf:
_______________________________________
sendmail_enable="NONE"
sshd_enable="YES"
#Nastaveni site
ifconfig_xl0="inet 192.168.1.10 netmask 255.255.255.0"
ifconfig_rl0="inet 192.168.3.12 netmask 255.255.255.0"
defaultrouter="192.168.1.1" # router providera
hostname="xxx.xxx.xxx.cz"
apm_enable="NO"
#Apache
apache_enable="YES" # Apache posloucha na portu 80
apache_flags="-DSSL"
apache_pidfile="/var/run/httpd.pid"
#MySQL
mysql_enable="YES"
#NTPDate - nastaveni casu
ntpdate_flags="ntp.karpo.cz"
ntpdate_enable="YES"
# volby pro NAT
gateway_enable="YES"
natd_enable="YES"
natd_interface="xl0" # "vnejsi" adresa 192.168.1.10
natd_flags="-f /etc/natd.conf"
firewall_type="OPEN"
firewall_enable="YES"
firewall_script="/etc/ipfw.rules"
firewall_logging="YES"
squid_enable="YES"
ipfw.rules: je stejny jako v prikladu v HANDBOOKU
______________________________________
#!/bin/sh
################ Start of IPFW rules file ###############################
# Flush out the list before we begin.
ipfw -q -f flush
# Set rules command prefix
cmd="ipfw -q add"
skip="skipto 800"
pif="xl0" # public interface name of NIC
# facing the public Internet
#################################################################
# No restrictions on Inside LAN Interface for private network
# Change xl0 to your LAN NIC interface name
#################################################################
$cmd 005 allow all from any to any via rl0
#################################################################
# No restrictions on Loopback Interface
#################################################################
$cmd 010 allow all from any to any via lo0
#################################################################
# check if packet is inbound and nat address if it is
#################################################################
$cmd 014 divert natd ip from any to any in via $pif
#################################################################
# Allow the packet through if it has previous been added to the
# the "dynamic" rules table by a allow keep-state statement.
#################################################################
$cmd 015 check-state
#################################################################
# Interface facing Public Internet (Outbound Section)
# Interrogate session start requests originating from behind the
# firewall on the private network or from this gateway server
# destine for the public Internet.
#################################################################
# Allow out access to my ISP's Domain name server.
# x.x.x.x must be the IP address of your ISP's DNS
# Dup these lines if your ISP has more than one DNS server
# Get the IP addresses from /etc/resolv.conf file
$cmd 020 $skip tcp from any to 62.77.67.2 53 out via $pif setup keep-state
# Allow out access to my ISP's DHCP server for cable/DSL configurations.
#$cmd 030 $skip udp from any to x.x.x.x 67 out via $pif keep-state
# Allow out non-secure standard www function
$cmd 040 $skip tcp from any to any 80 out via $pif setup keep-state
# Allow out secure www function https over TLS SSL
$cmd 050 $skip tcp from any to any 443 out via $pif setup keep-state
# Allow out send & get email function
$cmd 060 $skip tcp from any to any 25 out via $pif setup keep-state
$cmd 061 $skip tcp from any to any 110 out via $pif setup keep-state
# Allow out FreeBSD (make install & CVSUP) functions
# Basically give user root "GOD" privileges.
$cmd 070 $skip tcp from me to any out via $pif setup keep-state uid root
# Allow out ping
$cmd 080 $skip icmp from any to any out via $pif keep-state
# Allow out Time
$cmd 090 $skip tcp from any to any 37 out via $pif setup keep-state
# Allow out nntp news (i.e. news groups)
$cmd 100 $skip tcp from any to any 119 out via $pif setup keep-state
# Allow out secure FTP, Telnet, and SCP
# This function is using SSH (secure shell)
$cmd 110 $skip tcp from any to any 22 out via $pif setup keep-state
# Allow out whois
$cmd 120 $skip tcp from any to any 43 out via $pif setup keep-state
# Allow ntp time server
$cmd 130 $skip udp from any to any 123 out via $pif keep-state
#################################################################
# Interface facing Public Internet (Inbound Section)
# Interrogate packets originating from the public Internet
# destine for this gateway server or the private network.
#################################################################
# Deny all inbound traffic from non-routable reserved address spaces
#$cmd 300 deny all from 192.168.0.0/16 to any in via $pif #RFC 1918
private IP
$cmd 301 deny all from 172.16.0.0/12 to any in via $pif #RFC 1918
private IP
$cmd 302 deny all from 10.0.0.0/8 to any in via $pif #RFC 1918
private IP
$cmd 303 deny all from 127.0.0.0/8 to any in via $pif #loopback
$cmd 304 deny all from 0.0.0.0/8 to any in via $pif #loopback
$cmd 305 deny all from 169.254.0.0/16 to any in via $pif #DHCP auto-config
$cmd 306 deny all from 192.0.2.0/24 to any in via $pif #reserved for
docs
$cmd 307 deny all from 204.152.64.0/23 to any in via $pif #Sun cluster
$cmd 308 deny all from 224.0.0.0/3 to any in via $pif #Class D & E
multicast
# Deny ident
$cmd 315 deny tcp from any to any 113 in via $pif
# Deny all Netbios service. 137=name, 138=datagram, 139=session
# Netbios is MS/Windows sharing services.
# Block MS/Windows hosts2 name server requests 81
$cmd 320 deny tcp from any to any 137 in via $pif
$cmd 321 deny tcp from any to any 138 in via $pif
$cmd 322 deny tcp from any to any 139 in via $pif
$cmd 323 deny tcp from any to any 81 in via $pif
# Deny any late arriving packets
$cmd 330 deny all from any to any frag in via $pif
# Deny ACK packets that did not match the dynamic rule table
$cmd 332 deny tcp from any to any established in via $pif
# Allow traffic in from ISP's DHCP server. This rule must contain
# the IP address of your ISP's DHCP server as it's the only
# authorized source to send this packet type.
# Only necessary for cable or DSL configurations.
# This rule is not needed for 'user ppp' type connection to
# the public Internet. This is the same IP address you captured
# and used in the outbound section.
#$cmd 360 allow udp from x.x.x.x to any 68 in via $pif keep-state
# Allow in standard www function because I have Apache server
$cmd 370 allow tcp from any to me 80 in via $pif setup limit src-addr 2
$cmd 375 allow tcp from any to me 443 in via $pif setup limit src-addr 2
# Allow in secure FTP, Telnet, and SCP from public Internet
$cmd 380 allow tcp from any to me 22 in via $pif setup limit src-addr 2
# Allow in non-secure Telnet session from public Internet
# labeled non-secure because ID & PW are passed over public
# Internet as clear text.
# Delete this sample group if you do not have telnet server enabled.
#$cmd 390 allow tcp from any to me 23 in via $pif setup limit src-addr 2
# Reject & Log all unauthorized incoming connections from the public
Internet
$cmd 400 deny log all from any to any in via $pif
# Reject & Log all unauthorized out going connections to the public Internet
$cmd 450 deny log all from any to any out via $pif
# This is skipto location for outbound stateful rules
$cmd 800 divert natd ip from any to any out via $pif
$cmd 801 allow ip from any to any
# Everything else is denied by default
# deny and log all packets that fell through to see what they are
$cmd 999 deny log all from any to any
################ End of IPFW rules file ###############################
soubor natd.conf:
___________________________________
redirect_port tcp 192.168.3.37:80 8080
More information about the Users-l
mailing list